build/rfs: integrate RFS flists + runtime orchestration

• Add standalone RFS tooling: scripts/rfs/common.sh, pack-modules.sh, pack-firmware.sh, verify-flist.sh

• Patch flist route.url with read-only Garage S3 credentials; optional HTTPS store row; optional manifest upload via mcli

• Build integration: stage_rfs_flists in scripts/build.sh to pack and embed manifests under initramfs/etc/rfs

• Runtime: add zinit units rfs-modules (after: network), rfs-firmware (after: network) as daemons; add udev-rfs oneshot post-mount

• Keep early udev-trigger oneshot to coldplug NICs before RFS mounts

• Firmware flist reproducible naming: respect FIRMWARE_TAG from env or config/build.conf, default to latest

• Docs: update docs/rfs-flists.md with runtime ordering, reproducible tagging, verification steps

docs/rfs-flists.md

@@ -110,3 +110,57 @@ Note on route URL vs HTTP endpoint
   - READ_ACCESS_KEY / READ_SECRET_KEY: read-only credentials
   - ROUTE_ENDPOINT (defaults to S3_ENDPOINT), ROUTE_PATH=/blobs, ROUTE_REGION=garage
 - Do not set ROUTE_PATH to S3_PREFIX. ROUTE_PATH is the gateway’s blob route (usually /blobs). S3_PREFIX is only for the pack-time store path.
+
+## Runtime units and ordering (zinit)
+
+This repo now includes runtime zinit units and init scripts to mount the RFS flists and perform dual udev coldplug sequences.
+
+- Early coldplug (before RFS mounts):
+  - [config/zinit/udev-trigger.yaml](config/zinit/udev-trigger.yaml) calls [config/zinit/init/udev.sh](config/zinit/init/udev.sh).
+  - Runs after depmod/udev daemons to initialize NICs and other devices using what is already in the initramfs.
+  - Purpose: bring up networking so RFS can reach Garage S3.
+
+- RFS mounts (daemons, after network):
+  - [config/zinit/rfs-modules.yaml](config/zinit/rfs-modules.yaml) runs [config/zinit/init/modules.sh](config/zinit/init/modules.sh) to mount modules-$(uname -r).fl onto /lib/modules/$(uname -r).
+  - [config/zinit/rfs-firmware.yaml](config/zinit/rfs-firmware.yaml) runs [config/zinit/init/firmware.sh](config/zinit/init/firmware.sh) to mount firmware-latest.fl onto /usr/lib/firmware.
+  - Both are defined as restart: always and include after: network to ensure the Garage S3 route is reachable.
+
+- Post-mount coldplug (after RFS mounts):
+  - [config/zinit/udev-rfs.yaml](config/zinit/udev-rfs.yaml) performs:
+    - udevadm control --reload
+    - udevadm trigger --action=add --type=subsystems
+    - udevadm trigger --action=add --type=devices
+    - udevadm settle
+  - This re-probes hardware so new modules/firmware from the overmounted flists are considered.
+
+- Embedded manifests in initramfs:
+  - The build embeds the flists under /etc/rfs:
+    - modules-KERNEL_FULL_VERSION.fl
+    - firmware-latest.fl
+  - Creation happens in [scripts/rfs/pack-modules.sh](scripts/rfs/pack-modules.sh) and [scripts/rfs/pack-firmware.sh](scripts/rfs/pack-firmware.sh), and embedding is orchestrated by [scripts/build.sh](scripts/build.sh).
+
+## Reproducible firmware tagging
+
+- The firmware flist name can be pinned via FIRMWARE_TAG in [config/build.conf](config/build.conf).
+  - If set: firmware-FIRMWARE_TAG.fl
+  - If unset: the build uses firmware-latest.fl for embedding (standalone pack may default to date-based).
+- The build logic picks the tag with this precedence:
+  1) Environment FIRMWARE_TAG
+  2) FIRMWARE_TAG from [config/build.conf](config/build.conf)
+  3) "latest"
+- Build integration implemented in [scripts/build.sh](scripts/build.sh).
+
+Example:
+- Set FIRMWARE_TAG in config: add FIRMWARE_TAG="20250908" in [config/build.conf](config/build.conf)
+- Or export at build time: export FIRMWARE_TAG="v1"
+
+## Verifying flists
+
+Use the helper to inspect a manifest, optionally listing entries and testing a local mount (root + proper FUSE policy required):
+
+- Inspect only:
+  - scripts/rfs/verify-flist.sh -m dist/flists/modules-6.12.44-Zero-OS.fl
+- Inspect + tree:
+  - scripts/rfs/verify-flist.sh -m dist/flists/firmware-latest.fl --tree
+- Inspect + mount test to a temp dir:
+  - sudo scripts/rfs/verify-flist.sh -m dist/flists/modules-6.12.44-Zero-OS.fl --mount