Plan: System Configuration Slice 3

Overview

Slice 3 of the System Configuration and Operator Extensibility track from docs/proposals/system-configuration-proposal.md. Slices 1 and 2 are landed: the shared defaults package exists at cue/defaults/defaults.cue and the repo-root packaged default boot manifest already imports it. Many focused-proof manifests are migrated onto the defaults package; this plan finishes migrating the remaining focused-proof variants and tightens the manifest decoder boundary.

The track is ad-hoc until explicitly selected; treat this plan as parallel-safe alongside the selected milestone because it edits CUE files and limited tooling, not kernel core.

Conflict Surface

Owned by this plan:

• cue/defaults/defaults.cue and any new cue/defaults/*.cue modules
• capos-config/ (the manifest decoder/loader and its host tests; Task 3 tightens the decoder boundary here). Coordinate with the Device Driver Foundation plan when DDF Task 5 adds ProcessSpawner/manifest plumbing, since DDF declares the same overlap on capos-config/ and tools/mkmanifest/. Run the manifest-shape change on a single branch at a time so the focused-proof migration and DDF authority caps do not race the same loader.
• Repo-root focused-proof manifests: system-spawn.cue, system-shell.cue, system-terminal.cue, system-credential.cue, system-login.cue, system-local-users.cue, system-login-setup.cue, system-network-client.cue, system-revocable-read.cue, system-memoryobject-shared.cue, system-restricted-shell-launcher.cue, system-telnet.cue, system-chat.cue. system-measure.cue is owned by docs/plans/measure-mode-repair.md while the regression repair is open; migrate it onto the defaults package only after that plan closes, and only in a separate batch from this slice.
• cue.mod/module.cue (only when the CUE language version changes)
• tools/mkmanifest/ only when the manifest input shape changes
• system.local.cue.example
• docs/proposals/system-configuration-proposal.md, docs/configuration.md

Do not touch from this plan:

• system.cue (default boot manifest) outside import-line adjustments required by the slice
• system-paperclips.cue and system-adventure.cue – demo-owned manifests; coordinate via the demo plans
• Kernel-core, capability schema, runtime, scheduler, device manager
• tools/remote-session-client/ (owned by remote-session plan)

Validation Commands

• make fmt-check
• cargo test-config
• cargo test-mkmanifest
• make generated-code-check
• make run-smoke
• make run-spawn
• make run-shell
• make run-terminal

Per-batch QEMU gates – run the matching make run-* target for each manifest the batch migrated, in addition to the always-on commands above. Treat any of these as required when the batch touches the corresponding manifest:

• make run-credential for system-credential.cue
• make run-login for system-login.cue
• make run-login-setup for system-login-setup.cue
• make run-local-users for system-local-users.cue
• make run-network-client for system-network-client.cue
• make run-revocable-read for system-revocable-read.cue
• make run-memoryobject-shared for system-memoryobject-shared.cue
• make run-restricted-shell-launcher for system-restricted-shell-launcher.cue
• make run-telnet for system-telnet.cue
• make run-chat for system-chat.cue

Success Criteria

Slice 3 is recorded done when every focused-proof manifest listed above imports the defaults package, the manifest decoder rejects unknown top-level fields cleanly, the make run-* target for each manifest remains green, and docs/proposals/system-configuration-proposal.md records the slice closeout with commit hash and minute-precision timestamp.

Task 1: Inventory the remaining focused-proof manifests

• Enumerate every repo-root system-*.cue manifest, their current package status, and the make run-* target each one drives.
• Note which manifests already import the defaults package (Slice 2 landings) and which still ship without it. Update the legacy enumeration in CLAUDE.md if it has drifted.
• Capture the migration order: prefer manifests whose make run-* target is host-runnable in CI before manifests requiring operator-driven QEMU runs.

Task 2: Migrate focused-proof manifests in batches

• Migrate one batch of manifests (5-7 files) onto the defaults package per task iteration. Each batch must keep the matching make run-* target green.
• Keep the per-manifest diff small: import the defaults package and project only the manifest-specific fields. Each focused-proof manifest must keep its own distinct CUE package (package spawn, package chat, package adventure, etc.) so package-mode cue export for the default boot does not merge unrelated focused manifests with system.cue/system.local.cue (those use package capos).
• Record each batch in docs/proposals/system-configuration-proposal.md with the manifests covered.

Task 3: Tighten the manifest decoder boundary

• After every focused-proof manifest is migrated, tighten the decoder/loader to reject unknown top-level fields and verify that legacy unmigrated layouts now fail closed.
• Add a cargo test-config host test that exercises the rejection path so regressions are caught before QEMU runs.
• Document the strictness change in docs/proposals/system-configuration-proposal.md and docs/configuration.md.

Task 4: Operator overlay worked example refresh

• Refresh system.local.cue.example so it covers an operator extension that exercises the migrated defaults package without needing tools/mkmanifest flag changes.
• Verify the example by copying it to repo-root system.local.cue (gitignored) and rerunning make run. Document the test in the proposal.
• Update docs/configuration.md to match the refreshed example.

Task 5: Closeout

• Update docs/proposals/system-configuration-proposal.md slice 3 status, mark the migrated manifests, and pin the closeout commit.
• Update WORKPLAN.md’s System Configuration ad-hoc bullet to record Slice 3 done and to flag any successor slice (e.g. richer operator overlays) for future selection.
• Add a docs/changelog.md entry referencing the closeout commit.