diff --git a/.bootc-dev-infra-commit.txt b/.bootc-dev-infra-commit.txt
index ff1331f..9464827 100644
--- a/.bootc-dev-infra-commit.txt
+++ b/.bootc-dev-infra-commit.txt
@@ -1 +1 @@
-61b769aee4ec165dcbfd993aeaa10a7fae2cb629
+7b396396c7dcbcfe104a756ae0db45155394dadb
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 678171b..f1b43a8 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,30 +1,25 @@
{ "name": "bootc-devenv-debian", - // TODO override this back to prod image "image": "ghcr.io/bootc-dev/devenv-debian", "customizations": { "vscode": { - // Abitrary, but most of our code is in one of these two + // Arbitrary, but most of our code is in one of these two "extensions": [ "rust-lang.rust-analyzer", "golang.Go" ] + }, + "devaipod": { + // When running under devaipod, use minimal capabilities + // (SYS_ADMIN, NET_ADMIN, etc.) instead of full --privileged. + "nestedContainers": true } }, "features": {}, - "runArgs": [ - // In general we hope that the outer environment has set up - // a user namespace to keep this secure. - "--cap-add=all", - // Required for mounting /proc in nested user namespace - "--security-opt", "label=disable", - // Allows access to /proc paths needed for nested containers - "--security-opt", "unmask=/proc/*", - // Device access for nested containers and VMs - "--device", "/dev/net/tun", - // I always want KVM - "--device", "/dev/kvm" - ], + // Use privileged mode for broad compatibility (Codespaces, Docker, + // stock devcontainer CLI). devaipod overrides this with tighter + // security via the nestedContainers customization above. + "privileged": true, "postCreateCommand": { // Our init script "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
@@ -33,4 +28,3 @@
"PATH": "${containerEnv:PATH}:/usr/local/cargo/bin" } } -
diff --git a/.github/actions/bootc-ubuntu-setup/action.yml b/.github/actions/bootc-ubuntu-setup/action.yml
deleted file mode 100644
index 5f533b9..0000000
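Review bot: `"privileged": true` in the devcontainer.json hunk grants strictly more than the removed `runArgs` did — beyond all capabilities and `label=disable`, privileged mode under Docker/Podman also runs without the default seccomp and AppArmor profiles and exposes every host device — yet the new comment speaks only of compatibility, and the removed note that this setup relies on the outer environment providing a user namespace disappears with the `runArgs` block. That expectation should travel with the new setting, e.g. extend the comment with `// Privileged also drops seccomp/AppArmor and exposes all host devices; we still` / `// rely on the outer environment (e.g. a user namespace) to contain this.`. The reliance on outer containment is inferred from the deleted comment; if it no longer holds, the comment should instead say where the boundary now is. Since the `devaipod` entry is a separate customization, stock consumers (Codespaces, the devcontainer CLI) get the full privileged set with nothing narrower applied.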
--- a/.github/actions/bootc-ubuntu-setup/action.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -name: 'Bootc Ubuntu Setup' -description: 'Default host setup' -inputs: - libvirt: - description: 'Install libvirt and virtualization stack' - required: false - default: 'false' -runs: - using: 'composite' - steps: - # The default runners have TONS of crud on them... - - name: Free up disk space on runner - shell: bash - run: | - set -xeuo pipefail - sudo df -h - # Use globs for package patterns (apt and dpkg both support fnmatch globs) - unwanted_pkgs=('aspnetcore-*' 'dotnet-*' 'llvm-*' 'php*' 'mongodb-*' 'mysql-*' - azure-cli google-chrome-stable firefox mono-devel) - unwanted_dirs=(/usr/share/dotnet /opt/ghc /usr/local/lib/android /opt/hostedtoolcache/CodeQL) - # Start background removal operations as systemd units; if this causes - # races in the future around disk space we can look at waiting for cleanup - # before starting further jobs, but right now we spent a lot of time waiting - # on the network and scripts and such below, giving these plenty of time to run. - n=0 - runcleanup() { - sudo systemd-run -r -u action-cleanup-${n} -- "$@" - n=$(($n + 1)) - } - runcleanup docker image prune --all --force - for x in ${unwanted_dirs[@]}; do - runcleanup rm -rf "$x" - done - # Apt removals in foreground, as we can't parallelize these. - # Only attempt removal if matching packages are installed. - for x in ${unwanted_pkgs[@]}; do - if dpkg -l "$x" >/dev/null 2>&1; then - /bin/time -f '%E %C' sudo apt-get remove -y "$x" - fi - done - # We really want support for heredocs - - name: Update podman and install just - shell: bash - run: | - set -eux - # Require the runner is ubuntu-24.04 - IDV=$(. 
/usr/lib/os-release && echo ${ID}-${VERSION_ID}) - test "${IDV}" = "ubuntu-24.04" - # plucky is the next release - echo 'deb http://azure.archive.ubuntu.com/ubuntu plucky universe main' | sudo tee /etc/apt/sources.list.d/plucky.list - /bin/time -f '%E %C' sudo apt update - # skopeo is currently older in plucky for some reason hence --allow-downgrades - /bin/time -f '%E %C' sudo apt install -y --allow-downgrades crun/plucky podman/plucky skopeo/plucky just - # This is the default on e.g. Fedora derivatives, but not Debian - - name: Enable unprivileged /dev/kvm access - shell: bash - run: | - set -xeuo pipefail - echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules - sudo udevadm control --reload-rules - sudo udevadm trigger --name-match=kvm - ls -l /dev/kvm - # Used by a few workflows, but generally useful - - name: Set architecture variable - id: set_arch - shell: bash - run: echo "ARCH=$(arch)" >> $GITHUB_ENV - # Install libvirt stack if requested - - name: Install libvirt and virtualization stack - if: ${{ inputs.libvirt == 'true' }} - shell: bash - run: | - set -xeuo pipefail - # renovate: datasource=github-releases depName=bootc-dev/bcvk - export BCVK_VERSION=0.11.0 - # see https://github.com/bootc-dev/bcvk/issues/176 - /bin/time -f '%E %C' sudo apt install -y libkrb5-dev pkg-config libvirt-dev genisoimage qemu-utils qemu-kvm virtiofsd libvirt-daemon-system python3-virt-firmware - # Something in the stack is overriding this, but we want session right now for bcvk - echo LIBVIRT_DEFAULT_URI=qemu:///session >> $GITHUB_ENV - td=$(mktemp -d) - cd $td - # Install bcvk - target=bcvk-$(arch)-unknown-linux-gnu - /bin/time -f '%E %C' curl -LO https://github.com/bootc-dev/bcvk/releases/download/v${BCVK_VERSION}/${target}.tar.gz - tar xzf ${target}.tar.gz - sudo install -T ${target} /usr/bin/bcvk - cd - - rm -rf "$td" - - # Also bump the default fd limit as a workaround for 
https://github.com/bootc-dev/bcvk/issues/65
- sudo sed -i -e 's,^\* hard nofile 65536,* hard nofile 524288,' /etc/security/limits.conf
- - name: Cleanup status
- shell: bash
- run: |
- set -xeuo pipefail
- systemctl list-units 'action-cleanup*'
- df -h
diff --git a/.github/actions/setup-rust/action.yml b/.github/actions/setup-rust/action.yml
deleted file mode 100644
index f2f5e06..0000000
--- a/.github/actions/setup-rust/action.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: 'Setup Rust'
-description: 'Install Rust toolchain with caching and nextest'
-runs:
- using: 'composite'
- steps:
- - name: Install Rust toolchain
- uses: dtolnay/rust-toolchain@stable
- - name: Install nextest
- uses: taiki-e/install-action@v2
- with:
- tool: nextest
- - name: Setup Rust cache
- uses: Swatinem/rust-cache@v2
- with:
- cache-all-crates: true
- # Only generate caches on push to git main
- save-if: ${{ github.ref == 'refs/heads/main' }}
- # Suppress actually using the cache for builds running from
- # git main so that we avoid incremental compilation bugs
- lookup-only: ${{ github.ref == 'refs/heads/main' }}
diff --git a/.github/workflows/openssf-scorecard-gate.yml b/.github/workflows/openssf-scorecard-gate.yml
deleted file mode 100644
index 830564a..0000000
--- a/.github/workflows/openssf-scorecard-gate.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-# Gate PRs on OpenSSF Scorecard regressions.
-#
-# See also: https://github.com/ossf/scorecard/issues/1270
-name: OpenSSF Scorecard
-
-on:
- pull_request:
- branches:
- - main
-
-permissions:
- contents: read
-
-jobs:
- scorecard:
- name: Scorecard
- runs-on: ubuntu-24.04
- steps:
- - name: Checkout
- uses: actions/checkout@v6
- with:
- fetch-depth: 0
-
- - name: Check for regressions
- uses: bootc-dev/actions/openssf-scorecard@main
- with:
- base-sha: ${{ github.event.pull_request.base.sha }}
- head-sha: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
deleted file mode 100644
index 68f329a..0000000
--- a/.github/workflows/rebase.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-name: Automatic Rebase
-on:
- pull_request:
- types: [labeled]
-
-permissions:
- contents: read
-
-jobs:
- rebase:
- name: Rebase
- if: github.event.label.name == 'needs-rebase'
- runs-on: ubuntu-latest
- steps:
- - name: Generate Actions Token
- id: token
- uses: actions/create-github-app-token@v2
- with:
- app-id: ${{ secrets.APP_ID }}
- private-key: ${{ secrets.APP_PRIVATE_KEY }}
- owner: ${{ github.repository_owner }}
-
- - name: Checkout
- uses: actions/checkout@v6
- with:
- token: ${{ steps.token.outputs.token }}
- fetch-depth: 0
-
- - name: Automatic Rebase
- uses: peter-evans/rebase@v4
- with:
- token: ${{ steps.token.outputs.token }}
-
- - name: Remove needs-rebase label
- if: always()
- uses: actions/github-script@v8
- with:
- github-token: ${{ steps.token.outputs.token }}
- script: |
- await github.rest.issues.removeLabel({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: context.issue.number,
- name: 'needs-rebase'
- });