chore(deps): update otel/weaver docker tag to v0.24.2

chore(deps): update otel/weaver docker tag to v0.24.1
chore(deps): update otel/weaver docker tag to v0.24.0
2026-06-23 18:00:57 +00:00 · 2026-06-21 21:01:00 +00:00 · 2026-06-20 00:01:07 +00:00 · 2026-06-17 23:01:19 +00:00 · 2026-06-16 17:41:06 +00:00 · 2026-06-16 17:40:58 +00:00
120 changed files with 3763 additions and 1214 deletions
@@ -8,12 +8,17 @@ steps:
      - make check

  - name: xgettext-go
-    image: git.coopcloud.tech/toolshed/drone-xgettext-go:latest
-    settings:
-      keyword: i18n.G
-      keyword_ctx: i18n.GC
-      out: pkg/i18n/locales/abra.pot
-      comments_tag: translators
+    image: golang:1.26
+    environment:
+      GOPRIVATE: coopcloud.tech
+    commands:
+      - go run git.coopcloud.tech/toolshed/xgettext-go@latest
+        -o pkg/i18n/locales/abra.pot
+        --keyword=i18n.G
+        --keyword-ctx=i18n.GC
+        --sort-output
+        --add-comments-tag="translators"
+        $(find . -name "*.go" -not -path "*vendor*" | sort)
    depends_on:
      - make check
    when:
@@ -15,7 +15,7 @@ WORKDIR /app

 RUN CGO_ENABLED=0 make build

-FROM alpine:3.23
+FROM alpine:3.24

 RUN apk add --no-cache \
  ca-certificates \
@@ -1,5 +1,5 @@
 ABRA         := ./cmd/abra
-XGETTEXT     := ./bin/xgettext-go
+XGETTEXT     := go run git.coopcloud.tech/toolshed/xgettext-go@latest
 COMMIT       := $(shell git rev-list -1 HEAD)
 GOPATH       := $(shell go env GOPATH)
 GOVERSION    := 1.26
@@ -62,8 +62,8 @@ update-po:
 	done

 .PHONY: update-pot
-update-pot: $(XGETTEXT)
-	@${XGETTEXT} \
+update-pot:
+	@$(XGETTEXT) \
 		-o pkg/i18n/locales/$(DOMAIN).pot \
 		--keyword=i18n.G \
 		--keyword-ctx=i18n.GC \
@@ -71,11 +71,6 @@ update-pot: $(XGETTEXT)
 		--add-comments-tag="translators" \
 		$$(find . -name "*.go" -not -path "*vendor*" | sort)

-${XGETTEXT}:
-	@mkdir -p ./bin && \
-	wget -O ./bin/xgettext-go https://git.coopcloud.tech/toolshed/xgettext-go/raw/branch/main/xgettext-go && \
-	chmod +x ./bin/xgettext-go
-
 .PHONY: update-pot-po-metadata
 update-pot-po-metadata:
 	@sed -i "s/charset=CHARSET/charset=UTF-8/g" pkg/i18n/locales/*.po pkg/i18n/locales/*.pot
@@ -151,11 +151,12 @@ checkout as-is. Recipe commit hashes are also supported as values for

 		stackName := app.StackName()
 		deployOpts := stack.Deploy{
-			Composefiles: composeFiles,
-			Namespace:    stackName,
-			Prune:        false,
-			ResolveImage: stack.ResolveImageAlways,
-			Detach:       false,
+			Composefiles:     composeFiles,
+			Namespace:        stackName,
+			Prune:            false,
+			ResolveImage:     stack.ResolveImageAlways,
+			Detach:           false,
+			SendRegistryAuth: true,
 		}
 		compose, err := appPkg.GetAppComposeConfig(app.Name, deployOpts, app.Env)
 		if err != nil {
@@ -112,7 +112,11 @@ var AppNewCommand = &cobra.Command{
 				}
 			}

-			if len(recipeVersions) > 0 {
+			if recipeVersion != "" {
+				if _, err := recipe.EnsureVersion(recipeVersion); err != nil {
+					log.Fatal(err)
+				}
+			} else if len(recipeVersions) > 0 {
 				latest := recipeVersions[len(recipeVersions)-1]
 				for tag := range latest {
 					recipeVersion = tag
@@ -166,11 +166,12 @@ beforehand. See "abra app backup" for more.`),

 		stackName := app.StackName()
 		deployOpts := stack.Deploy{
-			Composefiles: composeFiles,
-			Namespace:    stackName,
-			Prune:        false,
-			ResolveImage: stack.ResolveImageAlways,
-			Detach:       false,
+			Composefiles:     composeFiles,
+			Namespace:        stackName,
+			Prune:            false,
+			ResolveImage:     stack.ResolveImageAlways,
+			Detach:           false,
+			SendRegistryAuth: true,
 		}

 		compose, err := appPkg.GetAppComposeConfig(app.Name, deployOpts, app.Env)
@@ -178,11 +178,12 @@ beforehand. See "abra app backup" for more.`),

 		stackName := app.StackName()
 		deployOpts := stack.Deploy{
-			Composefiles: composeFiles,
-			Namespace:    stackName,
-			Prune:        false,
-			ResolveImage: stack.ResolveImageAlways,
-			Detach:       false,
+			Composefiles:     composeFiles,
+			Namespace:        stackName,
+			Prune:            false,
+			ResolveImage:     stack.ResolveImageAlways,
+			Detach:           false,
+			SendRegistryAuth: true,
 		}

 		compose, err := appPkg.GetAppComposeConfig(app.Name, deployOpts, app.Env)
@@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1777954456,
-        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "lastModified": 1778443072,
+        "narHash": "sha256-zi7/fsqM/kFdNuED//4WOCUtezGtKKqRNORjMvfwjnA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "rev": "da5ad661ba4e5ef59ba743f0d112cbc30e474f32",
        "type": "github"
      },
      "original": {
@@ -13,14 +13,14 @@ require (
 	github.com/docker/cli v28.4.0+incompatible
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/docker/go-units v0.5.0
-	github.com/go-git/go-git/v5 v5.19.0
+	github.com/go-git/go-git/v5 v5.19.1
 	github.com/google/go-cmp v0.7.0
 	github.com/leonelquinteros/gotext v1.7.2
 	github.com/moby/sys/signal v0.7.1
 	github.com/moby/term v0.5.2
 	github.com/pkg/errors v0.9.1
 	github.com/schollz/progressbar/v3 v3.19.0
-	golang.org/x/term v0.43.0
+	golang.org/x/term v0.44.0
 	gopkg.in/yaml.v3 v3.0.1
 	gotest.tools/v3 v3.5.2
 )
@@ -155,7 +155,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/theupdateframework/notary v0.7.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
-	golang.org/x/sys v0.44.0
+	golang.org/x/sys v0.46.0
 )

 replace github.com/docker/cli v28.4.0+incompatible => git.coopcloud.tech/toolshed/docker-cli v28.5.3-0.20260202112816-30df2d0b3a00+incompatible
@@ -393,8 +393,8 @@ github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmm
 github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.19.0 h1:+WkVUQZSy/F1Gb13udrMKjIM2PrzsNfDKFSfo5tkMtc=
-github.com/go-git/go-git/v5 v5.19.0/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
+github.com/go-git/go-git/v5 v5.19.1 h1:nX27AnaU43/K5bKktKwgBmR9lawoYVe1Ckg0rgzzN00=
+github.com/go-git/go-git/v5 v5.19.1/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -1140,13 +1140,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
+golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
-golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
+golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
+golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -7,7 +7,7 @@
 msgid   ""
 msgstr  "Project-Id-Version: \n"
        "Report-Msgid-Bugs-To: EMAIL\n"
-        "POT-Creation-Date: 2026-04-11 11:34+0200\n"
+        "POT-Creation-Date: 2026-06-14 17:56+0200\n"
        "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
        "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
        "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -214,7 +214,7 @@ msgstr  ""
 msgid   "%s already exists?"
 msgstr  ""

-#: ./cli/app/new.go:202
+#: ./cli/app/new.go:206
 #, c-format
 msgid   "%s created (version: %s)"
 msgstr  ""
@@ -299,7 +299,7 @@ msgstr  ""
 msgid   "%s has no published versions?"
 msgstr  ""

-#: ./cli/app/new.go:311
+#: ./cli/app/new.go:315
 #, c-format
 msgid   "%s has no secrets to generate, skipping..."
 msgstr  ""
@@ -339,17 +339,17 @@ msgstr  ""
 msgid   "%s is missing the TYPE env var?"
 msgstr  ""

-#: ./cli/app/rollback.go:309 ./cli/app/rollback.go:313
+#: ./cli/app/rollback.go:310 ./cli/app/rollback.go:314
 #, c-format
 msgid   "%s is not a downgrade for %s?"
 msgstr  ""

-#: ./cli/app/upgrade.go:429 ./cli/app/upgrade.go:433
+#: ./cli/app/upgrade.go:430 ./cli/app/upgrade.go:434
 #, c-format
 msgid   "%s is not an upgrade for %s?"
 msgstr  ""

-#: ./cli/app/env.go:146 ./cli/app/logs.go:65 ./cli/app/ps.go:62 ./cli/app/restart.go:100 ./cli/app/services.go:55 ./cli/app/undeploy.go:66 ./cli/app/upgrade.go:450
+#: ./cli/app/env.go:146 ./cli/app/logs.go:65 ./cli/app/ps.go:62 ./cli/app/restart.go:100 ./cli/app/services.go:55 ./cli/app/undeploy.go:66 ./cli/app/upgrade.go:451
 #, c-format
 msgid   "%s is not deployed?"
 msgstr  ""
@@ -369,7 +369,7 @@ msgstr  ""
 msgid   "%s missing context, run \"abra server add %s\"?"
 msgstr  ""

-#: ./cli/app/deploy.go:194 ./cli/app/upgrade.go:210
+#: ./cli/app/deploy.go:195 ./cli/app/upgrade.go:211
 #, c-format
 msgid   "%s missing from %s.env"
 msgstr  ""
@@ -404,17 +404,17 @@ msgstr  ""
 msgid   "%s removed from pass store"
 msgstr  ""

-#: ./cli/app/new.go:220
+#: ./cli/app/new.go:224
 #, c-format
 msgid   "%s requires secret generation before deploy, run \"abra app secret generate %s --all\""
 msgstr  ""

-#: ./cli/app/new.go:224
+#: ./cli/app/new.go:228
 #, c-format
 msgid   "%s requires secret insertion before deploy (#generate=false)"
 msgstr  ""

-#: ./cli/app/new.go:151
+#: ./cli/app/new.go:155
 #, c-format
 msgid   "%s sanitised as %s for new app"
 msgstr  ""
@@ -549,12 +549,12 @@ msgstr  ""
 msgid   "%s: waiting %d seconds before next retry"
 msgstr  ""

-#: ./cli/app/upgrade.go:424
+#: ./cli/app/upgrade.go:425
 #, c-format
 msgid   "'%s' is not a known version"
 msgstr  ""

-#: ./cli/app/rollback.go:304 ./cli/app/upgrade.go:419
+#: ./cli/app/rollback.go:305 ./cli/app/upgrade.go:420
 #, c-format
 msgid   "'%s' is not a known version for %s"
 msgstr  ""
@@ -626,7 +626,7 @@ msgstr  ""
 msgid   "Both local recipe and live deployment labels are shown."
 msgstr  ""

-#: ./cli/app/backup.go:319 ./cli/app/backup.go:335 ./cli/app/check.go:95 ./cli/app/cmd.go:285 ./cli/app/cp.go:385 ./cli/app/deploy.go:414 ./cli/app/labels.go:143 ./cli/app/list.go:335 ./cli/app/new.go:407 ./cli/app/ps.go:213 ./cli/app/restart.go:163 ./cli/app/restore.go:138 ./cli/app/secret.go:569 ./cli/app/secret.go:609 ./cli/app/secret.go:633 ./cli/app/secret.go:641 ./cli/catalogue/catalogue.go:318 ./cli/recipe/lint.go:137
+#: ./cli/app/backup.go:319 ./cli/app/backup.go:335 ./cli/app/check.go:95 ./cli/app/cmd.go:285 ./cli/app/cp.go:385 ./cli/app/deploy.go:415 ./cli/app/labels.go:143 ./cli/app/list.go:335 ./cli/app/new.go:411 ./cli/app/ps.go:213 ./cli/app/restart.go:163 ./cli/app/restore.go:138 ./cli/app/secret.go:569 ./cli/app/secret.go:609 ./cli/app/secret.go:633 ./cli/app/secret.go:641 ./cli/catalogue/catalogue.go:318 ./cli/recipe/lint.go:137
 msgid   "C"
 msgstr  ""

@@ -767,7 +767,7 @@ msgid   "Creates a new app from a default recipe.\n"
        "on your $PATH."
 msgstr  ""

-#: ./cli/app/deploy.go:430 ./cli/app/new.go:383 ./cli/app/rollback.go:361 ./cli/app/upgrade.go:470
+#: ./cli/app/deploy.go:431 ./cli/app/new.go:387 ./cli/app/rollback.go:362 ./cli/app/upgrade.go:471
 msgid   "D"
 msgstr  ""

@@ -878,7 +878,7 @@ msgid   "Generate a report of all managed apps.\n"
        "Use \"--status/-S\" flag to query all servers for the live deployment status."
 msgstr  ""

-#: ./cli/app/new.go:317
+#: ./cli/app/new.go:321
 msgid   "Generate app secrets?"
 msgstr  ""

@@ -1257,7 +1257,7 @@ msgstr  ""
 msgid   "Run app commands"
 msgstr  ""

-#: ./cli/app/backup.go:303 ./cli/app/list.go:296 ./cli/app/logs.go:109 ./cli/app/new.go:399
+#: ./cli/app/backup.go:303 ./cli/app/list.go:296 ./cli/app/logs.go:109 ./cli/app/new.go:403
 msgid   "S"
 msgstr  ""

@@ -1265,7 +1265,7 @@ msgstr  ""
 msgid   "SECRETS"
 msgstr  ""

-#: ./cli/app/new.go:234
+#: ./cli/app/new.go:238
 msgid   "SECRETS OVERVIEW"
 msgstr  ""

@@ -1298,7 +1298,7 @@ msgstr  ""
 msgid   "STATUS"
 msgstr  ""

-#: ./cli/app/new.go:342
+#: ./cli/app/new.go:346
 msgid   "Select app server:"
 msgstr  ""

@@ -1330,7 +1330,7 @@ msgstr  ""
 msgid   "Specify a server name"
 msgstr  ""

-#: ./cli/app/new.go:293
+#: ./cli/app/new.go:297
 msgid   "Specify app domain"
 msgstr  ""

@@ -1462,7 +1462,7 @@ msgid   "To load completions:\n"
        "  # and source this file from your PowerShell profile."
 msgstr  ""

-#: ./cli/app/deploy.go:454 ./cli/app/rollback.go:377 ./cli/app/upgrade.go:494
+#: ./cli/app/deploy.go:455 ./cli/app/rollback.go:378 ./cli/app/upgrade.go:495
 msgid   "U"
 msgstr  ""

@@ -1835,7 +1835,7 @@ msgstr  ""
 msgid   "attempting to run %s"
 msgstr  ""

-#: ./cli/app/deploy.go:283 ./cli/app/upgrade.go:296
+#: ./cli/app/deploy.go:284 ./cli/app/upgrade.go:297
 #, c-format
 msgid   "attempting to run post deploy commands, saw: %s"
 msgstr  ""
@@ -1865,7 +1865,7 @@ msgstr  ""
 msgid   "autocomplete failed: %s"
 msgstr  ""

-#: ./cli/app/new.go:401
+#: ./cli/app/new.go:405
 msgid   "automatically generate secrets"
 msgstr  ""

@@ -1915,7 +1915,7 @@ msgstr  ""
 #. no spaces in between
 #. translators: `abra app cp` aliases. use a comma separated list of aliases with
 #. no spaces in between
-#: ./cli/app/backup.go:148 ./cli/app/cp.go:30 ./cli/app/deploy.go:438 ./cli/app/rollback.go:369 ./cli/app/upgrade.go:478
+#: ./cli/app/backup.go:148 ./cli/app/cp.go:30 ./cli/app/deploy.go:439 ./cli/app/rollback.go:370 ./cli/app/upgrade.go:479
 msgid   "c"
 msgstr  ""

@@ -1971,7 +1971,7 @@ msgstr  ""
 msgid   "cannot redeploy previous chaos version (%s), did you mean to use \"--chaos\"?"
 msgstr  ""

-#: ./cli/app/deploy.go:388
+#: ./cli/app/deploy.go:389
 #, c-format
 msgid   "cannot redeploy previous chaos version (%s), did you mean to use \"--chaos\"?\n"
        "     to return to a regular release, specify a release tag, commit SHA or use \"--latest\""
@@ -1990,7 +1990,7 @@ msgstr  ""
 msgid   "cannot use '[secret] [version]' and '--all' together"
 msgstr  ""

-#: ./cli/app/deploy.go:330
+#: ./cli/app/deploy.go:331
 msgid   "cannot use --chaos and --latest together"
 msgstr  ""

@@ -2014,11 +2014,11 @@ msgstr  ""
 msgid   "cannot use [service] and --all-services/-a together"
 msgstr  ""

-#: ./cli/app/deploy.go:322 ./cli/app/new.go:80
+#: ./cli/app/deploy.go:323 ./cli/app/new.go:80
 msgid   "cannot use [version] and --chaos together"
 msgstr  ""

-#: ./cli/app/deploy.go:326
+#: ./cli/app/deploy.go:327
 msgid   "cannot use [version] and --latest together"
 msgstr  ""

@@ -2054,7 +2054,7 @@ msgstr  ""
 msgid   "cfg"
 msgstr  ""

-#: ./cli/app/backup.go:318 ./cli/app/backup.go:334 ./cli/app/check.go:94 ./cli/app/cmd.go:284 ./cli/app/cp.go:384 ./cli/app/deploy.go:413 ./cli/app/labels.go:142 ./cli/app/list.go:334 ./cli/app/new.go:406 ./cli/app/ps.go:212 ./cli/app/restart.go:162 ./cli/app/restore.go:137 ./cli/app/secret.go:568 ./cli/app/secret.go:608 ./cli/app/secret.go:632 ./cli/app/secret.go:640 ./cli/catalogue/catalogue.go:317 ./cli/recipe/lint.go:136
+#: ./cli/app/backup.go:318 ./cli/app/backup.go:334 ./cli/app/check.go:94 ./cli/app/cmd.go:284 ./cli/app/cp.go:384 ./cli/app/deploy.go:414 ./cli/app/labels.go:142 ./cli/app/list.go:334 ./cli/app/new.go:410 ./cli/app/ps.go:212 ./cli/app/restart.go:162 ./cli/app/restore.go:137 ./cli/app/secret.go:568 ./cli/app/secret.go:608 ./cli/app/secret.go:632 ./cli/app/secret.go:640 ./cli/catalogue/catalogue.go:317 ./cli/recipe/lint.go:136
 msgid   "chaos"
 msgstr  ""

@@ -2068,7 +2068,7 @@ msgstr  ""
 msgid   "check <domain> [flags]"
 msgstr  ""

-#: ./cli/app/deploy.go:95 ./cli/app/undeploy.go:58 ./cli/app/upgrade.go:442
+#: ./cli/app/deploy.go:95 ./cli/app/undeploy.go:58 ./cli/app/upgrade.go:443
 #, c-format
 msgid   "checking whether %s is already deployed"
 msgstr  ""
@@ -2371,7 +2371,7 @@ msgstr  ""
 msgid   "critical errors present in %s config"
 msgstr  ""

-#: ./cli/app/rollback.go:299
+#: ./cli/app/rollback.go:300
 #, c-format
 msgid   "current deployment '%s' is not a known version for %s"
 msgstr  ""
@@ -2422,7 +2422,7 @@ msgstr  ""
 msgid   "deploy labels stanza present"
 msgstr  ""

-#: ./cli/app/deploy.go:448
+#: ./cli/app/deploy.go:449
 msgid   "deploy latest recipe version"
 msgstr  ""

@@ -2524,11 +2524,11 @@ msgstr  ""
 msgid   "dirty: %v, "
 msgstr  ""

-#: ./cli/app/deploy.go:440 ./cli/app/rollback.go:371 ./cli/app/upgrade.go:480
+#: ./cli/app/deploy.go:441 ./cli/app/rollback.go:372 ./cli/app/upgrade.go:481
 msgid   "disable converge logic checks"
 msgstr  ""

-#: ./cli/app/deploy.go:432 ./cli/app/rollback.go:363 ./cli/app/upgrade.go:472
+#: ./cli/app/deploy.go:433 ./cli/app/rollback.go:364 ./cli/app/upgrade.go:473
 msgid   "disable public DNS checks"
 msgstr  ""

@@ -2544,11 +2544,11 @@ msgstr  ""
 msgid   "docker: is the daemon running / your user has docker permissions?"
 msgstr  ""

-#: ./cli/app/new.go:382
+#: ./cli/app/new.go:386
 msgid   "domain"
 msgstr  ""

-#: ./cli/app/new.go:385
+#: ./cli/app/new.go:389
 msgid   "domain name for app"
 msgstr  ""

@@ -2737,7 +2737,7 @@ msgstr  ""

 #. translators: `abra recipe fetch` aliases. use a comma separated list of aliases
 #. with no spaces in between
-#: ./cli/app/deploy.go:422 ./cli/app/env.go:325 ./cli/app/remove.go:163 ./cli/app/rollback.go:353 ./cli/app/secret.go:593 ./cli/app/upgrade.go:462 ./cli/app/volume.go:217 ./cli/recipe/fetch.go:20 ./cli/recipe/fetch.go:138
+#: ./cli/app/deploy.go:423 ./cli/app/env.go:325 ./cli/app/remove.go:163 ./cli/app/rollback.go:354 ./cli/app/secret.go:593 ./cli/app/upgrade.go:463 ./cli/app/volume.go:217 ./cli/recipe/fetch.go:20 ./cli/recipe/fetch.go:138
 msgid   "f"
 msgstr  ""

@@ -2898,7 +2898,7 @@ msgstr  ""
 msgid   "failed to resize tty, using default size"
 msgstr  ""

-#: ./cli/app/new.go:134
+#: ./cli/app/new.go:138
 #, c-format
 msgid   "failed to retrieve latest commit for %s: %s"
 msgstr  ""
@@ -2988,7 +2988,7 @@ msgstr  ""
 msgid   "final merged env values for %s are: %s"
 msgstr  ""

-#: ./cli/app/deploy.go:421 ./cli/app/env.go:324 ./cli/app/remove.go:162 ./cli/app/rollback.go:352 ./cli/app/upgrade.go:461 ./cli/app/volume.go:216 ./cli/recipe/fetch.go:137
+#: ./cli/app/deploy.go:422 ./cli/app/env.go:324 ./cli/app/remove.go:162 ./cli/app/rollback.go:353 ./cli/app/upgrade.go:462 ./cli/app/volume.go:216 ./cli/recipe/fetch.go:137
 msgid   "force"
 msgstr  ""

@@ -3202,7 +3202,7 @@ msgstr  ""
 msgid   "id: %s, "
 msgstr  ""

-#: ./cli/app/backup.go:321 ./cli/app/backup.go:337 ./cli/app/check.go:97 ./cli/app/cmd.go:287 ./cli/app/cp.go:387 ./cli/app/deploy.go:416 ./cli/app/labels.go:145 ./cli/app/list.go:337 ./cli/app/new.go:409 ./cli/app/ps.go:215 ./cli/app/restart.go:165 ./cli/app/restore.go:140 ./cli/app/secret.go:571 ./cli/app/secret.go:611 ./cli/app/secret.go:635 ./cli/app/secret.go:643 ./cli/catalogue/catalogue.go:320 ./cli/recipe/lint.go:139
+#: ./cli/app/backup.go:321 ./cli/app/backup.go:337 ./cli/app/check.go:97 ./cli/app/cmd.go:287 ./cli/app/cp.go:387 ./cli/app/deploy.go:417 ./cli/app/labels.go:145 ./cli/app/list.go:337 ./cli/app/new.go:413 ./cli/app/ps.go:215 ./cli/app/restart.go:165 ./cli/app/restore.go:140 ./cli/app/secret.go:571 ./cli/app/secret.go:611 ./cli/app/secret.go:635 ./cli/app/secret.go:643 ./cli/catalogue/catalogue.go:320 ./cli/recipe/lint.go:139
 msgid   "ignore uncommitted recipes changes"
 msgstr  ""

@@ -3400,7 +3400,7 @@ msgstr  ""
 #. no spaces in between
 #. translators: `abra recipe lint` aliases. use a comma separated list of
 #. aliases with no spaces in between
-#: ./cli/app/cmd.go:261 ./cli/app/deploy.go:446 ./cli/app/logs.go:20 ./cli/recipe/lint.go:17 ./cli/server/add.go:207
+#: ./cli/app/cmd.go:261 ./cli/app/deploy.go:447 ./cli/app/logs.go:20 ./cli/recipe/lint.go:17 ./cli/server/add.go:207
 msgid   "l"
 msgstr  ""

@@ -3415,7 +3415,7 @@ msgstr  ""
 msgid   "labels <domain> [flags]"
 msgstr  ""

-#: ./cli/app/deploy.go:445 ./cli/app/list.go:186
+#: ./cli/app/deploy.go:446 ./cli/app/list.go:186
 msgid   "latest"
 msgstr  ""

@@ -3752,7 +3752,7 @@ msgstr  ""
 msgid   "no containers matching the %v filter found?"
 msgstr  ""

-#: ./cli/app/new.go:302 ./cli/internal/validate.go:129
+#: ./cli/app/new.go:306 ./cli/internal/validate.go:129
 msgid   "no domain provided"
 msgstr  ""

@@ -3779,7 +3779,7 @@ msgstr  ""
 msgid   "no recipe name provided"
 msgstr  ""

-#: ./cli/app/upgrade.go:241
+#: ./cli/app/upgrade.go:242
 #, c-format
 msgid   "no release notes for upgrading from %s to %s"
 msgstr  ""
@@ -3810,7 +3810,7 @@ msgstr  ""
 msgid   "no secrets to remove?"
 msgstr  ""

-#: ./cli/app/new.go:351 ./cli/internal/validate.go:167
+#: ./cli/app/new.go:355 ./cli/internal/validate.go:167
 msgid   "no server provided"
 msgstr  ""

@@ -3868,11 +3868,11 @@ msgstr  ""
 msgid   "no volumes to remove"
 msgstr  ""

-#: ./cli/app/deploy.go:437 ./cli/app/rollback.go:368 ./cli/app/upgrade.go:477
+#: ./cli/app/deploy.go:438 ./cli/app/rollback.go:369 ./cli/app/upgrade.go:478
 msgid   "no-converge-checks"
 msgstr  ""

-#: ./cli/app/deploy.go:429 ./cli/app/rollback.go:360 ./cli/app/upgrade.go:469
+#: ./cli/app/deploy.go:430 ./cli/app/rollback.go:361 ./cli/app/upgrade.go:470
 msgid   "no-domain-checks"
 msgstr  ""

@@ -3940,7 +3940,7 @@ msgstr  ""
 msgid   "only show errors"
 msgstr  ""

-#: ./cli/app/upgrade.go:488
+#: ./cli/app/upgrade.go:489
 msgid   "only show release notes"
 msgstr  ""

@@ -3952,7 +3952,7 @@ msgstr  ""
 #. with no spaces in between
 #. translators: `abra server prune` aliases. use a comma separated list of
 #. aliases with no spaces in between
-#: ./cli/app/backup.go:295 ./cli/app/new.go:391 ./cli/app/ps.go:29 ./cli/app/secret.go:561 ./cli/app/secret.go:585 ./cli/app/secret.go:625 ./cli/app/undeploy.go:169 ./cli/catalogue/catalogue.go:294 ./cli/recipe/list.go:112 ./cli/server/prune.go:18
+#: ./cli/app/backup.go:295 ./cli/app/new.go:395 ./cli/app/ps.go:29 ./cli/app/secret.go:561 ./cli/app/secret.go:585 ./cli/app/secret.go:625 ./cli/app/undeploy.go:169 ./cli/catalogue/catalogue.go:294 ./cli/recipe/list.go:112 ./cli/server/prune.go:18
 msgid   "p"
 msgstr  ""

@@ -3971,27 +3971,27 @@ msgstr  ""
 msgid   "parsed following command arguments: %s"
 msgstr  ""

-#: ./cli/app/upgrade.go:345
+#: ./cli/app/upgrade.go:346
 #, c-format
 msgid   "parsing chosen upgrade version failed: %s"
 msgstr  ""

-#: ./cli/app/upgrade.go:389
+#: ./cli/app/upgrade.go:390
 #, c-format
 msgid   "parsing deployed version failed: %s"
 msgstr  ""

-#: ./cli/app/upgrade.go:350
+#: ./cli/app/upgrade.go:351
 #, c-format
 msgid   "parsing deployment version failed: %s"
 msgstr  ""

-#: ./cli/app/upgrade.go:356 ./cli/app/upgrade.go:395
+#: ./cli/app/upgrade.go:357 ./cli/app/upgrade.go:396
 #, c-format
 msgid   "parsing recipe version failed: %s"
 msgstr  ""

-#: ./cli/app/new.go:390 ./cli/app/secret.go:560 ./cli/app/secret.go:584 ./cli/app/secret.go:624
+#: ./cli/app/new.go:394 ./cli/app/secret.go:560 ./cli/app/secret.go:584 ./cli/app/secret.go:624
 msgid   "pass"
 msgstr  ""

@@ -4011,7 +4011,7 @@ msgstr  ""
 msgid   "pattern"
 msgstr  ""

-#: ./cli/app/deploy.go:424 ./cli/app/env.go:327 ./cli/app/remove.go:165 ./cli/app/rollback.go:355 ./cli/app/upgrade.go:464 ./cli/app/volume.go:219
+#: ./cli/app/deploy.go:425 ./cli/app/env.go:327 ./cli/app/remove.go:165 ./cli/app/rollback.go:356 ./cli/app/upgrade.go:465 ./cli/app/volume.go:219
 msgid   "perform action without further prompt"
 msgstr  ""

@@ -4021,22 +4021,22 @@ msgstr  ""
 msgid   "pl,p"
 msgstr  ""

-#: ./cli/app/rollback.go:267
+#: ./cli/app/rollback.go:268
 #, c-format
 msgid   "please select a downgrade (version: %s):"
 msgstr  ""

-#: ./cli/app/rollback.go:272
+#: ./cli/app/rollback.go:273
 #, c-format
 msgid   "please select a downgrade (version: %s, chaos: %s):"
 msgstr  ""

-#: ./cli/app/upgrade.go:312
+#: ./cli/app/upgrade.go:313
 #, c-format
 msgid   "please select an upgrade (version: %s):"
 msgstr  ""

-#: ./cli/app/upgrade.go:317
+#: ./cli/app/upgrade.go:318
 #, c-format
 msgid   "please select an upgrade (version: %s, chaos: %s):"
 msgstr  ""
@@ -4119,7 +4119,7 @@ msgstr  ""
 #. with no spaces in between
 #. translators: `abra recipe` aliases. use a comma separated list of aliases
 #. with no spaces in between
-#: ./cli/app/backup.go:327 ./cli/app/list.go:304 ./cli/app/move.go:350 ./cli/app/run.go:23 ./cli/app/upgrade.go:486 ./cli/catalogue/catalogue.go:302 ./cli/recipe/recipe.go:12 ./cli/recipe/release.go:624
+#: ./cli/app/backup.go:327 ./cli/app/list.go:304 ./cli/app/move.go:350 ./cli/app/run.go:23 ./cli/app/upgrade.go:487 ./cli/catalogue/catalogue.go:302 ./cli/recipe/recipe.go:12 ./cli/recipe/release.go:624
 msgid   "r"
 msgstr  ""

@@ -4239,7 +4239,7 @@ msgstr  ""
 msgid   "release failed. any changes made have been reverted"
 msgstr  ""

-#: ./cli/app/upgrade.go:485
+#: ./cli/app/upgrade.go:486
 msgid   "releasenotes"
 msgstr  ""

@@ -4543,7 +4543,7 @@ msgstr  ""
 msgid   "run command locally"
 msgstr  ""

-#: ./cli/app/deploy.go:281 ./cli/app/upgrade.go:293
+#: ./cli/app/deploy.go:282 ./cli/app/upgrade.go:294
 #, c-format
 msgid   "run the following post-deploy commands: %s"
 msgstr  ""
@@ -4584,7 +4584,7 @@ msgstr  ""
 #. no spaces in between
 #. translators: `abra server` aliases. use a comma separated list of aliases
 #. with no spaces in between
-#: ./cli/app/backup.go:198 ./cli/app/backup.go:263 ./cli/app/backup.go:287 ./cli/app/env.go:333 ./cli/app/list.go:327 ./cli/app/logs.go:101 ./cli/app/new.go:368 ./cli/app/restore.go:114 ./cli/app/secret.go:535 ./cli/catalogue/catalogue.go:27 ./cli/catalogue/catalogue.go:310 ./cli/recipe/fetch.go:130 ./cli/server/server.go:12
+#: ./cli/app/backup.go:198 ./cli/app/backup.go:263 ./cli/app/backup.go:287 ./cli/app/env.go:333 ./cli/app/list.go:327 ./cli/app/logs.go:101 ./cli/app/new.go:372 ./cli/app/restore.go:114 ./cli/app/secret.go:535 ./cli/catalogue/catalogue.go:27 ./cli/catalogue/catalogue.go:310 ./cli/recipe/fetch.go:130 ./cli/server/server.go:12
 msgid   "s"
 msgstr  ""

@@ -4626,12 +4626,12 @@ msgstr  ""
 msgid   "secret not found: %s"
 msgstr  ""

-#: ./cli/app/deploy.go:358
+#: ./cli/app/deploy.go:359
 #, c-format
 msgid   "secret not generated: %s"
 msgstr  ""

-#: ./cli/app/deploy.go:356
+#: ./cli/app/deploy.go:357
 #, c-format
 msgid   "secret not inserted (#generate=false): %s"
 msgstr  ""
@@ -4641,27 +4641,27 @@ msgstr  ""
 msgid   "secret: %s removed"
 msgstr  ""

-#: ./cli/app/backup.go:302 ./cli/app/new.go:398
+#: ./cli/app/backup.go:302 ./cli/app/new.go:402
 msgid   "secrets"
 msgstr  ""

-#: ./cli/app/new.go:238
+#: ./cli/app/new.go:242
 #, c-format
 msgid   "secrets are %s shown again, please save them %s"
 msgstr  ""

-#: ./cli/app/deploy.go:306
+#: ./cli/app/deploy.go:307
 #, c-format
 msgid   "selected latest recipe version: %s (from %d available versions)"
 msgstr  ""

-#: ./cli/app/new.go:121
+#: ./cli/app/new.go:125
 #, c-format
 msgid   "selected recipe version: %s (from %d available versions)"
 msgstr  ""

 #. translators: `abra server` command for autocompletion
-#: ./cli/app/env.go:332 ./cli/app/env.go:339 ./cli/app/list.go:326 ./cli/app/list.go:341 ./cli/app/new.go:367 ./cli/app/new.go:374 ./cli/run.go:101
+#: ./cli/app/env.go:332 ./cli/app/env.go:339 ./cli/app/list.go:326 ./cli/app/list.go:341 ./cli/app/new.go:371 ./cli/app/new.go:378 ./cli/run.go:101
 msgid   "server"
 msgstr  ""

@@ -4775,7 +4775,7 @@ msgstr  ""
 msgid   "severity"
 msgstr  ""

-#: ./cli/app/deploy.go:456 ./cli/app/rollback.go:379 ./cli/app/upgrade.go:496
+#: ./cli/app/deploy.go:457 ./cli/app/rollback.go:380 ./cli/app/upgrade.go:497
 msgid   "show all configs & images, including unchanged ones"
 msgstr  ""

@@ -4799,7 +4799,7 @@ msgstr  ""
 msgid   "show debug messages"
 msgstr  ""

-#: ./cli/app/deploy.go:453 ./cli/app/rollback.go:376 ./cli/app/upgrade.go:493
+#: ./cli/app/deploy.go:454 ./cli/app/rollback.go:377 ./cli/app/upgrade.go:494
 msgid   "show-unchanged"
 msgstr  ""

@@ -4807,7 +4807,7 @@ msgstr  ""
 msgid   "since"
 msgstr  ""

-#: ./cli/app/new.go:336
+#: ./cli/app/new.go:340
 #, c-format
 msgid   "single server detected, choosing %s automatically"
 msgstr  ""
@@ -4847,11 +4847,11 @@ msgstr  ""
 msgid   "skipping converge logic checks"
 msgstr  ""

-#: ./cli/app/deploy.go:208
+#: ./cli/app/deploy.go:209
 msgid   "skipping domain checks"
 msgstr  ""

-#: ./cli/app/deploy.go:205
+#: ./cli/app/deploy.go:206
 msgid   "skipping domain checks, no DOMAIN=... configured"
 msgstr  ""

@@ -4907,7 +4907,7 @@ msgstr  ""
 msgid   "specify secret value"
 msgstr  ""

-#: ./cli/app/new.go:370
+#: ./cli/app/new.go:374
 msgid   "specify server for new app"
 msgstr  ""

@@ -4965,7 +4965,7 @@ msgstr  ""
 msgid   "store generated secrets in a local pass store"
 msgstr  ""

-#: ./cli/app/new.go:393
+#: ./cli/app/new.go:397
 msgid   "store secrets in a local pass store"
 msgstr  ""

@@ -5115,7 +5115,7 @@ msgstr  ""
 msgid   "trim input"
 msgstr  ""

-#: ./cli/app/new.go:263 ./pkg/app/app.go:141
+#: ./cli/app/new.go:267 ./pkg/app/app.go:141
 #, c-format
 msgid   "trimming %s to %s to avoid runtime limits"
 msgstr  ""
@@ -5653,27 +5653,27 @@ msgstr  ""
 msgid   "version wiped from %s.env"
 msgstr  ""

-#: ./cli/app/deploy.go:372
+#: ./cli/app/deploy.go:373
 #, c-format
 msgid   "version: taking chaos version: %s"
 msgstr  ""

-#: ./cli/app/deploy.go:398
+#: ./cli/app/deploy.go:399
 #, c-format
 msgid   "version: taking deployed version: %s"
 msgstr  ""

-#: ./cli/app/deploy.go:403
+#: ./cli/app/deploy.go:404
 #, c-format
 msgid   "version: taking new recipe version: %s"
 msgstr  ""

-#: ./cli/app/deploy.go:392
+#: ./cli/app/deploy.go:393
 #, c-format
 msgid   "version: taking version from .env file: %s"
 msgstr  ""

-#: ./cli/app/deploy.go:378
+#: ./cli/app/deploy.go:379
 #, c-format
 msgid   "version: taking version from cli arg: %s"
 msgstr  ""
@@ -5801,7 +5801,7 @@ msgstr  ""
 msgid   "writer: %v, "
 msgstr  ""

-#: ./cli/app/deploy.go:288 ./cli/app/new.go:251 ./cli/app/rollback.go:256 ./cli/app/undeploy.go:120 ./cli/app/upgrade.go:301
+#: ./cli/app/deploy.go:289 ./cli/app/new.go:255 ./cli/app/rollback.go:257 ./cli/app/undeploy.go:120 ./cli/app/upgrade.go:302
 #, c-format
 msgid   "writing recipe version failed: %s"
 msgstr  ""
@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-04-11 11:34+0200\n"
+"POT-Creation-Date: 2026-06-14 17:56+0200\n"
 "PO-Revision-Date: 2026-02-28 13:52+0000\n"
 "Last-Translator: chasqui <chasqui@cryptolab.net>\n"
 "Language-Team: Spanish <https://translate.coopcloud.tech/projects/co-op-cloud/abra/es/>\n"
@@ -318,7 +318,7 @@ msgstr "%s ya existe"
 msgid "%s already exists?"
 msgstr "%s ¿ya existe?"

-#: cli/app/new.go:202
+#: cli/app/new.go:206
 #, c-format
 msgid "%s created (version: %s)"
 msgstr "%s creado (versión: %s)"
@@ -403,7 +403,7 @@ msgstr "¿%s no tiene una aplicación principal?"
 msgid "%s has no published versions?"
 msgstr "¿%s no tiene versiones publicadas?"

-#: cli/app/new.go:311
+#: cli/app/new.go:315
 #, c-format
 msgid "%s has no secrets to generate, skipping..."
 msgstr "%s no tiene secretos para generar, omitiendo..."
@@ -443,19 +443,19 @@ msgstr "¿%s no tiene un archivo compose.yml o compose.*.yml?"
 msgid "%s is missing the TYPE env var?"
 msgstr "¿A %s le falta la variable de entorno TYPE?"

-#: cli/app/rollback.go:309 cli/app/rollback.go:313
+#: cli/app/rollback.go:310 cli/app/rollback.go:314
 #, c-format
 msgid "%s is not a downgrade for %s?"
 msgstr "¿%s no es un downgrade para %s?"

-#: cli/app/upgrade.go:429 cli/app/upgrade.go:433
+#: cli/app/upgrade.go:430 cli/app/upgrade.go:434
 #, c-format
 msgid "%s is not an upgrade for %s?"
 msgstr "¿%s no es una actualización para %s?"

 #: cli/app/env.go:146 cli/app/logs.go:65 cli/app/ps.go:62
 #: cli/app/restart.go:100 cli/app/services.go:55 cli/app/undeploy.go:66
-#: cli/app/upgrade.go:450
+#: cli/app/upgrade.go:451
 #, c-format
 msgid "%s is not deployed?"
 msgstr "¿%s no está desplegado?"
@@ -475,7 +475,7 @@ msgstr "%s todavía está desplegado. Ejecuta \"abra aplicacion plegar %s\""
 msgid "%s missing context, run \"abra server add %s\"?"
 msgstr "falta contexto %s, ¿ejecutar \"abra servidor agregar %s\"?"

-#: cli/app/deploy.go:194 cli/app/upgrade.go:210
+#: cli/app/deploy.go:195 cli/app/upgrade.go:211
 #, c-format
 msgid "%s missing from %s.env"
 msgstr "falta %s de %s.env"
@@ -510,17 +510,17 @@ msgstr "notas de la versión %s:"
 msgid "%s removed from pass store"
 msgstr "%s eliminado del almacén de contraseñas"

-#: cli/app/new.go:220
+#: cli/app/new.go:224
 #, c-format
 msgid "%s requires secret generation before deploy, run \"abra app secret generate %s --all\""
 msgstr "%s requiere generación de secretos antes del despliegue, ejecuta \"abra aplicacion secreto generar %s --all\""

-#: cli/app/new.go:224
+#: cli/app/new.go:228
 #, c-format
 msgid "%s requires secret insertion before deploy (#generate=false)"
 msgstr "%s requiere inserción de secretos antes del despliegue (#generate=false)"

-#: cli/app/new.go:151
+#: cli/app/new.go:155
 #, c-format
 msgid "%s sanitised as %s for new app"
 msgstr "%s sanitisado como %s para nueva aplicación"
@@ -655,12 +655,12 @@ msgstr "%s: no se puede resolver la dirección IPv4: %s"
 msgid "%s: waiting %d seconds before next retry"
 msgstr "%s: esperando %d segundos antes del siguiente reintento"

-#: cli/app/upgrade.go:424
+#: cli/app/upgrade.go:425
 #, c-format
 msgid "'%s' is not a known version"
 msgstr "'%s' no es una versión conocida"

-#: cli/app/rollback.go:304 cli/app/upgrade.go:419
+#: cli/app/rollback.go:305 cli/app/upgrade.go:420
 #, c-format
 msgid "'%s' is not a known version for %s"
 msgstr "'%s' no es una versión conocida para %s"
@@ -759,8 +759,8 @@ msgid "Both local recipe and live deployment labels are shown."
 msgstr "Se muestran tanto la receta local como las etiquetas del despliegue en vivo."

 #: cli/app/backup.go:319 cli/app/backup.go:335 cli/app/check.go:95
-#: cli/app/cmd.go:285 cli/app/cp.go:385 cli/app/deploy.go:414
-#: cli/app/labels.go:143 cli/app/list.go:335 cli/app/new.go:407
+#: cli/app/cmd.go:285 cli/app/cp.go:385 cli/app/deploy.go:415
+#: cli/app/labels.go:143 cli/app/list.go:335 cli/app/new.go:411
 #: cli/app/ps.go:213 cli/app/restart.go:163 cli/app/restore.go:138
 #: cli/app/secret.go:569 cli/app/secret.go:609 cli/app/secret.go:633
 #: cli/app/secret.go:641 cli/catalogue/catalogue.go:318 cli/recipe/lint.go:137
@@ -959,8 +959,8 @@ msgstr ""
 "en un almacén pass (ver passwordstore.org). El comando pass debe estar \n"
 "disponible en tu $PATH."

-#: cli/app/deploy.go:430 cli/app/new.go:383 cli/app/rollback.go:361
-#: cli/app/upgrade.go:470
+#: cli/app/deploy.go:431 cli/app/new.go:387 cli/app/rollback.go:362
+#: cli/app/upgrade.go:471
 msgid "D"
 msgstr ""

@@ -1112,7 +1112,7 @@ msgstr ""
 "\n"
 "Usa la opción \"--estado/-S\" para consultar en todos los servidores sobre el estado de despliegue."

-#: cli/app/new.go:317
+#: cli/app/new.go:321
 msgid "Generate app secrets?"
 msgstr "¿Generar secretos de la aplicación?"

@@ -1579,7 +1579,7 @@ msgid "Run app commands"
 msgstr "Ejecutar 💻 comando dentro una 🚀aplicación"

 #: cli/app/backup.go:303 cli/app/list.go:296 cli/app/logs.go:109
-#: cli/app/new.go:399
+#: cli/app/new.go:403
 msgid "S"
 msgstr ""

@@ -1587,7 +1587,7 @@ msgstr ""
 msgid "SECRETS"
 msgstr "🥷 SECRETOS"

-#: cli/app/new.go:234
+#: cli/app/new.go:238
 msgid "SECRETS OVERVIEW"
 msgstr "RESUMEN DE LOS 🥷 SECRETOS"

@@ -1621,7 +1621,7 @@ msgstr ""
 msgid "STATUS"
 msgstr "🩻 ESTADO"

-#: cli/app/new.go:342
+#: cli/app/new.go:346
 msgid "Select app server:"
 msgstr "Seleccionar servidor para la aplicación:"

@@ -1659,7 +1659,7 @@ msgstr "Especifica un 🌐 nombre de dominio (DNS)"
 msgid "Specify a server name"
 msgstr "Especifica un nombre de servidor"

-#: cli/app/new.go:293
+#: cli/app/new.go:297
 msgid "Specify app domain"
 msgstr "Especifica un 🌐 nombre de dominio (DNS) para la aplicación"

@@ -1881,7 +1881,7 @@ msgstr ""
 "  PS> abra autocomplete powershell > abra.ps1\n"
 "  # y fuente (source) ese archivo desde tu perfil de PowerShell."

-#: cli/app/deploy.go:454 cli/app/rollback.go:377 cli/app/upgrade.go:494
+#: cli/app/deploy.go:455 cli/app/rollback.go:378 cli/app/upgrade.go:495
 msgid "U"
 msgstr ""

@@ -2368,7 +2368,7 @@ msgstr "Intentando generar y almacenar %s en %s"
 msgid "attempting to run %s"
 msgstr "Intentando ejecutar %s"

-#: cli/app/deploy.go:283 cli/app/upgrade.go:296
+#: cli/app/deploy.go:284 cli/app/upgrade.go:297
 #, c-format
 msgid "attempting to run post deploy commands, saw: %s"
 msgstr "Intentando ejecutar los comandos posteriores al despliegue: %s"
@@ -2404,7 +2404,7 @@ msgstr "autocompletar [bash|zsh|fish|powershell]"
 msgid "autocomplete failed: %s"
 msgstr "autocompletar falló: %s"

-#: cli/app/new.go:401
+#: cli/app/new.go:405
 msgid "automatically generate secrets"
 msgstr "generar secretos automáticamente"

@@ -2454,8 +2454,8 @@ msgstr "enlace symlink roto en tus carpetas de configuración de abra: %s"
 #. no spaces in between
 #. translators: `abra app cp` aliases. use a comma separated list of aliases with
 #. no spaces in between
-#: cli/app/backup.go:148 cli/app/cp.go:30 cli/app/deploy.go:438
-#: cli/app/rollback.go:369 cli/app/upgrade.go:478
+#: cli/app/backup.go:148 cli/app/cp.go:30 cli/app/deploy.go:439
+#: cli/app/rollback.go:370 cli/app/upgrade.go:479
 msgid "c"
 msgstr ""

@@ -2511,7 +2511,7 @@ msgstr "no se puede obtener la etiqueta %s para %s"
 msgid "cannot redeploy previous chaos version (%s), did you mean to use \"--chaos\"?"
 msgstr "no se puede redeplegar la versión anterior de caos (%s), ¿Era tu intención usar \"--caos\"?"

-#: cli/app/deploy.go:388
+#: cli/app/deploy.go:389
 #, c-format
 msgid ""
 "cannot redeploy previous chaos version (%s), did you mean to use \"--chaos\"?\n"
@@ -2533,7 +2533,7 @@ msgstr "no se puede especificar una etiqueta y un tipo de incremento al mismo ti
 msgid "cannot use '[secret] [version]' and '--all' together"
 msgstr "no se puede usar '[secreto] [versión]' y '--todos' juntos"

-#: cli/app/deploy.go:330
+#: cli/app/deploy.go:331
 msgid "cannot use --chaos and --latest together"
 msgstr "no se puede usar --caos y --latest juntos"

@@ -2557,11 +2557,11 @@ msgstr "no se puede usar [server] y --local al mismo tiempo"
 msgid "cannot use [service] and --all-services/-a together"
 msgstr "no se puede usar [servicio] y --todos-los-servicios/-a juntos"

-#: cli/app/deploy.go:322 cli/app/new.go:80
+#: cli/app/deploy.go:323 cli/app/new.go:80
 msgid "cannot use [version] and --chaos together"
 msgstr "no se puede usar [versión] y --caos juntos"

-#: cli/app/deploy.go:326
+#: cli/app/deploy.go:327
 msgid "cannot use [version] and --latest together"
 msgstr "no se puede usar [versión] y --latest juntos"

@@ -2598,8 +2598,8 @@ msgid "cfg"
 msgstr ""

 #: cli/app/backup.go:318 cli/app/backup.go:334 cli/app/check.go:94
-#: cli/app/cmd.go:284 cli/app/cp.go:384 cli/app/deploy.go:413
-#: cli/app/labels.go:142 cli/app/list.go:334 cli/app/new.go:406
+#: cli/app/cmd.go:284 cli/app/cp.go:384 cli/app/deploy.go:414
+#: cli/app/labels.go:142 cli/app/list.go:334 cli/app/new.go:410
 #: cli/app/ps.go:212 cli/app/restart.go:162 cli/app/restore.go:137
 #: cli/app/secret.go:568 cli/app/secret.go:608 cli/app/secret.go:632
 #: cli/app/secret.go:640 cli/catalogue/catalogue.go:317 cli/recipe/lint.go:136
@@ -2616,7 +2616,7 @@ msgstr ""
 msgid "check <domain> [flags]"
 msgstr "verificar <aplicacion> [opciones]"

-#: cli/app/deploy.go:95 cli/app/undeploy.go:58 cli/app/upgrade.go:442
+#: cli/app/deploy.go:95 cli/app/undeploy.go:58 cli/app/upgrade.go:443
 #, c-format
 msgid "checking whether %s is already deployed"
 msgstr "verificando si %s ya está desplegado"
@@ -2919,7 +2919,7 @@ msgstr "crítico"
 msgid "critical errors present in %s config"
 msgstr "errores críticos presentes en la configuración de %s"

-#: cli/app/rollback.go:299
+#: cli/app/rollback.go:300
 #, c-format
 msgid "current deployment '%s' is not a known version for %s"
 msgstr "el despliegue actual '%s' no es una versión conocida para %s"
@@ -2971,7 +2971,7 @@ msgstr "despliegue en proceso 🟠"
 msgid "deploy labels stanza present"
 msgstr "stanza de etiquetas de despliegue presente"

-#: cli/app/deploy.go:448
+#: cli/app/deploy.go:449
 msgid "deploy latest recipe version"
 msgstr "desplegar la última versión de la receta"

@@ -3073,11 +3073,11 @@ msgstr "el directorio está vacío: %s"
 msgid "dirty: %v, "
 msgstr ""

-#: cli/app/deploy.go:440 cli/app/rollback.go:371 cli/app/upgrade.go:480
+#: cli/app/deploy.go:441 cli/app/rollback.go:372 cli/app/upgrade.go:481
 msgid "disable converge logic checks"
 msgstr "desactivar comprobaciones de lógica de convergencia"

-#: cli/app/deploy.go:432 cli/app/rollback.go:363 cli/app/upgrade.go:472
+#: cli/app/deploy.go:433 cli/app/rollback.go:364 cli/app/upgrade.go:473
 msgid "disable public DNS checks"
 msgstr "desactivar comprobaciones de DNS público"

@@ -3093,11 +3093,11 @@ msgstr "no solicitar un TTY"
 msgid "docker: is the daemon running / your user has docker permissions?"
 msgstr "docker: ¿está corriendo el daemon / tu usuario tiene permisos de Docker?"

-#: cli/app/new.go:382
+#: cli/app/new.go:386
 msgid "domain"
 msgstr "dominio"

-#: cli/app/new.go:385
+#: cli/app/new.go:389
 msgid "domain name for app"
 msgstr "nombre de dominio para la aplicación"

@@ -3288,8 +3288,8 @@ msgstr "extrayendo secreto %s en %s"

 #. translators: `abra recipe fetch` aliases. use a comma separated list of aliases
 #. with no spaces in between
-#: cli/app/deploy.go:422 cli/app/env.go:325 cli/app/remove.go:163
-#: cli/app/rollback.go:353 cli/app/secret.go:593 cli/app/upgrade.go:462
+#: cli/app/deploy.go:423 cli/app/env.go:325 cli/app/remove.go:163
+#: cli/app/rollback.go:354 cli/app/secret.go:593 cli/app/upgrade.go:463
 #: cli/app/volume.go:217 cli/recipe/fetch.go:20 cli/recipe/fetch.go:138
 msgid "f"
 msgstr ""
@@ -3451,7 +3451,7 @@ msgstr "🛑 No se pudo eliminar algunos recursos del stock: %s"
 msgid "failed to resize tty, using default size"
 msgstr "🛑 No se pudo redimensionar el TTY; se usará el tamaño predeterminado"

-#: cli/app/new.go:134
+#: cli/app/new.go:138
 #, c-format
 msgid "failed to retrieve latest commit for %s: %s"
 msgstr "🛑 No se pudo obtener el último commit de %s: %s"
@@ -3541,8 +3541,8 @@ msgstr "Filtrar por receta"
 msgid "final merged env values for %s are: %s"
 msgstr "Los valores finales combinados de entorno para %s son: %s"

-#: cli/app/deploy.go:421 cli/app/env.go:324 cli/app/remove.go:162
-#: cli/app/rollback.go:352 cli/app/upgrade.go:461 cli/app/volume.go:216
+#: cli/app/deploy.go:422 cli/app/env.go:324 cli/app/remove.go:162
+#: cli/app/rollback.go:353 cli/app/upgrade.go:462 cli/app/volume.go:216
 #: cli/recipe/fetch.go:137
 msgid "force"
 msgstr "forzar"
@@ -3758,8 +3758,8 @@ msgid "id: %s, "
 msgstr ""

 #: cli/app/backup.go:321 cli/app/backup.go:337 cli/app/check.go:97
-#: cli/app/cmd.go:287 cli/app/cp.go:387 cli/app/deploy.go:416
-#: cli/app/labels.go:145 cli/app/list.go:337 cli/app/new.go:409
+#: cli/app/cmd.go:287 cli/app/cp.go:387 cli/app/deploy.go:417
+#: cli/app/labels.go:145 cli/app/list.go:337 cli/app/new.go:413
 #: cli/app/ps.go:215 cli/app/restart.go:165 cli/app/restore.go:140
 #: cli/app/secret.go:571 cli/app/secret.go:611 cli/app/secret.go:635
 #: cli/app/secret.go:643 cli/catalogue/catalogue.go:320 cli/recipe/lint.go:139
@@ -3960,7 +3960,7 @@ msgstr "versión %s especificada inválida"
 #. no spaces in between
 #. translators: `abra recipe lint` aliases. use a comma separated list of
 #. aliases with no spaces in between
-#: cli/app/cmd.go:261 cli/app/deploy.go:446 cli/app/logs.go:20
+#: cli/app/cmd.go:261 cli/app/deploy.go:447 cli/app/logs.go:20
 #: cli/recipe/lint.go:17 cli/server/add.go:207
 msgid "l"
 msgstr ""
@@ -3976,7 +3976,7 @@ msgstr ""
 msgid "labels <domain> [flags]"
 msgstr "etiquetas <aplicacion> [opciones]"

-#: cli/app/deploy.go:445 cli/app/list.go:186
+#: cli/app/deploy.go:446 cli/app/list.go:186
 msgid "latest"
 msgstr "ultima"

@@ -4325,7 +4325,7 @@ msgstr "no hay configuraciones para eliminar"
 msgid "no containers matching the %v filter found?"
 msgstr "no se encontraron contenedores que coincidan con el filtro %v?"

-#: cli/app/new.go:302 cli/internal/validate.go:129
+#: cli/app/new.go:306 cli/internal/validate.go:129
 msgid "no domain provided"
 msgstr "no se proporcionó dominio"

@@ -4352,7 +4352,7 @@ msgstr "¿no existe la receta '%s'?"
 msgid "no recipe name provided"
 msgstr "no se proporcionó el nombre de la receta"

-#: cli/app/upgrade.go:241
+#: cli/app/upgrade.go:242
 #, fuzzy, c-format
 msgid "no release notes for upgrading from %s to %s"
 msgstr "ejecución de prueba: mover la nota de la versión de 'next' a %s"
@@ -4383,7 +4383,7 @@ msgstr "no hay secretos para eliminar"
 msgid "no secrets to remove?"
 msgstr "¿No hay secretos para eliminar?"

-#: cli/app/new.go:351 cli/internal/validate.go:167
+#: cli/app/new.go:355 cli/internal/validate.go:167
 msgid "no server provided"
 msgstr "no se proporcionó servidor"

@@ -4441,11 +4441,11 @@ msgstr "no se eliminaron volúmenes"
 msgid "no volumes to remove"
 msgstr "no hay volúmenes para eliminar"

-#: cli/app/deploy.go:437 cli/app/rollback.go:368 cli/app/upgrade.go:477
+#: cli/app/deploy.go:438 cli/app/rollback.go:369 cli/app/upgrade.go:478
 msgid "no-converge-checks"
 msgstr "sin-verificaciones-de-convergencia"

-#: cli/app/deploy.go:429 cli/app/rollback.go:360 cli/app/upgrade.go:469
+#: cli/app/deploy.go:430 cli/app/rollback.go:361 cli/app/upgrade.go:470
 msgid "no-domain-checks"
 msgstr "sin-verificaciones-de-dominio"

@@ -4513,7 +4513,7 @@ msgstr "solo se usaron etiquetas anotadas para la versión de la receta"
 msgid "only show errors"
 msgstr "mostrar solo errores"

-#: cli/app/upgrade.go:488
+#: cli/app/upgrade.go:489
 msgid "only show release notes"
 msgstr "solo mostrar notas de la versión"

@@ -4525,7 +4525,7 @@ msgstr "solo cola de stderr"
 #. with no spaces in between
 #. translators: `abra server prune` aliases. use a comma separated list of
 #. aliases with no spaces in between
-#: cli/app/backup.go:295 cli/app/new.go:391 cli/app/ps.go:29
+#: cli/app/backup.go:295 cli/app/new.go:395 cli/app/ps.go:29
 #: cli/app/secret.go:561 cli/app/secret.go:585 cli/app/secret.go:625
 #: cli/app/undeploy.go:169 cli/catalogue/catalogue.go:294
 #: cli/recipe/list.go:112 cli/server/prune.go:18
@@ -4547,27 +4547,27 @@ msgstr "parseado %s de %s"
 msgid "parsed following command arguments: %s"
 msgstr "parseados los siguientes argumentos del comando: %s"

-#: cli/app/upgrade.go:345
+#: cli/app/upgrade.go:346
 #, c-format
 msgid "parsing chosen upgrade version failed: %s"
 msgstr "falló la actualización de versión elegida para el parsing: %s"

-#: cli/app/upgrade.go:389
+#: cli/app/upgrade.go:390
 #, c-format
 msgid "parsing deployed version failed: %s"
 msgstr "parsing fallido de la versión desplegada: %s"

-#: cli/app/upgrade.go:350
+#: cli/app/upgrade.go:351
 #, c-format
 msgid "parsing deployment version failed: %s"
 msgstr "parsing fallido de la versión de despliegue: %s"

-#: cli/app/upgrade.go:356 cli/app/upgrade.go:395
+#: cli/app/upgrade.go:357 cli/app/upgrade.go:396
 #, c-format
 msgid "parsing recipe version failed: %s"
 msgstr "parsing fallido de la versión de la receta: %s"

-#: cli/app/new.go:390 cli/app/secret.go:560 cli/app/secret.go:584
+#: cli/app/new.go:394 cli/app/secret.go:560 cli/app/secret.go:584
 #: cli/app/secret.go:624
 msgid "pass"
 msgstr ""
@@ -4590,8 +4590,8 @@ msgstr "ruta"
 msgid "pattern"
 msgstr "patrón"

-#: cli/app/deploy.go:424 cli/app/env.go:327 cli/app/remove.go:165
-#: cli/app/rollback.go:355 cli/app/upgrade.go:464 cli/app/volume.go:219
+#: cli/app/deploy.go:425 cli/app/env.go:327 cli/app/remove.go:165
+#: cli/app/rollback.go:356 cli/app/upgrade.go:465 cli/app/volume.go:219
 msgid "perform action without further prompt"
 msgstr "realizar acción sin más avisos"

@@ -4601,22 +4601,22 @@ msgstr "realizar acción sin más avisos"
 msgid "pl,p"
 msgstr ""

-#: cli/app/rollback.go:267
+#: cli/app/rollback.go:268
 #, c-format
 msgid "please select a downgrade (version: %s):"
 msgstr "por favor, selecciona una versión anterior (downgrade) (versión: %s):"

-#: cli/app/rollback.go:272
+#: cli/app/rollback.go:273
 #, c-format
 msgid "please select a downgrade (version: %s, chaos: %s):"
 msgstr "por favor, selecciona una versión anterior (downgrade) (versión: %s, caos: %s):"

-#: cli/app/upgrade.go:312
+#: cli/app/upgrade.go:313
 #, c-format
 msgid "please select an upgrade (version: %s):"
 msgstr "por favor, selecciona una actualización (versión: %s):"

-#: cli/app/upgrade.go:317
+#: cli/app/upgrade.go:318
 #, c-format
 msgid "please select an upgrade (version: %s, chaos: %s):"
 msgstr "por favor, selecciona una actualización (versión: %s, caos: %s):"
@@ -4702,7 +4702,7 @@ msgstr "consultando servidores remotos..."
 #. translators: `abra recipe` aliases. use a comma separated list of aliases
 #. with no spaces in between
 #: cli/app/backup.go:327 cli/app/list.go:304 cli/app/move.go:350
-#: cli/app/run.go:23 cli/app/upgrade.go:486 cli/catalogue/catalogue.go:302
+#: cli/app/run.go:23 cli/app/upgrade.go:487 cli/catalogue/catalogue.go:302
 #: cli/recipe/recipe.go:12 cli/recipe/release.go:624
 msgid "r"
 msgstr ""
@@ -4827,7 +4827,7 @@ msgstr "publicar <receta> [version] [opciones]"
 msgid "release failed. any changes made have been reverted"
 msgstr ""

-#: cli/app/upgrade.go:485
+#: cli/app/upgrade.go:486
 msgid "releasenotes"
 msgstr "notas de la versión"

@@ -5132,7 +5132,7 @@ msgstr "ejecutar comando como usuario"
 msgid "run command locally"
 msgstr "ejecutar comando localmente"

-#: cli/app/deploy.go:281 cli/app/upgrade.go:293
+#: cli/app/deploy.go:282 cli/app/upgrade.go:294
 #, c-format
 msgid "run the following post-deploy commands: %s"
 msgstr "Ejecutar los siguientes comandos después del despliegue: %s"
@@ -5175,7 +5175,7 @@ msgstr "ejecutando el comando posterior '%s %s' en el contenedor %s"
 #. with no spaces in between
 #: cli/app/backup.go:198 cli/app/backup.go:263 cli/app/backup.go:287
 #: cli/app/env.go:333 cli/app/list.go:327 cli/app/logs.go:101
-#: cli/app/new.go:368 cli/app/restore.go:114 cli/app/secret.go:535
+#: cli/app/new.go:372 cli/app/restore.go:114 cli/app/secret.go:535
 #: cli/catalogue/catalogue.go:27 cli/catalogue/catalogue.go:310
 #: cli/recipe/fetch.go:130 cli/server/server.go:12
 msgid "s"
@@ -5219,12 +5219,12 @@ msgstr "datos del secreto no proporcionados en la línea de comandos o stdin, so
 msgid "secret not found: %s"
 msgstr "secreto no encontrado: %s"

-#: cli/app/deploy.go:358
+#: cli/app/deploy.go:359
 #, c-format
 msgid "secret not generated: %s"
 msgstr "secreto no generado: %s"

-#: cli/app/deploy.go:356
+#: cli/app/deploy.go:357
 #, c-format
 msgid "secret not inserted (#generate=false): %s"
 msgstr "secreto no insertado (#generate=false): %s"
@@ -5234,28 +5234,28 @@ msgstr "secreto no insertado (#generate=false): %s"
 msgid "secret: %s removed"
 msgstr "secreto: %s eliminado"

-#: cli/app/backup.go:302 cli/app/new.go:398
+#: cli/app/backup.go:302 cli/app/new.go:402
 msgid "secrets"
 msgstr "secretos"

-#: cli/app/new.go:238
+#: cli/app/new.go:242
 #, c-format
 msgid "secrets are %s shown again, please save them %s"
 msgstr "los secretos se muestran %s nuevamente, por favor guárdalos %s"

-#: cli/app/deploy.go:306
+#: cli/app/deploy.go:307
 #, c-format
 msgid "selected latest recipe version: %s (from %d available versions)"
 msgstr "versión de receta más reciente seleccionada: %s (de %d versiones disponibles)"

-#: cli/app/new.go:121
+#: cli/app/new.go:125
 #, c-format
 msgid "selected recipe version: %s (from %d available versions)"
 msgstr "versión de receta seleccionada: %s (de %d versiones disponibles)"

 #. translators: `abra server` command for autocompletion
 #: cli/app/env.go:332 cli/app/env.go:339 cli/app/list.go:326
-#: cli/app/list.go:341 cli/app/new.go:367 cli/app/new.go:374 cli/run.go:101
+#: cli/app/list.go:341 cli/app/new.go:371 cli/app/new.go:378 cli/run.go:101
 msgid "server"
 msgstr "servidor"

@@ -5369,7 +5369,7 @@ msgstr "establecer referencia: %s"
 msgid "severity"
 msgstr "gravedad"

-#: cli/app/deploy.go:456 cli/app/rollback.go:379 cli/app/upgrade.go:496
+#: cli/app/deploy.go:457 cli/app/rollback.go:380 cli/app/upgrade.go:497
 msgid "show all configs & images, including unchanged ones"
 msgstr "mostrar todas las configuraciones e imágenes, incluidas las no cambiadas"

@@ -5393,7 +5393,7 @@ msgstr "mostrar aplicaciones de un servidor específico"
 msgid "show debug messages"
 msgstr "mostrar mensajes para el debugeo"

-#: cli/app/deploy.go:453 cli/app/rollback.go:376 cli/app/upgrade.go:493
+#: cli/app/deploy.go:454 cli/app/rollback.go:377 cli/app/upgrade.go:494
 msgid "show-unchanged"
 msgstr "mostrar-sin-cambios"

@@ -5401,7 +5401,7 @@ msgstr "mostrar-sin-cambios"
 msgid "since"
 msgstr "desde"

-#: cli/app/new.go:336
+#: cli/app/new.go:340
 #, c-format
 msgid "single server detected, choosing %s automatically"
 msgstr "se ha detectado un único servidor, eligiendo %s automáticamente"
@@ -5441,11 +5441,11 @@ msgstr "omitiendo según lo solicitado, plegado aún está en progreso 🟠"
 msgid "skipping converge logic checks"
 msgstr "omitiendo comprobaciones de lógica de convergencia"

-#: cli/app/deploy.go:208
+#: cli/app/deploy.go:209
 msgid "skipping domain checks"
 msgstr "omitiendo comprobaciones de dominio"

-#: cli/app/deploy.go:205
+#: cli/app/deploy.go:206
 msgid "skipping domain checks, no DOMAIN=... configured"
 msgstr "omitiendo comprobaciones de dominio, no DOMAIN=... configurado"

@@ -5501,7 +5501,7 @@ msgstr "especificar archivo de secreto"
 msgid "specify secret value"
 msgstr "especificar valor de secreto"

-#: cli/app/new.go:370
+#: cli/app/new.go:374
 msgid "specify server for new app"
 msgstr "especificar servidor para la nueva aplicación"

@@ -5559,7 +5559,7 @@ msgstr ""
 msgid "store generated secrets in a local pass store"
 msgstr "almacenar secretos generados en un almacén de contraseñas local"

-#: cli/app/new.go:393
+#: cli/app/new.go:397
 msgid "store secrets in a local pass store"
 msgstr "almacenar secretos en un almacén de contraseñas local"

@@ -5710,7 +5710,7 @@ msgstr "recortar"
 msgid "trim input"
 msgstr "recortar entrada"

-#: cli/app/new.go:263 pkg/app/app.go:141
+#: cli/app/new.go:267 pkg/app/app.go:141
 #, c-format
 msgid "trimming %s to %s to avoid runtime limits"
 msgstr "recortando %s a %s para evitar límites de tiempo de ejecución"
@@ -6255,27 +6255,27 @@ msgstr "la versión parece inválida: %s"
 msgid "version wiped from %s.env"
 msgstr "versión eliminada de %s.env"

-#: cli/app/deploy.go:372
+#: cli/app/deploy.go:373
 #, c-format
 msgid "version: taking chaos version: %s"
 msgstr "versión: tomando la versión de caos: %s"

-#: cli/app/deploy.go:398
+#: cli/app/deploy.go:399
 #, c-format
 msgid "version: taking deployed version: %s"
 msgstr "versión: tomando la versión desplegada: %s"

-#: cli/app/deploy.go:403
+#: cli/app/deploy.go:404
 #, c-format
 msgid "version: taking new recipe version: %s"
 msgstr "versión: tomando la nueva versión de la receta: %s"

-#: cli/app/deploy.go:392
+#: cli/app/deploy.go:393
 #, c-format
 msgid "version: taking version from .env file: %s"
 msgstr "versión: tomando la versión desde el archivo .env: %s"

-#: cli/app/deploy.go:378
+#: cli/app/deploy.go:379
 #, c-format
 msgid "version: taking version from cli arg: %s"
 msgstr "versión: tomando la versión desde el argumento de la línea de comandos: %s"
@@ -6406,8 +6406,8 @@ msgstr "el directorio de trabajo no está limpio en %s, abortando"
 msgid "writer: %v, "
 msgstr ""

-#: cli/app/deploy.go:288 cli/app/new.go:251 cli/app/rollback.go:256
-#: cli/app/undeploy.go:120 cli/app/upgrade.go:301
+#: cli/app/deploy.go:289 cli/app/new.go:255 cli/app/rollback.go:257
+#: cli/app/undeploy.go:120 cli/app/upgrade.go:302
 #, c-format
 msgid "writing recipe version failed: %s"
 msgstr "escritura de la versión de la receta fallida: %s"
@@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: nginx:1.31.0
+    image: nginx:1.31.2
    secrets:
      - test_pass_one
      - test_pass_two
@@ -61,6 +61,16 @@ teardown(){
  run grep -q "TYPE=$TEST_RECIPE:0.3.0+1.21.0" \
    "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env"
  assert_success
+
+  # 0.3.0-only
+  run grep -q "NETWORK_WITH_COMMENT=BAZ" \
+    "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env"
+  assert_success
+
+  # latest-only
+  run grep -q "TIMEOUT=120" \
+    "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env"
+  assert_failure
 }

@test "ensure recipe is up-to-date" {
@@ -100,6 +110,16 @@ teardown(){
  run grep -q "TYPE=$TEST_RECIPE:${tagHash}" \
    "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env"
  assert_success
+
+  # 0.3.0-only
+  run grep -q "NETWORK_WITH_COMMENT=BAZ" \
+    "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env"
+  assert_success
+
+  # latest-only
+  run grep -q "TIMEOUT=120" \
+    "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env"
+  assert_failure
 }

@test "does not overwrite existing env files" {
@@ -3,7 +3,7 @@ version: "3.8"

 services:
  app:
-    image: nginx:1.31.0
+    image: nginx:1.31.2
    networks:
      - proxy
    deploy:
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1

 ARG GO_VERSION=1.20.8
-ARG ALPINE_VERSION=3.18
+ARG ALPINE_VERSION=3.24
 ARG XX_VERSION=1.2.1

 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
@@ -61,6 +61,16 @@ type Config struct {
 		CommentChar string
 		// RepositoryFormatVersion identifies the repository format and layout version.
 		RepositoryFormatVersion format.RepositoryFormatVersion
+		// ProtectNTFS controls whether NTFS-specific path protections are
+		// applied (e.g. rejecting .git trailing spaces/periods, alternate
+		// data streams, 8.3 short names). When unset, defaults to true on
+		// Windows.
+		ProtectNTFS OptBool
+		// ProtectHFS controls whether HFS+-specific path protections are
+		// applied (e.g. rejecting .git with Unicode zero-width or
+		// directional characters that HFS+ would normalize away).
+		// When unset, defaults to true on macOS.
+		ProtectHFS OptBool
 	}

 	User struct {
@@ -266,6 +276,8 @@ const (
 	repositoryFormatVersionKey = "repositoryformatversion"
 	objectFormat               = "objectformat"
 	mirrorKey                  = "mirror"
+	protectNTFSKey             = "protectNTFS"
+	protectHFSKey              = "protectHFS"

 	// DefaultPackWindow holds the number of previous objects used to
 	// generate deltas. The value 10 is the same used by git command.
@@ -309,6 +321,14 @@ func (c *Config) unmarshalCore() {

 	c.Core.Worktree = s.Options.Get(worktreeKey)
 	c.Core.CommentChar = s.Options.Get(commentCharKey)
+
+	if parsed := parseConfigBool(s.Options.Get(protectNTFSKey)); parsed.IsSet() {
+		c.Core.ProtectNTFS = parsed
+	}
+
+	if parsed := parseConfigBool(s.Options.Get(protectHFSKey)); parsed.IsSet() {
+		c.Core.ProtectHFS = parsed
+	}
 }

 func (c *Config) unmarshalUser() {
@@ -379,7 +399,8 @@ func unmarshalSubmodules(fc *format.Config, submodules map[string]*Submodule) {
 		m := &Submodule{}
 		m.unmarshal(sub)

-		if m.Validate() == ErrModuleBadPath {
+		if err := m.Validate(); errors.Is(err, ErrModuleBadPath) ||
+			errors.Is(err, ErrModuleBadName) {
 			continue
 		}

@@ -436,6 +457,14 @@ func (c *Config) marshalCore() {
 	if c.Core.Worktree != "" {
 		s.SetOption(worktreeKey, c.Core.Worktree)
 	}
+
+	if c.Core.ProtectNTFS.IsSet() {
+		s.SetOption(protectNTFSKey, c.Core.ProtectNTFS.FormatBool())
+	}
+
+	if c.Core.ProtectHFS.IsSet() {
+		s.SetOption(protectHFSKey, c.Core.ProtectHFS.FormatBool())
+	}
 }

 func (c *Config) marshalExtensions() {
@@ -3,8 +3,11 @@ package config
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"regexp"
+	"strings"

+	"github.com/go-git/go-git/v5/internal/pathutil"
 	format "github.com/go-git/go-git/v5/plumbing/format/config"
 )

@@ -12,6 +15,7 @@ var (
 	ErrModuleEmptyURL  = errors.New("module config: empty URL")
 	ErrModuleEmptyPath = errors.New("module config: empty path")
 	ErrModuleBadPath   = errors.New("submodule has an invalid path")
+	ErrModuleBadName   = errors.New("ignoring suspicious submodule name")
 )

 var (
@@ -94,6 +98,10 @@ type Submodule struct {

 // Validate validates the fields and sets the default values.
 func (m *Submodule) Validate() error {
+	if err := validSubmoduleName(m.Name); err != nil {
+		return fmt.Errorf("%w: %q", ErrModuleBadName, m.Name)
+	}
+
 	if m.Path == "" {
 		return ErrModuleEmptyPath
 	}
@@ -109,6 +117,50 @@ func (m *Submodule) Validate() error {
 	return nil
 }

+// validSubmoduleName mirrors canonical Git's check_submodule_name in
+// submodule-config.c [1]: reject empty names and any name with a ".."
+// path component, using both '/' and '\\' as separators so the rule
+// is consistent across platforms. The component check is delegated to
+// `pathutil.IsHFSDot` and `pathutil.IsNTFSDot` with `.` as the needle,
+// which both cover the bare ".." case and reject components that
+// resolve to ".." after HFS+ Unicode normalisation (ignored code
+// points, e.g. `.<U+200C>.`) or NTFS trailing-space/dot/ADS
+// canonicalisation (e.g. `.. `, `..::$INDEX_ALLOCATION`).
+// `.gitmodules` is attacker-controlled by definition, so both checks
+// run unconditionally regardless of host OS.
+//
+// The additional checks (bare ".", NUL byte, leading or trailing
+// separator, drive-letter prefix) close go-git-specific edge cases
+// the canonical loop does not exercise: canonical Git treats names
+// as opaque C strings, while Go strings carry NULs through and the
+// billy filesystem layer is path-aware in ways Git's working storage
+// is not.
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/submodule-config.c#L214-L237
+func validSubmoduleName(name string) error {
+	if name == "" || name == "." {
+		return ErrModuleBadName
+	}
+	for _, seg := range strings.FieldsFunc(name, isPathSep) {
+		if pathutil.IsHFSDot(seg, ".") || pathutil.IsNTFSDot(seg, ".", "") {
+			return ErrModuleBadName
+		}
+	}
+	// go-git-specific defensive checks beyond canonical Git.
+	if strings.ContainsRune(name, 0) {
+		return ErrModuleBadName
+	}
+	if isPathSep(rune(name[0])) || isPathSep(rune(name[len(name)-1])) {
+		return ErrModuleBadName
+	}
+	if len(name) >= 2 && name[1] == ':' {
+		return ErrModuleBadName
+	}
+	return nil
+}
+
+func isPathSep(r rune) bool { return r == '/' || r == '\\' }
+
 func (m *Submodule) unmarshal(s *format.Subsection) {
 	m.raw = s

@@ -0,0 +1,82 @@
+package config
+
+import (
+	"strconv"
+	"strings"
+)
+
+// OptBool is a tri-state boolean: unset, explicitly false, or explicitly true.
+// Its zero value (OptBoolUnset) means the setting was not specified, which
+// allows merge logic based on reflect.Value.IsZero to skip unset fields while
+// still letting an explicit "false" override a previously set "true".
+type OptBool byte
+
+const (
+	// OptBoolUnset indicates the setting was not specified.
+	OptBoolUnset OptBool = iota
+	// OptBoolFalse indicates the setting was explicitly set to false.
+	OptBoolFalse
+	// OptBoolTrue indicates the setting was explicitly set to true.
+	OptBoolTrue
+)
+
+// NewOptBool converts a plain bool into an OptBool.
+func NewOptBool(v bool) OptBool {
+	if v {
+		return OptBoolTrue
+	}
+	return OptBoolFalse
+}
+
+// IsTrue returns whether the value is explicitly true.
+func (o OptBool) IsTrue() bool { return o == OptBoolTrue }
+
+// IsSet returns whether the value was explicitly specified (true or false).
+func (o OptBool) IsSet() bool { return o != OptBoolUnset }
+
+func (o OptBool) String() string {
+	switch o {
+	case OptBoolTrue:
+		return "true"
+	case OptBoolFalse:
+		return "false"
+	default:
+		return "unset"
+	}
+}
+
+// FormatBool returns the strconv-formatted value. Only meaningful when IsSet.
+func (o OptBool) FormatBool() string {
+	return strconv.FormatBool(o.IsTrue())
+}
+
+// parseConfigBool mirrors upstream Git's git_parse_maybe_bool: it
+// accepts true/yes/on (→ OptBoolTrue) and false/no/off (→
+// OptBoolFalse) case-insensitively, plus any decimal integer (zero
+// → OptBoolFalse, non-zero → OptBoolTrue). Empty or otherwise
+// unrecognised values return OptBoolUnset, leaving the caller's
+// platform default in place. The empty-string handling is the only
+// intentional divergence from upstream, which returns false for
+// empty: in our unmarshalCore caller, an empty value means the key
+// is unset and the platform default should apply.
+//
+// Reference: upstream Git git_parse_maybe_bool_text at parse.c
+// L157-L173 and git_parse_maybe_bool at parse.c L174-L182 in tag
+// v2.54.0[1].
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/parse.c#L157-L182
+func parseConfigBool(v string) OptBool {
+	switch strings.ToLower(v) {
+	case "true", "yes", "on":
+		return OptBoolTrue
+	case "false", "no", "off":
+		return OptBoolFalse
+	}
+	if i, err := strconv.Atoi(v); err == nil {
+		if i != 0 {
+			return OptBoolTrue
+		}
+		return OptBoolFalse
+	}
+	return OptBoolUnset
+}
@@ -0,0 +1,21 @@
+package pathutil
+
+import "strings"
+
+// IsDotGitName reports whether name is `.git` or its 8.3 NTFS short
+// alias `git~1`, case-insensitively. Both are forbidden as path
+// components (and as submodule names) because they refer to the
+// repository's own metadata directory.
+//
+// File names that do not conform to the 8.3 format (up to eight
+// characters for the basename, three for the file extension) are
+// associated with a so-called "short name" on NTFS — at least on
+// the `C:` drive by default — which means that `git~1/` is a valid
+// way to refer to `.git/`.
+func IsDotGitName(name string) bool {
+	switch strings.ToLower(name) {
+	case ".git", "git~1":
+		return true
+	}
+	return false
+}
@@ -0,0 +1,99 @@
+package pathutil
+
+import "unicode"
+
+// hfsIgnoredCodepoints contains Unicode code points that HFS+ ignores
+// during path normalization. A path component containing these
+// characters between the bytes of ".git" (or ".gitmodules", etc.)
+// will be treated as that name by HFS+, so they have to be filtered
+// out before comparison.
+//
+// See upstream Git utf8.c next_hfs_char in tag v2.54.0[1].
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/utf8.c#L703-L740
+var hfsIgnoredCodepoints = map[rune]struct{}{
+	0x200c: {}, // ZERO WIDTH NON-JOINER
+	0x200d: {}, // ZERO WIDTH JOINER
+	0x200e: {}, // LEFT-TO-RIGHT MARK
+	0x200f: {}, // RIGHT-TO-LEFT MARK
+	0x202a: {}, // LEFT-TO-RIGHT EMBEDDING
+	0x202b: {}, // RIGHT-TO-LEFT EMBEDDING
+	0x202c: {}, // POP DIRECTIONAL FORMATTING
+	0x202d: {}, // LEFT-TO-RIGHT OVERRIDE
+	0x202e: {}, // RIGHT-TO-LEFT OVERRIDE
+	0x206a: {}, // INHIBIT SYMMETRIC SWAPPING
+	0x206b: {}, // ACTIVATE SYMMETRIC SWAPPING
+	0x206c: {}, // INHIBIT ARABIC FORM SHAPING
+	0x206d: {}, // ACTIVATE ARABIC FORM SHAPING
+	0x206e: {}, // NATIONAL DIGIT SHAPES
+	0x206f: {}, // NOMINAL DIGIT SHAPES
+	0xfeff: {}, // ZERO WIDTH NO-BREAK SPACE
+}
+
+// IsHFSDot reports whether part would be treated as ".<needle>" on an
+// HFS+ filesystem after stripping ignored Unicode code points and
+// folding ASCII to lower case. The needle is the lowercase ASCII
+// suffix without the leading dot (e.g. "git", "gitmodules"). It
+// mirrors upstream Git's is_hfs_dot_generic and is the building
+// block of IsHFSDotGit / IsHFSDotGitmodules.
+//
+// Reference: upstream Git utf8.c is_hfs_dot_generic at L741-L774 and
+// the dotgit family at L784-L809 in tag v2.54.0[1].
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/utf8.c#L741-L809
+func IsHFSDot(part, needle string) bool {
+	runes := []rune(part)
+	i := 0
+
+	// skip ignored code points, then expect '.'
+	for i < len(runes) {
+		if _, ok := hfsIgnoredCodepoints[runes[i]]; !ok {
+			break
+		}
+		i++
+	}
+	if i >= len(runes) || runes[i] != '.' {
+		return false
+	}
+	i++
+
+	// match needle case-insensitively, skipping ignored code points
+	for _, expected := range needle {
+		for i < len(runes) {
+			if _, ok := hfsIgnoredCodepoints[runes[i]]; !ok {
+				break
+			}
+			i++
+		}
+		if i >= len(runes) {
+			return false
+		}
+		r := runes[i]
+		if r > 127 {
+			return false
+		}
+		if unicode.ToLower(r) != expected {
+			return false
+		}
+		i++
+	}
+
+	// skip trailing ignored code points
+	for i < len(runes) {
+		if _, ok := hfsIgnoredCodepoints[runes[i]]; !ok {
+			break
+		}
+		i++
+	}
+
+	// must be at end of component
+	return i == len(runes)
+}
+
+// IsHFSDotGit reports whether part is an HFS+ equivalent of ".git".
+func IsHFSDotGit(part string) bool { return IsHFSDot(part, "git") }
+
+// IsHFSDotGitmodules reports whether part is an HFS+ equivalent of
+// ".gitmodules", catching attempts to plant the file via Unicode
+// code points that HFS+ would strip during normalisation.
+func IsHFSDotGitmodules(part string) bool { return IsHFSDot(part, "gitmodules") }
@@ -0,0 +1,187 @@
+package pathutil
+
+import "strings"
+
+// IsNTFSDotGit ports upstream Git's is_ntfs_dotgit. It detects path
+// components that NTFS would resolve to ".git": the canonical name
+// itself and its 8.3 short-name alias "git~1", each followed by any
+// number of trailing spaces or periods (which NTFS silently trims)
+// and an optional Alternate Data Stream suffix (":<stream>"). The
+// bare strings ".git" and "git~1" also match, mirroring upstream.
+//
+// Reference: upstream Git path.c is_ntfs_dotgit at L1415-L1449
+// in tag v2.54.0[1].
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/path.c#L1415-L1449
+func IsNTFSDotGit(part string) bool {
+	var i int
+	switch {
+	case len(part) >= 4 && part[0] == '.' &&
+		asciiToLower(part[1]) == 'g' &&
+		asciiToLower(part[2]) == 'i' &&
+		asciiToLower(part[3]) == 't':
+		i = 4
+	case len(part) >= 5 &&
+		asciiToLower(part[0]) == 'g' &&
+		asciiToLower(part[1]) == 'i' &&
+		asciiToLower(part[2]) == 't' &&
+		part[3] == '~' && part[4] == '1':
+		i = 5
+	default:
+		return false
+	}
+
+	for ; i < len(part); i++ {
+		c := part[i]
+		if c == ':' {
+			return true
+		}
+		if c != '.' && c != ' ' {
+			return false
+		}
+	}
+	return true
+}
+
+// WindowsValidPath reports whether part is a valid Windows / NTFS
+// path component for the worktree filesystem abstraction. It rejects
+// NTFS-disguised variants of `.git` and `git~1` (trailing spaces,
+// periods, Alternate Data Streams) and Windows reserved device
+// names. Bare `.git` and `git~1` are allowed at this layer; the
+// caller decides whether they are permissible at the current path
+// position.
+func WindowsValidPath(part string) bool {
+	if IsNTFSDotGit(part) && !IsDotGitName(part) {
+		return false
+	}
+	return !isWindowsReservedName(part)
+}
+
+// windowsReservedNames lists the Windows reserved device names.
+// A path component is reserved if its base name (ignoring trailing
+// spaces, extensions, and NTFS Alternate Data Streams) matches one of
+// these case-insensitively.
+//
+// See upstream Git compat/mingw.c is_valid_win32_path().
+var windowsReservedNames = []string{
+	"CON", "PRN", "AUX", "NUL",
+	"COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
+	"LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
+	"CONIN$", "CONOUT$",
+}
+
+func isWindowsReservedName(part string) bool {
+	for _, name := range windowsReservedNames {
+		if len(part) < len(name) {
+			continue
+		}
+		if !strings.EqualFold(part[:len(name)], name) {
+			continue
+		}
+		// Exact match or followed by space, dot, colon (ADS), or separator.
+		if len(part) == len(name) {
+			return true
+		}
+		switch part[len(name)] {
+		case ' ', '.', ':':
+			return true
+		}
+	}
+	return false
+}
+
+// IsNTFSDot ports upstream Git's is_ntfs_dot_generic. It detects NTFS
+// path-component variants of a dotfile name that attackers can use to
+// bypass case-insensitive comparisons against the canonical name on
+// Windows. The dotgit parameter is the lowercase name without the
+// leading dot (e.g. "gitmodules"); shortnamePrefix is the canonical
+// 6-character NTFS short-name prefix used as a fall-back match
+// (e.g. "gi7eba" for ".gitmodules").
+//
+// Reference: upstream Git path.c is_ntfs_dot_generic at L1451-L1507
+// in tag v2.54.0[1].
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/path.c#L1451-L1507
+func IsNTFSDot(name, dotgit, shortnamePrefix string) bool {
+	// onlySpacesAndPeriods returns true when the suffix from start
+	// onwards consists only of trailing spaces and periods, possibly
+	// terminated by a NTFS Alternate Data Stream colon. Mirrors the
+	// only_spaces_and_periods label in upstream's is_ntfs_dot_generic.
+	onlySpacesAndPeriods := func(start int) bool {
+		for i := start; i < len(name); i++ {
+			c := name[i]
+			if c == ':' {
+				return true
+			}
+			if c != ' ' && c != '.' {
+				return false
+			}
+		}
+		return true
+	}
+
+	// Pattern 1: ".<dotgit>" prefix + trailing spaces / periods / ADS.
+	if len(name) >= len(dotgit)+1 && name[0] == '.' &&
+		strings.EqualFold(name[1:1+len(dotgit)], dotgit) {
+		if onlySpacesAndPeriods(len(dotgit) + 1) {
+			return true
+		}
+	}
+
+	// Pattern 2: standard NTFS short name <dotgit[:6]>~[1-4].
+	if len(dotgit) >= 6 && len(name) >= 8 &&
+		strings.EqualFold(name[:6], dotgit[:6]) &&
+		name[6] == '~' && name[7] >= '1' && name[7] <= '4' {
+		if onlySpacesAndPeriods(8) {
+			return true
+		}
+	}
+
+	// Pattern 3: fall-back NTFS short name keyed by shortnamePrefix.
+	if len(shortnamePrefix) < 6 || len(name) < 8 {
+		return false
+	}
+	sawTilde := false
+	i := 0
+	for i < 8 {
+		c := name[i]
+		switch {
+		case sawTilde:
+			if c < '0' || c > '9' {
+				return false
+			}
+		case c == '~':
+			i++
+			if i >= len(name) || name[i] < '1' || name[i] > '9' {
+				return false
+			}
+			sawTilde = true
+		case i >= 6:
+			return false
+		case c&0x80 != 0:
+			return false
+		default:
+			if asciiToLower(c) != shortnamePrefix[i] {
+				return false
+			}
+		}
+		i++
+	}
+	return onlySpacesAndPeriods(8)
+}
+
+// IsNTFSDotGitmodules reports whether part is an NTFS-equivalent of
+// ".gitmodules" — the file name (or any of its variants that NTFS
+// would resolve to it) that attackers can use to plant submodule
+// configuration disguised as a symlink. The 6-character canonical
+// short-name prefix "gi7eba" mirrors upstream Git's is_ntfs_dotgitmodules.
+func IsNTFSDotGitmodules(part string) bool {
+	return IsNTFSDot(part, "gitmodules", "gi7eba")
+}
+
+func asciiToLower(c byte) byte {
+	if c >= 'A' && c <= 'Z' {
+		return c + ('a' - 'A')
+	}
+	return c
+}
@@ -0,0 +1,66 @@
+package pathutil
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+)
+
+// ErrInvalidPath is returned by ValidTreePath when its argument is
+// not a safe path to materialise into the worktree.
+var ErrInvalidPath = fmt.Errorf("invalid path")
+
+// ValidTreePath rejects path strings that, if materialised into a
+// worktree, would let an attacker-controlled tree entry escape the
+// worktree or rewrite repository metadata. It rejects:
+//
+//   - control characters (< 0x20, 0x7f);
+//   - empty paths and "." / ".." components;
+//   - Windows volume name prefixes (e.g. C:);
+//   - .git, its 8.3 NTFS short-name git~1, plus their HFS+ and NTFS
+//     variants — at every position, not just the root.
+//
+// HFS+/NTFS variants of `.git` are always rejected at this layer
+// regardless of runtime config: tree paths are canonical UTF-8 with
+// no zero-width characters or NTFS short-name forms, so an entry
+// that looks like a disguised `.git` is suspicious anywhere. Windows
+// reserved device names (CON, NUL, etc.) are not policed here — they
+// are legitimate filenames on non-Windows filesystems and upstream
+// Git accepts them. The wrapper layer (validPath in package git)
+// rejects them at materialisation time when core.protectNTFS is on.
+//
+// Mirrors upstream Git's verify_path_internal at read-cache.c#L987
+// in tag v2.54.0[1] with protect_hfs / protect_ntfs treated as
+// always-on for `.git`-disguise detection (tree paths are not
+// application-supplied) and is_valid_win32_path left to the wrapper.
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/read-cache.c#L987
+func ValidTreePath(p string) error {
+	for i := 0; i < len(p); i++ {
+		if p[i] < 0x20 || p[i] == 0x7f {
+			return fmt.Errorf("%w %q: contains control character", ErrInvalidPath, p)
+		}
+	}
+
+	parts := strings.FieldsFunc(p, func(r rune) bool { return r == '\\' || r == '/' })
+	if len(parts) == 0 {
+		return fmt.Errorf("%w: %q", ErrInvalidPath, p)
+	}
+
+	// Volume names are not supported, in both formats: \\ and <DRIVE_LETTER>:.
+	if vol := filepath.VolumeName(p); vol != "" {
+		return fmt.Errorf("%w: %q", ErrInvalidPath, p)
+	}
+
+	for _, part := range parts {
+		if part == "." || part == ".." {
+			return fmt.Errorf("%w %q: cannot use %q", ErrInvalidPath, p, part)
+		}
+
+		if IsDotGitName(part) || IsHFSDotGit(part) || IsNTFSDotGit(part) {
+			return fmt.Errorf("%w component: %q", ErrInvalidPath, p)
+		}
+	}
+
+	return nil
+}
@@ -2,12 +2,14 @@ package url

 import (
 	"regexp"
+	"runtime"
+	"strings"
 )

 var (
 	isSchemeRegExp = regexp.MustCompile(`^[^:]+://`)

-	// Ref: https://github.com/git/git/blob/master/Documentation/urls.txt#L37
+	// Ref: https://github.com/git/git/blob/v2.54.0/Documentation/urls.adoc#L41-L48
 	scpLikeUrlRegExp = regexp.MustCompile(`^(?:(?P<user>[^@]+)@)?(?P<host>[^:\s]+):(?:(?P<port>[0-9]{1,5}):)?(?P<path>[^\\].*)$`)
 )

@@ -20,7 +22,38 @@ func MatchesScheme(url string) bool {
 // MatchesScpLike returns true if the given string matches an SCP-like
 // format scheme.
 func MatchesScpLike(url string) bool {
-	return scpLikeUrlRegExp.MatchString(url)
+	if !scpLikeUrlRegExp.MatchString(url) {
+		return false
+	}
+	// Mirror canonical Git's url_is_local_not_ssh in connect.c[1] for
+	// the cases the regex above cannot disambiguate by itself: a URL
+	// is treated as a local path (not SCP-style SSH) when a `/`
+	// precedes the first `:` (e.g. `./relative:path`,
+	// `/abs/with:colon/file`), or — on Windows only — when it has a
+	// DOS drive prefix like `C:foo` where the host is a single
+	// ASCII letter.
+	//
+	// [1]: https://github.com/git/git/blob/v2.54.0/connect.c#L710-L716
+	if before, _, _ := strings.Cut(url, ":"); strings.Contains(before, "/") {
+		return false
+	}
+	if runtime.GOOS == "windows" && hasDosDrivePrefix(url) {
+		return false
+	}
+	return true
+}
+
+// hasDosDrivePrefix reports whether s begins with `<letter>:` (a
+// Windows drive prefix such as `C:` or `c:`). Mirrors canonical Git's
+// win32_has_dos_drive_prefix[1].
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/compat/win32/path-utils.c#L20-L29
+func hasDosDrivePrefix(s string) bool {
+	if len(s) < 2 || s[1] != ':' {
+		return false
+	}
+	c := s[0]
+	return ('A' <= c && c <= 'Z') || ('a' <= c && c <= 'z')
 }

 // FindScpLikeComponents returns the user, host, port and path of the
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/fs"

 	"github.com/go-git/go-git/v5/plumbing/hash"
 	"github.com/go-git/go-git/v5/utils/binary"
@@ -25,35 +26,88 @@ const (
 	objectIDLength = hash.Size
 )

+// Byte sizes of the idx v2 layout elements, used by the size formula
+// in [validateIdxV2Size]. See [gitformat-pack] for the canonical
+// layout.
+//
+// [gitformat-pack]: https://git-scm.com/docs/gitformat-pack
+const (
+	headerLen     = 8          // magic + version
+	fanoutLen     = fanout * 4 // uint32 per bucket
+	crc32Len      = 4          // CRC32 per object
+	offset32Len   = 4          // 32-bit offset per object
+	offset64Len   = 8          // 64-bit overflow offset
+	trailerHashes = 2          // pack checksum + idx checksum, each hashsz
+)
+
+// statInput is the optional shape the [Decoder] probes for at the
+// start of [Decoder.Decode] to learn the on-disk length of the idx
+// blob, which it uses to validate the canonical-Git size formula
+// before any allocations driven by the fanout table. Callers that
+// pass an [*os.File] or a `billy.File` backed by an `*os.File`
+// (the production call sites in `storage/filesystem`) satisfy it
+// directly; arbitrary [io.Reader]s do not, and decode for them
+// retains the pre-existing behaviour of erroring out at the
+// truncated-payload boundary instead.
+//
+// The interface is intentionally unexported so the public
+// [NewDecoder] signature stays compatible with v5.
+type statInput interface {
+	Stat() (fs.FileInfo, error)
+}
+
 // Decoder reads and decodes idx files from an input stream.
 type Decoder struct {
 	io.Reader
-	h hash.Hash
+	src io.Reader
+	h   hash.Hash
 }

 // NewDecoder builds a new idx stream decoder, that reads from r.
 func NewDecoder(r io.Reader) *Decoder {
 	h := hash.New(crypto.SHA1)
 	tr := io.TeeReader(r, h)
-	return &Decoder{tr, h}
+	return &Decoder{tr, r, h}
 }

 // Decode reads from the stream and decode the content into the MemoryIndex struct.
 func (d *Decoder) Decode(idx *MemoryIndex) error {
+	idxSize := int64(-1)
+	if in, ok := d.src.(statInput); ok {
+		fi, err := in.Stat()
+		if err != nil {
+			return fmt.Errorf("%w: stat input: %w", ErrMalformedIdxFile, err)
+		}
+		idxSize = fi.Size()
+	}
+
 	if err := validateHeader(d); err != nil {
 		return err
 	}

-	flow := []func(*MemoryIndex, io.Reader) error{
+	headerFlow := []func(*MemoryIndex, io.Reader) error{
 		readVersion,
 		readFanout,
+	}
+	for _, f := range headerFlow {
+		if err := f(idx, d); err != nil {
+			return err
+		}
+	}
+
+	if idxSize >= 0 {
+		if err := validateIdxV2Size(idx, idxSize); err != nil {
+			return err
+		}
+	}
+
+	bodyFlow := []func(*MemoryIndex, io.Reader) error{
 		readObjectNames,
 		readCRC32,
 		readOffsets,
 		readPackChecksum,
 	}
-
-	for _, f := range flow {
+	for _, f := range bodyFlow {
 		if err := f(idx, d); err != nil {
 			return err
 		}
@@ -199,3 +253,103 @@ func readIdxChecksum(idx *MemoryIndex, r io.Reader) error {

 	return nil
 }
+
+// validateIdxV2Size enforces the size formula used by canonical Git
+// load_idx for idx v2 files: the on-disk length must lie within
+// [minSize, maxSize] where
+//
+//	perObject = hashsz + crc32Len + offset32Len
+//	minSize   = headerLen + fanoutLen + trailerHashes*hashsz + nr*perObject
+//	maxSize   = minSize + (nr-1)*offset64Len     when nr > 0
+//
+// with nr taken from the last fanout entry and hashsz fixed at
+// [objectIDLength] (SHA-1 in v5). Multiplications use a self-checking
+// overflow guard so inputs whose claimed object count overflows the
+// formula are rejected rather than wrapping into a smaller value.
+func validateIdxV2Size(idx *MemoryIndex, idxSize int64) error {
+	nr := int64(idx.Fanout[fanout-1])
+	hashsz := int64(objectIDLength)
+
+	minSize := minIdxV2Size(nr, hashsz)
+	maxSize := maxIdxV2Size(nr, hashsz)
+	if minSize < 0 || maxSize < 0 {
+		return fmt.Errorf("%w: object count %d is inconsistent with file size", ErrMalformedIdxFile, nr)
+	}
+
+	if idxSize < minSize || idxSize > maxSize {
+		return fmt.Errorf("%w: file size %d is inconsistent with object count %d", ErrMalformedIdxFile, idxSize, nr)
+	}
+	return nil
+}
+
+// minIdxV2Size returns the minimum on-disk size of an idx v2 file
+// holding nr objects with the given hash size, mirroring the
+// computation in canonical Git load_idx. Returns -1 when any
+// intermediate multiplication or addition would overflow int64.
+func minIdxV2Size(nr, hashsz int64) int64 {
+	perObject := hashsz + crc32Len + offset32Len
+	fixed := int64(headerLen+fanoutLen) + trailerHashes*hashsz
+
+	objects, ok := mulInt64(nr, perObject)
+	if !ok {
+		return -1
+	}
+	sum, ok := addInt64(fixed, objects)
+	if !ok {
+		return -1
+	}
+	return sum
+}
+
+// maxIdxV2Size returns the maximum on-disk size of an idx v2 file
+// holding nr objects with the given hash size, mirroring the
+// computation in canonical Git load_idx. Returns -1 on overflow.
+func maxIdxV2Size(nr, hashsz int64) int64 {
+	minSize := minIdxV2Size(nr, hashsz)
+	if minSize < 0 {
+		return -1
+	}
+	if nr == 0 {
+		return minSize
+	}
+	overflow, ok := mulInt64(nr-1, offset64Len)
+	if !ok {
+		return -1
+	}
+	sum, ok := addInt64(minSize, overflow)
+	if !ok {
+		return -1
+	}
+	return sum
+}
+
+// mulInt64 returns a*b and whether the result fits in an int64 without
+// overflow. Negative operands or overflow yield ok=false. The overflow
+// check uses the standard self-inverse identity: a*b/b == a only when
+// the multiplication did not wrap.
+func mulInt64(a, b int64) (int64, bool) {
+	if a < 0 || b < 0 {
+		return 0, false
+	}
+	if a == 0 || b == 0 {
+		return 0, true
+	}
+	c := a * b
+	if c/b != a {
+		return 0, false
+	}
+	return c, true
+}
+
+// addInt64 returns a+b and whether the result fits in an int64 without
+// overflow. Negative operands or overflow yield ok=false.
+func addInt64(a, b int64) (int64, bool) {
+	if a < 0 || b < 0 {
+		return 0, false
+	}
+	c := a + b
+	if c < a {
+		return 0, false
+	}
+	return c, true
+}
@@ -2,6 +2,7 @@ package idxfile

 import (
 	"bytes"
+	"fmt"
 	"io"
 	"sort"
 	"sync"
@@ -126,7 +127,10 @@ func (idx *MemoryIndex) FindOffset(h plumbing.Hash) (int64, error) {
 		return 0, plumbing.ErrObjectNotFound
 	}

-	offset := idx.getOffset(k, i)
+	offset, err := idx.getOffset(k, i)
+	if err != nil {
+		return 0, err
+	}

 	// Save the offset for reverse lookup
 	idx.mu.Lock()
@@ -141,17 +145,19 @@ func (idx *MemoryIndex) FindOffset(h plumbing.Hash) (int64, error) {

 const isO64Mask = uint64(1) << 31

-func (idx *MemoryIndex) getOffset(firstLevel, secondLevel int) uint64 {
+func (idx *MemoryIndex) getOffset(firstLevel, secondLevel int) (uint64, error) {
 	offset := secondLevel << 2
 	ofs := encbin.BigEndian.Uint32(idx.Offset32[firstLevel][offset : offset+4])

 	if (uint64(ofs) & isO64Mask) != 0 {
 		offset := 8 * (uint64(ofs) & ^isO64Mask)
-		n := encbin.BigEndian.Uint64(idx.Offset64[offset : offset+8])
-		return n
+		if l := uint64(len(idx.Offset64)); l < 8 || offset > l-8 {
+			return 0, fmt.Errorf("%w: offset64 index out of range", ErrMalformedIdxFile)
+		}
+		return encbin.BigEndian.Uint64(idx.Offset64[offset : offset+8]), nil
 	}

-	return uint64(ofs)
+	return uint64(ofs), nil
 }

 // FindCRC32 implements the Index interface.
@@ -209,8 +215,11 @@ func (idx *MemoryIndex) genOffsetHash() error {
 		mappedFirstLevel := idx.FanoutMapping[firstLevel]
 		for secondLevel := uint32(0); i < fanoutValue; i++ {
 			copy(hash[:], idx.Names[mappedFirstLevel][secondLevel*objectIDLength:])
-			offset := int64(idx.getOffset(mappedFirstLevel, int(secondLevel)))
-			offsetHash[offset] = hash
+			off, err := idx.getOffset(mappedFirstLevel, int(secondLevel))
+			if err != nil {
+				return err
+			}
+			offsetHash[int64(off)] = hash
 			secondLevel++
 		}
 	}
@@ -291,7 +300,11 @@ func (i *idxfileEntryIter) Next() (*Entry, error) {
 		mappedFirstLevel := i.idx.FanoutMapping[i.firstLevel]
 		entry := new(Entry)
 		copy(entry.Hash[:], i.idx.Names[mappedFirstLevel][i.secondLevel*objectIDLength:])
-		entry.Offset = i.idx.getOffset(mappedFirstLevel, i.secondLevel)
+		var err error
+		entry.Offset, err = i.idx.getOffset(mappedFirstLevel, i.secondLevel)
+		if err != nil {
+			return nil, err
+		}
 		entry.CRC32 = i.idx.getCRC32(mappedFirstLevel, i.secondLevel)

 		i.secondLevel++
@@ -11,9 +11,10 @@ import (
 )

 var (
-	ErrClosed       = errors.New("objfile: already closed")
-	ErrHeader       = errors.New("objfile: invalid header")
-	ErrNegativeSize = errors.New("objfile: negative object size")
+	ErrClosed        = errors.New("objfile: already closed")
+	ErrHeader        = errors.New("objfile: invalid header")
+	ErrHeaderNotRead = errors.New("objfile: Header must be called before Read")
+	ErrNegativeSize  = errors.New("objfile: negative object size")
 )

 // Reader reads and decodes compressed objfile data from a provided io.Reader.
@@ -100,12 +101,23 @@ func (r *Reader) prepareForRead(t plumbing.ObjectType, size int64) {
 //
 // If Read encounters the end of the data stream it will return err == io.EOF,
 // either in the current call if n > 0 or in a subsequent call.
+//
+// Read returns ErrHeaderNotRead if Header has not been called successfully.
 func (r *Reader) Read(p []byte) (n int, err error) {
+	if r.multi == nil {
+		return 0, ErrHeaderNotRead
+	}
 	return r.multi.Read(p)
 }

 // Hash returns the hash of the object data stream that has been read so far.
+// It returns the zero plumbing.Hash if Header has not been called
+// successfully — guarding against the nil hasher that prepareForRead has
+// not yet allocated.
 func (r *Reader) Hash() plumbing.Hash {
+	if r.multi == nil {
+		return plumbing.ZeroHash
+	}
 	return r.hasher.Sum()
 }

@@ -19,9 +19,6 @@ const (
 	// https://github.com/git/git/blob/f7466e94375b3be27f229c78873f0acf8301c0a5/diff-delta.c#L428
 	// Max size of a copy operation (64KB).
 	maxCopySize = 64 * 1024
-
-	// Min size of a copy operation.
-	minCopySize = 4
 )

 // GetDelta returns an EncodedObject of type OFSDeltaObject. Base and Target object,
@@ -78,7 +78,13 @@ func (o *FSObject) Reader() (io.ReadCloser, error) {
 			_ = f.Close()
 			return nil, err
 		}
-		return ioutil.NewReadCloserWithCloser(r, f.Close), nil
+		// Cap the lazy stream at the resolved object size: well-formed
+		// content reaches EOF inside the bound, an inflated stream that
+		// runs past surfaces ErrInflatedSizeMismatch on the byte just
+		// past the limit. For delta-resolved objects o.size is the
+		// expanded size, which is what the caller is reading here.
+		bounded := newBoundedReadCloser(r, o.size)
+		return ioutil.NewReadCloserWithCloser(bounded, f.Close), nil
 	}
 	r, err := p.getObjectContent(o.offset)
 	if err != nil {
@@ -126,11 +126,17 @@ func (p *Packfile) nextObjectHeader() (*ObjectHeader, error) {
 	return h, err
 }

-func (p *Packfile) getDeltaObjectSize(buf *bytes.Buffer) int64 {
+func (p *Packfile) getDeltaObjectSize(buf *bytes.Buffer) (int64, error) {
 	delta := buf.Bytes()
-	_, delta = decodeLEB128(delta) // skip src size
-	sz, _ := decodeLEB128(delta)
-	return int64(sz)
+	_, delta, err := decodeLEB128(delta) // skip src size
+	if err != nil {
+		return 0, err
+	}
+	sz, _, err := decodeLEB128(delta)
+	if err != nil {
+		return 0, err
+	}
+	return int64(sz), nil
 }

 func (p *Packfile) getObjectSize(h *ObjectHeader) (int64, error) {
@@ -145,7 +151,7 @@ func (p *Packfile) getObjectSize(h *ObjectHeader) (int64, error) {
 			return 0, err
 		}

-		return p.getDeltaObjectSize(buf), nil
+		return p.getDeltaObjectSize(buf)
 	default:
 		return 0, ErrInvalidObject.AddDetails("type %q", h.Type)
 	}
@@ -233,7 +239,10 @@ func (p *Packfile) getNextObject(h *ObjectHeader, hash plumbing.Hash) (plumbing.
 			return nil, err
 		}

-		size = p.getDeltaObjectSize(buf)
+		size, err = p.getDeltaObjectSize(buf)
+		if err != nil {
+			return nil, err
+		}
 		if size <= smallObjectThreshold {
 			var obj = new(plumbing.MemoryObject)
 			obj.SetSize(size)
@@ -26,6 +26,45 @@ var (
 	ErrDeltaNotCached = errors.New("delta could not be found in cache")
 )

+// maxObjectPreallocBytes caps the up-front size hint passed to
+// bytes.Buffer.Grow when staging an object's contents, so a malformed length
+// cannot trigger a huge or out-of-range allocation. The buffer still grows
+// dynamically as data is written; this is purely a hint cap.
+const maxObjectPreallocBytes = 1 << 30 // 1 GiB
+
+// maxObjectsPrealloc caps the up-front capacity reserved from the pack's
+// declared object count, so a header advertising an absurd quantity cannot
+// trigger a multi-gigabyte allocation. The slice and maps still grow
+// organically beyond this hint.
+const maxObjectsPrealloc = 1 << 16 // 64 Ki entries
+
+// Match upstream Git's pack depth ceiling: pack-objects.h OE_DEPTH_BITS,
+// enforced in builtin/pack-objects.c as (1 << OE_DEPTH_BITS) - 1.
+const maxDeltaChainDepth = 4095
+
+// growHint returns a non-negative int64 size, clamped to a sane upper bound,
+// suitable for passing to bytes.Buffer.Grow.
+func growHint(n int64) int {
+	switch {
+	case n <= 0:
+		return 0
+	case n > maxObjectPreallocBytes:
+		return maxObjectPreallocBytes
+	default:
+		return int(n)
+	}
+}
+
+// objectsHint returns a non-negative count, clamped to maxObjectsPrealloc,
+// suitable for passing to make() as the capacity hint for slices or maps
+// sized from a pack's declared object count.
+func objectsHint(n uint32) int {
+	if n > maxObjectsPrealloc {
+		return maxObjectsPrealloc
+	}
+	return int(n)
+}
+
 // Observer interface is implemented by index encoders.
 type Observer interface {
 	// OnHeader is called when a new packfile is opened.
@@ -166,9 +205,10 @@ func (p *Parser) init() error {
 	}

 	p.count = c
-	p.oiByHash = make(map[plumbing.Hash]*objectInfo, p.count)
-	p.oiByOffset = make(map[int64]*objectInfo, p.count)
-	p.oi = make([]*objectInfo, p.count)
+	hint := objectsHint(p.count)
+	p.oiByHash = make(map[plumbing.Hash]*objectInfo, hint)
+	p.oiByOffset = make(map[int64]*objectInfo, hint)
+	p.oi = make([]*objectInfo, 0, hint)

 	return nil
 }
@@ -261,7 +301,7 @@ func (p *Parser) indexObjects() error {
 		}
 		if delta && !p.scanner.IsSeekable {
 			buf.Reset()
-			buf.Grow(int(oh.Length))
+			buf.Grow(growHint(oh.Length))
 			writers = append(writers, buf)
 		}

@@ -306,7 +346,7 @@ func (p *Parser) indexObjects() error {
 		}

 		p.oiByOffset[oh.Offset] = ota
-		p.oi[i] = ota
+		p.oi = append(p.oi, ota)
 	}

 	return nil
@@ -317,8 +357,12 @@ func (p *Parser) resolveDeltas() error {
 	defer sync.PutBytesBuffer(buf)

 	for _, obj := range p.oi {
+		if err := checkDeltaChainDepth(obj); err != nil {
+			return err
+		}
+
 		buf.Reset()
-		buf.Grow(int(obj.Length))
+		buf.Grow(growHint(obj.Length))
 		err := p.get(obj, buf)
 		if err != nil {
 			return err
@@ -337,6 +381,9 @@ func (p *Parser) resolveDeltas() error {
 			// create it once and reuse across all children.
 			r := bytes.NewReader(buf.Bytes())
 			for _, child := range obj.Children {
+				if err := checkDeltaChainDepth(child); err != nil {
+					return err
+				}
 				// Even though we are discarding the output, we still need to read it to
 				// so that the scanner can advance to the next object, and the SHA1 can be
 				// calculated.
@@ -356,6 +403,17 @@ func (p *Parser) resolveDeltas() error {
 	return nil
 }

+func checkDeltaChainDepth(o *objectInfo) error {
+	var depth int
+	for current := o; current != nil && current.DiskType.IsDelta(); current = current.Parent {
+		depth++
+		if depth > maxDeltaChainDepth {
+			return fmt.Errorf("%w: delta chain depth exceeds %d", ErrMalformedPackFile, maxDeltaChainDepth)
+		}
+	}
+	return nil
+}
+
 func (p *Parser) resolveExternalRef(o *objectInfo) {
 	if ref, ok := p.oiByHash[o.SHA1]; ok && ref.ExternalRef {
 		p.oiByHash[o.SHA1] = o
@@ -405,7 +463,7 @@ func (p *Parser) get(o *objectInfo, buf *bytes.Buffer) (err error) {
 	if o.DiskType.IsDelta() {
 		b := sync.GetBytesBuffer()
 		defer sync.PutBytesBuffer(b)
-		buf.Grow(int(o.Length))
+		buf.Grow(growHint(o.Length))
 		err := p.get(o.Parent, b)
 		if err != nil {
 			return err
@@ -31,10 +31,15 @@ const (
 	// premptively made available for a patch operation.
 	maxPatchPreemptionSize uint = 65536

-	// minDeltaSize defines the smallest size for a delta.
-	minDeltaSize = 4
+	// minDeltaSize is the smallest valid delta: a 1-byte srcSz LEB128
+	// header followed by a 1-byte targetSz LEB128 header (the
+	// shortest case being targetSz=0 with no operations).
+	minDeltaSize = 2
 )

+// uintBits is the bit width of uint on the current platform (32 or 64).
+const uintBits = 32 << (^uint(0) >> 63)
+
 type offset struct {
 	mask  byte
 	shift uint
@@ -142,7 +147,7 @@ func ReaderFromDelta(base plumbing.EncodedObject, deltaRC io.Reader) (io.ReadClo
 		baseBuf := bufio.NewReader(baseRd)
 		basePos := uint(0)

-		for {
+		for remainingTargetSz > 0 {
 			cmd, err := deltaBuf.ReadByte()
 			if err == io.EOF {
 				_ = dstWr.CloseWithError(ErrInvalidDelta)
@@ -166,9 +171,9 @@ func ReaderFromDelta(base plumbing.EncodedObject, deltaRC io.Reader) (io.ReadClo
 					return
 				}

-				if invalidSize(sz, targetSz) ||
+				if invalidSize(sz, remainingTargetSz) ||
 					invalidOffsetSize(offset, sz, srcSz) {
-					_ = dstWr.Close()
+					_ = dstWr.CloseWithError(ErrInvalidDelta)
 					return
 				}

@@ -210,7 +215,7 @@ func ReaderFromDelta(base plumbing.EncodedObject, deltaRC io.Reader) (io.ReadClo

 			case isCopyFromDelta(cmd):
 				sz := uint(cmd) // cmd is the size itself
-				if invalidSize(sz, targetSz) {
+				if invalidSize(sz, remainingTargetSz) {
 					_ = dstWr.CloseWithError(ErrInvalidDelta)
 					return
 				}
@@ -225,40 +230,48 @@ func ReaderFromDelta(base plumbing.EncodedObject, deltaRC io.Reader) (io.ReadClo
 				_ = dstWr.CloseWithError(ErrDeltaCmd)
 				return
 			}
-
-			if remainingTargetSz <= 0 {
-				_ = dstWr.Close()
-				return
-			}
 		}
+
+		// Mirror upstream's `data != top` post-loop check: every byte
+		// of the delta payload must be consumed.
+		if _, err := deltaBuf.ReadByte(); err == nil {
+			_ = dstWr.CloseWithError(ErrInvalidDelta)
+			return
+		} else if err != io.EOF {
+			_ = dstWr.CloseWithError(err)
+			return
+		}
+
+		_ = dstWr.Close()
 	}()

 	return dstRd, nil
 }

 func patchDelta(dst *bytes.Buffer, src, delta []byte) error {
-	if len(delta) < minCopySize {
-		return ErrInvalidDelta
+	srcSz, delta, err := decodeLEB128(delta)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidDelta, err)
 	}
-
-	srcSz, delta := decodeLEB128(delta)
 	if srcSz != uint(len(src)) {
 		return ErrInvalidDelta
 	}

-	targetSz, delta := decodeLEB128(delta)
+	targetSz, delta, err := decodeLEB128(delta)
+	if err != nil {
+		return fmt.Errorf("%w: %w", ErrInvalidDelta, err)
+	}
 	remainingTargetSz := targetSz

-	var cmd byte
-
 	growSz := min(targetSz, maxPatchPreemptionSize)
 	dst.Grow(int(growSz))
-	for {
+
+	for remainingTargetSz > 0 {
 		if len(delta) == 0 {
 			return ErrInvalidDelta
 		}

-		cmd = delta[0]
+		cmd := delta[0]
 		delta = delta[1:]

 		switch {
@@ -275,16 +288,16 @@ func patchDelta(dst *bytes.Buffer, src, delta []byte) error {
 				return err
 			}

-			if invalidSize(sz, targetSz) ||
+			if invalidSize(sz, remainingTargetSz) ||
 				invalidOffsetSize(offset, sz, srcSz) {
-				break
+				return ErrInvalidDelta
 			}
 			dst.Write(src[offset : offset+sz])
 			remainingTargetSz -= sz

 		case isCopyFromDelta(cmd):
 			sz := uint(cmd) // cmd is the size itself
-			if invalidSize(sz, targetSz) {
+			if invalidSize(sz, remainingTargetSz) {
 				return ErrInvalidDelta
 			}

@@ -299,10 +312,12 @@ func patchDelta(dst *bytes.Buffer, src, delta []byte) error {
 		default:
 			return ErrDeltaCmd
 		}
+	}

-		if remainingTargetSz <= 0 {
-			break
-		}
+	// Mirror upstream's `data != top` post-loop check: every byte of
+	// the delta payload must be consumed.
+	if len(delta) != 0 {
+		return ErrInvalidDelta
 	}

 	return nil
@@ -354,7 +369,7 @@ func patchDeltaWriter(dst io.Writer, base io.ReaderAt, delta io.Reader,
 	baselr := io.LimitReader(sr, 0).(*io.LimitedReader)
 	deltalr := io.LimitReader(deltaBuf, 0).(*io.LimitedReader)

-	for {
+	for remainingTargetSz > 0 {
 		buf := *bufp
 		cmd, err := deltaBuf.ReadByte()
 		if err == io.EOF {
@@ -374,9 +389,9 @@ func patchDeltaWriter(dst io.Writer, base io.ReaderAt, delta io.Reader,
 				return 0, plumbing.ZeroHash, err
 			}

-			if invalidSize(sz, targetSz) ||
+			if invalidSize(sz, remainingTargetSz) ||
 				invalidOffsetSize(offset, sz, srcSz) {
-				return 0, plumbing.ZeroHash, err
+				return 0, plumbing.ZeroHash, ErrInvalidDelta
 			}

 			if _, err := sr.Seek(int64(offset), io.SeekStart); err != nil {
@@ -389,7 +404,7 @@ func patchDeltaWriter(dst io.Writer, base io.ReaderAt, delta io.Reader,
 			remainingTargetSz -= sz
 		} else if isCopyFromDelta(cmd) {
 			sz := uint(cmd) // cmd is the size itself
-			if invalidSize(sz, targetSz) {
+			if invalidSize(sz, remainingTargetSz) {
 				return 0, plumbing.ZeroHash, ErrInvalidDelta
 			}
 			deltalr.N = int64(sz)
@@ -399,30 +414,41 @@ func patchDeltaWriter(dst io.Writer, base io.ReaderAt, delta io.Reader,

 			remainingTargetSz -= sz
 		} else {
-			return 0, plumbing.ZeroHash, err
-		}
-		if remainingTargetSz <= 0 {
-			break
+			return 0, plumbing.ZeroHash, ErrDeltaCmd
 		}
 	}

+	// Mirror upstream's `data != top` post-loop check: every byte of
+	// the delta payload must be consumed.
+	if _, err := deltaBuf.ReadByte(); err == nil {
+		return 0, plumbing.ZeroHash, ErrInvalidDelta
+	} else if err != io.EOF {
+		return 0, plumbing.ZeroHash, err
+	}
+
 	return targetSz, hasher.Sum(), nil
 }

 // Decodes a number encoded as an unsigned LEB128 at the start of some
-// binary data and returns the decoded number and the rest of the
-// stream.
+// binary data and returns the decoded number, the rest of the stream,
+// and an error if the encoded value does not fit in a uint.
 //
 // This must be called twice on the delta data buffer, first to get the
 // expected source buffer size, and again to get the target buffer size.
-func decodeLEB128(input []byte) (uint, []byte) {
+func decodeLEB128(input []byte) (uint, []byte, error) {
 	if len(input) == 0 {
-		return 0, input
+		return 0, input, nil
 	}

 	var num, sz uint
 	var b byte
 	for {
+		// A continuation byte at shift > uintBits-7 cannot contribute
+		// without overflowing the accumulator.
+		if sz*7 > uintBits-7 {
+			return 0, input, ErrLengthOverflow
+		}
+
 		b = input[sz]
 		num |= (uint(b) & payload) << (sz * 7) // concats 7 bits chunks
 		sz++
@@ -432,12 +458,16 @@ func decodeLEB128(input []byte) (uint, []byte) {
 		}
 	}

-	return num, input[sz:]
+	return num, input[sz:], nil
 }

 func decodeLEB128ByteReader(input io.ByteReader) (uint, error) {
 	var num, sz uint
 	for {
+		if sz*7 > uintBits-7 {
+			return 0, ErrLengthOverflow
+		}
+
 		b, err := input.ReadByte()
 		if err != nil {
 			return 0, err
@@ -529,8 +559,9 @@ func decodeSize(cmd byte, delta []byte) (uint, []byte, error) {
 	return sz, delta, nil
 }

-func invalidSize(sz, targetSz uint) bool {
-	return sz > targetSz
+// invalidSize reports whether sz exceeds the remaining target size.
+func invalidSize(sz, remaining uint) bool {
+	return sz > remaining
 }

 func invalidOffsetSize(offset, sz, srcSz uint) bool {
@@ -29,8 +29,100 @@ var (
 	ErrSeekNotSupported = NewError("not seek support")
 	// ErrMalformedPackFile is returned by the parser when the pack file is corrupted.
 	ErrMalformedPackFile = errors.New("malformed PACK file")
+	// ErrLengthOverflow is returned when a variable-length integer would not
+	// fit into its accumulator because the input declares more continuation
+	// bytes than the type can hold.
+	ErrLengthOverflow = errors.New("variable-length integer overflow")
+	// ErrInflatedSizeMismatch is returned when a packfile object inflates to
+	// more bytes than the size declared in its object header. A well-formed
+	// packfile never produces more data than the declared size; exceeding it
+	// indicates a structurally invalid entry.
+	ErrInflatedSizeMismatch = errors.New("packfile: inflated object exceeds declared size")
 )

+// boundedWriter passes writes through to w up to limit bytes total, then
+// returns ErrInflatedSizeMismatch. It is used to enforce that a packfile
+// object's inflated length does not exceed the size declared in its header.
+type boundedWriter struct {
+	w     io.Writer
+	limit int64
+	n     int64
+}
+
+// Write forwards p to the underlying writer while keeping the running total
+// at or below limit. On overrun it forwards the legal prefix and reports
+// the number of bytes actually consumed alongside ErrInflatedSizeMismatch,
+// matching the contract in io.Writer. A write error from the underlying
+// writer during overrun-handling is joined with ErrInflatedSizeMismatch so
+// it is not silently dropped.
+func (b *boundedWriter) Write(p []byte) (int, error) {
+	if b.n+int64(len(p)) > b.limit {
+		remain := int(b.limit - b.n)
+		err := error(ErrInflatedSizeMismatch)
+		if remain > 0 {
+			n, werr := b.w.Write(p[:remain])
+			b.n += int64(n)
+			if werr != nil {
+				err = errors.Join(ErrInflatedSizeMismatch, werr)
+			}
+			return n, err
+		}
+		return 0, err
+	}
+	n, err := b.w.Write(p)
+	b.n += int64(n)
+	return n, err
+}
+
+// boundedReadCloser wraps a ReadCloser and reports ErrInflatedSizeMismatch
+// once more than limit bytes have been read. It is used by the on-demand
+// object reader returned from FSObject.Reader so that a lazy Read of a
+// packfile object cannot stream past its declared inflated size.
+//
+// The implementation builds on io.LimitedReader with the standard
+// overrun-detection trick: request limit+1 bytes from the underlying so
+// that the moment the sentinel byte materializes (LimitedReader.N drops
+// to zero) we know the source produced more than limit bytes.
+type boundedReadCloser struct {
+	lr      io.LimitedReader
+	closer  io.Closer
+	overrun bool
+}
+
+// newBoundedReadCloser wraps rc so that the cumulative bytes returned from
+// Read never exceed limit. The first call that would have returned a byte
+// past limit instead returns ErrInflatedSizeMismatch; subsequent calls
+// keep returning the same error. A negative limit is treated as zero, so
+// the first byte produced by rc surfaces ErrInflatedSizeMismatch.
+func newBoundedReadCloser(rc io.ReadCloser, limit int64) *boundedReadCloser {
+	if limit < 0 {
+		limit = 0
+	}
+	return &boundedReadCloser{
+		lr:     io.LimitedReader{R: rc, N: limit + 1},
+		closer: rc,
+	}
+}
+
+// Read forwards Read up to the configured byte limit. When the underlying
+// stream produces the limit+1 sentinel byte, the legal prefix is returned
+// alongside ErrInflatedSizeMismatch; on subsequent calls only the error
+// is returned.
+func (b *boundedReadCloser) Read(p []byte) (int, error) {
+	if b.overrun {
+		return 0, ErrInflatedSizeMismatch
+	}
+	n, err := b.lr.Read(p)
+	if b.lr.N == 0 {
+		b.overrun = true
+		return n - 1, ErrInflatedSizeMismatch
+	}
+	return n, err
+}
+
+// Close closes the underlying ReadCloser.
+func (b *boundedReadCloser) Close() error { return b.closer.Close() }
+
 // ObjectHeader contains the information related to the object, this information
 // is collected from the previous bytes to the content of the object.
 type ObjectHeader struct {
@@ -220,6 +312,13 @@ func (s *Scanner) nextObjectHeader() (*ObjectHeader, error) {
 			return nil, err
 		}

+		// An OFS-delta references a base object that appears earlier
+		// in the pack; the negative offset must be strictly positive
+		// and not larger than the current object's offset.
+		if no <= 0 || no > h.Offset {
+			return nil, fmt.Errorf("%w: invalid OFS delta offset", ErrMalformedPackFile)
+		}
+
 		h.OffsetReference = h.Offset - no
 	case plumbing.REFDeltaObject:
 		var err error
@@ -303,6 +402,13 @@ func (s *Scanner) readLength(first byte) (int64, error) {
 	shift := firstLengthBits
 	var err error
 	for c&maskContinue > 0 {
+		// Mirrors unpack_object_header_buffer in canonical Git's
+		// packfile.c: a continuation byte at shift > 64-7 cannot
+		// contribute without overflowing an int64.
+		if shift > 64-lengthBits {
+			return 0, fmt.Errorf("%w: %w", ErrMalformedPackFile, ErrLengthOverflow)
+		}
+
 		if c, err = s.r.ReadByte(); err != nil {
 			return 0, err
 		}
@@ -315,10 +421,18 @@ func (s *Scanner) readLength(first byte) (int64, error) {
 }

 // NextObject writes the content of the next object into the reader, returns
-// the number of bytes written, the CRC32 of the content and an error, if any
+// the number of bytes written, the CRC32 of the content and an error, if any.
+//
+// When a prior NextObjectHeader has stashed the object header in
+// pendingObject, the inflated stream is bounded by the header's declared
+// length and surfaces ErrInflatedSizeMismatch on overrun.
 func (s *Scanner) NextObject(w io.Writer) (written int64, crc32 uint32, err error) {
+	declaredSize := int64(-1)
+	if s.pendingObject != nil {
+		declaredSize = s.pendingObject.Length
+	}
 	s.pendingObject = nil
-	written, err = s.copyObject(w)
+	written, err = s.copyObject(w, declaredSize)

 	s.r.Flush()
 	crc32 = s.crc.Sum32()
@@ -327,23 +441,39 @@ func (s *Scanner) NextObject(w io.Writer) (written int64, crc32 uint32, err erro
 	return
 }

-// ReadObject returns a reader for the object content and an error
+// ReadObject returns a reader for the object content and an error.
+//
+// When a prior NextObjectHeader has stashed the object header in
+// pendingObject, the returned reader is bounded by the header's declared
+// length so callers cannot stream past the declared inflated size; an
+// overrun surfaces ErrInflatedSizeMismatch on the byte just past the
+// limit.
 func (s *Scanner) ReadObject() (io.ReadCloser, error) {
+	declaredSize := int64(-1)
+	if s.pendingObject != nil {
+		declaredSize = s.pendingObject.Length
+	}
 	s.pendingObject = nil
 	zr, err := sync.GetZlibReader(s.r)
 	if err != nil {
 		return nil, fmt.Errorf("zlib reset error: %s", err)
 	}

-	return ioutil.NewReadCloserWithCloser(zr.Reader, func() error {
+	rc := ioutil.NewReadCloserWithCloser(zr.Reader, func() error {
 		sync.PutZlibReader(zr)
 		return nil
-	}), nil
+	})
+	if declaredSize >= 0 {
+		return newBoundedReadCloser(rc, declaredSize), nil
+	}
+	return rc, nil
 }

-// ReadRegularObject reads and write a non-deltified object
-// from it zlib stream in an object entry in the packfile.
-func (s *Scanner) copyObject(w io.Writer) (n int64, err error) {
+// copyObject inflates a non-deltified object's zlib stream into w. When
+// declaredSize is non-negative, the write sink is wrapped in a
+// boundedWriter so an overrun surfaces ErrInflatedSizeMismatch instead
+// of being silently appended.
+func (s *Scanner) copyObject(w io.Writer, declaredSize int64) (n int64, err error) {
 	zr, err := sync.GetZlibReader(s.r)
 	defer sync.PutZlibReader(zr)

@@ -352,8 +482,14 @@ func (s *Scanner) copyObject(w io.Writer) (n int64, err error) {
 	}

 	defer ioutil.CheckClose(zr.Reader, &err)
+
+	sink := w
+	if declaredSize >= 0 {
+		sink = &boundedWriter{w: w, limit: declaredSize}
+	}
+
 	buf := sync.GetByteSlice()
-	n, err = io.CopyBuffer(w, zr.Reader, *buf)
+	n, err = io.CopyBuffer(sink, zr.Reader, *buf)
 	sync.PutByteSlice(buf)
 	return
 }
@@ -10,6 +10,7 @@ import (
 	"sort"
 	"strings"

+	"github.com/go-git/go-git/v5/internal/pathutil"
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/filemode"
 	"github.com/go-git/go-git/v5/plumbing/storer"
@@ -118,7 +119,16 @@ func (t *Tree) Tree(path string) (*Tree, error) {
 }

 // TreeEntryFile returns the *File for a given *TreeEntry.
+//
+// The entry's name is validated against pathutil.ValidTreePath for
+// the same reason FindEntry validates: TreeEntryFile is a boundary
+// where attacker-controlled tree data leaves the trusted store as a
+// *File whose Name a caller can hand to filesystem ops.
 func (t *Tree) TreeEntryFile(e *TreeEntry) (*File, error) {
+	if err := pathutil.ValidTreePath(e.Name); err != nil {
+		return nil, err
+	}
+
 	blob, err := GetBlob(t.s, e.Hash)
 	if err != nil {
 		return nil, err
@@ -128,7 +138,16 @@ func (t *Tree) TreeEntryFile(e *TreeEntry) (*File, error) {
 }

 // FindEntry search a TreeEntry in this tree or any subtree.
+//
+// The lookup path is validated against pathutil.ValidTreePath to
+// prevent attacker-controlled tree contents from leaking past this
+// boundary as `.git`-shaped or path-traversal-shaped names. Callers
+// that legitimately need to look up unsafe paths should walk the
+// tree manually.
 func (t *Tree) FindEntry(path string) (*TreeEntry, error) {
+	if err := pathutil.ValidTreePath(path); err != nil {
+		return nil, err
+	}
 	if t.t == nil {
 		t.t = make(map[string]*Tree)
 	}
@@ -517,6 +536,10 @@ func (w *TreeWalker) Next() (name string, entry TreeEntry, err error) {
 			continue
 		}

+		if err := pathutil.ValidTreePath(entry.Name); err != nil {
+			return name, entry, err
+		}
+
 		if entry.Mode == filemode.Dir {
 			obj, err = GetTree(w.s, entry.Hash)
 		}
@@ -252,7 +252,39 @@ func (c *command) setAuthFromEndpoint() error {
 }

 func endpointToCommand(cmd string, ep *transport.Endpoint) string {
-	return fmt.Sprintf("%s '%s'", cmd, ep.Path)
+	var b strings.Builder
+	b.WriteString(cmd)
+	b.WriteByte(' ')
+	writeShellQuote(&b, ep.Path)
+	return b.String()
+}
+
+// writeShellQuote writes s to b, wrapped in single quotes with
+// embedded single quotes and exclamation marks escaped using the
+// POSIX close-escape-reopen idiom:
+//
+//	' becomes '\''
+//	! becomes '\!'
+//
+// It is a direct port of canonical Git's sq_quote_buf (quote.c).
+// The bang escape keeps the result safe when re-evaluated under
+// csh-derived shells that perform history expansion. The output is
+// safe to pass as a single argument through any POSIX shell and
+// round-trips through git-shell's sq_dequote_to_argv.
+func writeShellQuote(b *strings.Builder, s string) {
+	b.Grow(len(s) + 2)
+	b.WriteByte('\'')
+	for i := 0; i < len(s); i++ {
+		c := s[i]
+		if c == '\'' || c == '!' {
+			b.WriteString(`'\`)
+			b.WriteByte(c)
+			b.WriteByte('\'')
+			continue
+		}
+		b.WriteByte(c)
+	}
+	b.WriteByte('\'')
 }

 func overrideConfig(overrides *ssh.ClientConfig, c *ssh.ClientConfig) {
@@ -1530,7 +1530,18 @@ func (r *Repository) Worktree() (*Worktree, error) {
 		return nil, ErrIsBareRepository
 	}

-	return &Worktree{r: r, Filesystem: r.wt}, nil
+	protectNTFS := defaultProtectNTFS()
+	protectHFS := defaultProtectHFS()
+	if cfg, err := r.Config(); err == nil {
+		if cfg.Core.ProtectNTFS.IsSet() {
+			protectNTFS = cfg.Core.ProtectNTFS.IsTrue()
+		}
+		if cfg.Core.ProtectHFS.IsSet() {
+			protectHFS = cfg.Core.ProtectHFS.IsTrue()
+		}
+	}
+
+	return &Worktree{r: r, Filesystem: newWorktreeFilesystem(r.wt, protectNTFS, protectHFS)}, nil
 }

 func expand_ref(s storer.ReferenceStorer, ref plumbing.ReferenceName) (*plumbing.Reference, error) {
@@ -75,6 +75,10 @@ var (
 	// ErrEmptyRefFile is returned when a reference file is attempted to be read,
 	// but the file is empty
 	ErrEmptyRefFile = errors.New("ref file is empty")
+	// ErrModuleNameEscape is returned when a submodule name would
+	// resolve outside the modules/ subtree, mirroring canonical Git's
+	// "ignoring suspicious submodule name" defence.
+	ErrModuleNameEscape = errors.New("submodule name escapes modules/ directory")
 )

 // Options holds configuration for the storage.
@@ -1127,9 +1131,20 @@ func (d *DotGit) PackRefs() (err error) {
 	return nil
 }

-// Module return a billy.Filesystem pointing to the module folder
+// Module returns a billy.Filesystem pointing to the module folder.
+//
+// As a defence in depth against submodule name path traversal,
+// refuse names whose joined path leaves the modules/ subtree once
+// cleaned. The config-layer parser also validates submodule names,
+// but Module may be reached from any caller that constructs a
+// Submodule struct programmatically and so bypasses the parser.
 func (d *DotGit) Module(name string) (billy.Filesystem, error) {
-	return d.fs.Chroot(d.fs.Join(modulePath, name))
+	p := d.fs.Join(modulePath, name)
+	cleaned := path.Clean(filepath.ToSlash(p))
+	if cleaned != modulePath && !strings.HasPrefix(cleaned, modulePath+"/") {
+		return nil, ErrModuleNameEscape
+	}
+	return d.fs.Chroot(p)
 }

 func (d *DotGit) AddAlternate(remote string) error {
@@ -6,9 +6,12 @@ import (
 	"errors"
 	"fmt"
 	"path"
+	"path/filepath"

 	"github.com/go-git/go-billy/v5"
 	"github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/internal/pathutil"
+	giturl "github.com/go-git/go-git/v5/internal/url"
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/format/index"
 	"github.com/go-git/go-git/v5/plumbing/transport"
@@ -119,6 +122,16 @@ func (s *Submodule) Repository() (*Repository, error) {
 		exists = true
 	}

+	// s.c.Path is sourced from the worktree's .gitmodules and is
+	// therefore tree-controlled. Apply the strict tree-path validator
+	// before chroot — the wrapper's tolerant validPath would let a
+	// final-position .git component through (e.g. "submodule/.git"),
+	// which a malicious .gitmodules could use to chroot the submodule
+	// worktree into the repository's actual .git directory.
+	if err := pathutil.ValidTreePath(s.c.Path); err != nil {
+		return nil, err
+	}
+
 	var worktree billy.Filesystem
 	if worktree, err = s.w.Filesystem.Chroot(s.c.Path); err != nil {
 		return nil, err
@@ -138,18 +151,25 @@ func (s *Submodule) Repository() (*Repository, error) {
 		return nil, err
 	}

-	if !path.IsAbs(moduleEndpoint.Path) && moduleEndpoint.Protocol == "file" {
-		remotes, err := s.w.r.Remotes()
+	// A relative submodule URL such as "../X.git" must resolve against
+	// the parent repository's remote URL, not against the process CWD.
+	// Detect relativity from the raw configured URL because
+	// transport.NewEndpoint normalizes local paths to absolute form via
+	// filepath.Abs, which would otherwise mask the relative form here.
+	if giturl.IsLocalEndpoint(s.c.URL) &&
+		!path.IsAbs(s.c.URL) && !filepath.IsAbs(s.c.URL) {
+
+		base, err := defaultRemote(s.w.r)
+		if err != nil {
+			return nil, fmt.Errorf("resolving relative submodule URL: %w", err)
+		}
+
+		rootEndpoint, err := transport.NewEndpoint(base.URLs[0])
 		if err != nil {
 			return nil, err
 		}

-		rootEndpoint, err := transport.NewEndpoint(remotes[0].c.URLs[0])
-		if err != nil {
-			return nil, err
-		}
-
-		rootEndpoint.Path = path.Join(rootEndpoint.Path, moduleEndpoint.Path)
+		rootEndpoint.Path = path.Join(rootEndpoint.Path, s.c.URL)
 		*moduleEndpoint = *rootEndpoint
 	}

@@ -161,6 +181,52 @@ func (s *Submodule) Repository() (*Repository, error) {
 	return r, err
 }

+// defaultRemote returns the remote that relative submodule URLs are
+// resolved against, mirroring canonical Git's repo_default_remote
+// (remote.c) and resolve_relative_url (builtin/submodule--helper.c):
+//
+//  1. if HEAD is on a branch with branch.<name>.remote configured,
+//     use that remote;
+//  2. else if exactly one remote is configured, use it;
+//  3. otherwise fall back to DefaultRemoteName ("origin").
+//
+// Each rule falls through unconditionally: a branch lookup that
+// finds the branch but with an empty Remote does not short-circuit
+// rule (2). Returns an error when the chosen remote is not configured.
+func defaultRemote(r *Repository) (*config.RemoteConfig, error) {
+	cfg, err := r.Config()
+	if err != nil {
+		return nil, err
+	}
+
+	if ref, err := r.Reference(plumbing.HEAD, false); err == nil &&
+		ref.Type() == plumbing.SymbolicReference &&
+		ref.Target().IsBranch() {
+		if b, ok := cfg.Branches[ref.Target().Short()]; ok && b.Remote != "" {
+			return lookupRemote(cfg, b.Remote)
+		}
+	}
+
+	if len(cfg.Remotes) == 1 {
+		for name := range cfg.Remotes {
+			return lookupRemote(cfg, name)
+		}
+	}
+
+	return lookupRemote(cfg, DefaultRemoteName)
+}
+
+func lookupRemote(cfg *config.Config, name string) (*config.RemoteConfig, error) {
+	rc, ok := cfg.Remotes[name]
+	if !ok {
+		return nil, fmt.Errorf("remote %q not found", name)
+	}
+	if len(rc.URLs) == 0 {
+		return nil, fmt.Errorf("remote %q has no configured URL", name)
+	}
+	return rc, nil
+}
+
 // Update the registered submodule to match what the superproject expects, the
 // submodule should be initialized first calling the Init method or setting in
 // the options SubmoduleUpdateOptions.Init equals true
@@ -5,11 +5,18 @@ package binary
 import (
 	"bufio"
 	"encoding/binary"
+	"errors"
 	"io"
+	"math"

 	"github.com/go-git/go-git/v5/plumbing"
 )

+// ErrIntegerOverflow is returned when a Git-format variable-width integer
+// would not fit into an int64 because the input declares more continuation
+// bytes than the type can hold.
+var ErrIntegerOverflow = errors.New("variable-width integer overflow")
+
 // Read reads structured binary data from r into data. Bytes are read and
 // decoded in BigEndian order
 // https://golang.org/pkg/encoding/binary/#Read
@@ -92,6 +99,14 @@ func ReadVariableWidthInt(r io.Reader) (int64, error) {

 	var v = int64(c & maskLength)
 	for c&maskContinue > 0 {
+		// Reject input that, after the v++ and shift below, would
+		// not fit in an int64. With v < (MaxInt64-127)>>7, the
+		// post-increment v is at most (MaxInt64-127)>>7 and the
+		// final (v << 7) + (c & 0x7F) stays within int64.
+		if v >= (math.MaxInt64-int64(maskLength))>>lengthBits {
+			return 0, ErrIntegerOverflow
+		}
+
 		v++
 		if err := Read(r, &c); err != nil {
 			return 0, err
@@ -7,7 +7,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"runtime"
 	"strings"

 	"github.com/go-git/go-billy/v5"
@@ -458,10 +457,6 @@ func (w *Worktree) resetWorktree(t *object.Tree, files []string) error {

 	filesMap := buildFilePathMap(files)
 	for _, ch := range changes {
-		if err := w.validChange(ch); err != nil {
-			return err
-		}
-
 		if len(files) > 0 {
 			file := ""
 			if ch.From != nil {
@@ -489,108 +484,6 @@ func (w *Worktree) resetWorktree(t *object.Tree, files []string) error {
 	return w.r.Storer.SetIndex(idx)
 }

-// worktreeDeny is a list of paths that are not allowed
-// to be used when resetting the worktree.
-var worktreeDeny = map[string]struct{}{
-	// .git
-	GitDirName: {},
-
-	// For other historical reasons, file names that do not conform to the 8.3
-	// format (up to eight characters for the basename, three for the file
-	// extension, certain characters not allowed such as `+`, etc) are associated
-	// with a so-called "short name", at least on the `C:` drive by default.
-	// Which means that `git~1/` is a valid way to refer to `.git/`.
-	"git~1": {},
-}
-
-// validPath checks whether paths are valid.
-// The rules around invalid paths could differ from upstream based on how
-// filesystems are managed within go-git, but they are largely the same.
-//
-// For upstream rules:
-// https://github.com/git/git/blob/564d0252ca632e0264ed670534a51d18a689ef5d/read-cache.c#L946
-// https://github.com/git/git/blob/564d0252ca632e0264ed670534a51d18a689ef5d/path.c#L1383
-func validPath(paths ...string) error {
-	for _, p := range paths {
-		parts := strings.FieldsFunc(p, func(r rune) bool { return (r == '\\' || r == '/') })
-		if len(parts) == 0 {
-			return fmt.Errorf("invalid path: %q", p)
-		}
-
-		if _, denied := worktreeDeny[strings.ToLower(parts[0])]; denied {
-			return fmt.Errorf("invalid path prefix: %q", p)
-		}
-
-		if runtime.GOOS == "windows" {
-			// Volume names are not supported, in both formats: \\ and <DRIVE_LETTER>:.
-			if vol := filepath.VolumeName(p); vol != "" {
-				return fmt.Errorf("invalid path: %q", p)
-			}
-
-			if !windowsValidPath(parts[0]) {
-				return fmt.Errorf("invalid path: %q", p)
-			}
-		}
-
-		for _, part := range parts {
-			if part == ".." {
-				return fmt.Errorf("invalid path %q: cannot use '..'", p)
-			}
-		}
-	}
-	return nil
-}
-
-// windowsPathReplacer defines the chars that need to be replaced
-// as part of windowsValidPath.
-var windowsPathReplacer *strings.Replacer
-
-func init() {
-	windowsPathReplacer = strings.NewReplacer(" ", "", ".", "")
-}
-
-func windowsValidPath(part string) bool {
-	if len(part) > 3 && strings.EqualFold(part[:4], GitDirName) {
-		// For historical reasons, file names that end in spaces or periods are
-		// automatically trimmed. Therefore, `.git . . ./` is a valid way to refer
-		// to `.git/`.
-		if windowsPathReplacer.Replace(part[4:]) == "" {
-			return false
-		}
-
-		// For yet other historical reasons, NTFS supports so-called "Alternate Data
-		// Streams", i.e. metadata associated with a given file, referred to via
-		// `<filename>:<stream-name>:<stream-type>`. There exists a default stream
-		// type for directories, allowing `.git/` to be accessed via
-		// `.git::$INDEX_ALLOCATION/`.
-		//
-		// For performance reasons, _all_ Alternate Data Streams of `.git/` are
-		// forbidden, not just `::$INDEX_ALLOCATION`.
-		if len(part) > 4 && part[4:5] == ":" {
-			return false
-		}
-	}
-	return true
-}
-
-func (w *Worktree) validChange(ch merkletrie.Change) error {
-	action, err := ch.Action()
-	if err != nil {
-		return nil
-	}
-
-	switch action {
-	case merkletrie.Delete:
-		return validPath(ch.From.String())
-	case merkletrie.Insert:
-		return validPath(ch.To.String())
-	case merkletrie.Modify:
-		return validPath(ch.From.String(), ch.To.String())
-	}
-
-	return nil
-}
-
 func (w *Worktree) checkoutChange(ch merkletrie.Change, t *object.Tree, idx *indexBuilder) error {
 	a, err := ch.Action()
 	if err != nil {
@@ -763,10 +656,10 @@ func (w *Worktree) checkoutFile(f *object.File) (err error) {
 }

 func (w *Worktree) checkoutFileSymlink(f *object.File) (err error) {
-	// https://github.com/git/git/commit/10ecfa76491e4923988337b2e2243b05376b40de
-	if strings.EqualFold(f.Name, gitmodulesFile) {
-		return ErrGitModulesSymlink
-	}
+	// .gitmodules symlink rejection (and its NTFS / HFS variants) is
+	// enforced by the worktreeFilesystem wrapper's Symlink method via
+	// validSymlinkName. See https://github.com/git/git/commit/10ecfa7
+	// for the upstream rationale.

 	from, err := f.Reader()
 	if err != nil {
@@ -0,0 +1,264 @@
+package git
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/go-git/go-billy/v5"
+
+	"github.com/go-git/go-git/v5/internal/pathutil"
+)
+
+// defaultProtectHFS returns the default value for core.protectHFS
+// when not explicitly configured. Matches upstream Git's
+// PROTECT_HFS_DEFAULT[1], which the Makefile sets to 1 on Darwin
+// and leaves at 0 on every other platform.
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/config.mak.uname#L146
+func defaultProtectHFS() bool {
+	return runtime.GOOS == "darwin"
+}
+
+// defaultProtectNTFS returns the default value for core.protectNTFS
+// when not explicitly configured. Matches upstream Git's
+// PROTECT_NTFS_DEFAULT, which has been 1 on every platform since
+// 9102f958ee5 (CVE-2019-1353)[1]: WSL allows Linux processes to
+// reach NTFS-mounted worktrees on Windows hosts, so the
+// is_ntfs_dotgit guard cannot safely be gated on the runtime OS.
+//
+// [1]: https://github.com/git/git/commit/9102f958ee5
+func defaultProtectNTFS() bool {
+	return true
+}
+
+// worktreeFilesystem wraps a billy.Filesystem and validates every path passed
+// to a mutating operation. This prevents writing to, or deleting from,
+// dangerous locations (e.g. .git/*, ../) regardless of which worktree
+// code path triggers the operation.
+type worktreeFilesystem struct {
+	billy.Filesystem
+	protectNTFS bool
+	protectHFS  bool
+}
+
+func newWorktreeFilesystem(fs billy.Filesystem, protectNTFS, protectHFS bool) *worktreeFilesystem {
+	return &worktreeFilesystem{Filesystem: fs, protectNTFS: protectNTFS, protectHFS: protectHFS}
+}
+
+func (sfs *worktreeFilesystem) Create(filename string) (billy.File, error) {
+	if err := sfs.validPath(filename); err != nil {
+		return nil, fmt.Errorf("create: %w", err)
+	}
+	return sfs.Filesystem.Create(filename)
+}
+
+func (sfs *worktreeFilesystem) Open(filename string) (billy.File, error) {
+	if err := sfs.validReadPath(filename); err != nil {
+		return nil, fmt.Errorf("open: %w", err)
+	}
+	return sfs.Filesystem.Open(filename)
+}
+
+func (sfs *worktreeFilesystem) OpenFile(filename string, flag int, perm os.FileMode) (billy.File, error) {
+	if err := sfs.validPath(filename); err != nil {
+		return nil, fmt.Errorf("openfile: %w", err)
+	}
+	return sfs.Filesystem.OpenFile(filename, flag, perm)
+}
+
+func (sfs *worktreeFilesystem) Stat(filename string) (os.FileInfo, error) {
+	if err := sfs.validReadPath(filename); err != nil {
+		return nil, fmt.Errorf("stat: %w", err)
+	}
+	return sfs.Filesystem.Stat(filename)
+}
+
+func (sfs *worktreeFilesystem) Remove(filename string) error {
+	if err := sfs.validPath(filename); err != nil {
+		return fmt.Errorf("remove: %w", err)
+	}
+	return sfs.Filesystem.Remove(filename)
+}
+
+func (sfs *worktreeFilesystem) Rename(from, to string) error {
+	if err := sfs.validPath(from, to); err != nil {
+		return fmt.Errorf("rename: %w", err)
+	}
+	return sfs.Filesystem.Rename(from, to)
+}
+
+func (sfs *worktreeFilesystem) ReadDir(path string) ([]os.FileInfo, error) {
+	if err := sfs.validReadPath(path); err != nil {
+		return nil, fmt.Errorf("readdir: %w", err)
+	}
+	return sfs.Filesystem.ReadDir(path)
+}
+
+func (sfs *worktreeFilesystem) Lstat(filename string) (os.FileInfo, error) {
+	if err := sfs.validReadPath(filename); err != nil {
+		return nil, fmt.Errorf("lstat: %w", err)
+	}
+	return sfs.Filesystem.Lstat(filename)
+}
+
+func (sfs *worktreeFilesystem) Symlink(target, link string) error {
+	if err := sfs.validPath(link); err != nil {
+		return fmt.Errorf("symlink: %w", err)
+	}
+	if err := sfs.validSymlinkName(link); err != nil {
+		return fmt.Errorf("symlink: %w", err)
+	}
+	return sfs.Filesystem.Symlink(target, link)
+}
+
+func (sfs *worktreeFilesystem) Readlink(link string) (string, error) {
+	if err := sfs.validReadPath(link); err != nil {
+		return "", fmt.Errorf("readlink: %w", err)
+	}
+	return sfs.Filesystem.Readlink(link)
+}
+
+func (sfs *worktreeFilesystem) MkdirAll(path string, perm os.FileMode) error {
+	// MkdirAll on the worktree root is a no-op: the root always exists,
+	// so there is nothing to materialise. Mirroring the tolerance that
+	// validReadPath gives to read-side operations avoids breaking callers
+	// that walk a directory tree and pass the relative-to-root prefix
+	// ("") through to the worktree FS.
+	if path == "" || path == "." || path == "/" {
+		return nil
+	}
+	if err := sfs.validPath(path); err != nil {
+		return fmt.Errorf("mkdirall: %w", err)
+	}
+	return sfs.Filesystem.MkdirAll(path, perm)
+}
+
+func (sfs *worktreeFilesystem) TempFile(_, _ string) (billy.File, error) {
+	return nil, fmt.Errorf("tempfile: %w", errUnsupportedOperation)
+}
+
+func (sfs *worktreeFilesystem) Chroot(path string) (billy.Filesystem, error) {
+	if err := sfs.validReadPath(path); err != nil {
+		return nil, fmt.Errorf("chroot: %w", err)
+	}
+	return sfs.Filesystem.Chroot(path)
+}
+
+// validReadPath is like validPath but treats the empty string and "." as
+// valid references to the worktree root. Read-side operations on the root
+// (e.g. ReadDir(""), Lstat(".")) are legitimate; mutating the root itself
+// is not, so write-side operations continue to use validPath directly.
+func (sfs *worktreeFilesystem) validReadPath(p string) error {
+	if p == "" || p == "." || p == "/" {
+		return nil
+	}
+	return sfs.validPath(p)
+}
+
+var errUnsupportedOperation = errors.New("unsupported operation")
+
+// isDotGitVariant reports whether part is .git, git~1, or an HFS+
+// equivalent of .git (when protectHFS is true). NTFS variants of .git
+// (e.g. ".git " with trailing space, ".git::$INDEX_ALLOCATION") are
+// detected separately by pathutil.WindowsValidPath, which applies
+// regardless of position in the path. Both validators reuse this
+// helper.
+func isDotGitVariant(part string, protectHFS bool) bool {
+	if pathutil.IsDotGitName(part) {
+		return true
+	}
+	if protectHFS && pathutil.IsHFSDotGit(part) {
+		return true
+	}
+	return false
+}
+
+// validPath checks whether paths are valid for the worktree
+// filesystem abstraction. It is intentionally tolerant of .git as
+// the final path component of a multi-component path
+// (e.g. "submodule/.git"), so that legitimate gitlink pointer files
+// can still be Stat'd, Read, and Removed via the wrapper during
+// submodule cleanup. Attacker-controlled tree-entry paths are
+// validated separately by pathutil.ValidTreePath at the boundaries
+// where data leaves the trusted store (Tree.FindEntry, the explicit
+// callers in CherryPick and Submodule.Repository).
+//
+// For upstream rules:
+// https://github.com/git/git/blob/v2.54.0/read-cache.c#L987
+// https://github.com/git/git/blob/v2.54.0/path.c#L1419
+func (sfs *worktreeFilesystem) validPath(paths ...string) error {
+	for _, p := range paths {
+		for i := 0; i < len(p); i++ {
+			if p[i] < 0x20 || p[i] == 0x7f {
+				return fmt.Errorf("invalid path %q: contains control character", p)
+			}
+		}
+
+		parts := strings.FieldsFunc(p, func(r rune) bool { return (r == '\\' || r == '/') })
+		if len(parts) == 0 {
+			return fmt.Errorf("invalid path: %q", p)
+		}
+
+		if sfs.protectNTFS {
+			// Volume names are not supported, in both formats: \\ and <DRIVE_LETTER>:.
+			if vol := filepath.VolumeName(p); vol != "" {
+				return fmt.Errorf("invalid path: %q", p)
+			}
+		}
+
+		for i, part := range parts {
+			if part == "." || part == ".." {
+				return fmt.Errorf("invalid path %q: cannot use %q", p, part)
+			}
+
+			// Reject .git (and equivalents) as a path component when it is
+			// either the first component (root-level .git) or a non-final
+			// component (traversal into a .git directory, e.g. "a/.git/config").
+			// A final non-first .git component (e.g. "submodule/.git") is
+			// allowed because submodule worktrees contain a .git pointer file.
+			if isDotGitVariant(part, sfs.protectHFS) && (i == 0 || i < len(parts)-1) {
+				return fmt.Errorf("invalid path component: %q", p)
+			}
+
+			if sfs.protectNTFS && !pathutil.WindowsValidPath(part) {
+				return fmt.Errorf("invalid path: %q", p)
+			}
+		}
+	}
+	return nil
+}
+
+// validSymlinkName checks the per-component name of a symlink for
+// dotfile names that attackers can use to trick a checkout into
+// writing a dangerous symlink. Each path component is compared
+// against .gitmodules case-insensitively, against its NTFS variants
+// (e.g. ".gitmodules .", ".gitmodules::$INDEX_ALLOCATION", or 8.3
+// short-name forms) when protectNTFS is on, and against its HFS+
+// variants (Unicode ignored code points folded into ".gitmodules")
+// when protectHFS is on.
+//
+// Reference: upstream Git verify_path_internal at read-cache.c#L1004-L1024
+// in tag v2.54.0[1].
+//
+// [1]: https://github.com/git/git/blob/v2.54.0/read-cache.c#L1004-L1024
+func (sfs *worktreeFilesystem) validSymlinkName(name string) error {
+	parts := strings.FieldsFunc(name, func(r rune) bool {
+		return r == '/' || r == '\\'
+	})
+	for _, part := range parts {
+		if strings.EqualFold(part, gitmodulesFile) {
+			return ErrGitModulesSymlink
+		}
+		if sfs.protectNTFS && pathutil.IsNTFSDotGitmodules(part) {
+			return ErrGitModulesSymlink
+		}
+		if sfs.protectHFS && pathutil.IsHFSDotGitmodules(part) {
+			return ErrGitModulesSymlink
+		}
+	}
+	return nil
+}
@@ -10,6 +10,7 @@ import (
 	"strings"

 	"github.com/go-git/go-billy/v5/util"
+	"github.com/go-git/go-git/v5/internal/pathutil"
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/filemode"
 	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
@@ -545,6 +546,14 @@ func (w *Worktree) addOrUpdateFileToIndex(idx *index.Index, filename string, h p
 }

 func (w *Worktree) doAddFileToIndex(idx *index.Index, filename string, h plumbing.Hash) error {
+	// Mirror upstream's Index.Add gate at the v5 caller boundary: the
+	// index feeds future trees, so a name that the tree-side
+	// pathutil.ValidTreePath gate would reject must not enter the
+	// index in the first place. v5 keeps Index.Add's existing signature
+	// for API compatibility, so the validation happens here.
+	if err := pathutil.ValidTreePath(filename); err != nil {
+		return err
+	}
 	return w.doUpdateFileToIndex(idx.Add(filename), filename, h)
 }

@@ -1,4 +1,4 @@
-FROM golang:1.26@sha256:313faae491b410a35402c05d35e7518ae99103d957308e940e1ae2cfa0aac29b
+FROM golang:1.26@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edff595aa0479

 ENV GOOS=linux
 ENV GOARCH=arm
@@ -1,4 +1,4 @@
-FROM golang:1.26@sha256:313faae491b410a35402c05d35e7518ae99103d957308e940e1ae2cfa0aac29b
+FROM golang:1.26@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edff595aa0479

 ENV GOOS=linux
 ENV GOARCH=arm64
@@ -1,4 +1,4 @@
 # This is a renovate-friendly source of Docker images.
 FROM python:3.13.6-slim-bullseye@sha256:e98b521460ee75bca92175c16247bdf7275637a8faaeb2bcfa19d879ae5c4b9a AS python
-FROM otel/weaver:v0.21.2@sha256:2401de985c38bdb98b43918e2f43aa36b2afed4aa5669ac1c1de0a17301cd36d AS weaver
+FROM otel/weaver:v0.24.2@sha256:d1fb16d279f39810c340fbbf1cf9e5e995a3a9cefa531938e9012437e3bc00c1 AS weaver
 FROM avtodev/markdown-lint:v1@sha256:6aeedc2f49138ce7a1cd0adffc1b1c0321b841dc2102408967d9301c031949ee AS markdown
@@ -152,13 +152,17 @@ var ARM struct {
 // The booleans in Loong64 contain the correspondingly named cpu feature bit.
 // The struct is padded to avoid false sharing.
 var Loong64 struct {
-	_         CacheLinePad
-	HasLSX    bool // support 128-bit vector extension
-	HasLASX   bool // support 256-bit vector extension
-	HasCRC32  bool // support CRC instruction
-	HasLAM_BH bool // support AM{SWAP/ADD}[_DB].{B/H} instruction
-	HasLAMCAS bool // support AMCAS[_DB].{B/H/W/D} instruction
-	_         CacheLinePad
+	_              CacheLinePad
+	HasLSX         bool // support 128-bit vector extension
+	HasLASX        bool // support 256-bit vector extension
+	HasCRC32       bool // support CRC instruction
+	HasLAMCAS      bool // support AMCAS[_DB].{B/H/W/D}
+	HasLAM_BH      bool // support AM{SWAP/ADD}[_DB].{B/H} instruction
+	HasLLACQ_SCREL bool // support LLACQ.{W/D}, SCREL.{W/D} instruction
+	HasSCQ         bool // support SC.Q instruction
+	HasDBAR_HINTS  bool // supports finer-grained DBAR hints
+
+	_ CacheLinePad
 }

 // MIPS64X contains the supported CPU features of the current mips64/mips64le
@@ -232,6 +236,7 @@ var RISCV64 struct {
 	HasZba            bool // Address generation instructions extension
 	HasZbb            bool // Basic bit-manipulation extension
 	HasZbs            bool // Single-bit instructions extension
+	HasZbc            bool // Carryless multiplication extension
 	HasZvbb           bool // Vector Basic Bit-manipulation
 	HasZvbc           bool // Vector Carryless Multiplication
 	HasZvkb           bool // Vector Cryptography Bit-manipulation
@@ -58,6 +58,7 @@ const (
 	riscv_HWPROBE_EXT_ZBA         = 0x8
 	riscv_HWPROBE_EXT_ZBB         = 0x10
 	riscv_HWPROBE_EXT_ZBS         = 0x20
+	riscv_HWPROBE_EXT_ZBC         = 0x80
 	riscv_HWPROBE_EXT_ZVBB        = 0x20000
 	riscv_HWPROBE_EXT_ZVBC        = 0x40000
 	riscv_HWPROBE_EXT_ZVKB        = 0x80000
@@ -108,6 +109,7 @@ func doinit() {
 			RISCV64.HasZba = isSet(v, riscv_HWPROBE_EXT_ZBA)
 			RISCV64.HasZbb = isSet(v, riscv_HWPROBE_EXT_ZBB)
 			RISCV64.HasZbs = isSet(v, riscv_HWPROBE_EXT_ZBS)
+			RISCV64.HasZbc = isSet(v, riscv_HWPROBE_EXT_ZBC)
 			RISCV64.HasZvbb = isSet(v, riscv_HWPROBE_EXT_ZVBB)
 			RISCV64.HasZvbc = isSet(v, riscv_HWPROBE_EXT_ZVBC)
 			RISCV64.HasZvkb = isSet(v, riscv_HWPROBE_EXT_ZVKB)
@@ -15,8 +15,13 @@ const (
 	cpucfg1_CRC32 = 1 << 25

 	// CPUCFG2 bits
-	cpucfg2_LAM_BH = 1 << 27
-	cpucfg2_LAMCAS = 1 << 28
+	cpucfg2_LAM_BH      = 1 << 27
+	cpucfg2_LAMCAS      = 1 << 28
+	cpucfg2_LLACQ_SCREL = 1 << 29
+	cpucfg2_SCQ         = 1 << 30
+
+	// CPUCFG3 bits
+	cpucfg3_DBAR_HINTS = 1 << 17
 )

 func initOptions() {
@@ -26,6 +31,9 @@ func initOptions() {
 		{Name: "crc32", Feature: &Loong64.HasCRC32},
 		{Name: "lam_bh", Feature: &Loong64.HasLAM_BH},
 		{Name: "lamcas", Feature: &Loong64.HasLAMCAS},
+		{Name: "llacq_screl", Feature: &Loong64.HasLLACQ_SCREL},
+		{Name: "scq", Feature: &Loong64.HasSCQ},
+		{Name: "dbar_hints", Feature: &Loong64.HasDBAR_HINTS},
 	}

 	// The CPUCFG data on Loong64 only reflects the hardware capabilities,
@@ -37,10 +45,14 @@ func initOptions() {
 	// through CPUCFG
 	cfg1 := get_cpucfg(1)
 	cfg2 := get_cpucfg(2)
+	cfg3 := get_cpucfg(3)

 	Loong64.HasCRC32 = cfgIsSet(cfg1, cpucfg1_CRC32)
 	Loong64.HasLAMCAS = cfgIsSet(cfg2, cpucfg2_LAMCAS)
 	Loong64.HasLAM_BH = cfgIsSet(cfg2, cpucfg2_LAM_BH)
+	Loong64.HasLLACQ_SCREL = cfgIsSet(cfg2, cpucfg2_LLACQ_SCREL)
+	Loong64.HasSCQ = cfgIsSet(cfg2, cpucfg2_SCQ)
+	Loong64.HasDBAR_HINTS = cfgIsSet(cfg3, cpucfg3_DBAR_HINTS)
 }

 func get_cpucfg(reg uint32) uint32
@@ -16,6 +16,7 @@ func initOptions() {
 		{Name: "zba", Feature: &RISCV64.HasZba},
 		{Name: "zbb", Feature: &RISCV64.HasZbb},
 		{Name: "zbs", Feature: &RISCV64.HasZbs},
+		{Name: "zbc", Feature: &RISCV64.HasZbc},
 		// RISC-V Cryptography Extensions
 		{Name: "zvbb", Feature: &RISCV64.HasZvbb},
 		{Name: "zvbc", Feature: &RISCV64.HasZvbc},
@@ -354,6 +354,9 @@ struct ltchars {
 // Renamed in v6.16, commit c6d732c38f93 ("net: ethtool: remove duplicate defines for family info")
 #define ETHTOOL_FAMILY_NAME	ETHTOOL_GENL_NAME
 #define ETHTOOL_FAMILY_VERSION	ETHTOOL_GENL_VERSION
+
+// Removed in v6.17, commit 760e6f7befba ("futex: Remove support for IMMUTABLE")
+#define PR_FUTEX_HASH_GET_IMMUTABLE 3
 '

 includes_NetBSD='
@@ -0,0 +1,103 @@
+// Copyright 2026 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build darwin || linux || openbsd
+
+package unix
+
+import "unsafe"
+
+// minIovec is the size of the small initial allocation used by
+// Readv, Writev, etc.
+//
+// This small allocation gets stack allocated, which lets the
+// common use case of len(iovs) <= minIovec avoid more expensive
+// heap allocations.
+const minIovec = 8
+
+// appendBytes converts bs to Iovecs and appends them to vecs.
+func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
+	for _, b := range bs {
+		var v Iovec
+		v.SetLen(len(b))
+		if len(b) > 0 {
+			v.Base = &b[0]
+		} else {
+			v.Base = (*byte)(unsafe.Pointer(&_zero))
+		}
+		vecs = append(vecs, v)
+	}
+	return vecs
+}
+
+// writevRaceDetect tells the race detector that the program
+// has read the first n bytes stored in iovecs.
+func writevRaceDetect(iovecs []Iovec, n int) {
+	if !raceenabled {
+		return
+	}
+	for i := 0; n > 0 && i < len(iovecs); i++ {
+		m := min(int(iovecs[i].Len), n)
+		n -= m
+		if m > 0 {
+			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
+		}
+	}
+}
+
+// readvRaceDetect tells the race detector that the program
+// has written to the first n bytes stored in iovecs.
+func readvRaceDetect(iovecs []Iovec, n int, err error) {
+	if !raceenabled {
+		return
+	}
+	for i := 0; n > 0 && i < len(iovecs); i++ {
+		m := min(int(iovecs[i].Len), n)
+		n -= m
+		if m > 0 {
+			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
+		}
+	}
+	if err == nil {
+		raceAcquire(unsafe.Pointer(&ioSync))
+	}
+}
+
+func Readv(fd int, iovs [][]byte) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	n, err = readv(fd, iovecs)
+	readvRaceDetect(iovecs, n, err)
+	return n, err
+}
+
+func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	n, err = preadv(fd, iovecs, offset)
+	readvRaceDetect(iovecs, n, err)
+	return n, err
+}
+
+func Writev(fd int, iovs [][]byte) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	if raceenabled {
+		raceReleaseMerge(unsafe.Pointer(&ioSync))
+	}
+	n, err = writev(fd, iovecs)
+	writevRaceDetect(iovecs, n)
+	return n, err
+}
+
+func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
+	iovecs := make([]Iovec, 0, minIovec)
+	iovecs = appendBytes(iovecs, iovs)
+	if raceenabled {
+		raceReleaseMerge(unsafe.Pointer(&ioSync))
+	}
+	n, err = pwritev(fd, iovecs, offset)
+	writevRaceDetect(iovecs, n)
+	return n, err
+}
@@ -602,95 +602,6 @@ func Connectx(fd int, srcIf uint32, srcAddr, dstAddr Sockaddr, associd SaeAssocI
 	return
 }

-const minIovec = 8
-
-func Readv(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	n, err = readv(fd, iovecs)
-	readvRacedetect(iovecs, n, err)
-	return n, err
-}
-
-func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	n, err = preadv(fd, iovecs, offset)
-	readvRacedetect(iovecs, n, err)
-	return n, err
-}
-
-func Writev(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	if raceenabled {
-		raceReleaseMerge(unsafe.Pointer(&ioSync))
-	}
-	n, err = writev(fd, iovecs)
-	writevRacedetect(iovecs, n)
-	return n, err
-}
-
-func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	if raceenabled {
-		raceReleaseMerge(unsafe.Pointer(&ioSync))
-	}
-	n, err = pwritev(fd, iovecs, offset)
-	writevRacedetect(iovecs, n)
-	return n, err
-}
-
-func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
-	for _, b := range bs {
-		var v Iovec
-		v.SetLen(len(b))
-		if len(b) > 0 {
-			v.Base = &b[0]
-		} else {
-			v.Base = (*byte)(unsafe.Pointer(&_zero))
-		}
-		vecs = append(vecs, v)
-	}
-	return vecs
-}
-
-func writevRacedetect(iovecs []Iovec, n int) {
-	if !raceenabled {
-		return
-	}
-	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := int(iovecs[i].Len)
-		if m > n {
-			m = n
-		}
-		n -= m
-		if m > 0 {
-			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
-		}
-	}
-}
-
-func readvRacedetect(iovecs []Iovec, n int, err error) {
-	if !raceenabled {
-		return
-	}
-	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := int(iovecs[i].Len)
-		if m > n {
-			m = n
-		}
-		n -= m
-		if m > 0 {
-			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
-		}
-	}
-	if err == nil {
-		raceAcquire(unsafe.Pointer(&ioSync))
-	}
-}
-
 //sys	connectx(fd int, endpoints *SaEndpoints, associd SaeAssocID, flags uint32, iov []Iovec, n *uintptr, connid *SaeConnID) (err error)
 //sys	sendfile(infd int, outfd int, offset int64, len *int64, hdtr unsafe.Pointer, flags int) (err error)

@@ -2150,33 +2150,10 @@ func Signalfd(fd int, sigmask *Sigset_t, flags int) (newfd int, err error) {
 //sys	exitThread(code int) (err error) = SYS_EXIT
 //sys	readv(fd int, iovs []Iovec) (n int, err error) = SYS_READV
 //sys	writev(fd int, iovs []Iovec) (n int, err error) = SYS_WRITEV
-//sys	preadv(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) = SYS_PREADV
-//sys	pwritev(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) = SYS_PWRITEV
-//sys	preadv2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PREADV2
-//sys	pwritev2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PWRITEV2
-
-// minIovec is the size of the small initial allocation used by
-// Readv, Writev, etc.
-//
-// This small allocation gets stack allocated, which lets the
-// common use case of len(iovs) <= minIovs avoid more expensive
-// heap allocations.
-const minIovec = 8
-
-// appendBytes converts bs to Iovecs and appends them to vecs.
-func appendBytes(vecs []Iovec, bs [][]byte) []Iovec {
-	for _, b := range bs {
-		var v Iovec
-		v.SetLen(len(b))
-		if len(b) > 0 {
-			v.Base = &b[0]
-		} else {
-			v.Base = (*byte)(unsafe.Pointer(&_zero))
-		}
-		vecs = append(vecs, v)
-	}
-	return vecs
-}
+//sys	preadvSyscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) = SYS_PREADV
+//sys	pwritevSyscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) = SYS_PWRITEV
+//sys	preadv2Syscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PREADV2
+//sys	pwritev2Syscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) = SYS_PWRITEV2

 // offs2lohi splits offs into its low and high order bits.
 func offs2lohi(offs int64) (lo, hi uintptr) {
@@ -2184,69 +2161,23 @@ func offs2lohi(offs int64) (lo, hi uintptr) {
 	return uintptr(offs), uintptr(uint64(offs) >> (longBits - 1) >> 1) // two shifts to avoid false positive in vet
 }

-func Readv(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	n, err = readv(fd, iovecs)
-	readvRacedetect(iovecs, n, err)
-	return n, err
-}
-
-func Preadv(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
 	lo, hi := offs2lohi(offset)
-	n, err = preadv(fd, iovecs, lo, hi)
-	readvRacedetect(iovecs, n, err)
-	return n, err
+	return preadvSyscall(fd, iovecs, lo, hi)
 }

 func Preadv2(fd int, iovs [][]byte, offset int64, flags int) (n int, err error) {
 	iovecs := make([]Iovec, 0, minIovec)
 	iovecs = appendBytes(iovecs, iovs)
 	lo, hi := offs2lohi(offset)
-	n, err = preadv2(fd, iovecs, lo, hi, flags)
-	readvRacedetect(iovecs, n, err)
+	n, err = preadv2Syscall(fd, iovecs, lo, hi, flags)
+	readvRaceDetect(iovecs, n, err)
 	return n, err
 }

-func readvRacedetect(iovecs []Iovec, n int, err error) {
-	if !raceenabled {
-		return
-	}
-	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := min(int(iovecs[i].Len), n)
-		n -= m
-		if m > 0 {
-			raceWriteRange(unsafe.Pointer(iovecs[i].Base), m)
-		}
-	}
-	if err == nil {
-		raceAcquire(unsafe.Pointer(&ioSync))
-	}
-}
-
-func Writev(fd int, iovs [][]byte) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	if raceenabled {
-		raceReleaseMerge(unsafe.Pointer(&ioSync))
-	}
-	n, err = writev(fd, iovecs)
-	writevRacedetect(iovecs, n)
-	return n, err
-}
-
-func Pwritev(fd int, iovs [][]byte, offset int64) (n int, err error) {
-	iovecs := make([]Iovec, 0, minIovec)
-	iovecs = appendBytes(iovecs, iovs)
-	if raceenabled {
-		raceReleaseMerge(unsafe.Pointer(&ioSync))
-	}
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
 	lo, hi := offs2lohi(offset)
-	n, err = pwritev(fd, iovecs, lo, hi)
-	writevRacedetect(iovecs, n)
-	return n, err
+	return pwritevSyscall(fd, iovecs, lo, hi)
 }

 func Pwritev2(fd int, iovs [][]byte, offset int64, flags int) (n int, err error) {
@@ -2256,24 +2187,11 @@ func Pwritev2(fd int, iovs [][]byte, offset int64, flags int) (n int, err error)
 		raceReleaseMerge(unsafe.Pointer(&ioSync))
 	}
 	lo, hi := offs2lohi(offset)
-	n, err = pwritev2(fd, iovecs, lo, hi, flags)
-	writevRacedetect(iovecs, n)
+	n, err = pwritev2Syscall(fd, iovecs, lo, hi, flags)
+	writevRaceDetect(iovecs, n)
 	return n, err
 }

-func writevRacedetect(iovecs []Iovec, n int) {
-	if !raceenabled {
-		return
-	}
-	for i := 0; n > 0 && i < len(iovecs); i++ {
-		m := min(int(iovecs[i].Len), n)
-		n -= m
-		if m > 0 {
-			raceReadRange(unsafe.Pointer(iovecs[i].Base), m)
-		}
-	}
-}
-
 // mmap varies by architecture; see syscall_linux_*.go.
 //sys	munmap(addr uintptr, length uintptr) (err error)
 //sys	mremap(oldaddr uintptr, oldlength uintptr, newlength uintptr, flags int, newaddr uintptr) (xaddr uintptr, err error)
@@ -300,6 +300,10 @@ func Uname(uname *Utsname) error {
 //sys	Pathconf(path string, name int) (val int, err error)
 //sys	pread(fd int, p []byte, offset int64) (n int, err error)
 //sys	pwrite(fd int, p []byte, offset int64) (n int, err error)
+//sys	readv(fd int, iovecs []Iovec) (n int, err error)
+//sys	writev(fd int, iovecs []Iovec) (n int, err error)
+//sys	preadv(fd int, iovecs []Iovec, offset int64) (n int, err error)
+//sys	pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error)
 //sys	read(fd int, p []byte) (n int, err error)
 //sys	Readlink(path string, buf []byte) (n int, err error)
 //sys	Readlinkat(dirfd int, path string, buf []byte) (n int, err error)
@@ -353,8 +353,10 @@ const (
 	AUDIT_MAC_IPSEC_EVENT                       = 0x587
 	AUDIT_MAC_MAP_ADD                           = 0x581
 	AUDIT_MAC_MAP_DEL                           = 0x582
+	AUDIT_MAC_OBJ_CONTEXTS                      = 0x592
 	AUDIT_MAC_POLICY_LOAD                       = 0x57b
 	AUDIT_MAC_STATUS                            = 0x57c
+	AUDIT_MAC_TASK_CONTEXTS                     = 0x591
 	AUDIT_MAC_UNLBL_ALLOW                       = 0x57e
 	AUDIT_MAC_UNLBL_STCADD                      = 0x588
 	AUDIT_MAC_UNLBL_STCDEL                      = 0x589
@@ -591,8 +593,13 @@ const (
 	CAN_CTRLMODE_LOOPBACK                       = 0x1
 	CAN_CTRLMODE_ONE_SHOT                       = 0x8
 	CAN_CTRLMODE_PRESUME_ACK                    = 0x40
+	CAN_CTRLMODE_RESTRICTED                     = 0x800
 	CAN_CTRLMODE_TDC_AUTO                       = 0x200
 	CAN_CTRLMODE_TDC_MANUAL                     = 0x400
+	CAN_CTRLMODE_XL                             = 0x1000
+	CAN_CTRLMODE_XL_TDC_AUTO                    = 0x2000
+	CAN_CTRLMODE_XL_TDC_MANUAL                  = 0x4000
+	CAN_CTRLMODE_XL_TMS                         = 0x8000
 	CAN_EFF_FLAG                                = 0x80000000
 	CAN_EFF_ID_BITS                             = 0x1d
 	CAN_EFF_MASK                                = 0x1fffffff
@@ -800,6 +807,8 @@ const (
 	DEVLINK_PORT_FN_CAP_IPSEC_PACKET            = 0x8
 	DEVLINK_PORT_FN_CAP_MIGRATABLE              = 0x2
 	DEVLINK_PORT_FN_CAP_ROCE                    = 0x1
+	DEVLINK_RATE_TCS_MAX                        = 0x8
+	DEVLINK_RATE_TC_INDEX_MAX                   = 0x7
 	DEVLINK_SB_THRESHOLD_TO_ALPHA_MAX           = 0x14
 	DEVLINK_SUPPORTED_FLASH_OVERWRITE_SECTIONS  = 0x3
 	DEVMEM_MAGIC                                = 0x454d444d
@@ -1186,6 +1195,7 @@ const (
 	ETH_P_MPLS_UC                               = 0x8847
 	ETH_P_MRP                                   = 0x88e3
 	ETH_P_MVRP                                  = 0x88f5
+	ETH_P_MXLGSW                                = 0x88c3
 	ETH_P_NCSI                                  = 0x88f8
 	ETH_P_NSH                                   = 0x894f
 	ETH_P_PAE                                   = 0x888e
@@ -1218,6 +1228,7 @@ const (
 	ETH_P_WCCP                                  = 0x883e
 	ETH_P_X25                                   = 0x805
 	ETH_P_XDSA                                  = 0xf8
+	ETH_P_YT921X                                = 0x9988
 	ET_CORE                                     = 0x4
 	ET_DYN                                      = 0x3
 	ET_EXEC                                     = 0x2
@@ -1258,6 +1269,7 @@ const (
 	FALLOC_FL_NO_HIDE_STALE                     = 0x4
 	FALLOC_FL_PUNCH_HOLE                        = 0x2
 	FALLOC_FL_UNSHARE_RANGE                     = 0x40
+	FALLOC_FL_WRITE_ZEROES                      = 0x80
 	FALLOC_FL_ZERO_RANGE                        = 0x10
 	FANOTIFY_METADATA_VERSION                   = 0x3
 	FAN_ACCESS                                  = 0x1
@@ -1477,6 +1489,7 @@ const (
 	GRND_INSECURE                               = 0x4
 	GRND_NONBLOCK                               = 0x1
 	GRND_RANDOM                                 = 0x2
+	GUEST_MEMFD_MAGIC                           = 0x474d454d
 	HDIO_DRIVE_CMD                              = 0x31f
 	HDIO_DRIVE_CMD_AEB                          = 0x31e
 	HDIO_DRIVE_CMD_HDR_SIZE                     = 0x4
@@ -1517,6 +1530,7 @@ const (
 	HDIO_SET_XFER                               = 0x306
 	HDIO_TRISTATE_HWIF                          = 0x31b
 	HDIO_UNREGISTER_HWIF                        = 0x32a
+	HIDIOCTL_LAST                               = 0xd
 	HID_MAX_DESCRIPTOR_SIZE                     = 0x1000
 	HOSTFS_SUPER_MAGIC                          = 0xc0ffee
 	HPFS_SUPER_MAGIC                            = 0xf995e849
@@ -1809,6 +1823,8 @@ const (
 	KEXEC_ARCH_X86_64                           = 0x3e0000
 	KEXEC_CRASH_HOTPLUG_SUPPORT                 = 0x8
 	KEXEC_FILE_DEBUG                            = 0x8
+	KEXEC_FILE_FORCE_DTB                        = 0x20
+	KEXEC_FILE_NO_CMA                           = 0x10
 	KEXEC_FILE_NO_INITRAMFS                     = 0x4
 	KEXEC_FILE_ON_CRASH                         = 0x2
 	KEXEC_FILE_UNLOAD                           = 0x1
@@ -1905,6 +1921,7 @@ const (
 	LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON      = 0x2
 	LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF    = 0x1
 	LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF   = 0x4
+	LANDLOCK_RESTRICT_SELF_TSYNC                = 0x8
 	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET         = 0x1
 	LANDLOCK_SCOPE_SIGNAL                       = 0x2
 	LINUX_REBOOT_CMD_CAD_OFF                    = 0x0
@@ -2412,6 +2429,7 @@ const (
 	NN_PRXFPREG                                 = "LINUX"
 	NN_RISCV_CSR                                = "LINUX"
 	NN_RISCV_TAGGED_ADDR_CTRL                   = "LINUX"
+	NN_RISCV_USER_CFI                           = "LINUX"
 	NN_RISCV_VECTOR                             = "LINUX"
 	NN_S390_CTRS                                = "LINUX"
 	NN_S390_GS_BC                               = "LINUX"
@@ -2493,6 +2511,7 @@ const (
 	NT_PRXFPREG                                 = 0x46e62b7f
 	NT_RISCV_CSR                                = 0x900
 	NT_RISCV_TAGGED_ADDR_CTRL                   = 0x902
+	NT_RISCV_USER_CFI                           = 0x903
 	NT_RISCV_VECTOR                             = 0x901
 	NT_S390_CTRS                                = 0x304
 	NT_S390_GS_BC                               = 0x30c
@@ -2515,6 +2534,7 @@ const (
 	NT_X86_SHSTK                                = 0x204
 	NT_X86_XSAVE_LAYOUT                         = 0x205
 	NT_X86_XSTATE                               = 0x202
+	NULL_FS_MAGIC                               = 0x4e554c4c
 	OCFS2_SUPER_MAGIC                           = 0x7461636f
 	OCRNL                                       = 0x8
 	OFDEL                                       = 0x80
@@ -2594,6 +2614,7 @@ const (
 	PERF_ATTR_SIZE_VER6                         = 0x78
 	PERF_ATTR_SIZE_VER7                         = 0x80
 	PERF_ATTR_SIZE_VER8                         = 0x88
+	PERF_ATTR_SIZE_VER9                         = 0x90
 	PERF_AUX_FLAG_COLLISION                     = 0x8
 	PERF_AUX_FLAG_CORESIGHT_FORMAT_CORESIGHT    = 0x0
 	PERF_AUX_FLAG_CORESIGHT_FORMAT_RAW          = 0x100
@@ -2629,6 +2650,7 @@ const (
 	PERF_MEM_LVLNUM_ANY_CACHE                   = 0xb
 	PERF_MEM_LVLNUM_CXL                         = 0x9
 	PERF_MEM_LVLNUM_IO                          = 0xa
+	PERF_MEM_LVLNUM_L0                          = 0x7
 	PERF_MEM_LVLNUM_L1                          = 0x1
 	PERF_MEM_LVLNUM_L2                          = 0x2
 	PERF_MEM_LVLNUM_L2_MHB                      = 0x5
@@ -2662,6 +2684,23 @@ const (
 	PERF_MEM_OP_PFETCH                          = 0x8
 	PERF_MEM_OP_SHIFT                           = 0x0
 	PERF_MEM_OP_STORE                           = 0x4
+	PERF_MEM_REGION_L_NON_SHARE                 = 0x3
+	PERF_MEM_REGION_L_SHARE                     = 0x2
+	PERF_MEM_REGION_MEM0                        = 0x8
+	PERF_MEM_REGION_MEM1                        = 0x9
+	PERF_MEM_REGION_MEM2                        = 0xa
+	PERF_MEM_REGION_MEM3                        = 0xb
+	PERF_MEM_REGION_MEM4                        = 0xc
+	PERF_MEM_REGION_MEM5                        = 0xd
+	PERF_MEM_REGION_MEM6                        = 0xe
+	PERF_MEM_REGION_MEM7                        = 0xf
+	PERF_MEM_REGION_MMIO                        = 0x7
+	PERF_MEM_REGION_NA                          = 0x0
+	PERF_MEM_REGION_O_IO                        = 0x4
+	PERF_MEM_REGION_O_NON_SHARE                 = 0x6
+	PERF_MEM_REGION_O_SHARE                     = 0x5
+	PERF_MEM_REGION_RSVD                        = 0x1
+	PERF_MEM_REGION_SHIFT                       = 0x2e
 	PERF_MEM_REMOTE_REMOTE                      = 0x1
 	PERF_MEM_REMOTE_SHIFT                       = 0x25
 	PERF_MEM_SNOOPX_FWD                         = 0x1
@@ -2776,6 +2815,10 @@ const (
 	PR_CAP_AMBIENT_IS_SET                       = 0x1
 	PR_CAP_AMBIENT_LOWER                        = 0x3
 	PR_CAP_AMBIENT_RAISE                        = 0x2
+	PR_CFI_BRANCH_LANDING_PADS                  = 0x0
+	PR_CFI_DISABLE                              = 0x2
+	PR_CFI_ENABLE                               = 0x1
+	PR_CFI_LOCK                                 = 0x4
 	PR_ENDIAN_BIG                               = 0x0
 	PR_ENDIAN_LITTLE                            = 0x1
 	PR_ENDIAN_PPC_LITTLE                        = 0x2
@@ -2798,6 +2841,7 @@ const (
 	PR_FUTEX_HASH_GET_SLOTS                     = 0x2
 	PR_FUTEX_HASH_SET_SLOTS                     = 0x1
 	PR_GET_AUXV                                 = 0x41555856
+	PR_GET_CFI                                  = 0x50
 	PR_GET_CHILD_SUBREAPER                      = 0x25
 	PR_GET_DUMPABLE                             = 0x3
 	PR_GET_ENDIAN                               = 0x13
@@ -2834,6 +2878,7 @@ const (
 	PR_MDWE_REFUSE_EXEC_GAIN                    = 0x1
 	PR_MPX_DISABLE_MANAGEMENT                   = 0x2c
 	PR_MPX_ENABLE_MANAGEMENT                    = 0x2b
+	PR_MTE_STORE_ONLY                           = 0x80000
 	PR_MTE_TAG_MASK                             = 0x7fff8
 	PR_MTE_TAG_SHIFT                            = 0x3
 	PR_MTE_TCF_ASYNC                            = 0x4
@@ -2877,6 +2922,10 @@ const (
 	PR_RISCV_V_VSTATE_CTRL_NEXT_MASK            = 0xc
 	PR_RISCV_V_VSTATE_CTRL_OFF                  = 0x1
 	PR_RISCV_V_VSTATE_CTRL_ON                   = 0x2
+	PR_RSEQ_SLICE_EXTENSION                     = 0x4f
+	PR_RSEQ_SLICE_EXTENSION_GET                 = 0x1
+	PR_RSEQ_SLICE_EXTENSION_SET                 = 0x2
+	PR_RSEQ_SLICE_EXT_ENABLE                    = 0x1
 	PR_SCHED_CORE                               = 0x3e
 	PR_SCHED_CORE_CREATE                        = 0x1
 	PR_SCHED_CORE_GET                           = 0x0
@@ -2886,6 +2935,7 @@ const (
 	PR_SCHED_CORE_SCOPE_THREAD_GROUP            = 0x1
 	PR_SCHED_CORE_SHARE_FROM                    = 0x3
 	PR_SCHED_CORE_SHARE_TO                      = 0x2
+	PR_SET_CFI                                  = 0x51
 	PR_SET_CHILD_SUBREAPER                      = 0x24
 	PR_SET_DUMPABLE                             = 0x4
 	PR_SET_ENDIAN                               = 0x14
@@ -2951,11 +3001,14 @@ const (
 	PR_SVE_SET_VL_ONEXEC                        = 0x40000
 	PR_SVE_VL_INHERIT                           = 0x20000
 	PR_SVE_VL_LEN_MASK                          = 0xffff
+	PR_SYS_DISPATCH_EXCLUSIVE_ON                = 0x1
+	PR_SYS_DISPATCH_INCLUSIVE_ON                = 0x2
 	PR_SYS_DISPATCH_OFF                         = 0x0
 	PR_SYS_DISPATCH_ON                          = 0x1
 	PR_TAGGED_ADDR_ENABLE                       = 0x1
 	PR_TASK_PERF_EVENTS_DISABLE                 = 0x1f
 	PR_TASK_PERF_EVENTS_ENABLE                  = 0x20
+	PR_THP_DISABLE_EXCEPT_ADVISED               = 0x2
 	PR_TIMER_CREATE_RESTORE_IDS                 = 0x4d
 	PR_TIMER_CREATE_RESTORE_IDS_GET             = 0x2
 	PR_TIMER_CREATE_RESTORE_IDS_OFF             = 0x0
@@ -2987,8 +3040,10 @@ const (
 	PTP_STRICT_FLAGS                            = 0x8
 	PTP_SYS_OFFSET_EXTENDED                     = 0xc4c03d09
 	PTP_SYS_OFFSET_EXTENDED2                    = 0xc4c03d12
+	PTP_SYS_OFFSET_EXTENDED_CYCLES              = 0xc4c03d16
 	PTP_SYS_OFFSET_PRECISE                      = 0xc0403d08
 	PTP_SYS_OFFSET_PRECISE2                     = 0xc0403d11
+	PTP_SYS_OFFSET_PRECISE_CYCLES               = 0xc0403d15
 	PTRACE_ATTACH                               = 0x10
 	PTRACE_CONT                                 = 0x7
 	PTRACE_DETACH                               = 0x11
@@ -3330,8 +3385,9 @@ const (
 	RWF_DSYNC                                   = 0x2
 	RWF_HIPRI                                   = 0x1
 	RWF_NOAPPEND                                = 0x20
+	RWF_NOSIGNAL                                = 0x100
 	RWF_NOWAIT                                  = 0x8
-	RWF_SUPPORTED                               = 0xff
+	RWF_SUPPORTED                               = 0x1ff
 	RWF_SYNC                                    = 0x4
 	RWF_WRITE_LIFE_NOT_SET                      = 0x0
 	SCHED_BATCH                                 = 0x3
@@ -3714,7 +3770,7 @@ const (
 	TASKSTATS_GENL_NAME                         = "TASKSTATS"
 	TASKSTATS_GENL_VERSION                      = 0x1
 	TASKSTATS_TYPE_MAX                          = 0x6
-	TASKSTATS_VERSION                           = 0x10
+	TASKSTATS_VERSION                           = 0x11
 	TCIFLUSH                                    = 0x0
 	TCIOFF                                      = 0x2
 	TCIOFLUSH                                   = 0x2
@@ -4052,6 +4108,7 @@ const (
 	XDP_FLAGS_REPLACE                           = 0x10
 	XDP_FLAGS_SKB_MODE                          = 0x2
 	XDP_FLAGS_UPDATE_IF_NOEXIST                 = 0x1
+	XDP_MAX_TX_SKB_BUDGET                       = 0x9
 	XDP_MMAP_OFFSETS                            = 0x1
 	XDP_OPTIONS                                 = 0x8
 	XDP_OPTIONS_ZEROCOPY                        = 0x1
@@ -159,6 +159,7 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -305,6 +306,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -352,6 +354,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -596,6 +599,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -819,7 +824,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -159,6 +159,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -306,6 +307,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -353,6 +355,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -596,6 +599,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -819,7 +824,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -311,6 +312,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -358,6 +360,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -601,6 +604,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -824,7 +829,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -161,6 +161,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -598,6 +601,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -821,7 +826,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -160,6 +160,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -298,6 +299,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -345,6 +347,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -588,6 +591,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -811,7 +816,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x2c
@@ -597,6 +600,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x60)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x46d)
+	EFSBADCRC       = syscall.Errno(0x4d)
+	EFSCORRUPTED    = syscall.Errno(0x87)
 	EHOSTDOWN       = syscall.Errno(0x93)
 	EHOSTUNREACH    = syscall.Errno(0x94)
 	EHWPOISON       = syscall.Errno(0xa8)
@@ -814,7 +819,7 @@ var errorList = [...]struct {
 	{132, "ENOBUFS", "no buffer space available"},
 	{133, "EISCONN", "transport endpoint is already connected"},
 	{134, "ENOTCONN", "transport endpoint is not connected"},
-	{135, "EUCLEAN", "structure needs cleaning"},
+	{135, "EFSCORRUPTED", "structure needs cleaning"},
 	{137, "ENOTNAM", "not a XENIX named type file"},
 	{138, "ENAVAIL", "no XENIX semaphores available"},
 	{139, "EISNAM", "is a named type file"},
@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x2c
@@ -597,6 +600,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x60)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x46d)
+	EFSBADCRC       = syscall.Errno(0x4d)
+	EFSCORRUPTED    = syscall.Errno(0x87)
 	EHOSTDOWN       = syscall.Errno(0x93)
 	EHOSTUNREACH    = syscall.Errno(0x94)
 	EHWPOISON       = syscall.Errno(0xa8)
@@ -814,7 +819,7 @@ var errorList = [...]struct {
 	{132, "ENOBUFS", "no buffer space available"},
 	{133, "EISCONN", "transport endpoint is already connected"},
 	{134, "ENOTCONN", "transport endpoint is not connected"},
-	{135, "EUCLEAN", "structure needs cleaning"},
+	{135, "EFSCORRUPTED", "structure needs cleaning"},
 	{137, "ENOTNAM", "not a XENIX named type file"},
 	{138, "ENAVAIL", "no XENIX semaphores available"},
 	{139, "EISNAM", "is a named type file"},
@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x2c
@@ -597,6 +600,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x60)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x46d)
+	EFSBADCRC       = syscall.Errno(0x4d)
+	EFSCORRUPTED    = syscall.Errno(0x87)
 	EHOSTDOWN       = syscall.Errno(0x93)
 	EHOSTUNREACH    = syscall.Errno(0x94)
 	EHWPOISON       = syscall.Errno(0xa8)
@@ -814,7 +819,7 @@ var errorList = [...]struct {
 	{132, "ENOBUFS", "no buffer space available"},
 	{133, "EISCONN", "transport endpoint is already connected"},
 	{134, "ENOTCONN", "transport endpoint is not connected"},
-	{135, "EUCLEAN", "structure needs cleaning"},
+	{135, "EFSCORRUPTED", "structure needs cleaning"},
 	{137, "ENOTNAM", "not a XENIX named type file"},
 	{138, "ENAVAIL", "no XENIX semaphores available"},
 	{139, "EISNAM", "is a named type file"},
@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x20
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -304,6 +305,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -351,6 +353,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x2c
@@ -597,6 +600,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x60)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x46d)
+	EFSBADCRC       = syscall.Errno(0x4d)
+	EFSCORRUPTED    = syscall.Errno(0x87)
 	EHOSTDOWN       = syscall.Errno(0x93)
 	EHOSTUNREACH    = syscall.Errno(0x94)
 	EHWPOISON       = syscall.Errno(0xa8)
@@ -814,7 +819,7 @@ var errorList = [...]struct {
 	{132, "ENOBUFS", "no buffer space available"},
 	{133, "EISCONN", "transport endpoint is already connected"},
 	{134, "ENOTCONN", "transport endpoint is not connected"},
-	{135, "EUCLEAN", "structure needs cleaning"},
+	{135, "EFSCORRUPTED", "structure needs cleaning"},
 	{137, "ENOTNAM", "not a XENIX named type file"},
 	{138, "ENAVAIL", "no XENIX semaphores available"},
 	{139, "EISNAM", "is a named type file"},
@@ -158,6 +158,7 @@ const (
 	NL3                              = 0x300
 	NLDLY                            = 0x300
 	NOFLSH                           = 0x80000000
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -359,6 +360,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -406,6 +408,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -653,6 +656,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -877,7 +882,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -158,6 +158,7 @@ const (
 	NL3                              = 0x300
 	NLDLY                            = 0x300
 	NOFLSH                           = 0x80000000
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -363,6 +364,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -410,6 +412,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -657,6 +660,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -881,7 +886,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -158,6 +158,7 @@ const (
 	NL3                              = 0x300
 	NLDLY                            = 0x300
 	NOFLSH                           = 0x80000000
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -363,6 +364,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -410,6 +412,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -657,6 +660,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -881,7 +886,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -156,6 +156,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x8008b70d
 	NS_GET_MNTNS_ID                  = 0x8008b705
 	NS_GET_NSTYPE                    = 0xb703
 	NS_GET_OWNER_UID                 = 0xb704
@@ -367,6 +368,7 @@ const (
 	RTC_WKALM_SET                    = 0x4028700f
 	SCM_DEVMEM_DMABUF                = 0x4f
 	SCM_DEVMEM_LINEAR                = 0x4e
+	SCM_INQ                          = 0x54
 	SCM_TIMESTAMPING                 = 0x25
 	SCM_TIMESTAMPING_OPT_STATS       = 0x36
 	SCM_TIMESTAMPING_PKTINFO         = 0x3a
@@ -414,6 +416,7 @@ const (
 	SO_ERROR                         = 0x4
 	SO_INCOMING_CPU                  = 0x31
 	SO_INCOMING_NAPI_ID              = 0x38
+	SO_INQ                           = 0x54
 	SO_KEEPALIVE                     = 0x9
 	SO_LINGER                        = 0xd
 	SO_LOCK_FILTER                   = 0x2c
@@ -657,6 +660,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x59)
 	EDOTDOT         = syscall.Errno(0x49)
 	EDQUOT          = syscall.Errno(0x7a)
+	EFSBADCRC       = syscall.Errno(0x4a)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x70)
 	EHOSTUNREACH    = syscall.Errno(0x71)
 	EHWPOISON       = syscall.Errno(0x85)
@@ -880,7 +885,7 @@ var errorList = [...]struct {
 	{114, "EALREADY", "operation already in progress"},
 	{115, "EINPROGRESS", "operation now in progress"},
 	{116, "ESTALE", "stale file handle"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -161,6 +161,7 @@ const (
 	NFDBITS                          = 0x40
 	NLDLY                            = 0x100
 	NOFLSH                           = 0x80
+	NS_GET_ID                        = 0x4008b70d
 	NS_GET_MNTNS_ID                  = 0x4008b705
 	NS_GET_NSTYPE                    = 0x2000b703
 	NS_GET_OWNER_UID                 = 0x2000b704
@@ -358,6 +359,7 @@ const (
 	RTC_WKALM_SET                    = 0x8028700f
 	SCM_DEVMEM_DMABUF                = 0x58
 	SCM_DEVMEM_LINEAR                = 0x57
+	SCM_INQ                          = 0x5d
 	SCM_TIMESTAMPING                 = 0x23
 	SCM_TIMESTAMPING_OPT_STATS       = 0x38
 	SCM_TIMESTAMPING_PKTINFO         = 0x3c
@@ -453,6 +455,7 @@ const (
 	SO_ERROR                         = 0x1007
 	SO_INCOMING_CPU                  = 0x33
 	SO_INCOMING_NAPI_ID              = 0x3a
+	SO_INQ                           = 0x5d
 	SO_KEEPALIVE                     = 0x8
 	SO_LINGER                        = 0x80
 	SO_LOCK_FILTER                   = 0x28
@@ -694,6 +697,8 @@ const (
 	EDESTADDRREQ    = syscall.Errno(0x27)
 	EDOTDOT         = syscall.Errno(0x58)
 	EDQUOT          = syscall.Errno(0x45)
+	EFSBADCRC       = syscall.Errno(0x4c)
+	EFSCORRUPTED    = syscall.Errno(0x75)
 	EHOSTDOWN       = syscall.Errno(0x40)
 	EHOSTUNREACH    = syscall.Errno(0x41)
 	EHWPOISON       = syscall.Errno(0x87)
@@ -921,7 +926,7 @@ var errorList = [...]struct {
 	{114, "ELIBACC", "can not access a needed shared library"},
 	{115, "ENOTUNIQ", "name not unique on network"},
 	{116, "ERESTART", "interrupted system call should be restarted"},
-	{117, "EUCLEAN", "structure needs cleaning"},
+	{117, "EFSCORRUPTED", "structure needs cleaning"},
 	{118, "ENOTNAM", "not a XENIX named type file"},
 	{119, "ENAVAIL", "no XENIX semaphores available"},
 	{120, "EISNAM", "is a named type file"},
@@ -1785,7 +1785,7 @@ func writev(fd int, iovs []Iovec) (n int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

-func preadv(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) {
+func preadvSyscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(iovs) > 0 {
 		_p0 = unsafe.Pointer(&iovs[0])
@@ -1802,7 +1802,7 @@ func preadv(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err er

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

-func pwritev(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) {
+func pwritevSyscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(iovs) > 0 {
 		_p0 = unsafe.Pointer(&iovs[0])
@@ -1819,7 +1819,7 @@ func pwritev(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr) (n int, err e

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

-func preadv2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) {
+func preadv2Syscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(iovs) > 0 {
 		_p0 = unsafe.Pointer(&iovs[0])
@@ -1836,7 +1836,7 @@ func preadv2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

-func pwritev2(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) {
+func pwritev2Syscall(fd int, iovs []Iovec, offs_l uintptr, offs_h uintptr, flags int) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(iovs) > 0 {
 		_p0 = unsafe.Pointer(&iovs[0])
@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), uintptr(offset>>32), 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), uintptr(offset>>32), 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {
@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pwrite_trampoline_addr(SB)/4, $libc_pwrite_trampoline<>(SB)

+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $4
+DATA	·libc_readv_trampoline_addr(SB)/4, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $4
+DATA	·libc_writev_trampoline_addr(SB)/4, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $4
+DATA	·libc_preadv_trampoline_addr(SB)/4, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $4
+DATA	·libc_pwritev_trampoline_addr(SB)/4, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $4
@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {
@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)

+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readv_trampoline_addr(SB)/8, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_writev_trampoline_addr(SB)/8, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_preadv_trampoline_addr(SB)/8, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwritev_trampoline_addr(SB)/8, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8
@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), 0, uintptr(offset), uintptr(offset>>32))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), 0, uintptr(offset), uintptr(offset>>32))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {
@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $4
 DATA	·libc_pwrite_trampoline_addr(SB)/4, $libc_pwrite_trampoline<>(SB)

+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $4
+DATA	·libc_readv_trampoline_addr(SB)/4, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $4
+DATA	·libc_writev_trampoline_addr(SB)/4, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $4
+DATA	·libc_preadv_trampoline_addr(SB)/4, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $4
+DATA	·libc_pwritev_trampoline_addr(SB)/4, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $4
@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {
@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)

+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readv_trampoline_addr(SB)/8, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_writev_trampoline_addr(SB)/8, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_preadv_trampoline_addr(SB)/8, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwritev_trampoline_addr(SB)/8, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8
@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {
@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)

+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readv_trampoline_addr(SB)/8, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_writev_trampoline_addr(SB)/8, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_preadv_trampoline_addr(SB)/8, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwritev_trampoline_addr(SB)/8, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8
@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {
@@ -597,6 +597,30 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)

+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	CALL	libc_readv(SB)
+	RET
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readv_trampoline_addr(SB)/8, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	CALL	libc_writev(SB)
+	RET
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_writev_trampoline_addr(SB)/8, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	CALL	libc_preadv(SB)
+	RET
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_preadv_trampoline_addr(SB)/8, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	CALL	libc_pwritev(SB)
+	RET
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwritev_trampoline_addr(SB)/8, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	CALL	libc_read(SB)
 	RET
@@ -1633,6 +1633,90 @@ var libc_pwrite_trampoline_addr uintptr

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func readv(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_readv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_readv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_readv readv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func writev(fd int, iovecs []Iovec) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall(libc_writev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_writev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_writev writev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func preadv(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_preadv_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_preadv_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_preadv preadv "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pwritev(fd int, iovecs []Iovec, offset int64) (n int, err error) {
+	var _p0 unsafe.Pointer
+	if len(iovecs) > 0 {
+		_p0 = unsafe.Pointer(&iovecs[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall_syscall6(libc_pwritev_trampoline_addr, uintptr(fd), uintptr(_p0), uintptr(len(iovecs)), uintptr(offset), 0, 0)
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pwritev_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pwritev pwritev "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func read(fd int, p []byte) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(p) > 0 {
@@ -498,6 +498,26 @@ TEXT libc_pwrite_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_pwrite_trampoline_addr(SB), RODATA, $8
 DATA	·libc_pwrite_trampoline_addr(SB)/8, $libc_pwrite_trampoline<>(SB)

+TEXT libc_readv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_readv(SB)
+GLOBL	·libc_readv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_readv_trampoline_addr(SB)/8, $libc_readv_trampoline<>(SB)
+
+TEXT libc_writev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_writev(SB)
+GLOBL	·libc_writev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_writev_trampoline_addr(SB)/8, $libc_writev_trampoline<>(SB)
+
+TEXT libc_preadv_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_preadv(SB)
+GLOBL	·libc_preadv_trampoline_addr(SB), RODATA, $8
+DATA	·libc_preadv_trampoline_addr(SB)/8, $libc_preadv_trampoline<>(SB)
+
+TEXT libc_pwritev_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pwritev(SB)
+GLOBL	·libc_pwritev_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pwritev_trampoline_addr(SB)/8, $libc_pwritev_trampoline<>(SB)
+
 TEXT libc_read_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_read(SB)
 GLOBL	·libc_read_trampoline_addr(SB), RODATA, $8
@@ -463,4 +463,8 @@ const (
 	SYS_LISTXATTRAT                  = 465
 	SYS_REMOVEXATTRAT                = 466
 	SYS_OPEN_TREE_ATTR               = 467
+	SYS_FILE_GETATTR                 = 468
+	SYS_FILE_SETATTR                 = 469
+	SYS_LISTNS                       = 470
+	SYS_RSEQ_SLICE_YIELD             = 471
 )
@@ -342,6 +342,7 @@ const (
 	SYS_IO_PGETEVENTS           = 333
 	SYS_RSEQ                    = 334
 	SYS_URETPROBE               = 335
+	SYS_UPROBE                  = 336
 	SYS_PIDFD_SEND_SIGNAL       = 424
 	SYS_IO_URING_SETUP          = 425
 	SYS_IO_URING_ENTER          = 426
@@ -386,4 +387,8 @@ const (
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
 	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+	SYS_LISTNS                  = 470
+	SYS_RSEQ_SLICE_YIELD        = 471
 )
@@ -427,4 +427,8 @@ const (
 	SYS_LISTXATTRAT                  = 465
 	SYS_REMOVEXATTRAT                = 466
 	SYS_OPEN_TREE_ATTR               = 467
+	SYS_FILE_GETATTR                 = 468
+	SYS_FILE_SETATTR                 = 469
+	SYS_LISTNS                       = 470
+	SYS_RSEQ_SLICE_YIELD             = 471
 )
@@ -330,4 +330,8 @@ const (
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
 	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+	SYS_LISTNS                  = 470
+	SYS_RSEQ_SLICE_YIELD        = 471
 )
@@ -306,6 +306,7 @@ const (
 	SYS_LANDLOCK_CREATE_RULESET = 444
 	SYS_LANDLOCK_ADD_RULE       = 445
 	SYS_LANDLOCK_RESTRICT_SELF  = 446
+	SYS_MEMFD_SECRET            = 447
 	SYS_PROCESS_MRELEASE        = 448
 	SYS_FUTEX_WAITV             = 449
 	SYS_SET_MEMPOLICY_HOME_NODE = 450
@@ -326,4 +327,8 @@ const (
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
 	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+	SYS_LISTNS                  = 470
+	SYS_RSEQ_SLICE_YIELD        = 471
 )
@@ -447,4 +447,8 @@ const (
 	SYS_LISTXATTRAT                  = 4465
 	SYS_REMOVEXATTRAT                = 4466
 	SYS_OPEN_TREE_ATTR               = 4467
+	SYS_FILE_GETATTR                 = 4468
+	SYS_FILE_SETATTR                 = 4469
+	SYS_LISTNS                       = 4470
+	SYS_RSEQ_SLICE_YIELD             = 4471
 )
@@ -377,4 +377,8 @@ const (
 	SYS_LISTXATTRAT             = 5465
 	SYS_REMOVEXATTRAT           = 5466
 	SYS_OPEN_TREE_ATTR          = 5467
+	SYS_FILE_GETATTR            = 5468
+	SYS_FILE_SETATTR            = 5469
+	SYS_LISTNS                  = 5470
+	SYS_RSEQ_SLICE_YIELD        = 5471
 )
@@ -377,4 +377,8 @@ const (
 	SYS_LISTXATTRAT             = 5465
 	SYS_REMOVEXATTRAT           = 5466
 	SYS_OPEN_TREE_ATTR          = 5467
+	SYS_FILE_GETATTR            = 5468
+	SYS_FILE_SETATTR            = 5469
+	SYS_LISTNS                  = 5470
+	SYS_RSEQ_SLICE_YIELD        = 5471
 )
@@ -447,4 +447,8 @@ const (
 	SYS_LISTXATTRAT                  = 4465
 	SYS_REMOVEXATTRAT                = 4466
 	SYS_OPEN_TREE_ATTR               = 4467
+	SYS_FILE_GETATTR                 = 4468
+	SYS_FILE_SETATTR                 = 4469
+	SYS_LISTNS                       = 4470
+	SYS_RSEQ_SLICE_YIELD             = 4471
 )
@@ -454,4 +454,8 @@ const (
 	SYS_LISTXATTRAT                  = 465
 	SYS_REMOVEXATTRAT                = 466
 	SYS_OPEN_TREE_ATTR               = 467
+	SYS_FILE_GETATTR                 = 468
+	SYS_FILE_SETATTR                 = 469
+	SYS_LISTNS                       = 470
+	SYS_RSEQ_SLICE_YIELD             = 471
 )
@@ -426,4 +426,8 @@ const (
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
 	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+	SYS_LISTNS                  = 470
+	SYS_RSEQ_SLICE_YIELD        = 471
 )
@@ -426,4 +426,8 @@ const (
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
 	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+	SYS_LISTNS                  = 470
+	SYS_RSEQ_SLICE_YIELD        = 471
 )
@@ -331,4 +331,8 @@ const (
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
 	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+	SYS_LISTNS                  = 470
+	SYS_RSEQ_SLICE_YIELD        = 471
 )
@@ -392,4 +392,8 @@ const (
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
 	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+	SYS_LISTNS                  = 470
+	SYS_RSEQ_SLICE_YIELD        = 471
 )
@@ -374,6 +374,7 @@ const (
 	SYS_FSMOUNT                 = 432
 	SYS_FSPICK                  = 433
 	SYS_PIDFD_OPEN              = 434
+	SYS_CLONE3                  = 435
 	SYS_CLOSE_RANGE             = 436
 	SYS_OPENAT2                 = 437
 	SYS_PIDFD_GETFD             = 438
@@ -405,4 +406,8 @@ const (
 	SYS_LISTXATTRAT             = 465
 	SYS_REMOVEXATTRAT           = 466
 	SYS_OPEN_TREE_ATTR          = 467
+	SYS_FILE_GETATTR            = 468
+	SYS_FILE_SETATTR            = 469
+	SYS_LISTNS                  = 470
+	SYS_RSEQ_SLICE_YIELD        = 471
 )
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
renovate-bot	f3943d25d1	chore(deps): update otel/weaver docker tag to v0.24.2	2026-06-23 18:00:57 +00:00
renovate-bot	9859ff46f5	chore(deps): update otel/weaver docker tag to v0.24.1	2026-06-21 21:01:00 +00:00
renovate-bot	3109a0da82	chore(deps): update otel/weaver docker tag to v0.24.0	2026-06-20 00:01:07 +00:00
renovate-bot	b1146a707e	chore(deps): update nginx docker tag to v1.31.2	2026-06-17 23:01:19 +00:00
Weblate	6d13d14d75	chore: update translation files Updated by "Update PO files to match POT (msgmerge)" add-on in Weblate. Translation: Co-op Cloud/abra Translate-URL: https://translate.coopcloud.tech/projects/co-op-cloud/abra/	2026-06-16 17:41:06 +00:00
Linus Gasser	427ec22cab	Running i18n	2026-06-16 17:40:58 +00:00
Linus Gasser	1111b69f12	Use docker login credentials from host I had a lot of failures for pulling the docker images lately, so I was looking for a way to connect using docker login. This PR sends the docker login credentials from the host to the swarm server.	2026-06-16 17:40:58 +00:00
Linus Gasser	1541e6aa6a	Also use xgettext-go@latest for .drone.yml	2026-06-14 18:37:34 +02:00
Linus Gasser	14ee80582a	Use go run for xgettext-go Before: on a mac, the Makefile downloaded a linux file, which did not work for updating the i18n. Now: use 'go run' to run the xgettext-go file. go caches it, so it compiles only once.	2026-06-14 18:28:45 +02:00
renovate-bot	e5c65b8fa0	chore(deps): update alpine docker tag to v3.24	2026-06-09 21:00:57 +00:00
Weblate	e1b10f6020	chore: update translation files Updated by "Update PO files to match POT (msgmerge)" add-on in Weblate. Translation: Co-op Cloud/abra Translate-URL: https://translate.coopcloud.tech/projects/co-op-cloud/abra/	2026-06-09 14:36:32 +00:00
moritz	8e4ed7b689	chore: make i18n	2026-06-09 16:30:08 +02:00
moritz	a44fde2df2	fix(new): checkout given recipeVersion before generating env closes #862	2026-06-09 16:09:58 +02:00
renovate-bot	e623f55852	chore(deps): update golang docker tag	2026-06-08 17:01:04 +00:00
renovate-bot	11e6f28a60	chore(deps): update module golang.org/x/term to v0.44.0	2026-06-08 16:01:46 +00:00
renovate-bot	acec067d76	chore(deps): update golang docker tag	2026-06-08 14:01:12 +00:00
renovate-bot	f50a57af7a	chore(deps): update module golang.org/x/sys to v0.46.0	2026-06-08 13:01:32 +00:00
renovate-bot	776693acc0	chore(deps): update golang docker tag	2026-05-22 23:01:07 +00:00
renovate-bot	5dea5f7746	chore(deps): update module golang.org/x/sys to v0.45.0	2026-05-22 22:01:49 +00:00
renovate-bot	1d9a289888	chore(deps): update nginx docker tag to v1.31.1	2026-05-22 21:00:50 +00:00
devydave	c7bd55e371	feat: adds nix flake	2026-05-20 22:29:47 +00:00
renovate-bot	4276337b0f	chore(deps): update golang docker tag	2026-05-18 22:01:06 +00:00
renovate-bot	90ca856b64	chore(deps): update module github.com/go-git/go-git/v5 to v5.19.1	2026-05-18 21:01:33 +00:00