fix(validation): reject deprecated top-level schema keys

roles/global_defaults/tasks/validation.yml

@@ -79,6 +79,62 @@
     fail_msg: "Unsupported system keys: {{ system_unknown_keys | join(', ') }}"
     quiet: true
 
+- name: Reject deprecated top-level input keys
+  vars:
+    deprecated_input_keys:
+      - install_type
+      - vm_ip
+      - vm_id
+      - vm_name
+      - vm_cpus
+      - memory_mb
+      - balloon_mb
+      - dns_servers
+      - dns_search
+      - extra_packages
+      - user_name
+      - user_password
+      - user_public_key
+      - root_password
+      - luks_enabled
+      - luks_passphrase
+      - luks_mapper_name
+      - luks_auto_decrypt
+      - luks_auto_decrypt_method
+      - luks_tpm2_device
+      - luks_tpm2_pcrs
+      - luks_keyfile_size
+      - firewall_enabled
+      - firewall_backend
+      - firewall_toolkit
+      - ssh_enabled
+      - cis
+      - selinux_enabled
+      - zstd_enabled
+      - swap_enabled
+      - motd_enabled
+      - sudo_banner_enabled
+      - chroot_tool
+      - hypervisor_url
+      - hypervisor_username
+      - hypervisor_password
+      - hypervisor_node
+      - hypervisor_storage
+      - hypervisor_datacenter
+      - hypervisor_cluster
+      - hypervisor_validate_certs
+      - hypervisor_ssh
+      - hypervisor_path
+    top_level_input_keys: "{{ (hostvars[inventory_hostname] | dict2items | map(attribute='key') | list) }}"
+    deprecated_input_keys_present: "{{ top_level_input_keys | intersect(deprecated_input_keys) }}"
+  ansible.builtin.assert:
+    that:
+      - deprecated_input_keys_present | length == 0
+    fail_msg: >-
+      Unsupported top-level keys found: {{ deprecated_input_keys_present | join(', ') }}.
+      Use only the `system` and `hypervisor` dictionaries for runtime configuration.
+    quiet: true
+
 - name: Validate nested system schema
   vars:
     dns_allowed_keys: [servers, search]