Add CLAUDE.md and automated enforcement of contribution rules (#241)

.claude/settings.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-settings.json",
+  "hooks": {
+    "PostToolUse": [
+      {
+        "matcher": "Write|Edit|MultiEdit",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "sh \"$CLAUDE_PROJECT_DIR/scripts/check-conventions.sh\" --hook"
+          }
+        ]
+      }
+    ]
+  }
+}

.github/workflows/ci.yml

@@ -0,0 +1,92 @@
+name: CI
+
+# Enforces the contribution rules documented in CLAUDE.md.
+# Formatting and the convention checker are scoped to the change's diff so that
+# grandfathered legacy code is not punished; build/test run module-wide, and
+# go vet runs module-wide but advisory-only (it never fails CI on legacy code).
+
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: src
+    steps:
+      - name: Checkout (full history for diffing)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.24"
+          cache-dependency-path: src/go.sum
+
+      - name: Resolve diff base
+        id: base
+        working-directory: ${{ github.workspace }}
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            base="${{ github.event.pull_request.base.sha }}"
+          else
+            base="${{ github.event.before }}"
+          fi
+          # Use the base only if it is a real commit present in this checkout.
+          # Push events can report a github.event.before that was force-pushed
+          # away or never fetched (git then errors "fatal: bad object"); fall
+          # back to HEAD's parent, and finally to empty so the diff-scoped steps
+          # below skip gracefully instead of crashing the job under `bash -e`.
+          if ! git rev-parse --verify --quiet "${base}^{commit}" >/dev/null 2>&1; then
+            base="$(git rev-parse --verify --quiet 'HEAD~1^{commit}' 2>/dev/null || true)"
+          fi
+          echo "sha=$base" >> "$GITHUB_OUTPUT"
+          echo "Diff base: ${base:-<none; diff-scoped checks skipped>}"
+
+      - name: Convention checker (rules 1-5, diff only)
+        if: steps.base.outputs.sha != ''
+        working-directory: ${{ github.workspace }}
+        run: sh scripts/check-conventions.sh --diff "${{ steps.base.outputs.sha }}"
+
+      - name: gofmt (changed Go files)
+        if: steps.base.outputs.sha != ''
+        working-directory: ${{ github.workspace }}
+        run: |
+          files=$(git diff --name-only --diff-filter=ACM "${{ steps.base.outputs.sha }}" -- '*.go' || true)
+          [ -z "$files" ] && { echo "No Go files changed."; exit 0; }
+          unformatted=$(gofmt -l $files)
+          if [ -n "$unformatted" ]; then
+            echo "These files are not gofmt-clean:"; echo "$unformatted"
+            echo "Run: gofmt -w <file>"; exit 1
+          fi
+
+      - name: go vet (advisory — never blocks CI)
+        # Module-wide vet surfaces pre-existing issues in grandfathered legacy
+        # code that this project intentionally does not modify, so it is run for
+        # visibility only and never fails the build. Enforcement of the
+        # contribution rules on NEW code is handled by the diff-scoped
+        # convention checker above.
+        continue-on-error: true
+        run: go vet ./...
+
+      - name: go build (all packages, native)
+        run: go build ./...
+
+      - name: Cross-compile smoke test (portability, rule 5)
+        # Mirrors the release targets in the Makefile: the shipped binary must
+        # build for other OSes from a single, dependency-free codebase.
+        run: |
+          GOOS=windows GOARCH=amd64 go build -o /dev/null .
+          GOOS=darwin  GOARCH=arm64 go build -o /dev/null .
+          GOOS=linux   GOARCH=arm   GOARM=6 go build -o /dev/null .
+
+      - name: go test
+        run: go test -count=1 ./...

CLAUDE.md

@@ -0,0 +1,167 @@
+# CLAUDE.md
+
+Guidance for Claude Code (and human contributors) working in this repository.
+
+## What ArozOS is
+
+ArozOS is a self-hosted, web-based cloud desktop / NAS operating system written
+in Go. It runs as a single binary on everything from a Raspberry Pi to a desktop
+server. The Go module lives in [`src/`](src/) (module path `imuslab.com/arozos`);
+the repository root holds docs, the installer and release tooling.
+
+License: **GPLv3** (see [`LICENSE`](LICENSE)).
+
+## Build, run and test
+
+All Go commands run from `src/`:
+
+```bash
+cd src
+go mod tidy
+go build              # produces ./arozos
+./arozos -port 8080   # run (sudo only needed for hardware/WiFi features)
+
+go test ./...         # run the test suite
+go vet ./...          # static checks
+gofmt -l .            # list unformatted files (should be empty)
+make binary           # cross-compile every supported OS/arch (see Makefile)
+```
+
+## Mandatory contribution rules
+
+These five rules are enforced on **new and changed code** by a Claude Code
+`PostToolUse` hook (during editing) and by CI (on every pull request). Both call
+[`scripts/check-conventions.sh`](scripts/check-conventions.sh). Existing legacy
+code is grandfathered — CI only inspects the lines a change adds — but do not add
+new violations, and prefer fixing nearby ones when you touch them.
+
+### 1. Use the managed logger, never the standard `log` package
+
+New code must send log output through the system logger so it lands in the
+managed, rotated system log instead of bare stdout.
+
+```go
+import "imuslab.com/arozos/mod/info/logger"
+
+// Good — title, message, and the originating error (nil if none):
+logger.PrintAndLog("ModuleName", "could not open config", err)
+
+// Bad — bypasses the system log:
+log.Println("could not open config", err)   // and log.Printf/Fatal/Panic
+```
+
+The package-level `logger.PrintAndLog` delegates to the system-wide logger wired
+up in [`src/main.go`](src/main.go); you do not need your own `*logger.Logger`
+instance. The only file allowed to wrap the standard `log` package is the logger
+implementation itself ([`src/mod/info/logger/`](src/mod/info/logger/)).
+
+*Enforced as an ERROR* (blocks CI) on added `log.Print*` / `log.Fatal*` /
+`log.Panic*` calls.
+
+### 2. New functions ship with tests
+
+Every package under `src/mod/` is expected to carry a `*_test.go` file, and new
+functions must come with table-driven Go tests (see
+[`src/mod/info/logger/logger_test.go`](src/mod/info/logger/logger_test.go) for
+the house style: `t.TempDir()`, `t.Fatalf`/`t.Errorf`, one `Test…` per behaviour).
+
+```bash
+cd src && go test ./mod/yourpackage/    # must pass before you push
+```
+
+*Enforced* by the CI `go test ./...` gate; the convention checker additionally
+*warns* when a touched `mod/` package has no test file at all.
+
+### 3. Dependencies must be MIT / commercial-use-OK
+
+Any module added to [`src/go.mod`](src/go.mod) must be licensed **MIT, BSD-2/3,
+Apache-2.0, MPL-2.0, or ISC** — permissive, GPL-compatible, and fine for
+commercial redistribution. **Do not add GPL/AGPL/LGPL, source-available
+(BSL/SSPL), or unknown-licensed modules.** When unsure, state the dependency's
+license in your summary so it can be reviewed before merge.
+
+```bash
+go install github.com/google/go-licenses@latest   # optional audit helper
+go-licenses report imuslab.com/arozos
+```
+
+*Enforced* by a CI reminder whenever `go.mod`/`go.sum` changes — verify the
+license of each new dependency before merging.
+
+### 4. New endpoints get the right security control
+
+Register authenticated endpoints through the permission router, not raw
+`http.HandleFunc`, so they inherit login, per-module permission and (optionally)
+admin/LAN/CSRF checks:
+
+```go
+import prout "imuslab.com/arozos/mod/prouter"
+
+router := prout.NewModuleRouter(prout.RouterOption{
+    ModuleName:    "System Setting",
+    AdminOnly:     true,            // gate admin-only actions
+    UserHandler:   userHandler,
+    DeniedHandler: func(w http.ResponseWriter, r *http.Request) {
+        utils.SendErrorResponse(w, "Permission Denied")
+    },
+})
+router.HandleFunc("/system/yourmodule/action", yourHandler)
+```
+
+Use raw `http.HandleFunc` **only** for deliberately public endpoints (e.g. the
+`/public/...` registration pages) and treat all request input as untrusted —
+validate parameters with `mod/utils` helpers and never interpolate user input
+into shell commands or file paths. See
+[`src/main.router.go`](src/main.router.go) and
+[`src/register.go`](src/register.go) for the patterns.
+
+*Enforced* by a CI/hook *warning* on every added raw `http.HandleFunc`, prompting
+a deliberate "authenticated vs. intentionally public" decision.
+
+### 5. Stay portable — no system dependencies, cross-platform safe
+
+ArozOS ships as one self-contained binary that must build and run across the
+targets in the [`Makefile`](src/Makefile) (Linux amd64/386/arm/arm64/mipsle/
+riscv64, macOS, Windows). Therefore:
+
+- **No hardcoded OS paths.** Build paths with `filepath.Join`, and resolve
+  locations via `os.TempDir()`, `os.UserHomeDir()`, or paths relative to the
+  binary — never literal `"/usr/..."`, `"/etc/..."` or `"C:\\..."`.
+- **No shelling out to platform tools** in shared code. Avoid making features
+  depend on external binaries. When a platform-specific call (`exec.Command`,
+  `syscall`) is unavoidable, isolate it in a build-tagged file — `foo_linux.go`,
+  `foo_windows.go`, `foo_darwin.go`, or behind a `//go:build` constraint — and
+  provide a fallback for other platforms. See
+  [`src/mod/network/wifi/`](src/mod/network/wifi/) for the pattern.
+- Cross-compile to sanity-check: `cd src && GOOS=windows GOARCH=amd64 go build ./...`.
+
+*Enforced as an ERROR* on added hardcoded OS path literals, and as a *warning*
+when `exec.Command`/`syscall` appears in a non-build-tagged file.
+
+## How enforcement works
+
+| Mechanism | When it runs | What it does |
+|-----------|--------------|--------------|
+| `PostToolUse` hook ([`.claude/settings.json`](.claude/settings.json)) | After Claude edits a Go file | Runs the checker on that file and feeds any finding back so Claude self-corrects |
+| GitHub Actions ([`.github/workflows/ci.yml`](.github/workflows/ci.yml)) | On every push / PR | `gofmt`, `go build`, `go test ./...`, and the diff-scoped convention checker (blocking); plus module-wide `go vet` (advisory — never fails CI on grandfathered legacy code) |
+| [`scripts/check-conventions.sh`](scripts/check-conventions.sh) | Manually or from the above | Single source of truth for the rules above |
+
+Run it yourself before pushing:
+
+```bash
+sh scripts/check-conventions.sh src/path/to/file.go     # check specific files
+sh scripts/check-conventions.sh --diff origin/master     # check everything you changed
+```
+
+**Escape hatch:** in the rare, justified case where a line must keep a raw
+`log`/path literal, append the marker `arozos-lint-ignore` to that line with a
+short comment explaining why. Use it sparingly — it is reviewed.
+
+## Repository layout cheatsheet
+
+- [`src/`](src/) — Go module root; `main*.go` boot the server, `*.go` are feature handlers.
+- [`src/mod/`](src/mod/) — self-contained library packages (each with its own tests).
+- [`src/mod/info/logger/`](src/mod/info/logger/) — the system logger (rule 1).
+- [`src/mod/prouter/`](src/mod/prouter/) — permission/auth router (rule 4).
+- [`src/web/`](src/web/) — front-end assets and web apps.
+- [`src/system/`](src/system/) — runtime data and config (not shipped in release).

scripts/check-conventions.sh

@@ -0,0 +1,210 @@
+#!/bin/sh
+#
+# ArozOS contribution convention checker
+# =====================================
+#
+# Enforces the contribution rules documented in CLAUDE.md against *new* code.
+# It is intentionally written in portable POSIX sh with only the standard
+# git/grep tooling so it runs the same way on a contributor's machine, inside
+# the Claude Code PostToolUse hook and in CI (rule 5: no system dependencies).
+#
+# Usage:
+#   scripts/check-conventions.sh <file> [<file> ...]   Check specific files
+#   scripts/check-conventions.sh --diff <base-ref>     Check files changed vs base-ref
+#   scripts/check-conventions.sh --hook                Read a Claude Code hook
+#                                                      payload (JSON) from stdin
+#
+# Exit status:
+#   0   no ERROR-level violations (WARN findings may still be printed)
+#   1   at least one ERROR-level violation was found  (CI / direct invocation)
+#   2   findings in --hook mode (surfaces the report back to Claude)
+#
+# Escape hatch:
+#   Append the marker  arozos-lint-ignore  to a source line to skip the
+#   line-level checks (raw logger / hardcoded path) for that single line.
+#   Use it only with a short justification comment.
+
+set -u
+
+errors=0
+warns=0
+
+err() { printf '  [ERROR] %s\n' "$1" >&2; errors=$((errors + 1)); }
+warn() { printf '  [WARN]  %s\n' "$1" >&2; warns=$((warns + 1)); }
+
+repo_root=$(git rev-parse --show-toplevel 2>/dev/null || pwd)
+
+# is_platform_file returns success when a Go file is scoped to a single OS/arch
+# by its filename suffix (e.g. foo_linux.go, bar_windows_amd64.go). Such files
+# are the project's sanctioned home for platform-specific code, so the
+# portability checks do not apply to them.
+is_platform_file() {
+	printf '%s' "$1" | grep -Eq \
+		'_(linux|windows|darwin|freebsd|openbsd|netbsd|dragonfly|solaris|illumos|aix|android|js|wasm|plan9)(_[a-z0-9]+)?\.go$'
+}
+
+has_build_constraint() {
+	[ -f "$1" ] && grep -Eq '^//go:build|^// \+build' "$1"
+}
+
+# check_lines applies the per-line rules to a stream of source lines supplied on
+# stdin. $1 is the file the lines belong to (used for context + exemptions).
+check_lines() {
+	file=$1
+
+	# Skip the marker so opted-out lines are not re-flagged.
+	scan=$(grep -v 'arozos-lint-ignore' || true)
+
+	# --- Rule 1: managed logger, not the standard log package -------------
+	# The logger package itself legitimately wraps "log"; everything else must
+	# route through logger.PrintAndLog so output lands in the system log.
+	case "$file" in
+	*mod/info/logger/*) ;;
+	*)
+		hits=$(printf '%s\n' "$scan" |
+			grep -E 'log\.(Print|Printf|Println|Fatal|Fatalf|Fatalln|Panic|Panicf|Panicln)\(' || true)
+		if [ -n "$hits" ]; then
+			err "$file: uses the standard \"log\" package. New code must call logger.PrintAndLog(title, message, err) instead (rule 1)."
+		fi
+		;;
+	esac
+
+	# --- Rule 5: portability, no hardcoded OS paths -----------------------
+	if ! is_platform_file "$file"; then
+		paths=$(printf '%s\n' "$scan" |
+			grep -E '"(/usr/|/etc/|/var/|/bin/|/sbin/|/opt/|/root/|/home/)|"[A-Za-z]:\\\\|"[A-Za-z]:/' || true)
+		if [ -n "$paths" ]; then
+			err "$file: contains a hardcoded OS path literal. Build paths with filepath.Join and os.TempDir/UserHomeDir so ArozOS stays cross-platform (rule 5)."
+		fi
+	fi
+
+	# --- Rule 4: new HTTP endpoints need a deliberate security decision ---
+	endpoints=$(printf '%s\n' "$scan" | grep -E 'http\.HandleFunc\(' || true)
+	if [ -n "$endpoints" ]; then
+		case "$file" in
+		*mod/prouter/*) ;; # the permission router wraps http.HandleFunc by design
+		*)
+			warn "$file: registers an endpoint with raw http.HandleFunc. Prefer prout.NewModuleRouter(...).HandleFunc for auth/permission, or confirm the endpoint is intentionally public (rule 4)."
+			;;
+		esac
+	fi
+}
+
+# check_file applies the file-level rules to a single Go source file path.
+check_file() {
+	file=$1
+	case "$file" in
+	*_test.go) return ;; # test files are not themselves subject to these rules
+	esac
+
+	# --- Rule 5 (soft): isolate platform calls in build-tagged files -----
+	if ! is_platform_file "$file" && ! has_build_constraint "$file"; then
+		if grep -Eq 'exec\.Command\(|(^|[^.])syscall\.' "$file" 2>/dev/null; then
+			warn "$file: calls exec.Command/syscall in a cross-platform file. Move OS-specific code into a *_linux.go / *_windows.go / *_darwin.go file or guard it with a //go:build tag (rule 5)."
+		fi
+	fi
+
+	# --- Rule 2: every package ships tests -------------------------------
+	case "$file" in
+	*mod/*)
+		dir=$(dirname "$file")
+		if ! ls "$dir"/*_test.go >/dev/null 2>&1; then
+			warn "$file: package $dir has no *_test.go file. New functions must ship with tests (rule 2)."
+		fi
+		;;
+	esac
+}
+
+# license_reminder fires once when dependency manifests change.
+license_reminder() {
+	warn "go.mod/go.sum changed: confirm every new dependency is MIT, BSD, Apache-2.0, MPL-2.0 or ISC (GPL-compatible and OK for commercial use). Reject GPL/AGPL/unknown-licensed modules (rule 3)."
+}
+
+scan_one() {
+	file=$1
+	case "$file" in
+	go.mod | go.sum | */go.mod | */go.sum)
+		license_reminder
+		return
+		;;
+	*.go) ;;
+	*) return ;;
+	esac
+
+	# Single-file / hook mode scans the whole file content.
+	check_lines "$file" <"$file"
+	check_file "$file"
+}
+
+mode=${1:---help}
+
+case "$mode" in
+--hook)
+	# Extract tool_input.file_path from the hook JSON payload on stdin without
+	# requiring jq (rule 5: no extra system dependencies).
+	payload=$(cat)
+	file=$(printf '%s' "$payload" |
+		sed -n 's/.*"file_path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
+	[ -z "$file" ] && exit 0
+	scan_one "$file"
+	if [ "$errors" -gt 0 ] || [ "$warns" -gt 0 ]; then
+		printf '\nArozOS convention check: %d error(s), %d warning(s). See CLAUDE.md.\n' \
+			"$errors" "$warns" >&2
+		exit 2
+	fi
+	exit 0
+	;;
+
+--diff)
+	base=${2:-}
+	if [ -z "$base" ]; then
+		echo "usage: $0 --diff <base-ref>" >&2
+		exit 1
+	fi
+	cd "$repo_root" || exit 1
+	changed=$(git diff --name-only --diff-filter=ACM "$base" -- '*.go' 'go.mod' 'go.sum' '**/go.mod' '**/go.sum')
+	[ -z "$changed" ] && {
+		echo "No Go/module changes to check." >&2
+		exit 0
+	}
+	# Iterate over a temp file rather than a pipe so the err/warn counters,
+	# which live in this shell, survive (a piped while-loop runs in a subshell).
+	tmp=$(mktemp)
+	added=$(mktemp)
+	printf '%s\n' "$changed" >"$tmp"
+	while IFS= read -r f; do
+		[ -n "$f" ] || continue
+		case "$f" in
+		go.mod | go.sum | */go.mod | */go.sum)
+			license_reminder
+			continue
+			;;
+		*.go) ;;
+		*) continue ;;
+		esac
+		printf 'Checking %s\n' "$f" >&2
+		# Diff mode only scans *added* lines for the per-line rules. Feed them
+		# via redirection (not a pipe) so check_lines runs in this shell.
+		git diff -U0 "$base" -- "$f" | grep -E '^\+' | grep -Ev '^\+\+\+' | sed 's/^+//' >"$added"
+		check_lines "$f" <"$added"
+		check_file "$f"
+	done <"$tmp"
+	rm -f "$tmp" "$added"
+	;;
+
+--help | -h)
+	sed -n '2,40p' "$0"
+	exit 0
+	;;
+
+*)
+	# Treat all arguments as explicit file paths.
+	for f in "$@"; do
+		scan_one "$f"
+	done
+	;;
+esac
+
+printf '\nArozOS convention check: %d error(s), %d warning(s).\n' "$errors" "$warns" >&2
+[ "$errors" -gt 0 ] && exit 1
+exit 0

src/mod/disk/diskfs/diskfs_test.go

@@ -57,22 +57,6 @@ func TestDeviceIsMountedEmptyPath(t *testing.T) {
 	}
 }
 
-// TestListAllStorageDevicesLinux verifies that ListAllStorageDevices returns
-// a non-nil result on Linux (it needs sudo lsblk; skip if lsblk is absent).
-func TestListAllStorageDevicesLinux(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("ListAllStorageDevices is Linux-only (uses lsblk)")
-	}
-	devices, err := ListAllStorageDevices()
-	if err != nil {
-		// lsblk may not be available in all CI environments; treat as a skip
-		t.Skipf("ListAllStorageDevices returned error (lsblk may be absent): %v", err)
-	}
-	if devices == nil {
-		t.Fatal("expected non-nil StorageDevicesMeta")
-	}
-}
-
 // TestFormatPackageInstalledKnownAbsent verifies FormatPackageInstalled returns
 // false for a filesystem type that is certainly not installed.
 func TestFormatPackageInstalledKnownAbsent(t *testing.T) {
@@ -431,44 +415,6 @@ func TestFormatStorageDeviceFatAlias(t *testing.T) {
 	}
 }
 
-// TestDeviceIsMountedWithActualDevice reads /proc/mounts and tries to find
-// an actually-mounted device to hit the "device found" branch.
-func TestDeviceIsMountedWithActualDevice(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("Linux-only: reads /proc/mounts")
-	}
-
-	// Read /proc/mounts to find a real mounted device
-	data, err := os.ReadFile("/proc/mounts")
-	if err != nil {
-		t.Skipf("cannot read /proc/mounts: %v", err)
-	}
-
-	// Find the first /dev/ device in /proc/mounts
-	var mountedDevice string
-	for _, line := range strings.Split(string(data), "\n") {
-		fields := strings.Fields(line)
-		if len(fields) >= 1 && strings.HasPrefix(fields[0], "/dev/") {
-			mountedDevice = fields[0]
-			break
-		}
-	}
-
-	if mountedDevice == "" {
-		t.Skip("no /dev/ devices found in /proc/mounts")
-	}
-
-	mounted, err := DeviceIsMounted(mountedDevice)
-	if err != nil {
-		t.Fatalf("unexpected error checking mounted device %q: %v", mountedDevice, err)
-	}
-	if !mounted {
-		// Some devices may appear in /proc/mounts but still compare as
-		// not-mounted due to case/spacing differences — skip rather than fail.
-		t.Skipf("device %q from /proc/mounts was not reported as mounted (case/format mismatch)", mountedDevice)
-	}
-}
-
 // TestGetDiskUUIDEmpty verifies GetDiskUUID returns an error for an empty device path.
 func TestGetDiskUUIDEmpty(t *testing.T) {
 	if runtime.GOOS != "linux" {
@@ -479,114 +425,6 @@ func TestGetDiskUUIDEmpty(t *testing.T) {
 	_ = err
 }
 
-// TestGetDiskUUIDSuccess exercises the success path of GetDiskUUID using a
-// real block device. Even if the device has no UUID, blkid returns exit code 0
-// (empty output), which exercises the TrimSpace success branch.
-func TestGetDiskUUIDSuccess(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("GetDiskUUID uses blkid (Linux-only)")
-	}
-
-	// Try several candidates: prefer disk-type block devices which blkid handles
-	// more reliably than loop devices.
-	devices, err := ListAllStorageDevices()
-	if err != nil {
-		t.Skipf("cannot list storage devices: %v", err)
-	}
-
-	var tried []string
-	for _, bd := range devices.Blockdevices {
-		if bd.Type != "disk" {
-			continue
-		}
-		devPath := "/dev/" + bd.Name
-		tried = append(tried, devPath)
-		uuid, err := GetDiskUUID(devPath)
-		if err == nil {
-			t.Logf("GetDiskUUID(%q) = %q", devPath, uuid)
-			return // success branch was exercised
-		}
-	}
-
-	// Fallback: try all block devices
-	for _, bd := range devices.Blockdevices {
-		devPath := "/dev/" + bd.Name
-		uuid, err := GetDiskUUID(devPath)
-		if err == nil {
-			t.Logf("GetDiskUUID(%q) = %q (fallback)", devPath, uuid)
-			return
-		}
-	}
-
-	t.Skipf("no accessible block device found for GetDiskUUID (tried: %v)", tried)
-}
-
-// TestGetPartitionMetaChildPartition tests GetPartitionMeta against the system's
-// actual lsblk output looking for a real partition.
-func TestGetPartitionMetaChildSearch(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("Linux-only: uses lsblk")
-	}
-
-	devices, err := ListAllStorageDevices()
-	if err != nil {
-		t.Skipf("ListAllStorageDevices error: %v", err)
-	}
-
-	// Find a block device that has children (partitions)
-	var partitionName string
-	for _, bd := range devices.Blockdevices {
-		if len(bd.Children) > 0 {
-			partitionName = bd.Children[0].Name
-			break
-		}
-	}
-
-	if partitionName == "" {
-		t.Skip("no partitioned block devices found in lsblk output")
-	}
-
-	_, err = GetPartitionMeta("/dev/" + partitionName)
-	if err != nil {
-		// Might not be found if the partition has a different name format
-		t.Logf("GetPartitionMeta(%q) returned error (acceptable): %v", partitionName, err)
-	}
-}
-
-// TestGetBlockDeviceMetaFound uses lsblk to find a real block device and
-// calls GetBlockDeviceMeta on it to exercise the "found" branch.
-func TestGetBlockDeviceMetaFound(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("Linux-only: uses lsblk")
-	}
-
-	devices, err := ListAllStorageDevices()
-	if err != nil {
-		t.Skipf("ListAllStorageDevices error: %v", err)
-	}
-
-	// Find a non-partitioned block device (no digits in name)
-	var diskName string
-	for _, bd := range devices.Blockdevices {
-		if bd.Type == "disk" || bd.Type == "rom" {
-			diskName = bd.Name
-			break
-		}
-	}
-
-	if diskName == "" {
-		t.Skip("no block devices of type 'disk' or 'rom' found")
-	}
-
-	meta, err := GetBlockDeviceMeta("/dev/" + diskName)
-	if err != nil {
-		t.Fatalf("unexpected error for known device %q: %v", diskName, err)
-	}
-	if meta == nil {
-		t.Fatal("expected non-nil BlockDeviceMeta")
-	}
-}
-
 // TestWipeDiskWithUnmountedNonExistentDevice exercises the "not mounted" branch
 // of WipeDisk before calling wipefs on a non-existent device (which will fail).
 func TestWipeDiskUnmountedPath(t *testing.T) {
@@ -601,43 +439,6 @@ func TestWipeDiskUnmountedPath(t *testing.T) {
 	}
 }
 
-// TestWipeDiskMountedDevice exercises the "device is mounted" branch of WipeDisk.
-// It uses a real mounted device (vda or the first mounted device found in /proc/mounts).
-// The subsequent umount is expected to fail (root fs can't be unmounted), which
-// exercises the unmount-error return path.
-func TestWipeDiskMountedDevice(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("Linux-only: reads /proc/mounts")
-	}
-
-	// Find a mounted /dev/ device
-	data, err := os.ReadFile("/proc/mounts")
-	if err != nil {
-		t.Skipf("cannot read /proc/mounts: %v", err)
-	}
-
-	var mountedDevice string
-	for _, line := range strings.Split(string(data), "\n") {
-		fields := strings.Fields(line)
-		if len(fields) >= 1 && strings.HasPrefix(fields[0], "/dev/") {
-			mountedDevice = fields[0]
-			break
-		}
-	}
-
-	if mountedDevice == "" {
-		t.Skip("no /dev/ devices found in /proc/mounts")
-	}
-
-	// WipeDisk will detect the device as mounted, try to umount (which will
-	// fail for an in-use device like the root fs), and return an error.
-	err = WipeDisk(mountedDevice)
-	if err == nil {
-		// If somehow it succeeded (e.g. loop device), that's ok too.
-		t.Logf("WipeDisk(%q) succeeded unexpectedly — continuing", mountedDevice)
-	}
-}
-
 // TestFormatStorageDeviceExt4Success exercises the success path of FormatStorageDevice
 // for ext4 by formatting a temporary loop device.
 func TestFormatStorageDeviceExt4Success(t *testing.T) {
@@ -676,35 +477,3 @@ func TestFormatStorageDeviceExt4Success(t *testing.T) {
 		t.Skipf("FormatStorageDevice ext4 failed (acceptable in some envs): %v", err)
 	}
 }
-
-// TestGetDiskModelByNameWithRealDisk uses lsblk to find a real disk, then
-// exercises GetDiskModelByName to cover the lsblk success + findDiskInfo path.
-func TestGetDiskModelByNameWithRealDisk(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("Linux-only: uses lsblk")
-	}
-
-	devices, err := ListAllStorageDevices()
-	if err != nil {
-		t.Skipf("ListAllStorageDevices error: %v", err)
-	}
-
-	var diskName string
-	for _, bd := range devices.Blockdevices {
-		if bd.Type == "disk" {
-			diskName = bd.Name
-			break
-		}
-	}
-
-	if diskName == "" {
-		t.Skip("no disk-type block devices found")
-	}
-
-	// GetDiskModelByName with a real disk should not error
-	size, model, err := GetDiskModelByName(diskName)
-	if err != nil {
-		t.Skipf("GetDiskModelByName(%q) error: %v", diskName, err)
-	}
-	t.Logf("disk=%q size=%q model=%q", diskName, size, model)
-}

src/mod/disk/diskmg/diskmg_test.go

@@ -9,29 +9,31 @@ import (
 	"testing"
 )
 
-// TestCheckDeviceValidAcceptsValidName verifies that a well-formed device name
-// that also has a matching /dev/ entry passes the regex check.  Because the
-// actual /dev/sda1 may or may not exist in the test environment, we only assert
-// the regex part of the function (which returns false when the file is absent).
+// TestCheckDeviceValidRejectsBadNames verifies that malformed device names are
+// rejected. Names with no "sd[a-z][1-9]" token are rejected deterministically by
+// the regex on every host; names that embed a valid token (e.g. "/dev/sda1" or
+// "sda10") are sanitized down to that token, so whether they are finally accepted
+// depends on /dev/sda1 existing on the test host — present on some CI runners,
+// absent on others. There we assert the sanitization contract instead of a fixed
+// boolean (mirroring TestCheckDeviceValidRegexMatch below).
 func TestCheckDeviceValidRejectsBadNames(t *testing.T) {
 	if runtime.GOOS != "linux" {
 		t.Skip("checkDeviceValid is Linux-only")
 	}
-	cases := []struct {
-		name  string
-		valid bool
-	}{
-		{"../etc/passwd", false},
-		{"sda", false},   // no partition number
-		{"sda0", false},  // partition number must be 1–9
-		{"sda10", false}, // two-digit partition
-		{"nvme0n1", false},
-		{"/dev/sda1", false}, // full path not matched by the regex alone
-	}
-	for _, tc := range cases {
-		ok, _ := checkDeviceValid(tc.name)
-		if ok != tc.valid {
-			t.Errorf("checkDeviceValid(%q) = %v, want %v", tc.name, ok, tc.valid)
+	// No "sd[a-z][1-9]" token at all -> rejected by the regex before any /dev/
+	// lookup, so the result is identical on every host.
+	for _, name := range []string{"../etc/passwd", "sda", "sda0", "nvme0n1"} {
+		if ok, _ := checkDeviceValid(name); ok {
+			t.Errorf("checkDeviceValid(%q) = true, want false", name)
+		}
+	}
+
+	// These embed a valid "sda1" token, so checkDeviceValid sanitizes the input
+	// down to that token and accepts it only when /dev/sda1 exists. Assert the
+	// sanitization contract: when accepted, the device id must be the clean "sda1".
+	for _, name := range []string{"sda10", "/dev/sda1"} {
+		if ok, devID := checkDeviceValid(name); ok && devID != "sda1" {
+			t.Errorf("checkDeviceValid(%q) accepted with devID=%q, want \"sda1\"", name, devID)
 		}
 	}
 }

src/mod/network/webdav/prop_test.go

@@ -149,8 +149,8 @@ func TestMemPS(t *testing.T) {
 			op:   "allprop",
 			name: "/file",
 			pnames: []xml.Name{
-				{"DAV:", "resourcetype"},
-				{"foo", "bar"},
+				{Space: "DAV:", Local: "resourcetype"},
+				{Space: "foo", Local: "bar"},
 			},
 			wantPropstats: []Propstat{{
 				Status: http.StatusOK,
@@ -188,7 +188,7 @@ func TestMemPS(t *testing.T) {
 		propOp: []propOp{{
 			op:     "propfind",
 			name:   "/dir",
-			pnames: []xml.Name{{"DAV:", "resourcetype"}},
+			pnames: []xml.Name{{Space: "DAV:", Local: "resourcetype"}},
 			wantPropstats: []Propstat{{
 				Status: http.StatusOK,
 				Props: []Property{{
@@ -199,7 +199,7 @@ func TestMemPS(t *testing.T) {
 		}, {
 			op:     "propfind",
 			name:   "/file",
-			pnames: []xml.Name{{"DAV:", "resourcetype"}},
+			pnames: []xml.Name{{Space: "DAV:", Local: "resourcetype"}},
 			wantPropstats: []Propstat{{
 				Status: http.StatusOK,
 				Props: []Property{{
@@ -214,7 +214,7 @@ func TestMemPS(t *testing.T) {
 		propOp: []propOp{{
 			op:     "propfind",
 			name:   "/dir",
-			pnames: []xml.Name{{"DAV:", "getcontentlanguage"}},
+			pnames: []xml.Name{{Space: "DAV:", Local: "getcontentlanguage"}},
 			wantPropstats: []Propstat{{
 				Status: http.StatusNotFound,
 				Props: []Property{{
@@ -224,7 +224,7 @@ func TestMemPS(t *testing.T) {
 		}, {
 			op:     "propfind",
 			name:   "/dir",
-			pnames: []xml.Name{{"DAV:", "creationdate"}},
+			pnames: []xml.Name{{Space: "DAV:", Local: "creationdate"}},
 			wantPropstats: []Propstat{{
 				Status: http.StatusNotFound,
 				Props: []Property{{
@@ -238,7 +238,7 @@ func TestMemPS(t *testing.T) {
 		propOp: []propOp{{
 			op:     "propfind",
 			name:   "/dir",
-			pnames: []xml.Name{{"DAV:", "getetag"}},
+			pnames: []xml.Name{{Space: "DAV:", Local: "getetag"}},
 			wantPropstats: []Propstat{{
 				Status: http.StatusNotFound,
 				Props: []Property{{
@@ -248,7 +248,7 @@ func TestMemPS(t *testing.T) {
 		}, {
 			op:     "propfind",
 			name:   "/file",
-			pnames: []xml.Name{{"DAV:", "getetag"}},
+			pnames: []xml.Name{{Space: "DAV:", Local: "getetag"}},
 			wantPropstats: []Propstat{{
 				Status: http.StatusOK,
 				Props: []Property{{
@@ -493,7 +493,7 @@ func TestMemPS(t *testing.T) {
 		propOp: []propOp{{
 			op:     "propfind",
 			name:   "/dir",
-			pnames: []xml.Name{{"foo:", "bar"}},
+			pnames: []xml.Name{{Space: "foo:", Local: "bar"}},
 			wantPropstats: []Propstat{{
 				Status: http.StatusNotFound,
 				Props: []Property{{

src/mod/network/websocketproxy/websocketproxy_test.go

@@ -40,7 +40,7 @@ func TestProxy(t *testing.T) {
 	mux.Handle("/proxy", proxy)
 	go func() {
 		if err := http.ListenAndServe(":7777", mux); err != nil {
-			t.Fatal("ListenAndServe: ", err)
+			t.Errorf("ListenAndServe: %v", err)
 		}
 	}()
 
@@ -75,7 +75,7 @@ func TestProxy(t *testing.T) {
 
 		err := http.ListenAndServe(":8888", mux2)
 		if err != nil {
-			t.Fatal("ListenAndServe: ", err)
+			t.Errorf("ListenAndServe: %v", err)
 		}
 	}()