Can't review right now, but I already have some (incomplete) thoughts:

• If you haven't already, please read / be aware of [Reverted] Module-builtin assertions, disabling assertions and submodule assertions #97023
  It was reverted because triggering the checks at the right time is tricky. I don't think this PR changes that, which is good, but it may have other design aspects that could be interesting.
• Disabling whole trees of checks mkIf- or enable-style (or similar) will be good for laziness / performance and module DX
• We may consider not to translate existing checks into the new structure, but just trigger two independent check systems
• I've said checks to generalize assertions and warnings just now, but maybe we want to reserve that term for derivations that check things (for example, checks as in flakes, or system.checks in NixOS)

ofborg seems to fail due to an assertion message that is now being evaluated eagerly. It is building nixos-vm, which causes the failure.

$ nix-instantiate --arg nixpkgs ./. ./pkgs/top-level/release.nix -A unstable

...

… while evaluating definitions from `/home/h7x4/nixpkgs/nixos/modules/misc/nixpkgs.nix':

… while evaluating the option `nixpkgs.localSystem':

… while evaluating the option `nixpkgs.system':

nixosExpectedSystem (due to config.nixpkgs.localSystem.config) here causes the failure.

# nixos/modules/misc/nixpkgs.nix:354
let
  nixosExpectedSystem =
    if config.nixpkgs.crossSystem != null
    then config.nixpkgs.crossSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.crossSystem.config))
    else config.nixpkgs.localSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.localSystem.config));
  nixosOption =
    if config.nixpkgs.crossSystem != null
    then "nixpkgs.crossSystem"
    else "nixpkgs.localSystem";
  pkgsSystem = finalPkgs.stdenv.targetPlatform.system;
in {
  assertion = constructedByMe -> !hasPlatform -> nixosExpectedSystem == pkgsSystem;
  message = "The NixOS nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but NixOS was configured for system ${nixosExpectedSystem} via NixOS option ${nixosOption}. The NixOS system settings must match the Nixpkgs target system.";
}

Eventually leading to triggering the throw in nixpkgs.system

# nixos/modules/misc/nixpkgs.nix:283
system = lib.mkOption {
  type = lib.types.str;
  example = "i686-linux";
  default =
    if opt.hostPlatform.isDefined
    then
      throw ''
        Neither ${opt.system} nor any other option in nixpkgs.* is meant
        to be read by modules and configurations.
        Use pkgs.stdenv.hostPlatform instead.
      ''
    else
      throw ''
        Neither ${opt.hostPlatform} nor the legacy option ${opt.system} has been set.
        You can set ${opt.hostPlatform} in hardware-configuration.nix by re-running
        a recent version of nixos-generate-config.
        The option ${opt.system} is still fully supported for NixOS 22.05 interoperability,
        but will be deprecated in the future, so we recommend to set ${opt.hostPlatform}.
      '';
  defaultText = lib.literalMD ''
    Traditionally `builtins.currentSystem`, but unset when invoking NixOS through `lib.nixosSystem`.
  '';
  ...
};

Sorry to ping you about this @roberth, but I could really use some help to decide how to go about this. I currently see 3 possible solutions:

• Rewrite the assertion message or somehow should rewrite nixosExpectedSystem to not refer to nixpkgs.system (not sure where to start, or whether this even inherently makes sense)
• Add a lazy bool option to assertion/warning to allow for disabling type checking/eval of message
• Disable this part of the eval test or somehow modify it to set nixpkgs.system so it doesn't throw (however, I'm not sure what implications this has, but it doesn't seem very desirable).

I've verified that the command (and then probably also ofborg) evaluates completely if I remove ${nixosExpectedSystem} from the message.

I see that you're trying to do a good job with thorough checking, which as a fan of good DX and static checking, I can very much relate to. However, the module system is very different from most other languages or configuration systems, by virtue of its fairly unique architecture, doing runtime checks in a lazy language. This has profound implications for the implementation trade-offs.

The module system is very sensitive when it comes to the specifics of its behavior, especially regarding strictness (laziness). It is very important for it to be as lazy as possible, so that it avoids running into errors that shouldn't be triggered, or infinite recursions.

We also need to care for users who write their own modules with assertions and warnings. By forcing them to migrate their code immediately, you put them in a position where they have to choose whether to support NixOS stable or unstable. This isn't great for end users, but particularly problematic for maintainers who need their module to work on both releases. For this reason, we can't accept an immediate breaking change in the assertions/warnings type. However, this can be resolved by translating list-based definitions to attributes like "anon-${i}".
For this you need something like coercedTo but using imap instead of map in the merge function.

• Rewrite the assertion message or somehow should rewrite nixosExpectedSystem to not refer to nixpkgs.system (not sure where to start, or whether this even inherently makes sense)

As said, we must not regress in laziness, so this should be solved in the module system; not the code that uses the module system.

• Add a lazy bool option to assertion/warning to allow for disabling type checking/eval of message

Lazy and unchecked are fast. The module system will check the message because it's a submodule anyway; just later than you envisaged. This will make it run a bit faster, and a bit more reliably.
Ideally infrequently used values, like the message, are checked in a static way, such as with a test. Anything that's important is worth testing.

• Disable this part of the eval test or somehow modify it to set nixpkgs.system so it doesn't throw (however, I'm not sure what implications this has, but it doesn't seem very desirable).

That module already needs to balance complicated compatibility and error reporting at the cost of basically no simplicity and very little room to spare in terms of making literally anything more strict. I would be happy to review or discuss changes that improve the end user experience of that module, which I believe is still possible, but I feel like this may be the wrong reason.
I don't know if you've studied it in detail; if not, it's probably best to that module untouched and solve the problem in the module system itself.

I hope my earlier suggestion helps to make it work again.

Okay, so I've had another go at it. Turns out that the message was evaluated in 3 places:

1. While being typechecked by the module system

This was expected, mitigated by adding the lazy option, which disables typechecking and preserves lazyness. This is not needed for warnings, because all legacy warnings already are behind a mkIf or similar. I've added a note recommending people not to enable it unless absolutely necessary, so we can typecheck as much as possible, as well as a warning stating that you should make sure to verify the message yourself if you do end up enabling it. I would count the nixpkgs.config assertion as a location where it's necessary.

All legacy options are lazy by default to ensure we don't break any out-of-tree modules.

2. During coercion while being hashed before being added to assertions.legacy

This is the most problematic part. We can't hash the message without evaling the message. Currently, I've switched to using the lib.imap0 (i: ... "anon-${toString i}") strategy, but the indices will shift everytime someone adds/removes an anonymous assertion and so you cannot disable an assertion in a stable manner. I'm tempted to make assertions.legacy into a list and handle it separately, but that might just add more convoluted coercion handling with little added value. We could also run through all legacy assertions, check if the user has disabled them and warn them that this is unstable?

I am also not sure how much I should strive to make this common with warnings. For warnings, there shouldn't be any problem with using the hashString approach, and it would make for a stable interface to let users disable legacy warnings. Is this property more important than similarity to legacy assertions?

3. While running the collect' before displaying warnings in nixos/modules/system/activation/top-level.nix

The collect' would further recurse into the attrset if the condition didn't trigger, and accidentally evaluate the message. I've made a custom version of collect' that has a stop condition when it finds something that looks like an assertion but is marked as lazy. The use for this function seems fairly niche, so I haven't added it to lib.attrsets, but I'd be happy to do so if someone asks. warnings still uses lib.collect'