refactor: fail loud, tighten types, remove speculative abstraction

Fail loud at the boundary:
- substitute_template raises ConfigError on unresolved {{...}}; no more
  silent literal placeholders in download URLs.
- parse_profile raises ConfigError when 'os' is missing -- no
  raw.get("os", "linux") default that silently masks typos.
- urllib download failures wrapped to FlowError.
- bootstrap _execute_action dispatches phases explicitly and raises
  on unhandled phase; no more "anything else runs as shell".

Direct access over defensive wrapping:
- plan_bootstrap requires env; plan_install requires pm. Drop the
  dead `or os.environ` / `or detect_package_manager()` fallbacks.
- InstalledState.from_dict raises ConfigError on missing fields
  rather than .get(..., default).
- Replace `x or {}` chains with explicit `x if x is not None else {}`
  in package resolution; catalog validates type/platform-map/install
  shapes at parse.

One canonical form / direct access:
- Path.home() replaced with paths.HOME in services/packages.py and
  commands/completion.py. paths.HOME is the single source now.
- Use Path.is_relative_to for install-path containment instead of
  str.startswith.

Domain purity:
- domain/containers/resolution.resolve_mounts takes a filesystem_check
  predicate; service passes the probe in. Domain no longer touches
  the filesystem directly.

No speculative abstraction:
- Drop the `allow_sudo` field entirely. The _script_uses_sudo check
  it gated was bypassable (substring match) and gave false confidence;
  the manifest is fully user-trusted anyway.
- Delete dead terminfo_fix_command + RemoteService.fix_terminfo
  (no command surface exposes them).
- FileSystem.remove_tree no longer swallows errors via ignore_errors;
  callers opt into missing_ok if needed.

Typed enums:
- PackageDef.type, AppConfig.container_runtime as Literal[...].
  container_runtime values validated at config parse.

Completion bypasses runtime no longer:
- complete(ctx, ...) threads context; ContainerRuntime and state-file
  reads go through ctx.runtime instead of constructing primitives.

Tests added for: template raise, missing os raise, env/pm required,
unknown phase raise, no allow_sudo gate, URL download failure, install
path escape, corrupt installed.json, container_runtime Literal,
filesystem_check controls mounts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/test_completion.py

@@ -3,10 +3,24 @@
 import subprocess
 
 from flow.commands.completion import complete
+from flow.core.config import AppConfig, FlowContext
+from flow.core.console import Console
+from flow.core.platform import PlatformInfo
+from flow.core.runtime import SystemRuntime
+
+
+def _make_ctx():
+    return FlowContext(
+        config=AppConfig(),
+        manifest={},
+        platform=PlatformInfo(),
+        console=Console(color=False),
+        runtime=SystemRuntime(),
+    )
 
 
 def test_complete_top_level():
-    result = complete(["flow", ""], 1)
+    result = complete(_make_ctx(), ["flow", ""], 1)
     assert "dotfiles" in result
     assert "packages" in result
     assert "setup" in result
@@ -16,12 +30,12 @@ def test_complete_top_level():
 
 
 def test_complete_top_level_prefix():
-    result = complete(["flow", "do"], 1)
+    result = complete(_make_ctx(), ["flow", "do"], 1)
     assert result == ["dotfiles"]
 
 
 def test_complete_dotfiles_subcommands():
-    result = complete(["flow", "dotfiles", ""], 2)
+    result = complete(_make_ctx(), ["flow", "dotfiles", ""], 2)
     assert "link" in result
     assert "unlink" in result
     assert "status" in result
@@ -36,7 +50,7 @@ def test_complete_dotfiles_subcommands():
 
 
 def test_complete_dotfiles_repos_subcommands():
-    result = complete(["flow", "dotfiles", "repos", ""], 3)
+    result = complete(_make_ctx(), ["flow", "dotfiles", "repos", ""], 3)
     assert "list" in result
     assert "status" in result
     assert "pull" in result
@@ -44,43 +58,41 @@ def test_complete_dotfiles_repos_subcommands():
 
 
 def test_complete_dotfiles_repos_pull_flags():
-    result = complete(["flow", "dotfiles", "repos", "pull", "--"], 4)
+    result = complete(_make_ctx(), ["flow", "dotfiles", "repos", "pull", "--"], 4)
     assert "--repo" in result
     assert "--dry-run" in result
 
 
 def test_complete_dotfiles_edit_packages():
-    result = complete(["flow", "dotfiles", "edit", "--"], 3)
+    result = complete(_make_ctx(), ["flow", "dotfiles", "edit", "--"], 3)
     assert "--no-commit" in result
 
 
 def test_complete_dotfiles_link_flags():
-    result = complete(["flow", "dotfiles", "link", "--"], 3)
+    result = complete(_make_ctx(), ["flow", "dotfiles", "link", "--"], 3)
     assert "--profile" in result
     assert "--dry-run" in result
 
 
 def test_complete_unknown_command():
-    result = complete(["flow", "unknown", ""], 2)
+    result = complete(_make_ctx(), ["flow", "unknown", ""], 2)
     assert result == []
 
 
 def test_complete_packages_subcommands():
-    result = complete(["flow", "packages", ""], 2)
+    result = complete(_make_ctx(), ["flow", "packages", ""], 2)
     assert "install" in result
     assert "remove" in result
     assert "list" in result
 
 
-def test_complete_dev_attach_returns_empty_on_timeout(monkeypatch):
-    class FakeRuntime:
-        def __init__(self, runner, *, mode="auto"):
-            self.runner = runner
+def test_complete_dev_attach_returns_empty_on_timeout():
+    ctx = _make_ctx()
 
-        def ps(self, **kwargs):
-            assert kwargs["timeout"] == 1.0
-            raise subprocess.TimeoutExpired("docker ps", kwargs["timeout"])
+    def fake_ps(**kwargs):
+        assert kwargs["timeout"] == 1.0
+        raise subprocess.TimeoutExpired("docker ps", kwargs["timeout"])
 
-    monkeypatch.setattr("flow.commands.completion.ContainerRuntime", FakeRuntime)
-    result = complete(["flow", "dev", "attach", ""], 3)
+    ctx.runtime.containers.ps = fake_ps  # type: ignore[method-assign]
+    result = complete(ctx, ["flow", "dev", "attach", ""], 3)
     assert result == []