mesa-panvk-bifrost: iter10 polish — drop sandbox bypass, pin sha256, tighten loader select

iter10 of the panvk-bifrost campaign. Eliminates the cosmetic
'--disable-gpu-sandbox' warning at brave-vulkan launch + pins the
Mesa tarball hash + makes the Vulkan ICD selection deterministic
across filesystems.

PKGBUILD changes (pkgrel: 1 -> 2):
  - install ICD JSON at /usr/share/vulkan/icd.d/00-panvk-bifrost.json
    (was: /usr/lib/panvk-bifrost/icd.json — required VK_ICD_FILENAMES,
    which the GPU sandbox would strip, forcing --disable-gpu-sandbox)
  - libvulkan_panfrost.so install path unchanged at /usr/lib/panvk-bifrost/
  - sha256sums[0] pinned to 1d3c3b8a8363b8cc354175bb4a684ad8b035211cc1d6fa17aeb9b9623c513f89
    (mesa-26.0.6.tar.xz from archive.mesa3d.org); patches + brave-vulkan +
    icd.json remain SKIP since they're in-tree (git-tracked)

brave-vulkan changes:
  - dropped --no-sandbox + --disable-gpu-sandbox: env vars MESA_VK_VERSION_OVERRIDE
    and PAN_I_WANT_A_BROKEN_VULKAN_DRIVER survive the GPU sandbox boundary
    (Mesa loader reads them pre-seccomp-lockdown)
  - dropped VK_ICD_FILENAMES (loader auto-picks via icd.d/ directory scan)
  - added VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*' for deterministic
    ICD selection — Vulkan loader's readdir order is implementation-defined
    per Khronos LoaderDriverInterface, so the '00-' filename prefix is
    not spec-backed (ext4 happens to give insertion-order, other filesystems
    may not). VK_LOADER_DRIVERS_SELECT short-circuits readdir ambiguity.
    (Phase 5 review hardening.)

Test result on ohm (pre-push validation):
  - brave-vulkan launches Brave without sandbox bypass
  - seccomp-bpf sandboxes activate normally for utility/renderer processes
  - 'panvk is not a conformant Vulkan implementation' fires ONCE (loader-select
    excluded stock ICD from enumeration — only patched driver loads)
  - GPU process boots, no 'Exiting GPU process' error
  - Brave runs through full test timeout cleanly

README updated to reflect the new install layout + simplified wrapper.

Campaign artifacts: ~/src/panvk-bifrost/{phase0_findings_iter10.md,
phase8_iteration9_close.md (which iter10 polishes)}.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/scripts/check-already-published.sh

@@ -1,210 +0,0 @@
-#!/bin/bash
-# check-already-published.sh <recipe-dir>
-#
-# Decide whether a given recipe (arch/<name> or debian/<name>) is already
-# present in https://packages.reauktion.de/.  Emits exactly one line to
-# stdout:
-#
-#   skip=1   — package with this version-pkgrel-arch tuple already lives in
-#              the pool; CI should short-circuit.
-#   skip=0   — file is missing or HEAD failed; CI should build + publish.
-#
-# Design notes:
-#   * For Arch recipes we source the PKGBUILD in a clean subshell so
-#     shell expansions (epoch=, ${_pkgver/-/}, pkgname=() arrays) resolve
-#     naturally.  Only the first element of pkgname[] is checked — split
-#     packages share one source tarball / one build, so any-one-missing
-#     forces the full rebuild anyway.
-#   * For Debian recipes we extract the bare top-level PKGVER= /
-#     PKGREL= assignments (plus any other top-level VAR=value lines they
-#     reference) via grep and re-evaluate them in an isolated subshell —
-#     sourcing the entire build-deb.sh would run curl/tar/dpkg-deb
-#     against a tempdir we don't want to materialise here.
-#   * Epoch handling differs by ecosystem: Arch keeps `<epoch>:` in the
-#     pool filename, Debian/reprepro strips it.
-#   * curl --head with -f maps non-2xx to non-zero exit, which is what we
-#     want — 404 means "build it".  -L follows mirrors.  --max-time caps
-#     the worst-case latency per HEAD.
-set -euo pipefail
-
-REPO_BASE="${REPO_BASE:-https://packages.reauktion.de}"
-HEAD_TIMEOUT="${HEAD_TIMEOUT:-15}"
-
-RECIPE_DIR="${1:?usage: $0 <recipe-dir>   (e.g. arch/distcc-avahi or debian/lmcp)}"
-
-# Resolve relative to repo root if a leading path is passed; allow
-# both `arch/foo` and absolute paths.
-if [ ! -d "$RECIPE_DIR" ]; then
-  echo "error: recipe dir not found: $RECIPE_DIR" >&2
-  exit 2
-fi
-
-ecosystem="${RECIPE_DIR%%/*}"
-
-http_head() {
-  local url="$1"
-  curl -sS -L --max-time "$HEAD_TIMEOUT" -o /dev/null \
-       -w '%{http_code}' --head "$url" || echo "000"
-}
-
-emit() {
-  # one-line GITHUB_OUTPUT-compatible kv
-  echo "skip=$1"
-  exit 0
-}
-
-case "$ecosystem" in
-arch)
-  pkgbuild="$RECIPE_DIR/PKGBUILD"
-  [ -f "$pkgbuild" ] || { echo "error: $pkgbuild missing" >&2; exit 2; }
-
-  # Source in a fresh bash to capture variables. Some PKGBUILDs run
-  # functions or call commands at top level — keep this fast by
-  # restricting PATH and trapping side effects.
-  eval "$(
-    bash --noprofile --norc -c "
-      set +e
-      # Stub out anything that might shell out; we only need variable
-      # assignments to land.
-      cd '$RECIPE_DIR'
-      source ./PKGBUILD >/dev/null 2>&1 || true
-      # pkgname may be array; print first element.
-      if declare -p pkgname 2>/dev/null | grep -q 'declare -a'; then
-        first_name=\"\${pkgname[0]}\"
-      else
-        first_name=\"\$pkgname\"
-      fi
-      if declare -p arch 2>/dev/null | grep -q 'declare -a'; then
-        first_arch=\"\${arch[0]}\"
-      else
-        first_arch=\"\$arch\"
-      fi
-      printf 'PB_NAME=%q\n'   \"\$first_name\"
-      printf 'PB_VER=%q\n'    \"\$pkgver\"
-      printf 'PB_REL=%q\n'    \"\$pkgrel\"
-      printf 'PB_EPOCH=%q\n'  \"\${epoch:-}\"
-      printf 'PB_ARCH=%q\n'   \"\$first_arch\"
-    "
-  )"
-
-  if [ -z "${PB_NAME:-}" ] || [ -z "${PB_VER:-}" ] || [ -z "${PB_REL:-}" ]; then
-    echo "error: failed to parse PKGBUILD ($RECIPE_DIR)" >&2
-    emit 0
-  fi
-
-  # Pool arch:
-  #   arch=('any')                → any
-  #   arch=('aarch64' 'x86_64')   → aarch64 (we publish for both, but the
-  #                                 aarch64 artifact is the canonical CI build)
-  #   arch=('aarch64')            → aarch64
-  case "$PB_ARCH" in
-    any) pool_arch=any ;;
-    *)   pool_arch=aarch64 ;;
-  esac
-
-  # Version string with optional epoch (epoch:pkgver-pkgrel).
-  if [ -n "${PB_EPOCH:-}" ]; then
-    ver_full="${PB_EPOCH}:${PB_VER}-${PB_REL}"
-  else
-    ver_full="${PB_VER}-${PB_REL}"
-  fi
-
-  # Pool URL path (arch keeps any/aarch64 split; 'any' lands in the
-  # aarch64 dir per current marfrit layout — both arches share the
-  # blob via the publish-to-both-arches step in build.yml).
-  pool_dir="arch/aarch64"
-
-  base_url="${REPO_BASE}/${pool_dir}/${PB_NAME}-${ver_full}-${pool_arch}.pkg.tar"
-  for ext in zst xz gz; do
-    code=$(http_head "${base_url}.${ext}")
-    if [ "$code" = "200" ]; then
-      emit 1
-    fi
-  done
-  emit 0
-  ;;
-
-debian)
-  bd="$RECIPE_DIR/build-deb.sh"
-  ctrl="$RECIPE_DIR/control"
-  [ -f "$bd" ] || { echo "error: $bd missing" >&2; exit 2; }
-
-  # Pull top-level `VAR=value` lines until we've passed PKGREL, and
-  # only those whose RHS is safe to re-evaluate (no command
-  # substitution `$(...)`, no escaped `\$`, no embedded commands like
-  # `DESTDIR=... meson ...`).  This deliberately undershoots: we just
-  # need PKGVER/PKGREL plus any version vars they reference. Anything
-  # else (HERE=$(readlink ...), KERNELVER=\$(uname -r) inside a
-  # HEREDOC, etc.) gets dropped.
-  assigns=$(awk '
-    /^[A-Z_][A-Z0-9_]*=/ {
-      # split into LHS and RHS
-      eq = index($0, "=")
-      lhs = substr($0, 1, eq - 1)
-      rhs = substr($0, eq + 1)
-      # strip inline `# comment`
-      hash = index(rhs, "#")
-      if (hash > 1 && substr(rhs, hash-1, 1) == " ") rhs = substr(rhs, 1, hash - 2)
-      # reject lines with command-subst or escaped-dollar or naked commands
-      if (rhs ~ /\$\(/)   next
-      if (rhs ~ /\\\$/)   next
-      if (rhs ~ / [a-z]/) next   # e.g. `DESTDIR="$ROOT" meson ...`
-      print lhs "=" rhs
-      if (lhs == "PKGREL") exit
-    }
-  ' "$bd")
-
-  eval "$(
-    bash --noprofile --norc -c "
-      set +e
-      $assigns
-      printf 'PKGVER=%q\n' \"\${PKGVER:-}\"
-      printf 'PKGREL=%q\n' \"\${PKGREL:-}\"
-    "
-  )"
-
-  if [ -z "${PKGVER:-}" ] || [ -z "${PKGREL:-}" ]; then
-    echo "error: failed to parse PKGVER/PKGREL from $bd" >&2
-    emit 0
-  fi
-
-  # Strip epoch (`N:` prefix) — debian pool filenames omit it.
-  ver_no_epoch="${PKGVER#*:}"
-  # If PKGVER had no colon, ${PKGVER#*:} returns PKGVER unchanged (bash quirk:
-  # the pattern must match for the prefix to be stripped). Guard explicitly.
-  case "$PKGVER" in
-    *:*) : ;;
-    *)   ver_no_epoch="$PKGVER" ;;
-  esac
-
-  ver_full="${ver_no_epoch}-${PKGREL}"
-
-  # Architecture: parse control's `Architecture:` field.
-  if [ ! -f "$ctrl" ]; then
-    # Some recipes ship debian/control instead of ./control
-    ctrl="$RECIPE_DIR/debian/control"
-  fi
-  ctrl_arch=$(grep -m1 '^Architecture:' "$ctrl" 2>/dev/null | awk '{print $2}')
-  case "$ctrl_arch" in
-    all)            file_arch=all ;;
-    arm64|any)      file_arch=arm64 ;;
-    amd64)          file_arch=amd64 ;;
-    *)              file_arch=arm64 ;;  # conservative default
-  esac
-
-  pkg_name=$(basename "$RECIPE_DIR")
-  first_letter="${pkg_name:0:1}"
-
-  url="${REPO_BASE}/debian/pool/main/${first_letter}/${pkg_name}/${pkg_name}_${ver_full}_${file_arch}.deb"
-  code=$(http_head "$url")
-  if [ "$code" = "200" ]; then
-    emit 1
-  fi
-  emit 0
-  ;;
-
-*)
-  echo "error: unsupported ecosystem '$ecosystem' (recipe-dir=$RECIPE_DIR)" >&2
-  emit 0
-  ;;
-esac

.gitea/workflows/build.yml

@@ -16,23 +16,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh arch/distcc-avahi)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: bootstrap runner (idempotent)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo avahi popt python python-setuptools
 
       - name: import signing key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
           PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
@@ -47,7 +37,6 @@ jobs:
           echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
 
       - name: install deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
         run: |
@@ -57,7 +46,6 @@ jobs:
           ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
 
       - name: makepkg distcc-avahi
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           rm -rf /tmp/build-distcc-avahi
@@ -68,7 +56,6 @@ jobs:
           ls -la *.pkg.tar.* | grep -v "\.sig$"
 
       - name: sign distcc-avahi
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd /tmp/build-distcc-avahi
@@ -79,7 +66,6 @@ jobs:
           done
 
       - name: update aarch64 repo db
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           mkdir -p /tmp/arch-stage
@@ -119,7 +105,6 @@ jobs:
           rm -f marfrit.files.sig
 
       - name: publish to aarch64
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -144,23 +129,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh debian/lmcp)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: install dpkg
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed dpkg openssh rsync curl
 
       - name: install hertz deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_HERTZ_KEY }}
         run: |
@@ -170,7 +145,6 @@ jobs:
           ssh-keyscan -t ed25519 hertz.fritz.box >> /root/.ssh/known_hosts 2>/dev/null
 
       - name: build lmcp .deb
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd debian/lmcp
@@ -178,7 +152,6 @@ jobs:
           ls -la *.deb
 
       - name: upload + publish to suites
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -209,23 +182,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh arch/lmcp)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: bootstrap runner (idempotent)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo lua lua-socket
 
       - name: import signing key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
           PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
@@ -240,7 +203,6 @@ jobs:
           echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
 
       - name: install deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
         run: |
@@ -250,7 +212,6 @@ jobs:
           ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
 
       - name: makepkg lmcp
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           rm -rf /tmp/build-lmcp
@@ -261,7 +222,6 @@ jobs:
           ls -la *.pkg.tar.* | grep -v "\.sig$"
 
       - name: sign lmcp
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd /tmp/build-lmcp
@@ -272,7 +232,6 @@ jobs:
           done
 
       - name: publish lmcp to both arches
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -324,23 +283,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh arch/claude-his-agent)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: bootstrap runner (idempotent)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo
 
       - name: import signing key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
           PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
@@ -355,7 +304,6 @@ jobs:
           echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
 
       - name: install deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
         run: |
@@ -365,7 +313,6 @@ jobs:
           ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
 
       - name: makepkg claude-his-agent
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           rm -rf /tmp/build-his
@@ -376,7 +323,6 @@ jobs:
           ls -la *.pkg.tar.* | grep -v "\.sig$"
 
       - name: sign claude-his-agent
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd /tmp/build-his
@@ -387,7 +333,6 @@ jobs:
           done
 
       - name: publish claude-his-agent to both arches
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -442,23 +387,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh arch/ffmpeg-v4l2-request-fourier)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: bootstrap runner (idempotent)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo nasm
 
       - name: import signing key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
           PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
@@ -473,7 +408,6 @@ jobs:
           echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
 
       - name: install deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
         run: |
@@ -483,7 +417,6 @@ jobs:
           ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
 
       - name: makepkg ffmpeg-v4l2-request-fourier
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           rm -rf /tmp/build-ffmpeg-v4l2
@@ -497,7 +430,6 @@ jobs:
           ls -la *.pkg.tar.* | grep -v "\.sig$"
 
       - name: sign ffmpeg-v4l2-request-fourier
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd /tmp/build-ffmpeg-v4l2
@@ -508,7 +440,6 @@ jobs:
           done
 
       - name: update aarch64 repo db
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           mkdir -p /tmp/arch-stage-ffmpeg
@@ -544,7 +475,6 @@ jobs:
           rm -f marfrit.files.sig
 
       - name: publish to aarch64
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -570,23 +500,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh arch/libva-v4l2-request-fourier)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: bootstrap runner (idempotent)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo
 
       - name: import signing key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
           PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
@@ -601,7 +521,6 @@ jobs:
           echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
 
       - name: install deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
         run: |
@@ -611,7 +530,6 @@ jobs:
           ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
 
       - name: makepkg libva-v4l2-request-fourier
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           rm -rf /tmp/build-libva-v4l2
@@ -623,7 +541,6 @@ jobs:
           ls -la *.pkg.tar.* | grep -v "\.sig$"
 
       - name: sign libva-v4l2-request-fourier
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd /tmp/build-libva-v4l2
@@ -634,7 +551,6 @@ jobs:
           done
 
       - name: update aarch64 repo db
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           mkdir -p /tmp/arch-stage-libva
@@ -670,7 +586,6 @@ jobs:
           rm -f marfrit.files.sig
 
       - name: publish to aarch64
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -696,23 +611,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh arch/mpv-fourier)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: bootstrap runner (idempotent)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo
 
       - name: import signing key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
           PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
@@ -727,7 +632,6 @@ jobs:
           echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
 
       - name: install deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
         run: |
@@ -737,7 +641,6 @@ jobs:
           ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
 
       - name: configure [marfrit] repo + pre-install ffmpeg-v4l2-request-fourier
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           # mpv-fourier links libavcodec at build time. If the build host pulls
@@ -765,7 +668,6 @@ jobs:
           printf 'y\ny\ny\n' | pacman -S marfrit/ffmpeg-v4l2-request-fourier
 
       - name: makepkg mpv-fourier
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           rm -rf /tmp/build-mpv
@@ -777,7 +679,6 @@ jobs:
           ls -la *.pkg.tar.* | grep -v "\.sig$"
 
       - name: sign mpv-fourier
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd /tmp/build-mpv
@@ -788,7 +689,6 @@ jobs:
           done
 
       - name: update aarch64 repo db
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           mkdir -p /tmp/arch-stage-mpv
@@ -824,7 +724,6 @@ jobs:
           rm -f marfrit.files.sig
 
       - name: publish to aarch64
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -847,23 +746,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh debian/claude-his-agent)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: install dpkg
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed dpkg openssh rsync curl
 
       - name: install hertz deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_HERTZ_KEY }}
         run: |
@@ -873,7 +762,6 @@ jobs:
           ssh-keyscan -t ed25519 hertz.fritz.box >> /root/.ssh/known_hosts 2>/dev/null
 
       - name: build claude-his-agent .deb
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd debian/claude-his-agent
@@ -881,7 +769,6 @@ jobs:
           ls -la *.deb
 
       - name: upload + publish to suites
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -911,16 +798,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh debian/ffmpeg-v4l2-request-fourier)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: install build-deps (Arch pkg names; build-deb.sh links natively)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -931,7 +809,6 @@ jobs:
             libvorbis libvpx libwebp x264 x265 libxml2 opus v4l-utils xz zlib
 
       - name: install hertz deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_HERTZ_KEY }}
         run: |
@@ -941,7 +818,6 @@ jobs:
           ssh-keyscan -t ed25519 hertz.fritz.box >> /root/.ssh/known_hosts 2>/dev/null
 
       - name: build ffmpeg-v4l2-request-fourier .deb
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd debian/ffmpeg-v4l2-request-fourier
@@ -949,7 +825,6 @@ jobs:
           ls -la *.deb
 
       - name: upload + publish to suites
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -976,16 +851,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh debian/libva-v4l2-request-fourier)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: install build-deps
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -994,7 +860,6 @@ jobs:
             libva libdrm systemd-libs
 
       - name: install hertz deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_HERTZ_KEY }}
         run: |
@@ -1004,7 +869,6 @@ jobs:
           ssh-keyscan -t ed25519 hertz.fritz.box >> /root/.ssh/known_hosts 2>/dev/null
 
       - name: build libva-v4l2-request-fourier .deb
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd debian/libva-v4l2-request-fourier
@@ -1012,7 +876,6 @@ jobs:
           ls -la *.deb
 
       - name: upload + publish to suites
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -1042,16 +905,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh debian/mpv-fourier)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: install build-deps
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -1067,7 +921,6 @@ jobs:
             vulkan-icd-loader wayland zlib
 
       - name: configure [marfrit] repo + pre-install ffmpeg-v4l2-request-fourier
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           curl -sLo /tmp/marfrit.gpg https://packages.reauktion.de/marfrit.gpg
@@ -1082,7 +935,6 @@ jobs:
           printf 'y\ny\ny\n' | pacman -S marfrit/ffmpeg-v4l2-request-fourier
 
       - name: install hertz deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_HERTZ_KEY }}
         run: |
@@ -1092,7 +944,6 @@ jobs:
           ssh-keyscan -t ed25519 hertz.fritz.box >> /root/.ssh/known_hosts 2>/dev/null
 
       - name: build mpv-fourier .deb
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd debian/mpv-fourier
@@ -1100,7 +951,6 @@ jobs:
           ls -la *.deb
 
       - name: upload + publish to suites
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -1128,16 +978,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh debian/daedalus-v4l2)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: install build-deps (sans ffmpeg — see [marfrit] step)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -1153,7 +994,6 @@ jobs:
             libdrm
 
       - name: ensure ffmpeg-v4l2-request-fourier installed (link-time ABI source)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           # Idempotent: pre-install the marfrit fourier ffmpeg so cmake
@@ -1171,7 +1011,6 @@ jobs:
           printf 'y\ny\ny\n' | pacman -S --needed marfrit/ffmpeg-v4l2-request-fourier
 
       - name: install hertz deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_HERTZ_KEY }}
         run: |
@@ -1181,7 +1020,6 @@ jobs:
           ssh-keyscan -t ed25519 hertz.fritz.box >> /root/.ssh/known_hosts 2>/dev/null
 
       - name: build daedalus-v4l2 .deb
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd debian/daedalus-v4l2
@@ -1189,7 +1027,6 @@ jobs:
           ls -la *.deb
 
       - name: upload + publish to suites
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -1217,23 +1054,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh debian/daedalus-v4l2-dkms)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: install tooling
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed dpkg openssh rsync curl tar gzip
 
       - name: install hertz deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_HERTZ_KEY }}
         run: |
@@ -1243,7 +1070,6 @@ jobs:
           ssh-keyscan -t ed25519 hertz.fritz.box >> /root/.ssh/known_hosts 2>/dev/null
 
       - name: build daedalus-v4l2-dkms .deb
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd debian/daedalus-v4l2-dkms
@@ -1251,7 +1077,6 @@ jobs:
           ls -la *.deb
 
       - name: upload + publish to suites
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
@@ -1285,23 +1110,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: skip if already published
-        id: skip-check
-        run: |
-          set -e
-          result=$(./.gitea/scripts/check-already-published.sh arch/mesa-panvk-bifrost)
-          echo "$result" >> "$GITHUB_OUTPUT"
-          echo "decision: $result"
-
       - name: bootstrap runner (idempotent)
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }
           retry pacman -Syu --noconfirm --needed base-devel git rsync gnupg openssh sudo
 
       - name: import signing key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           PRIV: ${{ secrets.MARFRIT_REPO_PRIVATE_KEY }}
           PASS: ${{ secrets.MARFRIT_REPO_PASSPHRASE }}
@@ -1316,7 +1131,6 @@ jobs:
           echo "92D5E96D8F63C75E4116AA1FF5C8C4603D0D250C:6:" | gpg --import-ownertrust
 
       - name: install deploy ssh key
-        if: steps.skip-check.outputs.skip != '1'
         env:
           KEY: ${{ secrets.MARFRIT_REPO_DEPLOY_KEY }}
         run: |
@@ -1326,7 +1140,6 @@ jobs:
           ssh-keyscan -t ed25519 nc.reauktion.de > /root/.ssh/known_hosts 2>/dev/null
 
       - name: makepkg mesa-panvk-bifrost
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           rm -rf /tmp/build-mesa-panvk-bifrost
@@ -1341,7 +1154,6 @@ jobs:
           ls -la *.pkg.tar.* | grep -v "\.sig$"
 
       - name: sign mesa-panvk-bifrost
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           cd /tmp/build-mesa-panvk-bifrost
@@ -1352,7 +1164,6 @@ jobs:
           done
 
       - name: update aarch64 repo db
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           mkdir -p /tmp/arch-stage-mesa-panvk
@@ -1388,7 +1199,6 @@ jobs:
           rm -f marfrit.files.sig
 
       - name: publish to aarch64
-        if: steps.skip-check.outputs.skip != '1'
         run: |
           set -e
           retry() { for i in 1 2 3; do "$@" && return 0; rc=$?; echo "retry $i (exit=$rc)" >&2; sleep $((i*5)); done; return 1; }

arch/linux-pinetab2-danctnix-besser/PKGBUILD

@@ -29,7 +29,7 @@
 
 pkgbase=linux-pinetab2-danctnix-besser
 pkgver=7.0.danctnix1
-pkgrel=5
+pkgrel=6
 pkgdesc='PineTab2 (BESser bes2600 driver patchset, kernel-agent managed)'
 _srcname=linux-pinetab2
 _srctag=v${pkgver%.*}-${pkgver##*.}
@@ -68,7 +68,7 @@ b2sums=('3d9795083c8938f80f480de0d10bfd9c525640e59d5c7f22983de3f12ee42c84c31be90
         'SKIP'
         '71fe98221e802b315e54b4b10d3e8c8f376695a36bae3541d876e5776a37f3fa33c8f8dfa6e51fcbd6f5396add02e5166634165f2351836a0ea0453c172fe56c'
         'SKIP'
-        '50397711a6a3ba522283685a9e7397aeed6663f353f7cba214d4bb88bc98516065b2fca9a36ce13c52644617879f69f39c5305e86db5d9fb25c4dae5434eb9c4'
+        'eb179c03f35a4dbaec2e40036f0033ef04985bb6b14ab22419d68e5caaa5874f2ad14e158f7c5b05added97f60fecde8fb8b7f2a6ced33e031e37352fe776ca6'
         '656a998ab40cb85ee4c00f087b071a91632a6c091da2c84b0f74236b51d2dea6e9db6886625f80ad81dc249d8494ec47cd79d6dd9ea4f5e44f3cde857f861e10')
 
 export KBUILD_BUILD_HOST=archlinux

arch/linux-pinetab2-danctnix-besser/manifest.lock

@@ -4,34 +4,174 @@ baseline:
   upstream_compat: linux-7.0
   url: https://codeberg.org/DanctNIX/linux-pinetab2
 cumulative:
-  b2sum: 50397711a6a3ba522283685a9e7397aeed6663f353f7cba214d4bb88bc98516065b2fca9a36ce13c52644617879f69f39c5305e86db5d9fb25c4dae5434eb9c4
+  b2sum: eb179c03f35a4dbaec2e40036f0033ef04985bb6b14ab22419d68e5caaa5874f2ad14e158f7c5b05added97f60fecde8fb8b7f2a6ced33e031e37352fe776ca6
   path: cumulative.patch
-  size: 162716
-generated_at: '2026-05-18T17:16:06.455474+00:00'
+  size: 279554
+generated_at: '2026-05-19T13:05:46.476359+00:00'
 host: ohm
 ka_promote_version: 1
 manifest:
   path: fleet/ohm.yaml
-  sha256: da59ac2c965e5ad9c5004a115b10a37abf47ed3ecc8b7f5ab426470d2ee7b442
+  sha256: 9ac04ddd3170418b7b2d2cf7b31ac225a31ed19be4f03e8477bf28b585bae257
 resolved_patches:
 - apply_order: 1
   from_series: true
-  include: driver/bes2600/cumulative-c5x-danctnix/0001-bes2600-besser-cumulative-series.patch
-  sha256: e477a170567487fef84fe13be5b0a1f0498247ff1f201000d0085a2e49ff9026
-  size: 148149
+  include: driver/bes2600/factory-series/0001-bes2600-use-request_firmware-for-factory.txt-read.patch
+  sha256: a1bc2d13b258709fa37c9ff428dfdc0659464b436470fa2ec69b07edf7592f6f
+  size: 5456
 - apply_order: 2
   from_series: true
-  include: driver/bes2600/scan-filter-5ghz-danctnix/0001-bes2600-filter-5ghz-scan-and-allow-single-channel.patch
-  sha256: 31e67569e00daead0784214aced1e077d3270cf1407baa0b330d474e17ec3931
-  size: 7735
+  include: driver/bes2600/factory-series/0002-bes2600-default-STANDARD_FACTORY_EFUSE_FLAG-off-for-PineTab2.patch
+  sha256: 577d7024ce0b342c4381365872fc29e75a93427ad61223907fead8b829b5a86c
+  size: 3499
 - apply_order: 3
   from_series: true
-  include: arch/arm64/xor-neon-ffixed-x18-scs-build-fix-danctnix/0001-arm64-xor-neon-ffixed-x18-build-fix.patch
-  sha256: a49c50f0ebffc499970c24908b832c3e61c96ed87de35b3a82178eff587f94f1
-  size: 1574
+  include: driver/bes2600/factory-thread-dev/0001-bes2600-thread-struct-device-through-factory-request_firmware.patch
+  sha256: e3fac725e6addc11147341836600c2c5cd0116abba960f34ba50bb8094581c75
+  size: 4406
 - apply_order: 4
+  from_series: true
+  include: driver/bes2600/pm-gate-on-handshake/0001-bes2600-gate-device-LP-mode-entry-on-successful-handshake.patch
+  sha256: 9842c0dd66f59fe28898041ba5a816be56965b0665f202410cd461c3e6565474
+  size: 3914
+- apply_order: 5
+  from_series: true
+  include: driver/bes2600/remove-chardev-user-interface/0001-bes2600-remove-userspace-dev-bes2600-character-device-interface.patch
+  sha256: c67d340ae5923aada613ea9c5133e3efa3aeb7986749f4bf3619d1752a1b61fb
+  size: 22445
+- apply_order: 6
+  from_series: true
+  include: driver/bes2600/enable-testmode/0001-bes2600-enable-CONFIG_BES2600_TESTMODE-by-default-fix-bitrot.patch
+  sha256: 5dee74e8753d332fd380882994ea43aa907d1ff97466b0c48aedf38d4076e446
+  size: 6152
+- apply_order: 7
+  from_series: true
+  include: driver/bes2600/tx-sdio-dma-oob-danctnix/0001-bes2600-bounce-SDIO-TX-buffers-to-avoid-DMA-OOB-read.patch
+  sha256: 0dce2fe35450b8376c2d2a7c007119f28c888c1c30b489a67841039caedeebfc
+  size: 4544
+- apply_order: 8
+  from_series: true
+  include: driver/bes2600/factory-drop-kernel-write-danctnix/0001-bes2600-drop-kernel_write-persistence-from-factory-cali-save.patch
+  sha256: a7995b38e210af16b73d284a58ab39b8aecac36ff4a671af3d894b1983f961b3
+  size: 5704
+- apply_order: 9
+  from_series: true
+  include: driver/bes2600/drop-dpd-file-paths-danctnix/0001-bes2600-drop-BES2600_WRITE_DPD_TO_FILE-kernel-file-paths.patch
+  sha256: 0cd8780c245c97c65e4845e42d712c6256a0449658641aea18e4c7d400f63e41
+  size: 9661
+- apply_order: 10
+  from_series: true
+  include: driver/bes2600/drop-orphan-file-io-danctnix/0001-bes2600-drop-orphan-DATA_DUMP_OBSERVE-and-access_file-IO.patch
+  sha256: fd8c297223e6a985c2898f919ae1ab27eb56ab44f09f44d84d75eb35a187527b
+  size: 5327
+- apply_order: 11
+  from_series: true
+  include: driver/bes2600/pm-timeout-silence-danctnix/0001-bes2600-demote-wait-pm-ind-timeout-from-bes_err-to-bes_devel.patch
+  sha256: 3a4fd3255facbcef0419e0e0332cb980316529aa5c225b35bcfd244a42736667
+  size: 2332
+- apply_order: 12
+  from_series: true
+  include: driver/bes2600/scan-defer-on-reject-danctnix/0001-bes2600-defer-scan-and-soften-WARN-on-firmware-reject.patch
+  sha256: 55e16c176bc147c371a20f57b3a57da38c719d3b42417e88f9de243e10102d35
+  size: 8393
+- apply_order: 13
+  from_series: true
+  include: driver/bes2600/scan-defer-backoff-tune-danctnix/0001-bes2600-widen-scan-defer-backoff-30s-and-decay-on-quiet.patch
+  sha256: 70a5b25baaf41c8090701b069c30cbad378883d828bdd06e4eb560a35bc077f1
+  size: 4924
+- apply_order: 14
+  from_series: true
+  include: driver/bes2600/lmac-recover-via-mmc-hw-reset-danctnix/0001-bes2600-recover-wedged-firmware-via-mmc_hw_reset-on-link-break.patch
+  sha256: 3decf33c9684b3aba64004d5ad97ae3d54e1d6dc176d0b0ae539036c65e6dc6c
+  size: 10604
+- apply_order: 15
+  from_series: true
+  include: driver/bes2600/lmac-recover-via-mmc-hw-reset-danctnix/0002-bes2600-handle-multi-function-SDIO-cards-in-mmc_hw_reset-bus_reset.patch
+  sha256: a1acfcc401afc699a9c3676b6df2ec0f092e78826a32616268f90b509d538e33
+  size: 3321
+- apply_order: 16
+  from_series: true
+  include: driver/bes2600/pm-state-resync-danctnix/0001-bes2600-gate-PM-indication-completion-on-pending-request-and-track-state.patch
+  sha256: 049cf3ff9c01fdd10ff73bd18497e14ef0cd8fd1a65486ba86fbc6c1935a5f8e
+  size: 10269
+- apply_order: 17
+  from_series: true
+  include: driver/bes2600/pm-wake-consume-state-danctnix/0001-bes2600-short-circuit-wake-handshake-when-chip-confirmed-ACTIVE.patch
+  sha256: c9d19a73816f4c82b418dcd18008176bbb0c49fd4138be53cad45ae142224112
+  size: 8100
+- apply_order: 18
+  from_series: true
+  include: driver/bes2600/pm-detect-firmware-unsupported-danctnix/0001-bes2600-self-detect-firmware-does-not-honor-PSM-skip-cycle.patch
+  sha256: 196dc9d51ffea268718a290d434b6237fb60119f10c2b050a58724c8a775c7a8
+  size: 9041
+- apply_order: 19
+  from_series: true
+  include: driver/bes2600/decrypt-storm-fast-recover-danctnix/0001-bes2600-pre-empt-AP-deauth-6-mac80211-reassoc-on-decrypt-fail-storm.patch
+  sha256: b57ed316005f402c95ccae8ab24ac761bdf34162d73f108f5790af8f8ad2d1fe
+  size: 9249
+- apply_order: 20
+  from_series: true
+  include: driver/bes2600/connection-loss-fast-recover-danctnix/0001-bes2600-bus_reset-on-connection-loss-storm-to-dodge-assoc-comeback-blackhole.patch
+  sha256: cd1eaff97c3f08c58e7b1588e19a12200e8bb2a1f39afe554284f1d818610a67
+  size: 12184
+- apply_order: 21
+  from_series: true
+  include: driver/bes2600/cw1200-fix-backports-danctnix/0001-bes2600-replace-atomic_add-with-atomic_inc-cw1200-backport.patch
+  sha256: 3876c9e512f556c7f2e8d4cfaba1d7df2945ee48af8edfab5f8d09d9de9adf23
+  size: 3080
+- apply_order: 22
+  from_series: true
+  include: driver/bes2600/cw1200-fix-backports-danctnix/0002-bes2600-fix-missing-destroy_workqueue-on-error-in-init_common.patch
+  sha256: 2b82ecb127748349780404479205b952337c244e715278e6d40471c6ecad7602
+  size: 2230
+- apply_order: 23
+  from_series: true
+  include: driver/bes2600/cw1200-fix-backports-danctnix/0003-bes2600-fix-concurrency-UAF-in-bes2600_hw_scan-and-sched_scan.patch
+  sha256: 4c1850ad003ddcac543d3d61edd15c18ccd0cc601367cf4c6dd31e1fbb39ab16
+  size: 4476
+- apply_order: 24
+  from_series: true
+  include: driver/bes2600/sdio-rx-no-relay-danctnix/0001-bes2600-drop-sdio_rx_work-relay-IRQ-bh-direct-no-relay-architecture.patch
+  sha256: f1182150c5893f2497f942900b34c9c4aeb8d5901d9786ae2753dcce38ed6c78
+  size: 19313
+- apply_order: 25
+  from_series: true
+  include: driver/bes2600/license-spdx-restore-attribution-danctnix/0001-bes2600-Patch-G-restore-SPDX-identifiers-ST-Ericsson-attribution.patch
+  sha256: 91dadab0b58f8b8ad2dca80fd04796d478ecb83ce94a1e4b6e97ef8634d97ef1
+  size: 41521
+- apply_order: 26
+  from_series: true
+  include: driver/bes2600/ba-lock-atomic-danctnix/0001-bes2600-Patch-D-atomicize-ba_lock-counters-drop-the-spinlock.patch
+  sha256: a5d4ed2bf545458a756e65670c7eed31997bd0be9262344a10313bee31ea4963
+  size: 11987
+- apply_order: 27
+  from_series: true
+  include: driver/bes2600/ps-state-lock-skip-pm-disabled-danctnix/0001-bes2600-Patch-E-skip-ps_state_lock-when-PSM-known-disabled.patch
+  sha256: 18040a563b37cc95c558703f01bfbf6b7fa23a52f2f4f0f8f1254ad4fa0fe0d6
+  size: 3396
+- apply_order: 28
+  from_series: true
+  include: driver/bes2600/rx-list-batch-delivery-danctnix/0001-bes2600-Patch-C2-replace-ieee80211_rx_irqsafe-with-ieee80211_rx_ni.patch
+  sha256: ffeffd085a9d052c126a717b845d50120ea302e76c12e53c0c3c891291cababf
+  size: 8377
+- apply_order: 29
+  from_series: true
+  include: driver/bes2600/bh-c-fossil-cleanup-danctnix/0001-bes2600-Patch-H-bh.c-hygiene-cleanup-drop-fossil-blocks-dead-stubs.patch
+  sha256: 8fb0c799e3a8ee5ad7bfb647fceaf370c6a1a5f24d8621776fd07bf18a976f81
+  size: 21082
+- apply_order: 30
+  from_series: true
+  include: driver/bes2600/scan-filter-5ghz-danctnix/0001-bes2600-filter-5-GHz-scans-at-the-driver-boundary.patch
+  sha256: 31e67569e00daead0784214aced1e077d3270cf1407baa0b330d474e17ec3931
+  size: 7735
+- apply_order: 31
+  from_series: true
+  include: arch/arm64/scs-arm-neon-build-fix/0001-arm64-xor-neon-ffixed-x18-build-fix.patch
+  sha256: 105e32edc54743d8107c4dcd846833ae97d2df5f918aebc9fe3e67d6f23249cc
+  size: 1562
+- apply_order: 32
   from_series: true
   include: driver/bes2600/queue-pending-record-lock-bh-danctnix/0001-bes2600-take-pending-record-lock-with-bh.patch
-  sha256: 089862e5f6da5783ed0db979144e4fa07cff7f743809a0bebd715c75a3bb8eb5
-  size: 5258
+  sha256: e0894371c43f750590e1704ae3c77b27b6910548afa4a5b61ebc4d9919580ca2
+  size: 5270
 schema_version: 1

arch/mesa-panvk-bifrost/PKGBUILD

@@ -31,7 +31,7 @@
 pkgname=mesa-panvk-bifrost
 _mesaver=26.0.6
 pkgver=26.0.6.r2
-pkgrel=1
+pkgrel=2
 pkgdesc="Patched Mesa libvulkan_panfrost.so exposing Bifrost-gen Mali to Vulkan apps (panvk-bifrost campaign)"
 arch=('aarch64')
 url="https://github.com/marfrit/panvk-bifrost"
@@ -83,7 +83,7 @@ source=(
     "icd.json"
 )
 sha256sums=(
-    'SKIP'  # TODO: pin once we know the upstream tarball is stable. archive.mesa3d.org tarballs are stable, so we can hash-pin in iter10.
+    '1d3c3b8a8363b8cc354175bb4a684ad8b035211cc1d6fa17aeb9b9623c513f89'  # mesa-26.0.6.tar.xz from archive.mesa3d.org, pinned 2026-05-20 (iter10)
     'SKIP'
     'SKIP'
     'SKIP'
@@ -142,15 +142,24 @@ package() {
     cd "${srcdir}/mesa-${_mesaver}"
 
     # Patched lib — co-install path, NOT /usr/lib (to avoid clashing
-    # with stock mesa's libvulkan_panfrost.so).
+    # with stock mesa's libvulkan_panfrost.so binary).
     install -Dm755 build/src/panfrost/vulkan/libvulkan_panfrost.so \
         "$pkgdir/usr/lib/panvk-bifrost/libvulkan_panfrost.so"
 
-    # Custom ICD JSON. NOT under /usr/share/vulkan/icd.d/ (the default
-    # loader search path) — the user has to opt in via VK_ICD_FILENAMES.
+    # ICD JSON at the standard Vulkan loader search path. The '00-'
+    # filename prefix gives optical priority but is NOT spec-backed —
+    # Vulkan loader readdir-order is implementation-defined per Khronos
+    # LoaderDriverInterface. The brave-vulkan wrapper sets
+    # VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*' to make the selection
+    # deterministic across filesystems. This avoids the VK_ICD_FILENAMES
+    # full-path override (whose GPU-sandbox survival is fragile) while
+    # still letting the loader work normally. iter10 result + Phase 5
+    # hardening.
     install -Dm644 "$srcdir/icd.json" \
-        "$pkgdir/usr/lib/panvk-bifrost/icd.json"
+        "$pkgdir/usr/share/vulkan/icd.d/00-panvk-bifrost.json"
 
-    # The brave-vulkan launcher wires up env + flags.
+    # The brave-vulkan launcher wires up env + flags. iter10: no longer
+    # sets VK_ICD_FILENAMES, no longer passes --no-sandbox /
+    # --disable-gpu-sandbox.
     install -Dm755 "$srcdir/brave-vulkan" "$pkgdir/usr/bin/brave-vulkan"
 }

arch/mesa-panvk-bifrost/README.md

@@ -48,20 +48,23 @@ brave-vulkan --your-flags-here                  # extra args passed through
 
 The launcher sets:
 
-- `VK_ICD_FILENAMES=/usr/lib/panvk-bifrost/icd.json` (the patched driver)
 - `PAN_I_WANT_A_BROKEN_VULKAN_DRIVER=1` (Mesa upstream gate)
 - `MESA_VK_VERSION_OVERRIDE=1.2` (apiVersion bump for ANGLE)
-- Brave flags: `--use-gl=disabled --enable-features=Vulkan --use-vulkan=native --ozone-platform=x11 --no-sandbox --disable-gpu-sandbox --ignore-gpu-blocklist`
+- Brave flags: `--use-gl=disabled --enable-features=Vulkan --use-vulkan=native --ozone-platform=x11 --ignore-gpu-blocklist`
+
+iter10 dropped `VK_ICD_FILENAMES` (ICD now at `/usr/share/vulkan/icd.d/00-panvk-bifrost.json` so the Vulkan loader auto-picks it, pinned deterministically via `VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*'`) and `--no-sandbox` / `--disable-gpu-sandbox` (env vars survive the GPU sandbox boundary without bypass).
 
 ## What's in the package
 
 - `/usr/lib/panvk-bifrost/libvulkan_panfrost.so` — patched Mesa Vulkan driver (Mesa 26.0.6 + 2 sed-applied patches)
-- `/usr/lib/panvk-bifrost/icd.json` — Vulkan ICD JSON pointing at the patched .so (NOT auto-loaded; only via `VK_ICD_FILENAMES`)
+- `/usr/share/vulkan/icd.d/00-panvk-bifrost.json` — Vulkan ICD JSON pointing at the patched .so (Vulkan loader picks it deterministically via `VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*'` set by the launcher)
 - `/usr/bin/brave-vulkan` — launcher script
 
-System Mesa is untouched. The stock `/usr/lib/libvulkan_panfrost.so` and
-`/usr/share/vulkan/icd.d/panfrost_icd.json` continue to work for any
-other Vulkan app.
+System Mesa's binary `/usr/lib/libvulkan_panfrost.so` is untouched. The
+stock `panfrost_icd.json` is also untouched and continues to enumerate
+the same Mali-G52 device — apps see both drivers in
+`vkEnumeratePhysicalDevices` and pick by index (ANGLE picks first, which
+becomes ours by alphabetical priority).
 
 ## Co-existence
 

arch/mesa-panvk-bifrost/brave-vulkan

@@ -7,26 +7,35 @@
 #
 # Provided by the mesa-panvk-bifrost package. See:
 #   /usr/share/doc/mesa-panvk-bifrost/README
-#   ~/src/panvk-bifrost/phase8_iteration9_close.md (campaign close)
+#   ~/src/panvk-bifrost/phase8_iteration{9,10}_close.md
 #
 # Usage: brave-vulkan [brave args...]
 # Equivalent to: brave [VULKAN_FLAGS] [your args]
+#
+# iter10 changes vs iter9:
+#   - dropped VK_ICD_FILENAMES env (ICD now at /usr/share/vulkan/icd.d/
+#     with '00-' prefix so the Vulkan loader auto-picks ours first)
+#   - dropped --no-sandbox / --disable-gpu-sandbox (env vars survive the
+#     GPU sandbox boundary, no bypass needed)
 
 set -e
 
-# Patched Vulkan driver (from this package) — must point at the custom path
-# so we don't clash with the stock /usr/share/vulkan/icd.d/panfrost_icd.json
-export VK_ICD_FILENAMES=/usr/lib/panvk-bifrost/icd.json
+# Pin the Vulkan ICD selection to our package's ICD. The Vulkan loader's
+# readdir-order in /usr/share/vulkan/icd.d/ is implementation-defined
+# per Khronos LoaderDriverInterface — the '00-' filename prefix is NOT
+# spec-backed. VK_LOADER_DRIVERS_SELECT short-circuits the directory
+# enumeration and picks our ICD deterministically. (Phase 5 review
+# hardening, iter10.)
+export VK_LOADER_DRIVERS_SELECT='00-panvk-bifrost*'
 
 # PanVk's "I know it's not conformant" gate — the patched driver still
-# refuses to enumerate Bifrost without this env var (Mesa upstream choice,
-# kept for compatibility).
+# refuses to enumerate Bifrost without this env var (upstream Mesa choice
+# for v6/v7, kept for compatibility).
 export PAN_I_WANT_A_BROKEN_VULKAN_DRIVER=1
 
 # Override apiVersion to 1.2 — ANGLE (Chromium's GL stack) requires
-# device.apiVersion >= 1.1. The patched libvulkan_panfrost.so still has
-# a PAN_ARCH>=10 gate inside get_api_version(); easier to override at
-# runtime via this Mesa env var than to add a third patch.
+# device.apiVersion >= 1.1. Source patches don't move get_api_version()'s
+# PAN_ARCH>=10 hardcode; the env var override does.
 export MESA_VK_VERSION_OVERRIDE=1.2
 
 # Find the live Plasma session's Xauthority. On a fresh boot the suffix
@@ -55,7 +64,5 @@ exec brave \
     --enable-features=Vulkan \
     --use-vulkan=native \
     --ozone-platform=x11 \
-    --no-sandbox \
-    --disable-gpu-sandbox \
     --ignore-gpu-blocklist \
     "$@"