diff --git a/.clangd b/.clangd
new file mode 100644
index 0000000..28192a0
--- /dev/null
+++ b/.clangd
@@ -0,0 +1,17 @@
+# Tell clangd how the BPF units are compiled (mirrors build/bpf.mk), so the
+# editor resolves vmlinux.h, the libbpf headers, and the __u* types instead of
+# flagging them. vmlinux.h is generated by `make`, so run it once for full
+# resolution.
+#
+# -I../v/include points at the vendored libbpf SDK headers when editing inside
+# the bootstrap repo (where v/ is a sibling). In a scaffolded project the
+# headers live in the shared toolchain cache instead; clangd harmlessly
+# ignores the missing path there. clangd resolves these relative to the
+# project root (the compile working directory).
+CompileFlags:
+  Add:
+    - -target
+    - bpf
+    - -Isrc/bpf/include
+    - -I../v/include
+    - -D__BPF_TRACING__
diff --git a/.github/workflows/kernel-matrix.yml b/.github/workflows/kernel-matrix.yml
new file mode 100644
index 0000000..a6f4743
--- /dev/null
+++ b/.github/workflows/kernel-matrix.yml
@@ -0,0 +1,198 @@
+name: kernel-matrix
+
+# Build the BPF object once per job, then boot a range of kernels and confirm
+# each one's verifier accepts every program in bin/probe.bpf.o. The check is
+# the vendored static `veristat` (it loads each program and reports a verdict);
+# kernels come from cilium's little-vm-helper (quay.io/lvh-images), booted under
+# QEMU/KVM on the runner. Each job writes a detail table to its step summary and
+# uploads its result; the final `matrix` job pivots them into one ✅/❌ grid.
+#
+# Tune `matrix.kernel` to the kernel lines your script must support (`6.6`,
+# `bpf-next`, …). Each line is resolved to a concrete image at run time rather
+# than using the floating `<ver>-main` tag, which the action can't consume:
+# little-vm-helper@v0.0.30 derives the VM image filename by stripping a trailing
+# *numeric* build stamp, so a `-main` tag yields a name that doesn't match the
+# file `lvh` actually unpacks and the run dies with "invalid reference format".
+# So each job looks up the newest date-stamped tag (`<ver>-YYYYMMDD.HHMMSS`,
+# which the action handles) from the quay registry — always tracking the latest
+# build, with no tag to bump and immune to quay's pruning of old stamps. httptop
+# attaches at the TC layer via TCX (Linux 6.6+), so the list starts at 6.6 —
+# older kernels can't load the tcx/* programs at all.
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [master, main]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # Kernel lines to verify. Each is resolved to its newest date-stamped
+        # lvh image at run time (see the header). httptop needs TCX (Linux
+        # 6.6+), so the list starts at 6.6 — older kernels can't load the tcx/*
+        # programs at all.
+        kernel:
+          - '6.6'    # oldest LTS with TCX (Linux 6.6) — the floor
+          - '6.12'   # LTS
+          - '6.18'   # recent mainline
+          - 'bpf-next'
+    name: kernel ${{ matrix.kernel }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Resolve newest lvh image tag
+        id: img
+        env:
+          KERNEL: ${{ matrix.kernel }}
+        run: |
+          set -euo pipefail
+          # Newest <line>-YYYYMMDD.HHMMSS tag (date-stamps sort
+          # lexicographically, so tail -1 is the most recent build).
+          newest="$(curl -sf "https://quay.io/api/v1/repository/lvh-images/kind/tag/?onlyActiveTags=true&limit=100&filter_tag_name=like:${KERNEL}-" \
+            | jq -r '.tags[].name' \
+            | grep -E "^${KERNEL}-[0-9]{8}\.[0-9]+$" | sort | tail -1)"
+          [ -n "$newest" ] || { echo "::error::no date-stamped tag found for kernel line '${KERNEL}'"; exit 1; }
+          echo "resolved ${KERNEL} -> ${newest}"
+          echo "tag=${newest}" >> "$GITHUB_OUTPUT"
+
+      - name: Build BPF object + stage veristat
+        run: |
+          set -euo pipefail
+          # Builds bin/probe.bpf.o with the vendored static toolchain, also
+          # populating the per-machine toolchain cache (clang/bpftool/veristat).
+          make bpf
+
+          # Resolve the vendored static veristat the same way build/toolchain.mk
+          # does, and stage it into bin/ so the VM finds it under /host. It is
+          # fully static, so it runs in any kernel image's rootfs.
+          . build/toolchain.lock
+          arch="$(uname -m)"; [ "$arch" = arm64 ] && arch=aarch64
+          cache="${XDG_CACHE_HOME:-$HOME/.cache}/yeet/toolchain/v${TOOLCHAIN_VERSION}/${arch}"
+          if [ ! -x "$cache/veristat" ]; then
+            echo "::error::veristat is not in the pinned toolchain (v${TOOLCHAIN_VERSION}). Bump build/toolchain.lock to a toolchain release that ships veristat."
+            exit 1
+          fi
+          install -Dm755 "$cache/veristat" bin/veristat
+          file bin/veristat bin/probe.bpf.o
+
+      - name: Verify on kernel ${{ matrix.kernel }}
+        uses: cilium/little-vm-helper@v0.0.30
+        with:
+          test-name: veristat-${{ matrix.kernel }}
+          image: kind
+          image-version: ${{ steps.img.outputs.tag }}
+          host-mount: ${{ github.workspace }}
+          install-dependencies: 'true'
+          cmd: |
+            cd /host
+            OUT_CSV=/host/.kmatrix/result.csv sh build/verify-kernel.sh
+
+      - name: Render kernel summary
+        if: always()
+        env:
+          KVER: ${{ matrix.kernel }}
+          KCSV: ${{ github.workspace }}/.kmatrix/result.csv
+        run: |
+          python3 - <<'PY' >> "$GITHUB_STEP_SUMMARY"
+          import csv, os
+          kver, path = os.environ["KVER"], os.environ["KCSV"]
+          if not os.path.exists(path):
+              print(f"### kernel `{kver}` — ⚠️ no result (build or boot failed)\n")
+              raise SystemExit
+          rows = list(csv.DictReader(open(path)))
+          mark = lambda v: "✅" if v == "success" else "❌"
+          ok = all(r["verdict"] == "success" for r in rows)
+          head = "✅ all programs loaded" if ok else "❌ verifier rejected a program"
+          print(f"### kernel `{kver}` — {head}\n")
+          print("| Program | Verdict | Insns | States |")
+          print("|---|:---:|--:|--:|")
+          for r in rows:
+              print(f"| `{r['prog_name']}` | {mark(r['verdict'])} | {r['total_insns']} | {r['total_states']} |")
+          print()
+          PY
+
+      - name: Upload result
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: kmatrix-${{ matrix.kernel }}
+          path: ${{ github.workspace }}/.kmatrix/result.csv
+          if-no-files-found: ignore
+
+  matrix:
+    needs: verify
+    if: always()
+    runs-on: ubuntu-latest
+    name: matrix summary
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: results
+          pattern: kmatrix-*
+
+      - name: Render matrix
+        run: |
+          python3 - <<'PY' >> "$GITHUB_STEP_SUMMARY"
+          import csv, glob, os, re
+
+          # One CSV per kernel under results/kmatrix-<kernel>/result.csv.
+          data, kernels, progs = {}, [], []
+          for d in sorted(glob.glob("results/kmatrix-*")):
+              kver = os.path.basename(d)[len("kmatrix-"):]
+              f = os.path.join(d, "result.csv")
+              if not os.path.exists(f):
+                  data[kver] = None
+                  kernels.append(kver)
+                  continue
+              data[kver] = {r["prog_name"]: r["verdict"] for r in csv.DictReader(open(f))}
+              kernels.append(kver)
+              for p in data[kver]:
+                  if p not in progs:
+                      progs.append(p)
+
+          # Order kernels by version, bpf-next last.
+          def keyf(k):
+              m = re.match(r"(\d+)\.(\d+)", k)
+              return (1, 0, 0) if not m else (0, int(m.group(1)), int(m.group(2)))
+          kernels.sort(key=keyf)
+          short = lambda k: re.sub(r"-(main|\d{8}\.\d+)$", "", k)
+
+          print("## 🐧 Kernel verification matrix\n")
+          if not progs:
+              print("⚠️ No results were produced — check the per-kernel job logs.\n")
+              raise SystemExit
+          print("| Program | " + " | ".join(short(k) for k in kernels) + " |")
+          print("|---|" + "|".join(":-:" for _ in kernels) + "|")
+          fail = 0
+          for p in progs:
+              cells = []
+              for k in kernels:
+                  d = data[k]
+                  if d is None or p not in d:
+                      cells.append("⚪")
+                  elif d[p] == "success":
+                      cells.append("✅")
+                  else:
+                      cells.append("❌"); fail += 1
+              print(f"| `{p}` | " + " | ".join(cells) + " |")
+          print()
+          print("✅ accepted · ❌ rejected · ⚪ not run\n")
+          total = len(progs) * len([k for k in kernels if data[k] is not None])
+          verb = "all programs loaded on every kernel" if fail == 0 else f"{fail} of {total} program×kernel checks failed"
+          print(f"**{len(progs)} program(s) × {len(kernels)} kernel(s) — {verb}.**")
+          PY
+
+      - name: Gate on any rejection
+        run: |
+          # Fail the run if any per-kernel job failed (a rejection or a build/boot error).
+          if [ "${{ contains(needs.verify.result, 'failure') }}" = "true" ] || [ "${{ needs.verify.result }}" = "failure" ]; then
+            echo "::error::one or more kernels rejected a program (see the matrix summary)"
+            exit 1
+          fi
diff --git a/.gitignore b/.gitignore
index 5fc53cb..e768112 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,15 @@
 # build artifacts
-/bin/
-*.o
-*.o.tmp
+/node_modules/
+/src/index.jsx
+/.build/
 
-# generated from the running kernel's BTF (run `make` to regenerate)
-/include/vmlinux.h
+# compiled BPF objects + generated CO-RE header
+/bin/*
+!/bin/.gitkeep
+/src/bpf/include/vmlinux.h
+
+# kernel-matrix run output (build/kernel-matrix.sh)
+/.kmatrix/
 
 # python bytecode (demo/)
 __pycache__/
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..34ce154
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,668 @@
+# Building yeet dashboards
+
+This is a **yeet** script: a reactive JSX TUI that runs in the daemon's V8
+isolate, fed by live kernel data (eBPF + a process/system graph). This file
+is the API contract and gotcha list for editing it. For build/run mechanics,
+layout, and the `@/`/`#/` aliases, see `README.md` — don't duplicate that here.
+
+## Mental model
+
+It reads like React but it is **signals, not a vdom**. No hooks, no
+reconciliation, no `useState`. A node re-renders exactly when a signal it
+*read* changes — and the only way to "read inside a node" is to pass a
+**thunk** (`() => …`) as a prop or child. A plain value is static forever; a
+thunk is reactive.
+
+```jsx
+<Text>{() => `load ${load.get().toFixed(2)}`}</Text>   // re-renders on load change
+<Text>{`load ${load.get()}`}</Text>                    // snapshot, never updates
+```
+
+Three layers, composed:
+
+```
+probes/  (BPF-aware)  →  signals  →  components/ (pure UI, read signals)
+                          ↑
+                   graph queries / timers
+```
+
+`probes/` is the *only* code that touches `yeet:bpf`; it exposes plain
+signals. Components never see BPF — they read signals. `lib/` is pure helpers.
+
+## Build bottom-up: data → component → layout
+
+Build a dashboard from the inside out. Each layer is verifiable on its own, so
+mistakes surface where they're cheap — at the data, not three layers up where a
+blank panel could mean anything.
+
+### 1. Get the data right first, in isolation
+
+Before any JSX, confirm the kernel actually gives you the fields and types you
+think it does. Guard a self-test with `import.meta.main` — it's `true` **only**
+when this module is the run entry, so the block runs when you point `yeet run`
+at the module and stays dormant once `main.jsx` imports it.
+
+Verify the **raw source**, not a `from()` signal (a `from()` producer doesn't
+run until something watches it — there's no UI here):
+
+```js
+// probes/conns.js
+import { BpfObject, RingBuf } from "yeet:bpf";
+import { from } from "yeet:tui";
+
+const ctl = await new BpfObject({ exe: "../bin/probe.bpf.o", base: import.meta.dirname })
+  .bind("events", { kind: "ringbuf", btf_struct: "conn_event" })
+  .start();
+const events = new RingBuf(ctl, "events");
+
+export const conns = from((state) => { /* …wrap events into a signal… */ }, []);
+
+// Standalone correctness probe — dumps real records so you can eyeball field
+// names, the btf_struct envelope, and which numbers came back as BigInt.
+if (import.meta.main) {
+  await events.subscribe((w) => console.log(JSON.stringify(w, (_k, v) =>
+    typeof v === "bigint" ? `${v}n` : v)));        // JSON.stringify chokes on BigInt
+}
+```
+
+For a graph probe the self-test is a one-shot dump:
+
+```js
+if (import.meta.main) {
+  const { data } = await yeet.graph.query(QUERY);
+  console.log(JSON.stringify(data, null, 2));
+  yeet.exit();
+}
+```
+
+Run it directly — `yeet run src/probes/conns.js`. **Caveat:** `@/` and `#/` are
+bundle-time aliases, so a standalone module must reach its siblings by relative
+path (`./probe.js`), or be bundled as its own entry. Switching `JSON.stringify`
+to flag BigInt up front saves you the "why does math give NaN" detour — wrap
+64-bit values with `Number(...)` once you've seen them.
+
+### 2. Build each component against a fake signal
+
+A component is a pure function of signals, so prove it in isolation with a
+hand-fed signal before any real data exists. Mount just the one:
+
+```jsx
+// scratch entry while developing components/gauge.jsx
+import { mount, signal } from "yeet:tui";
+import Gauge from "@/components/gauge.jsx";
+
+const fake = signal(0.3);
+setInterval(() => fake.set(Math.random()), 700);   // exercise the reactive path
+mount(() => <Gauge frac={fake} label="cpu" />);
+await new Promise(() => {});
+```
+
+You're checking one thing: does it repaint when the signal changes, and does it
+fit its box? Get sizing and the thunk wiring right here, with data you control,
+before it has to share the screen.
+
+### 3. Layout and routing last
+
+Only once the pieces work do you compose them. The layout is a single thunk
+that reads the size signal (reflow on resize) and a view signal (which panel is
+showing) — responsive breakpoints and "routing" are the same branch:
+
+```jsx
+const view = signal("cpu");
+tty.on("keydown", (e) => {
+  if (e.key === "1") view.set("cpu");
+  else if (e.key === "2") view.set("net");
+});
+
+const Root = (size) => (
+  <Box>
+    <TitleBar view={view} />
+    <Box height="1fr" overflow="hidden">
+      {() => {
+        const { cols } = size.get();
+        if (cols < 80) return <Stacked view={view} />;     // responsive
+        switch (view.get()) {                               // routing
+          case "cpu": return <CpuPanel cpu={cpu} />;
+          case "net": return <NetPanel conns={conns} />;
+        }
+      }}
+    </Box>
+    <Footer />
+  </Box>
+);
+```
+
+By now each panel is already known-good, so if the screen looks wrong it's the
+layout math — `1fr`/`fit`/fixed and `overflow`, nothing deeper.
+
+## Entry shape
+
+JSX is the **automatic runtime** (`jsxImportSource: yeet:tui` in tsconfig +
+esbuild) — write JSX directly, no pragma import. The entry mounts a root that
+receives the terminal's reactive size signal, then parks forever:
+
+```jsx
+import { Box, Text, mount, signal } from "yeet:tui";
+
+const Root = (size) => (
+  <Box>                              {/* default direction is COLUMN, not row */}
+    <Header />
+    <Box height="1fr" overflow="hidden">
+      {() => renderBody(size.get())} {/* reading size.get() reflows on resize */}
+    </Box>
+    <Footer />
+  </Box>
+);
+
+mount(Root);
+await new Promise(() => {}); // keep the script alive; the TUI owns the screen
+```
+
+## Signals (state) — from `yeet:tui`
+
+```js
+import { signal, computed, from } from "yeet:tui";
+
+const n = signal(0);          n.get();  n.set(v);  n.update(x => x + 1);
+const doubled = computed(() => n.get() * 2);
+```
+
+`from(producer, initial)` is **the** idiom for turning a subscription or poll
+into a signal — the producer runs when the signal is first watched and its
+cleanup runs when no one watches, so the kernel work is tied to the UI:
+
+```js
+export const cpus = from((state) => {
+  const sub = events.subscribe(w => { /* accumulate */ });
+  const h = setInterval(() => state.set(snapshot()), 500); // publish a window
+  return () => { clearInterval(h); sub.then(s => s.unsubscribe()); };
+}, initialValue);
+```
+
+**Never `.set()` during a render/computed eval** — defer with `setInterval`,
+a subscription callback, or `Promise.resolve().then(() => sig.set(…))`.
+
+## Components — `yeet:tui`
+
+- `Box(opts, ...kids)` — flow container. `direction="row"|"column"` (**column
+  default**). `width/height/left/top/right/bottom`, `border`, `padding`,
+  `overflow="hidden"|"visible"`, `z`, `bg`.
+- `Layer(opts, ...kids)` — z-stack; child insets are absolute in the rect.
+- `Text(opts, content)` — `break="word"|"anywhere"|"none"`,
+  `overflow="hidden"|"ellipsis"|"visible"`.
+- `CellBuffer({rows, cols})` — raster surface: `.blit(x,y,str)`,
+  `.tint(x,y,w,h,color)`, `.clear()` for pixel/game drawing.
+- `Effect(fn)` — invisible lifecycle leaf; `fn` runs on mount, returns teardown.
+
+**Sizing** — every dimension is a `Size`, accepted as a string or via the
+`Size` helper: `"1fr"` (flex weight), `"10"`/`Size.fixed(10)`, `"50%"`,
+`"fit"`, `"50vw"`, `Size.min/max/clamp/add/sub(...)`. **Frame the root with
+`1fr` or a fixed size or the tree collapses to 0.**
+
+**Color & faces** — combinators wrap a string (innermost wins):
+`fg(color)`, `bg(color)`, `bold`, `dim`, `italic`, `underline`, `reverse`,
+`strike`. Colors: `idx(0..255)`, `rgb(0xRRGGBB)` / `rgb(r,g,b)`,
+`rgba(...,a)`, `color("#ff0080")`, `DEFAULT`.
+
+```jsx
+<Text>{() => bold(fg(idx(2))(`${pct(frac.get())}`))}</Text>
+```
+
+(There's also a separate `style.red(s)` / `style.bold(s)` global — that's for
+raw `tty.write` line-mode tools, *not* the JSX tree. Use face combinators here.)
+
+## Data sources
+
+**Graph** — process/system state as GraphQL:
+
+```js
+const { data } = await yeet.graph.query(`{ procs { stat { pid comm rss_bytes } } }`);
+// streaming: import { subscribe } from "yeet:graph"
+```
+
+⚠️ **Race big queries against a timeout.** A pathological query (e.g. full
+memory maps of a huge process) can wedge the daemon for *all* runs until it's
+restarted.
+
+**BPF** — bind maps on the shared object, then read them (`yeet:bpf`):
+
+```js
+import { BpfObject, RingBuf, ArrayMap, HashMap, DataSec } from "yeet:bpf";
+
+const ctl = await new BpfObject({ exe: "../bin/probe.bpf.o", base: import.meta.dirname })
+  .bind("events", { kind: "ringbuf", btf_struct: "sched_event" })
+  .bind("probe.data", { kind: "data" })   // .data/.rodata/.bss section
+  .bind("runq_hist", { kind: "array" })
+  .start();                                // probes auto-attach
+
+const events = new RingBuf(ctl, "events");
+await events.subscribe(w => {
+  const e = w?.sched_event ?? w;           // ⚠️ event is WRAPPED under btf_struct name
+  // e.cpu, e.prev_comm, e.slice_ns, …
+});
+
+const hist = new ArrayMap(ctl, "runq_hist");   // poll: await hist.lookup(i)
+const knobs = new DataSec(ctl, "probe.data");  // write: knobs.patch({ field: … })
+```
+
+`kind` values: `ringbuf`, `hash-map`, `lru-hash-map`, `array`, `percpu-*`,
+`lpm-trie`, `bloom-filter`, `data`. In `.bind()`, **every key except `kind` is
+a top-level option** (`btf_struct`, `capacity`, …) — nesting under `opts`
+fails silently. Map methods: `lookup/update/delete/entries/lookupBatch` (hash),
+`lookup/update` (array), `read/patch` (data-sec), per-CPU lookups return an
+array per CPU.
+
+## Input — global `tty`
+
+```js
+tty.enableMouse();
+tty.on("keydown", e => {                  // {code, key, ctrlKey, shiftKey, altKey, repeat, preventDefault()}
+  const k = (e.key ?? "").toLowerCase();
+  if (e.code === "Escape" || k === "q") return yeet.exit();
+  if (e.code === "ArrowDown" || k === "j") move(1);
+});
+tty.on("wheel",     e => move(e.deltaY > 0 ? 3 : -3));   // {deltaX, deltaY, clientX, clientY}
+tty.on("mousedown", e => { if (e.button === 0) select(e.clientY); }); // {button, clientX, clientY}
+tty.on("resize",    s => viewport.set(s));               // {rows, cols}
+```
+
+Coordinates are 0-indexed. `tty.size()` → `{rows, cols}`. `e.preventDefault()`
+suppresses the Ctrl-C kill / Ctrl-D detach defaults. `tty.frame(cb)` batches
+writes atomically. `yeet.exit()` tears the script down.
+
+## Composition patterns
+
+- **Responsive layout** — derive breakpoints from a size computed, branch in a
+  thunk: `{() => columns.get() === 1 ? <Narrow/> : <Wide/>}`.
+- **Sparkline / bars** — `"▁▂▃▄▅▆▇█"[Math.min(7, Math.floor(v/peak*7.99))]`.
+- **Fill / background** — a Box's `bg` prop tints its whole rect (color or
+  `(x,y,w,h) => color` shader). Don't paint spaces — `wrap` trims them; if you
+  must fill with *text*, use non-breaking spaces.
+- **Proportional gauge** — two `Box`es with computed `1fr` widths that sum to a
+  constant, each `bg`-filled (see the worked example).
+- **Color-by-value** — `const heat = f => f < 0.6 ? GREEN : f < 0.85 ? AMBER : RED`.
+- **Table** — fixed `Text` header + `{() => rows.get().slice(0, h).map(r => <Text>{cells(r)}</Text>)}`.
+- **Rate** — accumulate in a window, `setInterval(1000)` pushes to a bounded
+  history array signal and resets the window.
+
+## Gotchas that bite
+
+1. **No `Intl`, no `TextDecoder`/`TextEncoder`** — `localeCompare`,
+   `toLocaleString`, `Intl.*` all throw. Hand-roll formatting; decode `comm`
+   byte arrays with a `String.fromCharCode` loop, stopping at the first `\0`.
+2. **64-bit map fields need `BigInt`** — `knobs.patch({ x: BigInt(n) })`;
+   smaller ints take plain numbers. Ring-buffer `__u64` fields arrive as
+   `BigInt` — `Number(e.slice_ns)` to use them in math.
+3. **Set-during-render throws** — defer signal writes out of the render path.
+4. **`column` is the default Box direction** (Yoga, not CSS) — set
+   `direction="row"` explicitly for horizontal.
+5. **Use `fg`/`bg`/`bold`** in the tree — never `color`/`style`/`backgroundColor`.
+6. **Ring-buffer events are wrapped** under the `btf_struct` name — unwrap with
+   `w?.<struct> ?? w`.
+7. **`@/` and `#/` are bundle-time only** — the runtime resolver doesn't know
+   them, which is why the BPF object is located with `import.meta.dirname`.
+8. **`console.log` goes to the daemon log, not the screen** (and strips ANSI) —
+   render in-pane via the JSX tree or `tty.write`.
+9. **No Node builtins** (`fs`, `net`, …) — only packages that run in bare V8
+   bundle cleanly.
+10. **Don't `.set()` per high-rate event** — a busy ring buffer fires thousands
+    of times a second; accumulate in a plain variable and publish a snapshot on
+    a `setInterval` window (250–1000 ms). One re-render per frame, not per event.
+11. **Guard the pre-data state** — signals start at their initial value (often
+    `null`/`[]`), so every render thunk runs once before data arrives. Use
+    `x?.field` / `if (!data) return …` or the first frame throws.
+12. **Uncaught errors get dumped over your UI** — there's no `unhandledrejection`
+    hook; the daemon renders the exception to the screen. Catch at the
+    boundaries (see *Crash handling*) so a failing probe degrades to a status
+    line instead of wrecking the display.
+13. **`yeet.args` is minimist-parsed** — positionals in `yeet.args._`, flags as
+    named keys (`yeet run . -- --pid 42 eth0` → `{_: ["eth0"], pid: 42}`). Use
+    it to parameterize a dashboard (target pid, interface, refresh rate).
+
+## Worked examples
+
+### A complete component (pure UI, reads a signal)
+
+A horizontal gauge. It takes a `frac` signal and paints a heat-colored fill
+against a rail, with a percentage on the right. A Box's `bg` prop **tints its
+whole rect** — that's how you fill (don't paint a string of spaces; `wrap`
+trims trailing ones, and filling with *text* would need non-breaking spaces).
+Two boxes whose `fr` weights sum to a constant make a proportional bar; both
+widths read `frac`, so each fill is a thunk child that re-mints its Box when
+`frac` changes — only those parts re-render.
+
+```jsx
+// components/gauge.jsx
+import { Box, Text, bold, fg, idx } from "yeet:tui";
+
+const RAIL = idx(238);
+const heat = (f) => (f < 0.6 ? idx(2) : f < 0.85 ? idx(3) : idx(1));
+const pct = (f) => `${Math.round(f * 100)}%`;
+const lpad = (s, n) => `${s}`.padStart(n);
+
+export default function Gauge({ frac, label }) {
+  return (
+    <Box height="1" direction="row">
+      <Text width="8">{fg(idx(244))(label)}</Text>
+      {() => <Box width={`${1 + Math.round(frac.get() * 998)}fr`} bg={heat(frac.get())} />}
+      {() => <Box width={`${1 + Math.round((1 - frac.get()) * 998)}fr`} bg={RAIL} />}
+      <Text width="5">{() => bold(lpad(pct(frac.get()), 5))}</Text>
+    </Box>
+  );
+}
+```
+
+### A complete probe (kernel → signal, polled graph)
+
+No BPF needed — poll the system graph on a timer and expose a `cpu` fraction
+signal. `from()` ties the timer's lifecycle to the UI watching it.
+
+```js
+// probes/sysload.js
+import { computed, from } from "yeet:tui";
+
+// Whole-host CPU busy fraction, sampled once a second from the kernel graph.
+const QUERY = `{ kernel_stats { total { user nice system irq softirq idle iowait } } }`;
+const busy = (t) => t.user + t.nice + t.system + t.irq + t.softirq;
+const total = (t) => busy(t) + t.idle + t.iowait;
+
+export const cpu = from((state) => {
+  let prev = null;
+  const tick = async () => {
+    const { data } = await yeet.graph.query(QUERY);
+    const t = data.kernel_stats.total;
+    if (prev) {
+      const db = busy(t) - busy(prev);
+      const dt = total(t) - total(prev);
+      state.set(dt > 0 ? db / dt : 0);    // delta between samples, not absolute
+    }
+    prev = t;
+  };
+  const h = setInterval(() => tick().catch(() => {}), 1000);
+  tick().catch(() => {});
+  return () => clearInterval(h);
+}, 0);
+
+export const cpuPct = computed(() => Math.round(cpu.get() * 100));
+```
+
+### Wiring it together
+
+```jsx
+// main.jsx
+import { Box, Text, bold, mount } from "yeet:tui";
+import { cpu } from "@/probes/sysload.js";
+import Gauge from "@/components/gauge.jsx";
+
+tty.on("keydown", (e) => {
+  if (e.code === "Escape" || (e.key ?? "").toLowerCase() === "q") yeet.exit();
+});
+
+const Root = () => (
+  <Box>
+    <Text height="1">{bold(" sysload  —  q to quit")}</Text>
+    <Box height="1fr" overflow="hidden">
+      <Gauge frac={cpu} label="cpu" />
+    </Box>
+  </Box>
+);
+
+mount(Root);
+await new Promise(() => {});
+```
+
+### Live BPF feed → scrolling list
+
+The starter's `cpusched` is the full version; this is the minimal shape — a
+ring-buffer subscription pushed into a bounded list signal that a component
+renders.
+
+```js
+// probes/conns.js
+import { BpfObject, RingBuf } from "yeet:bpf";
+import { from } from "yeet:tui";
+
+const MAX = 50;
+
+export const conns = from((state) => {
+  const rows = [];
+  const ctl = new BpfObject({ exe: "../bin/probe.bpf.o", base: import.meta.dirname })
+    .bind("events", { kind: "ringbuf", btf_struct: "conn_event" });
+  const sub = ctl.start().then((c) =>
+    new RingBuf(c, "events").subscribe((w) => {
+      const e = w?.conn_event ?? w;                 // unwrap the btf_struct envelope
+      rows.unshift({ comm: e.comm, port: e.dport });
+      if (rows.length > MAX) rows.pop();
+      state.set(rows.slice());                      // publish a fresh array → re-render
+    }),
+  );
+  return () => sub.then((s) => s.unsubscribe());
+}, []);
+```
+
+```jsx
+// components/conns.jsx — reads the signal in a thunk, one Text per row
+import { Box, Text } from "yeet:tui";
+
+export default function Conns({ conns }) {
+  return (
+    <Box height="1fr" overflow="hidden">
+      {() => conns.get().map((r) => <Text height="1">{`${r.comm.padEnd(16)} :${r.port}`}</Text>)}
+    </Box>
+  );
+}
+```
+
+## More BPF patterns
+
+### Effect-scoped subscription (a "BPF effect")
+
+`from()` ties a subscription to *a signal* being watched. `Effect` ties one to
+*a subtree being mounted* — so an expensive probe runs only while its panel is
+on screen and tears down when you navigate away. The `Effect` re-runs whenever
+a signal it reads changes, so it also re-targets cleanly.
+
+```jsx
+// components/detail.jsx — subscribe only while this panel is visible
+import { Box, Effect, Text, signal } from "yeet:tui";
+import { RingBuf } from "yeet:bpf";
+import { control } from "@/probes/probe.js";
+
+export default function Detail({ pid }) {
+  const lines = signal([]);
+  return (
+    <Box height="1fr" overflow="hidden">
+      <Effect>
+        {() => {
+          const target = pid.get();                 // read → re-runs when pid changes
+          const rb = new RingBuf(control, "syscalls");
+          const sub = rb.subscribe((w) => {
+            const e = w?.syscall_event ?? w;
+            if (e.pid !== target) return;
+            lines.set([e.name, ...lines.get()].slice(0, 200));
+          });
+          return () => sub.then((s) => s.unsubscribe()); // teardown on unmount / re-run
+        }}
+      </Effect>
+      {() => lines.get().map((l) => <Text height="1">{l}</Text>)}
+    </Box>
+  );
+}
+```
+
+`Effect`'s teardown accepts a function or a `{ unsubscribe }`. Its reads do
+**not** become render dependencies of the surrounding tree — it has its own
+lifecycle. An `Effect` leaf is invisible and zero-sized, so drop it anywhere.
+
+### user → kernel: a live knob (DataSec.patch)
+
+JS only sees events the kernel emits — push a filter *into* the program by
+patching a global in its `.data` section. 64-bit fields want a `BigInt`.
+
+```js
+// probes/knob.js
+import { DataSec } from "yeet:bpf";
+import { signal } from "yeet:tui";
+import { control } from "@/probes/probe.js";
+
+const knobs = new DataSec(control, "probe.data");
+
+export const minSliceUs = signal(1000);             // mirror the compiled default
+
+export function setMinSlice(us) {
+  us = Math.max(0, us);
+  minSliceUs.set(us);                               // UI reads this
+  knobs.patch({ min_slice_ns: BigInt(us * 1000) }); // kernel re-filters live
+}
+// read the whole section back with knobs.read(), or one field: knobs.read("min_slice_ns")
+```
+
+```js
+// in main.jsx input handler
+if (k === "+") setMinSlice(minSliceUs.get() + 100);
+if (k === "-") setMinSlice(minSliceUs.get() - 100);
+```
+
+### HashMap aggregation → top-N table
+
+Poll a hash map on a timer, iterate, sort, publish. `entries()` pages
+transparently; iteration order is unstable under churn, so collect-then-act.
+
+```js
+// probes/syscount.js — map keyed by comm[16], value is a __u64 counter
+import { HashMap } from "yeet:bpf";
+import { from } from "yeet:tui";
+import { control } from "@/probes/probe.js";
+
+const counts = new HashMap(control, "counts");
+const comm = (u8) => { let s = ""; for (const b of u8) { if (!b) break; s += String.fromCharCode(b); } return s; };
+
+export const top = from((state) => {
+  const h = setInterval(async () => {
+    const rows = [];
+    for await (const [k, v] of counts.entries()) rows.push({ comm: comm(k.comm), n: Number(v) });
+    rows.sort((a, b) => b.n - a.n);
+    state.set(rows.slice(0, 20));
+  }, 1000);
+  return () => clearInterval(h);
+}, []);
+
+// per-CPU counter map? lookup → array per CPU; sum with BigInt:
+//   const total = (await pcMap.lookup(key)).reduce((a, b) => a + b, 0n);
+```
+
+### Polled histogram → log2 bar chart
+
+The other egress: the kernel aggregates into an array map, JS just reads slots.
+
+```jsx
+// components/histogram.jsx — `latency` is a signal of per-bucket counts
+import { Box, Text, fg, idx } from "yeet:tui";
+
+const BARS = "▁▂▃▄▅▆▇█";
+const lo = (i) => (i === 0 ? 0 : 1 << (i - 1));     // log2 bucket lower bound (ns)
+
+export default function Histogram({ latency }) {
+  return (
+    <Box height="1fr" overflow="hidden">
+      {() => {
+        const slots = latency.get();
+        const peak = Math.max(...slots, 1);
+        return slots.map((n, i) => (
+          <Text height="1">
+            {`${String(lo(i)).padStart(12)}ns `}
+            {fg(idx(4))(BARS[Math.min(7, Math.floor((n / peak) * 7.99))].repeat(Math.ceil((n / peak) * 40)))}
+            {`  ${n}`}
+          </Text>
+        ));
+      }}
+    </Box>
+  );
+}
+```
+
+(The probe side is `runqlat.js` in the starter: `ArrayMap.lookup(i)` per slot
+on a timer, published through `from()`.)
+
+## Crash handling (a BSOD)
+
+There's no global `unhandledrejection`/`onerror` hook in JS — when something
+throws uncaught, the daemon paints the raw exception over your screen. That's
+ugly and loses the alt-screen/cursor state. Better to catch at the two
+boundaries you control and show your own crash screen.
+
+**Boundary 1 — async probe failures degrade to a status line.** A probe that
+can't load (missing BTF, no root, bad bind) should set an error signal, not
+reject into the void:
+
+```js
+export const status = signal("starting…");
+
+export const start = async () => {
+  try {
+    const ctl = await new BpfObject({ exe: "../bin/probe.bpf.o", base: import.meta.dirname })
+      .bind("events", { kind: "ringbuf", btf_struct: "conn_event" })
+      .start();
+    /* … wire maps … */
+    status.set("tracing");
+  } catch (e) {
+    status.set(`probe failed: ${e.message ?? e}`);   // UI shows this, app stays up
+  }
+};
+```
+
+**Boundary 2 — wrap `mount` so a setup throw shows a BSOD instead of a stack
+dump.** `mount` owns the alt screen and cursor; re-mounting a crash component
+keeps that lifecycle clean:
+
+```jsx
+// main.jsx
+import { mount } from "yeet:tui";
+import App from "@/components/app.jsx";
+import Bsod from "@/components/bsod.jsx";
+
+tty.on("keydown", (e) => {
+  if (e.code === "Escape" || (e.key ?? "").toLowerCase() === "q") yeet.exit();
+});
+
+try {
+  mount(App);
+} catch (e) {
+  mount(() => <Bsod error={e} />);   // any key still quits via the handler above
+}
+await new Promise(() => {});
+```
+
+The crash screen itself is just a `bg`-filled box — no special API:
+
+```jsx
+// components/bsod.jsx
+import { Box, Text, bold, fg, idx } from "yeet:tui";
+
+const BLUE = idx(20);
+const WHITE = idx(15);
+
+export default function Bsod({ error }) {
+  const lines = String(error?.stack ?? error?.message ?? error).split("\n");
+  return (
+    <Box bg={BLUE} width="1fr" height="1fr" padding={2}>
+      <Text height="1">{bold(fg(WHITE)(":(  your dashboard hit an error"))}</Text>
+      <Text height="1">{" "}</Text>
+      {lines.map((l) => <Text height="1">{fg(WHITE)(l)}</Text>)}
+      <Text height="1">{" "}</Text>
+      <Text height="1">{fg(idx(250))("press q to quit")}</Text>
+    </Box>
+  );
+}
+```
+
+Note this only catches *synchronous* setup errors. Errors thrown later inside a
+render thunk (e.g. reading a field off a `null` signal — gotcha 11) happen
+during a re-render that `try/catch` can't wrap, which is exactly why you guard
+the pre-data state at the source instead.
+
+## System info
+
+`system.numCpus`, `system.arch`, `system.os`, `system.kernel`
+(`{major, minor, patch}`), `system.endianness`. `setTimeout`/`setInterval`/
+`clearInterval`/`queueMicrotask` are available.
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 120000
index 0000000..47dc3e3
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+AGENTS.md
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 6e31011..c6c94dd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,40 +1,70 @@
-.PHONY: all clean distclean vmlinux
+# Build the yeet script project.
+#
+#   make         — build everything (BPF objects + JS bundle)
+#   make bpf     — compile bpf/*.bpf.c into bin/* only
+#   make veristat — load the built object with veristat (verifier check on this kernel)
+#   make bundle  — resolve npm/jsr deps and bundle the JS entry
+#   make postgen — finalize a freshly generated project (git init)
+#   make clangd  — write a local .clangd pointing at the resolved toolchain
+#   make clean   — remove build artifacts
+#
+# This is the build *frontend*: it orchestrates two independent
+# compilers — clang for the BPF objects, esbuild for the JS bundle.
+# Neither understands the other; the JS references compiled objects in
+# bin/ only by path, resolved at runtime. `yeet run` invokes `make`
+# automatically when running this project from a trusted remote source,
+# so the default goal must leave the project runnable.
+#
+# clang, bpftool and esbuild come from the static toolchain resolved by
+# build/toolchain.mk (a shared per-machine cache, or binaries vendored in
+# the bootstrap repo) — so the build needs no system C/BPF toolchain.
 
-ARCH    ?= $(shell uname -m | sed 's/x86_64/x86/; s/aarch64/arm64/')
-CLANG   ?= clang
-# `bpftool btf dump` reads /sys/kernel/btf/vmlinux. On some hardened kernels
-# that node is root-only — set BPFTOOL='sudo bpftool' if the dump fails for you.
-BPFTOOL ?= /usr/sbin/bpftool
+.DEFAULT_GOAL := all
 
-# BPF headers (bpf_helpers.h, bpf_endian.h) from libbpf.
-# Install via your distro's libbpf / libbpf-dev package.
-LIBBPF_INCLUDE ?= /usr/include
+include build/toolchain.mk
+include build/bpf.mk
 
-OBJ     := bin/httptop.bpf.o
-VMLINUX := include/vmlinux.h
+NPM ?= npm
 
-CFLAGS = -O2 -g -Wall -target bpf \
-         -D__TARGET_ARCH_$(ARCH) \
-         -Iinclude -I$(LIBBPF_INCLUDE)
+all: bpf bundle
 
-all: $(OBJ)
+# Bundle the entry with the vendored esbuild. esbuild inlines node_modules
+# and honors tsconfig `paths` (so `@/` resolves at bundle time), while
+# `yeet:*` builtins and `*.bpf.o` objects stay external. The bundle is
+# written to src/index.jsx, which the entry ladder prefers over src/main.jsx
+# — so once built, that is what runs. The .jsx extension keeps the bundle
+# eligible for component auto-mount. Compiled BPF objects in bin/ are loaded
+# by path at runtime, never imported, so they are not bundled.
+#
+# `npm install` still runs first: esbuild resolves the project's own
+# dependencies out of node_modules when inlining them.
+ESBUILD_FLAGS := --bundle --format=esm --platform=neutral \
+	--main-fields=module,main --conditions=import,module \
+	--outfile=src/index.jsx --jsx=automatic --jsx-import-source=yeet:tui
 
-# Kernel type definitions for CO-RE, dumped from the running kernel's BTF.
-# Regenerated automatically when missing; `make vmlinux` forces a refresh.
-$(VMLINUX):
-	@mkdir -p include
-	$(BPFTOOL) btf dump file /sys/kernel/btf/vmlinux format c > $@
+bundle: node_modules | toolchain
+	$(ESBUILD) src/main.jsx $(ESBUILD_FLAGS) '--external:yeet:*' '--external:*.bpf.o'
 
-vmlinux:
-	@rm -f $(VMLINUX)
-	@$(MAKE) $(VMLINUX)
+node_modules: package.json
+	$(NPM) install
+	@touch node_modules
 
-$(OBJ): httptop.bpf.c $(VMLINUX)
-	@mkdir -p bin
-	$(CLANG) $(CFLAGS) -c $< -o $@
+# Post-generation finalize: initialize a git repository with the vendored git
+# (fetched via `vendored-git`). Idempotent — skipped if this is already a repo.
+# The scaffolders (`yeet new`, `scripts/new`) run `make postgen` after creating
+# the project, so the CLI itself stays a thin caller of make.
+postgen: | vendored-git
+	@g="$(GIT)"; [ -x "$$g" ] || g="$$(command -v git 2>/dev/null || true)"; \
+	if [ -e .git ]; then \
+		echo "postgen: already a git repository"; \
+	elif [ -n "$$g" ]; then \
+		echo "postgen: git init"; \
+		"$$g" -c init.templateDir= init -q . || echo "warning: 'git init' failed" >&2; \
+	else \
+		echo "warning: no git available (vendored or host); skipping 'git init'" >&2; \
+	fi
 
-clean:
-	rm -f $(OBJ)
+clean: clean-bpf
+	rm -rf node_modules dist src/index.jsx
 
-distclean: clean
-	rm -f $(VMLINUX)
+.PHONY: all bundle clean postgen
diff --git a/README.md b/README.md
index 496fda8..e87b285 100644
--- a/README.md
+++ b/README.md
@@ -22,12 +22,12 @@
 
 ```sh
 curl -fsSL https://yeet.cx | sh
-make            # compile bin/httptop.bpf.o (needs clang + bpftool)
+make            # compile bin/probe.bpf.o + bundle the JS (toolchain auto-fetched)
 yeet run .      # watch every up interface, including loopback
 ```
 [Manual install guide](https://yeet.cx/docs/install/manual-installation) | Linux only
 
-With any plaintext HTTP flowing on the box, that's it — `httpinspect` enumerates the up interfaces, attaches at the TC layer, and starts ranking endpoints. Flags tune what it watches and how it groups:
+With any plaintext HTTP flowing on the box, that's it — `httpinspect` enumerates the up interfaces, attaches at the TC layer, and starts ranking endpoints. Flags tune what it watches and how it groups (pass them after `--`, so the runtime routes them to the script):
 
 | flag             | default       | meaning                                                              |
 | ---------------- | ------------- | -------------------------------------------------------------------- |
@@ -35,8 +35,8 @@ With any plaintext HTTP flowing on the box, that's it — `httpinspect` enumerat
 | `--keep-query`   | off           | keep query strings distinct — `/x?id=1` and `/x?id=2` stay separate rows instead of collapsing into one |
 
 ```sh
-yeet run . --iface lo,eth0   # only these interfaces
-yeet run . --keep-query      # /x?id=1 and /x?id=2 stay separate rows
+yeet run . -- --iface lo,eth0   # only these interfaces
+yeet run . -- --keep-query      # /x?id=1 and /x?id=2 stay separate rows
 ```
 
 Runs until `Ctrl-C`. Resize the terminal and the table reflows; needs a real terminal (it's a TUI — don't pipe or redirect the output).
@@ -63,7 +63,7 @@ The mental model for what `httpinspect` reads:
 ## What you're looking at
 
 ```
-httpinspect · watching all (3) · plaintext HTTP only
+httpinspect · iface: all (3) · plaintext HTTP only
  #  METHOD  HOST            PATH              COUNT   REQ/S   LAST
  1  GET     shop.internal   /api/products      1843    27     0s
  2  POST    auth.internal   /login              512     4      1s
@@ -109,7 +109,18 @@ It updates in place as new traffic arrives — no need to back out and re-enter.
 
 ## How it works
 
-The core is in [`httptop.bpf.c`](httptop.bpf.c) and the JS rendering layer rooted at [`main.jsx`](main.jsx).
+The project follows the standard yeet-script layout: `src/probes/` is the only BPF-aware code (it owns the object and exposes plain signals), `src/components/` is pure presentation that reads those signals, and `src/lib/` is pure helpers. They reference each other through the `@/` source alias; `src/main.jsx` wires them together and owns input.
+
+```
+src/bpf/httptop.bpf.c    TC programs: detect + capture HTTP segments → ringbuf
+src/probes/probe.js      loads the shared BPF object, attaches TCX, exposes `control`
+src/probes/httptop.js    ingest: parse, pair responses for latency, aggregate → signals
+src/lib/format.js        formatters, method colors, column widths, sparkline (pure)
+src/components/*.jsx     pure UI: statusbar, list, detail, footer, legend
+src/main.jsx             entry: tty guard, navigation, mount, key input
+bin/probe.bpf.o          the linked BPF object lands here (built by `make`)
+demo/                    fake server + load generator for the recording
+```
 
 ### The BPF side
 
@@ -128,12 +139,13 @@ The one map connecting kernel to userspace is `events` — a `RINGBUF` bound by
 
 The dashboard runs in yeet's V8 runtime, subscribing to that ring buffer and rendering the terminal UI with `yeet:tui`:
 
-| file            | responsibility                                                                                  |
-| --------------- | ----------------------------------------------------------------------------------------------- |
-| `main.jsx`      | entry: tty guard, interface discovery, BPF attach, ringbuf subscribe, mount, key input          |
-| `state.js`      | live data + request/response ingest, latency pairing, status tally, rate ticks, selection       |
-| `render.jsx`    | formatters, method colors, column widths, sparkline (pure)                                      |
-| `dashboard.jsx` | panels + layout: the list and endpoint-detail screens (the Dashboard view)                      |
+| file                    | responsibility                                                                                   |
+| ----------------------- | ------------------------------------------------------------------------------------------------ |
+| `src/probes/probe.js`   | interface discovery, BPF load + TCX attach; exports the shared `control` and the iface label     |
+| `src/probes/httptop.js` | request/response ingest, latency pairing, status tally, rate ticks → the `rows` / `tick` signals |
+| `src/lib/format.js`     | formatters, method colors, column widths, sparkline (pure)                                       |
+| `src/components/*.jsx`  | the list and endpoint-detail screens, status bar, footer, legend (pure UI reading signals)       |
+| `src/main.jsx`          | tty guard, selection/navigation state, mount, key input                                          |
 
 In userspace, each response is paired with the oldest unmatched request on the same flow — the unordered port pair, since a response travels the reverse direction. The timestamp delta is the **on-the-wire latency**, and the status line gives the **code**; both are aggregated per endpoint.
 
@@ -141,10 +153,41 @@ In userspace, each response is paired with the oldest unmatched request on the s
 
 Reading requests at the TC layer means there's nothing to point traffic through and no app to reconfigure — the programs observe and copy request segments as the kernel moves them, including loopback, so local service-to-service chatter is covered without instrumenting anything. And because the method/`HTTP/` check happens in the kernel, ACKs and non-HTTP traffic never cost a ring-buffer write.
 
+## Building from source
+
+```sh
+make           # build bin/probe.bpf.o (clang + bpftool) + bundle the JS (esbuild)
+make bpf       # just the BPF object
+make bundle    # just the JS bundle (src/main.jsx -> src/index.jsx)
+make clean     # remove build artifacts
+```
+
+`make` runs two independent compilers: **clang + bpftool** compile every `src/bpf/*.bpf.c` and link them into one loadable object `bin/probe.bpf.o`; **esbuild** bundles `src/main.jsx` into `src/index.jsx`, inlining npm deps and the `@/` alias and leaving `yeet:*` builtins external. The toolchain (clang, bpftool, esbuild) is fetched into a per-machine cache on first build — no system C/BPF toolchain required. The generated CO-RE header `src/bpf/include/vmlinux.h` and `bin/` are build artifacts (gitignored).
+
+`#/` (project root) and `@/` (source root) are **bundle-time aliases** that esbuild resolves via `tsconfig` `paths`; the runtime resolver doesn't know them, which is why the BPF object is located with `import.meta.dirname` in `probes/probe.js`.
+
+## Testing across kernels
+
+A BPF program that loads on your laptop can be rejected by an older kernel's verifier. Run `make veristat` to load `bin/probe.bpf.o` with veristat on **your** kernel — a quick check that every program passes, plus per-program complexity. Loading programs needs privileges, so use `sudo`.
+
+`.github/workflows/kernel-matrix.yml` runs the same check across a matrix of kernels in CI (booting each in a VM and running veristat against the object), and `make veristat-matrix` runs that matrix locally on Linux + KVM. See the comments in `build/bpf.mk` for tuning the kernel set.
+
+## Try it without real traffic
+
+`demo/` is a self-contained traffic source so you can see the dashboard fill on a quiet box:
+
+```sh
+python3 demo/server.py &            # fake plaintext-HTTP server on 127.0.0.1:8731
+PORT=8731 bash demo/traffic.sh      # steady, weighted request mix over loopback
+yeet run . -- --iface lo            # watch it on loopback
+```
+
+`demo/record.sh` drives the same setup under `termgif` to regenerate `assets/http-endpoint.gif`.
+
 ## Requirements
 
 > [!IMPORTANT]
-> Linux with **BTF** (`CONFIG_DEBUG_INFO_BTF=y`) — needed for the TC context structs and the `sock` types the programs read. Default on current Arch, Fedora, Ubuntu, and Debian 12+. CO-RE means no per-kernel recompile.
+> Linux with **BTF** (`CONFIG_DEBUG_INFO_BTF=y`) — needed to generate `vmlinux.h` and for the TC context structs the programs read. Default on current Arch, Fedora, Ubuntu, and Debian 12+. CO-RE means no per-kernel recompile.
 >
 > A reasonably recent kernel with **TCX** support (`tcx` links, Linux 6.6+), plus the yeet daemon, which handles the privileged BPF load. `curl -fsSL https://yeet.cx | sh` installs it.
 
@@ -175,24 +218,12 @@ Because it's encrypted before it hits the wire. At the TC layer the payload is c
 That's the `Host:` header the client sent. Services addressed by name show their name; those addressed by IP show the IP.
 
 **Can I get a quick check without the full TUI?**
-Yes. `yeet run verify.js` attaches the probe, aggregates for ~4s, and prints the counts before exiting — a headless sanity check of the capture + parse pipeline.
-
-## Building from source
-
-```sh
-make          # generates include/vmlinux.h, builds bin/httptop.bpf.o
-make vmlinux  # force-refresh the kernel type header
-make clean    # remove the build artifacts
-```
-
-Needs `clang` (BPF target) and `bpftool`, plus your distro's `libbpf` / `libbpf-dev` for headers. The generated `include/vmlinux.h` and `bin/` are build artifacts (gitignored).
+Yes. `yeet run src/probes/probe.js` attaches the probe, aggregates for ~4s, and prints the counts before exiting — a headless sanity check of the capture + parse pipeline.
 
 ## License
 
-GPL-2.0. The BPF program declares `char LICENSE[] SEC("license") = "GPL"` in [`httptop.bpf.c`](httptop.bpf.c), required for the kernel helpers it uses.
+GPL-2.0. The BPF program declares `char LICENSE[] SEC("license") = "GPL"` in [`src/bpf/httptop.bpf.c`](src/bpf/httptop.bpf.c), required for the kernel helpers it uses.
 
 ---
 
 Built with [yeet](https://yeet.cx/docs/?utm_source=github&utm_medium=readme&utm_campaign=httpinspect), a JS runtime for writing eBPF programs and live system dashboards on Linux. Join us on [discord](https://discord.gg/dYZu9PjKB?utm_source=github&utm_medium=readme&utm_campaign=httpinspect).
-</content>
-</invoke>
diff --git a/bin/.gitkeep b/bin/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/build/bpf.mk b/build/bpf.mk
new file mode 100644
index 0000000..0650851
--- /dev/null
+++ b/build/bpf.mk
@@ -0,0 +1,108 @@
+# Reusable BPF build rules, included by the project Makefile.
+#
+# The BPF program is modular: each src/bpf/*.bpf.c is a unit, compiled on
+# its own, and all units are statically linked into ONE loadable object,
+# bin/probe.bpf.o, with `bpftool gen object` — the same linker libbpf uses
+# internally. Split the program across as many .bpf.c files as you like;
+# share structs, maps and helpers through headers in src/bpf/include/ and
+# the linker merges the duplicates. vmlinux.h (CO-RE) is generated there.
+#
+# To add another independent object, give it its own link target alongside
+# bin/probe.bpf.o below — there is intentionally no per-object magic here.
+
+# CLANG/BPFTOOL are normally resolved by build/toolchain.mk (vendored static
+# toolchain or shared cache), included before this file. These are the last
+# resort when neither is available: whatever is on PATH. bpftool frequently
+# lives in /usr/sbin, which isn't always on a non-root user's PATH; fall back
+# to it before giving up.
+CLANG   ?= clang
+BPFTOOL ?= $(shell command -v bpftool 2>/dev/null || echo /usr/sbin/bpftool)
+
+# Map the host machine to the __TARGET_ARCH_* clang expects.
+UNAME_M := $(shell uname -m)
+ARCH    := $(UNAME_M:x86_64=x86)
+ARCH    := $(ARCH:aarch64=arm64)
+
+VMLINUX  := src/bpf/include/vmlinux.h
+BPF_SRCS := $(wildcard src/bpf/*.bpf.c)
+# One intermediate object per unit. They live under .build/ so they are
+# never mistaken for the loadable object in bin/.
+BPF_OBJS := $(patsubst src/bpf/%.bpf.c,.build/bpf/%.bpf.o,$(BPF_SRCS))
+# The single linked object. Its `.bpf.o` suffix is what the JS side loads
+# with `import probe from "../bin/probe.bpf.o"` (the loader's
+# BpfObjectRule matches on that suffix).
+BPF_OUT  := bin/probe.bpf.o
+
+BPF_CFLAGS ?= -g -O2 -Wall -target bpf -D__TARGET_ARCH_$(ARCH) -mcpu=v3 -I src/bpf/include
+# Add the vendored libbpf program headers (<bpf/bpf_helpers.h>, …) when a
+# vendored toolchain supplies them; resolved by build/toolchain.mk. Without
+# it, the build falls back to a host libbpf-dev on the default include path.
+BPF_CFLAGS += $(if $(BPF_SYSINCLUDE),-I$(BPF_SYSINCLUDE))
+
+bpf: $(BPF_OUT)
+
+# `| toolchain` (order-only) ensures the vendored clang/bpftool are present in
+# the cache before any rule shells out to them, without forcing rebuilds.
+$(VMLINUX): | toolchain
+	@command -v $(BPFTOOL) >/dev/null 2>&1 || { echo "error: bpftool not found — install bpftool / linux-tools"; exit 1; }
+	sh build/gen-vmlinux.sh $(BPFTOOL) $@
+
+# Compile each unit to an intermediate object.
+.build/bpf/%.bpf.o: src/bpf/%.bpf.c $(VMLINUX) | toolchain
+	@command -v $(CLANG) >/dev/null 2>&1 || { echo "error: clang not found — install clang"; exit 1; }
+	@mkdir -p $(dir $@)
+	$(CLANG) $(BPF_CFLAGS) -c $< -o $@
+
+# Statically link every unit into the single loadable object.
+$(BPF_OUT): $(BPF_OBJS) | bin toolchain
+	@command -v $(BPFTOOL) >/dev/null 2>&1 || { echo "error: bpftool not found — install bpftool / linux-tools"; exit 1; }
+	$(BPFTOOL) gen object $@ $(BPF_OBJS)
+
+bin:
+	mkdir -p bin
+
+clean-bpf:
+	rm -rf $(BPF_OUT) .build $(VMLINUX)
+
+# Load the linked object with veristat to confirm THIS kernel's verifier
+# accepts every program, and to see per-program complexity (insns/states) — a
+# local counterpart to the kernel-matrix CI, which runs the same check across
+# many kernels. Loading BPF programs needs privileges, so run with sudo (as
+# `yeet run` does). VERISTAT is resolved by build/toolchain.mk (the vendored
+# static binary, or `veristat` on PATH).
+.PHONY: veristat
+veristat: $(BPF_OUT) | toolchain
+	@command -v $(VERISTAT) >/dev/null 2>&1 || { echo "error: veristat not found ($(VERISTAT)) — bump build/toolchain.lock to a toolchain that ships veristat, or install veristat on PATH"; exit 1; }
+	$(VERISTAT) $(BPF_OUT)
+
+# Run the same verifier check across a matrix of kernels locally (Linux + KVM),
+# the local counterpart to .github/workflows/kernel-matrix.yml. Boots
+# quay.io/lvh-images/kind images with cilium's lvh + QEMU; pass kernels as
+# KERNELS="6.6-main bpf-next-main" or rely on the script's default spread.
+.PHONY: veristat-matrix
+veristat-matrix: $(BPF_OUT) | toolchain
+	VERISTAT="$(VERISTAT)" sh build/kernel-matrix.sh $(KERNELS)
+
+# Write a local .clangd so the editor resolves vmlinux.h, the libbpf SDK
+# headers and __u* types using the *resolved* toolchain include path — unlike
+# the committed .clangd (which only covers in-repo editing), this picks up the
+# shared-cache path in a scaffolded project. Run after `make` so vmlinux.h
+# exists. The result can hold a machine-specific cache path, so leave it
+# untracked. Falls back to host headers when no vendored toolchain is found.
+.PHONY: clangd
+clangd:
+	@printf '%s\n' \
+	  '# Generated by `make clangd` — editor flags mirroring build/bpf.mk.' \
+	  '# Regenerate after moving machines or bumping the toolchain version.' \
+	  'CompileFlags:' \
+	  '  Add:' \
+	  '    - -target' \
+	  '    - bpf' \
+	  '    - -Isrc/bpf/include' \
+	  $(if $(BPF_SYSINCLUDE),'    - -I$(BPF_SYSINCLUDE)') \
+	  '    - -D__TARGET_ARCH_$(ARCH)' \
+	  '    - -D__BPF_TRACING__' \
+	  > .clangd
+	@echo "wrote .clangd (libbpf headers: $(if $(BPF_SYSINCLUDE),$(BPF_SYSINCLUDE),<host include path>))"
+
+.PHONY: bpf clean-bpf
diff --git a/build/fetch-toolchain.sh b/build/fetch-toolchain.sh
new file mode 100755
index 0000000..eff6a87
--- /dev/null
+++ b/build/fetch-toolchain.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+# Populate a shared toolchain cache directory, downloading only missing tools.
+# Every artifact comes from one immutable, version-tagged release of the
+# toolchain repo (releases/download/v<TOOLCHAIN_VERSION>/) and is
+# checksum-verified against the pins in the lock.
+#
+#   build/fetch-toolchain.sh <dest-dir> <uname-arch> <lock> [tool...]
+#
+# With no trailing tool names, all tools are fetched (the build's `toolchain`
+# target). Pass names (e.g. `git`) to fetch only those — `postgen` uses this to
+# grab just git at generation time without pulling the whole toolchain.
+
+set -eu
+
+DIR="${1:?usage: fetch-toolchain.sh <dest-dir> <arch> <lock> [tool...]}"
+ARCH="${2:?missing arch}"
+LOCK="${3:?missing lock}"
+shift 3
+FILTER="$*"   # empty = all tools
+
+# shellcheck disable=SC1090
+. "$LOCK"
+
+# Apple/BSD report arm64; the release assets are named aarch64.
+[ "$ARCH" = arm64 ] && ARCH=aarch64
+
+# The binaries are Linux musl-static — they can't run on any other OS. Skip
+# cleanly there (exit 0) so callers fall back to host tools instead of failing.
+# Normally toolchain.mk already no-ops the fetch off-Linux; this guards direct
+# invocation too.
+OS="$(uname -s)"
+if [ "$OS" != Linux ]; then
+	echo "note: vendored toolchain is Linux-only; on $OS the build uses host tools on PATH" >&2
+	exit 0
+fi
+
+case "$ARCH" in
+	x86_64 | aarch64) ;;
+	*) echo "error: unsupported arch '$ARCH'" >&2; exit 1 ;;
+esac
+
+mkdir -p "$DIR"
+
+# The one immutable release every asset is fetched from.
+REL="${TOOLCHAIN_BASE_URL}/v${TOOLCHAIN_VERSION}"
+
+want() { [ -z "$FILTER" ] && return 0; case " $FILTER " in *" $1 "*) return 0 ;; esac; return 1; }
+
+sha() {
+	if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
+	elif command -v shasum    >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
+	else echo "error: no sha256 tool (sha256sum/shasum) found" >&2; return 1; fi
+}
+
+verify() { # file want-sha label
+	[ -n "$2" ] || { echo "warning: no pinned checksum for $3 — skipping verify" >&2; return 0; }
+	got="$(sha "$1")"
+	[ "$got" = "$2" ] || { echo "error: $3 checksum mismatch: got $got want $2" >&2; return 1; }
+}
+
+get_sha() { eval "printf '%s' \"\${${1}_SHA256_${ARCH}:-}\""; }  # get_sha CLANG
+
+# fetch_bin <tool-name> — asset is <tool>-<arch> inside the version release.
+# Atomic: download beside the target, verify, then rename.
+fetch_bin() {
+	name="$1"
+	want "$name" || return 0
+	[ -x "$DIR/$name" ] && return 0
+	echo ">> fetch ${name} (${ARCH}, v${TOOLCHAIN_VERSION})"
+	tmp="$DIR/.${name}.$$"
+	curl -fSL --retry 3 -o "$tmp" "${REL}/${name}-${ARCH}"
+	verify "$tmp" "$(get_sha "$(echo "$name" | tr a-z A-Z)")" "$name" || { rm -f "$tmp"; exit 1; }
+	chmod +x "$tmp"
+	mv -f "$tmp" "$DIR/$name"
+}
+
+fetch_bin make
+fetch_bin clang
+fetch_bin bpftool
+fetch_bin veristat
+fetch_bin esbuild
+fetch_bin git
+fetch_bin gh
+
+# libbpf program headers: arch-independent, one copy per version, beside the
+# per-arch tool dirs ($key/include/bpf/*.h).
+INC="$(dirname "$DIR")/include"
+if want headers && [ ! -e "$INC/bpf/bpf_helpers.h" ]; then
+	echo ">> fetch libbpf headers (v${TOOLCHAIN_VERSION})"
+	td="$(mktemp -d)"
+	curl -fSL --retry 3 -o "$td/h.tgz" "${REL}/libbpf-headers.tar.gz"
+	verify "$td/h.tgz" "${LIBBPF_HEADERS_SHA256:-}" "libbpf-headers" || { rm -rf "$td"; exit 1; }
+	mkdir -p "$INC"
+	tar xzf "$td/h.tgz" -C "$INC"   # tarball holds a top-level bpf/ dir
+	rm -rf "$td"
+fi
+
+echo ">> toolchain ready: $DIR${FILTER:+ ($FILTER)}"
diff --git a/build/gen-vmlinux.sh b/build/gen-vmlinux.sh
new file mode 100644
index 0000000..a51768b
--- /dev/null
+++ b/build/gen-vmlinux.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+# Generate vmlinux.h from the running kernel's BTF — the CO-RE header
+# every BPF program in this project includes.
+#
+#   build/gen-vmlinux.sh <bpftool> <output-path>
+
+set -eu
+
+BPFTOOL="${1:-bpftool}"
+OUT="${2:-src/bpf/include/vmlinux.h}"
+
+if [ ! -r /sys/kernel/btf/vmlinux ]; then
+	echo "error: /sys/kernel/btf/vmlinux is not readable — kernel BTF (CONFIG_DEBUG_INFO_BTF) is required" >&2
+	exit 1
+fi
+
+mkdir -p "$(dirname "$OUT")"
+"$BPFTOOL" btf dump file /sys/kernel/btf/vmlinux format c >"$OUT"
+echo "generated $OUT"
diff --git a/build/kernel-matrix.sh b/build/kernel-matrix.sh
new file mode 100755
index 0000000..3f128c7
--- /dev/null
+++ b/build/kernel-matrix.sh
@@ -0,0 +1,167 @@
+#!/bin/sh
+# Boot a matrix of kernels locally and run the verifier check (build/verify-
+# kernel.sh) in each — the local counterpart to .github/workflows/kernel-
+# matrix.yml. This is a TEST HARNESS, not part of the build, and needs a
+# Linux host (ideally with /dev/kvm; without it QEMU falls back to slow TCG).
+#
+#   build/kernel-matrix.sh [kernel ...]      # default: an LTS spread + bpf-next
+#   make veristat-matrix                      # same, via the Makefile
+#
+# It uses cilium's lvh + QEMU to boot quay.io/lvh-images/kind:<kernel> images.
+# Neither lvh nor qemu is part of the build toolchain (they're VM infra needing
+# host KVM/root, not self-contained build tools), so both are fetched on demand:
+#   - lvh:  an `lvh` on PATH, else extracted from the quay.io/lvh-images/lvh image.
+#   - qemu: the vendored static qemu-<arch>.tar.gz from the toolchain release
+#           (checksum-pinned in build/toolchain.lock), extracted to the toolchain
+#           cache and prepended to PATH; falls back to a system qemu-system.
+# veristat is the vendored static binary, resolved like the build.
+
+set -eu
+
+KERNELS=${*:-"5.10-main 5.15-main 6.1-main 6.6-main 6.12-main bpf-next-main"}
+LVH_VERSION="${LVH_VERSION:-v0.0.30}"
+SSH_PORT="${SSH_PORT:-2222}"
+MON_PORT="${MON_PORT:-45454}"
+OBJ="${OBJ:-bin/probe.bpf.o}"
+
+case "$(uname -s)" in
+	Linux) ;;
+	*) echo "error: the kernel matrix needs a Linux host (QEMU/KVM); on $(uname -s) use the CI workflow instead." >&2; exit 1 ;;
+esac
+
+# ARCH = uname machine (toolchain asset naming); QARCH = lvh/qemu platform name.
+ARCH="$(uname -m)"
+case "$ARCH" in
+	x86_64)  QARCH=amd64 ;;
+	aarch64) QARCH=arm64 ;;
+	*) echo "error: unsupported arch '$ARCH'" >&2; exit 1 ;;
+esac
+QEMU="qemu-system-${ARCH}"
+
+need() { command -v "$1" >/dev/null 2>&1 || { echo "error: '$1' not found — $2" >&2; exit 1; }; }
+sha256() { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'; else shasum -a 256 "$1" | awk '{print $1}'; fi; }
+need ssh "install openssh-client"
+
+# --- resolve qemu: prefer the vendored static qemu from the toolchain release,
+# fall back to a system qemu-system on PATH. lvh finds qemu via PATH and the
+# static qemu finds its firmware blobs relative to its own binary, so we just
+# prepend the extracted bin dir to PATH — no -L plumbing into lvh needed.
+if [ -f build/toolchain.lock ]; then
+	. ./build/toolchain.lock
+	qsha="$(eval "printf '%s' \"\${QEMU_SHA256_${ARCH}:-}\"")"
+	QDIR="${XDG_CACHE_HOME:-$HOME/.cache}/yeet/toolchain/v${TOOLCHAIN_VERSION}/${ARCH}/qemu"
+	if [ ! -x "$QDIR/bin/$QEMU" ] && [ -n "$qsha" ] && [ -n "${TOOLCHAIN_BASE_URL:-}" ]; then
+		echo ">> fetching static qemu (${ARCH}, v${TOOLCHAIN_VERSION})"
+		tmp="$(mktemp -d)"
+		if curl -fSL --retry 3 -o "$tmp/q.tgz" "${TOOLCHAIN_BASE_URL}/v${TOOLCHAIN_VERSION}/qemu-${ARCH}.tar.gz"; then
+			got="$(sha256 "$tmp/q.tgz")"
+			if [ "$got" = "$qsha" ]; then
+				mkdir -p "$QDIR"; tar xzf "$tmp/q.tgz" -C "$QDIR"; chmod +x "$QDIR/bin/$QEMU" 2>/dev/null || true
+			else
+				echo "warning: qemu checksum mismatch (got $got, want $qsha); using system qemu" >&2
+			fi
+		else
+			echo "warning: could not download qemu; using system qemu" >&2
+		fi
+		rm -rf "$tmp"
+	fi
+	if [ -x "$QDIR/bin/$QEMU" ]; then
+		PATH="$QDIR/bin:$PATH"; export PATH
+		echo ">> using vendored static qemu: $QDIR/bin/$QEMU"
+	fi
+fi
+need "$QEMU" "no vendored qemu in build/toolchain.lock and none on PATH — bump the lock to a toolchain that ships qemu, or install qemu-system"
+
+# --- resolve lvh (PATH, else extract from the OCI image with docker) ----------
+LVH="$(command -v lvh || true)"
+if [ -z "$LVH" ]; then
+	need docker "needed to fetch lvh (or put an 'lvh' binary on PATH)"
+	echo ">> fetching lvh ${LVH_VERSION} from quay.io/lvh-images/lvh"
+	docker pull "quay.io/lvh-images/lvh:${LVH_VERSION}" >/dev/null
+	cid="$(docker create "quay.io/lvh-images/lvh:${LVH_VERSION}")"
+	LVH="$(mktemp -d)/lvh"
+	docker cp "$cid:/usr/bin/lvh" "$LVH" >/dev/null
+	docker rm "$cid" >/dev/null
+	chmod +x "$LVH"
+fi
+
+[ -e /dev/kvm ] && ACCEL="--cpu-kind host" || { ACCEL="--no-hw-accel"; echo "note: /dev/kvm absent — running under TCG emulation (slow)"; }
+
+# --- build the object and stage the vendored static veristat ------------------
+echo ">> building $OBJ"
+make bpf >/dev/null
+VERISTAT="${VERISTAT:-}"
+if [ -z "$VERISTAT" ] && [ -f build/toolchain.lock ]; then
+	. ./build/toolchain.lock
+	VERISTAT="${XDG_CACHE_HOME:-$HOME/.cache}/yeet/toolchain/v${TOOLCHAIN_VERSION}/${ARCH}/veristat"
+fi
+[ -n "$VERISTAT" ] && [ -x "$VERISTAT" ] || VERISTAT="$(command -v veristat || true)"
+[ -n "$VERISTAT" ] && [ -x "$VERISTAT" ] || { echo "error: veristat not found — bump build/toolchain.lock to a toolchain that ships it, or install veristat" >&2; exit 1; }
+install -Dm755 "$VERISTAT" bin/veristat
+
+# --- per-kernel: pull image, boot, verify, stop -------------------------------
+WORK="$(mktemp -d)"
+OUTDIR="$PWD/.kmatrix"; rm -rf "$OUTDIR"; mkdir -p "$OUTDIR"
+overall=0
+
+stop_vm() { printf 'quit\n' | { nc -N 127.0.0.1 "$MON_PORT" 2>/dev/null || nc 127.0.0.1 "$MON_PORT" 2>/dev/null; } || true; sleep 1; }
+trap 'stop_vm' EXIT INT TERM
+
+for k in $KERNELS; do
+	echo ">> ==== kernel $k ===="
+	imgdir="$WORK/img/$k"; mkdir -p "$imgdir"
+	"$LVH" images pull "quay.io/lvh-images/kind:$k" --dir "$imgdir" --platform "linux/$QARCH"
+	img="$(find "$imgdir" -name '*.qcow2' | head -1)"
+	[ -n "$img" ] || { echo "::skip:: no image for $k" >&2; overall=1; continue; }
+
+	sudo "$LVH" run --image "$img" --host-mount "$PWD" --daemonize \
+		-p "${SSH_PORT}:22" --serial-port 0 --qemu-monitor-port "$MON_PORT" \
+		--console-log-file "$WORK/console-$k.log" --qemu-arch "$QARCH" $ACCEL
+
+	# wait for sshd
+	n=0; up=0
+	while [ "$n" -lt 120 ]; do
+		if ssh -p "$SSH_PORT" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+			-o ConnectTimeout=2 root@127.0.0.1 true 2>/dev/null; then up=1; break; fi
+		n=$((n+1)); sleep 1
+	done
+	if [ "$up" = 0 ]; then echo "::error:: $k VM never came up"; cat "$WORK/console-$k.log" 2>/dev/null | tail -20; overall=1; stop_vm; continue; fi
+
+	# run the gate in the VM; CSV lands in the host-mounted .kmatrix via /host
+	if ssh -p "$SSH_PORT" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@127.0.0.1 \
+		"cd /host && OUT_CSV=/host/.kmatrix/$k.csv sh build/verify-kernel.sh"; then :; else overall=1; fi
+	stop_vm
+done
+trap - EXIT INT TERM
+
+# --- render a terminal matrix from the per-kernel CSVs ------------------------
+echo
+KERNELS="$KERNELS" python3 - "$OUTDIR" <<'PY' || echo "(install python3 for the summary table; per-kernel CSVs are in .kmatrix/)"
+import csv, glob, os, sys
+outdir = sys.argv[1]
+kernels = os.environ["KERNELS"].split()
+data, progs = {}, []
+for k in kernels:
+    f = os.path.join(outdir, f"{k}.csv")
+    if not os.path.exists(f):
+        data[k] = None; continue
+    data[k] = {r["prog_name"]: r["verdict"] for r in csv.DictReader(open(f))}
+    for p in data[k]:
+        if p not in progs: progs.append(p)
+short = lambda k: k.replace("-main", "")
+if not progs:
+    print("no results — check the per-kernel output above"); raise SystemExit(0)
+w = max(len(p) for p in progs) + 2
+cols = [short(k) for k in kernels]
+print(" " * w + "  ".join(f"{c:>9}" for c in cols))
+cell = {"success": "    ok   ", "failure": "   FAIL  "}
+for p in progs:
+    row = [p.ljust(w)]
+    for k in kernels:
+        d = data[k]
+        row.append("    -    " if d is None or p not in d else cell.get(d[p], "    ?    "))
+    print("  ".join(row))
+PY
+
+[ "$overall" = 0 ] && echo ">> matrix: all programs loaded on every kernel" || echo ">> matrix: at least one kernel rejected a program (or failed to boot)"
+exit "$overall"
diff --git a/build/toolchain.lock b/build/toolchain.lock
new file mode 100644
index 0000000..ac204f1
--- /dev/null
+++ b/build/toolchain.lock
@@ -0,0 +1,96 @@
+# Pinned versions for the vendored build toolchain. Sourced by the build
+# and fetch scripts and by CI so every arch is built from identical inputs.
+
+# Toolchain bundle version. Each publish is an immutable, version-tagged
+# release `v<TOOLCHAIN_VERSION>` holding the whole set; consumers pin this one
+# number, and the cache is keyed by it (cache/yeet/toolchain/v<N>/<arch>/). CI
+# sets it to the next semver tag it computes from the [bump:*] commit markers
+# (default minor; see the README). A release is cut only when build/ or the
+# vendor workflow changes.
+TOOLCHAIN_VERSION=0.10.0
+
+# Where a consumer fetches assets from: the version-tagged release. The fetch
+# appends `/v<TOOLCHAIN_VERSION>/<tool>-<arch>`.
+TOOLCHAIN_BASE_URL=https://github.com/yeet-src/toolchain/releases/download
+
+# LLVM/clang — built fully-static from source (see Dockerfile.clang). clang is
+# the one tool we build rather than fetch, so consumers download the prebuilt
+# binary from our release assets; CI fills these checksums after building.
+# Empty until vendor.yml has published a build.
+LLVM_VERSION=22.1.8
+CLANG_SHA256_x86_64=440c6dbe473502e3d328fb155a3888bd3fdef7d81926afce048cd7e699c4aefa
+CLANG_SHA256_aarch64=105fb2d324095127a127bcba56702a86229ed8892ce6429802d30585fa270603
+
+# bpftool — official static binary from libbpf/bpftool, re-hosted on our
+# "toolchain" release so the build fetches everything from one place. CI
+# records the binary checksum (consumers verify the binary, not the upstream
+# tarball). The matching libbpf program headers (v/include/bpf) ride the same
+# version; CI records the headers-tarball checksum too.
+BPFTOOL_VERSION=7.7.0
+BPFTOOL_SHA256_x86_64=74bd16335aa1c40714fb50287a42766c6faa4958f969cce32fef89485ce4934c
+BPFTOOL_SHA256_aarch64=2b3fc4dd5e4e40bd8d670c5f1fa9693b3f879a122c0f6a3eb806dfc6735da6b7
+LIBBPF_HEADERS_SHA256=d712858662168e4e04cdc35e4a962a6056c429ed57461b974ec59b819c60e3c3
+
+# veristat — BPF verifier statistics tool, used to check that built `*.bpf.o`
+# programs load and to track verifier complexity. Official static binary from
+# libbpf/veristat (a mirror of the kernel tree's tool), re-hosted on our
+# "toolchain" release like bpftool. CI records the per-arch binary checksums
+# (consumers verify the binary, not the upstream tarball).
+VERISTAT_VERSION=0.5.1
+VERISTAT_SHA256_x86_64=fa81d2da6b0d33f73c5469e5a97e7d0afaf4e216635f57ae15428402381b95c0
+VERISTAT_SHA256_aarch64=847aa761493055f23ecc758468e8d17869a4905ff6b5eedadb993c1e9f75d1bd
+
+# GNU make — the build driver. Built static from source (tiny, fast). Since
+# make can't fetch itself, `yeet build` bootstraps it into the cache at the
+# shell level before invoking it. CI records the per-arch checksums.
+MAKE_VERSION=4.4.1
+MAKE_SHA256_x86_64=a92853c409617e84c2460672955ddc6c9f40032257c24cf743b237c5c235995d
+MAKE_SHA256_aarch64=d5d5a80c7d57795d9f13c57ecd5315b9602327370094830d7fa9e490fa2137eb
+
+# git — used to `git init` a freshly generated project. Built static from
+# source, lean (NO_CURL/NO_OPENSSL): init/add/commit/local ops only, no https
+# remotes (host git or yeet's resolver handle those). CI records checksums.
+GIT_VERSION=2.54.0
+GIT_SHA256_x86_64=0e9dff2f8fc0d44fa67971c01c46ddba710d07a2911278f7f066abec422f24b6
+GIT_SHA256_aarch64=19c6dda22c811324649e6e4aa8c369a8d822463d61d794d0e23e72fb77b5376c
+
+# esbuild — official static (Go) binary from the @esbuild/<platform> npm
+# package, re-hosted on our "toolchain" release. CI records the binary
+# checksum. Keep ESBUILD_VERSION in sync with template/package.json.
+ESBUILD_VERSION=0.28.1
+ESBUILD_SHA256_x86_64=0c6588b092a2c291a72bab90659f3c9e0e25e0fe59c9ac12b4dae4d945e5548c
+ESBUILD_SHA256_aarch64=51e829ba36f36be6d9aea6e329ddc4f9350302339b16aaca96a3cb97f64a8ebb
+
+# gh — the GitHub CLI, for release/PR automation (CI and consumer tooling).
+# Official static (Go) binary from cli/cli, re-hosted on our "toolchain"
+# release like esbuild. CI records the per-arch binary checksum (consumers
+# verify the binary, not the upstream tarball).
+GH_VERSION=2.95.0
+GH_SHA256_x86_64=62c11fbaa08835168c3d1acf8a645ac6268a13a5682c73581388c9df0c622617
+GH_SHA256_aarch64=706b030846db08d0dac0392d6f74416e0bbf0d9ac5ecbd54c9046305c10eac59
+
+# qemu — NOT part of the build toolchain: a fully-static qemu-system for the
+# optional kernel-matrix test runner (boots lvh kernel images). Built per-arch
+# from source (see Dockerfile.qemu / build-qemu.sh), trimmed to the binary plus
+# the few firmware blobs its machine loads. Needs host KVM + root at runtime, so
+# it's fetched on demand by the harness, never resolved by `make`. LIBSLIRP is a
+# build-time dep (user-mode networking) compiled static since Alpine has no
+# -static package for it.
+QEMU_VERSION=9.1.2
+LIBSLIRP_VERSION=4.8.0
+
+# lvh (cilium's little-vm-helper) — NOT a build tool: the VM orchestrator the
+# kernel-matrix test runner uses to boot kernel images, paired with the qemu
+# above. It's a single fully-static Go binary distributed only as an OCI image,
+# so we re-host it like bpftool/esbuild (see fetch-lvh.sh). CI records the
+# per-arch binary checksum; the runner fetches it on demand, never `make`.
+LVH_VERSION=v0.0.30
+LVH_SHA256_x86_64=ca3b958ffc08a4b65e4c6c8d29a4dad077acd11f146bc84f75a30ecaa031e900
+LVH_SHA256_aarch64=49b7cef6376c445c0ab23465ecc984a771e06b3b37c39b486a4fed7fb1ded476
+# Per-arch checksum of the published qemu-<arch>.tar.gz (binary + minimal
+# share/qemu blobs). CI records these; the matrix runner verifies the tarball.
+QEMU_SHA256_x86_64=2e26722e965018c145bab180cee8feace50f91841bf51b350f14527c0d5da637
+QEMU_SHA256_aarch64=6fe353ef43918c14088c7a3741bfac54e6c17084ea462454a5b2a525ba0aa330
+
+# Alpine base used for the musl-static clang build.
+ALPINE_TAG=alpine:3.21
diff --git a/build/toolchain.mk b/build/toolchain.mk
new file mode 100644
index 0000000..6cb5f18
--- /dev/null
+++ b/build/toolchain.mk
@@ -0,0 +1,70 @@
+# Resolve the static build toolchain (clang, bpftool, veristat, esbuild, git, gh) — included
+# by the project Makefile before build/bpf.mk, so the tools are set before any
+# rule uses them. A `make CLANG=…` CLI override beats this.
+#
+# Tools come from a shared, per-machine cache keyed by the project's pinned
+# toolchain version (build/toolchain.lock). `make toolchain` fills it,
+# downloading each missing tool once from the vendored toolchain release
+# (github.com/yeet-src/toolchain). The cache key is the toolchain version,
+# never the template version — so updating the template reuses an existing
+# cached toolchain, and bumping a tool adds a new entry beside the old one.
+# Falls back to host tools on PATH when no lock is present.
+#
+# The vendored binaries are Linux musl-static, so the cache is only used on
+# Linux. On any other host (macOS, BSD) we leave CLANG/BPFTOOL/ESBUILD/GIT/GH
+# unset, falling through to host tools on PATH — macOS is an edit-here,
+# build-on-Linux host for BPF work.
+
+UNAME_S := $(shell uname -s)
+UNAME_M := $(shell uname -m)
+# Apple/BSD report arm64; the release assets are named aarch64. Normalize so
+# the cache key and asset names line up across hosts.
+UNAME_M := $(UNAME_M:arm64=aarch64)
+
+# Only engage the vendored cache on Linux; elsewhere TOOLCHAIN_LOCK stays empty
+# so the PATH fallbacks below win and the fetch targets become no-ops.
+ifeq ($(UNAME_S),Linux)
+TOOLCHAIN_LOCK := $(firstword $(wildcard build/toolchain.lock))
+endif
+ifneq ($(TOOLCHAIN_LOCK),)
+  include $(TOOLCHAIN_LOCK)
+  TOOLCHAIN_KEY  := v$(TOOLCHAIN_VERSION)
+  YEET_CACHE_DIR ?= $(if $(XDG_CACHE_HOME),$(XDG_CACHE_HOME),$(HOME)/.cache)/yeet
+  TOOLCHAIN_DIR  := $(YEET_CACHE_DIR)/toolchain/$(TOOLCHAIN_KEY)/$(UNAME_M)
+  CLANG    ?= $(TOOLCHAIN_DIR)/clang
+  BPFTOOL  ?= $(TOOLCHAIN_DIR)/bpftool
+  VERISTAT ?= $(TOOLCHAIN_DIR)/veristat
+  ESBUILD  ?= $(TOOLCHAIN_DIR)/esbuild
+  GIT      ?= $(TOOLCHAIN_DIR)/git
+  GH       ?= $(TOOLCHAIN_DIR)/gh
+  # libbpf program headers are arch-independent: one copy per version key,
+  # beside the per-arch tool dirs.
+  BPF_SYSINCLUDE ?= $(YEET_CACHE_DIR)/toolchain/$(TOOLCHAIN_KEY)/include
+endif
+
+# PATH fallbacks (bpf.mk supplies the clang/bpftool fallbacks).
+VERISTAT ?= veristat
+ESBUILD  ?= esbuild
+GIT      ?= git
+GH       ?= gh
+
+# Fill the cache for this arch, downloading any missing tool once. A no-op
+# when no lock is present (PATH case).
+.PHONY: toolchain
+toolchain:
+ifneq ($(TOOLCHAIN_LOCK),)
+	@sh build/fetch-toolchain.sh "$(TOOLCHAIN_DIR)" "$(UNAME_M)" "$(TOOLCHAIN_LOCK)"
+else
+	@:
+endif
+
+# Fetch only git into the cache — used by `postgen` so generating a project
+# doesn't pull the whole build toolchain just to initialize a repo.
+.PHONY: vendored-git
+vendored-git:
+ifneq ($(TOOLCHAIN_LOCK),)
+	@sh build/fetch-toolchain.sh "$(TOOLCHAIN_DIR)" "$(UNAME_M)" "$(TOOLCHAIN_LOCK)" git \
+		|| echo "note: vendored git unavailable; postgen will fall back to host git" >&2
+else
+	@:
+endif
diff --git a/build/verify-kernel.sh b/build/verify-kernel.sh
new file mode 100755
index 0000000..c4ba606
--- /dev/null
+++ b/build/verify-kernel.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+# CI helper — runs INSIDE a per-kernel VM. Loads the built BPF object with the
+# vendored static veristat and fails if the running kernel's verifier rejects
+# any program. Driven by .github/workflows/kernel-matrix.yml, which boots each
+# kernel with cilium's little-vm-helper and mounts the project at /host; the
+# workflow stages the static veristat into bin/ before booting.
+#
+#   sh build/verify-kernel.sh [bpf-object]   (default: bin/probe.bpf.o)
+#
+# Set OUT_CSV=<path> to also write a machine-readable result (file,prog,verdict,
+# insns,states) — the workflow points it at the mounted workspace so the runner
+# can render a summary table from it after the VM exits.
+#
+# Why parse output instead of trusting the exit code: veristat returns 0 even
+# when a program fails to load — a rejected program shows up as a VERDICT of
+# "failure" in its table, not as a non-zero status. So the gate reads the verdict
+# column. (veristat only exits non-zero on infra errors: missing file, OOM, etc.)
+
+set -eu
+
+OBJ="${1:-bin/probe.bpf.o}"
+VERISTAT="${VERISTAT:-./bin/veristat}"
+# verdict LAST so the gate below can match it at end-of-line. veristat's CSV
+# header uses each stat's canonical name, so the columns come out as
+# file_name,prog_name,total_insns,total_states,verdict.
+COLS="file,prog,insns,states,verdict"
+
+[ -x "$VERISTAT" ] || { echo "error: veristat not found/executable at $VERISTAT" >&2; exit 1; }
+[ -f "$OBJ" ]      || { echo "error: BPF object not found at $OBJ" >&2; exit 1; }
+
+KREL="$(uname -r)"
+echo ">> kernel $KREL: loading $OBJ"
+
+# Human-readable table for the console log (full default columns).
+"$VERISTAT" "$OBJ" || true
+
+# Machine-readable pass: the verdict column is the gate; the rest feeds the
+# workflow's summary table.
+csv="$("$VERISTAT" -o csv -e "$COLS" "$OBJ")"
+if [ -n "${OUT_CSV:-}" ]; then
+	mkdir -p "$(dirname "$OUT_CSV")"
+	printf '%s\n' "$csv" > "$OUT_CSV"
+fi
+
+# Drop the header row; fail if any program's verdict is not "success".
+if printf '%s\n' "$csv" | tail -n +2 | grep -q ',failure$'; then
+	echo "::error::BPF verifier rejected a program on kernel $KREL" >&2
+	exit 1
+fi
+
+echo ">> all programs loaded on kernel $KREL"
diff --git a/dashboard.jsx b/dashboard.jsx
deleted file mode 100644
index 919e39b..0000000
--- a/dashboard.jsx
+++ /dev/null
@@ -1,180 +0,0 @@
-/* Panels + layout. `Dashboard` is the view passed to `mount`. It has two
- * screens, switched by the `focusKey` signal:
- *
- *   list   — a status bar, a bordered endpoint table that flexes to fill
- *            (the highlighted row tracks the `sel` signal), and a footer.
- *   detail — a per-endpoint breakdown for the endpoint Enter was pressed on.
- *
- * The bodies read signals from state.js, so they redraw reactively as state
- * ticks and as the user navigates. */
-
-import { Box, Text, bold, dim, fg } from "yeet:tui";
-
-import { rows, totals, info, endpointCount, sel, focusKey, endpoint, tick } from "./state.js";
-import {
-  METHOD_COLORS, METHOD_FALLBACK, accent, rateOn, grid, selBg, label,
-  W_RANK, W_METHOD, W_COUNT, W_RATE, W_HOST, W_LAST,
-  pad, padEnd, fmtCount, fmtBytes, fmtAgo, fmtUptime, fmtMs, percentile, statusColor, sparkline,
-} from "./render.jsx";
-
-const methodColor = (m) => METHOD_COLORS[m] || METHOD_FALLBACK;
-
-/* ---- status bar / footer ------------------------------------------ */
-function StatusBar() {
-  return (
-    <Box direction="row" height="fit">
-      <Text>{bold(fg(accent)("httpinspect"))}</Text>
-      <Text width="1fr">{() => dim(`  iface: ${info.ifaceLabel}  ·  plaintext HTTP only`)}</Text>
-    </Box>
-  );
-}
-
-function Footer() {
-  return (
-    <Text>{() => dim(
-      `${fmtCount(totals.reqs)} reqs  ·  ${endpointCount()} endpoints  ·  ` +
-      `${fmtBytes(totals.bytes)} seen  ·  up ${fmtUptime(Date.now() - totals.startMs)}`
-    )}</Text>
-  );
-}
-
-/* Mode-aware key legend pinned to the bottom: keys in accent, labels dimmed. */
-function Legend() {
-  return (
-    <Text>{() => {
-      const keys = focusKey.get()
-        ? [["esc / ←", "back"], ["q", "list"], ["Ctrl-C", "quit"]]
-        : [["↑/↓", "move"], ["PgUp/Dn", "page"], ["⏎", "details"], ["q / Ctrl-C", "quit"]];
-      return keys.flatMap(([k, d], i) => [i ? dim("    ") : "", fg(accent)(k), dim(" " + d)]);
-    }}</Text>
-  );
-}
-
-/* ---- list screen -------------------------------------------------- */
-function HeaderRow() {
-  return (
-    <Box direction="row" height="fit">
-      <Text width={W_RANK}>{dim("#")}</Text>
-      <Text width={W_METHOD}>{bold("METHOD")}</Text>
-      <Text width={W_HOST}>{bold("HOST")}</Text>
-      <Text width="1fr">{bold("PATH")}</Text>
-      <Text width={W_COUNT}>{bold(pad("COUNT", W_COUNT))}</Text>
-      <Text width={W_RATE}>{bold(pad("REQ/S", W_RATE))}</Text>
-      <Text width={W_LAST}>{bold(pad("LAST", W_LAST))}</Text>
-    </Box>
-  );
-}
-
-function Row({ row, rank, selected }) {
-  const rateStr = row.rate > 0 ? pad(fmtCount(row.rate), W_RATE) : dim(pad("·", W_RATE));
-  return (
-    <Box direction="row" height="fit" bg={selected ? selBg : undefined}>
-      <Text width={W_RANK}>{selected ? fg(accent)("› " + pad(rank, 2).slice(1)) : dim(pad(rank, 2) + " ")}</Text>
-      <Text width={W_METHOD}>{fg(methodColor(row.method))(padEnd(row.method, W_METHOD))}</Text>
-      <Text width={W_HOST} overflow="ellipsis">{dim(row.host)}</Text>
-      <Text width="1fr" overflow="ellipsis">{row.path}</Text>
-      <Text width={W_COUNT}>{bold(fg(accent)(pad(fmtCount(row.count), W_COUNT)))}</Text>
-      <Text width={W_RATE}>{row.rate > 0 ? fg(rateOn)(rateStr) : rateStr}</Text>
-      <Text width={W_LAST}>{dim(pad(fmtAgo(Date.now() - row.last), W_LAST))}</Text>
-    </Box>
-  );
-}
-
-/* Scroll window top, kept across renders so the highlight stays on-screen as
- * the user pages past the visible rows. */
-let listTop = 0;
-
-function ListPanel({ size }) {
-  return (
-    <Box border={{ line: "round", fg: grid }} padding={[0, 1]} direction="column"
-      width="1fr" height="1fr" overflow="hidden">
-      <HeaderRow />
-      <Text width="1fr" break="none" overflow="hidden">{dim("─".repeat(400))}</Text>
-      {() => {
-        const data = rows.get();
-        const vis = Math.max(3, size.get().rows - 8);
-        if (data.length === 0) {
-          return <Text>{dim("waiting for HTTP requests…  (try: curl http://localhost:PORT/path)")}</Text>;
-        }
-        const cur = Math.max(0, Math.min(data.length - 1, sel.get()));
-        // Keep the selection inside the visible window [listTop, listTop+vis).
-        if (cur < listTop) listTop = cur;
-        else if (cur >= listTop + vis) listTop = cur - vis + 1;
-        listTop = Math.max(0, Math.min(listTop, Math.max(0, data.length - vis)));
-        return data.slice(listTop, listTop + vis).map((row, i) =>
-          <Row row={row} rank={listTop + i + 1} selected={listTop + i === cur} />);
-      }}
-    </Box>
-  );
-}
-
-/* ---- detail screen ------------------------------------------------ */
-// Components are called `(opts, ...children)` by the JSX runtime, so read the
-// value pieces from the rest args — not a `children` prop.
-function Field(opts, ...children) {
-  return (
-    <Box direction="row" height="fit">
-      <Text width={12}>{fg(label)(opts.name)}</Text>
-      <Text width="1fr" overflow="ellipsis">{children.flat(Infinity)}</Text>
-    </Box>
-  );
-}
-
-/* Status-code tallies as colored "200×120  404×3" spans, busiest first. */
-function statusSpans(status) {
-  const codes = Object.entries(status).sort((a, b) => b[1] - a[1]).slice(0, 6);
-  if (codes.length === 0) return dim("— no responses paired yet");
-  return codes.flatMap(([code, n], i) =>
-    [i ? "  " : "", fg(statusColor(Number(code)))(code), dim(`×${n}`)]);
-}
-
-function DetailPanel({ size }) {
-  return (
-    <Box border={{ line: "round", fg: grid }} padding={1} direction="column"
-      width="1fr" height="1fr" overflow="hidden">
-      {() => {
-        tick.get(); // re-render on each state tick (fields below mutate in place)
-        const r = endpoint(focusKey.get());
-        if (!r) return <Text>{dim("endpoint no longer tracked — press esc to go back")}</Text>;
-        const now = Date.now();
-        const share = totals.reqs ? (r.count / totals.reqs) * 100 : 0;
-        const sparkW = Math.max(10, Math.min(r.hist.length || 1, size.get().cols - 18));
-        const lat = r.lat.length
-          ? `p50 ${fmtMs(percentile(r.lat, 50))}  ·  p95 ${fmtMs(percentile(r.lat, 95))}  ·  ` +
-            `max ${fmtMs(Math.max(...r.lat))}  ${"·"}  ${r.lat.length} samples`
-          : dim("no responses paired yet");
-        return [
-          <Box direction="row" height="fit">
-            <Text width={W_METHOD + 1}>{bold(fg(methodColor(r.method))(r.method))}</Text>
-            <Text width="1fr" overflow="ellipsis">{bold(`${r.host}${r.path}`)}</Text>
-          </Box>,
-          <Text> </Text>,
-          <Field name="Requests">{bold(fg(accent)(fmtCount(r.count)))}{dim(`  (${r.count})`)}</Field>,
-          <Field name="Share">{`${share.toFixed(1)}% of all requests`}</Field>,
-          <Field name="Req/s now">{r.rate > 0 ? fg(rateOn)(String(r.rate)) : dim("0")}{dim(`   peak ${r.peak}/s`)}</Field>,
-          <Field name="Latency">{lat}</Field>,
-          <Field name="Status">{statusSpans(r.status)}</Field>,
-          <Field name="Bytes">{fmtBytes(r.bytes)}{dim(" on the wire")}</Field>,
-          <Field name="First seen">{`${fmtAgo(now - r.first)} ago`}</Field>,
-          <Field name="Last seen">{`${fmtAgo(now - r.last)} ago`}</Field>,
-          <Text> </Text>,
-          <Text>{fg(label)("Req/s, last minute")}</Text>,
-          <Text overflow="hidden">{fg(rateOn)(sparkline(r.hist, sparkW, r.peak))}</Text>,
-          <Text> </Text>,
-          <Text>{fg(label)("Latency, recent responses")}</Text>,
-          <Text overflow="hidden">{fg(accent)(sparkline(r.lat, sparkW))}</Text>,
-        ];
-      }}
-    </Box>
-  );
-}
-
-/* ---- root --------------------------------------------------------- */
-export const Dashboard = (size) => (
-  <Box direction="column" width="1fr" height="1fr" padding={[0, 1]}>
-    <StatusBar />
-    {() => focusKey.get() ? <DetailPanel size={size} /> : <ListPanel size={size} />}
-    <Footer />
-    <Legend />
-  </Box>
-);
diff --git a/demo/record.sh b/demo/record.sh
new file mode 100755
index 0000000..ecb5d2a
--- /dev/null
+++ b/demo/record.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# Record the httptop demo gif with real traffic flowing.
+#
+# Spins up a fake HTTP server + load generator (demo/traffic.sh) as background
+# traffic via `termgif --bg`, so the dashboard fills with live endpoints, status
+# codes, and latency — then captures `yeet run .`.
+#
+#   demo/record.sh                       # -> assets/http-endpoint.gif
+#   demo/record.sh path/to/out.gif       # custom output
+#   PORT=9001 demo/record.sh             # use a different server port
+#
+# Needs: termgif on PATH (~/src/bin), the yeet daemon, clang + bpftool (for make),
+# python3 + curl. Run from anywhere — paths resolve relative to this script.
+set -euo pipefail
+
+HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT="$(cd "$HERE/.." && pwd)"
+PORT="${PORT:-8731}"
+OUT="${1:-$ROOT/assets/http-endpoint.gif}"
+
+command -v termgif >/dev/null 2>&1 || { echo "record: termgif not on PATH (try: export PATH=\"\$HOME/src/bin:\$PATH\")" >&2; exit 1; }
+
+# Make sure the probe is built before we record.
+make -C "$ROOT"
+
+# Once the recording is visible, walk down the list and open an endpoint's
+# detail screen, then step back out — so the gif shows the dashboard being
+# driven, not just sitting there. termgif injects these into the tape after the
+# table is on screen; the Sleeps here set the gif's pacing and total length.
+KEYS='Sleep 2500ms
+Down
+Sleep 700ms
+Down
+Sleep 700ms
+Down
+Sleep 1200ms
+Enter
+Sleep 4500ms
+Escape
+Sleep 2000ms'
+
+# termgif starts --bg before the recorded command and kills its process group
+# when done. We give a long warmup so the server is up and the table + req/s
+# rates have settled before the recording becomes visible.
+cd "$ROOT"
+PORT="$PORT" termgif \
+  -o "$OUT" \
+  -c 92 -r 28 -f 16 \
+  --warmup 5000 \
+  --keys "$KEYS" \
+  --bg "PORT=$PORT bash '$HERE/traffic.sh'" \
+  -- yeet run .
+
+echo "record: wrote $OUT" >&2
diff --git a/demo/server.py b/demo/server.py
new file mode 100755
index 0000000..3e702a7
--- /dev/null
+++ b/demo/server.py
@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+"""Tiny plaintext-HTTP server for the httptop demo recording.
+
+Routes return canned JSON with a route-specific, jittered latency and a mix of
+status codes, so the dashboard fills with realistic endpoints, methods, 2xx/
+4xx/5xx codes, and a spread of p50/p95 latencies. Binds loopback only.
+
+    python3 server.py [port]      # default 8731
+"""
+import random
+import re
+import sys
+import time
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+
+# (method, path regex) -> (status, base_ms, jitter_ms)
+ROUTES = [
+    ("GET",    r"/healthz$",            200, 2,   3),
+    ("GET",    r"/api/products$",       200, 15,  12),
+    ("GET",    r"/api/products/\d+$",   200, 22,  18),
+    ("POST",   r"/api/cart$",           201, 40,  30),
+    ("DELETE", r"/api/cart/\d+$",       204, 28,  15),
+    ("POST",   r"/auth/login$",         200, 65,  45),
+    ("GET",    r"/api/orders$",         200, 80,  60),   # occasionally 500 (below)
+    ("GET",    r"/api/recommendations$", 200, 130, 90),  # the slow path
+]
+
+
+class Handler(BaseHTTPRequestHandler):
+    protocol_version = "HTTP/1.1"
+
+    def _route(self):
+        path = self.path.split("?", 1)[0]
+        status, base, jit = 404, 4, 4  # default: not found
+        for method, rx, st, b, j in ROUTES:
+            if self.command == method and re.search(rx, path):
+                status, base, jit = st, b, j
+                break
+        if path == "/api/orders" and random.random() < 0.08:
+            status = 500  # flaky endpoint, for a splash of red
+        return status, base, jit
+
+    def _handle(self):
+        status, base, jit = self._route()
+        time.sleep((base + random.random() * jit) / 1000.0)  # simulate work
+        body = b"" if status in (204, 304) else (
+            b'{"ok":true}\n' if status < 400 else b'{"error":true}\n')
+        self.send_response(status)
+        self.send_header("Content-Type", "application/json")
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+        if self.command != "HEAD" and body:
+            try:
+                self.wfile.write(body)
+            except BrokenPipeError:
+                pass
+
+    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = _handle
+
+    def log_message(self, *args):
+        pass  # stay quiet; the dashboard is the output
+
+
+if __name__ == "__main__":
+    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8731
+    ThreadingHTTPServer(("127.0.0.1", port), Handler).serve_forever()
diff --git a/demo/traffic.sh b/demo/traffic.sh
new file mode 100755
index 0000000..9adfe0a
--- /dev/null
+++ b/demo/traffic.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Background load for the httptop demo (the `termgif --bg` payload).
+#
+# Starts the fake server, waits for it to accept connections, then sends a
+# steady, weighted mix of plaintext HTTP requests over loopback until killed.
+# `--bg` runs this in its own session and SIGTERMs the group when the recording
+# ends; the trap below tears the server down with it.
+#
+# The requests go to 127.0.0.1 (so httptop captures them on `lo`), but each
+# carries a `Host:` header — httptop keys on that, so the dashboard shows
+# realistic hostnames (shop.internal, auth.internal, …) instead of the loopback
+# address.
+set -uo pipefail
+
+HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PORT="${PORT:-8731}"
+BASE="http://127.0.0.1:${PORT}"
+
+python3 "$HERE/server.py" "$PORT" &
+SERVER=$!
+trap 'kill "$SERVER" 2>/dev/null || true' EXIT INT TERM
+
+# Wait (up to ~5s) for the server to come up.
+for _ in $(seq 1 50); do
+  curl -s -o /dev/null "$BASE/healthz" && break || sleep 0.1
+done
+
+# method path host  — one request over a fresh connection.
+req() { curl -s -o /dev/null -X "$1" -H "Host: $3" "$BASE$2"; }
+
+# Weighted mix: healthz is chatty, recommendations is rare and slow. Methods
+# and hosts vary so every dashboard column has something to show.
+while true; do
+  req GET    /healthz                            shop.internal
+  req GET    /api/products                       shop.internal
+  req GET    "/api/products/$((RANDOM % 900 + 100))" shop.internal
+  req GET    /healthz                            shop.internal
+  req POST   /api/cart                           shop.internal
+  req GET    /api/orders                         shop.internal
+  req GET    /healthz                            shop.internal
+  req POST   /auth/login                         auth.internal
+  req DELETE "/api/cart/$((RANDOM % 900 + 100))" shop.internal
+  req GET    /static/app.js                      cdn.internal
+  req GET    /api/recommendations                reco.internal
+  sleep 0.15
+done
diff --git a/main.jsx b/main.jsx
deleted file mode 100644
index abd11d5..0000000
--- a/main.jsx
+++ /dev/null
@@ -1,104 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-// httptop — a live dashboard of the most active plaintext HTTP endpoints on
-// this host. An eBPF program at the TC layer ships HTTP request lines to JS;
-// state.js parses method + Host + path and aggregates by endpoint, and
-// dashboard.js renders a sorted, auto-refreshing table.
-//
-//   yeet run .                 # watch every up interface (incl. loopback)
-//   yeet run . --iface lo,eth0 # only these interfaces
-//   yeet run . --keep-query    # don't collapse the query string into the path
-//
-// Plaintext HTTP only — HTTPS payloads are ciphertext at this layer.
-
-import { RingBuf } from "yeet:bpf";
-import { mount } from "yeet:tui";
-import bpf from "./bin/httptop.bpf.o";
-
-import { onEvent, startTicks, info, moveSel, enterDetail, exitDetail, focusKey } from "./state.js";
-import { Dashboard } from "./dashboard.jsx";
-
-// The TUI needs a real terminal: in non-TTY mode (piped/redirected output)
-// yeet never installs the `tty` global, and `mount`'s `term = tty` default
-// would throw a bare `ReferenceError: tty is not defined` with no output.
-// Fail loudly instead.
-if (typeof tty === "undefined") {
-  console.error("[httptop] needs an interactive terminal — don't pipe or redirect output (and avoid --no-tty).");
-  yeet.exit();
-}
-
-// Which interfaces to watch. The TCX wildcard skips loopback, so we always
-// enumerate every up interface explicitly (incl. `lo`) — that's where most
-// local HTTP lives. `--iface a,b` narrows to named interfaces.
-const wanted = yeet.args.iface
-  ? new Set(String(yeet.args.iface).split(",").map((s) => s.trim()).filter(Boolean))
-  : null;
-
-let ifaces = [];
-try {
-  const { data, errors } = await yeet.graph.query(
-    `{ network_interfaces { index name is_up } }`
-  );
-  if (errors) throw new Error(errors[0].message);
-  ifaces = (data.network_interfaces || [])
-    .filter((i) => i.is_up && (!wanted || wanted.has(i.name)));
-} catch (err) {
-  console.error(`[httptop] could not list interfaces: ${err.message}`);
-  yeet.exit();
-}
-const ifindexes = ifaces.map((i) => i.index);
-if (ifindexes.length === 0) {
-  console.error("[httptop] no matching up interfaces to watch");
-  yeet.exit();
-}
-info.ifaceLabel = wanted ? ifaces.map((i) => i.name).join(",") : `all (${ifaces.length})`;
-
-// ── load + attach the probe ────────────────────────────────────────────────
-const tcxSpec = { kind: "tcx", ifindex: ifindexes };
-let control;
-try {
-  control = await bpf
-    .bind("events", { kind: "ringbuf", btf_struct: "http_event" })
-    .attach("on_ingress", tcxSpec)
-    .attach("on_egress", tcxSpec)
-    .start();
-} catch (err) {
-  console.error(`[httptop] failed to load eBPF: ${err.message}`);
-  console.error("[httptop] need CAP_BPF/root and a compiled bin/httptop.bpf.o (run `make`).");
-  yeet.exit();
-}
-
-new RingBuf(control, "events").subscribe(
-  onEvent,
-  (err) => console.error("[httptop] ringbuf error:", err.message),
-);
-
-startTicks();
-mount(Dashboard);
-
-// ── keyboard navigation ─────────────────────────────────────────────────────
-// Arrow keys (or j/k) move the selection in the list; Enter opens the focused
-// endpoint's detail screen; Esc (or ←/q) returns to the list. The runtime
-// disables input automatically when the isolate exits, so no teardown.
-tty.enableKittyKeyboard();
-tty.on("keydown", (e) => {
-  if (e.ctrlKey && e.code === "c") { yeet.exit(); return; }
-
-  if (focusKey.get()) {
-    if (e.code === "Escape" || e.code === "ArrowLeft" || e.key === "q") exitDetail();
-    return;
-  }
-
-  switch (e.code) {
-    case "ArrowDown": moveSel(1); break;
-    case "ArrowUp": moveSel(-1); break;
-    case "PageDown": moveSel(10); break;
-    case "PageUp": moveSel(-10); break;
-    case "Enter": enterDetail(); break;
-    default:
-      if (e.key === "j") moveSel(1);
-      else if (e.key === "k") moveSel(-1);
-      else if (e.key === "q") yeet.exit();
-  }
-});
-
-await new Promise(() => {}); // run until Ctrl-C
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..3b33881
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,499 @@
+{
+  "name": "httpinspect",
+  "version": "0.1.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "httpinspect",
+      "version": "0.1.0",
+      "devDependencies": {
+        "esbuild": "^0.28.1"
+      }
+    },
+    "node_modules/@esbuild/aix-ppc64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.28.1.tgz",
+      "integrity": "sha512-Svl7tq8k/08+p6CXPpRjQ1fKX+1odH/BQbb48fV6fj3CWHhsoIOoY87w1oHXm0qEpkIK3ZfVgp0hed3XBXzXMQ==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "aix"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-arm": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.28.1.tgz",
+      "integrity": "sha512-0k2F129Xdio1TdJfzJ8sy1Q47vUD2NnwdhiAf7drUN1EBTfPf4hsFCtmMgu/6m8JSzsBrlmVjudMBQqOfG8usQ==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-arm64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.28.1.tgz",
+      "integrity": "sha512-34EGEbCIAgosYz6goLcopX6Mo7NyGv9tfwEM2/7Ce2VcVRk568iSvniGWcUXIy7wEDR1wzolcxcriFVrWYcwBg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/android-x64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.28.1.tgz",
+      "integrity": "sha512-dbwY7ltSMDWsRatcRpCnES4F+im88OCUgGZjy52shC7GqHRE/cYlxNbB4Z4UpJswpcc4Qxd2oE/ufM0p61IKng==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/darwin-arm64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.28.1.tgz",
+      "integrity": "sha512-TZbWkQY7kvTAXbXUT7uVACR5cMHsDiSz9z7ZKAX/RTq/WJEk3QyRr0wZpNhBDX+/0CtdqUIJlOiodQcta6tY3Q==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/darwin-x64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.28.1.tgz",
+      "integrity": "sha512-zfdzgK9ACBNZLI/CyHTOx81SyNbM6YXn7rxSgX97VjyiPl9W1i4Ka4fgKECEoFCKGpvBj5qArWIGgQjOwkgskQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.28.1.tgz",
+      "integrity": "sha512-wG2EA8ENdEI0qhkSZMjfqrdY+ziCYCPMmtZjjIwOmXFjmyzEHn+UUxk5of+SYsjtfs3VpnlC7QLzSI5hY/rOAw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/freebsd-x64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.28.1.tgz",
+      "integrity": "sha512-i7dZ9vQgnvSCzi/rYCXNgtF/U+eKZNJBzu3eTQbRgHnM7tNSizLOkRFAl3qzVc/Op/u5YkHHa4pf/3DOYHthLQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-arm": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.28.1.tgz",
+      "integrity": "sha512-qVXBOHQS+d5Y722GwJzJUtOLlX7km3CraOaGormF1pDtPd2C/l1SHRPgjLunLGe51Sh5YYWKMFDyV4SxgMQYTQ==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-arm64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.28.1.tgz",
+      "integrity": "sha512-yHs+0uc8+nvEAfAfxrWQKK5peSNzBc4PegcMO0EJ2hT71uA7vB8Ihg2e77R2P7SG5uYjPbHlLLmve4LLLRCf0g==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-ia32": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.28.1.tgz",
+      "integrity": "sha512-d1z4ZuP0ajrfz/FhGT4vv278rX8KnPPJx8i5+AtK7TYbx9Le9F1hyzurZpkEyjkGa9dUGhQow4C1NmeGvqxN2w==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-loong64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.28.1.tgz",
+      "integrity": "sha512-M5sRjUVZrkm1OAPR3dlOYzNmN+loZKGVi1VUQGrwuqLcbR6qeAz+famMhjASeH3YVKvZz+zT1jlh/keC3Rj/lg==",
+      "cpu": [
+        "loong64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-mips64el": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.28.1.tgz",
+      "integrity": "sha512-mRObBZeHh2OxcBFPWE/FjylkRgZdYuiTR3vaTozquCGOH14iP9oN4x4Ge81CoIDYQrXmIxpFumJBu5MtZpnQJQ==",
+      "cpu": [
+        "mips64el"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-ppc64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.28.1.tgz",
+      "integrity": "sha512-slScBsMAb3GFDcdrCgLwZtPYRoH2H/youv10QiZyRjmsP48fznoveWytSgCI/R0ZcUgpc0ZhIUEx6LHts8yrfQ==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-riscv64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.28.1.tgz",
+      "integrity": "sha512-kw0owk1o0GFETUJyW0jc0G4Yzs0BHZn0JDZ8JRT088vjJYX777BAs1fDGxAC+q831qOs2DTC96mNsG2opdfyyQ==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-s390x": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.28.1.tgz",
+      "integrity": "sha512-/lAIjX8aYFRByhh6L5rYtPEDRqa9de/4V/juOXcta5frjvzXO4/sqEtyytse0g3zZFuWu5cDN0MkLz2qRDD2Ag==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-x64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.28.1.tgz",
+      "integrity": "sha512-u/anNYF2mmVOEDwLtnQ1wOr3EZ9sTNGLWrsYGYwHWzGA3Si84IOkHXlbWTD1NB+9/1lcnweYKO54uhxZydNzfA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-arm64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.28.1.tgz",
+      "integrity": "sha512-oks0DYbLwWMmaakTsCb+zL4E+aHRVLom9IJZOAthMQEPiQmydXHkziYEsGYRx0uNV/IjEKGAV941JzH02pflqw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-x64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.28.1.tgz",
+      "integrity": "sha512-aeL6lAnN89Hz43Mlh1G8ARasbuoYvSITDEx0tHh5b7jJnHcssqgjy9Yx430GDpmCa6OyrKoS0aNRjKundRizGg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-arm64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.28.1.tgz",
+      "integrity": "sha512-MEFJe5C3R8pwXdZ5Y21oo6m7ePiS0d9pWucn99O/wvyJZChoIQKrQDxKrGeW8F5+T0okTHesAmDeiHDTIq0V/Q==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-x64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.28.1.tgz",
+      "integrity": "sha512-i/ZLIOafE0Z8cI/XANJAixoJL/uRAoS2xOA3rb0xN+KK0K177cMAsQYkzHtBrtMXAKuAc7HGgcWiZ/sRC1Nxgw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openharmony-arm64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.28.1.tgz",
+      "integrity": "sha512-ge+Z7EXFNt2BO1oAMsVpiQ8EwndV9i1xXerAeTIK7AtPs3bKFXQM7nlRxDSIUIMeueR1CNXxqztLzdNeReKBJg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/sunos-x64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.28.1.tgz",
+      "integrity": "sha512-BEjgtECkL3vY+SaSQ6nzVfiALUeFxpawyp8Jmf5PtYhf1Ug40N1h/hxlhts+f1FvSvarEigdxS3BlSMI2PJLcQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-arm64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.28.1.tgz",
+      "integrity": "sha512-lCv9eK/H6ZJWbE7bh2nw54CZ9M2nupBxJcTsdk/QQnWkdSjKGuxmmH8/GWrlT1eMmZfn4dGcCjRte397WqfQXA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-ia32": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.28.1.tgz",
+      "integrity": "sha512-zvb/mB2bSCoJOpoCBgYKKpX6YM6mJBlBUVUtVj41DlZJVEB6/0CKlRYxP5wWl1C1ILiCoAU5wZZ4q1P3qeS6Eg==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-x64": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.28.1.tgz",
+      "integrity": "sha512-bm4Mowrv+GXMlpWX++EcXw/iLyd1o3+bJkC2DkWXYVvgZCqD/bSj9ctZeAMC3cIxgjRVR2Dufaiu4YPxr5gW1A==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/esbuild": {
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.28.1.tgz",
+      "integrity": "sha512-HrJrvZv5ayxBzPfwphOoNzkzOIIlifzk0KJrGK2c8R4+LKpMtpYLQeUdjnwjWv/LZlkH2laZk+4w78pi99D4Vw==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "esbuild": "bin/esbuild"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "@esbuild/aix-ppc64": "0.28.1",
+        "@esbuild/android-arm": "0.28.1",
+        "@esbuild/android-arm64": "0.28.1",
+        "@esbuild/android-x64": "0.28.1",
+        "@esbuild/darwin-arm64": "0.28.1",
+        "@esbuild/darwin-x64": "0.28.1",
+        "@esbuild/freebsd-arm64": "0.28.1",
+        "@esbuild/freebsd-x64": "0.28.1",
+        "@esbuild/linux-arm": "0.28.1",
+        "@esbuild/linux-arm64": "0.28.1",
+        "@esbuild/linux-ia32": "0.28.1",
+        "@esbuild/linux-loong64": "0.28.1",
+        "@esbuild/linux-mips64el": "0.28.1",
+        "@esbuild/linux-ppc64": "0.28.1",
+        "@esbuild/linux-riscv64": "0.28.1",
+        "@esbuild/linux-s390x": "0.28.1",
+        "@esbuild/linux-x64": "0.28.1",
+        "@esbuild/netbsd-arm64": "0.28.1",
+        "@esbuild/netbsd-x64": "0.28.1",
+        "@esbuild/openbsd-arm64": "0.28.1",
+        "@esbuild/openbsd-x64": "0.28.1",
+        "@esbuild/openharmony-arm64": "0.28.1",
+        "@esbuild/sunos-x64": "0.28.1",
+        "@esbuild/win32-arm64": "0.28.1",
+        "@esbuild/win32-ia32": "0.28.1",
+        "@esbuild/win32-x64": "0.28.1"
+      }
+    }
+  }
+}
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..761d320
--- /dev/null
+++ b/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "httpinspect",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "description": "httpinspect — top for the plaintext HTTP endpoints on your host, built with yeet + eBPF.",
+  "scripts": {
+    "build": "esbuild src/main.jsx --bundle --format=esm --platform=neutral --main-fields=module,main --conditions=import,module --outfile=src/index.jsx --jsx=automatic --jsx-import-source=yeet:tui '--external:yeet:*' '--external:*.bpf.o'"
+  },
+  "devDependencies": {
+    "esbuild": "^0.28.1"
+  }
+}
diff --git a/httptop.bpf.c b/src/bpf/httptop.bpf.c
similarity index 100%
rename from httptop.bpf.c
rename to src/bpf/httptop.bpf.c
diff --git a/src/components/detail.jsx b/src/components/detail.jsx
new file mode 100644
index 0000000..14c6702
--- /dev/null
+++ b/src/components/detail.jsx
@@ -0,0 +1,69 @@
+// Detail screen: a per-endpoint breakdown for the endpoint the user pressed
+// Enter on. Reads `focusKey` (which endpoint) and `tick` — the endpoint's
+// fields mutate in place, so reading `tick` is what re-renders this panel as
+// they change. `endpoint()` looks the row up; `totals` gives the share.
+import { Box, Text, bold, dim, fg } from "yeet:tui";
+import {
+  methodColor, accent, rateOn, grid, label, W_METHOD,
+  fmtCount, fmtBytes, fmtAgo, fmtMs, percentile, statusColor, sparkline,
+} from "@/lib/format.js";
+
+// Components are called `(opts, ...children)` by the JSX runtime, so read the
+// value pieces from the rest args — not a `children` prop.
+function Field(opts, ...children) {
+  return (
+    <Box direction="row" height="fit">
+      <Text width={12}>{fg(label)(opts.name)}</Text>
+      <Text width="1fr" overflow="ellipsis">{children.flat(Infinity)}</Text>
+    </Box>
+  );
+}
+
+/* Status-code tallies as colored "200×120  404×3" spans, busiest first. */
+function statusSpans(status) {
+  const codes = Object.entries(status).sort((a, b) => b[1] - a[1]).slice(0, 6);
+  if (codes.length === 0) return dim("— no responses paired yet");
+  return codes.flatMap(([code, n], i) =>
+    [i ? "  " : "", fg(statusColor(Number(code)))(code), dim(`×${n}`)]);
+}
+
+export default function DetailPanel({ focusKey, tick, endpoint, totals, size }) {
+  return (
+    <Box border={{ line: "round", fg: grid }} padding={1} direction="column"
+      width="1fr" height="1fr" overflow="hidden">
+      {() => {
+        tick.get(); // re-render on each state tick (fields below mutate in place)
+        const r = endpoint(focusKey.get());
+        if (!r) return <Text>{dim("endpoint no longer tracked — press esc to go back")}</Text>;
+        const now = Date.now();
+        const share = totals.reqs ? (r.count / totals.reqs) * 100 : 0;
+        const sparkW = Math.max(10, Math.min(r.hist.length || 1, size.get().cols - 18));
+        const lat = r.lat.length
+          ? `p50 ${fmtMs(percentile(r.lat, 50))}  ·  p95 ${fmtMs(percentile(r.lat, 95))}  ·  ` +
+            `max ${fmtMs(Math.max(...r.lat))}  ${"·"}  ${r.lat.length} samples`
+          : dim("no responses paired yet");
+        return [
+          <Box direction="row" height="fit">
+            <Text width={W_METHOD + 1}>{bold(fg(methodColor(r.method))(r.method))}</Text>
+            <Text width="1fr" overflow="ellipsis">{bold(`${r.host}${r.path}`)}</Text>
+          </Box>,
+          <Text> </Text>,
+          <Field name="Requests">{bold(fg(accent)(fmtCount(r.count)))}{dim(`  (${r.count})`)}</Field>,
+          <Field name="Share">{`${share.toFixed(1)}% of all requests`}</Field>,
+          <Field name="Req/s now">{r.rate > 0 ? fg(rateOn)(String(r.rate)) : dim("0")}{dim(`   peak ${r.peak}/s`)}</Field>,
+          <Field name="Latency">{lat}</Field>,
+          <Field name="Status">{statusSpans(r.status)}</Field>,
+          <Field name="Bytes">{fmtBytes(r.bytes)}{dim(" on the wire")}</Field>,
+          <Field name="First seen">{`${fmtAgo(now - r.first)} ago`}</Field>,
+          <Field name="Last seen">{`${fmtAgo(now - r.last)} ago`}</Field>,
+          <Text> </Text>,
+          <Text>{fg(label)("Req/s, last minute")}</Text>,
+          <Text overflow="hidden">{fg(rateOn)(sparkline(r.hist, sparkW, r.peak))}</Text>,
+          <Text> </Text>,
+          <Text>{fg(label)("Latency, recent responses")}</Text>,
+          <Text overflow="hidden">{fg(accent)(sparkline(r.lat, sparkW))}</Text>,
+        ];
+      }}
+    </Box>
+  );
+}
diff --git a/src/components/footer.jsx b/src/components/footer.jsx
new file mode 100644
index 0000000..755cffd
--- /dev/null
+++ b/src/components/footer.jsx
@@ -0,0 +1,14 @@
+// Running totals pinned to the bottom. Reads the plain `totals` object every
+// render; the uptime ticks because the surrounding tree re-renders on state
+// ticks (the list via `rows`, the detail screen via `tick`).
+import { Text, dim } from "yeet:tui";
+import { fmtCount, fmtBytes, fmtUptime } from "@/lib/format.js";
+
+export default function Footer({ totals, endpointCount }) {
+  return (
+    <Text>{() => dim(
+      `${fmtCount(totals.reqs)} reqs  ·  ${endpointCount()} endpoints  ·  ` +
+      `${fmtBytes(totals.bytes)} seen  ·  up ${fmtUptime(Date.now() - totals.startMs)}`
+    )}</Text>
+  );
+}
diff --git a/src/components/legend.jsx b/src/components/legend.jsx
new file mode 100644
index 0000000..c578897
--- /dev/null
+++ b/src/components/legend.jsx
@@ -0,0 +1,15 @@
+// Mode-aware key legend: keys in accent, labels dimmed. Reads `focusKey` so it
+// swaps between the list-screen and detail-screen bindings reactively.
+import { Text, dim, fg } from "yeet:tui";
+import { accent } from "@/lib/format.js";
+
+export default function Legend({ focusKey }) {
+  return (
+    <Text>{() => {
+      const keys = focusKey.get()
+        ? [["esc / ←", "back"], ["q", "list"], ["Ctrl-C", "quit"]]
+        : [["↑/↓", "move"], ["PgUp/Dn", "page"], ["⏎", "details"], ["q / Ctrl-C", "quit"]];
+      return keys.flatMap(([k, d], i) => [i ? dim("    ") : "", fg(accent)(k), dim(" " + d)]);
+    }}</Text>
+  );
+}
diff --git a/src/components/list.jsx b/src/components/list.jsx
new file mode 100644
index 0000000..e622c12
--- /dev/null
+++ b/src/components/list.jsx
@@ -0,0 +1,66 @@
+// List screen: a bordered, flex-filling endpoint table sorted by request
+// count. Reads `rows` (the sorted endpoint snapshot) and `sel` (the
+// highlighted index); `size` reflows the visible window on resize.
+import { Box, Text, bold, dim, fg } from "yeet:tui";
+import {
+  methodColor, accent, rateOn, grid, selBg,
+  W_RANK, W_METHOD, W_COUNT, W_RATE, W_HOST, W_LAST,
+  pad, padEnd, fmtCount, fmtAgo,
+} from "@/lib/format.js";
+
+function HeaderRow() {
+  return (
+    <Box direction="row" height="fit">
+      <Text width={W_RANK}>{dim("#")}</Text>
+      <Text width={W_METHOD}>{bold("METHOD")}</Text>
+      <Text width={W_HOST}>{bold("HOST")}</Text>
+      <Text width="1fr">{bold("PATH")}</Text>
+      <Text width={W_COUNT}>{bold(pad("COUNT", W_COUNT))}</Text>
+      <Text width={W_RATE}>{bold(pad("REQ/S", W_RATE))}</Text>
+      <Text width={W_LAST}>{bold(pad("LAST", W_LAST))}</Text>
+    </Box>
+  );
+}
+
+function Row({ row, rank, selected }) {
+  const rateStr = row.rate > 0 ? pad(fmtCount(row.rate), W_RATE) : dim(pad("·", W_RATE));
+  return (
+    <Box direction="row" height="fit" bg={selected ? selBg : undefined}>
+      <Text width={W_RANK}>{selected ? fg(accent)("› " + pad(rank, 2).slice(1)) : dim(pad(rank, 2) + " ")}</Text>
+      <Text width={W_METHOD}>{fg(methodColor(row.method))(padEnd(row.method, W_METHOD))}</Text>
+      <Text width={W_HOST} overflow="ellipsis">{dim(row.host)}</Text>
+      <Text width="1fr" overflow="ellipsis">{row.path}</Text>
+      <Text width={W_COUNT}>{bold(fg(accent)(pad(fmtCount(row.count), W_COUNT)))}</Text>
+      <Text width={W_RATE}>{row.rate > 0 ? fg(rateOn)(rateStr) : rateStr}</Text>
+      <Text width={W_LAST}>{dim(pad(fmtAgo(Date.now() - row.last), W_LAST))}</Text>
+    </Box>
+  );
+}
+
+/* Scroll window top, kept across renders so the highlight stays on-screen as
+ * the user pages past the visible rows. */
+let listTop = 0;
+
+export default function ListPanel({ rows, sel, size }) {
+  return (
+    <Box border={{ line: "round", fg: grid }} padding={[0, 1]} direction="column"
+      width="1fr" height="1fr" overflow="hidden">
+      <HeaderRow />
+      <Text width="1fr" break="none" overflow="hidden">{dim("─".repeat(400))}</Text>
+      {() => {
+        const data = rows.get();
+        const vis = Math.max(3, size.get().rows - 8);
+        if (data.length === 0) {
+          return <Text>{dim("waiting for HTTP requests…  (try: curl http://localhost:PORT/path)")}</Text>;
+        }
+        const cur = Math.max(0, Math.min(data.length - 1, sel.get()));
+        // Keep the selection inside the visible window [listTop, listTop+vis).
+        if (cur < listTop) listTop = cur;
+        else if (cur >= listTop + vis) listTop = cur - vis + 1;
+        listTop = Math.max(0, Math.min(listTop, Math.max(0, data.length - vis)));
+        return data.slice(listTop, listTop + vis).map((row, i) =>
+          <Row row={row} rank={listTop + i + 1} selected={listTop + i === cur} />);
+      }}
+    </Box>
+  );
+}
diff --git a/src/components/statusbar.jsx b/src/components/statusbar.jsx
new file mode 100644
index 0000000..66bb722
--- /dev/null
+++ b/src/components/statusbar.jsx
@@ -0,0 +1,13 @@
+// Top status bar: the brand on the left, the watched-interface label on the
+// right. Pure UI — `ifaceLabel` is the static string the probe resolved.
+import { Box, Text, bold, dim, fg } from "yeet:tui";
+import { accent } from "@/lib/format.js";
+
+export default function StatusBar({ ifaceLabel }) {
+  return (
+    <Box direction="row" height="fit">
+      <Text>{bold(fg(accent)("httpinspect"))}</Text>
+      <Text width="1fr">{dim(`  iface: ${ifaceLabel}  ·  plaintext HTTP only`)}</Text>
+    </Box>
+  );
+}
diff --git a/render.jsx b/src/lib/format.js
similarity index 91%
rename from render.jsx
rename to src/lib/format.js
index f0bad0f..562b406 100644
--- a/render.jsx
+++ b/src/lib/format.js
@@ -1,6 +1,6 @@
-/* Pure presentation toolkit: number/time formatters, method colors, and the
- * table's column widths. No application state — safe to import anywhere. */
-
+// Pure presentation helpers — strings, color, and the table's column widths.
+// No signals or BPF, so it's safe to import anywhere; the components reach it
+// through the `@/` alias (resolved at bundle time).
 import { rgb, idx } from "yeet:tui";
 
 /* Per-method accent colors; unknown methods fall back to plain grey. */
@@ -10,6 +10,8 @@ export const METHOD_COLORS = {
   OPTIONS: rgb(0x808080), CONNECT: rgb(0x808080), TRACE: rgb(0x808080),
 };
 export const METHOD_FALLBACK = idx(7);
+export const methodColor = (m) => METHOD_COLORS[m] || METHOD_FALLBACK;
+
 export const accent = rgb(0x4fc1ff); /* httptop brand + count column */
 export const rateOn = rgb(0x4ec9b0); /* a live (>0) req/s value */
 export const grid = idx(8);          /* table border */
diff --git a/src/main.jsx b/src/main.jsx
new file mode 100644
index 0000000..7534b48
--- /dev/null
+++ b/src/main.jsx
@@ -0,0 +1,100 @@
+// httptop — a live dashboard of the most active plaintext HTTP endpoints on
+// this host. An eBPF program at the TC layer ships HTTP request lines to JS;
+// probes/httptop.js parses method + Host + path and aggregates by endpoint,
+// and the components render a sorted, auto-refreshing table.
+//
+//   yeet run .                 # watch every up interface (incl. loopback)
+//   yeet run . -- --iface lo,eth0   # only these interfaces
+//   yeet run . -- --keep-query      # don't collapse the query string into the path
+//
+// Plaintext HTTP only — HTTPS payloads are ciphertext at this layer.
+//
+// Layout follows the project convention: probes/ (BPF-aware) → components/
+// (pure UI) → lib/ (pure helpers), composed here through the `@/` source
+// alias. This module owns input and navigation; the data layer is loaded by
+// importing probes/probe.js (the shared object) and probes/httptop.js (ingest).
+import { Box, mount, signal } from "yeet:tui";
+import { ifaceLabel } from "@/probes/probe.js";
+import { rows, totals, tick, endpoint, endpointCount, keyOf } from "@/probes/httptop.js";
+import StatusBar from "@/components/statusbar.jsx";
+import ListPanel from "@/components/list.jsx";
+import DetailPanel from "@/components/detail.jsx";
+import Footer from "@/components/footer.jsx";
+import Legend from "@/components/legend.jsx";
+
+// The TUI needs a real terminal: in non-TTY mode (piped/redirected output)
+// yeet never installs the `tty` global, and `mount`'s `term = tty` default
+// would throw a bare `ReferenceError: tty is not defined` with no output.
+// Fail loudly instead.
+if (typeof tty === "undefined") {
+  console.error("[httptop] needs an interactive terminal — don't pipe or redirect output (and avoid --no-tty).");
+  yeet.exit();
+}
+
+// ── navigation ───────────────────────────────────────────────────────────────
+// The dashboard has two screens. In the list, `sel` is the highlighted row
+// index. `focusKey` is null in the list and the pinned endpoint key when the
+// per-endpoint detail screen is open. Both are signals so the view reacts.
+const sel = signal(0);
+const focusKey = signal(null);
+
+function moveSel(delta) {
+  const n = rows.get().length;
+  if (n === 0) return;
+  sel.set(Math.max(0, Math.min(n - 1, sel.get() + delta)));
+}
+
+/* Enter the detail screen for the currently highlighted endpoint. */
+function enterDetail() {
+  const data = rows.get();
+  if (data.length === 0) return;
+  const row = data[Math.max(0, Math.min(data.length - 1, sel.get()))];
+  if (row) focusKey.set(keyOf(row));
+}
+
+const exitDetail = () => focusKey.set(null);
+
+// ── root ─────────────────────────────────────────────────────────────────────
+// `view(size)` hands us the terminal's reactive size signal; reading it inside
+// the body thunk reflows the active panel on resize. The body switches screens
+// on `focusKey`; the data layer feeds it through the props.
+const Root = (size) => (
+  <Box direction="column" width="1fr" height="1fr" padding={[0, 1]}>
+    <StatusBar ifaceLabel={ifaceLabel} />
+    {() => focusKey.get()
+      ? <DetailPanel focusKey={focusKey} tick={tick} endpoint={endpoint} totals={totals} size={size} />
+      : <ListPanel rows={rows} sel={sel} size={size} />}
+    <Footer totals={totals} endpointCount={endpointCount} />
+    <Legend focusKey={focusKey} />
+  </Box>
+);
+
+mount(Root);
+
+// ── keyboard navigation ───────────────────────────────────────────────────────
+// Arrow keys (or j/k) move the selection; Enter opens the focused endpoint's
+// detail screen; Esc (or ←/q) returns to the list. The runtime disables input
+// automatically when the isolate exits, so no teardown.
+tty.enableKittyKeyboard();
+tty.on("keydown", (e) => {
+  if (e.ctrlKey && e.code === "c") { yeet.exit(); return; }
+
+  if (focusKey.get()) {
+    if (e.code === "Escape" || e.code === "ArrowLeft" || e.key === "q") exitDetail();
+    return;
+  }
+
+  switch (e.code) {
+    case "ArrowDown": moveSel(1); break;
+    case "ArrowUp": moveSel(-1); break;
+    case "PageDown": moveSel(10); break;
+    case "PageUp": moveSel(-10); break;
+    case "Enter": enterDetail(); break;
+    default:
+      if (e.key === "j") moveSel(1);
+      else if (e.key === "k") moveSel(-1);
+      else if (e.key === "q") yeet.exit();
+  }
+});
+
+await new Promise(() => {}); // keep the script alive; the TUI owns the screen
diff --git a/state.js b/src/probes/httptop.js
similarity index 80%
rename from state.js
rename to src/probes/httptop.js
index b3c85c8..2ca472c 100644
--- a/state.js
+++ b/src/probes/httptop.js
@@ -1,10 +1,18 @@
-/* Application state + HTTP request ingest. Holds the live data the panels
- * read: a `rows` signal of endpoints sorted by count, plus running totals.
- * `startTicks()` drives the per-second rate computation and redraw cadence. */
-
+// HTTP ingest + aggregation — the kernel → user data layer. It subscribes to
+// the `events` ring buffer on the shared object, parses method + Host + path
+// out of each captured request, pairs responses to measure on-the-wire
+// latency, and aggregates by endpoint into the reactive signals the
+// components read (`rows`, `tick`) plus the `totals` / `endpoint()` lookups.
+//
+// Unlike the from() idiom (subscription tied to a signal being watched), the
+// subscription and tick timers are started eagerly at module load: ingestion
+// has to keep running on *both* screens, and the detail screen never reads
+// `rows`, so a from() over `rows` would tear the ring buffer down whenever
+// detail is open. A daemon-style always-on feed is the right shape here.
 import { signal } from "yeet:tui";
-
-import { fmtCount } from "./render.jsx";
+import { RingBuf } from "yeet:bpf";
+import { control } from "@/probes/probe.js";
+import { fmtCount } from "@/lib/format.js";
 
 export const TICK_MS = 400; /* redraw cadence between per-second rate samples */
 
@@ -12,10 +20,6 @@ export const TICK_MS = 400; /* redraw cadence between per-second rate samples */
  * `--keep-query` keeps them distinct. */
 const keepQuery = !!yeet.args.keep_query;
 
-/* What the status bar shows for the watched interfaces; set by main once the
- * interface list is known. */
-export const info = { ifaceLabel: "" };
-
 /* endpoint key -> { method, host, path, count, prev, rate, peak, bytes,
  * first, last, hist, lat, status, lastMs } */
 const stats = new Map();
@@ -23,6 +27,7 @@ export const rows = signal([]);
 export const totals = { reqs: 0, bytes: 0, startMs: Date.now() };
 export const endpointCount = () => stats.size;
 export const endpoint = (key) => stats.get(key) ?? null;
+export const keyOf = (r) => `${r.method} ${r.host} ${r.path}`;
 
 /* Bumped every redraw tick. The detail screen reads it so it re-renders as an
  * endpoint's in-place fields (rate, latency, …) change — those mutations don't
@@ -32,31 +37,6 @@ export const tick = signal(0);
 export const HIST_LEN = 60;  /* req/s samples kept per endpoint (≈1 min) */
 export const LAT_LEN = 200;  /* recent response latencies kept (ms) */
 
-/* ---- navigation ---------------------------------------------------- */
-/* The dashboard has two screens. In the list, `sel` is the highlighted row
- * index. `focusKey` is null in the list and the pinned endpoint key when the
- * per-endpoint detail screen is open. Both are signals so the view reacts. */
-export const sel = signal(0);
-export const focusKey = signal(null);
-
-const endpointKey = (r) => `${r.method} ${r.host} ${r.path}`;
-
-export function moveSel(delta) {
-  const n = rows.get().length;
-  if (n === 0) return;
-  sel.set(Math.max(0, Math.min(n - 1, sel.get() + delta)));
-}
-
-/* Enter the detail screen for the currently highlighted endpoint. */
-export function enterDetail() {
-  const data = rows.get();
-  if (data.length === 0) return;
-  const row = data[Math.max(0, Math.min(data.length - 1, sel.get()))];
-  if (row) focusKey.set(endpointKey(row));
-}
-
-export function exitDetail() { focusKey.set(null); }
-
 /* ---- parsing ------------------------------------------------------ */
 function bytesToLatin1(bytes, max) {
   let s = "";
@@ -135,8 +115,8 @@ function isDuplicate(ev, now) {
 const pending = new Map(); // flowKey -> [entry, …]
 const flowKey = (ev) => `${ev.family}:${Math.min(ev.sport, ev.dport)}-${Math.max(ev.sport, ev.dport)}`;
 
-/* one ring-buffer event (an `http_event`) */
-export function onEvent(raw) {
+/* one ring-buffer event (an `http_event`, wrapped under its btf_struct name) */
+function onEvent(raw) {
   const ev = raw.http_event ?? raw;
   const now = Date.now();
   if (isDuplicate(ev, now)) return;
@@ -153,7 +133,7 @@ function onRequest(ev, data, now) {
   const req = parseRequest(data.subarray(0, Number(ev.captured)));
   if (!req) return;
 
-  const key = `${req.method} ${req.host} ${req.path}`;
+  const key = keyOf(req);
   let row = stats.get(key);
   if (!row) {
     row = { ...req, count: 0, prev: 0, rate: 0, peak: 0, bytes: 0,
@@ -224,13 +204,17 @@ function sampleRates() {
   tick.set(tick.get() + 1); // wake the detail screen (see `tick`)
 
   // Reflect live totals in the terminal title. `tty` is only defined in TTY
-  // mode (absent when piped/redirected, e.g. verify.js), so guard it.
+  // mode (absent when piped/redirected), so guard it.
   if (typeof tty !== "undefined") {
     tty.title(`httpinspect · ${fmtCount(totals.reqs)} reqs · ${stats.size} endpoints`);
   }
 }
 
-export function startTicks() {
-  setInterval(sampleRates, 1000);
-  setInterval(refresh, TICK_MS); // snappier redraw between rate ticks
-}
+// Start the feed. The ring buffer is single-consumer and ingestion is
+// always-on (see the module header), so wire it up at load time.
+new RingBuf(control, "events").subscribe(
+  onEvent,
+  (err) => console.error("[httptop] ringbuf error:", err.message),
+);
+setInterval(sampleRates, 1000);
+setInterval(refresh, TICK_MS); // snappier redraw between rate ticks
diff --git a/src/probes/probe.js b/src/probes/probe.js
new file mode 100644
index 0000000..93fd19f
--- /dev/null
+++ b/src/probes/probe.js
@@ -0,0 +1,99 @@
+// Shared BPF object. The single src/bpf/httptop.bpf.c unit is compiled and
+// linked into bin/probe.bpf.o and loaded once here; the feature probe
+// (httptop.js) imports this `control` and reads the `events` ring buffer.
+// All binds + attaches happen before the single start(), so they live here.
+//
+// httptop attaches at the TC layer (TCX, ingress + egress) on every up
+// interface. The TCX wildcard skips loopback, so we enumerate explicitly
+// (incl. `lo`, where most local HTTP lives); `--iface a,b` narrows to named
+// interfaces. This module imports only yeet:bpf — no `@/` aliases — so it
+// stays runnable on its own for the import.meta.main self-test below.
+import { BpfObject, RingBuf } from "yeet:bpf";
+
+const wanted = yeet.args.iface
+  ? new Set(String(yeet.args.iface).split(",").map((s) => s.trim()).filter(Boolean))
+  : null;
+
+let ifaces = [];
+try {
+  const { data, errors } = await yeet.graph.query(
+    `{ network_interfaces { index name is_up } }`,
+  );
+  if (errors) throw new Error(errors[0].message);
+  ifaces = (data.network_interfaces || []).filter((i) => i.is_up && (!wanted || wanted.has(i.name)));
+} catch (err) {
+  console.error(`[httptop] could not list interfaces: ${err.message}`);
+  yeet.exit();
+}
+
+const ifindexes = ifaces.map((i) => i.index);
+if (ifindexes.length === 0) {
+  console.error("[httptop] no matching up interfaces to watch");
+  yeet.exit();
+}
+
+// What the status bar shows for the watched interfaces.
+export const ifaceLabel = wanted ? ifaces.map((i) => i.name).join(",") : `all (${ifaces.length})`;
+
+// `base: import.meta.dirname` resolves the object path against the running bundle.
+const tcx = { kind: "tcx", ifindex: ifindexes };
+const probe = new BpfObject({ exe: "../bin/probe.bpf.o", base: import.meta.dirname });
+
+export const control = await (async () => {
+  try {
+    return await probe
+      .bind("events", { kind: "ringbuf", btf_struct: "http_event" })
+      .attach("on_ingress", tcx)
+      .attach("on_egress", tcx)
+      .start();
+  } catch (err) {
+    console.error(`[httptop] failed to load eBPF: ${err.message}`);
+    console.error("[httptop] need CAP_BPF/root and a compiled bin/probe.bpf.o (run `make`).");
+    yeet.exit();
+  }
+})();
+
+// Standalone correctness probe — `yeet run src/probes/probe.js` dumps the
+// endpoints it aggregates over a few seconds, so you can eyeball that the
+// kernel filter, the btf_struct envelope, and the loopback dedup all behave
+// before any UI exists. Dormant once httptop.js imports `control`.
+if (import.meta.main) {
+  const REQ = /^([A-Z]+) +(\S+) +HTTP\/\d\.\d$/;
+  const parse = (bytes) => {
+    let t = "";
+    for (let i = 0; i < bytes.length; i++) { const c = bytes[i]; if (c === 0) break; t += String.fromCharCode(c); }
+    const lines = t.split("\r\n\r\n")[0].split("\r\n");
+    const m = REQ.exec(lines[0] || "");
+    if (!m) return null;
+    let host = "-";
+    for (let i = 1; i < lines.length; i++) {
+      const c = lines[i].indexOf(":");
+      if (c > 0 && lines[i].slice(0, c).toLowerCase() === "host") { host = lines[i].slice(c + 1).trim(); break; }
+    }
+    let path = m[2]; const q = path.indexOf("?"); if (q >= 0) path = path.slice(0, q);
+    return { method: m[1], host, path };
+  };
+
+  const stats = new Map();
+  const seen = new Set();
+  let dupes = 0;
+  await new RingBuf(control, "events").subscribe((raw) => {
+    const ev = raw.http_event ?? raw;
+    const k = `${ev.family}:${ev.sport}>${ev.dport}#${ev.seq}`;
+    if (seen.has(k)) { dupes++; return; }
+    seen.add(k);
+    const d = ev.data instanceof Uint8Array ? ev.data : Uint8Array.from(Object.values(ev.data));
+    const r = parse(d.subarray(0, Number(ev.captured)));
+    if (!r) return;
+    const key = `${r.method} ${r.host} ${r.path}`;
+    stats.set(key, (stats.get(key) || 0) + 1);
+  });
+
+  await new Promise((r) => setTimeout(r, 4500));
+  console.log(`[verify] watching ifindexes ${ifindexes.join(",")}`);
+  console.log(`[verify] deduped ${dupes} loopback double-sightings`);
+  console.log("[verify] aggregated endpoints (count desc):");
+  [...stats.entries()].sort((a, b) => b[1] - a[1]).forEach(([k, c]) => console.log(`  ${String(c).padStart(3)}  ${k}`));
+  await control.stop();
+  yeet.exit();
+}
diff --git a/tsconfig.json b/tsconfig.json
new file mode 100644
index 0000000..ac0d0fa
--- /dev/null
+++ b/tsconfig.json
@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "jsx": "react-jsx",
+    "jsxImportSource": "yeet:tui",
+    "baseUrl": ".",
+    "paths": {
+      "#/*": ["./*"],
+      "@/*": ["./src/*"]
+    },
+    "types": [],
+    "strict": true,
+    "noEmit": true,
+    "allowJs": true,
+    "skipLibCheck": true
+  },
+  "include": ["src"],
+  "exclude": ["node_modules", "dist", "src/index.jsx"]
+}
diff --git a/verify.js b/verify.js
deleted file mode 100644
index 5a1ff72..0000000
--- a/verify.js
+++ /dev/null
@@ -1,47 +0,0 @@
-import { BpfObject, RingBuf } from "yeet:bpf";
-
-const { data } = await yeet.graph.query(`{ network_interfaces { index name is_up } }`);
-const ifindexes = data.network_interfaces.filter((i) => i.is_up).map((i) => i.index);
-console.log("[verify] attaching to ifindexes", ifindexes.join(","));
-
-const probe = new BpfObject({ exe: "./bin/httptop.bpf.o", base: import.meta.dirname });
-const control = await probe
-  .bind("events", { kind: "ringbuf", btf_struct: "http_event" })
-  .attach("on_ingress", { kind: "tcx", ifindex: ifindexes })
-  .attach("on_egress", { kind: "tcx", ifindex: ifindexes })
-  .start();
-
-const REQ = /^([A-Z]+) +(\S+) +HTTP\/\d\.\d$/;
-function parse(bytes) {
-  let t = "";
-  for (let i = 0; i < bytes.length; i++) { const c = bytes[i]; if (c === 0) break; t += String.fromCharCode(c); }
-  const head = t.split("\r\n\r\n")[0];
-  const lines = head.split("\r\n");
-  const m = REQ.exec(lines[0] || ""); if (!m) return null;
-  let host = "-";
-  for (let i = 1; i < lines.length; i++) { const c = lines[i].indexOf(":"); if (c > 0 && lines[i].slice(0, c).toLowerCase() === "host") { host = lines[i].slice(c + 1).trim(); break; } }
-  let path = m[2]; const q = path.indexOf("?"); if (q >= 0) path = path.slice(0, q);
-  return { method: m[1], host, path };
-}
-
-const stats = new Map();
-const seen = new Set();
-let dupes = 0;
-await new RingBuf(control, "events").subscribe((raw) => {
-  const ev = raw.http_event ?? raw;
-  const k = `${ev.family}:${ev.sport}>${ev.dport}#${ev.seq}`;
-  if (seen.has(k)) { dupes++; return; }
-  seen.add(k);
-  const d = ev.data instanceof Uint8Array ? ev.data : Uint8Array.from(Object.values(ev.data));
-  const r = parse(d.subarray(0, Number(ev.captured)));
-  if (!r) return;
-  const key = `${r.method} ${r.host} ${r.path}`;
-  stats.set(key, (stats.get(key) || 0) + 1);
-});
-
-await new Promise((r) => setTimeout(r, 4500));
-console.log(`[verify] deduped ${dupes} loopback double-sightings`);
-console.log("[verify] aggregated endpoints (count desc):");
-[...stats.entries()].sort((a, b) => b[1] - a[1]).forEach(([k, c]) => console.log(`  ${String(c).padStart(3)}  ${k}`));
-await control.stop();
-yeet.exit();