Non-goals and deferred scope
Graft keeps a visible list of deliberate non-goals so small renderer issues do not silently become product decisions.
A non-goal is not necessarily rejected forever. It means the current phase should not implement it without a separate issue or design pass.
Current v0.2 scope
The v0.2 renderer work focuses on safe, useful Quadlet output from resolved TOML. It intentionally does not try to cover the full TOML schema or every Podman, Quadlet, and systemd feature.
Deferred for v0.2:
- no port syntax parser for
PublishPort=values - no filesystem path existence checks for volumes
- no volume mode allowlist beyond line-safety validation
- no Quadlet
.volumeor.networkunit generation - no automatic firewall, DNS, or network alias management
- no systemd timespan parser for service timing values
- no
[Install], autostart, service type,remainAfterExit, orrestartIfChangedrendering - no supplemental groups, UID/GID mapping, or user namespace policy from the group renderer
- no secrets materialisation or host environment passthrough
- no generated environment files
Architecture boundaries
These boundaries are intentional:
- TOML is user intent, not raw Quadlet.
- TOML is not a second NixOS module language.
- The CLI owns defaults, validation, dependency resolution, and semantic decisions.
- NixOS and Home Manager modules are dumb materialisers.
- Nix evaluation must stay deterministic and side-effect free.
- Hidden state between modules or commands should be avoided.
- Packages are declared in TOML and realised by Nix; they are not installed ad-hoc inside containers.
Runtime and product workflow deferred scope
The current renderer work does not yet implement the larger Graft product flow. Deferred topics include:
- Git-aware copied workspace workflows
- context-aware template variables
- named instances and dynamic hostname strategy
- promote and diff workflows
- CLI runtime control beyond the agreed future command direction
- local TOML linting and host-aware doctor diagnostics
- host login policy in TOML, such as enabling systemd user linger from a container definition
- dedicated security hardening defaults such as
userns=auto, limited UIDs, workdir-only writes, resource limits, and secrets support
The agreed future lifecycle command names remain:
graft up
graft down
No graft shell command is planned.
Literal passthrough policy
Some upstream syntaxes are broad and already validated by Podman, Quadlet, or systemd. For those fields, Graft should prefer line-safe passthrough until a separate policy issue exists.
Current examples:
PublishPort=valuesVolume=strings assembled from TOML parts- systemd service timing values such as
RestartSec=andTimeoutStartSec=
Line-safe passthrough means:
- reject empty or whitespace-only values where the field is present
- reject control characters
- render mechanically
- do not add a parser, allowlist, or policy by accident
When to update this page
Update this page when implementation or review finds a repeated phrase like:
- “out of scope”
- “not yet”
- “deferred”
- “no parser yet”
- “no policy yet”
- “separate design issue”
If a non-goal later becomes planned work, create or link the issue and move the specific item out of this page when the implementation lands.
Related tracking issues:
- #11: Design named instances and dynamic hostname strategy
- #12: Design context-aware template variables for repo branch worktree and agent
- #13: Backlog: reduce Nix module rendering complexity
- #27: Design Git-aware copied workspace workflow
- #100: Add graft lint for TOML diagnostics
- #101: Add graft doctor for local environment diagnostics