Creates Hyper.Cfg.Dirs with work_dir/0 (config.toml-only, default
/srv/hyper) and all 8 derived directory accessors. Migrates every
call-site away from Hyper.Config.*; removes now-unused aliases in
img.ex, oci_loader.ex, umoci.ex. Resolves the last undefined-accessor
warning: firecracker_install_dir/0.

Delete the now-redundant Hyper.Config module (all accessors have been
re-homed under Hyper.Cfg.*). Migrate the two test files that still
referenced it, and remove the three dead flat keys (cgroup_parent,
uid_gid_range, layer_dir) from config/config.exs that were never read
via Application.get_env.

Rename and relocate Hyper.Node.Config.Budget to Hyper.Cfg.Budget,
update the runtime.exs app-env key, and fix all aliases/call-sites.

Delete the hardcoded @period_ms/@tau_s module attributes from the four
/proc monitors and replace period/0 + tau/0 with delegations to the new
Hyper.Cfg.Mon module. Operators can now override sampling cadence per
metric via config :hyper, Hyper.Cfg.Mon, cpu: [period_ms: .., tau_s: ..].

- alphabetize aliases in node_state.ex/gc.ex/tools_test.exs (credo --strict)
- mix format the longer Hyper.Cfg.* call-sites (oci_loader.ex, img/server.ex)
- restore anti-thrash rationale comment in layer/server.ex moduledoc
- add Jails.range_from/1 non-integer-list refusal test
- drop unused Hyper.Cfg.Toml.path/0 (YAGNI)

…>timeout

…y facade

… modules

- runtime.exs: add cpu_max_cap default to Budget block
- mix format the phase-2 modules (drift from subagent commits)
- credo: sigil @doc in Unit.Time, alphabetize aliases in img/vm_linux tests

…ples

…; doc grpc adapter_opts

- drop Gc.enabled: the layer GC is core, always runs (Img.Db.Gc.init always starts)
- Hyper.Cfg.Mon no longer reads runtime config; sampling cadence is a fixed internal
- document the gRPC adapter_opts field

Split the numeric prefix from the suffix with Integer.parse/1 and validate the
suffix by map lookup, replacing the anchored-alternation regex whose ns|us|ms|s|m|h
ordering relied on backtracking. Same accepted/rejected inputs.

… tools_test

- parse suites: one generated test per suffix/reject case (data-table driven)
- toml: parametrize fetch_in traversal cases
- vm_linux: keep only the arch-atom mapping + unconfigured-arch omission
  (precedence is covered generically by resolver_test)
- delete tools_test: every case duplicated resolver_test's generic resolution

- parse suites: one generated test per suffix/reject case (data-table driven)
- toml: parametrize fetch_in traversal cases
- vm_linux: keep only the arch-atom mapping + unconfigured-arch omission
  (precedence is covered generically by resolver_test)

…Cfg.Mon

The cadence is a fixed internal of the monitoring subsystem, not operator
config. Each monitor now owns its prime period + EWMA tau directly instead of
routing through a thin config module.

…per.Cfg.Timeouts

Timeouts was an artificial grab-bag of unrelated values. The idle-grace now
lives in each server (img/layer/mutable) and the per-call cap in the Firecracker
client, beside the behavior each governs.

- drop the {900_000, 999_999} default band: operators must declare the
  uid/gid range; absent -> MissingError, non-integer pair -> ArgumentError
- strip Honeycomb specifics from Otel: endpoint comes from the standard
  OTEL_EXPORTER_OTLP_ENDPOINT env var, headers only from config

resolver_test already covers generic get_cfg precedence/MissingError, and the
unit parse suites cover Unit parsing. Delete tests that merely re-ran that glue
(facades, img_db, gc, dirs, img); trim grpc to its cred coercion and budget to
its toml-string coercion + required-field error.

Configure clustering under config :hyper, Hyper.Cfg.Cluster, topologies: [...]
(config.exs-only, libcluster syntax forwarded straight through) instead of
leaking raw config :libcluster into operator config. Default [] = single node.
Documents the previously-TODO Cluster Topology section.

Otel resolves config.exs from an explicit keyword (it runs during runtime.exs
boot, before app env exists) — the one resolution path not expressed by get_cfg.
Add an {:exs, {kw, key}} source so that case lives in the central resolver; the
bespoke 13-line pick/3 becomes a one-line delegate.

…sted

Budget.load just calls Unit.{Information,Bandwidth}.parse! on TOML strings; the
"4GiB"/"1GiBps" coercion it asserted is covered by the parametrized parse
suites in test/unit. Nothing Budget-specific was left worth a dedicated file.

- work_dir default is /srv/hyper, store default is <work_dir>/layers (were '-')
- budget: cpu/disk_bw/net_bw are all $\beta$ (soft) per architecture.md;
  cpu_max_cap/disk_bw_max_load/net_bw_max_load were mislabelled $\alpha$
- budget: cpu_max_load/cpu_max_cap/*_max_load are floats (load fraction / core
  count), not [unit] quantities; cpu_max_cap is optional (default nil)
- img.db: keys override the repo's compiled-in config, no 'hyper' default
- mark jails uid_gid_range required; drop 'large set of flags' overstatement
- typos: exclusively, compile-time config.exs