From c5de46e3e1e8485537289b34e54a94c63e5a1281 Mon Sep 17 00:00:00 2001
From: Jason Volk <jason@zemos.net>
Date: Sat, 15 Mar 2025 04:23:24 +0000
Subject: [PATCH] Docker Bake Harness

Co-authored-by: Nineko <cnotsomark@gmail.com>
Signed-off-by: Jason Volk <jason@zemos.net>
---
 .dockerignore                                 |   20 +-
 .github/workflows/bake.yml                    |   90 ++
 .github/workflows/build.yml                   |  165 +++
 Cargo.toml                                    |   26 +-
 docker/Dockerfile.cargo                       |   37 +
 docker/Dockerfile.complement                  |  269 ++++
 docker/Dockerfile.cookware                    |   63 +
 docker/Dockerfile.deps                        |   47 +
 docker/Dockerfile.diner                       |   53 +
 docker/Dockerfile.ingredients                 |   83 ++
 docker/Dockerfile.install                     |   75 ++
 docker/Dockerfile.kitchen                     |   30 +
 docker/Dockerfile.rocksdb                     |   77 ++
 docker/Dockerfile.smoketest                   |   69 +
 docker/bake.hcl                               | 1188 +++++++++++++++++
 docker/bake.sh                                |  118 ++
 docker/run.sh                                 |   31 +
 .../complement/test_results.jsonl             |    4 +-
 18 files changed, 2418 insertions(+), 27 deletions(-)
 create mode 100644 .github/workflows/bake.yml
 create mode 100644 .github/workflows/build.yml
 create mode 100644 docker/Dockerfile.cargo
 create mode 100644 docker/Dockerfile.complement
 create mode 100644 docker/Dockerfile.cookware
 create mode 100644 docker/Dockerfile.deps
 create mode 100644 docker/Dockerfile.diner
 create mode 100644 docker/Dockerfile.ingredients
 create mode 100644 docker/Dockerfile.install
 create mode 100644 docker/Dockerfile.kitchen
 create mode 100644 docker/Dockerfile.rocksdb
 create mode 100644 docker/Dockerfile.smoketest
 create mode 100644 docker/bake.hcl
 create mode 100755 docker/bake.sh
 create mode 100755 docker/run.sh

diff --git a/.dockerignore b/.dockerignore
index 35d35e1b..dcdd5d15 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,27 +1,31 @@
 # Local build and dev artifacts
-target
-tests
+target/
+#tests
 
 # Docker files
 Dockerfile*
+docker/
 
 # IDE files
 .vscode
 .idea
 *.iml
 
+.
+
 # Git folder
-.git
-.gitea
-.gitlab
-.github
+#.git
+#.gitea
+#.gitlab
+#.github
 
 # Dot files
 .env
-.gitignore
+#.gitignore
 
 # Toml files
-rustfmt.toml
+#rustfmt.toml
 
 # Documentation
 #*.md
+*.hcl
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
new file mode 100644
index 00000000..79f6d01f
--- /dev/null
+++ b/.github/workflows/bake.yml
@@ -0,0 +1,90 @@
+name: Bakery
+
+on:
+  workflow_call:
+    inputs:
+      bake_targets:
+        type: string
+        required: false
+        default: '["default"]'
+        description: Bake targets
+      cargo_profiles:
+        type: string
+        required: false
+        default: '["test", "bench"]'
+        description: Cargo profiles
+      docker_id:
+        type: string
+        required: false
+        description: Dockerhub acct/repo identity.
+      feat_sets:
+        type: string
+        required: false
+        default: '["none", "default", "all"]'
+        description: Cargo feature groups
+      machines:
+        type: string
+        required: false
+        default: '["x86_64"]'
+        description: Hardware platform vector
+      rust_targets:
+        type: string
+        required: false
+        default: '["x86_64-unknown-linux-gnu"]'
+        description: Rust targets
+      rust_toolchains:
+        type: string
+        required: false
+        default: '["nightly", "stable"]'
+        description: Rust toolchains
+      sys_names:
+        type: string
+        required: false
+        default: '["debian"]'
+        description: System names
+      sys_targets:
+        type: string
+        required: false
+        default: '["x86_64-linux-gnu"]'
+        description: System targets
+      sys_versions:
+        type: string
+        required: false
+        default: '["testing-slim"]'
+        description: System versions
+
+env:
+  docker_id: ${{inputs.docker_id}}
+
+jobs:
+  task:
+    runs-on: ${{matrix.machine}}
+    strategy:
+      fail-fast: false
+      matrix:
+        bake_target: ${{fromJSON(inputs.bake_targets)}}
+        cargo_profile: ${{fromJSON(inputs.cargo_profiles)}}
+        feat_set: ${{fromJSON(inputs.feat_sets)}}
+        machine: ${{fromJSON(inputs.machines)}}
+        rust_target: ${{fromJSON(inputs.rust_targets)}}
+        rust_toolchain: ${{fromJSON(inputs.rust_toolchains)}}
+        sys_name: ${{fromJSON(inputs.sys_names)}}
+        sys_target: ${{fromJSON(inputs.sys_targets)}}
+        sys_version: ${{fromJSON(inputs.sys_versions)}}
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Task
+      env:
+        bake_target: ${{matrix.bake_target}}
+        cargo_profile: ${{matrix.cargo_profile}}
+        feat_set: ${{matrix.feat_set}}
+        machine: ${{matrix.machine}}
+        rust_target: ${{matrix.rust_target}}
+        rust_toolchain: ${{matrix.rust_toolchain}}
+        sys_name: ${{matrix.sys_name}}
+        sys_target: ${{matrix.sys_target}}
+        sys_version: ${{matrix.sys_version}}
+
+      run: |
+        docker/bake.sh ${{matrix.bake_target}}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..36b42b9c
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,165 @@
+name: Build
+
+on:
+  push:
+    branches:
+      - main
+
+  workflow_dispatch:
+    inputs:
+      bake:
+        type: string
+        required: false
+        description: JSON Object of inputs passed to the environment
+
+concurrency:
+  group: ${{github.workflow}}-${{github.ref}}
+  cancel-in-progress: true
+
+env:
+  docker_id: ${{vars.DOCKER_ID}}
+  inputs: ${{github.event.inputs}}
+
+jobs:
+  systems:
+    name: Base Environment
+    uses: ./.github/workflows/bake.yml
+    with:
+      bake_targets: '["systems"]'
+      cargo_profiles: ${{vars.CARGO_PROFILES}}
+      docker_id: ${{github.env.docker_id}}
+      feat_sets: ${{vars.FEAT_SETS}}
+      machines: ${{vars.MACHINES}}
+      rust_targets: ${{vars.RUST_TARGETS}}
+      rust_toolchains: ${{vars.RUST_TOOLCHAINS}}
+      sys_names: ${{vars.SYS_NAMES}}
+      sys_targets: ${{vars.SYS_TARGETS}}
+      sys_versions: ${{vars.SYS_VERSIONS}}
+
+  buildsys:
+    name: Build Environment
+    uses: ./.github/workflows/bake.yml
+    needs: [systems]
+    with:
+      bake_targets: '["buildsys"]'
+      cargo_profiles: ${{vars.CARGO_PROFILES}}
+      docker_id: ${{github.env.docker_id}}
+      feat_sets: ${{vars.FEAT_SETS}}
+      machines: ${{vars.MACHINES}}
+      rust_targets: ${{vars.RUST_TARGETS}}
+      rust_toolchains: ${{vars.RUST_TOOLCHAINS}}
+      sys_names: ${{vars.SYS_NAMES}}
+      sys_targets: ${{vars.SYS_TARGETS}}
+      sys_versions: ${{vars.SYS_VERSIONS}}
+
+  sources:
+    name: Acquire Source
+    uses: ./.github/workflows/bake.yml
+    needs: [buildsys]
+    with:
+      bake_targets: '["sources"]'
+      cargo_profiles: ${{vars.CARGO_PROFILES}}
+      docker_id: ${{github.env.docker_id}}
+      feat_sets: ${{vars.FEAT_SETS}}
+      machines: ${{vars.MACHINES}}
+      rust_targets: ${{vars.RUST_TARGETS}}
+      rust_toolchains: ${{vars.RUST_TOOLCHAINS}}
+      sys_names: ${{vars.SYS_NAMES}}
+      sys_targets: ${{vars.SYS_TARGETS}}
+      sys_versions: ${{vars.SYS_VERSIONS}}
+
+  rocksdb:
+    name: Build RocksDB
+    uses: ./.github/workflows/bake.yml
+    needs: [sources]
+    with:
+      bake_targets: '["rocksdb"]'
+      cargo_profiles: ${{vars.CARGO_PROFILES}}
+      docker_id: ${{github.env.docker_id}}
+      feat_sets: ${{vars.FEAT_SETS}}
+      machines: ${{vars.MACHINES}}
+      rust_targets: ${{vars.RUST_TARGETS}}
+      rust_toolchains: ${{vars.RUST_TOOLCHAINS}}
+      sys_names: ${{vars.SYS_NAMES}}
+      sys_targets: ${{vars.SYS_TARGETS}}
+      sys_versions: ${{vars.SYS_VERSIONS}}
+
+  deps:
+    name: Build Dependencies
+    uses: ./.github/workflows/bake.yml
+    needs: [rocksdb]
+    with:
+      bake_targets: '["deps"]'
+      cargo_profiles: ${{vars.CARGO_PROFILES}}
+      docker_id: ${{github.env.docker_id}}
+      feat_sets: ${{vars.FEAT_SETS}}
+      machines: ${{vars.MACHINES}}
+      rust_targets: ${{vars.RUST_TARGETS}}
+      rust_toolchains: ${{vars.RUST_TOOLCHAINS}}
+      sys_names: ${{vars.SYS_NAMES}}
+      sys_targets: ${{vars.SYS_TARGETS}}
+      sys_versions: ${{vars.SYS_VERSIONS}}
+
+  clippy:
+    name: Clippy Lints
+    uses: ./.github/workflows/bake.yml
+    needs: [deps]
+    with:
+      bake_targets: '["clippy"]'
+      cargo_profiles: ${{vars.CARGO_PROFILES}}
+      docker_id: ${{github.env.docker_id}}
+      feat_sets: ${{vars.FEAT_SETS}}
+      machines: ${{vars.MACHINES}}
+      rust_targets: ${{vars.RUST_TARGETS}}
+      rust_toolchains: ${{vars.RUST_TOOLCHAINS}}
+      sys_names: ${{vars.SYS_NAMES}}
+      sys_targets: ${{vars.SYS_TARGETS}}
+      sys_versions: ${{vars.SYS_VERSIONS}}
+
+  install:
+    name: Install
+    uses: ./.github/workflows/bake.yml
+    needs: [deps]
+    with:
+      bake_targets: '["install"]'
+      cargo_profiles: ${{vars.CARGO_PROFILES}}
+      docker_id: ${{github.env.docker_id}}
+      feat_sets: ${{vars.FEAT_SETS}}
+      machines: ${{vars.MACHINES}}
+      rust_targets: ${{vars.RUST_TARGETS}}
+      rust_toolchains: ${{vars.RUST_TOOLCHAINS}}
+      sys_names: ${{vars.SYS_NAMES}}
+      sys_targets: ${{vars.SYS_TARGETS}}
+      sys_versions: ${{vars.SYS_VERSIONS}}
+
+  tests-unit:
+    name: Unit Tests
+    uses: ./.github/workflows/bake.yml
+    needs: [deps]
+    with:
+      bake_targets: '["tests-unit"]'
+      cargo_profiles: ${{vars.CARGO_PROFILES}}
+      docker_id: ${{github.env.docker_id}}
+      feat_sets: ${{vars.FEAT_SETS}}
+      machines: ${{vars.MACHINES}}
+      rust_targets: ${{vars.RUST_TARGETS}}
+      rust_toolchains: ${{vars.RUST_TOOLCHAINS}}
+      sys_names: ${{vars.SYS_NAMES}}
+      sys_targets: ${{vars.SYS_TARGETS}}
+      sys_versions: ${{vars.SYS_VERSIONS}}
+
+  smoketest:
+    name: Smoke Tests
+    uses: ./.github/workflows/bake.yml
+    needs: [install]
+    with:
+      bake_targets: '["tests-smoke"]'
+      cargo_profiles: ${{vars.CARGO_PROFILES}}
+      docker_id: ${{github.env.docker_id}}
+      feat_sets: ${{vars.FEAT_SETS}}
+      machines: ${{vars.MACHINES}}
+      rust_targets: ${{vars.RUST_TARGETS}}
+      rust_toolchains: ${{vars.RUST_TOOLCHAINS}}
+      sys_names: ${{vars.SYS_NAMES}}
+      sys_targets: ${{vars.SYS_TARGETS}}
+      sys_versions: ${{vars.SYS_VERSIONS}}
diff --git a/Cargo.toml b/Cargo.toml
index 36ac8e8f..15135c23 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -668,7 +668,8 @@ lto = "fat"
 codegen-units = 1
 panic = "abort"
 
-# do not use without profile-rustflags enabled
+# do not use without profile-rustflags enabled. uncomment ALL the sections for
+# profile.release-max-perf
 [profile.release-max-perf]
 inherits = "release"
 strip = "symbols"
@@ -710,7 +711,8 @@ inherits = "release-max-perf.build-override"
 #]
 
 [profile.bench]
-inherits = "release"
+debug = "limited"
+strip = false
 #rustflags = [
 #	"-Cremark=all",
 #	'-Ztime-passes',
@@ -731,10 +733,6 @@ inherits = "release"
 
 [profile.dev]
 debug = "full"
-opt-level = 0
-panic = "unwind"
-debug-assertions = true
-incremental = true
 #rustflags = [
 #	'--cfg', 'tuwunel_mods',
 #	'-Ztime-passes',
@@ -794,7 +792,7 @@ inherits = "dev"
 
 [profile.dev.package.'*']
 inherits = "dev"
-debug = 'limited'
+debug = "limited"
 incremental = false
 codegen-units = 1
 opt-level = 'z'
@@ -813,19 +811,13 @@ opt-level = 'z'
 
 # primarily used for CI
 [profile.test]
-inherits = "dev"
-strip = false
-opt-level = 0
-codegen-units = 16
-incremental = false
+debug = "limited"
 
 [profile.test.package.'*']
-inherits = "dev"
-debug = 0
-strip = false
-opt-level = 0
-codegen-units = 16
+inherits = "test"
 incremental = false
+codegen-units = 1
+opt-level = 'z'
 
 ###############################################################################
 #
diff --git a/docker/Dockerfile.cargo b/docker/Dockerfile.cargo
new file mode 100644
index 00000000..9ff7a325
--- /dev/null
+++ b/docker/Dockerfile.cargo
@@ -0,0 +1,37 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS cargo
+ARG sys_target
+ARG rust_toolchain
+ARG RUSTUP_HOME
+ARG CARGO_HOME
+ARG CARGO_TARGET
+ARG CARGO_TARGET_DIR
+ARG cargo_profile
+ARG cargo_features
+ARG cargo_cmd
+ARG cargo_args=""
+
+WORKDIR /usr/lib/${sys_target}
+COPY --link --from=rocksdb . .
+
+WORKDIR /usr/src/tuwunel
+RUN \
+--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=shared \
+<<EOF
+    env
+    set -eux
+    rustup run ${rust_toolchain} \
+        cargo ${cargo_cmd} \
+            --frozen \
+            --workspace \
+            --no-default-features \
+            --features "${cargo_features}" \
+            --profile "${cargo_profile}" \
+            --target "${CARGO_TARGET}" \
+            --target-dir "${CARGO_TARGET_DIR}" \
+            --manifest-path Cargo.toml \
+            ${cargo_args}
+EOF
diff --git a/docker/Dockerfile.complement b/docker/Dockerfile.complement
new file mode 100644
index 00000000..0f4e9840
--- /dev/null
+++ b/docker/Dockerfile.complement
@@ -0,0 +1,269 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS key-gen-base
+ARG var_cache
+ARG var_lib_apt
+
+RUN \
+--mount=type=cache,dst=${var_cache},sharing=locked \
+--mount=type=cache,dst=${var_lib_apt},sharing=locked \
+<<EOF
+    set -eux
+    apt-get -y -U install --no-install-recommends openssl gawk
+EOF
+
+
+FROM key-gen-base AS key-gen
+
+WORKDIR /complement
+COPY <<EOF v3.ext
+    authorityKeyIdentifier=keyid,issuer
+    basicConstraints=CA:FALSE
+    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+    subjectAltName = @alt_names
+    [alt_names]
+    DNS.1 = hs1
+    DNS.2 = hs2
+    DNS.3 = hs3
+EOF
+RUN <<EOF
+    set -eux
+    mkdir ca
+    openssl genrsa \
+        -out private_key.pem \
+        2048
+
+    openssl req \
+        -new \
+        -sha256 \
+        -key private_key.pem \
+        -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=hs1" \
+        -addext "subjectAltName = DNS:hs1, DNS:hs2, DNS:hs3" \
+        -out signing_request.csr
+
+    openssl x509 \
+        -req \
+        -extfile v3.ext \
+        -in signing_request.csr \
+        -key private_key.pem \
+        -out certificate.crt \
+        -days 1 \
+        -sha256
+EOF
+RUN [ -f certificate.crt ] && [ -f private_key.pem ]
+
+
+FROM scratch AS complement-config
+WORKDIR /complement
+COPY --from=key-gen /complement/* .
+COPY --from=source /usr/src/tuwunel/tests/test_results/complement/test_results.jsonl old_results.jsonl
+COPY <<EOF complement.toml
+    [global]
+    address = "0.0.0.0"
+    allow_device_name_federation = true
+    allow_guest_registration = true
+    allow_public_room_directory_over_federation = true
+    allow_public_room_directory_without_auth = true
+    allow_registration = true
+    database_path = "/database"
+    log = "debug,tuwunel=trace,h2=warn,hyper=warn"
+    port = [8008, 8448]
+    trusted_servers = []
+    only_query_trusted_key_servers = false
+    query_trusted_key_servers_first = false
+    query_trusted_key_servers_first_on_join = false
+    yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true
+    ip_range_denylist = []
+    url_preview_domain_contains_allowlist = ["*"]
+    url_preview_domain_explicit_denylist = ["*"]
+    media_compat_file_link = false
+    media_startup_check = true
+    prune_missing_media = true
+    log_colors = false
+    admin_room_notices = false
+    allow_check_for_updates = false
+    intentionally_unknown_config_option_for_testing = true
+    rocksdb_log_level = "debug"
+    rocksdb_max_log_files = 1
+    rocksdb_recovery_mode = 0
+    rocksdb_paranoid_file_checks = true
+    log_guest_registrations = false
+    allow_legacy_media = true
+    startup_netburst = true
+    startup_netburst_keep = -1
+    # valgrind makes things so slow
+    dns_timeout = 60
+    dns_attempts = 20
+    request_conn_timeout = 60
+    request_timeout = 120
+    well_known_conn_timeout = 60
+    well_known_timeout = 60
+    federation_idle_timeout = 300
+    sender_timeout = 300
+    sender_idle_timeout = 300
+    sender_retry_backoff_limit = 300
+    allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure = true
+
+    [global.tls]
+    certs = "/complement/certificate.crt"
+    dual_protocol = true
+    key = "/complement/private_key.pem"
+EOF
+
+
+FROM input AS complement-testee
+
+EXPOSE 8008 8448
+RUN mkdir /database
+COPY --from=complement-config * /complement/
+ENV TUWUNEL_CONFIG="/complement/complement.toml"
+ENTRYPOINT tuwunel -Oserver_name=\""$SERVER_NAME\""
+
+
+FROM input AS complement-testee-valgrind
+
+EXPOSE 8008 8448
+RUN mkdir /database
+COPY --from=complement-config * /complement/
+ENV TUWUNEL_CONFIG="/complement/complement.toml"
+ENTRYPOINT valgrind \
+    --leak-check=no \
+    --undef-value-errors=no \
+    --exit-on-first-error=yes \
+    --error-exitcode=1 \
+    tuwunel \
+        -Oserver_name=\""$SERVER_NAME\""
+
+
+FROM input AS complement-base
+ARG var_cache
+ARG var_lib_apt
+ARG complement_tags="tuwunel_blacklist"
+ARG complement_tests="./tests/..."
+ARG complement_run=".*"
+
+WORKDIR /
+RUN \
+--mount=type=cache,dst=${var_cache},sharing=locked \
+--mount=type=cache,dst=${var_lib_apt},sharing=locked \
+--mount=type=cache,dst=/go/pkg/mod/cache,sharing=locked \
+<<EOF
+    set -eux
+    apt-get -y -U install --no-install-recommends golang-go jq
+EOF
+
+WORKDIR /usr/src
+ADD https://github.com/matrix-construct/complement.git complement
+
+WORKDIR /usr/src/complement
+ENV COMPLEMENT_BASE_IMAGE="complement-testee"
+RUN \
+--mount=type=cache,dst=/go/pkg/mod/cache,sharing=locked \
+<<EOF
+    env
+    set -eux
+    go test -tags="$complement_tags" -list="$complement_run" $complement_tests
+EOF
+
+
+FROM input AS complement-tester
+ARG complement_debug=0
+ARG complement_count=1
+ARG complement_parallel=16
+ARG complement_shuffle=1337
+ARG complement_timeout="1h"
+ARG complement_run=".*"
+ARG complement_skip=""
+ARG complement_tags="tuwunel_blacklist"
+ARG complement_tests="./tests/..."
+ARG complement_base_image
+
+ENV COMPLEMENT_DEBUG=$complement_debug
+ENV complement_parallel="$complement_parallel"
+ENV complement_shuffle="$complement_shuffle"
+ENV complement_tags="$complement_tags"
+ENV complement_timeout="$complement_timeout"
+ENV complement_count="$complement_count"
+ENV complement_tests="$complement_tests"
+ENV complement_skip="$complement_skip"
+ENV complement_run="$complement_run"
+ENV complement_tests="$complement_tests"
+ENV COMPLEMENT_HOSTNAME_RUNNING_COMPLEMENT="host.docker.internal"
+ENV COMPLEMENT_HOST_MOUNTS="/var/run/docker.sock:/var/run/docker.sock"
+ENV jq_res='{Action: .Action, Test: .Test}'
+ENV jq_sel='select((.Action == \"pass\" or .Action == \"fail\" or .Action == \"skip\") and .Test != null)'
+ENV jq_tab='([\"RESULT\",\"TEST\"] | (., map(length*\"-\"))), (.[] | [.Action, .Test]) | @tsv'
+WORKDIR /usr/src/complement
+COPY --from=complement-config /complement/old_results.jsonl .
+COPY <<EOF uwu.sh
+    env;
+    set -eux;
+
+    COMPLEMENT_BASE_IMAGE="\${1:-$complement_base_image}"
+    go test
+        -json
+        -shuffle="${complement_shuffle}"
+        -parallel="${complement_parallel}"
+        -timeout="${complement_timeout}"
+        -count="${complement_count}"
+        -tags="${complement_tags}"
+        -skip="${complement_skip}"
+        -run="${complement_run}"
+        "${complement_tests}"
+    | jq -c "${jq_sel} | ${jq_res}"
+    | tee results.jsonl
+    | jq -s -r "${jq_tab}"
+    ;
+
+    jq -s -c "sort_by(.Test)[]" < results.jsonl | uniq > new_results.jsonl;
+
+    wc -l old_results.jsonl new_results.jsonl;
+
+    diff -w -y -t --width=275 --suppress-common-lines old_results.jsonl new_results.jsonl;
+EOF
+RUN echo $(tr -d '\n' < uwu.sh) > uwu.sh
+ENTRYPOINT ["/bin/bash", "/usr/src/complement/uwu.sh"]
+
+
+FROM input AS complement-tester-valgrind
+ARG complement_debug=0
+ARG complement_count=1
+ARG complement_parallel=16
+ARG complement_shuffle=1337
+ARG complement_timeout="1h"
+ARG complement_run=".*"
+ARG complement_skip=""
+ARG complement_tags="tuwunel_blacklist"
+ARG complement_tests="./tests/..."
+ARG complement_base_image
+
+ENV COMPLEMENT_DEBUG=$complement_debug
+ENV complement_parallel="$complement_parallel"
+ENV complement_shuffle="$complement_shuffle"
+ENV complement_tags="$complement_tags"
+ENV complement_timeout="$complement_timeout"
+ENV complement_count="$complement_count"
+ENV complement_tests="$complement_tests"
+ENV complement_skip="$complement_skip"
+ENV complement_run="$complement_run"
+ENV complement_tests="$complement_tests"
+ENV COMPLEMENT_HOSTNAME_RUNNING_COMPLEMENT="host.docker.internal"
+ENV COMPLEMENT_HOST_MOUNTS="/var/run/docker.sock:/var/run/docker.sock"
+WORKDIR /usr/src/complement
+COPY <<EOF valgrind.sh
+    env;
+    set -eux;
+
+    COMPLEMENT_BASE_IMAGE="\${1:-$complement_base_image}"
+    go test
+        -shuffle="${complement_shuffle}"
+        -parallel="${complement_parallel}"
+        -timeout="${complement_timeout}"
+        -count="${complement_count}"
+        -tags="${complement_tags}"
+        -skip="${complement_skip}"
+        -run="${complement_run}"
+        "${complement_tests}"
+EOF
+RUN echo $(tr -d '\n' < valgrind.sh) > valgrind.sh
+ENTRYPOINT ["/bin/bash", "/usr/src/complement/valgrind.sh"]
diff --git a/docker/Dockerfile.cookware b/docker/Dockerfile.cookware
new file mode 100644
index 00000000..0f0d1e24
--- /dev/null
+++ b/docker/Dockerfile.cookware
@@ -0,0 +1,63 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS cookware
+ARG rust_toolchain
+ARG RUSTUP_HOME
+ARG CARGO_HOME
+ARG CARGO_TARGET
+ARG rustup_version="1.28.1"
+
+WORKDIR /opt
+RUN \
+--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
+<<EOF
+    env
+    set -eux
+
+    url="https://static.rust-lang.org/rustup/archive/${rustup_version}/${CARGO_TARGET}/rustup-init"
+    curl -S -O -s "$url"
+    chmod o+x rustup-init
+    ./rustup-init -y \
+        --verbose \
+        --profile minimal \
+        --no-modify-path \
+        --no-update-default-toolchain \
+        --default-host ${CARGO_TARGET} \
+        --default-toolchain ${rust_toolchain}
+
+    chmod -R go+rw $CARGO_HOME $RUSTUP_HOME
+    rm rustup-init
+EOF
+ENV PATH="${CARGO_HOME}/bin:$PATH"
+RUN \
+--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
+<<EOF
+    env
+    set -eux
+    rustup component add \
+        --toolchain ${rust_toolchain} \
+        --target ${CARGO_TARGET} \
+        clippy
+EOF
+
+
+FROM input AS chef
+ARG rust_toolchain
+ARG RUSTUP_HOME
+ARG CARGO_HOME
+ARG CARGO_TARGET
+
+RUN \
+--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
+<<EOF
+    env
+    set -eux
+    rustup run --install ${rust_toolchain} \
+        cargo install \
+            --locked \
+            --target ${CARGO_TARGET} \
+            cargo-chef
+EOF
diff --git a/docker/Dockerfile.deps b/docker/Dockerfile.deps
new file mode 100644
index 00000000..e14a4453
--- /dev/null
+++ b/docker/Dockerfile.deps
@@ -0,0 +1,47 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS deps
+ARG sys_target
+ARG rust_toolchain
+ARG RUSTUP_HOME
+ARG CARGO_HOME
+ARG CARGO_TARGET
+ARG CARGO_TARGET_DIR
+ARG cargo_profile
+ARG cargo_features
+ARG cook_args
+ARG git_checkout
+
+WORKDIR /usr/lib/${sys_target}
+COPY --from=rocksdb . .
+
+WORKDIR /usr/src/tuwunel
+COPY --link --from=recipe recipe.json .
+
+RUN \
+--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=locked \
+<<EOF
+    env
+    set -eux
+    rustup run ${rust_toolchain} \
+        cargo chef cook ${cook_args} \
+            --frozen \
+            --workspace \
+            --no-default-features \
+            --features "${cargo_features}" \
+            --profile "${cargo_profile}" \
+            --target "${CARGO_TARGET}" \
+            --target-dir "${CARGO_TARGET_DIR}" \
+            --manifest-path Cargo.toml \
+            --recipe-path recipe.json
+
+    # If this image is further reused with other cargo commands, all
+    # modifications made by cargo chef cook outside of target-dir have to be
+    # cleared. If not, resulting build artifacts will link incorrectly, even
+    # without error. For example, a target executable may be produced which
+    # does nothing except exit(0). If you have observed a smoketest failing in
+    # such a manner, investigate this as a cause of the issue.
+    git restore -W -S --source=${git_checkout} .
+EOF
diff --git a/docker/Dockerfile.diner b/docker/Dockerfile.diner
new file mode 100644
index 00000000..86f7e5aa
--- /dev/null
+++ b/docker/Dockerfile.diner
@@ -0,0 +1,53 @@
+# syntax = docker/dockerfile:1.11-labs
+
+ARG sys_name=debian
+ARG sys_version=testing-slim
+
+FROM ${sys_name}:${sys_version} AS system
+
+
+FROM input AS diner
+ARG var_cache
+ARG var_lib_apt
+ARG packages
+
+ENV packages="ca-certificates ${packages}"
+RUN \
+--mount=type=cache,dst=${var_cache},sharing=locked \
+--mount=type=cache,dst=${var_lib_apt},sharing=locked \
+<<EOF
+    echo $(uname -a) $0 $-
+    set -eux
+
+    keep_downloaded='Binary::apt::APT::Keep-Downloaded-Packages "true";'
+    echo "$keep_downloaded" > /etc/apt/apt.conf.d/keep-downloaded
+    rm -f /etc/apt/apt.conf.d/docker-clean
+
+    apt-get -y -U install --no-install-recommends ${packages}
+EOF
+
+
+FROM input AS valgrind
+ARG var_cache
+ARG var_lib_apt
+
+RUN \
+--mount=type=cache,dst=${var_cache},sharing=locked \
+--mount=type=cache,dst=${var_lib_apt},sharing=locked \
+<<EOF
+    set -eux
+    apt-get -y -U install --no-install-recommends valgrind
+EOF
+
+
+FROM input AS perf
+ARG var_cache
+ARG var_lib_apt
+
+RUN \
+--mount=type=cache,dst=${var_cache},sharing=locked \
+--mount=type=cache,dst=${var_lib_apt},sharing=locked \
+<<EOF
+    set -eux
+    apt-get -y -U install --no-install-recommends perf-tools-unstable
+EOF
diff --git a/docker/Dockerfile.ingredients b/docker/Dockerfile.ingredients
new file mode 100644
index 00000000..2d00f077
--- /dev/null
+++ b/docker/Dockerfile.ingredients
@@ -0,0 +1,83 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS source
+ARG git_checkout
+
+ADD --keep-git-dir . /usr/src/tuwunel
+WORKDIR /usr/src/tuwunel
+RUN <<EOF
+    env
+    set -eux
+    git reset \
+        --hard \
+        --no-recurse-submodules \
+        ${git_checkout}
+EOF
+
+
+FROM input AS ingredients
+ARG sys_target
+ARG rust_toolchain
+ARG RUSTUP_HOME
+ARG CARGO_HOME
+ARG CARGO_TARGET
+ARG CARGO_TARGET_DIR
+
+WORKDIR /usr/src/tuwunel
+COPY --link --from=source /usr/src/tuwunel .
+
+RUN \
+--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=locked \
+<<EOF
+    env
+    set -eux
+    git submodule update \
+        --remote \
+        --no-fetch \
+        --recursive \
+        --checkout \
+        --init
+
+    rustup run ${rust_toolchain} \
+        cargo fetch \
+            --locked \
+            --target ${CARGO_TARGET}
+EOF
+
+
+FROM input AS preparing
+ARG rust_toolchain
+ARG RUSTUP_HOME
+ARG CARGO_HOME
+ARG CARGO_TARGET
+ARG CARGO_TARGET_DIR
+
+WORKDIR /usr/src/tuwunel
+RUN \
+--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=locked \
+<<EOF
+    env
+    set -euxo pipefail
+    rustup run ${rust_toolchain} \
+        cargo chef prepare \
+            --recipe-path recipe.json
+
+    manifest="Cargo.toml"
+    package="rust-librocksdb-sys"
+    cmd="cargo tree --manifest-path ${manifest} -f {r} -p ${package}"
+    url="$(rustup run ${rust_toolchain} ${cmd} | head -n 1)"
+    echo "$url" > rocksdb.url
+
+    sha1sum recipe.json rocksdb.url
+EOF
+
+
+FROM scratch AS recipe
+
+WORKDIR /
+COPY --from=preparing /usr/src/tuwunel/recipe.json .
+COPY --from=preparing /usr/src/tuwunel/rocksdb.url .
diff --git a/docker/Dockerfile.install b/docker/Dockerfile.install
new file mode 100644
index 00000000..b0eb5c96
--- /dev/null
+++ b/docker/Dockerfile.install
@@ -0,0 +1,75 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS installer
+ARG sys_target
+ARG rust_toolchain
+ARG RUSTUP_HOME
+ARG CARGO_HOME
+ARG CARGO_TARGET
+ARG CARGO_TARGET_DIR
+ARG cargo_profile
+ARG cargo_features
+ARG cargo_args=""
+ARG crate_path="src/main"
+ARG crate_ident=""
+ARG install_temp="/usr/src/tuwunel/install"
+
+WORKDIR /usr/lib/${sys_target}
+COPY --link --from=rocksdb . .
+
+WORKDIR /usr/src/tuwunel
+RUN \
+--mount=type=cache,dst=${RUSTUP_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_HOME},sharing=locked \
+--mount=type=cache,dst=${CARGO_TARGET_DIR},sharing=shared \
+<<EOF
+    env
+    set -eux
+    case "$cargo_profile" in
+            "dev") profile_dir="debug";;
+           "test") profile_dir="debug";;
+        "release") profile_dir="release";;
+          "bench") profile_dir="release";;
+                *) profile_dir="$cargp_profile";;
+    esac
+
+    rustup run ${rust_toolchain} \
+        cargo install \
+            --locked \
+            --no-track \
+            --no-default-features \
+            --features "${cargo_features}" \
+            --profile "${cargo_profile}" \
+            --target "${CARGO_TARGET}" \
+            --target-dir "${CARGO_TARGET_DIR}" \
+            --root "${install_temp}" \
+            --path "${crate_path}" \
+            ${cargo_args} \
+            ${crate_ident}
+EOF
+RUN [ -f "${install_temp}/bin/tuwunel" ]
+
+
+FROM input AS install
+ARG sys_target
+ARG CARGO_INSTALL_ROOT
+ARG install_temp="/usr/src/tuwunel/install"
+
+WORKDIR /usr/lib/${sys_target}
+COPY --from=rocksdb --exclude=librocksdb.a . .
+
+WORKDIR /
+RUN \
+--mount=type=bind,from=output,src=${install_temp},dst=/mnt/install \
+<<EOF
+    env
+    set -eux
+    cp -ndR --preserve=all -t ${CARGO_INSTALL_ROOT} /mnt/install/*
+EOF
+ENV bin_path="${CARGO_INSTALL_ROOT}/bin/tuwunel"
+RUN <<EOF
+    set -eux
+    ldd -v ${bin_path}
+    du -h ${bin_path}
+    sha1sum ${bin_path}
+EOF
diff --git a/docker/Dockerfile.kitchen b/docker/Dockerfile.kitchen
new file mode 100644
index 00000000..8892039b
--- /dev/null
+++ b/docker/Dockerfile.kitchen
@@ -0,0 +1,30 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS kitchen
+ARG var_cache
+ARG var_lib_apt
+ARG packages
+
+ENV DEBIAN_FRONTEND="noninteractive"
+ENV packages="\
+bzip2 \
+ca-certificates \
+clang \
+cmake \
+curl \
+git \
+libc6-dev \
+make \
+pkg-config \
+pkgconf \
+xz-utils \
+${packages} \
+"
+
+RUN  \
+--mount=type=cache,dst=${var_cache},sharing=locked \
+--mount=type=cache,dst=${var_lib_apt},sharing=locked \
+<<EOF
+    set -eux
+    apt-get -y -U install --no-install-recommends ${packages}
+EOF
diff --git a/docker/Dockerfile.rocksdb b/docker/Dockerfile.rocksdb
new file mode 100644
index 00000000..0a0115b7
--- /dev/null
+++ b/docker/Dockerfile.rocksdb
@@ -0,0 +1,77 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS rocksdb-fetch
+WORKDIR /usr/src
+COPY --link --from=recipe rocksdb.url .
+RUN <<EOF
+    set -eux
+    submodule="librocksdb-sys/rocksdb"
+    url="$(cat rocksdb.url)"
+    git clone \
+        --depth 1 \
+        --recurse-submodules="${submodule}" \
+        "${url}" \
+        /usr/src/rocksdb
+EOF
+
+
+FROM input AS rocksdb-build
+ARG rocksdb_shared=0
+ARG rocksdb_portable=1
+ARG rocksdb_opt_level="3"
+ARG rocksdb_build_type="Release"
+ARG rocksdb_cxx_flags="-ftls-model=initial-exec"
+ARG rocksdb_make_verbose="ON"
+ARG rocksdb_make_rule_messages="OFF"
+ARG rocksdb_jemalloc=1
+ARG rocksdb_iouring=1
+ARG rocksdb_zstd=1
+ARG rocksdb_lz4=0
+ARG rocksdb_bz2=0
+ARG rocksdb_zlib=0
+ARG rocksdb_snappy=0
+ARG nprocs
+
+ENV CC="clang"
+ENV CXX="clang++"
+WORKDIR /usr/src/rocksdb/librocksdb-sys/rocksdb
+ENV nprocs=${nprocs}
+RUN <<EOF
+    set -eux
+
+    LDFLAGS="-Wl,--strip-all" \
+    cmake -H. -Bbuild \
+        "-DCMAKE_RULE_MESSAGES:BOOL=${rocksdb_make_rule_messages}" \
+        "-DCMAKE_VERBOSE_MAKEFILE:BOOL=${rocksdb_make_verbose}" \
+        "-DCMAKE_BUILD_TYPE=${rocksdb_build_type}" \
+        "-DBUILD_SHARED_LIBS=${rocksdb_shared}" \
+        "-DCMAKE_CXX_FLAGS:STRING=${rocksdb_cxx_flags}" \
+        "-DCMAKE_CXX_FLAGS_RELEASE:STRING=-g0 -O${rocksdb_opt_level}" \
+        "-DPORTABLE=${rocksdb_portable}" \
+        "-DFAIL_ON_WARNINGS=0" \
+        "-DUSE_RTTI=1" \
+        "-DWITH_JNI=0" \
+        "-DWITH_BENCHMARK_TOOLS=0" \
+        "-DWITH_TRACE_TOOLS=0" \
+        "-DWITH_CORE_TOOLS=0" \
+        "-DWITH_TOOLS=0" \
+        "-DWITH_TESTS=0" \
+        "-DWITH_GFLAGS=0" \
+        "-DWITH_LIBURING=${rocksdb_iouring}" \
+        "-DWITH_JEMALLOC=${rocksdb_jemalloc}" \
+        "-DWITH_ZSTD=${rocksdb_zstd}" \
+        "-DWITH_LZ4=${rocksdb_lz4}" \
+        "-DWITH_BZ2=${rocksdb_bz2}" \
+        "-DWITH_ZLIB=${rocksdb_zlib}" \
+        "-DWITH_SNAPPY=${rocksdb_snappy}"
+
+    nprocs=${nprocs:=$(nproc)}
+    cmake \
+        --build build \
+        --target install \
+        --parallel ${nprocs}
+EOF
+
+
+FROM scratch AS rocksdb
+COPY --from=input /usr/src/rocksdb/librocksdb-sys/rocksdb/build/librocksdb.* .
diff --git a/docker/Dockerfile.smoketest b/docker/Dockerfile.smoketest
new file mode 100644
index 00000000..62369c0d
--- /dev/null
+++ b/docker/Dockerfile.smoketest
@@ -0,0 +1,69 @@
+# syntax = docker/dockerfile:1.11-labs
+
+FROM input AS smoketest-version
+
+RUN <<EOF
+    set -eux
+    tuwunel -V
+    version=$(tuwunel -V)
+    /bin/test -n "$version"
+EOF
+
+
+FROM input AS smoketest-startup
+
+ENV TUWUNEL_LOG="info"
+ENV TUWUNEL_DATABASE_PATH="/tmp/smoketest.db"
+RUN <<EOF
+    set -eux
+    tuwunel \
+        -Otest='["smoke"]' \
+        -Oserver_name=\"localhost\" \
+        -Odatabase_path=\"${TUWUNEL_DATABASE_PATH}\"
+
+    rm -rf "${TUWUNEL_DATABASE_PATH}"
+EOF
+
+
+FROM input AS smoketest-valgrind
+
+WORKDIR /
+COPY --link --from=valgrind . .
+
+ENV TUWUNEL_LOG="info"
+ENV TUWUNEL_DATABASE_PATH="/tmp/smoketest.db"
+RUN <<EOF
+    set -eux
+    valgrind \
+        --leak-check=no \
+        --undef-value-errors=no \
+        --exit-on-first-error=yes \
+        --error-exitcode=1 \
+        tuwunel \
+            -Otest='["smoke"]' \
+            -Oserver_name=\"localhost\" \
+            -Odatabase_path=\"${TUWUNEL_DATABASE_PATH}\"
+
+    rm -rf "${TUWUNEL_DATABASE_PATH}"
+EOF
+
+
+FROM input AS smoketest-perf
+
+WORKDIR /
+COPY --link --from=perf . .
+
+ENV TUWUNEL_LOG="error"
+ENV TUWUNEL_DATABASE_PATH="/tmp/smoketest.db"
+RUN <<EOF
+    set -eux
+    perf stat \
+        -j \
+        -ddd \
+        tuwunel \
+            -Otest='["smoke"]' \
+            -Oserver_name=\"localhost\" \
+            -Odatabase_path=\"${TUWUNEL_DATABASE_PATH}\"
+
+    rm -rf "${TUWUNEL_DATABASE_PATH}"
+EOF
diff --git a/docker/bake.hcl b/docker/bake.hcl
new file mode 100644
index 00000000..53053ff6
--- /dev/null
+++ b/docker/bake.hcl
@@ -0,0 +1,1188 @@
+variable "acct" {}
+variable "repo" {}
+
+cargo_feat_sets = {
+    none = ""
+    default = "brotli_compression,element_hacks,gzip_compression,io_uring,jemalloc,jemalloc_conf,media_thumbnail,release_max_log_level,systemd,url_preview,zstd_compression"
+    all = "blurhashing,brotli_compression,tuwunel_mods,console,default,direct_tls,element_hacks,gzip_compression,io_uring,jemalloc,jemalloc_conf,jemalloc_prof,jemalloc_stats,media_thumbnail,perf_measurements,release_max_log_level,sentry_telemetry,systemd,tokio_console,url_preview,zstd_compression"
+}
+
+variable "cargo_features_always" {
+    default = "direct_tls"
+}
+
+variable "feat_sets" {
+    default = "[\"none\", \"default\", \"all\"]"
+}
+variable "cargo_profiles" {
+    default = "[\"test\", \"bench\"]"
+}
+variable "cargo_install_root" {
+    default = "/usr"
+}
+
+variable "rust_toolchains" {
+    default = "[\"nightly\", \"stable\"]"
+}
+variable "rust_targets" {
+    default = "[\"x86_64-unknown-linux-gnu\"]"
+}
+
+variable "sys_targets" {
+    default = "[\"x86_64-linux-gnu\"]"
+}
+variable "sys_versions" {
+    default = "[\"testing-slim\"]"
+}
+variable "sys_names" {
+    default = "[\"debian\"]"
+}
+
+# RocksDB options
+variable "rocksdb_portable" {
+    default = 1
+}
+variable "rocksdb_opt_level" {
+    default = "3"
+}
+variable "rocksdb_build_type" {
+    default = "Release"
+}
+variable "rocksdb_make_verbose" {
+    default = "ON"
+}
+
+# Complement options
+variable "complement_count" {
+    default = 1
+}
+variable "complement_debug" {
+    default = 0
+}
+variable "complement_run" {
+    default = ".*"
+}
+variable "complement_skip" {
+    default = ""
+}
+
+# Package metadata inputs
+variable "package_name" {
+    default = "tuwunel"
+}
+variable "package_authors" {
+    default = "Jason Volk <jason@zemos.net>"
+}
+variable "package_version" {
+    default = "0.5"
+}
+variable "package_revision" {
+    default = ""
+}
+variable "package_last_modified" {
+    default = ""
+}
+
+# Use the cargo-chef layering strategy to separate and pre-build dependencies
+# in a lower-layer image; only workspace crates will rebuild unless
+# dependencies themselves change (default). This option can be set to false for
+# bypassing chef, building within a single layer.
+variable "use_chef" {
+    default = "true"
+}
+
+# Options for output verbosity
+variable "BUILDKIT_PROGRESS" {}
+variable "CARGO_TERM_VERBOSE" {
+    default = BUILDKIT_PROGRESS == "plain"? 1: 0
+}
+
+# Override the project checkout
+variable "git_checkout" {
+    default = "HEAD"
+}
+
+nightly_rustflags = [
+    "--cfg tokio_unstable",
+    "--cfg tuwunel_bench",
+    "--allow=unstable-features",
+    "-Zcrate-attr=feature(test)",
+    "-Zenforce-type-length-limit",
+]
+
+#
+# Default
+#
+
+group "default" {
+    targets = [
+        "lints",
+        "tests",
+    ]
+}
+
+group "lints" {
+    targets = [
+        "check",
+        "clippy",
+    ]
+}
+
+group "tests" {
+    targets = [
+        "tests-unit",
+        "tests-bench",
+        "tests-smoke",
+        "complement",
+    ]
+}
+
+#
+# Common matrices
+#
+
+cargo_rust_feat_sys = {
+    cargo_profile = jsondecode(cargo_profiles)
+    rust_toolchain = jsondecode(rust_toolchains)
+    rust_target = jsondecode(rust_targets)
+    feat_set = jsondecode(feat_sets)
+    sys_name = jsondecode(sys_names)
+    sys_version = jsondecode(sys_versions)
+    sys_target = jsondecode(sys_targets)
+}
+
+rust_feat_sys = {
+    rust_toolchain = jsondecode(rust_toolchains)
+    rust_target = jsondecode(rust_targets)
+    feat_set = jsondecode(feat_sets)
+    sys_name = jsondecode(sys_names)
+    sys_version = jsondecode(sys_versions)
+    sys_target = jsondecode(sys_targets)
+}
+
+feat_sys = {
+    feat_set = jsondecode(feat_sets)
+    sys_name = jsondecode(sys_names)
+    sys_version = jsondecode(sys_versions)
+    sys_target = jsondecode(sys_targets)
+}
+
+sys = {
+    sys_name = jsondecode(sys_names)
+    sys_version = jsondecode(sys_versions)
+    sys_target = jsondecode(sys_targets)
+}
+
+#
+# Complement tests
+#
+
+group "complement" {
+    targets = [
+        "complement-tester",
+        "complement-testee",
+        "complement-tester-valgrind",
+        "complement-testee-valgrind",
+    ]
+}
+
+complement_args = {
+    complement_count = "${complement_count}"
+    complement_debug = "${complement_debug}"
+    complement_run = "${complement_run}"
+    complement_skip = "${complement_skip}"
+}
+
+target "complement-testee-valgrind" {
+    name = elem("complement-testee-valgrind", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("complement-testee-valgrind", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "complement-testee-valgrind"
+    entitlements = ["network.host"]
+    dockerfile = "docker/Dockerfile.complement"
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("smoketest-valgrind", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("complement-testee", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:smoketest-valgrind", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "complement-testee" {
+    name = elem("complement-testee", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("complement-testee", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "complement-testee"
+    entitlements = ["network.host"]
+    dockerfile = "docker/Dockerfile.complement"
+    labels = {
+        "_group" = "complement"
+        "_cache" = "leaf"
+    }
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        complement-config = elem("target:complement-config", [feat_set, sys_name, sys_version, sys_target])
+    }
+    args = {
+        RUST_BACKTRACE = "full"
+    }
+}
+
+target "complement-tester-valgrind" {
+    name = elem("complement-tester-valgrind", [feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("complement-tester-valgrind", [feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "complement-tester-valgrind"
+    entitlements = ["network.host"]
+    matrix = feat_sys
+    inherits = [
+        elem("complement-tester", [feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = elem("target:complement-tester", [feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "complement-tester" {
+    name = elem("complement-tester", [feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("complement-tester", [feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "complement-tester"
+    output = ["type=docker,compression=zstd,mode=min"]
+    entitlements = ["network.host"]
+    matrix = feat_sys
+    inherits = [
+        elem("complement-base", [feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:complement-base", [feat_set, sys_name, sys_version, sys_target])
+        complement-config = elem("target:complement-config", [feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "complement-base" {
+    name = elem("complement-base", [feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("complement-base", [feat_set, sys_name, sys_version, sys_target], "latest")
+    ]
+    target = "complement-base"
+    matrix = feat_sys
+    inherits = [
+        elem("complement-config", [feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:diner", [feat_set, sys_name, sys_version, sys_target])
+    }
+    args = complement_args
+}
+
+target "complement-config" {
+    name = elem("complement-config", [feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("complement-config", [feat_set, sys_name, sys_version, sys_target], "latest")
+    ]
+    target = "complement-config"
+    dockerfile = "docker/Dockerfile.complement"
+    labels = {
+        "_group" = "complement"
+        "_cache" = "trunk"
+    }
+    matrix = feat_sys
+    inherits = [
+        elem("source", [feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        source = elem("target:source", [feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+#
+# Smoke tests
+#
+
+group "tests-smoke" {
+    targets = [
+        "smoketest-version",
+        "smoketest-startup",
+        #"smoketest-valgrind",
+        #"smoketest-perf",
+    ]
+}
+
+target "smoketest-valgrind" {
+    name = elem("smoketest-valgrind", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("smoketest-valgrind", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "smoketest-valgrind"
+    entitlements = ["security.insecure"]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("valgrind", [feat_set, sys_name, sys_version, sys_target]),
+        elem("smoketest", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        valgrind = elem("target:valgrind", [feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "smoketest-perf" {
+    name = elem("smoketest-perf", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("smoketest-perf", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "smoketest-perf"
+    entitlements = ["security.insecure"]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("perf", [feat_set, sys_name, sys_version, sys_target]),
+        elem("smoketest", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        perf = elem("target:valgrind", [feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "smoketest-startup" {
+    name = elem("smoketest-startup", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("smoketest-startup", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest")
+    ]
+    target = "smoketest-startup"
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("smoketest", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+}
+
+target "smoketest-version" {
+    name = elem("smoketest-version", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("smoketest-version", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "smoketest-version"
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("smoketest", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+}
+
+target "smoketest" {
+    name = elem("smoketest", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("smoketest", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    output = ["type=docker,compression=zstd,mode=min"]
+    dockerfile = "docker/Dockerfile.smoketest"
+    labels = {
+        "_group" = "smoketest"
+        "_cache" = "leaf"
+    }
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = elem("target:install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+#
+# Installation
+#
+
+install_labels = {
+    "org.opencontainers.image.authors" = "${package_authors}"
+    "org.opencontainers.image.created" ="${package_last_modified}"
+    "org.opencontainers.image.description" = "Enterprise Matrix Chat Server in Rust"
+    "org.opencontainers.image.documentation" = "https://github.com/matrix-construct/tuwunel/tree/main/docs/"
+    "org.opencontainers.image.licenses" = "Apache-2.0"
+    "org.opencontainers.image.revision" = "${package_revision}"
+    "org.opencontainers.image.source" = "https://github.com/matrix-construct/tuwunel"
+    "org.opencontainers.image.title" = "${package_name}"
+    "org.opencontainers.image.url" = "https://github.com/matrix-construct/tuwunel"
+    "org.opencontainers.image.vendor" = "matrix-construct"
+    "org.opencontainers.image.version" = "${package_version}"
+}
+
+target "install" {
+    name = elem("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("install", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "install"
+    labels = install_labels
+    output = ["type=docker,compression=zstd,mode=min"]
+    cache_to = ["type=local,compression=zstd,mode=min"]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = elem("target:diner", [feat_set, sys_name, sys_version, sys_target])
+        output = elem("target:installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    }
+}
+
+target "installer" {
+    name = elem("installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("installer", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "installer"
+    dockerfile = "docker/Dockerfile.install"
+    labels = {
+        "_group" = "install"
+        "_cache" = "trunk"
+    }
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("cargo", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = elem("target:deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    }
+    args = {
+        cargo_args = "--bins"
+        CARGO_INSTALL_ROOT = cargo_install_root
+    }
+}
+
+#
+# Unit tests
+#
+
+cargo_bench_matrix = {
+    cargo_profile = ["bench"]
+    rust_toolchain = ["nightly"]
+    rust_target = cargo_rust_feat_sys.rust_target
+    feat_set = cargo_rust_feat_sys.feat_set
+    sys_name = cargo_rust_feat_sys.sys_name
+    sys_version = cargo_rust_feat_sys.sys_version
+    sys_target = cargo_rust_feat_sys.sys_target
+}
+
+target "tests-bench" {
+    name = elem("tests-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("tests-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "cargo"
+    output = ["type=docker,compression=zstd,mode=min"]
+    labels = {
+        "_group" = "tests"
+        "_cache" = "leaf"
+    }
+    matrix = cargo_bench_matrix
+    inherits = [
+        elem("build-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = elem("target:build-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+    args = {
+        cargo_cmd = "bench"
+        cargo_args = "--no-fail-fast"
+    }
+}
+
+target "tests-unit" {
+    name = elem("tests-unit", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("tests-unit", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "cargo"
+    output = ["type=docker,compression=zstd,mode=min"]
+    labels = {
+        "_group" = "tests"
+        "_cache" = "leaf"
+    }
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("build-tests", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = elem("target:build-tests", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+    args = {
+        cargo_cmd = "test"
+        cargo_args = "--no-fail-fast"
+    }
+}
+
+#
+# Workspace builds
+#
+
+target "build-bins" {
+    name = elem("build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = (use_chef == "true"?
+            elem("target:deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]):
+            elem("target:build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        )
+    }
+    args = {
+        cargo_cmd = "build"
+        cargo_args = "--bins"
+    }
+}
+
+target "build-bench" {
+    name = elem("build-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("build-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_bench_matrix
+    inherits = [
+        elem("deps-build-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = (use_chef == "true"?
+            elem("target:deps-build-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]):
+            elem("target:build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        )
+    }
+    args = {
+        cargo_cmd = "bench"
+        cargo_args = "--no-run"
+    }
+}
+
+target "build-tests" {
+    name = elem("build-tests", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("build-tests", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-build-tests", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = (use_chef == "true"?
+            elem("target:deps-build-tests", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]):
+            elem("target:build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        )
+    }
+    args = {
+        cargo_cmd = "test"
+        cargo_args = "--no-run"
+    }
+}
+
+target "build" {
+    name = elem("build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("cargo", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = (use_chef == "true"?
+            elem("target:deps-build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]):
+            elem("target:ingredients", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        )
+    }
+    args = {
+        cargo_cmd = "build"
+        cargo_args = "--all-targets"
+    }
+}
+
+target "clippy" {
+    name = elem("clippy", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("clippy", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-clippy", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("cargo", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = (use_chef == "true"?
+            elem("target:deps-clippy", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]):
+            elem("target:ingredients", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        )
+    }
+    args = {
+        cargo_cmd = "clippy"
+        cargo_args = "--all-targets --no-deps -- -D warnings -A unstable-features"
+    }
+}
+
+target "check" {
+    name = elem("check", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("check", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-check", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("cargo", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = (use_chef == "true"?
+            elem("target:deps-check", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]):
+            elem("target:ingredients", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        )
+    }
+    args = {
+        cargo_cmd = "check"
+        cargo_args = "--all-targets"
+    }
+}
+
+target "cargo" {
+    name = elem("cargo", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    target = "cargo"
+    output = ["type=docker,compression=zstd,mode=min"]
+    cache_to = ["type=local,compression=zstd,mode=min"]
+    dockerfile = "docker/Dockerfile.cargo"
+    labels = {
+        "_group" = "cargo"
+        "_cache" = "trunk"
+    }
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+}
+
+#
+# Dependency builds
+#
+
+group "deps" {
+    targets = [
+        #"deps-check",
+        "deps-clippy",
+        #"deps-build",
+        "deps-build-tests",
+        #"deps-build-bench",
+        "deps-build-bins",
+    ]
+}
+
+target "deps-build-bins" {
+    name = elem("deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("deps-build-bins", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    args = {
+        cook_args = "--bins"
+    }
+}
+
+target "deps-build-bench" {
+    name = elem("deps-build-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("deps-build-bench", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_bench_matrix
+    inherits = [
+        elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    args = {
+        cook_args = "--benches"
+    }
+}
+
+target "deps-build-tests" {
+    name = elem("deps-build-tests", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("deps-build-tests", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    args = {
+        cook_args = "--tests"
+    }
+}
+
+target "deps-build" {
+    name = elem("deps-build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("deps-build", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    args = {
+        cook_args = "--all-targets"
+    }
+}
+
+target "deps-clippy" {
+    name = elem("deps-clippy", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("deps-clippy", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    args = {
+        cook_args = "--all-targets --clippy"
+    }
+}
+
+target "deps-check" {
+    name = elem("deps-check", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("deps-check", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    args = {
+        cook_args = "--all-targets --check"
+    }
+}
+
+target "deps-base" {
+    name = elem("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("deps-base", [cargo_profile, rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest")
+    ]
+    target = "deps"
+    output = ["type=docker,compression=zstd,mode=min"]
+    cache_to = ["type=local,compression=zstd,mode=min"]
+    dockerfile = "docker/Dockerfile.deps"
+    labels = {
+        "_group" = "deps"
+        "_cache" = "trunk"
+    }
+    matrix = cargo_rust_feat_sys
+    inherits = [
+        elem("recipe", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:ingredients", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        recipe = elem("target:recipe", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        rocksdb = elem("target:rocksdb", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+    args = {
+        cook_args = "--all-targets --no-build"
+        cargo_profile = cargo_profile
+    }
+}
+
+#
+# Special-cased dependency builds
+#
+
+target "rocksdb" {
+    name = elem("rocksdb", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("rocksdb", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "rocksdb"
+    output = ["type=docker,compression=zstd,mode=min"]
+    matrix = rust_feat_sys
+    inherits = [
+        elem("rocksdb-build", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:rocksdb-build", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "rocksdb-build" {
+    name = elem("rocksdb-build", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("rocksdb-build", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest")
+    ]
+    target = "rocksdb-build"
+    matrix = rust_feat_sys
+    inherits = [
+        elem("rocksdb-fetch", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:rocksdb-fetch", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+    args = {
+        rocksdb_zstd = contains(split(",", cargo_feat_sets[feat_set]), "zstd_compression")? 1: 0,
+        rocksdb_jemalloc = contains(split(",", cargo_feat_sets[feat_set]), "jemalloc")? 1: 0,
+        rocksdb_iouring = contains(split(",", cargo_feat_sets[feat_set]), "io_uring")? 1: 0,
+        rocksdb_build_type = rocksdb_build_type
+        rocksdb_opt_level = rocksdb_opt_level
+        rocksdb_portable = rocksdb_portable
+        rocksdb_shared = 0
+    }
+}
+
+target "rocksdb-fetch" {
+    name = elem("rocksdb-fetch", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("rocksdb-fetch", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "rocksdb-fetch"
+    dockerfile = "docker/Dockerfile.rocksdb"
+    labels = {
+        "_group" = "rocksdb"
+        "_cache" = "trunk"
+    }
+    matrix = rust_feat_sys
+    inherits = [
+        elem("recipe", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+        elem("kitchen", [feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = elem("target:kitchen", [feat_set, sys_name, sys_version, sys_target])
+        recipe = elem("target:recipe", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+###############################################################################
+#
+# Project source and dependency acquisition
+#
+
+group "sources" {
+    targets = [
+        "source",
+        "ingredients",
+        "recipe",
+    ]
+}
+
+target "recipe" {
+    name = elem("recipe", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("recipe", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest")
+    ]
+    target =  "recipe"
+    output = ["type=docker,compression=zstd,mode=min"]
+    matrix = rust_feat_sys
+    inherits = [
+        elem("preparing", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:preparing", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "preparing" {
+    name = elem("preparing", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("preparing", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest")
+    ]
+    target =  "preparing"
+    matrix = rust_feat_sys
+    inherits = [
+        elem("ingredients", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:ingredients", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "ingredients" {
+    name = elem("ingredients", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("ingredients", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target =  "ingredients"
+    dockerfile = "docker/Dockerfile.ingredients"
+    matrix = rust_feat_sys
+    inherits = [
+        elem("source", [feat_set, sys_name, sys_version, sys_target]),
+        elem("chef", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target]),
+    ]
+    contexts = {
+        input = elem("target:chef", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+        source = elem("target:source", [feat_set, sys_name, sys_version, sys_target])
+    }
+    args = {
+        CARGO_PROFILE_test_DEBUG = "0"
+        CARGO_PROFILE_bench_DEBUG = "0"
+        CARGO_PROFILE_bench_LTO = "0"
+        CARGO_PROFILE_bench_CODEGEN_UNITS = "1"
+        cargo_features = join(",", [
+            cargo_feat_sets[feat_set],
+            cargo_features_always,
+        ])
+        CARGO_TARGET_DIR = "/usr/src/tuwunel/target/${sys_name}/${sys_version}/${rust_toolchain}"
+        CARGO_BUILD_RUSTFLAGS = (
+            rust_toolchain == "nightly"?
+                join(" ", nightly_rustflags): ""
+        )
+        RUST_BACKTRACE = "full"
+        ROCKSDB_LIB_DIR="/usr/lib/${sys_target}"
+        JEMALLOC_OVERRIDE="/usr/lib/${sys_target}/libjemalloc.so"
+        ZSTD_SYS_USE_PKG_CONFIG = (
+            contains(split(",", cargo_feat_sets[feat_set]), "zstd_compression")? 1: 0
+        )
+    }
+}
+
+target "source" {
+    name = elem("source", [feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("source", [feat_set, sys_name, sys_version, sys_target], "latest")
+    ]
+    target =  "source"
+    dockerfile = "docker/Dockerfile.ingredients"
+    labels = {
+        "_group" = "sources"
+        "_cache" = "trunk"
+    }
+    matrix = feat_sys
+    inherits = [
+        elem("kitchen", [feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:kitchen", [feat_set, sys_name, sys_version, sys_target])
+    }
+    args = {
+        git_checkout = "${git_checkout}"
+    }
+}
+
+###############################################################################
+#
+# Build Systems
+#
+
+group "buildsys" {
+    targets = [
+        "kitchen",
+        "cookware",
+        "chef",
+    ]
+}
+
+#
+# Rust build environment
+#
+
+target "chef" {
+    name = elem("chef", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("chef", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "chef"
+    matrix = rust_feat_sys
+    inherits = [
+        elem("cookware", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:cookware", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "cookware" {
+    name = elem("cookware", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("cookware", [rust_toolchain, rust_target, feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "cookware"
+    dockerfile = "docker/Dockerfile.cookware"
+    matrix = rust_feat_sys
+    inherits = [
+        elem("kitchen", [feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:kitchen", [feat_set, sys_name, sys_version, sys_target])
+    }
+    args = {
+        rust_toolchain = rust_toolchain
+        RUSTUP_HOME = "/opt/rustup"
+        CARGO_HOME = "/opt/${sys_name}/${sys_target}/cargo"
+        CARGO_TARGET = rust_target
+        CARGO_TERM_VERBOSE = CARGO_TERM_VERBOSE
+    }
+}
+
+#
+# Base build environment
+#
+
+target "kitchen" {
+    description = "Base build environment; sans Rust"
+    name = elem("kitchen", [feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("kitchen", [feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "kitchen"
+    dockerfile = "docker/Dockerfile.kitchen"
+    labels = {
+        "_group" = "buildsys"
+        "_cache" = "trunk"
+    }
+    matrix = feat_sys
+    inherits = [
+        elem("diner", [feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:diner", [feat_set, sys_name, sys_version, sys_target])
+    }
+    args = {
+        packages = join(" ", [
+            "bzip2",
+            contains(split(",", cargo_feat_sets[feat_set]), "io_uring")? "liburing-dev": "",
+            contains(split(",", cargo_feat_sets[feat_set]), "zstd_compression")? "libzstd-dev": "",
+            contains(split(",", cargo_feat_sets[feat_set]), "jemalloc")? "libjemalloc-dev": "",
+        ])
+    }
+}
+
+###############################################################################
+#
+# Base Systems
+#
+
+group "systems" {
+    targets = [
+        "system",
+        "diner",
+        "valgrind",
+        "perf",
+    ]
+}
+
+target "perf" {
+    description = "Base runtime environment with linux-perf installed."
+    name = elem("perf", [feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("perf", [feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "perf"
+    matrix = feat_sys
+    inherits = [
+        elem("diner", [feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:diner", [feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+target "valgrind" {
+    description = "Base runtime environment with valgrind installed."
+    name = elem("valgrind", [feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("valgrind", [feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "valgrind"
+    matrix = feat_sys
+    inherits = [
+        elem("diner", [feat_set, sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:diner", [feat_set, sys_name, sys_version, sys_target])
+    }
+}
+
+#
+# Base Runtime
+#
+
+target "diner" {
+    description = "Base runtime environment for executing the application."
+    name = elem("diner", [feat_set, sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("diner", [feat_set, sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "diner"
+    output = ["type=docker,compression=zstd,mode=min"]
+    dockerfile = "docker/Dockerfile.diner"
+    matrix = feat_sys
+    variable "cargo_feat_set" {
+        default = cargo_feat_sets[feat_set]
+    }
+    variable "cargo_features" {
+        default = split(",", cargo_feat_set)
+    }
+    inherits = [
+        elem("system", [sys_name, sys_version, sys_target])
+    ]
+    contexts = {
+        input = elem("target:system", [sys_name, sys_version, sys_target])
+    }
+    args = {
+        DEBIAN_FRONTEND="noninteractive"
+        var_lib_apt = "/var/lib/apt"
+        var_cache = "/var/cache"
+        packages = join(" ", [
+            contains(split(",", cargo_feat_sets[feat_set]), "io_uring")? "liburing2": "",
+            contains(split(",", cargo_feat_sets[feat_set]), "zstd_compression")? "libzstd1": "",
+            contains(split(",", cargo_feat_sets[feat_set]), "jemalloc")? "libjemalloc2": "",
+        ])
+    }
+}
+
+#
+# Base System
+#
+
+target "system" {
+    description = "Base system. Root of all our layers."
+    name = elem("system", [sys_name, sys_version, sys_target])
+    tags = [
+        elem_tag("system", [sys_name, sys_version, sys_target], "latest"),
+    ]
+    target = "system"
+    output = ["type=docker,compression=zstd,mode=min"]
+    cache_to = ["type=local,compression=zstd,mode=max"]
+    cache_from = ["type=local"]
+    dockerfile = "docker/Dockerfile.diner"
+    labels = {
+        "_group" = "systems"
+        "_cache" = "trunk"
+    }
+    matrix = sys
+    context = "."
+    args = {
+        sys_name = sys_name
+        sys_version = sys_version
+        sys_target = sys_target
+    }
+}
+
+###############################################################################
+#
+# Utils
+#
+
+function "elem_tag" {
+    params = [prefix, matrix, tag]
+    result = join(":", [elem(prefix, matrix), tag])
+}
+
+function "elem" {
+    params = [prefix, matrix]
+    result = join("--", [prefix, join("--", matrix)])
+}
diff --git a/docker/bake.sh b/docker/bake.sh
new file mode 100755
index 00000000..61cd4ee9
--- /dev/null
+++ b/docker/bake.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+set -eo pipefail
+
+default_docker_id="jevolk/tuwunel"
+docker_id=${docker_id:=$default_docker_id}
+docker_acct=${docker_acct:=$(echo $docker_id | cut -d"/" -f1)}
+docker_repo=${docker_repo:=$(echo $docker_id | cut -d"/" -f2)}
+
+CI="${CI:-true}"
+BASEDIR=$(dirname "$0")
+
+default_cargo_profiles='["test", "bench"]'
+default_feat_sets='["none", "default", "all"]'
+default_rust_toolchains='["nightly", "stable"]'
+default_rust_targets='["x86_64-unknown-linux-gnu"]'
+default_sys_names='["debian"]'
+default_sys_targets='["x86_64-linux-gnu"]'
+default_sys_versions='["testing-slim"]'
+
+if test ! -z "$cargo_profile"; then
+    env_cargo_profiles="[\"${cargo_profile}\"]"
+fi
+
+if test ! -z "$feat_set"; then
+    env_feat_sets="[\"${feat_set}\"]"
+fi
+
+if test ! -z "$rust_target"; then
+    env_rust_targets="[\"${rust_target}\"]"
+fi
+
+if test ! -z "$rust_toolchain"; then
+    env_rust_toolchains="[\"${rust_toolchain}\"]"
+fi
+
+if test ! -z "$sys_name"; then
+    env_sys_name="[\"${sys_name}\"]"
+fi
+
+if test ! -z "$sys_target"; then
+    env_sys_target="[\"${sys_target}\"]"
+fi
+
+if test ! -z "$sys_version"; then
+    env_sys_version="[\"${sys_version}\"]"
+fi
+
+set -a
+bake_target="${bake_target:-$@}"
+cargo_profiles="${env_cargo_profiles:-$default_cargo_profiles}"
+feat_sets="${env_feat_sets:-$default_feat_sets}"
+rust_targets="${env_rust_targets:-$default_rust_targets}"
+rust_toolchains="${env_rust_toolchains:-$default_rust_toolchains}"
+sys_names="${env_sys_names:-$default_sys_names}"
+sys_targets="${env_sys_targets:-$default_sys_targets}"
+sys_versions="${env_sys_versions:-$default_sys_versions}"
+
+runner_name=$(echo $RUNNER_NAME | cut -d"." -f1)
+runner_num=$(echo $RUNNER_NAME | cut -d"." -f2)
+rocksdb_opt_level=3
+rocksdb_portable=1
+git_checkout="HEAD"
+use_chef="true"
+complement_count=1
+complement_skip="TestPartialStateJoin.*"
+complement_skip="${complement_skip}|TestRoomDeleteAlias/Pa.*/Can_delete_canonical_alias"
+complement_skip="${complement_skip}|TestUnbanViaInvite.*"
+complement_skip="${complement_skip}|TestRoomDeleteAlias/Pa.*/Regular_users_can_add_and_delete_aliases_when.*"
+complement_skip="${complement_skip}|TestToDeviceMessagesOverFederation/stopped_server"
+complement_run=".*"
+set +a
+
+###############################################################################
+
+export DOCKER_BUILDKIT=1
+if test "$CI" = "true"; then
+    export BUILDKIT_PROGRESS="plain"
+    echo "plain"
+fi
+
+uwu_docker_build_args=""
+args="$uwu_docker_build_args"
+args="$args --builder owo"
+args="$args --set *.platform=${sys_platform}"
+
+if test ! -z "$runner_num"; then
+    #cpu_num=$(expr $runner_num % $(nproc))
+    #args="$args --cpuset-cpus=${cpu_num}"
+    #args="$args --set *.args.nprocs=1"
+    # https://github.com/moby/buildkit/issues/1276
+    :
+else
+    nprocs=$(nproc)
+    args="$args --set *.args.nprocs=${nprocs}"
+    :
+fi
+
+trap 'set +x; date; echo -e "\033[1;41;37mFAIL\033[0m"' ERR
+env
+date
+
+arg="$args -f $BASEDIR/bake.hcl"
+if test "$BUILDKIT_PROGRESS" = "plain"; then
+	echo "PRINTING"
+    docker buildx bake --print $arg $bake_target
+fi
+
+if test "$NO_BAKE" = "1"; then
+    exit 0
+fi
+
+trap '' ERR
+set -ux
+
+docker buildx bake $arg $bake_target
+
+set +x
+echo -e "\033[1;42;37mPASS\033[0m"
diff --git a/docker/run.sh b/docker/run.sh
new file mode 100755
index 00000000..49c15cd0
--- /dev/null
+++ b/docker/run.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -eo pipefail
+
+default_uwu_id="jevolk/tuwunel"
+uwu_id=${uwu_id:=$default_uwu_id}
+uwu_acct=${uwu_acct:=$(echo $uwu_id | cut -d"/" -f1)}
+uwu_repo=${uwu_repo:=$(echo $uwu_id | cut -d"/" -f2)}
+
+CI="${CI:-0}"
+BASEDIR=$(dirname "$0")
+
+runner_name=$(echo $RUNNER_NAME | cut -d"." -f1)
+runner_num=$(echo $RUNNER_NAME | cut -d"." -f2)
+
+###############################################################################
+
+tester_image="complement-tester--none--debian--testing-slim--x86_64-linux-gnu"
+testee_image="complement-testee--test--nightly--x86_64-unknown-linux-gnu--none--debian--testing-slim--x86_64-linux-gnu"
+name="complement_tester_nightly"
+sock="/var/run/docker.sock"
+arg="--rm --name $name -v $sock:$sock --network=host $tester_image ${testee_image}"
+
+trap 'set +x; date; echo -e "\033[1;41;37mFAIL\033[0m"' ERR
+date
+env
+set -x -e
+cid=$(docker run -d $arg)
+set +x
+trap 'docker container stop $cid; set +x; date; echo -e "\033[1;41;37mFAIL\033[0m"' INT
+docker wait "$cid" 2>/dev/null
+echo -e "\033[1;42;37mPASS\033[0m"
diff --git a/tests/test_results/complement/test_results.jsonl b/tests/test_results/complement/test_results.jsonl
index 97c2e1b1..37907dd3 100644
--- a/tests/test_results/complement/test_results.jsonl
+++ b/tests/test_results/complement/test_results.jsonl
@@ -502,6 +502,7 @@
 {"Action":"pass","Test":"TestRoomDeleteAlias/Parallel/Deleting_a_non-existent_alias_should_return_a_404"}
 {"Action":"pass","Test":"TestRoomDeleteAlias/Parallel/Regular_users_can_add_and_delete_aliases_in_the_default_room_configuration"}
 {"Action":"pass","Test":"TestRoomDeleteAlias/Parallel/Users_can't_delete_other's_aliases"}
+{"Action":"pass","Test":"TestRoomDeleteAlias/Parallel/Users_with_sufficient_power-level_can_delete_other's_aliases"}
 {"Action":"fail","Test":"TestRoomForget"}
 {"Action":"fail","Test":"TestRoomForget/Parallel"}
 {"Action":"pass","Test":"TestRoomForget/Parallel/Can't_forget_room_you're_still_in"}
@@ -606,10 +607,9 @@
 {"Action":"fail","Test":"TestThreadedReceipts"}
 {"Action":"fail","Test":"TestThreadsEndpoint"}
 {"Action":"pass","Test":"TestToDeviceMessages"}
-{"Action":"fail","Test":"TestToDeviceMessagesOverFederation"}
+{"Action":"pass","Test":"TestToDeviceMessagesOverFederation"}
 {"Action":"pass","Test":"TestToDeviceMessagesOverFederation/good_connectivity"}
 {"Action":"pass","Test":"TestToDeviceMessagesOverFederation/interrupted_connectivity"}
-{"Action":"fail","Test":"TestToDeviceMessagesOverFederation/stopped_server"}
 {"Action":"fail","Test":"TestTxnIdWithRefreshToken"}
 {"Action":"fail","Test":"TestTxnIdempotency"}
 {"Action":"pass","Test":"TestTxnIdempotencyScopedToDevice"}