refactor(packages): mios.toml is the only runtime SSOT; PACKAGES.md is documentation

Kabuki94 · Kabuki94 · commit 4f3ca0c3f8a1 · 2026-05-05T19:41:07.000-04:00
Removes the legacy PACKAGES.md fenced-block fallback from the runtime path.
mios.toml [packages.&lt;section&gt;].pkgs is now the single source consulted by
automation/lib/packages.sh, resolved through the documented overlay chain
(MIOS_TOML override -&gt; ~/.config -&gt; /etc/mios -&gt; /ctx/mios-bootstrap -&gt;
/usr/share/mios -&gt; /ctx/usr/share/mios).

Touched files:
  - automation/lib/packages.sh: drop Tier-2 sed/awk PACKAGES.md scrape;
    get_packages / get_packages_strict / install_packages_optional now take
    only a section name.
  - automation/build.sh: export MIOS_TOML instead of PACKAGES_MD; FATAL when
    the TOML is missing.
  - automation/install-bootstrap.sh: source packages.sh and aggregate every
    [packages.*] section discovered via awk so the ignition path matches
    what the OCI build chain installs.
  - Containerfile + Containerfile.minimal: drop the COPY of PACKAGES.md and
    the export PACKAGES_MD; pass MIOS_TOML pointing at the already-shipped
    /tmp/build/usr/share/mios/mios.toml.
  - build-mios.ps1: required-file check verifies usr/share/mios/mios.toml,
    not usr/share/mios/PACKAGES.md.
  - usr/share/mios/env.defaults: replace MIOS_PACKAGES_MD with MIOS_TOML.
  - usr/libexec/mios-verify: probe the new doc-tree PACKAGES.md location +
    keep mios.toml as a hard-required vendor file.
  - 11 automation/*.sh comment-only fixups: each "from PACKAGES.md
    packages-X" header now reads "from mios.toml [packages.X]".
  - usr/share/mios/PACKAGES.md -&gt; usr/share/doc/mios/reference/PACKAGES.md
    (legacy reference moved to the docs tree, header rewritten to state the
    fallback is fully removed in v0.2.4).
  - llms.txt + usr/share/doc/mios/reference/credits.md: citation pointers
    updated to the new docs-tree path and to mios.toml as the SSOT.

Why: completes the user's "deprecate -&gt; consolidate -&gt; remove" arc for
PACKAGES.md. The TOML manifest is what the configurator HTML edits and
what every operator override layer expects; keeping the fenced-block
fallback in code drifted away from that. The 44 [packages.&lt;section&gt;]
tables in mios.toml were already authoritative for every section the
build chain touches.

Verified: bash -n on all 14 modified scripts; get_packages_from_toml
smoke-tested for base/ai/glibc-hwcaps-v3 + nonexistent section against
the live usr/share/mios/mios.toml.
diff --git a/Containerfile b/Containerfile
@@ -7,7 +7,10 @@ COPY usr/                  /ctx/usr/
 COPY etc/                  /ctx/etc/
 # /home/ is bootstrap territory (mios-bootstrap.git stages user homes via
 # profile/ in Phase-3); the build no longer pulls it.
-COPY usr/share/mios/PACKAGES.md /ctx/PACKAGES.md
+# SSOT: mios.toml [packages.<section>].pkgs lives at
+# usr/share/mios/mios.toml and is already shipped via the COPY usr/ above.
+# build.sh exports $MIOS_TOML to /ctx/usr/share/mios/mios.toml so
+# automation/lib/packages.sh resolves the canonical TOML manifest.
 COPY VERSION               /ctx/VERSION
 COPY config/artifacts/     /ctx/bib-configs/
 COPY tools/                /ctx/tools/
@@ -50,7 +53,7 @@ RUN --mount=type=bind,from=ctx,source=/ctx,target=/ctx,ro \
     --mount=type=cache,dst=/var/cache/dnf,sharing=locked \
     set -ex; \
     install -d -m 0755 /tmp/build; \
-    cp -a /ctx/automation /ctx/usr /ctx/etc /ctx/PACKAGES.md /ctx/VERSION /ctx/bib-configs /ctx/tools /tmp/build/; \
+    cp -a /ctx/automation /ctx/usr /ctx/etc /ctx/VERSION /ctx/bib-configs /ctx/tools /tmp/build/; \
     # Defensive CRLF -> LF normalization. .gitattributes already pins
     # *.sh / *.toml / *.conf / *.yaml / *.json / *.md to LF, but Windows
     # build hosts (OneDrive sync in particular) bypass git's filter and
@@ -69,7 +72,7 @@ RUN --mount=type=bind,from=ctx,source=/ctx,target=/ctx,ro \
            -o -name "*.volume" -o -name "*.repo" -o -name "*.policy" \
            -o -name "*.rules" \) \
         -exec sed -i 's/\r$//' {} +; \
-    export PACKAGES_MD=/tmp/build/PACKAGES.md; \
+    export MIOS_TOML=/tmp/build/usr/share/mios/mios.toml; \
     bash /tmp/build/automation/lib/packages.sh >/dev/null 2>&1 || true; \
     source /tmp/build/automation/lib/packages.sh; \
     # Purge any stale/corrupt repo metadata left in the buildkit cache mount
diff --git a/Containerfile.minimal b/Containerfile.minimal
@@ -51,7 +51,10 @@ FROM scratch AS ctx
 COPY automation/           /ctx/automation/
 COPY usr/                  /ctx/usr/
 COPY etc/                  /ctx/etc/
-COPY usr/share/mios/PACKAGES.md /ctx/PACKAGES.md
+# SSOT: mios.toml [packages.<section>].pkgs (resolved by lib/packages.sh).
+# usr/ already carries usr/share/mios/mios.toml -- the COPY above lands it
+# at /ctx/usr/share/mios/mios.toml, which is the lowest-precedence default
+# the resolver picks up via $MIOS_TOML below.
 COPY VERSION               /ctx/VERSION
 COPY tools/                /ctx/tools/
 
@@ -88,7 +91,7 @@ RUN --mount=type=bind,from=ctx,source=/ctx,target=/ctx,ro \
     --mount=type=cache,dst=/var/cache/dnf,sharing=locked \
     set -ex; \
     install -d -m 0755 /tmp/build; \
-    cp -a /ctx/automation /ctx/usr /ctx/etc /ctx/PACKAGES.md /ctx/VERSION /ctx/tools /tmp/build/; \
+    cp -a /ctx/automation /ctx/usr /ctx/etc /ctx/VERSION /ctx/tools /tmp/build/; \
     # Same defensive CRLF normalization as the canonical Containerfile.
     find /tmp/build -type f \
         \( -name "*.sh" -o -name "*.toml" -o -name "*.conf" \
@@ -99,7 +102,7 @@ RUN --mount=type=bind,from=ctx,source=/ctx,target=/ctx,ro \
            -o -name "*.volume" -o -name "*.repo" -o -name "*.policy" \
            -o -name "*.rules" \) \
         -exec sed -i 's/\r$//' {} +; \
-    export PACKAGES_MD=/tmp/build/PACKAGES.md; \
+    export MIOS_TOML=/tmp/build/usr/share/mios/mios.toml; \
     export MIOS_VARIANT=minimal; \
     source /tmp/build/automation/lib/packages.sh; \
     ${DNF_BIN:-dnf5} clean metadata 2>/dev/null || true; \
diff --git a/automation/10-gnome.sh b/automation/10-gnome.sh
@@ -24,12 +24,12 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/lib/packages.sh"
 
 # ═════════════════════════════════════════════════════════════════════════════
-# GNOME 50 -- Install from PACKAGES.md (build-up, NOT strip-down)
+# GNOME 50 -- Install from mios.toml [packages.gnome] (build-up, NOT strip-down)
 # ═════════════════════════════════════════════════════════════════════════════
 echo "[10-gnome] Installing GNOME 50 desktop (pure build-up)..."
 install_packages "gnome"
 
-# Optional GNOME Core Apps (all commented out by default in PACKAGES.md)
+# Optional GNOME Core Apps (empty pkgs[] in [packages.gnome-core-apps] by default)
 install_packages_optional "gnome-core-apps"
 
 # ═════════════════════════════════════════════════════════════════════════════
diff --git a/automation/11-hardware.sh b/automation/11-hardware.sh
@@ -9,7 +9,8 @@
 #             NVIDIA acceleration - image still works for everything else.
 #
 # Mesa (AMD/Intel/software fallback) and ROCm + intel-compute-runtime are
-# installed from PACKAGES.md. They have no kernel-version coupling.
+# installed from mios.toml [packages.gpu-amd] / [packages.gpu-intel]. They
+# have no kernel-version coupling.
 #
 # CHANGELOG:
 #   v0.2.0: Dropped COPY-layer fallback. ucore-hci IS already built from
diff --git a/automation/21-moby-engine.sh b/automation/21-moby-engine.sh
@@ -9,8 +9,8 @@ source "$(dirname "$0")/lib/packages.sh"
 source "$(dirname "$0")/lib/common.sh"
 
 # moby-engine conflicts with podman-docker over /usr/bin/docker. install_packages
-# routes through dnf which resolves the conflict at install time; PACKAGES.md is
-# the SSOT for every RPM (see CLAUDE.md / CONTRIBUTING.md).
+# routes through dnf which resolves the conflict at install time; mios.toml
+# [packages.moby] is the SSOT for every RPM (see CLAUDE.md / CONTRIBUTING.md).
 install_packages "moby"
 
 # Enable the Docker socket to ensure it's available on boot
diff --git a/automation/23-uki-render.sh b/automation/23-uki-render.sh
@@ -7,10 +7,11 @@ echo "==> Preparing Unified Kernel Image (UKI) configuration..."
 source "$(dirname "$0")/lib/packages.sh"
 source "$(dirname "$0")/lib/common.sh"
 
-# packages-boot already pulls systemd-ukify; reinstall via the SSOT block as a
-# safety net in case --skip-unavailable dropped it on a constrained mirror.
+# [packages.boot] already pulls systemd-ukify; reinstall via the SSOT
+# [packages.uki] section as a safety net in case --skip-unavailable dropped
+# it on a constrained mirror.
 if ! rpm -q systemd-ukify >/dev/null 2>&1; then
-    echo "==> systemd-ukify not found via boot-section install; reinstalling via PACKAGES.md..."
+    echo "==> systemd-ukify not found via boot-section install; reinstalling via mios.toml [packages.uki]..."
     install_packages_strict "uki"
 fi
 
diff --git a/automation/43-uupd-installer.sh b/automation/43-uupd-installer.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# 43-uupd-installer.sh - install uupd + greenboot (from PACKAGES.md
-# packages-updater section) and disable the updaters it supersedes.
+# 43-uupd-installer.sh - install uupd + greenboot (from mios.toml
+# [packages.updater]) and disable the updaters it supersedes.
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
diff --git a/automation/44-podman-machine-compat.sh b/automation/44-podman-machine-compat.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # 44-podman-machine-compat.sh - Podman-machine backend compatibility.
-# Package installs moved to PACKAGES.md (packages-containers, packages-utils).
+# Package installs moved to mios.toml [packages.containers] / [packages.utils].
 # This script only does the runtime config that cannot be expressed as packages:
 #   - create the 'core' user (Podman machine convention)
 #   - enable services needed for machine backend operation
diff --git a/automation/45-nvidia-cdi-refresh.sh b/automation/45-nvidia-cdi-refresh.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # 45-nvidia-cdi-refresh.sh - wire up NVIDIA CDI auto-refresh services.
-# Package installs live in PACKAGES.md (packages-gpu-nvidia section).
+# Package installs live in mios.toml [packages.gpu-nvidia].
 #
 # Key invariants:
 #   - nvidia-container-toolkit ≥ 1.18 for nvidia-cdi-refresh.service/path.
diff --git a/automation/46-greenboot.sh b/automation/46-greenboot.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# 46-greenboot.sh - wire greenboot services; package installs via PACKAGES.md
-# (packages-updater section: greenboot, greenboot-default-health-checks).
+# 46-greenboot.sh - wire greenboot services; package installs via mios.toml
+# [packages.updater] (greenboot, greenboot-default-health-checks).
 set -euo pipefail
 source "$(dirname "${BASH_SOURCE[0]}")/lib/common.sh"
 
diff --git a/automation/47-hardening.sh b/automation/47-hardening.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # 47-hardening.sh - enable hardening services (USBGuard, auditd).
-# Package installs moved to PACKAGES.md (packages-security).
+# Package installs moved to mios.toml [packages.security].
 # sysctl drop-in shipped via usr/lib/sysctl.d/99-mios-hardening.conf.
 set -euo pipefail
 source "$(dirname "${BASH_SOURCE[0]}")/lib/common.sh"
diff --git a/automation/90-generate-sbom.sh b/automation/90-generate-sbom.sh
@@ -13,7 +13,7 @@ ARTIFACT_DIR="${MIOS_USR_DIR}/artifacts/sbom"
 mkdir -p "$ARTIFACT_DIR"
 
 if ! command -v syft &> /dev/null; then
-    echo "[90-generate-sbom] WARN: Syft not found. Attempting to install via PACKAGES.md..."
+    echo "[90-generate-sbom] WARN: Syft not found. Attempting to install via mios.toml [packages.sbom-tools]..."
     install_packages "sbom-tools"
     # install_packages is best-effort and returns 0 even on miss; re-check
     # presence and bail out cleanly if syft still isn't on PATH.
diff --git a/automation/91-strip-build-toolchain.sh b/automation/91-strip-build-toolchain.sh
@@ -12,7 +12,7 @@
 # does not compile on the host -- it ships in containers/Flatpaks/VMs
 # that bring their own toolchains where needed.
 #
-# Block parsed from PACKAGES.md `packages-build-toolchain`. The strip is
+# Block resolved from mios.toml [packages.build-toolchain]. The strip is
 # best-effort: a missing package is fine (host already lean), but a
 # failed dnf transaction is logged loud since it leaves the toolchain in
 # place.
diff --git a/automation/build.sh b/automation/build.sh
@@ -9,7 +9,13 @@ source "${SCRIPT_DIR}/lib/common.sh"
 source "${SCRIPT_DIR}/lib/packages.sh"
 register_common_masks
 
-export PACKAGES_MD="${PACKAGES_MD:-/ctx/PACKAGES.md}"
+# SSOT: mios.toml is the only runtime source for [packages.<section>].pkgs.
+# Legacy PACKAGES.md is documentation under usr/share/doc/mios/reference/
+# and is no longer consulted at build time. Resolution chain (highest first):
+#   $MIOS_TOML override, ~/.config/mios/mios.toml, /etc/mios/mios.toml,
+#   /ctx/mios-bootstrap/mios.toml, /usr/share/mios/mios.toml,
+#   /ctx/usr/share/mios/mios.toml -- see _resolve_mios_toml in lib/packages.sh.
+export MIOS_TOML="${MIOS_TOML:-/ctx/usr/share/mios/mios.toml}"
 BUILD_LOG="/tmp/mios-build.log"
 VERSION_STR="$(cat "${SCRIPT_DIR}/../VERSION" 2>/dev/null || cat /ctx/VERSION 2>/dev/null || echo 'v0.2.4')"
 
@@ -170,8 +176,10 @@ _final_summary() {
 export SYSTEMD_OFFLINE=1
 export container=podman
 
-if [[ ! -f "$PACKAGES_MD" ]]; then
-    printf '[FATAL] PACKAGES_MD not found: %s\n' "$PACKAGES_MD" >&2
+if [[ ! -f "$MIOS_TOML" ]]; then
+    printf '[FATAL] mios.toml SSOT not found: %s\n' "$MIOS_TOML" >&2
+    printf '        Set $MIOS_TOML to the path of the package manifest\n' >&2
+    printf '        (default: /ctx/usr/share/mios/mios.toml during OCI build)\n' >&2
     exit 1
 fi
 
diff --git a/automation/install-bootstrap.sh b/automation/install-bootstrap.sh
@@ -185,23 +185,39 @@ main() {
     log_ok "'MiOS' source tree merged to root."
 
     # --- 4. Package Installation ---
+    # SSOT: mios.toml [packages.<section>].pkgs (resolved via packages.sh).
+    # We source packages.sh from the freshly-staged repo so the ignition
+    # path uses the same TOML-only resolver as the OCI build chain.
     log_phase "Installing 'MiOS' System Stack"
-    if [[ -f "${MIOS_SHARE_DIR}/PACKAGES.md" ]]; then
-        log_info "Extracting package list from ${MIOS_SHARE_DIR}/PACKAGES.md..."
-        local pkgs
-        pkgs=$(sed -n '/^```packages-/,/^```$/{/^```/d;/^#/d;/^$/d;p}' ${MIOS_SHARE_DIR}/PACKAGES.md | tr '\n' ' ')
-        
-        if [[ -n "$pkgs" ]]; then
-            local dnf_cmd="dnf"
-            command -v dnf5 >/dev/null 2>&1 && dnf_cmd="dnf5"
-            log_info "Executing: $dnf_cmd install -y --skip-unavailable --best [PACKAGES]"
-            $dnf_cmd install -y --skip-unavailable --best $pkgs || log_warn "Some packages failed to install."
-            log_ok "Package stack installation complete."
-        else
-            log_err "No packages found in manifest!"
-        fi
+    local toml_path="${MIOS_SHARE_DIR}/mios.toml"
+    [[ -f "$toml_path" ]] || toml_path="${MIOS_STAGE}/usr/share/mios/mios.toml"
+    if [[ ! -f "$toml_path" ]]; then
+        log_err "CRITICAL: mios.toml SSOT not found at ${MIOS_SHARE_DIR}/ or staging."
+        exit 1
+    fi
+
+    log_info "Sourcing package resolver from ${MIOS_STAGE}/automation/lib/packages.sh"
+    # shellcheck source=automation/lib/packages.sh
+    export MIOS_TOML="$toml_path"
+    source "${MIOS_STAGE}/automation/lib/packages.sh"
+
+    # Aggregate every declared section so a fresh-host ignition matches the
+    # full vendor manifest (the OCI build chain installs section-by-section
+    # for staging discipline; bootstrap collapses them into one transaction).
+    local section pkgs all_pkgs=""
+    for section in $(awk -F'[][.]' '/^\[packages\./ { print $3 }' "$toml_path" | sort -u); do
+        pkgs=$(get_packages "$section" 2>/dev/null || true)
+        [[ -n "${pkgs// }" ]] && all_pkgs+=" $pkgs"
+    done
+
+    if [[ -n "${all_pkgs// }" ]]; then
+        local dnf_cmd="dnf"
+        command -v dnf5 >/dev/null 2>&1 && dnf_cmd="dnf5"
+        log_info "Executing: $dnf_cmd install -y --skip-unavailable --best [PACKAGES]"
+        $dnf_cmd install -y --skip-unavailable --best $all_pkgs || log_warn "Some packages failed to install."
+        log_ok "Package stack installation complete."
     else
-        log_err "CRITICAL: ${MIOS_SHARE_DIR}/PACKAGES.md not found!"
+        log_err "No [packages.*] sections found in ${toml_path}!"
         exit 1
     fi
 
diff --git a/automation/lib/packages.sh b/automation/lib/packages.sh
diff --git a/build-mios.ps1 b/build-mios.ps1
diff --git a/llms.txt b/llms.txt
diff --git a/usr/libexec/mios-verify b/usr/libexec/mios-verify
diff --git a/usr/share/doc/mios/reference/PACKAGES.md b/usr/share/doc/mios/reference/PACKAGES.md
diff --git a/usr/share/doc/mios/reference/credits.md b/usr/share/doc/mios/reference/credits.md
diff --git a/usr/share/mios/env.defaults b/usr/share/mios/env.defaults

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,8 @@`
`9`	`9`	`# NVIDIA acceleration - image still works for everything else.`
`10`	`10`	`#`
`11`	`11`	`# Mesa (AMD/Intel/software fallback) and ROCm + intel-compute-runtime are`
`12`		`-# installed from PACKAGES.md. They have no kernel-version coupling.`
	`12`	`+# installed from mios.toml [packages.gpu-amd] / [packages.gpu-intel]. They`
	`13`	`+# have no kernel-version coupling.`
`13`	`14`	`#`
`14`	`15`	`# CHANGELOG:`
`15`	`16`	`# v0.2.0: Dropped COPY-layer fallback. ucore-hci IS already built from`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`#!/usr/bin/env bash`
`2`	`2`	`# 45-nvidia-cdi-refresh.sh - wire up NVIDIA CDI auto-refresh services.`
`3`		`-# Package installs live in PACKAGES.md (packages-gpu-nvidia section).`
	`3`	`+# Package installs live in mios.toml [packages.gpu-nvidia].`
`4`	`4`	`#`
`5`	`5`	`# Key invariants:`
`6`	`6`	`# - nvidia-container-toolkit ≥ 1.18 for nvidia-cdi-refresh.service/path.`