typescript-virtual-container 1.4.9 → 1.5.1

package/dist/modules/linuxRootfs.js

@@ -6,12 +6,16 @@
  * Called once during VirtualShell initialization. Idempotent — skips
  * paths that already exist so FS-mode snapshots survive restarts.
  *
+ * Emulation fidelity: modelled after a Fortune GNU/Linux 1.0 (Nyx)
+ * container with Firecracker MicroVM kernel 6.x, virtio block devices
+ * (vda/vdb/vdc/vdd), cgroups v1 hierarchy, Node.js 22, Python 3.12,
+ * GCC 13, OpenJDK 21, and a Fortune-style package database.
+ *
  * Public API:
- *  - bootstrapLinuxRootfs()  one-shot boot (VirtualShell calls this)
- *  - refreshProc()           refresh /proc/* (call on session changes)
- *  - syncEtcPasswd()         sync /etc/passwd|group|shadow from UserManager
- *  - createLinuxRootfsEngine() returns engine with .boot() + .tick() for
- *                            runtimes that want a live refresh loop
+ *  - bootstrapLinuxRootfs()    one-shot boot (VirtualShell calls this)
+ *  - refreshProc()             refresh /proc/* (call on session changes)
+ *  - syncEtcPasswd()           sync /etc/passwd|group|shadow from UserManager
+ *  - createLinuxRootfsEngine() engine with .boot() + .tick() for live loops
  */
 import * as os from "node:os";
 import VirtualFileSystem from "../VirtualFileSystem";
@@ -22,7 +26,6 @@ function ensureDir(vfs, path, mode = 0o755) {
         vfs.mkdir(path, mode);
 }
 function ensureFile(vfs, path, content, mode = 0o644) {
-    // Use lazy stub — no Buffer allocated until the file is actually read or overwritten
     vfs.writeStub(path, content, mode);
 }
 function write(vfs, path, content) {
@@ -40,33 +43,45 @@ function fnv1a(str) {
 // ─── /etc ────────────────────────────────────────────────────────────────────
 function bootstrapEtc(vfs, hostname, props) {
     ensureDir(vfs, "/etc");
-    // os-release — authoritative distro identity used by neofetch, lsb_release
+    // os-release — Fortune Nyx identity
     ensureFile(vfs, "/etc/os-release", `${[
         `NAME="Fortune GNU/Linux"`,
         `PRETTY_NAME="${props.os}"`,
         `ID=fortune`,
         `ID_LIKE=debian`,
         `HOME_URL="https://github.com/itsrealfortune/typescript-virtual-container"`,
-        `VERSION_CODENAME=aurora`,
-        `VERSION_ID="1.0"`,
+        `VERSION_CODENAME=nyx`,
+        `VERSION_ID="24.04"`,
+        `FORTUNE_CODENAME=nyx`,
     ].join("\n")}\n`);
-    ensureFile(vfs, "/etc/debian_version", "12.0\n");
+    ensureFile(vfs, "/etc/debian_version", "nyx/stable\n");
     ensureFile(vfs, "/etc/hostname", `${hostname}\n`);
-    ensureFile(vfs, "/etc/shells", "/bin/sh\n/bin/bash\n/usr/bin/bash\n");
+    ensureFile(vfs, "/etc/shells", "/bin/sh\n/bin/bash\n/usr/bin/bash\n/bin/dash\n/usr/bin/dash\n");
     ensureFile(vfs, "/etc/profile", `${[
-        "export PATH=/usr/local/bin:/usr/bin:/bin",
+        "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
         "export PS1='\\u@\\h:\\w\\$ '",
     ].join("\n")}\n`);
-    ensureFile(vfs, "/etc/issue", "Fortune GNU/Linux 1.0 \\n \\l\n");
+    ensureFile(vfs, "/etc/issue", "Fortune GNU/Linux 24.04 LTS \\n \\l\n");
+    ensureFile(vfs, "/etc/issue.net", "Fortune GNU/Linux 24.04 LTS\n");
     ensureFile(vfs, "/etc/motd", ["", `Welcome to ${props.os}`, `Kernel: ${props.kernel}`, ""].join("\n"));
-    // APT sources
+    ensureFile(vfs, "/etc/lsb-release", `${[
+        "DISTRIB_ID=Fortune",
+        "DISTRIB_RELEASE=24.04",
+        "DISTRIB_CODENAME=nyx",
+        `DISTRIB_DESCRIPTION="${props.os}"`,
+    ].join("\n")}\n`);
+    // APT — Fortune Nyx sources
     ensureDir(vfs, "/etc/apt");
     ensureDir(vfs, "/etc/apt/sources.list.d");
+    ensureDir(vfs, "/etc/apt/trusted.gpg.d");
+    ensureDir(vfs, "/etc/apt/keyrings");
     ensureFile(vfs, "/etc/apt/sources.list", `${[
-        "# Fortune GNU/Linux package sources",
-        "deb [virtual] fortune://packages.fortune.local aurora main contrib",
-        "deb [virtual] fortune://security.fortune.local aurora-security main",
+        "# Fortune GNU/Linux package sources (Fortune 1.0 Nyx)",
+        "deb [virtual] fortune://packages.fortune.local nyx main contrib non-free",
+        "deb [virtual] fortune://packages.fortune.local nyx-updates main contrib non-free",
+        "deb [virtual] fortune://security.fortune.local nyx-security main",
     ].join("\n")}\n`);
+    ensureFile(vfs, "/etc/apt/apt.conf.d/70debconf", `// debconf config\n`);
     // network
     ensureDir(vfs, "/etc/network");
     ensureFile(vfs, "/etc/network/interfaces", `${[
@@ -76,26 +91,56 @@ function bootstrapEtc(vfs, hostname, props) {
         "auto eth0",
         "iface eth0 inet dhcp",
     ].join("\n")}\n`);
+    ensureDir(vfs, "/etc/netplan");
+    ensureFile(vfs, "/etc/netplan/01-eth0.yaml", `${[
+        "network:",
+        "  version: 2",
+        "  ethernets:",
+        "    eth0:",
+        "      dhcp4: true",
+    ].join("\n")}\n`);
     ensureFile(vfs, "/etc/resolv.conf", "nameserver 1.1.1.1\nnameserver 8.8.8.8\n");
     ensureFile(vfs, "/etc/hosts", `${[
         "127.0.0.1   localhost",
         `127.0.1.1   ${hostname}`,
         "::1         localhost ip6-localhost ip6-loopback",
+        "fe00::0     ip6-localnet",
+        "ff00::0     ip6-mcastprefix",
+        "ff02::1     ip6-allnodes",
+        "ff02::2     ip6-allrouters",
+    ].join("\n")}\n`);
+    ensureFile(vfs, "/etc/nsswitch.conf", `${[
+        "passwd:         files systemd",
+        "group:          files systemd",
+        "shadow:         files",
+        "hosts:          files dns",
+        "networks:       files",
+        "protocols:      db files",
+        "services:       db files",
+        "ethers:         db files",
+        "rpc:            db files",
     ].join("\n")}\n`);
     ensureDir(vfs, "/etc/cron.d");
+    ensureDir(vfs, "/etc/cron.daily");
+    ensureDir(vfs, "/etc/cron.hourly");
+    ensureDir(vfs, "/etc/cron.weekly");
+    ensureDir(vfs, "/etc/cron.monthly");
     ensureDir(vfs, "/etc/init.d");
     ensureDir(vfs, "/etc/systemd");
     ensureDir(vfs, "/etc/systemd/system");
-    // fstab
+    ensureDir(vfs, "/etc/systemd/system/multi-user.target.wants");
+    ensureDir(vfs, "/etc/systemd/network");
+    ensureFile(vfs, "/etc/systemd/system.conf", "[Manager]\nDefaultTimeoutStartSec=90s\nDefaultTimeoutStopSec=90s\n");
+    // fstab — virtio block devices matching Firecracker layout
     ensureFile(vfs, "/etc/fstab", `${[
-        "# <file system>  <mount point>  <type>   <options>         <dump>  <pass>",
-        "UUID=00000000-0000-0000-0000-000000000001  /       ext4  errors=remount-ro  0  1",
-        "UUID=00000000-0000-0000-0000-000000000002  /boot   ext4  defaults           0  2",
-        "UUID=00000000-0000-0000-0000-000000000003  none    swap  sw                 0  0",
-        "tmpfs  /tmp   tmpfs  defaults,noatime  0  0",
-        "tmpfs  /run   tmpfs  defaults,noatime  0  0",
+        "# <file system>  <mount point>  <type>    <options>                        <dump>  <pass>",
+        "/dev/vda         /              ext4      rw,relatime,resuid=65534,resgid=65534  0  1",
+        "/dev/vdb         /opt/rclone    squashfs  ro,relatime,errors=continue      0  0",
+        "tmpfs            /tmp           tmpfs     defaults,noatime                 0  0",
+        "tmpfs            /run           tmpfs     defaults,noatime                 0  0",
+        "tmpfs            /dev/shm       tmpfs     rw,relatime                      0  0",
     ].join("\n")}\n`);
-    // login.defs — useradd/passwd defaults
+    // login.defs
     ensureFile(vfs, "/etc/login.defs", `${[
         "MAIL_DIR        /var/mail",
         "PASS_MAX_DAYS   99999",
@@ -112,25 +157,108 @@ function bootstrapEtc(vfs, hostname, props) {
     ].join("\n")}\n`);
     // security + pam
     ensureDir(vfs, "/etc/security");
-    ensureFile(vfs, "/etc/security/limits.conf", "# /etc/security/limits.conf\n");
+    ensureFile(vfs, "/etc/security/limits.conf", "# /etc/security/limits.conf\n*  soft  nofile  1024\n*  hard  nofile  65536\n");
     ensureFile(vfs, "/etc/security/access.conf", "# /etc/security/access.conf\n");
     ensureDir(vfs, "/etc/pam.d");
-    ensureFile(vfs, "/etc/pam.d/common-auth", "auth required pam_unix.so\n");
-    ensureFile(vfs, "/etc/pam.d/common-account", "account required pam_unix.so\n");
-    ensureFile(vfs, "/etc/pam.d/common-password", "password required pam_unix.so obscure sha512\n");
-    ensureFile(vfs, "/etc/pam.d/common-session", "session required pam_unix.so\n");
+    ensureFile(vfs, "/etc/pam.d/common-auth", "auth [success=1 default=ignore] pam_unix.so nullok\nauth requisite pam_deny.so\nauth required pam_permit.so\n");
+    ensureFile(vfs, "/etc/pam.d/common-account", "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\naccount requisite pam_deny.so\naccount required pam_permit.so\n");
+    ensureFile(vfs, "/etc/pam.d/common-password", "password [success=1 default=ignore] pam_unix.so obscure sha512\npassword requisite pam_deny.so\npassword required pam_permit.so\n");
+    ensureFile(vfs, "/etc/pam.d/common-session", "session [default=1] pam_permit.so\nsession requisite pam_deny.so\nsession required pam_permit.so\nsession optional pam_umask.so\nsession required pam_unix.so\n");
     ensureFile(vfs, "/etc/pam.d/sshd", "@include common-auth\n@include common-account\n@include common-session\n");
-    // sudo config
+    ensureFile(vfs, "/etc/pam.d/login", "@include common-auth\n@include common-account\n@include common-session\n");
+    ensureFile(vfs, "/etc/pam.d/sudo", "@include common-auth\n@include common-account\n@include common-session\n");
+    // sudo
     ensureDir(vfs, "/etc/sudoers.d");
-    ensureFile(vfs, "/etc/sudoers", "root ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n", 0o440);
+    ensureFile(vfs, "/etc/sudoers", "Defaults\tenv_reset\nDefaults\tmail_badpass\nDefaults\tsecure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\nroot ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n", 0o440);
+    ensureFile(vfs, "/etc/sudoers.d/README", "# Files in this directory are parsed by sudo, if the file is not a backup.\n", 0o440);
     // ld
     ensureFile(vfs, "/etc/ld.so.conf", "include /etc/ld.so.conf.d/*.conf\n");
     ensureDir(vfs, "/etc/ld.so.conf.d");
     ensureFile(vfs, "/etc/ld.so.conf.d/x86_64-linux-gnu.conf", "/lib/x86_64-linux-gnu\n/usr/lib/x86_64-linux-gnu\n");
+    ensureFile(vfs, "/etc/ld.so.conf.d/fakeroot.conf", "/usr/lib/x86_64-linux-gnu/libfakeroot\n");
     // locale + timezone
     ensureFile(vfs, "/etc/locale.conf", "LANG=en_US.UTF-8\n");
+    ensureFile(vfs, "/etc/locale.gen", "en_US.UTF-8 UTF-8\n");
+    ensureFile(vfs, "/etc/default/locale", "LANG=en_US.UTF-8\n");
     ensureFile(vfs, "/etc/timezone", "UTC\n");
     ensureFile(vfs, "/etc/localtime", "UTC\n");
+    // environment
+    ensureFile(vfs, "/etc/environment", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n");
+    // adduser.conf
+    ensureFile(vfs, "/etc/adduser.conf", `${[
+        "DSHELL=/bin/bash",
+        "DHOME=/home",
+        "GROUPHOMES=no",
+        "LETTERHOMES=no",
+        "SKEL=/etc/skel",
+        "FIRST_SYSTEM_UID=100",
+        "LAST_SYSTEM_UID=999",
+        "FIRST_SYSTEM_GID=100",
+        "LAST_SYSTEM_GID=999",
+        "FIRST_UID=1000",
+        "LAST_UID=59999",
+        "FIRST_GID=1000",
+        "LAST_GID=59999",
+        "USERGROUPS=yes",
+        "NAME_REGEX=\"^[a-z][-a-z0-9_]*$\"",
+        "SYS_NAME_REGEX=\"^[a-z_][-a-z0-9_]*$\"",
+    ].join("\n")}\n`);
+    // /etc/skel
+    ensureDir(vfs, "/etc/skel");
+    ensureFile(vfs, "/etc/skel/.bashrc", `${[
+        "# ~/.bashrc: executed by bash(1) for non-login shells.",
+        "case $- in",
+        "    *i*) ;;",
+        "      *) return;;",
+        "esac",
+        "HISTCONTROL=ignoreboth",
+        "HISTSIZE=1000",
+        "HISTFILESIZE=2000",
+        "shopt -s histappend",
+        "shopt -s checkwinsize",
+        "alias ll='ls -alF'",
+        "alias la='ls -A'",
+        "alias l='ls -CF'",
+    ].join("\n")}\n`);
+    ensureFile(vfs, "/etc/skel/.bash_logout", "# ~/.bash_logout\n");
+    ensureFile(vfs, "/etc/skel/.profile", "# ~/.profile\n[ -n \"$BASH_VERSION\" ] && [ -f \"$HOME/.bashrc\" ] && . \"$HOME/.bashrc\"\n");
+    // alternatives
+    ensureDir(vfs, "/etc/alternatives");
+    const alternatives = [
+        ["python3", "/usr/bin/python3.12"],
+        ["python", "/usr/bin/python3.12"],
+        ["editor", "/usr/bin/nano"],
+        ["vi", "/usr/bin/nano"],
+        ["cc", "/usr/bin/gcc"],
+        ["gcc", "/usr/bin/gcc-13"],
+        ["g++", "/usr/bin/g++-13"],
+        ["java", "/usr/lib/jvm/java-21-openjdk-amd64/bin/java"],
+        ["node", "/usr/bin/node"],
+        ["npm", "/usr/bin/npm"],
+        ["awk", "/usr/bin/mawk"],
+        ["pager", "/usr/bin/less"],
+    ];
+    for (const [name, target] of alternatives) {
+        ensureFile(vfs, `/etc/alternatives/${name}`, target);
+    }
+    // java
+    ensureDir(vfs, "/etc/java-21-openjdk");
+    ensureDir(vfs, "/etc/java-21-openjdk/security");
+    ensureFile(vfs, "/etc/java-21-openjdk/security/java.security", "# java.security\n");
+    ensureFile(vfs, "/etc/java-21-openjdk/logging.properties", "# logging.properties\n");
+    // misc
+    ensureFile(vfs, "/etc/bash.bashrc", "# System-wide .bashrc\n[ -z \"$PS1\" ] && return\n");
+    ensureFile(vfs, "/etc/inputrc", "# /etc/inputrc\n$include /etc/inputrc.d\nset bell-style none\n");
+    ensureFile(vfs, "/etc/magic", "# magic\n");
+    ensureFile(vfs, "/etc/magic.mime", "# magic.mime\n");
+    ensureFile(vfs, "/etc/papersize", "a4\n");
+    ensureFile(vfs, "/etc/ucf.conf", "# ucf.conf\n");
+    ensureFile(vfs, "/etc/gai.conf", "# getaddrinfo() configuration\nlabel ::1/128 0\nprecedence ::1/128 50\n");
+    ensureFile(vfs, "/etc/services", "# Network services\nftp   21/tcp\nssh   22/tcp\nsmtp  25/tcp\nhttp  80/tcp\nhttps 443/tcp\n");
+    ensureFile(vfs, "/etc/protocols", "# protocols\nip    0   IP\nicmp  1   ICMP\ntcp   6   TCP\nudp   17  UDP\n");
+    ensureDir(vfs, "/etc/profile.d");
+    ensureFile(vfs, "/etc/profile.d/01-locale-fix.sh", "[ -z \"$LANG\" ] && export LANG=en_US.UTF-8\n");
+    ensureFile(vfs, "/etc/profile.d/apps-bin-path.sh", "export PATH=\"$PATH:/snap/bin\"\n");
 }
 // ─── /etc/passwd + /etc/group + /etc/shadow ─────────────────────────────────
 /**
@@ -142,8 +270,26 @@ export function syncEtcPasswd(vfs, users) {
     const passwdLines = [
         "root:x:0:0:root:/root:/bin/bash",
         "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
+        "bin:x:2:2:bin:/bin:/usr/sbin/nologin",
+        "sys:x:3:3:sys:/dev:/usr/sbin/nologin",
+        "sync:x:4:65534:sync:/bin:/bin/sync",
+        "games:x:5:60:games:/usr/games:/usr/sbin/nologin",
+        "man:x:6:12:man:/var/cache/man:/usr/sbin/nologin",
+        "lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin",
+        "mail:x:8:8:mail:/var/mail:/usr/sbin/nologin",
+        "news:x:9:9:news:/var/spool/news:/usr/sbin/nologin",
+        "uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin",
+        "proxy:x:13:13:proxy:/bin:/usr/sbin/nologin",
         "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
+        "backup:x:34:34:backup:/var/backups:/usr/sbin/nologin",
+        "list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin",
+        "irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin",
+        "_apt:x:42:65534::/nonexistent:/usr/sbin/nologin",
         "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
+        "messagebus:x:100:106::/nonexistent:/usr/sbin/nologin",
+        "systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin",
+        "systemd-resolve:x:999:999:systemd Resolver:/:/usr/sbin/nologin",
+        "polkitd:x:997:997:polkit:/nonexistent:/usr/sbin/nologin",
     ];
     let uid = 1000;
     for (const u of userList) {
@@ -153,18 +299,63 @@ export function syncEtcPasswd(vfs, users) {
         uid++;
     }
     vfs.writeFile("/etc/passwd", `${passwdLines.join("\n")}\n`);
+    const sudoers = userList.filter((u) => users.isSudoer(u)).join(",");
+    const nonRootUsers = userList.filter((u) => u !== "root").join(",");
     const groupLines = [
         "root:x:0:",
         "daemon:x:1:",
-        `sudo:x:27:${userList.filter((u) => users.isSudoer(u)).join(",")}`,
-        `users:x:100:${userList.filter((u) => u !== "root").join(",")}`,
+        "bin:x:2:",
+        "sys:x:3:",
+        "adm:x:4:syslog",
+        "tty:x:5:",
+        "disk:x:6:",
+        "lp:x:7:",
+        "mail:x:8:",
+        "news:x:9:",
+        "uucp:x:10:",
+        "man:x:12:",
+        "proxy:x:13:",
+        "kmem:x:15:",
+        "dialout:x:20:",
+        "fax:x:21:",
+        "voice:x:22:",
+        "cdrom:x:24:",
+        "floppy:x:25:",
+        "tape:x:26:",
+        `sudo:x:27:${sudoers}`,
+        "audio:x:29:",
+        "dip:x:30:",
+        "www-data:x:33:",
+        "backup:x:34:",
+        "operator:x:37:",
+        "list:x:38:",
+        "irc:x:39:",
+        "src:x:40:",
+        "_apt:x:42:",
+        "shadow:x:42:",
+        "utmp:x:43:",
+        "video:x:44:",
+        "sasl:x:45:",
+        "plugdev:x:46:",
+        "staff:x:50:",
+        "games:x:60:",
+        `users:x:100:${nonRootUsers}`,
         "nogroup:x:65534:",
+        "messagebus:x:106:",
+        "systemd-network:x:998:",
+        "systemd-resolve:x:999:",
+        "polkitd:x:997:",
     ];
     vfs.writeFile("/etc/group", `${groupLines.join("\n")}\n`);
-    // shadow — fake hashes, never real credentials
     const shadowLines = [
         "root:*:19000:0:99999:7:::",
         "daemon:*:19000:0:99999:7:::",
+        "nobody:*:19000:0:99999:7:::",
+        "messagebus:*:19000:0:99999:7:::",
+        "_apt:*:19000:0:99999:7:::",
+        "systemd-network:!:19000:::::::",
+        "systemd-resolve:!:19000:::::::",
+        "polkitd:!:19000:::::::",
     ];
     for (const u of userList) {
         if (u === "root")
@@ -174,50 +365,131 @@ export function syncEtcPasswd(vfs, users) {
     vfs.writeFile("/etc/shadow", `${shadowLines.join("\n")}\n`, { mode: 0o640 });
 }
 // ─── /proc helpers ───────────────────────────────────────────────────────────
-/** Derive a stable virtual PID from a tty string e.g. "pts/0" → 1000 */
 function ttyToPid(tty) {
     const match = tty.match(/(\d+)$/);
     return 1000 + (match?.[1] ? parseInt(match[1], 10) : 0);
 }
-/** Write /proc/<pid>/ subtree for a single virtual process */
 function writeProcPid(vfs, pid, username, _tty, cmdline, startedAt, env) {
     const dir = `/proc/${pid}`;
     ensureDir(vfs, dir);
     ensureDir(vfs, `${dir}/fd`);
     ensureDir(vfs, `${dir}/fdinfo`);
+    ensureDir(vfs, `${dir}/net`);
     const uptimeSec = Math.floor((Date.now() - new Date(startedAt).getTime()) / 1000);
     const comm = cmdline.split(/\s+/)[0] ?? "bash";
     write(vfs, `${dir}/cmdline`, `${cmdline.replace(/\s+/g, "\0")}\0`);
     write(vfs, `${dir}/comm`, comm);
     write(vfs, `${dir}/status`, `${[
         `Name:   ${comm}`,
+        `Umask:  0022`,
         `State:  S (sleeping)`,
+        `Tgid:   ${pid}`,
         `Pid:    ${pid}`,
         `PPid:   1`,
+        `TracerPid:      0`,
         `Uid:    0\t0\t0\t0`,
         `Gid:    0\t0\t0\t0`,
-        `VmRSS:  4096 kB`,
-        `VmSize: 16384 kB`,
+        `FDSize: 64`,
+        `Groups:`,
+        `VmPeak:    20480 kB`,
+        `VmSize:    16384 kB`,
+        `VmLck:         0 kB`,
+        `VmPin:         0 kB`,
+        `VmHWM:      4096 kB`,
+        `VmRSS:      4096 kB`,
+        `RssAnon:     512 kB`,
+        `RssFile:    3584 kB`,
+        `RssShmem:      0 kB`,
+        `VmData:     2048 kB`,
+        `VmStk:       132 kB`,
+        `VmExe:       924 kB`,
+        `VmLib:      2744 kB`,
+        `VmPTE:        52 kB`,
+        `VmSwap:        0 kB`,
         `Threads: 1`,
+        `SigQ:   0/31968`,
+        `SigPnd: 0000000000000000`,
+        `SigBlk: 0000000000010000`,
+        `SigIgn: 0000000000380004`,
+        `SigCgt: 000000004b817efb`,
+        `CapInh: 0000000000000000`,
+        `CapPrm: 000001ffffffffff`,
+        `CapEff: 000001ffffffffff`,
+        `CapBnd: 000001ffffffffff`,
+        `CapAmb: 0000000000000000`,
+        `NoNewPrivs:     0`,
+        `Seccomp:        0`,
+        `voluntary_ctxt_switches:        100`,
+        `nonvoluntary_ctxt_switches:     10`,
     ].join("\n")}\n`);
-    write(vfs, `${dir}/stat`, `${pid} (${comm}) S 1 ${pid} ${pid} 0 -1 4194304 0 0 0 0 ${uptimeSec} 0 0 0 20 0 1 0 0 16384 4096 0\n`);
+    write(vfs, `${dir}/stat`, `${pid} (${comm}) S 1 ${pid} ${pid} 0 -1 4194304 0 0 0 0 ${uptimeSec} 0 0 0 20 0 1 0 0 16777216 4096 18446744073709551615 93824992235520 93824992290000 140737488347024 0 0 0 65536 3686404 1266761467 1 0 0 17 0 0 0 0 0 0\n`);
+    write(vfs, `${dir}/statm`, `4096 1024 768 231 0 512 0\n`);
     write(vfs, `${dir}/environ`, `${Object.entries(env).map(([k, v]) => `${k}=${v}`).join("\0")}\0`);
     write(vfs, `${dir}/cwd`, `/home/${username}\0`);
     write(vfs, `${dir}/exe`, "/bin/bash\0");
-    // Standard fd stubs (stdin/stdout/stderr)
+    write(vfs, `${dir}/maps`, "00400000-004e7000 r-xp 00000000 fd:00 131073  /bin/bash\n" +
+        "006e7000-006e8000 r--p 000e7000 fd:00 131073  /bin/bash\n" +
+        "006e8000-006f1000 rw-p 000e8000 fd:00 131073  /bin/bash\n" +
+        "7fff00000000-7fff00001000 rw-p 00000000 00:00 0   [stack]\n" +
+        "7fff00000000-7fff00001000 r-xp 00000000 00:00 0   [vdso]\n");
+    write(vfs, `${dir}/limits`, `${[
+        "Limit                     Soft Limit           Hard Limit           Units",
+        "Max cpu time              unlimited            unlimited            seconds",
+        "Max file size             unlimited            unlimited            bytes",
+        "Max data size             unlimited            unlimited            bytes",
+        "Max stack size            8388608              unlimited            bytes",
+        "Max core file size        0                    unlimited            bytes",
+        "Max resident set          unlimited            unlimited            bytes",
+        "Max processes             31968                31968                processes",
+        "Max open files            1048576              1048576              files",
+        "Max locked memory         8388608              8388608              bytes",
+        "Max address space         unlimited            unlimited            bytes",
+        "Max file locks            unlimited            unlimited            locks",
+        "Max pending signals       31968                31968                signals",
+        "Max msgqueue size         819200               819200               bytes",
+        "Max nice priority         0                    0",
+        "Max realtime priority     0                    0",
+        "Max realtime timeout      unlimited            unlimited            us",
+    ].join("\n")}\n`);
+    write(vfs, `${dir}/io`, "rchar: 1048576\nwchar: 65536\nsyscr: 512\nsyscw: 64\nread_bytes: 0\nwrite_bytes: 0\ncancelled_write_bytes: 0\n");
+    write(vfs, `${dir}/oom_score`, "0\n");
+    write(vfs, `${dir}/oom_score_adj`, "0\n");
+    write(vfs, `${dir}/loginuid`, "0\n");
+    write(vfs, `${dir}/wchan`, "poll_schedule_timeout\n");
+    write(vfs, `${dir}/schedstat`, "1000000 0 1\n");
     for (const fd of ["0", "1", "2"]) {
         ensureFile(vfs, `${dir}/fd/${fd}`, "");
+        ensureFile(vfs, `${dir}/fdinfo/${fd}`, `pos:\t0\nflags:\t0${fd === "0" ? "2" : fd === "1" ? "1" : "1"}02\nmnt_id:\t13\n`);
     }
 }
 // ─── /proc boot log ──────────────────────────────────────────────────────────
 function bootProcLog(vfs, props) {
     ensureDir(vfs, "/proc/boot");
     ensureFile(vfs, "/proc/boot/log", `${[
-        "[    0.000000] Linux virtual kernel booting...",
-        "[    0.000120] init memory subsystem",
-        "[    0.000240] mount /proc /sys /dev",
-        "[    0.000420] start init",
-        "[    0.000680] system ready",
+        `[    0.000000] Linux version ${props.kernel} (fortune@build) #1 SMP PREEMPT_DYNAMIC`,
+        "[    0.000000] Command line: console=ttyS0 reboot=k panic=1 nomodule random.trust_cpu=1 ipv6.disable=1",
+        "[    0.000060] BIOS-provided physical RAM map:",
+        "[    0.000070] ACPI: RSDP 0x00000000000F05B0 000014 (v00 BOCHS )",
+        "[    0.000120] PCI: Using configuration type 1 for base access",
+        "[    0.000240] clocksource: tsc-early: mask: 0xffffffffffffffff",
+        "[    0.000320] ACPI: IRQ0 used by override",
+        "[    0.000420] Initializing cgroup subsys cpuset",
+        "[    0.000440] Initializing cgroup subsys cpu",
+        "[    0.000450] Initializing cgroup subsys cpuacct",
+        "[    0.000460] Linux agpgart interface v0.103",
+        "[    0.000480] PCI: pci_cache_line_size set to 64 bytes",
+        "[    0.000510] virtio-pci 0000:00:01.0: runtime IRQs not yet assigned",
+        "[    0.000680] NET: Registered PF_INET6 protocol family",
+        "[    0.000720] Freeing unused kernel image (initmem) memory",
+        "[    0.000760] Write protecting the kernel read-only data",
+        "[    0.000800] Run /sbin/init as init process",
+        "[    0.001200] systemd[1]: Detected virtualization kvm",
+        "[    0.001300] systemd[1]: Detected architecture x86-64",
+        "[    0.002000] systemd[1]: Starting Fortune GNU/Linux...",
+        "[    0.003000] systemd[1]: Started Journal Service",
+        "[    0.010000] EXT4-fs (vda): mounted filesystem",
+        "[    0.020000] systemd[1]: Reached target Basic System",
+        "[    0.030000] systemd[1]: Started Login Service",
     ].join("\n")}\n`);
     ensureFile(vfs, "/proc/boot/version", `Linux ${props.kernel} (virtual)\n`);
 }
@@ -238,89 +510,243 @@ export function refreshProc(vfs, props, hostname, shellStartTime, sessions = [])
     const totalMemKb = Math.floor(os.totalmem() / 1024);
     const freeMemKb = Math.floor(os.freemem() / 1024);
     const availMemKb = Math.floor(freeMemKb * 0.95);
+    const buffersKb = Math.floor(totalMemKb * 0.03);
+    const cachedKb = Math.floor(totalMemKb * 0.08);
+    const shmemKb = Math.floor(totalMemKb * 0.005);
+    const slabKb = Math.floor(totalMemKb * 0.02);
+    const pageTablesKb = Math.floor(totalMemKb * 0.001);
     write(vfs, "/proc/meminfo", `${[
         `MemTotal:       ${String(totalMemKb).padStart(10)} kB`,
         `MemFree:        ${String(freeMemKb).padStart(10)} kB`,
         `MemAvailable:   ${String(availMemKb).padStart(10)} kB`,
-        `Buffers:        ${String(Math.floor(totalMemKb * 0.02)).padStart(10)} kB`,
-        `Cached:         ${String(Math.floor(totalMemKb * 0.15)).padStart(10)} kB`,
-        `SwapTotal:      ${String(Math.floor(totalMemKb * 0.5)).padStart(10)} kB`,
-        `SwapFree:       ${String(Math.floor(totalMemKb * 0.5)).padStart(10)} kB`,
+        `Buffers:        ${String(buffersKb).padStart(10)} kB`,
+        `Cached:         ${String(cachedKb).padStart(10)} kB`,
+        `SwapCached:     ${String(0).padStart(10)} kB`,
+        `Active:         ${String(Math.floor((buffersKb + cachedKb) * 1.2)).padStart(10)} kB`,
+        `Inactive:       ${String(Math.floor(cachedKb * 0.6)).padStart(10)} kB`,
+        `Active(anon):   ${String(Math.floor(totalMemKb * 0.001)).padStart(10)} kB`,
+        `Inactive(anon): ${String(Math.floor(totalMemKb * 0.006)).padStart(10)} kB`,
+        `Active(file):   ${String(Math.floor(cachedKb * 1.2)).padStart(10)} kB`,
+        `Inactive(file): ${String(Math.floor(cachedKb * 0.6)).padStart(10)} kB`,
+        `Unevictable:    ${String(0).padStart(10)} kB`,
+        `Mlocked:        ${String(0).padStart(10)} kB`,
+        `SwapTotal:      ${String(0).padStart(10)} kB`,
+        `SwapFree:       ${String(0).padStart(10)} kB`,
+        `Zswap:          ${String(0).padStart(10)} kB`,
+        `Zswapped:       ${String(0).padStart(10)} kB`,
+        `Dirty:          ${String(Math.floor(Math.random() * 64)).padStart(10)} kB`,
+        `Writeback:      ${String(0).padStart(10)} kB`,
+        `AnonPages:      ${String(Math.floor(totalMemKb * 0.001)).padStart(10)} kB`,
+        `Mapped:         ${String(Math.floor(cachedKb * 0.4)).padStart(10)} kB`,
+        `Shmem:          ${String(shmemKb).padStart(10)} kB`,
+        `KReclaimable:   ${String(Math.floor(slabKb * 0.6)).padStart(10)} kB`,
+        `Slab:           ${String(slabKb).padStart(10)} kB`,
+        `SReclaimable:   ${String(Math.floor(slabKb * 0.6)).padStart(10)} kB`,
+        `SUnreclaim:     ${String(Math.floor(slabKb * 0.4)).padStart(10)} kB`,
+        `KernelStack:    ${String(Math.floor(totalMemKb * 0.0005)).padStart(10)} kB`,
+        `PageTables:     ${String(pageTablesKb).padStart(10)} kB`,
+        `NFS_Unstable:   ${String(0).padStart(10)} kB`,
+        `Bounce:         ${String(0).padStart(10)} kB`,
+        `WritebackTmp:   ${String(0).padStart(10)} kB`,
+        `CommitLimit:    ${String(Math.floor(totalMemKb * 0.5)).padStart(10)} kB`,
+        `Committed_AS:   ${String(Math.floor(totalMemKb * 0.05)).padStart(10)} kB`,
+        `VmallocTotal:   ${String(35184372087808 / 1024).padStart(10)} kB`,
+        `VmallocUsed:    ${String(Math.floor(totalMemKb * 0.01)).padStart(10)} kB`,
+        `VmallocChunk:   ${String(0).padStart(10)} kB`,
+        `Percpu:         ${String(Math.floor(totalMemKb * 0.0001)).padStart(10)} kB`,
+        `HardwareCorrupted:  ${String(0).padStart(6)} kB`,
+        `AnonHugePages:  ${String(0).padStart(10)} kB`,
+        `ShmemHugePages: ${String(0).padStart(10)} kB`,
+        `ShmemPmdMapped: ${String(0).padStart(10)} kB`,
+        `FileHugePages:  ${String(0).padStart(10)} kB`,
+        `FilePmdMapped:  ${String(0).padStart(10)} kB`,
+        `HugePages_Total:  ${String(0).padStart(8)}`,
+        `HugePages_Free:   ${String(0).padStart(8)}`,
+        `HugePages_Rsvd:   ${String(0).padStart(8)}`,
+        `HugePages_Surp:   ${String(0).padStart(8)}`,
+        `Hugepagesize:   ${String(2048).padStart(10)} kB`,
+        `Hugetlb:        ${String(0).padStart(10)} kB`,
+        `DirectMap4k:    ${String(Math.floor(totalMemKb * 0.02)).padStart(10)} kB`,
+        `DirectMap2M:    ${String(Math.floor(totalMemKb * 0.98)).padStart(10)} kB`,
     ].join("\n")}\n`);
-    // cpuinfo — real host CPU passthrough
+    // cpuinfo — real host CPU passthrough + x86 feature flags matching Firecracker Xeon
     const cpus = os.cpus();
     const cpuLines = [];
     for (let i = 0; i < cpus.length; i++) {
         const c = cpus[i];
         if (!c)
             continue;
-        cpuLines.push(`processor\t: ${i}`, `model name\t: ${c.model}`, `cpu MHz\t\t: ${c.speed.toFixed(3)}`, `cache size\t: 8192 KB`, "");
+        cpuLines.push(`processor\t: ${i}`, `vendor_id\t: GenuineIntel`, `cpu family\t: 6`, `model\t\t: 85`, `model name\t: ${c.model}`, `stepping\t: 7`, `microcode\t: 0x1`, `cpu MHz\t\t: ${c.speed.toFixed(3)}`, `cache size\t: 33792 KB`, `physical id\t: 0`, `siblings\t: ${cpus.length}`, `core id\t\t: ${i}`, `cpu cores\t: ${cpus.length}`, `apicid\t\t: ${i}`, `initial apicid\t: ${i}`, `fpu\t\t: yes`, `fpu_exception\t: yes`, `cpuid level\t: 13`, `wp\t\t: yes`, `flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves arat umip avx512_vnni md_clear arch_capabilities`, `bugs\t\t: spectre_v1 spectre_v2 spec_store_bypass swapgs taa mmio_stale_data retbleed eibrs_pbrsb bhi ibpb_no_ret spectre_v2_user its`, `bogomips\t: ${(c.speed * 2 / 1000).toFixed(2)}`, `clflush size\t: 64`, `cache_alignment\t: 64`, `address sizes\t: 46 bits physical, 48 bits virtual`, `power management:`, "");
     }
     write(vfs, "/proc/cpuinfo", `${cpuLines.join("\n")}\n`);
-    write(vfs, "/proc/version", `Linux version ${props.kernel} (fortune@build) (gcc version 12.2.0) #1 SMP\n`);
+    write(vfs, "/proc/version", `Linux version ${props.kernel} (fortune@nyx-build) (gcc (Fortune 13.3.0-nyx1) 13.3.0, GNU ld (GNU Binutils for Fortune) 2.42) #2 SMP PREEMPT_DYNAMIC\n`);
     write(vfs, "/proc/hostname", `${hostname}\n`);
-    // loadavg — slightly random but bounded
-    const load = (Math.random() * 0.5).toFixed(2);
+    // loadavg
+    const load = (Math.random() * 0.3).toFixed(2);
     const numProcs = 1 + sessions.length;
     write(vfs, "/proc/loadavg", `${load} ${load} ${load} ${numProcs}/${numProcs} 1\n`);
-    // /proc/net stubs
-    ensureDir(vfs, "/proc/net");
-    ensureFile(vfs, "/proc/net/dev", `${[
-        "Inter-|   Receive                                                |  Transmit",
-        " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed",
-        "    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0",
-        "  eth0:  131072    1024    0    0    0     0          0         0    65536     512    0    0    0     0       0          0",
+    // /proc/cmdline — Firecracker boot args
+    write(vfs, "/proc/cmdline", `console=ttyS0 reboot=k panic=1 nomodule random.trust_cpu=1 ipv6.disable=1 swiotlb=noforce rdinit=/process_api init_on_free=1 -- --firecracker-init --addr 0.0.0.0:2024 --max-ws-buffer-size 32768 --block-local-connections\n`);
+    // /proc/filesystems — matching real container
+    write(vfs, "/proc/filesystems", `${[
+        "nodev\tsysfs",
+        "nodev\ttmpfs",
+        "nodev\tbdev",
+        "nodev\tproc",
+        "nodev\tcgroup",
+        "nodev\tcgroup2",
+        "nodev\tcpuset",
+        "nodev\tdevtmpfs",
+        "nodev\tbinfmt_misc",
+        "nodev\tdebugfs",
+        "nodev\tsecurityfs",
+        "nodev\tsockfs",
+        "nodev\tbpf",
+        "nodev\tpipefs",
+        "nodev\tramfs",
+        "nodev\thugetlbfs",
+        "nodev\trpc_pipefs",
+        "nodev\tdevpts",
+        "\text3",
+        "\text2",
+        "\text4",
+        "\tsquashfs",
+        "nodev\tnfs",
+        "nodev\tnfs4",
+        "nodev\tautofs",
+        "\tfuseblk",
+        "nodev\tfuse",
+        "nodev\tfusectl",
+        "nodev\toverlay",
+        "\txfs",
+        "nodev\tmqueue",
+        "nodev\tselinuxfs",
+        "nodev\tpstore",
     ].join("\n")}\n`);
-    ensureFile(vfs, "/proc/net/if_inet6", "");
-    ensureFile(vfs, "/proc/net/tcp", "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n");
-    ensureFile(vfs, "/proc/net/tcp6", "  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n");
-    // /proc/cmdline — kernel boot args
-    write(vfs, "/proc/cmdline", `BOOT_IMAGE=/boot/vmlinuz-${props.kernel} root=/dev/sda2 ro quiet splash\n`);
-    // /proc/filesystems
-    ensureFile(vfs, "/proc/filesystems", `${["nodev\tsysfs", "nodev\ttmpfs", "nodev\tproc", "nodev\tdevtmpfs", "\text4", "\tvfat", "nodev\tsquashfs", "nodev\toverlay"].join("\n")}\n`);
-    // /proc/mounts (= /proc/self/mounts)
+    // /proc/mounts — virtio block device layout
     const mountsContent = `${[
-        "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0",
-        "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0",
-        "devtmpfs /dev devtmpfs rw,nosuid,size=8192k,nr_inodes=4096,mode=755 0 0",
+        "proc /proc proc rw,relatime 0 0",
+        "sysfs /sys sysfs rw,relatime 0 0",
+        "devtmpfs /dev devtmpfs rw,relatime,size=2045672k,nr_inodes=511418,mode=755 0 0",
+        "tmpfs /dev/shm tmpfs rw,relatime 0 0",
+        "devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0",
+        "tmpfs /sys/fs/cgroup tmpfs rw,relatime 0 0",
+        "cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0",
+        "cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct 0 0",
+        "cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory 0 0",
+        "cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices 0 0",
+        "cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer 0 0",
+        "cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio 0 0",
+        "cgroup /sys/fs/cgroup/pids cgroup rw,relatime,pids 0 0",
+        "cgroup2 /sys/fs/cgroup/unified cgroup2 rw,relatime 0 0",
+        "/dev/vda / ext4 rw,relatime,resuid=65534,resgid=65534 0 0",
+        "/dev/vdb /opt/rclone squashfs ro,relatime,errors=continue 0 0",
         "tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=204800k,mode=755 0 0",
         "tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0",
-        "/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0",
-        "/dev/sda1 /boot ext4 rw,relatime 0 0",
-        "tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0",
-        "devpts /dev/pts devpts rw,nosuid,noexec,relatime,mode=620,ptmxmode=000 0 0",
-        "squashfs /snap/core squashfs ro,nodev,relatime 0 0",
     ].join("\n")}\n`;
     write(vfs, "/proc/mounts", mountsContent);
     ensureDir(vfs, "/proc/self");
     write(vfs, "/proc/self/mounts", mountsContent);
-    // /proc/partitions
+    // /proc/net
+    ensureDir(vfs, "/proc/net");
+    write(vfs, "/proc/net/dev", `${[
+        "Inter-|   Receive                                                |  Transmit",
+        " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed",
+        "    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0",
+        "  eth0:  128628    1230    0   19    0     0          0         0 52027469    2045    0    0    0     0       0          0",
+    ].join("\n")}\n`);
+    write(vfs, "/proc/net/if_inet6", "");
+    write(vfs, "/proc/net/tcp", "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n");
+    write(vfs, "/proc/net/tcp6", "  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n");
+    write(vfs, "/proc/net/udp", "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n");
+    write(vfs, "/proc/net/route", "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n" +
+        "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n" +
+        "eth0\t0000A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n");
+    write(vfs, "/proc/net/arp", "IP address       HW type     Flags       HW address            Mask     Device\n");
+    write(vfs, "/proc/net/fib_trie", "Local:\n  +-- 0.0.0.0/0 3 0 5\n");
+    write(vfs, "/proc/net/unix", "Num       RefCount Protocol Flags    Type St Inode Path\n" +
+        "0000000000000000: 00000002 00000000 00010000 0001 01 10000 /run/dbus/system_bus_socket\n");
+    write(vfs, "/proc/net/sockstat", "sockets: used 8\nTCP: inuse 0 orphan 0 tw 0 alloc 0 mem 0\nUDP: inuse 0 mem 0\nUDPLITE: inuse 0\nRAW: inuse 0\nFRAG: inuse 0 memory 0\n");
+    // /proc/partitions — virtio block devices
     write(vfs, "/proc/partitions", `${[
         "major minor  #blocks  name",
         "",
-        "   8        0   41943040 sda",
-        "   8        1     524288 sda1",
-        "   8        2   41417216 sda2",
-        "   7        0   10485760 loop0",
+        " 254        0 268435456 vda",
+        " 254       16      9664 vdb",
+        " 254       32       656 vdc",
+        " 254       48      5464 vdd",
+    ].join("\n")}\n`);
+    // /proc/swaps — no swap (matches real env: SwapTotal 0)
+    write(vfs, "/proc/swaps", "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n");
+    // /proc/diskstats — virtio block device I/O counters
+    write(vfs, "/proc/diskstats", `${[
+        " 254       0 vda 1000 0 8000 500 200 0 1600 100 0 600 600 0 0 0 0",
+        " 254      16 vdb 100 0 800 50 0 0 0 0 0 50 50 0 0 0 0",
+        " 254      32 vdc 50 0 400 25 0 0 0 0 0 25 25 0 0 0 0",
+        " 254      48 vdd 80 0 640 40 0 0 0 0 0 40 40 0 0 0 0",
     ].join("\n")}\n`);
-    // /proc/swaps
-    write(vfs, "/proc/swaps", "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n" +
-        `/dev/sda3\t\t\t\tpartition\t${Math.floor(os.totalmem() / 2048)}\t\t0\t\t-2\n`);
-    // /proc/sys — sysctl virtual tree
+    // /proc/interrupts
+    write(vfs, "/proc/interrupts", `           CPU0\n  0:         ${Math.floor(uptimeSec * 250)}  IO-APIC   2-edge   timer\n  1:             9  IO-APIC   1-edge   i8042\n NMI:             0  Non-maskable interrupts\n ERR:             0\n MIS:             0\n PIN:             0  Posted-interrupt notification event\n NPI:             0  Nested posted-interrupt event\n PIW:             0  Posted-interrupt wakeup event\n`);
+    // /proc/sys — sysctl virtual tree (real values)
     ensureDir(vfs, "/proc/sys");
     ensureDir(vfs, "/proc/sys/kernel");
     ensureDir(vfs, "/proc/sys/net");
+    ensureDir(vfs, "/proc/sys/net/ipv4");
+    ensureDir(vfs, "/proc/sys/net/ipv6");
+    ensureDir(vfs, "/proc/sys/net/core");
     ensureDir(vfs, "/proc/sys/vm");
-    ensureFile(vfs, "/proc/sys/kernel/hostname", `${hostname}\n`);
-    ensureFile(vfs, "/proc/sys/kernel/ostype", "Linux\n");
-    ensureFile(vfs, "/proc/sys/kernel/osrelease", `${props.kernel}\n`);
-    ensureFile(vfs, "/proc/sys/kernel/pid_max", "32768\n");
-    ensureFile(vfs, "/proc/sys/kernel/threads-max", "65536\n");
-    ensureFile(vfs, "/proc/sys/kernel/randomize_va_space", "2\n");
-    ensureFile(vfs, "/proc/sys/kernel/dmesg_restrict", "0\n");
-    ensureFile(vfs, "/proc/sys/net/ipv4/ip_forward", "0\n");
-    ensureFile(vfs, "/proc/sys/vm/swappiness", "60\n");
-    ensureFile(vfs, "/proc/sys/vm/overcommit_memory", "0\n");
+    ensureDir(vfs, "/proc/sys/fs");
+    ensureDir(vfs, "/proc/sys/fs/inotify");
+    write(vfs, "/proc/sys/kernel/hostname", `${hostname}\n`);
+    write(vfs, "/proc/sys/kernel/ostype", "Linux\n");
+    write(vfs, "/proc/sys/kernel/osrelease", `${props.kernel}\n`);
+    write(vfs, "/proc/sys/kernel/pid_max", "32768\n");
+    write(vfs, "/proc/sys/kernel/threads-max", "31968\n");
+    write(vfs, "/proc/sys/kernel/randomize_va_space", "2\n");
+    write(vfs, "/proc/sys/kernel/dmesg_restrict", "0\n");
+    write(vfs, "/proc/sys/kernel/kptr_restrict", "0\n");
+    write(vfs, "/proc/sys/kernel/perf_event_paranoid", "2\n");
+    write(vfs, "/proc/sys/kernel/printk", "4\t4\t1\t7\n");
+    write(vfs, "/proc/sys/kernel/sysrq", "176\n");
+    write(vfs, "/proc/sys/kernel/panic", "1\n");
+    write(vfs, "/proc/sys/kernel/panic_on_oops", "1\n");
+    write(vfs, "/proc/sys/kernel/core_pattern", "core\n");
+    write(vfs, "/proc/sys/kernel/core_uses_pid", "0\n");
+    write(vfs, "/proc/sys/kernel/ngroups_max", "65536\n");
+    write(vfs, "/proc/sys/kernel/cap_last_cap", "40\n");
+    write(vfs, "/proc/sys/kernel/unprivileged_userns_clone", "1\n");
+    write(vfs, "/proc/sys/net/ipv4/ip_forward", "0\n");
+    write(vfs, "/proc/sys/net/ipv4/tcp_syncookies", "1\n");
+    write(vfs, "/proc/sys/net/ipv4/tcp_fin_timeout", "60\n");
+    write(vfs, "/proc/sys/net/ipv4/tcp_keepalive_time", "7200\n");
+    write(vfs, "/proc/sys/net/ipv4/conf/all/rp_filter", "2\n");
+    write(vfs, "/proc/sys/net/ipv6/conf/all/disable_ipv6", "1\n");
+    write(vfs, "/proc/sys/net/core/somaxconn", "4096\n");
+    write(vfs, "/proc/sys/net/core/rmem_max", "212992\n");
+    write(vfs, "/proc/sys/net/core/wmem_max", "212992\n");
+    write(vfs, "/proc/sys/vm/swappiness", "60\n");
+    write(vfs, "/proc/sys/vm/overcommit_memory", "0\n");
+    write(vfs, "/proc/sys/vm/overcommit_ratio", "50\n");
+    write(vfs, "/proc/sys/vm/dirty_ratio", "20\n");
+    write(vfs, "/proc/sys/vm/dirty_background_ratio", "10\n");
+    write(vfs, "/proc/sys/vm/min_free_kbytes", "65536\n");
+    write(vfs, "/proc/sys/vm/vfs_cache_pressure", "100\n");
+    write(vfs, "/proc/sys/fs/file-max", "1048576\n");
+    write(vfs, "/proc/sys/fs/inotify/max_user_watches", "524288\n");
+    write(vfs, "/proc/sys/fs/inotify/max_user_instances", "512\n");
+    write(vfs, "/proc/sys/fs/inotify/max_queued_events", "16384\n");
+    // /proc/cgroups — v1 hierarchy
+    write(vfs, "/proc/cgroups", `${[
+        "#subsys_name\thierarchy\tnum_cgroups\tenabled",
+        "cpuset\t5\t1\t1",
+        "cpu\t1\t1\t1",
+        "cpuacct\t2\t1\t1",
+        "blkio\t6\t1\t1",
+        "memory\t3\t1\t1",
+        "devices\t4\t1\t1",
+        "freezer\t7\t1\t1",
+        "pids\t8\t1\t1",
+    ].join("\n")}\n`);
     // init process (PID 1)
     writeProcPid(vfs, 1, "root", "pts/0", "/sbin/init", new Date(shellStartTime).toISOString(), {});
     // per-session processes
@@ -331,19 +757,22 @@ export function refreshProc(vfs, props, hostname, shellStartTime, sessions = [])
             HOME: `/home/${session.username}`,
             TERM: "xterm-256color",
             SHELL: "/bin/bash",
+            LANG: "en_US.UTF-8",
+            PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+            LOGNAME: session.username,
         });
     }
-    // /proc/self — mirror of most recent session, or init
+    // /proc/self — mirror of most recent session
     const selfPid = sessions.length > 0 ? ttyToPid(sessions[sessions.length - 1].tty) : 1;
-    if (vfs.exists("/proc/self")) {
-        try {
-            vfs.remove("/proc/self");
-        }
-        catch { /* ignore */ }
+    try {
+        vfs.remove("/proc/self");
     }
+    catch { /* ignore */ }
     const selfSrc = `/proc/${selfPid}`;
     ensureDir(vfs, "/proc/self");
     ensureDir(vfs, "/proc/self/fd");
+    ensureDir(vfs, "/proc/self/fdinfo");
+    ensureDir(vfs, "/proc/self/net");
     if (vfs.exists(selfSrc)) {
         for (const entry of vfs.list(selfSrc)) {
             const srcPath = `${selfSrc}/${entry}`;
@@ -353,11 +782,10 @@ export function refreshProc(vfs, props, hostname, shellStartTime, sessions = [])
                 if (st.type === "file")
                     write(vfs, dstPath, vfs.readFile(srcPath));
             }
-            catch { /* skip unreadable entries */ }
+            catch { /* skip */ }
         }
     }
     else {
-        // Minimal fallback
         write(vfs, "/proc/self/cmdline", "bash\0");
         write(vfs, "/proc/self/comm", "bash");
         write(vfs, "/proc/self/status", "Name:\tbash\nState:\tS (sleeping)\nPid:\t1\nPPid:\t0\n");
@@ -369,11 +797,70 @@ export function refreshProc(vfs, props, hostname, shellStartTime, sessions = [])
 // ─── /sys ─────────────────────────────────────────────────────────────────────
 function bootstrapSys(vfs, hostname, props) {
     ensureDir(vfs, "/sys");
+    // No real DMI in Firecracker — /sys/devices/virtual/dmi/id does not exist.
+    // Expose /sys/class/net, /sys/fs/cgroup, /sys/kernel only.
     ensureDir(vfs, "/sys/devices");
     ensureDir(vfs, "/sys/devices/virtual");
+    ensureDir(vfs, "/sys/devices/system");
+    ensureDir(vfs, "/sys/devices/system/cpu");
+    ensureDir(vfs, "/sys/devices/system/cpu/cpu0");
+    ensureFile(vfs, "/sys/devices/system/cpu/cpu0/online", "1\n");
+    ensureFile(vfs, "/sys/devices/system/cpu/online", "0\n");
+    ensureFile(vfs, "/sys/devices/system/cpu/possible", "0\n");
+    ensureFile(vfs, "/sys/devices/system/cpu/present", "0\n");
+    ensureDir(vfs, "/sys/devices/system/node");
+    ensureDir(vfs, "/sys/devices/system/node/node0");
+    ensureFile(vfs, "/sys/devices/system/node/node0/cpumap", "1\n");
+    ensureDir(vfs, "/sys/class");
+    ensureDir(vfs, "/sys/class/net");
+    ensureDir(vfs, "/sys/class/net/eth0");
+    ensureFile(vfs, "/sys/class/net/eth0/operstate", "up\n");
+    ensureFile(vfs, "/sys/class/net/eth0/carrier", "1\n");
+    ensureFile(vfs, "/sys/class/net/eth0/mtu", "1500\n");
+    ensureFile(vfs, "/sys/class/net/eth0/speed", "10000\n");
+    ensureFile(vfs, "/sys/class/net/eth0/duplex", "full\n");
+    ensureFile(vfs, "/sys/class/net/eth0/address", "aa:bb:cc:dd:ee:ff\n");
+    ensureFile(vfs, "/sys/class/net/eth0/tx_queue_len", "1000\n");
+    const seed = fnv1a(hostname);
+    const macSeed = seed.toString(16).padStart(8, "0");
+    ensureFile(vfs, "/sys/class/net/eth0/address", `52:54:00:${macSeed.slice(0, 2)}:${macSeed.slice(2, 4)}:${macSeed.slice(4, 6)}\n`);
+    ensureDir(vfs, "/sys/class/net/lo");
+    ensureFile(vfs, "/sys/class/net/lo/operstate", "unknown\n");
+    ensureFile(vfs, "/sys/class/net/lo/carrier", "1\n");
+    ensureFile(vfs, "/sys/class/net/lo/mtu", "65536\n");
+    ensureFile(vfs, "/sys/class/net/lo/address", "00:00:00:00:00:00\n");
+    ensureDir(vfs, "/sys/class/block");
+    ensureDir(vfs, "/sys/class/block/vda");
+    ensureFile(vfs, "/sys/class/block/vda/size", "536870912\n");
+    ensureFile(vfs, "/sys/class/block/vda/ro", "0\n");
+    ensureFile(vfs, "/sys/class/block/vda/removable", "0\n");
+    // cgroup fs
+    ensureDir(vfs, "/sys/fs");
+    ensureDir(vfs, "/sys/fs/cgroup");
+    for (const subsys of ["cpu", "cpuacct", "memory", "devices", "blkio", "pids", "freezer", "unified"]) {
+        ensureDir(vfs, `/sys/fs/cgroup/${subsys}`);
+        if (subsys !== "unified") {
+            ensureFile(vfs, `/sys/fs/cgroup/${subsys}/tasks`, "1\n");
+            ensureFile(vfs, `/sys/fs/cgroup/${subsys}/notify_on_release`, "0\n");
+            ensureFile(vfs, `/sys/fs/cgroup/${subsys}/release_agent`, "");
+        }
+    }
+    ensureFile(vfs, "/sys/fs/cgroup/memory/memory.limit_in_bytes", `${os.totalmem()}\n`);
+    ensureFile(vfs, "/sys/fs/cgroup/memory/memory.usage_in_bytes", `${os.totalmem() - os.freemem()}\n`);
+    ensureFile(vfs, "/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes", `${os.totalmem()}\n`);
+    ensureFile(vfs, "/sys/fs/cgroup/cpu/cpu.cfs_period_us", "100000\n");
+    ensureFile(vfs, "/sys/fs/cgroup/cpu/cpu.cfs_quota_us", "-1\n");
+    ensureFile(vfs, "/sys/fs/cgroup/cpu/cpu.shares", "1024\n");
+    ensureDir(vfs, "/sys/kernel");
+    ensureFile(vfs, "/sys/kernel/hostname", `${hostname}\n`);
+    ensureFile(vfs, "/sys/kernel/osrelease", `${props.kernel}\n`);
+    ensureFile(vfs, "/sys/kernel/ostype", "Linux\n");
+    // security
+    ensureDir(vfs, "/sys/kernel/security");
+    // Still; we will create virtual dmi
+    ensureDir(vfs, "/sys/devices/virtual");
     ensureDir(vfs, "/sys/devices/virtual/dmi");
     ensureDir(vfs, "/sys/devices/virtual/dmi/id");
-    const seed = fnv1a(hostname);
     const product = `VirtualNode-${(seed % 10000).toString().padStart(4, "0")}`;
     // Full DMI table — deterministic, seeded from hostname
     const dmi = {
@@ -405,34 +892,62 @@ function bootstrapSys(vfs, hostname, props) {
 // ─── /dev ─────────────────────────────────────────────────────────────────────
 function bootstrapDev(vfs) {
     ensureDir(vfs, "/dev");
-    // character devices
+    // character devices — matching real Firecracker container
     ensureFile(vfs, "/dev/null", "", 0o666);
     ensureFile(vfs, "/dev/zero", "", 0o666);
     ensureFile(vfs, "/dev/full", "", 0o666);
     ensureFile(vfs, "/dev/random", "", 0o444);
     ensureFile(vfs, "/dev/urandom", "", 0o444);
     ensureFile(vfs, "/dev/mem", "", 0o640);
+    ensureFile(vfs, "/dev/port", "", 0o640);
+    ensureFile(vfs, "/dev/kmsg", "", 0o660);
+    ensureFile(vfs, "/dev/hwrng", "", 0o660);
+    ensureFile(vfs, "/dev/fuse", "", 0o660);
+    ensureFile(vfs, "/dev/autofs", "", 0o660);
+    ensureFile(vfs, "/dev/userfaultfd", "", 0o660);
+    ensureFile(vfs, "/dev/cpu_dma_latency", "", 0o660);
+    ensureFile(vfs, "/dev/ptp0", "", 0o660);
+    // snapshot (KVM-specific)
+    ensureFile(vfs, "/dev/snapshot", "", 0o660);
     // terminal devices
     ensureFile(vfs, "/dev/console", "", 0o600);
     ensureFile(vfs, "/dev/tty", "", 0o666);
-    ensureFile(vfs, "/dev/tty0", "", 0o620);
-    ensureFile(vfs, "/dev/tty1", "", 0o620);
     ensureFile(vfs, "/dev/ttyS0", "", 0o660);
-    // loop devices
+    ensureFile(vfs, "/dev/ptmx", "", 0o666);
+    // tty0–63 (like real env)
+    for (let i = 0; i <= 63; i++) {
+        ensureFile(vfs, `/dev/tty${i}`, "", 0o620);
+    }
+    // vcs devices
+    ensureFile(vfs, "/dev/vcs", "", 0o620);
+    ensureFile(vfs, "/dev/vcs1", "", 0o620);
+    ensureFile(vfs, "/dev/vcsa", "", 0o620);
+    ensureFile(vfs, "/dev/vcsa1", "", 0o620);
+    ensureFile(vfs, "/dev/vcsu", "", 0o620);
+    ensureFile(vfs, "/dev/vcsu1", "", 0o620);
+    // loop devices (0–7)
     for (let i = 0; i < 8; i++) {
         ensureFile(vfs, `/dev/loop${i}`, "", 0o660);
     }
     ensureDir(vfs, "/dev/loop-control");
-    // block device stubs (sda + partitions)
-    ensureFile(vfs, "/dev/sda", "", 0o660);
-    ensureFile(vfs, "/dev/sda1", "", 0o660);
-    ensureFile(vfs, "/dev/sda2", "", 0o660);
+    // virtio block devices (vda–vdd matching mounts)
+    ensureFile(vfs, "/dev/vda", "", 0o660);
+    ensureFile(vfs, "/dev/vdb", "", 0o660);
+    ensureFile(vfs, "/dev/vdc", "", 0o660);
+    ensureFile(vfs, "/dev/vdd", "", 0o660);
+    // network tun
+    ensureDir(vfs, "/dev/net");
+    ensureFile(vfs, "/dev/net/tun", "", 0o660);
     // misc
     ensureDir(vfs, "/dev/pts");
     ensureDir(vfs, "/dev/shm");
+    ensureDir(vfs, "/dev/cpu");
     ensureFile(vfs, "/dev/stdin", "", 0o666);
     ensureFile(vfs, "/dev/stdout", "", 0o666);
     ensureFile(vfs, "/dev/stderr", "", 0o666);
+    ensureDir(vfs, "/dev/fd");
+    ensureFile(vfs, "/dev/vga_arbiter", "", 0o660);
+    ensureFile(vfs, "/dev/vsock", "", 0o660);
 }
 // ─── /usr ─────────────────────────────────────────────────────────────────────
 function bootstrapUsr(vfs) {
@@ -443,12 +958,30 @@ function bootstrapUsr(vfs) {
     ensureDir(vfs, "/usr/local/bin");
     ensureDir(vfs, "/usr/local/lib");
     ensureDir(vfs, "/usr/local/share");
+    ensureDir(vfs, "/usr/local/include");
+    ensureDir(vfs, "/usr/local/sbin");
     ensureDir(vfs, "/usr/share");
     ensureDir(vfs, "/usr/share/doc");
     ensureDir(vfs, "/usr/share/man");
     ensureDir(vfs, "/usr/share/man/man1");
+    ensureDir(vfs, "/usr/share/man/man5");
+    ensureDir(vfs, "/usr/share/man/man8");
+    ensureDir(vfs, "/usr/share/common-licenses");
+    ensureDir(vfs, "/usr/share/ca-certificates");
+    ensureDir(vfs, "/usr/share/zoneinfo");
     ensureDir(vfs, "/usr/lib");
-    // Stubs so `which` can resolve built-in commands
+    ensureDir(vfs, "/usr/lib/x86_64-linux-gnu");
+    ensureDir(vfs, "/usr/lib/python3");
+    ensureDir(vfs, "/usr/lib/python3/dist-packages");
+    ensureDir(vfs, "/usr/lib/python3.12");
+    ensureDir(vfs, "/usr/lib/jvm");
+    ensureDir(vfs, "/usr/lib/jvm/java-21-openjdk-amd64");
+    ensureDir(vfs, "/usr/lib/jvm/java-21-openjdk-amd64/bin");
+    ensureDir(vfs, "/usr/lib/node_modules");
+    ensureDir(vfs, "/usr/lib/node_modules/npm");
+    ensureDir(vfs, "/usr/include");
+    ensureDir(vfs, "/usr/src");
+    // builtins — all bins present in the real container
     const builtins = [
         "sh", "bash", "ls", "cat", "echo", "grep", "find", "sort",
         "head", "tail", "cut", "tr", "sed", "awk", "wc", "tee",
@@ -457,50 +990,433 @@ function bootstrapUsr(vfs) {
         "hostname", "uname", "ps", "kill", "df", "du", "curl", "wget",
         "nano", "diff", "uniq", "xargs", "base64",
     ];
+    // From a real container
+    // const builtins = [
+    // 	// core
+    // 	"sh", "bash", "dash",
+    // 	"ls", "cat", "echo", "grep", "find", "sort",
+    // 	"head", "tail", "cut", "tr", "sed", "awk", "mawk", "gawk",
+    // 	"wc", "tee", "tar", "gzip", "gunzip", "bzip2", "xz",
+    // 	"touch", "mkdir", "rm", "mv", "cp", "ln", "pwd",
+    // 	"chmod", "chown", "chgrp", "env", "date", "sleep",
+    // 	"id", "whoami", "hostname", "uname", "ps", "kill",
+    // 	"df", "du", "dd", "stat", "file",
+    // 	// net
+    // 	"curl", "wget", "nc", "netcat", "ss", "ip",
+    // 	// editors
+    // 	"nano", "vi",
+    // 	// text
+    // 	"diff", "uniq", "xargs", "base64", "md5sum", "sha256sum",
+    // 	"strings", "hexdump", "od", "column", "fmt", "paste",
+    // 	"join", "comm", "split", "csplit", "fold", "expand",
+    // 	// archive
+    // 	"zip", "unzip",
+    // 	// process
+    // 	"top", "htop", "free", "uptime", "dmesg", "lsof",
+    // 	"strace", "ltrace", "pgrep", "pkill", "nohup", "nice",
+    // 	// fs
+    // 	"mount", "umount", "lsblk", "fdisk", "blkid", "e2fsck",
+    // 	// misc
+    // 	"bc", "expr", "seq", "yes", "true", "false", "test",
+    // 	"readlink", "realpath", "dirname", "basename", "mktemp",
+    // 	"install", "make",
+    // 	// dev tools
+    // 	"gcc", "gcc-13", "g++", "g++-13", "cpp", "as", "ld",
+    // 	"ar", "nm", "objdump", "objcopy", "strip", "size",
+    // 	"cc", "c++", "pkg-config",
+    // 	// package
+    // 	"apt", "apt-get", "apt-cache", "dpkg", "dpkg-query",
+    // 	"lsb_release", "add-apt-repository",
+    // 	// scripting
+    // 	"perl", "python3", "python3.12", "pipx",
+    // 	// node/npm
+    // 	"node", "npm", "npx",
+    // 	// java
+    // 	"java", "javac", "jar", "javadoc",
+    // 	// security
+    // 	"openssl", "gpg", "gpg2", "gpgv", "ssh", "ssh-keygen",
+    // 	"sudo", "su", "passwd", "adduser", "useradd",
+    // 	// misc system
+    // 	"systemctl", "journalctl", "loginctl",
+    // 	"timedatectl", "localectl",
+    // 	"lshw", "lscpu", "lsusb", "lspci",
+    // 	// text proc
+    // 	"jq", "xmllint", "pandoc",
+    // 	// multimedia
+    // 	"ffmpeg",
+    // ];
     for (const bin of builtins) {
         ensureFile(vfs, `/usr/bin/${bin}`, `#!/bin/sh\nexec builtin ${bin} "$@"\n`, 0o755);
     }
-    ensureFile(vfs, "/usr/bin/lsb_release", '#!/bin/sh\nexec lsb_release "$@"\n', 0o755);
+    // sbin equivalents
+    const sbins = [
+        "nologin", "useradd", "userdel", "groupadd", "groupdel",
+        "adduser", "deluser", "shutdown", "reboot", "halt",
+        "init", "service", "update-alternatives", "update-rc.d",
+        "depmod", "modprobe", "insmod", "rmmod", "lsmod",
+        "ifconfig", "route", "iptables", "ip6tables",
+        "arp", "iwconfig", "ethtool",
+        "fdisk", "parted", "mkfs.ext4", "fsck",
+        "ldconfig", "ldconfig.real",
+    ];
+    for (const bin of sbins) {
+        ensureFile(vfs, `/usr/sbin/${bin}`, `#!/bin/sh\nexec builtin ${bin} "$@"\n`, 0o755);
+    }
+    // versioned python symlink stubs
+    ensureFile(vfs, "/usr/bin/python3.12", `#!/bin/sh\nexec python3 "$@"\n`, 0o755);
+    ensureFile(vfs, "/usr/bin/python3", `#!/bin/sh\nexec python3.12 "$@"\n`, 0o755);
+    // node version stubs
+    ensureFile(vfs, "/usr/bin/node", `#!/bin/sh\nexec node "$@"\n`, 0o755);
+    ensureFile(vfs, "/usr/bin/npm", `#!/bin/sh\nexec npm "$@"\n`, 0o755);
+    ensureFile(vfs, "/usr/bin/npx", `#!/bin/sh\nexec npx "$@"\n`, 0o755);
+    // java stubs
+    ensureFile(vfs, "/usr/lib/jvm/java-21-openjdk-amd64/bin/java", `#!/bin/sh\nexec java "$@"\n`, 0o755);
+    ensureFile(vfs, "/usr/lib/jvm/java-21-openjdk-amd64/bin/javac", `#!/bin/sh\nexec javac "$@"\n`, 0o755);
+    // /usr/share/common-licenses stubs
+    ensureFile(vfs, "/usr/share/common-licenses/GPL-2", "GNU General Public License v2\n");
+    ensureFile(vfs, "/usr/share/common-licenses/GPL-3", "GNU General Public License v3\n");
+    ensureFile(vfs, "/usr/share/common-licenses/LGPL-2.1", "GNU Lesser General Public License v2.1\n");
+    ensureFile(vfs, "/usr/share/common-licenses/Apache-2.0", "Apache License 2.0\n");
+    ensureFile(vfs, "/usr/share/common-licenses/MIT", "MIT License\n");
 }
 // ─── /var ─────────────────────────────────────────────────────────────────────
+/** Realistic dpkg status database from real container package list */
+const DPKG_STATUS = `\
+Package: bash
+Status: install ok installed
+Priority: required
+Section: shells
+Installed-Size: 7012
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 5.2.21-2nyx1
+Depends: base-files (>= 2.1.12), fortune-utils (>= 1.0)
+Description: GNU Bourne Again SHell
+ bash is an sh-compatible command language interpreter that executes commands
+ read from the standard input or from a file.
+
+Package: coreutils
+Status: install ok installed
+Priority: required
+Section: utils
+Installed-Size: 18272
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 9.4-3nyx1
+Depends: libacl1 (>= 2.2.23), libattr1 (>= 1:2.4.44), libc6 (>= 2.17)
+Description: GNU core utilities
+ This package contains the basic file, shell and text manipulation utilities.
+
+Package: nodejs
+Status: install ok installed
+Priority: optional
+Section: web
+Installed-Size: 107120
+Maintainer: NodeSource <nodejs@nodesource.com>
+Architecture: amd64
+Version: 22.22.2-1nyx1
+Depends: libc6 (>= 2.17), libgcc-s1 (>= 3.0), libstdc++6 (>= 9.0)
+Description: Node.js event-based server-side javascript engine
+ Node.js is similar in design to and influenced by systems like Ruby's Twisted.
+
+Package: python3
+Status: install ok installed
+Priority: important
+Section: python
+Installed-Size: 68
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 3.12.3-0nyx1
+Depends: python3.12 (>= 3.12.3-0nyx1)
+Description: interactive high-level object-oriented language (default python3)
+ Python, the high-level, interactive object oriented language, includes an
+ extensive class library with lots of goodies for network programming.
+
+Package: python3.12
+Status: install ok installed
+Priority: optional
+Section: python
+Installed-Size: 36
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 3.12.3-1nyx1
+Depends: python3.12-minimal (= 3.12.3-1nyx1), libpython3.12-stdlib
+Description: Interactive high-level object-oriented language (version 3.12)
+ Python is a high-level, interactive, object-oriented language. Its 3.12 version
+ includes an extensive class library.
+
+Package: gcc-13
+Status: install ok installed
+Priority: optional
+Section: devel
+Installed-Size: 70460
+Maintainer: Fortune GCC Maintainers <gcc@fortune.local>
+Architecture: amd64
+Version: 13.3.0-6nyx1
+Depends: cpp-13 (= 13.3.0-6nyx1), gcc-13-base (= 13.3.0-6nyx1)
+Description: GNU C compiler
+ This is the GNU C compiler, a fairly portable optimizing compiler for C.
+
+Package: openjdk-21-jre-headless
+Status: install ok installed
+Priority: optional
+Section: java
+Installed-Size: 174488
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 21.0.10+7-1~nyx
+Depends: libc6 (>= 2.17), libgcc-s1 (>= 3.4)
+Description: OpenJDK Java runtime, using Hotspot JIT (headless)
+ Minimal Java runtime - needed for executing non-graphical Java programs.
+
+Package: curl
+Status: install ok installed
+Priority: standard
+Section: web
+Installed-Size: 544
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 8.5.0-2nyx1
+Depends: libcurl4 (= 8.5.0-2nyx1), zlib1g (>= 1:1.1.4)
+Description: command line tool for transferring data with URL syntax
+ curl is a command line tool for transferring data with URL syntax, supporting
+ DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3,
+ POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
+
+Package: git
+Status: install ok installed
+Priority: optional
+Section: vcs
+Installed-Size: 36552
+Maintainer: Fortune VCS Team <vcs@fortune.local>
+Architecture: amd64
+Version: 1:2.43.0-1nyx1
+Depends: liberror-perl, git-man, libc6 (>= 2.34), libcurl3-gnutls
+Description: fast, scalable, distributed revision control system
+ Git is popular version control system designed to handle very large projects
+ with speed and efficiency; it is used mainly for various open source projects.
+
+Package: openssl
+Status: install ok installed
+Priority: optional
+Section: utils
+Installed-Size: 1320
+Maintainer: Fortune Security Team <security@fortune.local>
+Architecture: amd64
+Version: 3.0.13-0nyx1
+Depends: libssl3 (>= 3.0.13)
+Description: Secure Sockets Layer toolkit - cryptographic utility
+ This package is part of the OpenSSL project's implementation of the SSL and TLS
+ cryptographic protocols and related technologies.
+
+Package: wget
+Status: install ok installed
+Priority: standard
+Section: web
+Installed-Size: 1100
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 1.21.4-1nyx1
+Depends: libc6 (>= 2.17), libgnutls30 (>= 3.7.9), libidn2-0 (>= 2.0.0)
+Description: retrieves files from the web
+ GNU Wget is a program for retrieving files from the web, supporting the HTTP,
+ HTTPS and FTP protocols.
+
+Package: make
+Status: install ok installed
+Priority: optional
+Section: devel
+Installed-Size: 556
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 4.3-4.1nyx1
+Depends: libc6 (>= 2.17)
+Description: utility for directing compilation
+ GNU Make is a utility which controls the generation of executables and other
+ target files of a program from the program's source files.
+
+Package: ffmpeg
+Status: install ok installed
+Priority: optional
+Section: video
+Installed-Size: 2184
+Maintainer: Fortune Multimedia Team <multimedia@fortune.local>
+Architecture: amd64
+Version: 7:6.1.1-3nyx1
+Depends: libavcodec60, libavdevice60, libavfilter9, libavformat60, libavutil58
+Description: Tools for transcoding, streaming and playing of multimedia files
+ FFmpeg is a complete, cross-platform solution to record, convert and stream
+ audio and video.
+
+Package: pandoc
+Status: install ok installed
+Priority: optional
+Section: text
+Installed-Size: 96248
+Maintainer: Fortune Haskell Group <haskell@fortune.local>
+Architecture: amd64
+Version: 3.1.3+ds-2
+Depends: libgmp10, libgcc-s1, libffi8
+Description: general markup converter
+ Pandoc is a Haskell library for converting from one markup format to another.
+
+Package: tesseract-ocr
+Status: install ok installed
+Priority: optional
+Section: graphics
+Installed-Size: 1736
+Maintainer: Fortune OCR Team <ocr@fortune.local>
+Architecture: amd64
+Version: 5.3.4-1build5
+Depends: libc6 (>= 2.14), libleptonica-dev
+Description: Tesseract Open Source OCR Engine
+ Tesseract is an Open Source OCR Engine, originally developed by HP and now
+ sponsored by Google.
+
+Package: dpkg
+Status: install ok installed
+Priority: required
+Section: admin
+Installed-Size: 6800
+Maintainer: Fortune Package Team <dpkg@fortune.local>
+Architecture: amd64
+Version: 1.22.6nyx1
+Depends: libc6 (>= 2.17), libzstd1 (>= 1.5.5)
+Description: Fortune package management system
+ This package provides the low-level infrastructure for handling the
+ installation and removal of Fortune software packages.
+
+Package: apt
+Status: install ok installed
+Priority: important
+Section: admin
+Installed-Size: 4236
+Maintainer: Fortune Package Team <apt@fortune.local>
+Architecture: amd64
+Version: 2.8.3nyx1
+Depends: libapt-pkg6.0 (>= 2.8.3), adduser, gpgv
+Description: commandline package manager
+ This package provides commandline tools for searching and managing as well as
+ querying information about packages as a low-level access to all features of
+ the libapt-pkg library.
+
+Package: systemd
+Status: install ok installed
+Priority: optional
+Section: admin
+Installed-Size: 36476
+Maintainer: Fortune System Team <systemd@fortune.local>
+Architecture: amd64
+Version: 255.4-1nyx1
+Depends: libacl1 (>= 2.2.23), libblkid1 (>= 2.24), libc6 (>= 2.39)
+Description: system and service manager
+ systemd is a system and service manager for Linux. It provides aggressive
+ parallelization capabilities, uses socket and D-Bus activation for starting
+ services, offers on-demand starting of daemons, keeps track of processes using
+ Linux cgroups, maintains mount and automount points, and implements an
+ elaborate transactional dependency-based service control logic.
+
+Package: nano
+Status: install ok installed
+Priority: important
+Section: editors
+Installed-Size: 888
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 7.2-2
+Depends: libc6 (>= 2.17), libncursesw6 (>= 6)
+Description: small, friendly text editor inspired by Pico
+ GNU nano is an easy-to-use text editor originally designed as a replacement
+ for Pico, the ncurses-based editor from the non-free mailer package Pine.
+
+Package: less
+Status: install ok installed
+Priority: important
+Section: text
+Installed-Size: 344
+Maintainer: Fortune Maintainers <maintainers@fortune.local>
+Architecture: amd64
+Version: 1:640-2build2
+Depends: libc6 (>= 2.17), libtinfo6 (>= 6)
+Description: pager program similar to more
+ This package provides the \`less\` command, which is similar to more but allows
+ you to move backwards through the file.
+
+`;
 function bootstrapVar(vfs) {
     ensureDir(vfs, "/var");
     ensureDir(vfs, "/var/log");
     ensureDir(vfs, "/var/log/apt");
+    ensureDir(vfs, "/var/log/journal");
+    ensureDir(vfs, "/var/log/private");
     ensureDir(vfs, "/var/tmp");
     ensureDir(vfs, "/var/cache");
     ensureDir(vfs, "/var/cache/apt");
     ensureDir(vfs, "/var/cache/apt/archives");
+    ensureDir(vfs, "/var/cache/apt/archives/partial");
+    ensureDir(vfs, "/var/cache/debconf");
+    ensureDir(vfs, "/var/cache/ldconfig");
+    ensureDir(vfs, "/var/cache/fontconfig");
+    ensureDir(vfs, "/var/cache/PackageKit");
     ensureDir(vfs, "/var/lib");
     ensureDir(vfs, "/var/lib/apt");
     ensureDir(vfs, "/var/lib/apt/lists");
+    ensureDir(vfs, "/var/lib/apt/lists/partial");
     ensureDir(vfs, "/var/lib/dpkg");
     ensureDir(vfs, "/var/lib/dpkg/info");
+    ensureDir(vfs, "/var/lib/dpkg/updates");
+    ensureDir(vfs, "/var/lib/dpkg/alternatives");
     ensureDir(vfs, "/var/lib/misc");
+    ensureDir(vfs, "/var/lib/systemd");
+    ensureDir(vfs, "/var/lib/systemd/coredump");
+    ensureDir(vfs, "/var/lib/pam");
+    ensureDir(vfs, "/var/lib/git");
+    ensureDir(vfs, "/var/lib/PackageKit");
+    ensureDir(vfs, "/var/lib/python");
     ensureDir(vfs, "/var/spool");
     ensureDir(vfs, "/var/spool/cron");
+    ensureDir(vfs, "/var/spool/mail");
     ensureDir(vfs, "/var/mail");
-    // dpkg status — starts empty, VirtualPackageManager populates it
-    ensureFile(vfs, "/var/lib/dpkg/status", "");
+    ensureDir(vfs, "/var/backups");
+    ensureDir(vfs, "/var/www");
+    // dpkg status — realistic package database
+    ensureFile(vfs, "/var/lib/dpkg/status", DPKG_STATUS);
     ensureFile(vfs, "/var/lib/dpkg/available", "");
+    ensureFile(vfs, "/var/lib/dpkg/lock", "");
+    ensureFile(vfs, "/var/lib/dpkg/lock-frontend", "");
+    // apt state
+    ensureFile(vfs, "/var/lib/apt/lists/lock", "");
+    ensureFile(vfs, "/var/cache/apt/pkgcache.bin", "");
+    ensureFile(vfs, "/var/cache/apt/srcpkgcache.bin", "");
     // syslog stubs
-    ensureFile(vfs, "/var/log/syslog", `${new Date().toUTCString()} fortune kernel: Virtual container started\n`);
+    ensureFile(vfs, "/var/log/syslog", `${new Date().toUTCString()} ${""} kernel: Virtual container started\n`);
     ensureFile(vfs, "/var/log/auth.log", "");
     ensureFile(vfs, "/var/log/kern.log", "");
     ensureFile(vfs, "/var/log/dpkg.log", "");
     ensureFile(vfs, "/var/log/apt/history.log", "");
     ensureFile(vfs, "/var/log/apt/term.log", "");
-    // /run — systemd tmpfs runtime dir (canonical on modern Debian)
-    // /var/run is a legacy symlink to /run
+    ensureFile(vfs, "/var/log/faillog", "");
+    ensureFile(vfs, "/var/log/lastlog", "");
+    ensureFile(vfs, "/var/log/wtmp", "");
+    ensureFile(vfs, "/var/log/btmp", "");
+    ensureFile(vfs, "/var/log/alternatives.log", "");
+    // /run
     ensureDir(vfs, "/run");
     ensureDir(vfs, "/run/lock");
+    ensureDir(vfs, "/run/lock/subsys");
     ensureDir(vfs, "/run/systemd");
+    ensureDir(vfs, "/run/systemd/ask-password");
+    ensureDir(vfs, "/run/systemd/sessions");
+    ensureDir(vfs, "/run/systemd/users");
     ensureDir(vfs, "/run/user");
+    ensureDir(vfs, "/run/dbus");
+    ensureDir(vfs, "/run/adduser");
     ensureFile(vfs, "/run/utmp", "");
+    ensureFile(vfs, "/run/dbus/system_bus_socket", "");
 }
 // ─── /bin + /sbin symlinks ────────────────────────────────────────────────────
 function bootstrapBin(vfs) {
-    // Modern Debian: /bin and /sbin are symlinks to /usr/bin and /usr/sbin
+    // Modern Fortune Nyx: /bin and /sbin are symlinks to /usr/bin and /usr/sbin
     if (!vfs.exists("/bin"))
         vfs.symlink("/usr/bin", "/bin");
     if (!vfs.exists("/sbin"))
@@ -512,51 +1428,64 @@ function bootstrapBin(vfs) {
     ensureDir(vfs, "/lib64");
     ensureDir(vfs, "/lib/x86_64-linux-gnu");
     ensureDir(vfs, "/lib/modules");
+    // lib64 symlink (standard on x86_64)
+    if (!vfs.exists("/lib64/ld-linux-x86-64.so.2")) {
+        ensureFile(vfs, "/lib64/ld-linux-x86-64.so.2", "", 0o755);
+    }
 }
 // ─── /tmp ─────────────────────────────────────────────────────────────────────
 function bootstrapTmp(vfs) {
     ensureDir(vfs, "/tmp", 0o1777);
+    // node compile cache dir (present in real env)
+    ensureDir(vfs, "/tmp/node-compile-cache", 0o1777);
 }
 // ─── /root home ───────────────────────────────────────────────────────────────
 function bootstrapRoot(vfs) {
     ensureDir(vfs, "/root", 0o700);
+    ensureDir(vfs, "/root/.ssh", 0o700);
+    ensureDir(vfs, "/root/.config", 0o755);
+    ensureDir(vfs, "/root/.config/pip", 0o755);
+    ensureDir(vfs, "/root/.local", 0o755);
+    ensureDir(vfs, "/root/.local/share", 0o755);
     ensureFile(vfs, "/root/.bashrc", `${[
         "# root .bashrc",
         "export PS1='\\[\\033[0;31m\\]\\u@\\h\\[\\033[0m\\]:\\[\\033[0;34m\\]\\w\\[\\033[0m\\]# '",
         "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "export LANG=en_US.UTF-8",
         "alias ll='ls -la'",
         "alias la='ls -A'",
+        "alias l='ls -CF'",
     ].join("\n")}\n`);
     ensureFile(vfs, "/root/.profile", "[ -f ~/.bashrc ] && . ~/.bashrc\n");
+    ensureFile(vfs, "/root/.bash_logout", "# ~/.bash_logout\n");
+    ensureFile(vfs, "/root/.config/pip/pip.conf", "[global]\nbreak-system-packages = true\n");
 }
-// ─── /opt /srv /mnt /media /home ─────────────────────────────────────────────
+// ─── /opt /srv /mnt /media ────────────────────────────────────────────────────
 function bootstrapMisc(vfs, props) {
     ensureDir(vfs, "/opt");
+    ensureDir(vfs, "/opt/rclone");
     ensureDir(vfs, "/srv");
     ensureDir(vfs, "/mnt");
     ensureDir(vfs, "/media");
-    ensureDir(vfs, "/home");
-    // /boot — grub + kernel images
+    // /boot — no kernel images in Firecracker containers (kernel is external),
+    // but maintain the directory structure for tool compatibility
     ensureDir(vfs, "/boot");
     ensureDir(vfs, "/boot/grub");
-    ensureDir(vfs, "/boot/grub/grub.cfg.d");
     ensureFile(vfs, "/boot/grub/grub.cfg", `${[
         "# GRUB configuration (virtual)",
         "set default=0",
-        "set timeout=5",
+        "set timeout=0",
         "",
         `menuentry "Fortune GNU/Linux" {`,
-        `  linux   /vmlinuz root=/dev/sda2 ro quiet splash`,
-        `  initrd  /initrd.img`,
+        `  linux   /vmlinuz-${props.kernel} root=/dev/vda rw console=ttyS0`,
+        `  initrd  /initrd.img-${props.kernel}`,
         `}`,
     ].join("\n")}\n`);
-    // kernel + initrd stubs in /boot
     const kver = props.kernel;
     ensureFile(vfs, `/boot/vmlinuz-${kver}`, "", 0o644);
     ensureFile(vfs, `/boot/initrd.img-${kver}`, "", 0o644);
     ensureFile(vfs, `/boot/System.map-${kver}`, `${kver} virtual\n`, 0o644);
-    ensureFile(vfs, `/boot/config-${kver}`, `# Linux kernel config ${kver}\n`, 0o644);
-    // root-level symlinks (Debian convention)
+    ensureFile(vfs, `/boot/config-${kver}`, `# Linux kernel config ${kver}\nCONFIG_VIRTIO=y\nCONFIG_VIRTIO_BLK=y\nCONFIG_VIRTIO_NET=y\nCONFIG_KVM_GUEST=y\n`, 0o644);
     if (!vfs.exists("/vmlinuz"))
         vfs.symlink(`/boot/vmlinuz-${kver}`, "/vmlinuz");
     if (!vfs.exists("/vmlinuz.old"))
@@ -565,17 +1494,14 @@ function bootstrapMisc(vfs, props) {
         vfs.symlink(`/boot/initrd.img-${kver}`, "/initrd.img");
     if (!vfs.exists("/initrd.img.old"))
         vfs.symlink(`/boot/initrd.img-${kver}`, "/initrd.img.old");
-    // /snap — snapd mount namespace root
-    ensureDir(vfs, "/snap");
-    ensureDir(vfs, "/snap/bin");
-    // /lost+found — ext4 fsck recovery dir (mode 0o700, root only)
+    // No /snap — not present in Firecracker container
+    // /proc/cmdline confirms: no snapd boot args
+    // /lost+found — ext4 recovery
     ensureDir(vfs, "/lost+found", 0o700);
+    // /home — users managed by bootstrapRoot + syncEtcPasswd
+    ensureDir(vfs, "/home");
 }
 // ── Static rootfs snapshot cache ─────────────────────────────────────────────
-// The static parts of the rootfs (dev, usr, var, bin, tmp, etc, sys, misc)
-// are identical for all shells sharing the same hostname+props.
-// We build them once, serialise to VFSB binary, and clone via decodeVfs()
-// for each new shell — avoiding ~250 JS object allocations per instance.
 const _staticRootfsCache = new Map();
 function _staticCacheKey(hostname, props) {
     return `${hostname}|${props.kernel}|${props.os}|${props.arch}`;
@@ -591,7 +1517,6 @@ export function getStaticRootfsSnapshot(hostname, props) {
     const cached = _staticRootfsCache.get(key);
     if (cached)
         return cached;
-    // Build the static subset into a temporary VFS
     const tmp = new VirtualFileSystem({ mode: "memory" });
     bootstrapEtc(tmp, hostname, props);
     bootstrapSys(tmp, hostname, props);
@@ -619,14 +1544,20 @@ export function getStaticRootfsSnapshot(hostname, props) {
  * @param sessions       Active sessions (for /proc/<pid> population).
  */
 export function bootstrapLinuxRootfs(vfs, users, hostname, props, shellStartTime, sessions = []) {
-    // Fast path: clone the cached static rootfs snapshot (VFSB decode ~0.07ms)
-    // instead of rebuilding ~250 JS objects from scratch each time.
     const snapshot = getStaticRootfsSnapshot(hostname, props);
-    vfs.importRootTree(decodeVfs(snapshot));
-    // Dynamic parts: per-instance data injected after the static clone
-    bootstrapRoot(vfs); // /root home dir + .bashrc
-    refreshProc(vfs, props, hostname, shellStartTime, sessions); // /proc live data
-    syncEtcPasswd(vfs, users); // /etc/passwd|group|shadow
+    const hasRestoredData = vfs.getMode() === "fs" && vfs.exists("/home");
+    if (hasRestoredData) {
+        // Snapshot was already restored — merge static rootfs without
+        // clobbering user files and directories.
+        vfs.mergeRootTree(decodeVfs(snapshot));
+    }
+    else {
+        // Fresh start — replace the empty tree with the full static rootfs.
+        vfs.importRootTree(decodeVfs(snapshot));
+    }
+    bootstrapRoot(vfs);
+    refreshProc(vfs, props, hostname, shellStartTime, sessions);
+    syncEtcPasswd(vfs, users);
 }
 // ─── optional live engine ─────────────────────────────────────────────────────
 /**