refactor: fail loud, tighten types, remove speculative abstraction

Fail loud at the boundary:
- substitute_template raises ConfigError on unresolved {{...}}; no more
  silent literal placeholders in download URLs.
- parse_profile raises ConfigError when 'os' is missing -- no
  raw.get("os", "linux") default that silently masks typos.
- urllib download failures wrapped to FlowError.
- bootstrap _execute_action dispatches phases explicitly and raises
  on unhandled phase; no more "anything else runs as shell".

Direct access over defensive wrapping:
- plan_bootstrap requires env; plan_install requires pm. Drop the
  dead `or os.environ` / `or detect_package_manager()` fallbacks.
- InstalledState.from_dict raises ConfigError on missing fields
  rather than .get(..., default).
- Replace `x or {}` chains with explicit `x if x is not None else {}`
  in package resolution; catalog validates type/platform-map/install
  shapes at parse.

One canonical form / direct access:
- Path.home() replaced with paths.HOME in services/packages.py and
  commands/completion.py. paths.HOME is the single source now.
- Use Path.is_relative_to for install-path containment instead of
  str.startswith.

Domain purity:
- domain/containers/resolution.resolve_mounts takes a filesystem_check
  predicate; service passes the probe in. Domain no longer touches
  the filesystem directly.

No speculative abstraction:
- Drop the `allow_sudo` field entirely. The _script_uses_sudo check
  it gated was bypassable (substring match) and gave false confidence;
  the manifest is fully user-trusted anyway.
- Delete dead terminfo_fix_command + RemoteService.fix_terminfo
  (no command surface exposes them).
- FileSystem.remove_tree no longer swallows errors via ignore_errors;
  callers opt into missing_ok if needed.

Typed enums:
- PackageDef.type, AppConfig.container_runtime as Literal[...].
  container_runtime values validated at config parse.

Completion bypasses runtime no longer:
- complete(ctx, ...) threads context; ContainerRuntime and state-file
  reads go through ctx.runtime instead of constructing primitives.

Tests added for: template raise, missing os raise, env/pm required,
unknown phase raise, no allow_sudo gate, URL download failure, install
path escape, corrupt installed.json, container_runtime Literal,
filesystem_check controls mounts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/test_core_config.py

@@ -5,6 +5,7 @@ from pathlib import Path
 import pytest
 
 from flow.core.config import AppConfig, load_config, load_manifest
+from flow.core.errors import ConfigError
 
 
 def test_load_config_missing_path(tmp_path):
@@ -141,3 +142,22 @@ def test_load_config_container_runtime(tmp_path):
     )
     cfg = load_config(tmp_path)
     assert cfg.container_runtime == "podman-rootful"
+
+
+@pytest.mark.parametrize("runtime", ["auto", "docker", "podman", "podman-rootful"])
+def test_load_config_container_runtime_accepts_known_values(tmp_path, runtime):
+    (tmp_path / "config.yaml").write_text(
+        "defaults:\n"
+        f"  container-runtime: {runtime}\n"
+    )
+    cfg = load_config(tmp_path)
+    assert cfg.container_runtime == runtime
+
+
+def test_load_config_container_runtime_rejects_unknown(tmp_path):
+    (tmp_path / "config.yaml").write_text(
+        "defaults:\n"
+        "  container-runtime: nspawn\n"
+    )
+    with pytest.raises(ConfigError, match="Invalid container-runtime"):
+        load_config(tmp_path)