fix(docs+commands): pass 12 doc-vs-code drift + case-handling rationale

apply-safety-gates-test-plan.md described 'init --update non-tty UX
gap (#174)' as a known limitation in two places (Setup section and
Known limitations section), but #174 is closed by this PR — the
overwrite policy resolves to NonInteractive in non-tty contexts
with a hint-bearing error, and --force accepts all preset-template
diffs non-interactively. Both stale references replaced with the
correct guidance ('pass --force for non-interactive refresh').

manual-test-plan.md's J0-1 footgun example cited 192.168.1.1
(real RFC 1918 private). Replaced with 198.51.100.1 (RFC 5737
TEST-NET-2) to match the documentation-IP convention used
elsewhere in the file.

predicateType (selector.go) lowercases sel.Type before the type
switch, accepting 'SSD' / 'NVMe' that Talos rejects with
'unsupported disk type "SSD"'. The previous godoc claim that
predicateType 'mirrors Talos's v1alpha1 type-selector resolution'
was accurate for the lookup logic but elided the case-handling
divergence. Comment expanded to document the intentional
permissiveness — Phase 1 catches declared-resource mismatches,
not Talos's input-format strictness; tightening would duplicate
Talos's check without operator benefit. No code change.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

Author: lexfrei

docs/apply-safety-gates-test-plan.md

@@ -137,7 +137,7 @@ Before requesting human review, exercise the gates against a live Talos node.
 cd /path/to/your/talm/values/tree
 ```
 
-Use a 3-node Talos cluster (replace placeholders below with your own node IPs — examples use RFC 5737 documentation ranges). The vendored talm library in `charts/talm/` may need `talm init --update --preset cozystack` to pick up new helpers; preset templates (`templates/_helpers.tpl`) require interactive confirm and won't auto-update non-tty (known gap, see #174).
+Use a 3-node Talos cluster (replace placeholders below with your own node IPs — examples use RFC 5737 documentation ranges). The vendored talm library in `charts/talm/` may need `talm init --update --preset cozystack` to pick up new helpers; pass `--force` for non-interactive refresh (CI, scripted), or run under a tty for the interactive prompt.
 
 ### Sanity check
 
@@ -203,7 +203,6 @@ go vet ./...
 
 ## Known limitations / follow-ups
 
-- **`talm init --update` non-tty UX gap** (#174): preset-template overwrites require interactive confirmation, so a CI-driven refresh leaves the operator on a stale preset that doesn't surface new validation logic. Work around by copying preset templates from the repo manually or running update under a tty.
 - **Talos-mutated-field allowlist** (open in #172): Phase 2B reports cert hashes / timestamps as divergence today; the verify is off by default until an allowlist lands.
 - **`talm upgrade` has no pre-upgrade gates** (Phase 2C runs *after*, not before): the upgrade flow wraps `talosctl upgrade` and doesn't route through `buildApplyClosure` / `applyOneFileDirectPatchMode`, so Phase 1 / Phase 2A do not run. Phase 2C (post-upgrade version verify) was added precisely to catch the silent-rollback class without that refactor. Full pre-upgrade gates would require reproducing the gate calls in `upgrade_handler.go` or refactoring the apply flow.
 - **Phase 1/2 on `--insecure`**: the safety gates can't run before the chart renders, and the chart's `lookup` calls need an authenticated COSI connection. Insecure path = effectively no gates today.

docs/manual-test-plan.md

@@ -407,7 +407,7 @@ Expected: every shell prints a script that parses (for bash/zsh syntax-check con
 
 Expected: with the post-#163 chart, fails fast with `talm: floatingIP "0700" is not a valid IPv4 / IPv6 literal`. Pre-#163 chart silently renders an invalid VIP.
 
-**Operator footgun**: `--set floatingIP=192.168.1.1` *may* be parsed as the float `192.168 × 1.1` by Helm's loose type-coercion. For IPs use `--set-string floatingIP="192.168.1.1"` or put it in `values.yaml`.
+**Operator footgun**: `--set floatingIP=198.51.100.1` *may* be parsed as the float `198.51 × 100.1` by Helm's loose type-coercion. For IPs use `--set-string floatingIP="198.51.100.1"` or put it in `values.yaml`.
 
 ### J0-2. `--set-literal` keeps dotted keys intact
 

pkg/applycheck/selector.go

@@ -120,6 +120,19 @@ var diskPredicates = []diskPredicate{
 //	type: ssd  -> Rotational == false
 //
 // An empty selector type is "don't care".
+//
+// Case handling intentionally diverges from Talos: predicateType
+// lowercases sel.Type before the switch, whereas Talos returns
+// `unsupported disk type "SSD"` for mixed-case input. Phase 1's job
+// is to surface declared-resource mismatches at render time, NOT to
+// re-implement Talos's case-strict input validation — an operator
+// who declared `type: SSD` in values.yaml will get either (a) a
+// match here and a downstream Talos error at apply, or (b) the
+// "matches zero disks" finding from the rest of the selector logic.
+// Case (a) is acceptable: Phase 1 didn't introduce the typo, and
+// the Talos error itself is clear. Tightening this branch would
+// require its own enum hint and offer no protection beyond
+// duplicating Talos's check.
 func predicateType(sel *DiskSelector, disk *DiskInfo) bool {
 	if sel.Type == "" {
 		return true