- Added support for embedding the pasta userspace networking binary directly into nsjail (via memfd)
- Improved mount handling so both legacy and new mount APIs more reliably enforce read-only remounts
- Fixed seccomp policy assembly so repeated seccomp_string entries are combined and compiled together
- Expanded built-in test coverage for chroot/read-write mount behavior