agent/tmpfiles: fix agent bootstrap chain; create all missing resolution paths

- .gitignore: whitelist CLAUDE.md, GEMINI.md, system-prompt.md (tracked but
  not whitelisted -- would be silently lost on gitignore resets)
- system-prompt.md: new symlink -> usr/share/mios/ai/system.md; satisfies
  fallback path referenced in GEMINI.md and AGENTS.md for off-host agents
- tmpfiles.d/mios-infra.conf: declare /etc/mios/ai and /etc/mios/env.d so
  the directories exist at first boot before the bootstrap installer runs;
  any agent following the 3-layer system prompt cascade can now resolve all
  paths without 'no such file' failures
- .cursorrules, .clinerules: rewrite to OpenAI-standard redirector format;
  remove emoji and wrong file references, add full load order, architectural
  laws, and sanitization rules consistent with GEMINI.md / AGENTS.md stubs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Kabuki94

.clinerules

@@ -1,8 +1,25 @@
-# MiOS Architectural Purity Rules
-# MANDATE: Enforce AI-native surface contract without conversational artifacts.
-
-- **System Integrity:** Maintain absolute FHS compliance and immutable root purity.
-- **Declarative Hardware:** All hardware delegation must be in /usr/lib/bootc/kargs.d/.
-- **Zero-Trust:** Deny-by-default for execution (fapolicyd) and networking (firewalld).
-- **Automation:** Use "set -euo pipefail" for all shell logic.
-- **Surface:** /v1/ endpoints are pure relational schemas for local LLM discovery.
+# MiOS development agent rules — Cline/AI extension context.
+# Load /usr/share/mios/ai/system.md as the canonical system prompt.
+# Apply /etc/mios/ai/system-prompt.md as host-local override if present.
+# Apply ~/.config/mios/system-prompt.md as per-user override if present.
+# This file carries no tool-specific deltas — follow system.md verbatim.
+
+## Architectural laws (non-negotiable)
+
+1. USR-OVER-ETC: static config in /usr/lib/<component>.d/; /etc/ = admin overrides only
+2. NO-MKDIR-IN-VAR: every /var/ path declared via usr/lib/tmpfiles.d/*.conf
+3. BOUND-IMAGES: every Quadlet sidecar image symlinked in /usr/lib/bootc/bound-images.d/
+4. BOOTC-CONTAINER-LINT: RUN bootc container lint is the final Containerfile instruction
+5. UNIFIED-AI-REDIRECTS: MIOS_AI_ENDPOINT/MODEL/KEY target http://localhost:8080/v1; zero vendor URLs
+6. UNPRIVILEGED-QUADLETS: every Quadlet defines User=, Group=, Delegate=yes
+
+## Repo structure
+
+The working directory is the OS root /. File paths are FHS paths, not repo-relative.
+System overlay (mios.git): /Containerfile, /Justfile, /automation/, /usr/share/mios/, /usr/lib/
+User overlay (mios-bootstrap.git): /etc/mios/, /usr/share/mios/ai/, /usr/share/mios/knowledge/
+
+## AI artifact sanitization
+
+No vendor/corporate names in persisted artifacts. No chat metadata. No foreign sandbox paths.
+All AI endpoints target http://localhost:8080/v1. Direct declarative prose only.

.cursorrules

@@ -1,21 +1,28 @@
-# MiOS .cursorrules — Engineering Standards (Day 0)
+# MiOS development agent rules — cursor/IDE AI assistant context.
+# Load /usr/share/mios/ai/system.md as the canonical system prompt.
+# Apply /etc/mios/ai/system-prompt.md as host-local override if present.
+# Apply ~/.config/mios/system-prompt.md as per-user override if present.
+# This file carries no tool-specific deltas — follow system.md verbatim.
 
-You are assisting in the development of the **MiOS** repository. MiOS is an immutable, AI-native workstation.
+## Architectural laws (non-negotiable)
 
-## ⚖️ Immutable Appliance Laws
-1. **USR-OVER-ETC**: Static config goes in `/usr/lib/`. No `/etc` in build context.
-2. **NO-MKDIR-IN-VAR**: Persistence via `tmpfiles.d`. No `/var` in build context.
-3. **UNPRIVILEGED-QUADLETS**: sidecars MUST define `User=`/`Group=` and `Delegate=yes`.
-4. **BOOTC-NATIVE**: Always ensure `bootc container lint` passes.
+1. USR-OVER-ETC: static config in /usr/lib/<component>.d/; /etc/ = admin overrides only
+2. NO-MKDIR-IN-VAR: every /var/ path declared via usr/lib/tmpfiles.d/*.conf
+3. BOUND-IMAGES: every Quadlet sidecar image symlinked in /usr/lib/bootc/bound-images.d/
+4. BOOTC-CONTAINER-LINT: RUN bootc container lint is the final Containerfile instruction
+5. UNIFIED-AI-REDIRECTS: MIOS_AI_ENDPOINT/MODEL/KEY target http://localhost:8080/v1; zero vendor URLs
+6. UNPRIVILEGED-QUADLETS: every Quadlet defines User=, Group=, Delegate=yes
 
-## 🛠 Coding Standards
-- **Pure FOSS**: No proprietary cloud APIs or services.
-- **Local AI**: Target the OpenAI-compatible proxy at `http://localhost:8080/v1`.
-- **Bash**: `set -euo pipefail`. Use `VAR=$((VAR + 1))`. Quote all variables.
-- **SSOT**: Consult `INDEX.md` for all architectural and API surface contracts.
+## Build standards
 
-## 📂 Key Directories
-- `usr/`: Immutable rootfs content.
-- `etc/`: Persistence templates.
-- `tools/`: Utility toolchain.
-- `specs/`: Research and blueprints.
+- Packages: /usr/share/mios/PACKAGES.md only (fenced packages-<category> blocks)
+- Shell: set -euo pipefail; VAR=$((VAR+1)) not ((VAR++)); dnf5: install_weak_deps=False
+- kargs: flat kargs = [...] array; no [kargs] header; no delete key
+- Never upgrade kernel/kernel-core; only kernel-modules-extra, kernel-devel, kernel-headers
+- All version pins, ports, paths defined in /usr/share/mios/env.defaults (MIOS_* vars)
+- Deliverables: complete replacement files only; no diffs, no patches
+
+## AI artifact sanitization
+
+No vendor/corporate names in persisted artifacts. No chat metadata. No foreign sandbox paths.
+All AI endpoints target http://localhost:8080/v1. Direct declarative prose only.

.gitignore

@@ -26,6 +26,9 @@
 !/.github/**
 !/AGENTS.md
 !/AI.md
+!/CLAUDE.md
+!/GEMINI.md
+!/system-prompt.md
 !/ARCHITECTURE.md
 !/CONTRIBUTING.md
 !/Containerfile

system-prompt.md

@@ -0,0 +1 @@
+usr/share/mios/ai/system.md

usr/lib/tmpfiles.d/mios-infra.conf

@@ -29,6 +29,8 @@ d /etc/ceph                   0755 root root -
 
 # ── MiOS Component Skeletons ──────────────────────────────────────────────
 d /etc/mios                0755 root root -
+d /etc/mios/ai             0755 root root -
+d /etc/mios/env.d          0755 root root -
 # Seed role.conf from the image-baked example if admin has not overridden it
 C /etc/mios/role.conf      0644 root root - /usr/share/mios/role.conf.example