Merge pull request #461 from holos-run/jeff/node22-cloudflare

website: update to node 22 for cloudflare builds
website: move .nvmrc to repository root
2026-03-03 03:28:55 +00:00 · 2026-01-24 20:52:51 -08:00 · 2026-01-24 20:48:30 -08:00 · 2026-01-24 17:31:50 -08:00 · 2026-01-24 17:26:51 -08:00 · 2026-01-24 17:01:19 -08:00
1587 changed files with 79966 additions and 231317 deletions
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -0,0 +1,13 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(cd:*)",
+      "Bash(holos:*)",
+      "Bash(cue:*)",
+      "Bash(git commit:*)",
+      "Bash(git add:*)",
+      "Bash(make:*)"
+    ],
+    "deny": []
+  }
+}
--- a/.cspell.json
+++ b/.cspell.json
@@ -5,103 +5,358 @@
    "mdx"
  ],
  "words": [
+    "acmesolver",
+    "acraccesstoken",
+    "acraccesstokens",
+    "admissionregistration",
+    "alertmanager",
+    "alertmanagers",
+    "anchore",
+    "anthos",
+    "apiextensions",
+    "apimachinery",
+    "apiobjects",
+    "apiservers",
    "applicationset",
+    "applicationsets",
+    "appproject",
+    "appprojects",
    "argoproj",
+    "argumentless",
    "authcode",
+    "authorizationpolicies",
+    "authorizationpolicy",
    "authpolicy",
    "authproxy",
    "authroutes",
+    "autoload",
+    "automount",
+    "automounting",
+    "autoscaler",
+    "balancereader",
+    "blackbox",
    "buildplan",
+    "buildplans",
+    "Buildx",
+    "builtinpluginloadingoptions",
+    "cachedir",
+    "cadvisor",
    "cainjector",
+    "CAROOT",
+    "certificaterequest",
+    "certificaterequests",
+    "certificatesigningrequests",
+    "chartmuseum",
+    "clientset",
    "clsx",
+    "clusterexternalsecret",
+    "clusterexternalsecrets",
    "clusterissuer",
+    "clusterissuers",
+    "clusterrole",
+    "clusterrolebinding",
+    "clustersecretstore",
+    "clustersecretstores",
+    "clusterwide",
+    "Cmds",
+    "CNCF",
+    "CODEOWNERS",
+    "compinit",
+    "componentconfig",
+    "configdir",
+    "configmap",
+    "configmapargs",
+    "connectrpc",
    "cookiesecret",
    "coredns",
+    "corev",
    "CRD's",
    "crds",
    "creds",
    "crossplane",
+    "crunchydata",
+    "ctxt",
    "cuecontext",
    "cuelang",
+    "customresourcedefinition",
+    "daemonset",
+    "deploymentruntimeconfig",
+    "destinationrule",
+    "destinationrules",
+    "devel",
    "devicecode",
+    "distroless",
    "dnsmasq",
    "dscacheutil",
+    "ecrauthorizationtoken",
+    "ecrauthorizationtokens",
+    "edns",
+    "endpointslices",
    "entgo",
+    "envoyfilter",
+    "envoyfilters",
+    "errdetails",
    "errgroup",
+    "etcdsnapshotfiles",
+    "externalsecret",
+    "externalsecrets",
+    "fctr",
    "fieldmaskpb",
+    "fieldspec",
    "flushcache",
+    "fluxcd",
+    "fsys",
+    "fullname",
+    "gatewayclass",
+    "gatewayclasses",
+    "gcraccesstoken",
+    "gcraccesstokens",
    "gendoc",
+    "generationbehavior",
+    "generatorargs",
+    "generatoroptions",
+    "genproto",
+    "ggnpl",
    "ghaction",
+    "githubaccesstoken",
+    "githubaccesstokens",
    "gitops",
+    "GOBIN",
    "godoc",
    "golangci",
+    "gomarkdoc",
+    "googleapis",
    "goreleaser",
+    "gotypesalias",
    "grpcreflect",
+    "grpcroute",
+    "grpcroutes",
    "grpcurl",
+    "hcfg",
+    "healthchecks",
+    "healthz",
+    "helmchartargs",
+    "helmchartconfigs",
+    "helmcharts",
+    "Hiera",
    "holos",
    "holoslogger",
+    "horizontalpodautoscaler",
+    "horizontalpodautoscalers",
+    "Hostaliases",
+    "Hostnames",
+    "htpasswd",
    "httpbin",
+    "httproute",
+    "httproutes",
+    "iampolicygenerator",
+    "incpatch",
    "Infima",
+    "intstr",
    "isatty",
    "istiod",
+    "jbrx",
+    "jeffmccune",
    "jetstack",
+    "jiralert",
    "Jsonnet",
+    "Kargo",
+    "kfbh",
    "killall",
    "kubeadm",
    "kubeconfig",
+    "kubelet",
    "kubelogin",
+    "kubernetesobjects",
+    "kubeversion",
    "Kustomization",
    "Kustomizations",
    "kustomize",
+    "kustomizebuild",
+    "kvpairsources",
+    "labeldrop",
+    "labelmap",
    "ldflags",
+    "leaderelection",
+    "ledgerwriter",
    "libnss",
+    "limitranges",
+    "livez",
    "loadbalancer",
+    "loadrestrictions",
+    "logfmt",
+    "lxnl",
    "mattn",
+    "mccutchen",
+    "metav",
+    "mindmap",
    "mktemp",
+    "msqbn",
+    "mtls",
    "Multicluster",
+    "mutatingwebhookconfiguration",
+    "mutatingwebhookconfigurations",
+    "mvdan",
    "mxcl",
+    "mychart",
    "myhostname",
+    "myRegistrKeySecretName",
+    "mysecret",
+    "nameofclusterrole",
    "nameserver",
+    "namespacedname",
+    "ndots",
+    "networkpolicies",
+    "nodename",
+    "nolint",
+    "oauthproxy",
+    "objectmap",
+    "objectmeta",
+    "omitempty",
    "organizationconnect",
    "orgid",
    "otelconnect",
+    "outfile",
+    "overriden",
    "Parentspanid",
+    "patchstrategicmerge",
+    "pcfg",
+    "pcjc",
+    "peerauthentication",
+    "peerauthentications",
+    "persistentvolumeclaim",
+    "persistentvolumeclaims",
+    "persistentvolumes",
    "pflag",
+    "pgadmin",
+    "pgupgrade",
+    "pipefail",
    "PKCE",
    "platformconnect",
+    "pluginconfig",
+    "pluginrestrictions",
+    "podcli",
+    "poddisruptionbudget",
+    "poddisruptionbudgets",
    "podinfo",
+    "podmonitor",
+    "portmapping",
+    "postgrescluster",
+    "privs",
+    "prometheuses",
    "promhttp",
    "protobuf",
    "protojson",
+    "providerconfig",
+    "proxyconfig",
+    "proxyconfigs",
    "Pulumi",
+    "pushgateway",
+    "pushsecret",
+    "pushsecrets",
    "putenv",
+    "qjbp",
    "quickstart",
+    "QVRFLS",
+    "readyz",
+    "referencegrant",
+    "referencegrants",
+    "Registr",
+    "replacementfield",
+    "replicasets",
+    "replicationcontrollers",
+    "requestauthentication",
+    "requestauthentications",
+    "resourcequotas",
    "retryable",
+    "rogpeppe",
+    "rolebinding",
+    "rootfs",
    "ropc",
+    "sboms",
+    "seccomp",
+    "secretargs",
    "SECRETKEY",
+    "secretstore",
    "secretstores",
+    "serverlb",
+    "serverside",
+    "serviceaccount",
+    "servicebindings",
+    "serviceentries",
+    "serviceentry",
+    "servicemonitor",
+    "sigstore",
+    "somevalue",
+    "SOMEVAR",
+    "sortoptions",
    "spanid",
    "spiffe",
+    "stackdriver",
    "startupapicheck",
+    "statefulset",
+    "statefulsets",
+    "stefanprodan",
+    "storageclasses",
+    "streamwatcher",
+    "stretchr",
+    "struct",
    "structpb",
+    "subcharts",
+    "subjectaccessreviews",
+    "svclb",
+    "sysfs",
    "systemconnect",
    "tablewriter",
+    "templatable",
+    "testscript",
+    "testutil",
+    "thanos",
    "Tiltfile",
    "timestamppb",
    "Timoni",
    "tlsclientconfig",
    "tokencache",
    "Tokener",
+    "tolerations",
+    "TOPLEVEL",
    "Traceid",
    "traefik",
+    "transactionhistory",
+    "tsdb",
+    "txtar",
+    "typemeta",
+    "udev",
    "uibutton",
+    "Unmarshal",
+    "unmarshals",
+    "unshallow",
+    "unstage",
    "untar",
+    "upbound",
    "Upsert",
    "urandom",
    "usecases",
    "userconnect",
    "userdata",
+    "userservice",
+    "validatingwebhookconfiguration",
+    "validatingwebhookconfigurations",
+    "vaultdynamicsecret",
+    "vaultdynamicsecrets",
+    "virtualservice",
+    "virtualservices",
+    "volumeattachments",
+    "wasmplugin",
+    "wasmplugins",
+    "workdir",
+    "workloadentries",
+    "workloadentry",
+    "workloadgroup",
+    "workloadgroups",
+    "yournamespace",
    "zerolog",
-    "zitadel"
+    "zitadel",
+    "ztunnel"
  ]
 }
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1,7 @@
+if ! use flake .#default --accept-flake-config --print-build-logs
+then
+  echo "nix flake could not be built; update flake.nix and run direnv allow/reload" >&2
+fi
+
+watch_file nix/*.nix
+watch_file flake.nix
--- a/.github/ISSUE_TEMPLATE/bug-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -0,0 +1,131 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: NeedsInvestigation, Triage
+assignees: ''
+---
+
+<!--
+Please answer these questions before submitting your issue. Thanks!
+To ask questions, see https://github.com/holos-run/holos/discussions
+-->
+
+### What version of holos are you using (`holos --version`)?
+
+```
+0.0.0
+```
+
+### Does this issue reproduce with the latest release?
+
+<!--
+Get the latest release with:
+
+    brew install holos-run/tap/holos
+
+Or see https://holos.run/docs/v1alpha5/tutorial/setup/
+-->
+
+### What did you do?
+
+<!--
+Please provide a testscript that should pass, but does not because of the bug.
+See the below example.
+
+You can create a txtar from a directory with:
+
+  holos txtar ./path/to/dir
+
+Refer to: https://github.com/rogpeppe/go-internal/tree/master/cmd/testscript
+-->
+
+Steps to reproduce:
+
+```shell
+testscript -v -continue <<EOF
+```
+
+```txtar
+# Have: an error related to the imported Kustomize schemas.
+# Want: holos show buildplans to work.
+exec holos --version
+exec holos init platform v1alpha5 --force
+# remove the fix to trigger the bug
+rm cue.mod/pkg/sigs.k8s.io/kustomize/api/types/var.cue
+# want a BuildPlan shown
+exec holos show buildplans
+cmp stdout buildplan.yaml
+# want this error to go away
+! stderr 'cannot convert non-concrete value string'
+-- buildplan.yaml --
+kind: BuildPlan
+-- platform/example.cue --
+package holos
+
+Platform: Components: example: {
+	name: "example"
+	path: "components/example"
+}
+-- components/example/example.cue --
+package holos
+
+import "encoding/yaml"
+
+holos: Component.BuildPlan
+
+Component: #Kustomize & {
+	KustomizeConfig: Kustomization: patches: [
+		{
+			target: kind: "CustomResourceDefinition"
+			patch: yaml.Marshal([{
+				op:    "add"
+				path:  "/metadata/annotations/example"
+				value: "example-value"
+			}])
+		},
+	]
+}
+```
+```shell
+EOF
+```
+
+### What did you expect to see?
+
+The testscript should pass.
+
+### What did you see instead?
+
+The testscript fails because of the bug.
+
+```txt
+# Have: an error related to the imported Kustomize schemas.
+# Want: holos show buildplans to work. (0.168s)
+> exec holos --version
+[stdout]
+0.100.1-2-g9b10e23-dirty
+> exec holos init platform v1alpha5 --force
+# remove the fix to trigger the bug (0.000s)
+> rm cue.mod/pkg/sigs.k8s.io/kustomize/api/types/var.cue
+# want a BuildPlan shown (0.091s)
+> exec holos show buildplans
+[stderr]
+could not run: holos.spec.artifacts.0.transformers.0.kustomize.kustomization.patches.0.target.name: cannot convert non-concrete value string at builder/v1alpha5/builder.go:218
+holos.spec.artifacts.0.transformers.0.kustomize.kustomization.patches.0.target.name: cannot convert non-concrete value string:
+    $WORK/cue.mod/gen/sigs.k8s.io/kustomize/api/types/var_go_gen.cue:33:2
+[exit status 1]
+FAIL: <stdin>:8: unexpected command failure
+> cmp stdout buildplan.yaml
+diff stdout buildplan.yaml
+--- stdout
+++ buildplan.yaml
+@@ -0,0 +1,1 @@
+kind: BuildPlan
+
+FAIL: <stdin>:9: stdout and buildplan.yaml differ
+# want this error to go away (0.000s)
+> ! stderr 'cannot convert non-concrete value string'
+FAIL: <stdin>:11: unexpected match for `cannot convert non-concrete value string` found in stderr: cannot convert non-concrete value string
+failed run
+```
--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@@ -0,0 +1,143 @@
+name: Container
+
+# Only allow actors with write permission to the repository to trigger this
+# workflow.
+permissions:
+  contents: write
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      git_ref:
+        description: 'Git ref to build (e.g., refs/tags/v1.2.3, refs/heads/main)'
+        required: true
+        type: string
+
+jobs:
+  buildx:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Set tag from trigger event
+        id: opts
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "ref=${{ inputs.git_ref }}" >> $GITHUB_OUTPUT
+          else
+            echo "ref=${GITHUB_REF}" >> $GITHUB_OUTPUT
+          fi
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.opts.outputs.ref }}
+      - name: SHA
+        id: sha
+        run: echo "sha=$(/usr/bin/git log -1 --format='%H')" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Fetch tags
+        run: git fetch --prune --unshallow --tags
+      - name: Set Tags
+        id: tags
+        run: |
+          echo "detail=$(/usr/bin/git describe --tags HEAD)" >> $GITHUB_OUTPUT
+          echo "suffix=$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
+          echo "tag=$(/usr/bin/git describe --tags HEAD)$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push container images
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+            ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Setup Cosign to sign container images
+        uses: sigstore/cosign-installer@v3.7.0
+      - name: Sign with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+      - name: Update holos-run/holos-action
+        env:
+          IMAGE: ghcr.io/holos-run/holos:v0.102.1
+          VERSION: ${{ steps.tags.outputs.tag }}
+          USER_ID: ${{ steps.get-user-id.outputs.user-id }}
+          TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -euo pipefail
+          git clone "https://github.com/holos-run/holos-action"
+          cd holos-action
+          git remote set-url origin https://${USER_ID}:${TOKEN}@github.com/holos-run/holos-action
+          docker pull --quiet "${IMAGE}"
+          docker run -v $(pwd):/app --workdir /app --rm "${IMAGE}"  \
+            holos cue export --out yaml action.cue -t "version=${VERSION}" > action.yml
+          git add action.yml
+          git commit -m "ci: update holos to ${VERSION} - https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" || (echo "No changes to commit"; exit 0)
+          git push origin HEAD:main HEAD:v0 HEAD:v1
+
+      - name: Login to quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_TOKEN }}
+      - name: Push to quay.io
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          # docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+          docker push quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Sign quay.io image
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          cosign sign --yes quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
+    outputs:
+      tag: ${{ steps.tags.outputs.tag }}
+      detail: ${{ steps.tags.outputs.detail }}
--- a/.github/workflows/dev-deploy.yaml
+++ b/.github/workflows/dev-deploy.yaml
@@ -2,7 +2,7 @@ name: Dev Deploy

 on:
  push:
-    branches: ['main', 'dev-deploy']
+    branches: ['dev-deploy']

 jobs:
  deploy:
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -25,6 +25,6 @@ jobs:
        with:
          go-version: stable
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
        with:
-          version: v1.60
+          version: v2.1.6
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,42 +0,0 @@
---
-# https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
-name: Lint
-"on":
-  push:
-    branches:
-      - main
-      - test
-  pull_request:
-    types: [opened, synchronize]
-
-permissions:
-  contents: read
-
-jobs:
-  lint:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: stable
-
-      ## Not needed on ubuntu-latest
-      # - name: Install Packages
-      #   run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
-
-      - name: Install Tools
-        run: make tools
-
-      - name: Lint
-        # golangci-lint runs in a separate workflow.
-        run: make lint -o golangci-lint
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -35,6 +35,9 @@ jobs:
        with:
          go-version: stable

+      - name: Setup Syft
+        uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
+
      # Necessary to run these outside of goreleaser, otherwise
      # /home/runner/_work/holos/holos/internal/frontend/node_modules/.bin/protoc-gen-connect-query is not in PATH
      - name: Install Tools
@@ -54,11 +57,19 @@ jobs:
      - name: Git diff
        run: git diff

+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v5
        with:
          distribution: goreleaser
-          version: latest
+          version: '~> v2'
          args: release --clean
        env:
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/spelling.yaml
+++ b/.github/workflows/spelling.yaml
@@ -0,0 +1,17 @@
+---
+name: Spelling
+"on":
+  push:
+    branches:
+      - main
+      - test
+  pull_request:
+    types: [opened, synchronize]
+permissions:
+  contents: read
+jobs:
+  cspell:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: ./hack/cspell
--- a/.github/workflows.disabed/test.yaml
+++ b/.github/workflows.disabed/test.yaml
@@ -13,7 +13,7 @@ permissions:

 jobs:
  test:
-    runs-on: gha-rs
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -28,19 +28,16 @@ jobs:
        with:
          go-version: stable

-      - name: Install Packages
-        run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
-
      - name: Set up Helm
        uses: azure/setup-helm@v4
+        with:
+          version: '3.17.3'

      - name: Set up Kubectl
-        uses: azure/setup-kubectl@v3
+        uses: azure/setup-kubectl@v4

-      - name: Install Tools
-        run: |
-          set -x
-          make tools
+      - name: Install holos
+        run: make install

      - name: Test
        run: ./scripts/test
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,11 @@ tmp/
 /holos-k3d/
 /holos-infra/
 node_modules/
+.tmp/
+
+# nix
+/.direnv/
+result
+
+# claude
+/.claude/settings.local.json
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,2 +1,20 @@
-run:
-  timeout: 5m
+version: "2"
+linters:
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -6,7 +6,7 @@
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
 # vim: set ts=2 sw=2 tw=0 fo=cnqoj

-version: 1
+version: 2

 before:
  hooks:
@@ -50,3 +50,39 @@ changelog:
    exclude:
      - "^docs:"
      - "^test:"
+
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}_source_code'
+
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+brews:
+  - name: holos
+    repository:
+      owner: holos-run
+      name: homebrew-tap
+      branch: main
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    directory: Formula
+    homepage: "https://holos.run"
+    description: "Holos CLI"
+    dependencies:
+      - name: helm
+        type: optional
+      - name: kubectl
+        type: optional
+    install: |
+      bin.install "holos"
+      bash_output = Utils.safe_popen_read(bin/"holos", "completion", "bash")
+      (bash_completion/"holos").write bash_output
+      zsh_output = Utils.safe_popen_read(bin/"holos", "completion", "zsh")
+      (zsh_completion/"_holos").write zsh_output
+      fish_output = Utils.safe_popen_read(bin/"holos", "completion", "fish")
+      (fish_completion/"holos.fish").write fish_output
+    test: |
+      system "#{bin}/holos --version"
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,13 +0,0 @@
-# Refer to https://ko.build/configuration/#overriding-go-build-settings
-builds:
- id: holos
-  dir: .
-  main: ./cmd/holos
-  env:
-  - GOPRIVATE=github.com/holos-run/\*
-  ldflags:
-  - -s
-  - -w
-  - -X
-  # Makefile provides GIT_DETAIL and GIT_SUFFIX.
-  - github.com/holos-run/holos/version.GitDescribe={{.Env.GIT_DETAIL}}{{.Env.GIT_SUFFIX}}
--- a/.nvmrc
+++ b/.nvmrc
@@ -0,0 +1 @@
+22
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,115 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Holos is a configuration management tool for Kubernetes that implements the rendered manifests pattern using CUE. It unifies Helm charts, Kustomize bases, and raw Kubernetes manifests into a single, declarative pipeline.
+
+### Core Flow
+```
+Platform → Components → BuildPlan → Generators → Transformers → Validators → Manifests
+```
+
+## Key Commands
+
+```bash
+# Development
+make build         # Build the binary
+make install       # Install binary (REQUIRED before testing holos commands)
+make test          # Run all tests
+make fmt           # Format Go code
+make lint          # Run linters
+make coverage      # Generate coverage report
+
+# Documentation
+make update-docs   # Update generated docs
+make website       # Build the documentation website
+
+# Usage (run 'make install' first to test code changes)
+holos render platform    # Render entire platform
+holos render component   # Render single component
+holos show buildplans    # Show build plans
+holos init platform      # Initialize new platform
+```
+
+## Architecture
+
+### Directory Structure
+- `/api/` - API definitions (v1alpha5 stable, v1alpha6 in development)
+- `/cmd/` - CLI entry point
+- `/internal/cli/` - Command implementations
+- `/internal/component/` - Component handling logic
+- `/internal/platform/` - Platform handling logic
+- `/internal/generate/` - Code generation
+
+### Key Files
+- `/internal/cli/render/render.go` - Core render logic
+- `/internal/component/component.go` - Component processing
+- `/api/core/v1alpha*/types.go` - API type definitions
+
+### Component Types
+1. **Helm** - Wraps Helm charts
+2. **Kustomize** - Wraps Kustomize bases  
+3. **Kubernetes** - Raw Kubernetes manifests
+
+## CUE Patterns
+
+Components are defined in CUE:
+```cue
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+    Name: "example"
+    Chart: {
+        version: "1.0.0"
+        repository: {
+            name: "example"
+            url:  "https://charts.example.com"
+        }
+    }
+}
+```
+
+## Testing
+
+- Unit tests: `*_test.go` files colocated with source
+- Integration tests: `/cmd/holos/tests/`
+- Example platforms: `/internal/testutil/fixtures/`
+- Run single test: `go test -run TestName ./path/to/package`
+
+## Development Patterns
+
+1. Error handling: Prefer `errors.Format()` from `/internal/errors/` over `fmt.Errorf()`
+2. Logging: Use structured `slog`, get logger with `logger.FromContext(ctx)`
+3. CLI commands: Follow Cobra patterns in `/internal/cli/`
+4. CUE formatting: Always run `cue fmt` on CUE files
+5. Go formatting: Always run `go fmt` on go files
+6. Develop against v1alpha6 packages.
+7. Commits: Use the package name as the first word in the commit, lower case.  Commit without asking permission.  Always run `make lint` and `make test` before committing.
+
+## Version Management
+
+- Version files: `/version/embedded/{major,minor,patch}`
+- Bump version: `make bump`
+- API versions: v1alpha5 (stable), v1alpha6 (development)
+
+## Key Concepts
+
+- **Platform**: Top-level configuration containing all components
+- **Component**: Unit of configuration (DAG of Tasks producing deployment configs for one component)
+- **TaskSet**: DAG of Tasks (Similar to how make tasks behave)
+- **BuildPlan**: Instructions for building a component.  Deprecated in v1alpha6, use TaskSet instead.
+- **Generator**: Creates manifests (Helm, Kustomize, etc.) author schema only in v1alpha6
+- **Transformer**: Modifies generated manifests, author schema only in v1alpha6
+- **Validator**: Validates final manifests, author schema only in v1alpha6
+
+## Resources
+
+- Tutorials: `/doc/md/tutorial/`
+- Platform templates: `/internal/generate/platforms/`
+- Test fixtures: `/internal/testutil/fixtures/`
+- Core schemas: `/api/core/` (Abstraction over low level data pipeline tasks)
+- Author schemas: `/api/author/` (User facing abstractions over core Schemas)
--- a/46
+++ b/46
@@ -1,8 +1,38 @@
-FROM quay.io/holos-run/debian:bullseye AS final
-USER root
-WORKDIR /app
-ADD bin bin
-RUN chown -R app: /app
-# Kubernetes requires the user to be numeric
-USER 8192
-ENTRYPOINT bin/holos server
+FROM registry.k8s.io/kubectl:v1.33.4 AS kubectl
+# https://github.com/GoogleContainerTools/distroless
+FROM golang:1.24 AS build
+
+WORKDIR /go/src/app
+COPY . .
+
+RUN CGO_ENABLED=0 make install
+RUN CGO_ENABLED=0 go install sigs.k8s.io/kustomize/kustomize/v5
+
+# Install helm to /usr/local/bin/helm
+# https://helm.sh/docs/intro/install/#from-script
+# https://holos.run/docs/v1alpha5/tutorial/setup/#dependencies
+RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 \
+  && chmod 700 get_helm.sh \
+  && DESIRED_VERSION=v3.16.2 ./get_helm.sh \
+  && rm -f get_helm.sh
+
+COPY --from=kubectl /bin/kubectl /usr/local/bin/
+
+# Use debian slim instead of distroless to get package management.
+FROM public.ecr.aws/docker/library/debian:13-slim AS final
+COPY --from=build \
+     /go/bin/holos \
+     /go/bin/kustomize \
+     /usr/local/bin/kubectl \
+     /usr/local/bin/helm \
+     /bin/
+
+# Extra packages
+# git - https://github.com/holos-run/holos/issues/440
+RUN apt update && \
+    apt install -y --no-install-recommends git ca-certificates && \
+    apt clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Usage: docker run -v $(pwd):/app --workdir /app --rm -it quay.io/holos-run/holos holos render platform
+CMD ["/bin/holos"]
--- a/51
+++ b/51
@@ -32,17 +32,20 @@ bump: bumppatch
 .PHONY: bumppatch
 bumppatch: ## Bump the patch version.
 	scripts/bump patch
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test

 .PHONY: bumpminor
 bumpminor: ## Bump the minor version.
 	scripts/bump minor
 	scripts/bump patch 0
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test

 .PHONY: bumpmajor
 bumpmajor: ## Bump the major version.
 	scripts/bump major
 	scripts/bump minor 0
 	scripts/bump patch 0
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test

 .PHONY: show-version
 show-version: ## Print the full version.
@@ -58,8 +61,8 @@ tidy: ## Tidy go module.

 .PHONY: fmt
 fmt: ## Format code.
-	cd internal/generate/platforms && cue fmt ./...
 	go fmt ./...
+	cue fmt ./...

 .PHONY: vet
 vet: ## Vet Go code.
@@ -75,10 +78,11 @@ build: ## Build holos executable.
 	@echo "GOPATH=${GOPATH}"
 	go build -trimpath -o bin/$(BIN_NAME) -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)

-linux: ## Build holos executable for tilt.
-	@echo "building ${BIN_NAME}.linux ${VERSION}"
+.PHONY: debug
+debug: ## Build debug executable.
+	@echo "building ${BIN_NAME}-debug ${VERSION}"
 	@echo "GOPATH=${GOPATH}"
-	GOOS=linux go build -trimpath -o bin/$(BIN_NAME).linux -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)
+	go build -o bin/$(BIN_NAME)-debug $(REPO_PATH)/cmd/$(BIN_NAME)

 .PHONY: install
 install: build ## Install holos to GOPATH/bin
@@ -97,9 +101,7 @@ golangci-lint:
 	golangci-lint run

 .PHONY: lint
-lint: golangci-lint ## Run linters.
-	buf lint
-	cd internal/frontend/holos && ng lint
+lint: vet golangci-lint ## Run linters.
 	./hack/cspell

 .PHONY: coverage
@@ -111,45 +113,32 @@ snapshot:  ## Go release snapshot
 	goreleaser release --snapshot --clean

 .PHONY: tools
-tools: go-deps frontend-deps website-deps ## install tool dependencies
+tools: go-deps website-deps ## install tool dependencies

 .PHONY: go-deps
 go-deps: ## tool versions pinned in tools.go
 	go install cuelang.org/go/cmd/cue
-	go install github.com/bufbuild/buf/cmd/buf
-	go install github.com/fullstorydev/grpcurl/cmd/grpcurl
-	go install google.golang.org/protobuf/cmd/protoc-gen-go
-	go install connectrpc.com/connect/cmd/protoc-gen-connect-go
-	go install honnef.co/go/tools/cmd/staticcheck
-	go install golang.org/x/tools/cmd/godoc
 	go install github.com/princjef/gomarkdoc/cmd/gomarkdoc
-	go install github.com/google/ko
+	go install github.com/rogpeppe/go-internal/cmd/testscript
 	# curl https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash

-.PHONY: frontend-deps
-frontend-deps: ## Install Angular deps for go generate
-	cd internal/frontend/holos && npm install
-
 .PHONY: website-deps
 website-deps: ## Install Docusaurus deps for go generate
 	cd doc/website && npm install

-.PHONY: image # refer to .ko.yaml as well
-image:  ## Container image build for workflows/publish.yaml
-	KO_DOCKER_REPO=$(DOCKER_REPO) GIT_DETAIL=$(GIT_DETAIL) GIT_SUFFIX=$(GIT_SUFFIX) ko build --platform=all --bare ./cmd/holos --tags $(GIT_DETAIL)$(GIT_SUFFIX) --tags latest
-
-.PHONY: prod-deploy
-prod-deploy: install image  ## deploy to PROD
-	GIT_DETAIL=$(GIT_DETAIL) GIT_SUFFIX=$(GIT_SUFFIX) bash ./hack/deploy
-
-.PHONY: dev-deploy
-dev-deploy: install image  ## deploy to dev
-	GIT_DETAIL=$(GIT_DETAIL) GIT_SUFFIX=$(GIT_SUFFIX) bash ./hack/deploy-dev
-
 .PHONY: website
 website: ## Build website
 	./hack/build-website

+.PHONY: unity
+unity: ## https://cuelabs.dev/unity/
+	./scripts/unity
+
+.PHONY: update-docs
+update-docs: ## Update doc examples
+	HOLOS_UPDATE_SCRIPTS=1 go test -v ./doc/md/...
+	HOLOS_UPDATE_SCRIPTS=1 go test -v ./doc/website/versioned_docs/...
+
 .PHONY: help
 help:  ## Display this help menu.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
--- a/README.md
+++ b/README.md
@@ -1,35 +1,130 @@
-## Holos - A Holistic Development Platform
+# Holos

 <img width="50%"
 align="right"
 style="display: block; margin: 40px auto;"
 src="https://openinfrastructure.co/blog/2016/02/27/logo/logorectangle.png">

-Building and maintaining a software development platform is a complex and time
-consuming endeavour.  Organizations often dedicate a team of 3-4 who need 6-12
-months to build the platform.
+[Holos] is a configuration management tool for Kubernetes implementing the
+[rendered manifests pattern]. It handles configurations ranging from single
+resources to multi-cluster platforms across regions.

-Holos is a tool and a reference platform to reduce the complexity and speed up
-the process of building a modern, cloud native software development platform.
+Key components:
+- Platform schemas defining component integration
+- Building blocks unifying Helm, Kustomize and Kubernetes configs with CUE
+- BuildPlan pipeline for generating, transforming and validating manifests

- **Accelerate new projects** - Reduce time to market and operational complexity by starting your new project on top of the Holos reference platform.
- **Modernize existing projects** - Incrementally incorporate your existing platform services into Holos for simpler integration.
- **Unified configuration model** - Increase safety and reduce the risk of config changes with CUE.
- **First class Helm and Kustomize support** - Leverage and reuse your existing investment in existing configuration tools such as Helm and Kustomize.
- **Modern Authentication and Authorization** - Holos seamlessly integrates platform identity and access management with zero-trust beyond corp style authorization policy.
+```mermaid
+---
+title: Rendering Overview
+---
+graph LR
+    Platform[<a href="https://holos.run/docs/v1alpha5/api/author/#Platform">Platform</a>]
+    Component[<a href="https://holos.run/docs/v1alpha5/api/author/#ComponentConfig">Components</a>]

-## Quick Installation
+    Helm[<a href="https://holos.run/docs/v1alpha5/api/author/#Helm">Helm</a>]
+    Kustomize[<a href="https://holos.run/docs/v1alpha5/api/author/#Kustomize">Kustomize</a>]
+    Kubernetes[<a href="https://holos.run/docs/v1alpha5/api/author/#Kubernetes">Kubernetes</a>]

-```console
-go install github.com/holos-run/holos/cmd/holos@latest
+    BuildPlan[<a href="https://holos.run/docs/v1alpha5/api/core/#BuildPlan">BuildPlan</a>]
+
+    ResourcesArtifact[<a href="https://holos.run/docs/v1alpha5/api/core/#Artifact">Resources<br/>Artifact</a>]
+    GitOpsArtifact[<a href="https://holos.run/docs/v1alpha5/api/core/#Artifact">GitOps<br/>Artifact</a>]
+
+    Generators[<a href="https://holos.run/docs/v1alpha5/api/core/#Generator">Generators</a>]
+    Transformers[<a href="https://holos.run/docs/v1alpha5/api/core/#Transformer">Transformers</a>]
+    Validators[<a href="https://holos.run/docs/v1alpha5/api/core/#Validator">Validators</a>]
+    Files[Manifest<br/>Files]
+
+    Platform --> Component
+    Component --> Helm --> BuildPlan
+    Component --> Kubernetes --> BuildPlan
+    Component --> Kustomize --> BuildPlan
+
+    BuildPlan --> ResourcesArtifact --> Generators
+    BuildPlan --> GitOpsArtifact --> Generators
+
+    Generators --> Transformers --> Validators --> Files
 ```

-## Docs and Support
+## Setup

-The documentation for developing and using Holos is available at: https://holos.run
+```shell
+brew install holos-run/tap/holos
+```

-For discussion and support, [open a discussion](https://github.com/orgs/holos-run/discussions/new/choose).
+Refer to [setup] for other installation methods and dependencies.
+
+## Example
+
+See our [tutorial] for a complete hello world example.
+
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+	Values: ui: {
+		message: string | *"Hello World" @tag(message, type=string)
+	}
+}
+```
+
+## Organizational Role
+
+Platform engineers use Holos to generate Kubernetes manifests, both locally and
+in CI pipelines. The manifests are committed to version control and deployed via
+GitOps tools like ArgoCD or Flux.
+
+Holos integrates seamlessly with existing Helm charts, Kustomize bases, and
+other version-controlled configurations.
+
+## Advantages of Holos
+
+### Safe
+
+Holos leverages [CUE] for strong typing and validation of configuration data,
+ensuring consistent output from Helm and other tools.
+
+### Consistent
+
+A unified pipeline processes all configurations - whether from CUE, Helm, or
+Kustomize - through the same well-defined stages.
+
+### Flexible
+
+Composable building blocks for generation, transformation, validation and
+integration let teams assemble workflows that match their needs.
+
+The core is intentionally unopinionated about platform configuration patterns.
+Common needs like environments and clusters are provided as customizable
+[topics] recipes rather than enforced structures.
+
+## Getting Help
+
+Get support through our [Discord] channel or [GitHub discussions]. Configuration
+challenges arise at all experience levels - we welcome your questions and are
+here to help.

 ## License

 Holos is licensed under Apache 2.0 as found in the [LICENSE file](LICENSE).
+
+[Holos]: https://holos.run/docs/overview/
+[rendered manifests pattern]: https://akuity.io/blog/the-rendered-manifests-pattern
+[CUE]: https://cuelang.org/
+[Discord]: https://discord.gg/JgDVbNpye7
+[GitHub discussions]: https://github.com/holos-run/holos/discussions
+[Why CUE for Configuration]: https://holos.run/blog/why-cue-for-configuration/
+[tutorial]: https://holos.run/docs/overview/
+[setup]: https://holos.run/docs/setup/
+[topics]: https://holos.run/docs/topics/
--- a/110
+++ b/110
@@ -1,110 +0,0 @@
-# -*- mode: Python -*-
-# This Tiltfile manages a Go project with live reload in Kubernetes
-
-listen_port = 3000
-metrics_port = 9090
-
-# Use our wrapper to set the kube namespace
-if os.getenv('TILT_WRAPPER') != '1':
-    fail("could not run, ./hack/tilt/bin/tilt was not used to start tilt")
-
-# Resource ids
-holos_backend = 'Holos Server'
-compile_id = 'Go Build'
-
-# Default Registry.
-# See: https://github.com/tilt-dev/tilt.build/blob/master/docs/choosing_clusters.md#manual-configuration
-# Note, Tilt will append the image name to the registry uri path
-# default_registry('{account}.dkr.ecr.{region}.amazonaws.com/holos-run/holos'.format(account=aws_account, region=aws_region))
-
-# Set a name prefix specific to the user.  Multiple developers share the tilt-holos namespace.
-developer = os.getenv('USER')
-holos_server = 'holos'
-
-# We always develop against the k3d-workload cluster
-os.putenv('KUBECONFIG', os.path.abspath('./hack/tilt/kubeconfig'))
-
-# Extensions are open-source, pre-packaged functions that extend Tilt
-#
-#   More info: https://github.com/tilt-dev/tilt-extensions
-#   More info: https://docs.tilt.dev/extensions.html
-load('ext://restart_process', 'docker_build_with_restart')
-load('ext://k8s_attach', 'k8s_attach')
-load('ext://git_resource', 'git_checkout')
-load('ext://uibutton', 'cmd_button')
-
-# Paths edited by the developer Tilt watches to trigger compilation.
-# Generated files should be excluded to avoid an infinite build loop.
-developer_paths = [
-    './cmd',
-    './internal/server',
-    './internal/ent/schema',
-    './frontend/package-lock.json',
-    './frontend/src',
-    './go.mod',
-    './pkg',
-    './service/holos',
-]
-
-# Builds the holos executable GOOS=linux
-local_resource(compile_id, 'make linux', deps=developer_paths)
-
-# Build Docker image
-#   Tilt will automatically associate image builds with the resource(s)
-#   that reference them (e.g. via Kubernetes or Docker Compose YAML).
-#
-#   More info: https://docs.tilt.dev/api.html#api.docker_build
-#
-docker_build_with_restart(
-    'k3d-registry.holos.localhost:5100/holos',
-    context='.',
-    entrypoint=[
-        '/app/bin/holos.linux',
-        'server',
-        '--log-format=text',
-        '--oidc-issuer=https://login.holos.run',
-        '--oidc-audience=275804490387516853@holos_quickstart', # auth proxy
-        '--oidc-audience=270319630705329162@holos_platform', # holos cli
-    ],
-    dockerfile='./Dockerfile',
-    only=['./bin'],
-    # (Recommended) Updating a running container in-place
-    # https://docs.tilt.dev/live_update_reference.html
-    live_update=[
-        # Sync files from host to container
-        sync('./bin/', '/app/bin/'),
-    ],
-)
-
-# Troubleshooting
-def resource_name(id):
-    print('resource: {}'.format(id))
-    return id.name
-
-workload_to_resource_function(resource_name)
-
-# Customize a Kubernetes resource
-#   By default, Kubernetes resource names are automatically assigned
-#   based on objects in the YAML manifests, e.g. Deployment name.
-#
-#   Tilt strives for sane defaults, so calling k8s_resource is
-#   optional, and you only need to pass the arguments you want to
-#   override.
-#
-#   More info: https://docs.tilt.dev/api.html#api.k8s_resource
-#
-k8s_yaml(blob(str(read_file('./hack/tilt/k8s/dev-holos-app/deployment.yaml'))))
-
-# Backend server process
-k8s_resource(
-    workload=holos_server,
-    new_name=holos_backend,
-    objects=[],
-    resource_deps=[compile_id],
-    links=[
-        link('https://app.holos.localhost/ui/'.format(developer), "Holos Web UI")
-    ],
-)
-
-# Database
-print("✨ Tiltfile evaluated")
--- a/api/author/v1alpha5/definitions.go
+++ b/api/author/v1alpha5/definitions.go
@@ -0,0 +1,155 @@
+// Package author contains a standard set of schemas for component authors to
+// generate common [core] BuildPlans.
+//
+// Holos values stability, flexibility, and composition.  This package
+// intentionally defines only the minimal necessary set of structures.
+// Component authors are encouraged to define their own structures building on
+// our example [topics].
+//
+// The Holos Maintainers may add definitions to this package if the community
+// identifies nearly all users must define the exact same structure.  Otherwise,
+// definitions should be added as a customizable example in [topics].
+//
+// For example, structures representing a cluster and environment almost always
+// need to be defined.  Their definition varies from one organization to the
+// next.  Therefore, customizable definitions for a cluster and environment are
+// best maintained in [topics], not standardized in this package.
+//
+// [core]: https://holos.run/docs/api/core/
+// [topics]: https://holos.run/docs/topics/
+package author
+
+import core "github.com/holos-run/holos/api/core/v1alpha5"
+
+//go:generate ../../../hack/gendoc
+
+// Platform assembles a core Platform in the Resource field for the holos render
+// platform command.  Use the Components field to register components with the
+// platform.
+type Platform struct {
+	Name       string
+	Components map[NameLabel]core.Component
+	Resource   core.Platform
+}
+
+// ComponentConfig represents the configuration common to all kinds of
+// components for use with the holos render component command.  All component
+// kinds may be transformed with [kustomize] configured with the
+// [KustomizeConfig] field.
+//
+//   - [Helm] charts.
+//   - [Kubernetes] resources generated from CUE.
+//   - [Kustomize] bases.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type ComponentConfig struct {
+	// Name represents the BuildPlan metadata.name field.  Used to construct the
+	// fully rendered manifest file path.
+	Name string
+	// Labels represent the BuildPlan metadata.labels field.
+	Labels map[string]string
+	// Annotations represent the BuildPlan metadata.annotations field.
+	Annotations map[string]string
+
+	// Path represents the path to the component producing the BuildPlan.
+	Path string
+	// Parameters are useful to reuse a component with various parameters.
+	// Injected as CUE @tag variables.  Parameters with a "holos_" prefix are
+	// reserved for use by the Holos Authors.
+	Parameters map[string]string
+	// OutputBaseDir represents the output base directory used when assembling
+	// artifacts.  Useful to organize components by clusters or other parameters.
+	// For example, holos writes resource manifests to
+	// {WriteTo}/{OutputBaseDir}/components/{Name}/{Name}.gen.yaml
+	OutputBaseDir string `cue:"string | *\"\""`
+
+	// Resources represents kubernetes resources mixed into the rendered manifest.
+	Resources core.Resources
+	// KustomizeConfig represents the kustomize configuration.
+	KustomizeConfig KustomizeConfig
+	// Validators represent checks that must pass for output to be written.
+	Validators map[NameLabel]core.Validator
+	// Artifacts represents additional artifacts to mix in.  Useful for adding
+	// GitOps resources.  Each Artifact is unified without modification into the
+	// BuildPlan.
+	Artifacts map[NameLabel]core.Artifact
+}
+
+// Helm assembles a BuildPlan rendering a helm chart.  Useful to mix in
+// additional resources from CUE and transform the helm output with kustomize.
+type Helm struct {
+	ComponentConfig `json:",inline"`
+
+	// Chart represents a Helm chart.
+	Chart core.Chart
+	// Values represents data to marshal into a values.yaml for helm.
+	Values core.Values
+	// ValueFiles represents value files for migration from helm value
+	// hierarchies.  Use Values instead.
+	ValueFiles []core.ValueFile `json:",omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `cue:"true | *false"`
+	// Namespace sets the helm chart namespace flag if provided.
+	Namespace string `json:",omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:",omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:",omitempty"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kubernetes assembles a BuildPlan containing inline resources exported from
+// CUE.
+type Kubernetes struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kustomize assembles a BuildPlan rendering manifests from a [kustomize]
+// kustomization.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type Kustomize struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// KustomizeConfig represents the configuration for [kustomize] post processing.
+// Use the Files field to mix in plain manifest files located in the component
+// directory.  Use the Resources field to mix in manifests from network urls.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type KustomizeConfig struct {
+	// Kustomization represents the kustomization used to transform resources.
+	// Note the resources field is internally managed from the Files and Resources fields.
+	Kustomization map[string]any `json:",omitempty"`
+	// Files represents files to copy from the component directory for kustomization.
+	Files map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// Resources represents additional entries to included in the resources list.
+	Resources map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// CommonLabels represents common labels added without including selectors.
+	CommonLabels map[string]string
+}
+
+// NameLabel represents the common use case of converting a struct to a list
+// where the name field of each value unifies with the field name of the outer
+// struct.
+//
+// For example:
+//
+//	S: [NameLabel=string]: name: NameLabel
+//	S: jeff: _
+//	S: gary: _
+//	S: nate: _
+//	L: [for x in S {x}]
+//	// L is [{name: "jeff"}, {name: "gary"}, {name: "nate"}]
+type NameLabel string
--- a/api/author/v1alpha5/header.yaml
+++ b/api/author/v1alpha5/header.yaml
@@ -0,0 +1,5 @@
+---
+title: Author Schemas
+description: Standardized schemas for component authors.
+sidebar_position: 200
+---
--- a/api/author/v1alpha6/definitions.go
+++ b/api/author/v1alpha6/definitions.go
@@ -0,0 +1,155 @@
+// Package author contains a standard set of schemas for component authors to
+// generate common [core] BuildPlans.
+//
+// Holos values stability, flexibility, and composition.  This package
+// intentionally defines only the minimal necessary set of structures.
+// Component authors are encouraged to define their own structures building on
+// our example [topics].
+//
+// The Holos Maintainers may add definitions to this package if the community
+// identifies nearly all users must define the exact same structure.  Otherwise,
+// definitions should be added as a customizable example in [topics].
+//
+// For example, structures representing a cluster and environment almost always
+// need to be defined.  Their definition varies from one organization to the
+// next.  Therefore, customizable definitions for a cluster and environment are
+// best maintained in [topics], not standardized in this package.
+//
+// [core]: https://holos.run/docs/api/core/
+// [topics]: https://holos.run/docs/topics/
+package author
+
+import core "github.com/holos-run/holos/api/core/v1alpha6"
+
+//go:generate ../../../hack/gendoc
+
+// Platform assembles a core Platform in the Resource field for the holos render
+// platform command.  Use the Components field to register components with the
+// platform.
+type Platform struct {
+	Name       string                       `json:"name" yaml:"name" cue:"string | *\"default\""`
+	Components map[NameLabel]core.Component `json:"components" yaml:"components"`
+	Resource   core.Platform                `json:"resource" yaml:"resource"`
+}
+
+// ComponentConfig represents the configuration common to all kinds of
+// components for use with the holos render component command.  All component
+// kinds may be transformed with [kustomize] configured with the
+// [KustomizeConfig] field.
+//
+//   - [Helm] charts.
+//   - [Kubernetes] resources generated from CUE.
+//   - [Kustomize] bases.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type ComponentConfig struct {
+	// Name represents the BuildPlan metadata.name field.  Used to construct the
+	// fully rendered manifest file path.
+	Name string
+	// Labels represent the BuildPlan metadata.labels field.
+	Labels map[string]string
+	// Annotations represent the BuildPlan metadata.annotations field.
+	Annotations map[string]string
+
+	// Path represents the path to the component producing the BuildPlan.
+	Path string
+	// Parameters are useful to reuse a component with various parameters.
+	// Injected as CUE @tag variables.  Parameters with a "holos_" prefix are
+	// reserved for use by the Holos Authors.
+	Parameters map[string]string
+	// OutputBaseDir represents the output base directory used when assembling
+	// artifacts.  Useful to organize components by clusters or other parameters.
+	// For example, holos writes resource manifests to
+	// {WriteTo}/{OutputBaseDir}/components/{Name}/{Name}.gen.yaml
+	OutputBaseDir string `cue:"string | *\"\""`
+
+	// Resources represents kubernetes resources mixed into the rendered manifest.
+	Resources core.Resources
+	// KustomizeConfig represents the kustomize configuration.
+	KustomizeConfig KustomizeConfig
+	// Validators represent checks that must pass for output to be written.
+	Validators map[NameLabel]core.Validator
+	// Artifacts represents additional artifacts to mix in.  Useful for adding
+	// GitOps resources.  Each Artifact is unified without modification into the
+	// BuildPlan.
+	Artifacts map[NameLabel]core.Artifact
+}
+
+// Helm assembles a BuildPlan rendering a helm chart.  Useful to mix in
+// additional resources from CUE and transform the helm output with kustomize.
+type Helm struct {
+	ComponentConfig `json:",inline"`
+
+	// Chart represents a Helm chart.
+	Chart core.Chart
+	// Values represents data to marshal into a values.yaml for helm.
+	Values core.Values
+	// ValueFiles represents value files for migration from helm value
+	// hierarchies.  Use Values instead.
+	ValueFiles []core.ValueFile `json:",omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `cue:"true | *false"`
+	// Namespace sets the helm chart namespace flag if provided.
+	Namespace string `json:",omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:",omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:",omitempty"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kubernetes assembles a BuildPlan containing inline resources exported from
+// CUE.
+type Kubernetes struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kustomize assembles a BuildPlan rendering manifests from a [kustomize]
+// kustomization.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type Kustomize struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// KustomizeConfig represents the configuration for [kustomize] post processing.
+// Use the Files field to mix in plain manifest files located in the component
+// directory.  Use the Resources field to mix in manifests from network urls.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type KustomizeConfig struct {
+	// Kustomization represents the kustomization used to transform resources.
+	// Note the resources field is internally managed from the Files and Resources fields.
+	Kustomization map[string]any `json:",omitempty"`
+	// Files represents files to copy from the component directory for kustomization.
+	Files map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// Resources represents additional entries to included in the resources list.
+	Resources map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// CommonLabels represents common labels added without including selectors.
+	CommonLabels map[string]string
+}
+
+// NameLabel represents the common use case of converting a struct to a list
+// where the name field of each value unifies with the field name of the outer
+// struct.
+//
+// For example:
+//
+//	S: [NameLabel=string]: name: NameLabel
+//	S: jeff: _
+//	S: gary: _
+//	S: nate: _
+//	L: [for x in S {x}]
+//	// L is [{name: "jeff"}, {name: "gary"}, {name: "nate"}]
+type NameLabel string
--- a/api/author/v1alpha6/header.yaml
+++ b/api/author/v1alpha6/header.yaml
@@ -0,0 +1,5 @@
+---
+title: Author Schemas
+description: Standardized schemas for component authors.
+sidebar_position: 200
+---
--- a/api/core/v1alpha2/apiobjects.go
+++ b/api/core/v1alpha2/apiobjects.go
@@ -1,44 +0,0 @@
-package v1alpha2
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-// Label is an arbitrary unique identifier internal to holos itself.  The holos
-// cli is expected to never write a Label value to rendered output files,
-// therefore use a [Label] then the identifier must be unique and internal.
-// Defined as a type for clarity and type checking.
-//
-// A Label is useful to convert a CUE struct to a list, for example producing a list of [APIObject] resources from an [APIObjectMap].  A CUE struct using
-// Label keys is guaranteed to not lose data when rendering output because a
-// Label is expected to never be written to the final output.
-type Label string
-
-// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
-type Kind string
-
-// APIObject represents the most basic generic form of a single kubernetes api
-// object.  Represented as a JSON object internally for compatibility between
-// tools, for example loading from CUE.
-type APIObject structpb.Struct
-
-// APIObjectMap represents the marshalled yaml representation of kubernetes api
-// objects.  Do not produce an APIObjectMap directly, instead use [APIObjects]
-// to produce the marshalled yaml representation from CUE data, then provide the
-// result to [HolosComponent].
-type APIObjectMap map[Kind]map[Label]string
-
-// APIObjects represents Kubernetes API objects defined directly from CUE code.
-// Useful to mix in resources to any kind of [HolosComponent], for example
-// adding an ExternalSecret resource to a [HelmChart].
-//
-// [Kind] must be the resource kind, e.g. Deployment or Service.
-//
-// [Label] is an arbitrary internal identifier to uniquely identify the resource
-// within the context of a `holos` command.  Holos will never write the
-// intermediate label to rendered output.
-//
-// Refer to [HolosComponent] which accepts an [APIObjectMap] field provided by
-// [APIObjects].
-type APIObjects struct {
-	APIObjects   map[Kind]map[Label]APIObject `json:"apiObjects"`
-	APIObjectMap APIObjectMap                 `json:"apiObjectMap"`
-}
--- a/api/core/v1alpha2/buildplan.go
+++ b/api/core/v1alpha2/buildplan.go
@@ -1,96 +0,0 @@
-package v1alpha2
-
-// FilePath represents a file path.
-type FilePath string
-
-// FileContent represents file contents.
-type FileContent string
-
-// FileContentMap represents a mapping of file paths to file contents.  Paths
-// are relative to the `holos` output "deploy" directory, and may contain
-// sub-directories.
-type FileContentMap map[FilePath]FileContent
-
-// BuildPlan represents a build plan for the holos cli to execute.  The purpose
-// of a BuildPlan is to define one or more [HolosComponent] kinds.  For example a
-// [HelmChart], [KustomizeBuild], or [KubernetesObjects].
-//
-// A BuildPlan usually has an additional empty [KubernetesObjects] for the
-// purpose of using the [HolosComponent] DeployFiles field to deploy an ArgoCD
-// or Flux gitops resource for the holos component.
-type BuildPlan struct {
-	Kind       string        `json:"kind" cue:"\"BuildPlan\""`
-	APIVersion string        `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-	Spec       BuildPlanSpec `json:"spec"`
-}
-
-// BuildPlanSpec represents the specification of the build plan.
-type BuildPlanSpec struct {
-	// Disabled causes the holos cli to take no action over the [BuildPlan].
-	Disabled bool `json:"disabled,omitempty"`
-	// Components represents multiple [HolosComponent] kinds to manage.
-	Components BuildPlanComponents `json:"components,omitempty"`
-}
-
-type BuildPlanComponents struct {
-	Resources             map[Label]KubernetesObjects `json:"resources,omitempty"`
-	KubernetesObjectsList []KubernetesObjects         `json:"kubernetesObjectsList,omitempty"`
-	HelmChartList         []HelmChart                 `json:"helmChartList,omitempty"`
-	KustomizeBuildList    []KustomizeBuild            `json:"kustomizeBuildList,omitempty"`
-}
-
-// HolosComponent defines the fields common to all holos component kinds.  Every
-// holos component kind should embed HolosComponent.
-type HolosComponent struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind"`
-	// APIVersion represents the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-	// Metadata represents data about the holos component such as the Name.
-	Metadata Metadata `json:"metadata"`
-
-	// APIObjectMap holds the marshalled representation of api objects.  Useful to
-	// mix in resources to each HolosComponent type, for example adding an
-	// ExternalSecret to a HelmChart HolosComponent.  Refer to [APIObjects].
-	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty"`
-
-	// DeployFiles represents file paths relative to the cluster deploy directory
-	// with the value representing the file content.  Intended for defining the
-	// ArgoCD Application resource or Flux Kustomization resource from within CUE,
-	// but may be used to render any file related to the build plan from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty"`
-
-	// Kustomize represents a kubectl kustomize build post-processing step.
-	Kustomize `json:"kustomize,omitempty"`
-
-	// Skip causes holos to take no action regarding this component.
-	Skip bool `json:"skip" cue:"bool | *false"`
-}
-
-// Metadata represents data about the holos component such as the Name.
-type Metadata struct {
-	// Name represents the name of the holos component.
-	Name string `json:"name"`
-	// Namespace is the primary namespace of the holos component.  A holos
-	// component may manage resources in multiple namespaces, in this case
-	// consider setting the component namespace to default.
-	//
-	// This field is optional because not all resources require a namespace,
-	// particularly CRD's and DeployFiles functionality.
-	// +optional
-	Namespace string `json:"namespace,omitempty"`
-}
-
-// Kustomize represents resources necessary to execute a kustomize build.
-// Intended for at least two use cases:
-//
-//  1. Process a [KustomizeBuild] [HolosComponent] which represents raw yaml
-//     file resources in a holos component directory.
-//  2. Post process a [HelmChart] [HolosComponent] to inject istio, patch jobs,
-//     add custom labels, etc...
-type Kustomize struct {
-	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
-	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty"`
-	// ResourcesFile is the file name used for api objects in kustomization.yaml
-	ResourcesFile string `json:"resourcesFile,omitempty"`
-}
--- a/api/core/v1alpha2/constants.go
+++ b/api/core/v1alpha2/constants.go
@@ -1,11 +0,0 @@
-package v1alpha2
-
-const (
-	APIVersion    = "v1alpha2"
-	BuildPlanKind = "BuildPlan"
-	HelmChartKind = "HelmChart"
-	// ChartDir is the directory name created in the holos component directory to cache a chart.
-	ChartDir = "vendor"
-	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
-	ResourcesFile = "resources.yaml"
-)
--- a/api/core/v1alpha2/core.go
+++ b/api/core/v1alpha2/core.go
@@ -1,44 +0,0 @@
-package v1alpha2
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-type PlatformMetadata struct {
-	// Name represents the Platform name.
-	Name string `json:"name"`
-}
-
-// Platform represents a platform to manage.  A Platform resource informs holos
-// which components to build.  The platform resource also acts as a container
-// for the platform model form values provided by the PlatformService.  The
-// primary use case is to collect the cluster names, cluster types, platform
-// model, and holos components to build into one resource.
-type Platform struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind" cue:"\"Platform\""`
-	// APIVersion represents the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-	// Metadata represents data about the object such as the Name.
-	Metadata PlatformMetadata `json:"metadata"`
-
-	// Spec represents the specification.
-	Spec PlatformSpec `json:"spec"`
-}
-
-// PlatformSpec represents the specification of a Platform.  Think of a platform
-// specification as a list of platform components to apply to a list of
-// kubernetes clusters combined with the user-specified Platform Model.
-type PlatformSpec struct {
-	// Model represents the platform model holos gets from from the
-	// PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-	Model structpb.Struct `json:"model"`
-	// Components represents a list of holos components to manage.
-	Components []PlatformSpecComponent `json:"components"`
-}
-
-// PlatformSpecComponent represents a holos component to build or render.
-type PlatformSpecComponent struct {
-	// Path is the path of the component relative to the platform root.
-	Path string `json:"path"`
-	// Cluster is the cluster name to provide when rendering the component.
-	Cluster string `json:"cluster"`
-}
--- a/api/core/v1alpha2/doc.go
+++ b/api/core/v1alpha2/doc.go
@@ -1,26 +0,0 @@
-// Package v1alpha2 contains the core API contract between the holos cli and CUE
-// configuration code.  Platform designers, operators, and software developers
-// use this API to write configuration in CUE which `holos` loads.  The overall
-// shape of the API defines imperative actions `holos` should carry out to
-// render the complete yaml that represents a Platform.
-//
-// [Platform] defines the complete configuration of a platform.  With the holos
-// reference platform this takes the shape of one management cluster and at
-// least two workload cluster.  Each cluster has multiple [HolosComponent]
-// resources applied to it.
-//
-// Each holos component path, e.g. `components/namespaces` produces exactly one
-// [BuildPlan] which in turn contains a set of [HolosComponent] kinds.
-//
-// The primary kinds of [HolosComponent] are:
-//
-//  1. [HelmChart] to render config from a helm chart.
-//  2. [KustomizeBuild] to render config from [Kustomize]
-//  3. [KubernetesObjects] to render [APIObjects] defined directly in CUE
-//     configuration.
-//
-// Note that Holos operates as a data pipeline, so the output of a [HelmChart]
-// may be provided to [Kustomize] for post-processing.
-package v1alpha2
-
-//go:generate ../../../hack/gendoc
--- a/api/core/v1alpha2/helm.go
+++ b/api/core/v1alpha2/helm.go
@@ -1,38 +0,0 @@
-package v1alpha2
-
-// HelmChart represents a holos component which wraps around an upstream helm
-// chart.  Holos orchestrates helm by providing values obtained from CUE,
-// renders the output using `helm template`, then post-processes the helm output
-// yaml using the general functionality provided by [HolosComponent], for
-// example [Kustomize] post-rendering and mixing in additional kubernetes api
-// objects.
-type HelmChart struct {
-	HolosComponent `json:",inline"`
-	Kind           string `json:"kind" cue:"\"HelmChart\""`
-
-	// Chart represents a helm chart to manage.
-	Chart Chart `json:"chart"`
-	// ValuesContent represents the values.yaml file holos passes to the `helm
-	// template` command.
-	ValuesContent string `json:"valuesContent"`
-	// EnableHooks enables helm hooks when executing the `helm template` command.
-	EnableHooks bool `json:"enableHooks" cue:"bool | *false"`
-}
-
-// Chart represents a helm chart.
-type Chart struct {
-	// Name represents the chart name.
-	Name string `json:"name"`
-	// Version represents the chart version.
-	Version string `json:"version"`
-	// Release represents the chart release when executing helm template.
-	Release string `json:"release"`
-	// Repository represents the repository to fetch the chart from.
-	Repository Repository `json:"repository,omitempty"`
-}
-
-// Repository represents a helm chart repository.
-type Repository struct {
-	Name string `json:"name"`
-	URL  string `json:"url"`
-}
--- a/api/core/v1alpha2/kubernetesobjects.go
+++ b/api/core/v1alpha2/kubernetesobjects.go
@@ -1,10 +0,0 @@
-package v1alpha2
-
-const KubernetesObjectsKind = "KubernetesObjects"
-
-// KubernetesObjects represents a [HolosComponent] composed of Kubernetes API
-// objects provided directly from CUE using [APIObjects].
-type KubernetesObjects struct {
-	HolosComponent `json:",inline"`
-	Kind           string `json:"kind" cue:"\"KubernetesObjects\""`
-}
--- a/api/core/v1alpha2/kustomizebuild.go
+++ b/api/core/v1alpha2/kustomizebuild.go
@@ -1,8 +0,0 @@
-package v1alpha2
-
-// KustomizeBuild represents a [HolosComponent] that renders plain yaml files in
-// the holos component directory using `kubectl kustomize build`.
-type KustomizeBuild struct {
-	HolosComponent `json:",inline"`
-	Kind           string `json:"kind" cue:"\"KustomizeBuild\""`
-}
--- a/api/core/v1alpha3/apiobjects.go
+++ b/api/core/v1alpha3/apiobjects.go
@@ -1,47 +0,0 @@
-package v1alpha3
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-// InternalLabel is an arbitrary unique identifier internal to holos itself.
-// The holos cli is expected to never write a InternalLabel value to rendered
-// output files, therefore use a [InternalLabel] when the identifier must be
-// unique and internal.  Defined as a type for clarity and type checking.
-//
-// A InternalLabel is useful to convert a CUE struct to a list, for example
-// producing a list of [APIObject] resources from an [APIObjectMap].  A CUE
-// struct using InternalLabel keys is guaranteed to not lose data when rendering
-// output because a InternalLabel is expected to never be written to the final
-// output.
-type InternalLabel string
-
-// Kind is a kubernetes api object kind. Defined as a type for clarity and type
-// checking.
-type Kind string
-
-// APIObject represents the most basic generic form of a single kubernetes api
-// object.  Represented as a JSON object internally for compatibility between
-// tools, for example loading from CUE.
-type APIObject structpb.Struct
-
-// APIObjectMap represents the marshalled yaml representation of kubernetes api
-// objects.  Do not produce an APIObjectMap directly, instead use [APIObjects]
-// to produce the marshalled yaml representation from CUE data, then provide the
-// result to [Component].
-type APIObjectMap map[Kind]map[InternalLabel]string
-
-// APIObjects represents Kubernetes API objects defined directly from CUE code.
-// Useful to mix in resources to any kind of [Component], for example
-// adding an ExternalSecret resource to a [HelmChart].
-//
-// [Kind] must be the resource kind, e.g. Deployment or Service.
-//
-// [InternalLabel] is an arbitrary internal identifier to uniquely identify the resource
-// within the context of a `holos` command.  Holos will never write the
-// intermediate label to rendered output.
-//
-// Refer to [Component] which accepts an [APIObjectMap] field provided by
-// [APIObjects].
-type APIObjects struct {
-	APIObjects   map[Kind]map[InternalLabel]APIObject `json:"apiObjects"`
-	APIObjectMap APIObjectMap                         `json:"apiObjectMap"`
-}
--- a/api/core/v1alpha3/buildplan.go
+++ b/api/core/v1alpha3/buildplan.go
@@ -1,52 +0,0 @@
-package v1alpha3
-
-// FilePath represents a file path.
-type FilePath string
-
-// FileContent represents file contents.
-type FileContent string
-
-// FileContentMap represents a mapping of file paths to file contents.
-type FileContentMap map[FilePath]FileContent
-
-// BuildPlan represents a build plan for the holos cli to execute.  The purpose
-// of a BuildPlan is to define one or more [Component] kinds.  For example a
-// [HelmChart], [KustomizeBuild], or [KubernetesObjects].
-//
-// A BuildPlan usually has an additional empty [KubernetesObjects] for the
-// purpose of using the [Component] DeployFiles field to deploy an ArgoCD
-// or Flux gitops resource for the holos component.
-type BuildPlan struct {
-	Kind       string        `json:"kind" cue:"\"BuildPlan\""`
-	APIVersion string        `json:"apiVersion" cue:"string | *\"v1alpha3\""`
-	Spec       BuildPlanSpec `json:"spec"`
-}
-
-// BuildPlanSpec represents the specification of the build plan.
-type BuildPlanSpec struct {
-	// Disabled causes the holos cli to take no action over the [BuildPlan].
-	Disabled bool `json:"disabled,omitempty"`
-	// Components represents multiple [HolosComponent] kinds to manage.
-	Components BuildPlanComponents `json:"components,omitempty"`
-}
-
-type BuildPlanComponents struct {
-	Resources             map[InternalLabel]KubernetesObjects `json:"resources,omitempty"`
-	KubernetesObjectsList []KubernetesObjects                 `json:"kubernetesObjectsList,omitempty"`
-	HelmChartList         []HelmChart                         `json:"helmChartList,omitempty"`
-	KustomizeBuildList    []KustomizeBuild                    `json:"kustomizeBuildList,omitempty"`
-}
-
-// Kustomize represents resources necessary to execute a kustomize build.
-// Intended for at least two use cases:
-//
-//  1. Process a [KustomizeBuild] [Component] which represents raw yaml
-//     file resources in a holos component directory.
-//  2. Post process a [HelmChart] [Component] to inject istio, patch jobs,
-//     add custom labels, etc...
-type Kustomize struct {
-	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
-	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty"`
-	// ResourcesFile is the file name used for api objects in kustomization.yaml
-	ResourcesFile string `json:"resourcesFile,omitempty"`
-}
--- a/api/core/v1alpha3/component.go
+++ b/api/core/v1alpha3/component.go
@@ -1,43 +0,0 @@
-package v1alpha3
-
-// Component defines the fields common to all holos component kinds.  Every
-// holos component kind should embed Component.
-type Component struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind"`
-	// APIVersion represents the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"\"v1alpha3\""`
-	// Metadata represents data about the holos component such as the Name.
-	Metadata Metadata `json:"metadata"`
-
-	// APIObjectMap holds the marshalled representation of api objects.  Useful to
-	// mix in resources to each Component type, for example adding an
-	// ExternalSecret to a [HelmChart] Component.  Refer to [APIObjects].
-	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty"`
-
-	// DeployFiles represents file paths relative to the cluster deploy directory
-	// with the value representing the file content.  Intended for defining the
-	// ArgoCD Application resource or Flux Kustomization resource from within CUE,
-	// but may be used to render any file related to the build plan from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty"`
-
-	// Kustomize represents a kubectl kustomize build post-processing step.
-	Kustomize `json:"kustomize,omitempty"`
-
-	// Skip causes holos to take no action regarding this component.
-	Skip bool `json:"skip" cue:"bool | *false"`
-}
-
-// Metadata represents data about the object such as the Name.
-type Metadata struct {
-	// Name represents the name of the holos component.
-	Name string `json:"name"`
-	// Namespace is the primary namespace of the holos component.  A holos
-	// component may manage resources in multiple namespaces, in this case
-	// consider setting the component namespace to default.
-	//
-	// This field is optional because not all resources require a namespace,
-	// particularly CRDs and DeployFiles functionality.
-	// +optional
-	Namespace string `json:"namespace,omitempty"`
-}
--- a/api/core/v1alpha3/constants.go
+++ b/api/core/v1alpha3/constants.go
@@ -1,11 +0,0 @@
-package v1alpha3
-
-const (
-	APIVersion    = "v1alpha3"
-	BuildPlanKind = "BuildPlan"
-	HelmChartKind = "HelmChart"
-	// ChartDir is the directory name created in the holos component directory to cache a chart.
-	ChartDir = "vendor"
-	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
-	ResourcesFile = "resources.yaml"
-)
--- a/api/core/v1alpha3/doc.go
+++ b/api/core/v1alpha3/doc.go
@@ -1,26 +0,0 @@
-// Package v1alpha3 contains the core API contract between the holos cli and CUE
-// configuration code.  Platform designers, operators, and software developers
-// use this API to write configuration in CUE which `holos` loads.  The overall
-// shape of the API defines imperative actions `holos` should carry out to
-// render the complete yaml that represents a Platform.
-//
-// [Platform] defines the complete configuration of a platform.  With the holos
-// reference platform this takes the shape of one management cluster and at
-// least two workload cluster.  Each cluster has multiple [Component]
-// resources applied to it.
-//
-// Each holos component path, e.g. `components/namespaces` produces exactly one
-// [BuildPlan] which in turn contains a set of [Component] kinds.
-//
-// The primary kinds of [Component] are:
-//
-//  1. [HelmChart] to render config from a helm chart.
-//  2. [KustomizeBuild] to render config from [Kustomize]
-//  3. [KubernetesObjects] to render [APIObjects] defined directly in CUE
-//     configuration.
-//
-// Note that Holos operates as a data pipeline, so the output of a [HelmChart]
-// may be provided to [Kustomize] for post-processing.
-package v1alpha3
-
-//go:generate ../../../hack/gendoc
--- a/api/core/v1alpha3/helm.go
+++ b/api/core/v1alpha3/helm.go
@@ -1,38 +0,0 @@
-package v1alpha3
-
-// HelmChart represents a holos component which wraps around an upstream helm
-// chart.  Holos orchestrates helm by providing values obtained from CUE,
-// renders the output using `helm template`, then post-processes the helm output
-// yaml using the general functionality provided by [Component], for
-// example [Kustomize] post-rendering and mixing in additional kubernetes api
-// objects.
-type HelmChart struct {
-	Component `json:",inline"`
-	Kind      string `json:"kind" cue:"\"HelmChart\""`
-
-	// Chart represents a helm chart to manage.
-	Chart Chart `json:"chart"`
-	// ValuesContent represents the values.yaml file holos passes to the `helm
-	// template` command.
-	ValuesContent string `json:"valuesContent"`
-	// EnableHooks enables helm hooks when executing the `helm template` command.
-	EnableHooks bool `json:"enableHooks" cue:"bool | *false"`
-}
-
-// Chart represents a helm chart.
-type Chart struct {
-	// Name represents the chart name.
-	Name string `json:"name"`
-	// Version represents the chart version.
-	Version string `json:"version"`
-	// Release represents the chart release when executing helm template.
-	Release string `json:"release"`
-	// Repository represents the repository to fetch the chart from.
-	Repository Repository `json:"repository,omitempty"`
-}
-
-// Repository represents a helm chart repository.
-type Repository struct {
-	Name string `json:"name"`
-	URL  string `json:"url"`
-}
--- a/api/core/v1alpha3/kubernetesobjects.go
+++ b/api/core/v1alpha3/kubernetesobjects.go
@@ -1,10 +0,0 @@
-package v1alpha3
-
-const KubernetesObjectsKind = "KubernetesObjects"
-
-// KubernetesObjects represents a [Component] composed of Kubernetes API
-// objects provided directly from CUE using [APIObjects].
-type KubernetesObjects struct {
-	Component `json:",inline"`
-	Kind      string `json:"kind" cue:"\"KubernetesObjects\""`
-}
--- a/api/core/v1alpha3/kustomizebuild.go
+++ b/api/core/v1alpha3/kustomizebuild.go
@@ -1,8 +0,0 @@
-package v1alpha3
-
-// KustomizeBuild represents a [Component] that renders plain yaml files in
-// the holos component directory using `kubectl kustomize build`.
-type KustomizeBuild struct {
-	Component `json:",inline"`
-	Kind      string `json:"kind" cue:"\"KustomizeBuild\""`
-}
--- a/api/core/v1alpha3/platform.go
+++ b/api/core/v1alpha3/platform.go
@@ -1,44 +0,0 @@
-package v1alpha3
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-// Platform represents a platform to manage.  A Platform resource informs holos
-// which components to build.  The platform resource also acts as a container
-// for the platform model form values provided by the PlatformService.  The
-// primary use case is to collect the cluster names, cluster types, platform
-// model, and holos components to build into one resource.
-type Platform struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind" cue:"\"Platform\""`
-	// APIVersion represents the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha3\""`
-	// Metadata represents data about the object such as the Name.
-	Metadata PlatformMetadata `json:"metadata"`
-
-	// Spec represents the specification.
-	Spec PlatformSpec `json:"spec"`
-}
-
-type PlatformMetadata struct {
-	// Name represents the Platform name.
-	Name string `json:"name"`
-}
-
-// PlatformSpec represents the specification of a Platform.  Think of a platform
-// specification as a list of platform components to apply to a list of
-// kubernetes clusters combined with the user-specified Platform Model.
-type PlatformSpec struct {
-	// Model represents the platform model holos gets from from the
-	// PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-	Model structpb.Struct `json:"model" cue:"{...}"`
-	// Components represents a list of holos components to manage.
-	Components []PlatformSpecComponent `json:"components"`
-}
-
-// PlatformSpecComponent represents a holos component to build or render.
-type PlatformSpecComponent struct {
-	// Path is the path of the component relative to the platform root.
-	Path string `json:"path"`
-	// Cluster is the cluster name to provide when rendering the component.
-	Cluster string `json:"cluster"`
-}
--- a/api/core/v1alpha5/header.yaml
+++ b/api/core/v1alpha5/header.yaml
@@ -0,0 +1,5 @@
+---
+title: Core Schemas
+description: BuildPlan defines the holos rendering pipeline.
+sidebar_position: 100
+---
--- a/api/core/v1alpha5/types.go
+++ b/api/core/v1alpha5/types.go
@@ -0,0 +1,388 @@
+// Package core contains schemas for a [Platform] and [BuildPlan].  Holos takes
+// a [Platform] as input, then iterates over each [Component] to produce a
+// [BuildPlan].  Holos evaluates the [BuildPlan] to produce fully rendered
+// manifests, each an [Artifact].
+package core
+
+// BuildContextTag represents the cue tag holos render component uses to inject
+// the json representation of a [BuildContext] for use in a BuildPlan.
+const BuildContextTag string = "holos_build_context"
+
+// ComponentNameTag represents the cue tag holos uses to inject a [Component]
+// name from the holos render platform command to the holos render component
+// command.
+const ComponentNameTag string = "holos_component_name"
+
+// ComponentPathTag represents the cue tag holos uses to inject a [Component]
+// path relative to the cue module root from the holos render platform command
+// to the holos render component command.
+const ComponentPathTag string = "holos_component_path"
+
+// ComponentLabelsTag represents the cue tag holos uses to inject the json
+// representation of [Component] metadata labels from the holos render platform
+// command to the holos render component command.
+const ComponentLabelsTag string = "holos_component_labels"
+
+// ComponentAnnotationsTag represents the tag holos uses to inject the json
+// representation of [Component] metadata annotations from the holos render
+// platform command to the holos render component command.
+const ComponentAnnotationsTag = "holos_component_annotations"
+
+//go:generate ../../../hack/gendoc
+
+// BuildPlan represents an implementation of the [rendered manifest pattern].
+// Holos processes a BuildPlan to produce one or more [Artifact] output files.
+// BuildPlan artifact files usually contain Kubernetes manifests, but they may
+// have any content.
+//
+// A BuildPlan usually produces two artifacts.  One artifact contains a manifest
+// of resources.  A second artifact contains a GitOps resource to manage the
+// first, usually an ArgoCD Application resource.
+//
+// Holos uses CUE to construct a BuildPlan.  A future enhancement will support
+// user defined executables providing a BuildPlan to Holos in the style of an
+// [external credential provider].
+//
+// [rendered manifest pattern]: https://akuity.io/blog/the-rendered-manifests-pattern
+// [external credential provider]: https://github.com/kubernetes/enhancements/blob/313ad8b59c80819659e1fbf0f165230f633f2b22/keps/sig-auth/541-external-credential-providers/README.md
+type BuildPlan struct {
+	// Kind represents the type of the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"BuildPlan\""`
+	// APIVersion represents the versioned schema of the resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha5\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+	// Spec specifies the desired state of the resource.
+	Spec BuildPlanSpec `json:"spec" yaml:"spec"`
+}
+
+// BuildPlanSpec represents the specification of the [BuildPlan].
+type BuildPlanSpec struct {
+	// Artifacts represents the artifacts for holos to build.
+	Artifacts []Artifact `json:"artifacts" yaml:"artifacts"`
+	// Disabled causes the holos cli to disregard the build plan.
+	Disabled bool `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+}
+
+// Artifact represents one fully rendered manifest produced by a [Transformer]
+// sequence, which transforms a [Generator] collection.  A [BuildPlan] produces
+// an [Artifact] collection.
+//
+// Each Artifact produces one manifest file artifact.  Generator Output values
+// are used as Transformer Inputs.  The Output field of the final [Transformer]
+// should have the same value as the Artifact field.
+//
+// When there is more than one [Generator] there must be at least one
+// [Transformer] to combine outputs into one Artifact.  If there is a single
+// Generator, it may directly produce the Artifact output.
+//
+// An Artifact is processed concurrently with other artifacts in the same
+// [BuildPlan].  An Artifact should not use an output from another Artifact as
+// an input.  Each [Generator] may also run concurrently.  Each [Transformer] is
+// executed sequentially starting after all generators have completed.
+//
+// Output fields are write-once.  It is an error for multiple Generators or
+// Transformers to produce the same Output value within the context of a
+// [BuildPlan].
+type Artifact struct {
+	Artifact     FilePath      `json:"artifact,omitempty" yaml:"artifact,omitempty"`
+	Generators   []Generator   `json:"generators,omitempty" yaml:"generators,omitempty"`
+	Transformers []Transformer `json:"transformers,omitempty" yaml:"transformers,omitempty"`
+	Validators   []Validator   `json:"validators,omitempty" yaml:"validators,omitempty"`
+	Skip         bool          `json:"skip,omitempty" yaml:"skip,omitempty"`
+}
+
+// Generator generates Kubernetes resources.  [Helm] and [Resources] are the
+// most commonly used, often paired together to mix-in resources to an
+// unmodified Helm chart.  A simple [File] generator is also available for use
+// with the [Kustomize] transformer.
+//
+// Each Generator in an [Artifact] must have a distinct Output value for a
+// [Transformer] to reference.
+//
+//  1. [Resources] - Generates resources from CUE code.
+//  2. [Helm] - Generates rendered yaml from a [Chart].
+//  3. [File] - Generates data by reading a file from the component directory.
+type Generator struct {
+	// Kind represents the kind of generator.  Must be Resources, Helm, or File.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Resources\" | \"Helm\" | \"File\""`
+	// Output represents a file for a Transformer or Artifact to consume.
+	Output FilePath `json:"output" yaml:"output"`
+	// Resources generator. Ignored unless kind is Resources.  Resources are
+	// stored as a two level struct.  The top level key is the Kind of resource,
+	// e.g. Namespace or Deployment.  The second level key is an arbitrary
+	// InternalLabel.  The third level is a map[string]any representing the
+	// Resource.
+	Resources Resources `json:"resources,omitempty" yaml:"resources,omitempty"`
+	// Helm generator. Ignored unless kind is Helm.
+	Helm Helm `json:"helm,omitempty" yaml:"helm,omitempty"`
+	// File generator. Ignored unless kind is File.
+	File File `json:"file,omitempty" yaml:"file,omitempty"`
+}
+
+// Resource represents one kubernetes api object.
+type Resource map[string]any
+
+// Resources represents Kubernetes resources.  Most commonly used to mix
+// resources into the [BuildPlan] generated from CUE, but may be generated from
+// elsewhere.
+type Resources map[Kind]map[InternalLabel]Resource
+
+// File represents a simple single file copy [Generator].  Useful with a
+// [Kustomize] [Transformer] to process plain manifest files stored in the
+// component directory.  Multiple File generators may be used to transform
+// multiple resources.
+type File struct {
+	// Source represents a file sub-path relative to the component path.
+	Source FilePath `json:"source" yaml:"source"`
+}
+
+// Helm represents a [Chart] manifest [Generator].
+type Helm struct {
+	// Chart represents a helm chart to manage.
+	Chart Chart `json:"chart" yaml:"chart"`
+	// Values represents values for holos to marshal into values.yaml when
+	// rendering the chart.  Values follow ValueFiles when both are provided.
+	Values Values `json:"values" yaml:"values"`
+	// ValueFiles represents hierarchial value files passed in order to the helm
+	// template -f flag.  Useful for migration from an ApplicationSet.  Use Values
+	// instead.  ValueFiles precede Values when both are provided.
+	ValueFiles []ValueFile `json:"valueFiles,omitempty" yaml:"valueFiles,omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `json:"enableHooks,omitempty" yaml:"enableHooks,omitempty"`
+	// Namespace represents the helm namespace flag
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
+}
+
+// ValueFile represents one Helm value file produced from CUE.
+type ValueFile struct {
+	// Name represents the file name, e.g. "region-values.yaml"
+	Name string `json:"name" yaml:"name"`
+	// Kind is a discriminator.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Values\""`
+	// Values represents values for holos to marshal into the file name specified
+	// by Name when rendering the chart.
+	Values Values `json:"values,omitempty" yaml:"values,omitempty"`
+}
+
+// Values represents [Helm] Chart values generated from CUE.
+type Values map[string]any
+
+// Chart represents a [Helm] Chart.
+type Chart struct {
+	// Name represents the chart name.
+	Name string `json:"name" yaml:"name"`
+	// Version represents the chart version.
+	Version string `json:"version" yaml:"version"`
+	// Release represents the chart release when executing helm template.
+	Release string `json:"release" yaml:"release"`
+	// Repository represents the repository to fetch the chart from.
+	Repository Repository `json:"repository,omitempty" yaml:"repository,omitempty"`
+}
+
+// Repository represents a [Helm] [Chart] repository.
+//
+// The Auth field is useful to configure http basic authentication to the Helm
+// repository.  Holos gets the username and password from the environment
+// variables represented by the Auth field.
+type Repository struct {
+	Name string `json:"name" yaml:"name"`
+	URL  string `json:"url" yaml:"url"`
+	Auth Auth   `json:"auth,omitempty" yaml:"auth,omitempty"`
+}
+
+// Auth represents environment variable names containing auth credentials.
+type Auth struct {
+	Username AuthSource `json:"username" yaml:"username"`
+	Password AuthSource `json:"password" yaml:"password"`
+}
+
+// AuthSource represents a source for the value of an [Auth] field.
+type AuthSource struct {
+	Value   string `json:"value,omitempty" yaml:"value,omitempty"`
+	FromEnv string `json:"fromEnv,omitempty" yaml:"fromEnv,omitempty"`
+}
+
+// Transformer combines multiple inputs from prior [Generator] or [Transformer]
+// outputs into one output.  [Kustomize] is the most commonly used transformer.
+// A simple [Join] is also supported for use with plain manifest files.
+//
+//  1. [Kustomize] - Patch and transform the output from prior generators or
+//     transformers.  See [Introduction to Kustomize].
+//  2. [Join] - Concatenate multiple prior outputs into one output.
+//
+// [Introduction to Kustomize]: https://kubectl.docs.kubernetes.io/guides/config_management/introduction/
+type Transformer struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Kustomize\" | \"Join\""`
+	// Inputs represents the files to transform. The Output of prior Generators
+	// and Transformers.
+	Inputs []FilePath `json:"inputs" yaml:"inputs"`
+	// Output represents a file for a subsequent Transformer or Artifact to
+	// consume.
+	Output FilePath `json:"output" yaml:"output"`
+	// Kustomize transformer. Ignored unless kind is Kustomize.
+	Kustomize Kustomize `json:"kustomize,omitempty" yaml:"kustomize,omitempty"`
+	// Join transformer. Ignored unless kind is Join.
+	Join Join `json:"join,omitempty" yaml:"join,omitempty"`
+}
+
+// Join represents a [Transformer] using [bytes.Join] to concatenate multiple
+// inputs into one output with a separator.  Useful for combining output from
+// [Helm] and [Resources] together into one [Artifact] when [Kustomize] is
+// otherwise unnecessary.
+//
+// [bytes.Join]: https://pkg.go.dev/bytes#Join
+type Join struct {
+	Separator string `json:"separator,omitempty" yaml:"separator,omitempty"`
+}
+
+// Kustomize represents a kustomization [Transformer].
+type Kustomize struct {
+	// Kustomization represents the decoded kustomization.yaml file
+	Kustomization Kustomization `json:"kustomization" yaml:"kustomization"`
+	// Files holds file contents for kustomize, e.g. patch files.
+	Files FileContentMap `json:"files,omitempty" yaml:"files,omitempty"`
+}
+
+// Kustomization represents a kustomization.yaml file for use with the
+// [Kustomize] [Transformer].  Untyped to avoid tightly coupling holos to
+// kubectl versions which was a problem for the Flux maintainers.  Type checking
+// is expected to happen in CUE against the kubectl version the user prefers.
+type Kustomization map[string]any
+
+// FileContentMap represents a mapping of file paths to file contents.
+type FileContentMap map[FilePath]FileContent
+
+// FilePath represents a file path.
+type FilePath string
+
+// FileContent represents file contents.
+type FileContent string
+
+// Validator validates files.  Useful to validate an [Artifact] prior to writing
+// it out to the final destination.  Holos may execute validators concurrently.
+// See the [validators] tutorial for an end to end example.
+//
+// [validators]: https://holos.run/docs/v1alpha5/tutorial/validators/
+type Validator struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Command\""`
+	// Inputs represents the files to validate.  Usually the final Artifact.
+	Inputs []FilePath `json:"inputs" yaml:"inputs"`
+	// Command represents a validation command.  Ignored unless kind is Command.
+	Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+
+// Command represents a command vetting one or more artifacts.  Holos appends
+// fully qualified input file paths to the end of the args list, then executes
+// the command.  Inputs are written into a temporary directory prior to
+// executing the command and removed afterwards.
+type Command struct {
+	Args []string `json:"args,omitempty" yaml:"args,omitempty"`
+}
+
+// InternalLabel is an arbitrary unique identifier internal to holos itself.
+// The holos cli is expected to never write a InternalLabel value to rendered
+// output files, therefore use a InternalLabel when the identifier must be
+// unique and internal.  Defined as a type for clarity and type checking.
+type InternalLabel string
+
+// Kind is a discriminator. Defined as a type for clarity and type checking.
+type Kind string
+
+// Metadata represents data about the resource such as the Name.
+type Metadata struct {
+	// Name represents the resource name.
+	Name string `json:"name" yaml:"name"`
+	// Labels represents a resource selector.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  For example
+	// holos uses the `app.holos.run/description` annotation to log resources in a
+	// user customized way.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
+// Platform represents a platform to manage.  A Platform specifies a [Component]
+// collection and integrates the components together into a holistic platform.
+// Holos iterates over the [Component] collection producing a [BuildPlan] for
+// each, which holos then executes to render manifests.
+//
+// Inspect a Platform resource holos would process by executing:
+//
+//	cue export --out yaml ./platform
+type Platform struct {
+	// Kind is a string value representing the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Platform\""`
+	// APIVersion represents the versioned schema of this resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha5\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+
+	// Spec represents the platform specification.
+	Spec PlatformSpec `json:"spec" yaml:"spec"`
+}
+
+// PlatformSpec represents the platform specification.
+type PlatformSpec struct {
+	// Components represents a collection of holos components to manage.
+	Components []Component `json:"components" yaml:"components"`
+}
+
+// Component represents the complete context necessary to produce a [BuildPlan]
+// from a path containing parameterized CUE configuration.
+type Component struct {
+	// Name represents the name of the component. Injected as the tag variable
+	// "holos_component_name".
+	Name string `json:"name" yaml:"name"`
+	// Path represents the path of the component relative to the platform root.
+	// Injected as the tag variable "holos_component_path".
+	Path string `json:"path" yaml:"path"`
+	// Instances represents additional cue instance paths to unify with Path.
+	// Useful to unify data files into a component BuildPlan.  Added in holos
+	// 0.101.7.
+	Instances []Instance `json:"instances,omitempty" yaml:"instances,omitempty"`
+	// WriteTo represents the holos render component --write-to flag.  If empty,
+	// the default value for the --write-to flag is used.
+	WriteTo string `json:"writeTo,omitempty" yaml:"writeTo,omitempty"`
+	// Parameters represent user defined input variables to produce various
+	// [BuildPlan] resources from one component path.  Injected as CUE @tag
+	// variables.  Parameters with a "holos_" prefix are reserved for use by the
+	// Holos Authors.  Multiple environments are a prime example of an input
+	// parameter that should always be user defined, never defined by Holos.
+	Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters,omitempty"`
+	// Labels represent selector labels for the component.  Copied to the
+	// resulting BuildPlan.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  Use the
+	// `app.holos.run/description` to customize the log message of each BuildPlan.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
+// Instance represents a data instance to unify with the configuration.
+//
+// Useful to unify json and yaml files with cue configuration files for
+// integration with other tools.  For example, executing holos render platform
+// from a pull request workflow after [Kargo] executes the [yaml update] and
+// [git wait for pr] promotion steps.
+//
+// [Kargo]: https://docs.kargo.io/
+// [yaml update]: https://docs.kargo.io/references/promotion-steps#yaml-update
+// [git wait for pr]: https://docs.kargo.io/references/promotion-steps#git-wait-for-pr
+type Instance struct {
+	// Kind is a discriminator.
+	Kind string `json:"kind" yaml:"kind" cue:"\"ExtractYAML\""`
+	// Ignored unless kind is ExtractYAML.
+	ExtractYAML ExtractYAML `json:"extractYAML,omitempty" yaml:"extractYAML,omitempty"`
+}
+
+// ExtractYAML represents a cue data instance encoded as yaml or json. If Path
+// refers to a directory all files in the directory are extracted
+// non-recursively.  Otherwise, path must refer to a file.
+type ExtractYAML struct {
+	Path string `json:"path" yaml:"path"`
+}
--- a/api/core/v1alpha6/header.yaml
+++ b/api/core/v1alpha6/header.yaml
@@ -0,0 +1,5 @@
+---
+title: Core Schemas
+description: BuildPlan defines the holos rendering pipeline.
+sidebar_position: 100
+---
--- a/api/core/v1alpha6/types.go
+++ b/api/core/v1alpha6/types.go
@@ -0,0 +1,453 @@
+// Package core contains schemas for a [Platform] and [BuildPlan].  Holos takes
+// a [Platform] as input, then iterates over each [Component] to produce a
+// [BuildPlan].  Holos processes the [BuildPlan] to produce fully rendered
+// manifests, each an [Artifact].
+package core
+
+// BuildContextTag represents the cue tag holos render component uses to inject
+// the json representation of a [BuildContext] for use in a BuildPlan.
+const BuildContextTag string = "holos_build_context"
+
+// ComponentNameTag represents the cue tag holos uses to inject a [Component]
+// name from the holos render platform command to the holos render component
+// command.
+const ComponentNameTag string = "holos_component_name"
+
+// ComponentPathTag represents the cue tag holos uses to inject a [Component]
+// path relative to the cue module root from the holos render platform command
+// to the holos render component command.
+const ComponentPathTag string = "holos_component_path"
+
+// ComponentLabelsTag represents the cue tag holos uses to inject the json
+// representation of [Component] metadata labels from the holos render platform
+// command to the holos render component command.
+const ComponentLabelsTag string = "holos_component_labels"
+
+// ComponentAnnotationsTag represents the tag holos uses to inject the json
+// representation of [Component] metadata annotations from the holos render
+// platform command to the holos render component command.
+const ComponentAnnotationsTag = "holos_component_annotations"
+
+//go:generate ../../../hack/gendoc
+
+// BuildPlan represents an implementation of the [rendered manifest pattern].
+// Holos processes a BuildPlan to produce one or more [Artifact] output files.
+// BuildPlan artifact files usually contain Kubernetes manifests, but they may
+// have any content.
+//
+// A BuildPlan usually produces two artifacts.  One artifact contains a manifest
+// of resources.  A second artifact contains a GitOps resource to manage the
+// first, usually an ArgoCD Application resource.
+//
+// Holos uses CUE to construct a BuildPlan.  Holos injects late binding values
+// such as the build temp dir using the [BuildContext].
+//
+// [rendered manifest pattern]: https://akuity.io/blog/the-rendered-manifests-pattern
+//
+// [external credential provider]: https://github.com/kubernetes/enhancements/blob/313ad8b59c80819659e1fbf0f165230f633f2b22/keps/sig-auth/541-external-credential-providers/README.md
+type BuildPlan struct {
+	// APIVersion represents the versioned schema of the resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"\"v1alpha6\""`
+	// Kind represents the type of the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"BuildPlan\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+	// Spec specifies the desired state of the resource.
+	Spec BuildPlanSpec `json:"spec" yaml:"spec"`
+	// BuildContext represents values injected by holos just before evaluating a
+	// BuildPlan, for example the tempDir used for the build.
+	BuildContext BuildContext `json:"buildContext" yaml:"buildContext"`
+}
+
+// BuildContext represents build context values owned by the holos render
+// component command.  End users should not manage context field values.  End
+// users may reference fields from within CUE to refer to late binding
+// concrete values defined just before holos executes a [BuildPlan].
+//
+// Holos injects build context values by marshalling this struct to json through
+// the holos_build_context cue tag.
+//
+// Example usage from cue to produce a [BuildPlan]:
+//
+//	package holos
+//
+//	import (
+//	  "encoding/json"
+//	  "github.com/holos-run/holos/api/core/v1alpha6:core"
+//	)
+//
+//	_BuildContextJSON: string | *"{}" @tag(holos_build_context, type=string)
+//	BuildContext: core.#BuildContext & json.Unmarshal(_BuildContextJSON)
+//
+//	holos: core.#BuildPlan & {
+//	  buildContext: BuildContext
+//	  "spec": {
+//	    "artifacts": [
+//	      {
+//	        artifact: "components/slice",
+//	        "transformers": [
+//	          {
+//	            "kind": "Command"
+//	            "inputs": ["resources.gen.yaml"]
+//	            "output": artifact
+//	            "command": {
+//	              "args": [
+//	                "kubectl-slice",
+//	                "-f",
+//	                "\(buildContext.tempDir)/resources.gen.yaml",
+//	                "-o",
+//	                "\(buildContext.tempDir)/\(artifact)",
+//	              ]
+//	            }
+//	          }
+//	        ]
+//	      }
+//	    ]
+//	  }
+//	}
+type BuildContext struct {
+	// TempDir represents the temporary directory managed and owned by the holos
+	// render component command for the execution of one BuildPlan.  Multiple
+	// tasks in the build plan share this temporary directory and therefore should
+	// avoid reading and writing into the same sub-directories as one another.
+	TempDir string `json:"tempDir" yaml:"tempDir" cue:"string | *\"${TEMP_DIR_PLACEHOLDER}\""`
+	// RootDir represents the fully qualified path to the platform root directory.
+	// Useful to construct arguments for commands in BuildPlan tasks.
+	RootDir string `json:"rootDir" yaml:"rootDir" cue:"string | *\"${ROOT_DIR_PLACEHOLDER}\""`
+	// LeafDir represents the cleaned path to the holos component relative to the
+	// platform root.  Useful to construct arguments for commands in BuildPlan
+	// tasks.
+	LeafDir string `json:"leafDir" yaml:"leafDir" cue:"string | *\"${LEAF_DIR_PLACEHOLDER}\""`
+	// HolosExecutable represents the fully qualified path to the holos
+	// executable.  Useful to execute tools embedded as subcommands such as holos
+	// cue vet.
+	HolosExecutable string `json:"holosExecutable" yaml:"holosExecutable" cue:"string | *\"holos\""`
+}
+
+// TODO(jjm): Decide if RootDir and LeafDir are useful.  We have
+// [Component.Path] and [Command] executes with the platform root as the current
+// working directory.
+
+// BuildPlanSpec represents the specification of the [BuildPlan].
+type BuildPlanSpec struct {
+	// Artifacts represents the artifacts for holos to build.
+	Artifacts []Artifact `json:"artifacts" yaml:"artifacts"`
+	// Disabled causes the holos render platform command to skip the BuildPlan.
+	Disabled bool `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+}
+
+// Artifact represents one fully rendered manifest produced by a [Transformer]
+// sequence, which transforms a [Generator] collection.  A [BuildPlan] produces
+// an [Artifact] collection.
+//
+// Each Artifact produces one manifest file or directory artifact.  Generator
+// Output values are used as Transformer Inputs.  The Output field of the final
+// [Transformer] should have the same value as the Artifact field.
+//
+// When there is more than one [Generator] there should be at least one
+// [Transformer] to combine outputs into one Artifact file, or the final
+// artifact should be a directory containing the outputs of the generators.  If
+// there is a single Generator, it may directly produce the Artifact output.
+//
+// An Artifact is processed concurrently with other artifacts in the same
+// [BuildPlan].  One Artifact must not use an output of another Artifact as an
+// input.  Each [Generator] within an artifact also runs concurrently with
+// generators of the same artifact.  Each [Transformer] is executed sequentially
+// starting after all generators have completed.
+//
+// Output fields are write-once.  It is an error for multiple Generators or
+// Transformers to produce the same Output value within the context of a
+// [BuildPlan].
+//
+// When directories are used as inputs or outputs, they behave similar to how
+// `git` works with directories.  When the output field references a directory,
+// all files within the directory are recursively stored using their relative
+// path as a key.  Similar to git add .  When the input field references an
+// absent file, a / is appended and the resulting value is used as a prefix
+// match against all previous task outputs.
+type Artifact struct {
+	Artifact     FileOrDirectoryPath `json:"artifact,omitempty" yaml:"artifact,omitempty"`
+	Generators   []Generator         `json:"generators,omitempty" yaml:"generators,omitempty"`
+	Transformers []Transformer       `json:"transformers,omitempty" yaml:"transformers,omitempty"`
+	Validators   []Validator         `json:"validators,omitempty" yaml:"validators,omitempty"`
+	Skip         bool                `json:"skip,omitempty" yaml:"skip,omitempty"`
+}
+
+// Generator generates Kubernetes resources.  [Helm] and [Resources] are the
+// most commonly used, often paired together to mix-in resources to an
+// unmodified Helm chart.  A simple [File] generator is also available for use
+// with the [Kustomize] transformer.
+//
+// Each Generator in an [Artifact] must have a distinct Output value for a
+// [Transformer] to reference.
+//
+//  1. [Resources] - Generates resources from CUE code.
+//  2. [Helm] - Generates rendered yaml from a [Chart].
+//  3. [File] - Generates data by reading a file from the component directory.
+//  4. [Command] - Generates data by executing an user defined command.
+type Generator struct {
+	// Kind represents the kind of generator.  Must be Resources, Helm, or File.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Resources\" | \"Helm\" | \"File\" | \"Command\""`
+	// Output represents a file for a Transformer or Artifact to consume.
+	Output FileOrDirectoryPath `json:"output" yaml:"output"`
+	// Resources generator. Ignored unless kind is Resources.  Resources are
+	// stored as a two level struct.  The top level key is the Kind of resource,
+	// e.g. Namespace or Deployment.  The second level key is an arbitrary
+	// InternalLabel.  The third level is a map[string]any representing the
+	// Resource.
+	Resources Resources `json:"resources,omitempty" yaml:"resources,omitempty"`
+	// Helm generator. Ignored unless kind is Helm.
+	Helm Helm `json:"helm,omitempty" yaml:"helm,omitempty"`
+	// File generator. Ignored unless kind is File.
+	File File `json:"file,omitempty" yaml:"file,omitempty"`
+	// Command generator. Ignored unless kind is Command.
+	Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+
+// Resource represents one kubernetes api object.
+type Resource map[string]any
+
+// Resources represents Kubernetes resources.  Most commonly used to mix
+// resources into the [BuildPlan] generated from CUE, but may be generated from
+// elsewhere.
+type Resources map[Kind]map[InternalLabel]Resource
+
+// File represents a simple single file copy [Generator].  Useful with a
+// [Kustomize] [Transformer] to process plain manifest files stored in the
+// component directory.  Multiple File generators may be used to transform
+// multiple resources.
+type File struct {
+	// Source represents a file sub-path relative to the component path.
+	Source FilePath `json:"source" yaml:"source"`
+}
+
+// Helm represents a [Chart] manifest [Generator].
+type Helm struct {
+	// Chart represents a helm chart to manage.
+	Chart Chart `json:"chart" yaml:"chart"`
+	// Values represents values for holos to marshal into values.yaml when
+	// rendering the chart.  Values follow ValueFiles when both are provided.
+	Values Values `json:"values" yaml:"values"`
+	// ValueFiles represents hierarchial value files passed in order to the helm
+	// template -f flag.  Useful for migration from an ApplicationSet.  Use Values
+	// instead.  ValueFiles precede Values when both are provided.
+	ValueFiles []ValueFile `json:"valueFiles,omitempty" yaml:"valueFiles,omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `json:"enableHooks,omitempty" yaml:"enableHooks,omitempty"`
+	// Namespace represents the helm namespace flag
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
+}
+
+// ValueFile represents one Helm value file produced from CUE.
+type ValueFile struct {
+	// Name represents the file name, e.g. "region-values.yaml"
+	Name string `json:"name" yaml:"name"`
+	// Kind is a discriminator.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Values\""`
+	// Values represents values for holos to marshal into the file name specified
+	// by Name when rendering the chart.
+	Values Values `json:"values,omitempty" yaml:"values,omitempty"`
+}
+
+// Values represents [Helm] Chart values generated from CUE.
+type Values map[string]any
+
+// Chart represents a [Helm] Chart.
+type Chart struct {
+	// Name represents the chart name.
+	Name string `json:"name" yaml:"name"`
+	// Version represents the chart version.
+	Version string `json:"version" yaml:"version"`
+	// Release represents the chart release when executing helm template.
+	Release string `json:"release" yaml:"release"`
+	// Repository represents the repository to fetch the chart from.
+	Repository Repository `json:"repository,omitempty" yaml:"repository,omitempty"`
+}
+
+// Repository represents a [Helm] [Chart] repository.
+//
+// The Auth field is useful to configure http basic authentication to the Helm
+// repository.  Holos gets the username and password from the environment
+// variables represented by the Auth field.
+type Repository struct {
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+	URL  string `json:"url,omitempty" yaml:"url,omitempty"`
+	Auth Auth   `json:"auth,omitempty" yaml:"auth,omitempty"`
+}
+
+// Auth represents environment variable names containing auth credentials.
+type Auth struct {
+	Username AuthSource `json:"username" yaml:"username"`
+	Password AuthSource `json:"password" yaml:"password"`
+}
+
+// AuthSource represents a source for the value of an [Auth] field.
+type AuthSource struct {
+	Value   string `json:"value,omitempty" yaml:"value,omitempty"`
+	FromEnv string `json:"fromEnv,omitempty" yaml:"fromEnv,omitempty"`
+}
+
+// Transformer combines multiple inputs from prior [Generator] or [Transformer]
+// outputs into one output.  [Kustomize] is the most commonly used transformer.
+// A simple [Join] is also supported for use with plain manifest files.
+//
+//  1. [Kustomize] - Patch and transform the output from prior generators or
+//     transformers.  See [Introduction to Kustomize].
+//  2. [Join] - Concatenate multiple prior outputs into one output.
+//  3. [Command] - Transforms data by executing an user defined command.
+//
+// [Introduction to Kustomize]: https://kubectl.docs.kubernetes.io/guides/config_management/introduction/
+type Transformer struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Kustomize\" | \"Join\" | \"Command\""`
+	// Inputs represents the files to transform. The Output of prior Generators
+	// and Transformers.
+	Inputs []FileOrDirectoryPath `json:"inputs" yaml:"inputs"`
+	// Output represents a file or directory for a subsequent Transformer or
+	// Artifact to consume.
+	Output FileOrDirectoryPath `json:"output" yaml:"output"`
+	// Kustomize transformer. Ignored unless kind is Kustomize.
+	Kustomize Kustomize `json:"kustomize,omitempty" yaml:"kustomize,omitempty"`
+	// Join transformer. Ignored unless kind is Join.
+	Join Join `json:"join,omitempty" yaml:"join,omitempty"`
+	// Command transformer. Ignored unless kind is Command.
+	Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+
+// Join represents a [Transformer] using [bytes.Join] to concatenate multiple
+// inputs into one output with a separator.  Useful for combining output from
+// [Helm] and [Resources] together into one [Artifact] when [Kustomize] is
+// otherwise unnecessary.
+//
+// [bytes.Join]: https://pkg.go.dev/bytes#Join
+type Join struct {
+	Separator string `json:"separator,omitempty" yaml:"separator,omitempty"`
+}
+
+// Kustomize represents a kustomization [Transformer].
+type Kustomize struct {
+	// Kustomization represents the decoded kustomization.yaml file
+	Kustomization Kustomization `json:"kustomization" yaml:"kustomization"`
+	// Files holds file contents for kustomize, e.g. patch files.
+	Files FileContentMap `json:"files,omitempty" yaml:"files,omitempty"`
+}
+
+// Kustomization represents a kustomization.yaml file for use with the
+// [Kustomize] [Transformer].  Untyped to avoid tightly coupling holos to
+// kubectl versions which was a problem for the Flux maintainers.  Type checking
+// is expected to happen in CUE against the kubectl version the user prefers.
+type Kustomization map[string]any
+
+// FileContentMap represents a mapping of file paths to file contents.
+type FileContentMap map[FilePath]FileContent
+
+// FilePath represents a file path.
+type FilePath string
+
+// FileOrDirectoryPath represents a file or a directory path.
+type FileOrDirectoryPath string
+
+// FileContent represents file contents.
+type FileContent string
+
+// Validator validates files.  Useful to validate an [Artifact] prior to writing
+// it out to the final destination.  Holos may execute validators concurrently.
+// See the [validators] tutorial for an end to end example.
+//
+// [validators]: https://holos.run/docs/v1alpha6/tutorial/validators/
+type Validator struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Command\""`
+	// Inputs represents the files to validate.  Usually the final Artifact.
+	Inputs []FileOrDirectoryPath `json:"inputs" yaml:"inputs"`
+	// Command validator.  Ignored unless kind is Command.
+	Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+
+// Command represents a [BuildPlan] task implemented by executing an user
+// defined system command.  A task is defined as a [Generator], [Transformer],
+// or [Validator].  Commands are executed with the working directory set to the
+// platform root.
+type Command struct {
+	// DisplayName of the command.  The basename of args[0] is used if empty.
+	DisplayName string `json:"displayName,omitempty" yaml:"displayName,omitempty"`
+	// Args represents the argument vector passed to the os. to execute the
+	// command.
+	Args []string `json:"args,omitempty" yaml:"args,omitempty"`
+	// IsStdoutOutput captures the command stdout as the task output if true.
+	IsStdoutOutput bool `json:"isStdoutOutput,omitempty" yaml:"isStdoutOutput,omitempty"`
+}
+
+// InternalLabel is an arbitrary unique identifier internal to holos itself.
+// The holos cli is expected to never write a InternalLabel value to rendered
+// output files, therefore use a InternalLabel when the identifier must be
+// unique and internal.  Defined as a type for clarity and type checking.
+type InternalLabel string
+
+// Kind is a discriminator. Defined as a type for clarity and type checking.
+type Kind string
+
+// Metadata represents data about the resource such as the Name.
+type Metadata struct {
+	// Name represents the resource name.
+	Name string `json:"name" yaml:"name"`
+	// Labels represents a resource selector.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  For example
+	// holos uses the `app.holos.run/description` annotation to log resources in a
+	// user customized way.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
+// Platform represents a platform to manage.  A Platform specifies a [Component]
+// collection and integrates the components together into a holistic platform.
+// Holos iterates over the [Component] collection producing a [BuildPlan] for
+// each, which holos then executes to render manifests.
+//
+// Inspect a Platform resource holos would process by executing:
+//
+//	cue export --out yaml ./platform
+type Platform struct {
+	// APIVersion represents the versioned schema of this resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha6\""`
+	// Kind is a string value representing the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Platform\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+
+	// Spec represents the platform specification.
+	Spec PlatformSpec `json:"spec" yaml:"spec"`
+}
+
+// PlatformSpec represents the platform specification.
+type PlatformSpec struct {
+	// Components represents a collection of holos components to manage.
+	Components []Component `json:"components" yaml:"components"`
+}
+
+// Component represents the complete context necessary to produce a [BuildPlan]
+// from a path containing parameterized CUE configuration.
+type Component struct {
+	// Name represents the name of the component. Injected as the tag variable
+	// "holos_component_name".
+	Name string `json:"name" yaml:"name"`
+	// Path represents the path of the component relative to the platform root.
+	// Injected as the tag variable "holos_component_path".
+	Path string `json:"path" yaml:"path"`
+	// Parameters represent user defined input variables to produce various
+	// [BuildPlan] resources from one component path.  Injected as CUE @tag
+	// variables.  Parameters with a "holos_" prefix are reserved for use by the
+	// Holos Authors.  Multiple environments are a prime example of an input
+	// parameter that should always be user defined, never defined by Holos.
+	Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters,omitempty"`
+	// Labels represent selector labels for the component.  Holos copies Labels
+	// from the Component to the resulting BuildPlan.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  Use the
+	// `app.holos.run/description` to customize the log message of each BuildPlan.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
--- a/api/meta/v1alpha2/meta.go
+++ b/api/meta/v1alpha2/meta.go
@@ -1,37 +0,0 @@
-package v1alpha2
-
-// TypeMeta describes an individual object in an API response or request with
-// strings representing the type of the object and its API schema version.
-// Structures that are versioned or persisted should inline TypeMeta.
-type TypeMeta struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind"`
-	// APIVersion defines the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-}
-
-func (tm *TypeMeta) GetKind() string {
-	return tm.Kind
-}
-
-func (tm *TypeMeta) GetAPIVersion() string {
-	return tm.APIVersion
-}
-
-// Discriminator discriminates the kind of an api object.
-type Discriminator interface {
-	// GetKind returns Kind.
-	GetKind() string
-	// GetAPIVersion returns APIVersion.
-	GetAPIVersion() string
-}
-
-// ObjectMeta represents metadata of a holos component object. The fields are a
-// copy of upstream kubernetes api machinery but are holos objects distinct from
-// kubernetes api objects.
-type ObjectMeta struct {
-	// Name uniquely identifies the holos component instance and must be suitable as a file name.
-	Name string `json:"name,omitempty"`
-	// Namespace confines a holos component to a single namespace via kustomize if set.
-	Namespace string `json:"namespace,omitempty"`
-}
--- a/api/schema/v1alpha3/definitions.go
+++ b/api/schema/v1alpha3/definitions.go
@@ -1,150 +0,0 @@
-// Package v1alpha3 contains CUE definitions intended as convenience wrappers
-// around the core data types defined in package core.  The purpose of these
-// wrappers is to make life easier for platform engineers by reducing boiler
-// plate code and generating component build plans in a consistent manner.
-package v1alpha3
-
-import (
-	core "github.com/holos-run/holos/api/core/v1alpha3"
-	"google.golang.org/protobuf/types/known/structpb"
-)
-
-//go:generate ../../../hack/gendoc
-
-// Helm provides a BuildPlan via the Output field which contains one HelmChart
-// from package core.  Useful as a convenience wrapper to render a HelmChart
-// with optional mix-in resources and Kustomization post-processing.
-type Helm struct {
-	// Name represents the chart name.
-	Name string
-	// Version represents the chart version.
-	Version string
-	// Namespace represents the helm namespace option when rendering the chart.
-	Namespace string
-	// Resources are kubernetes api objects to mix into the output.
-	Resources map[string]any `cue:"{...}"`
-
-	// Repo represents the chart repository
-	Repo struct {
-		Name string `json:"name"`
-		URL  string `json:"url"`
-	}
-
-	// Values represents data to marshal into a values.yaml for helm.
-	Values interface{} `cue:"{...}"`
-
-	// Chart represents the derived HelmChart for inclusion in the BuildPlan
-	// Output field value.  The default HelmChart field values are derived from
-	// other Helm field values and should be sufficient for most use cases.
-	Chart core.HelmChart
-
-	// EnableKustomizePostProcessor processes helm output with kustomize if true.
-	EnableKustomizePostProcessor bool `cue:"true | *false"`
-
-	// KustomizeFiles represents additional files to include in a Kustomization
-	// resources list.  Useful to patch helm output.  The implementation is a
-	// struct with filename keys and structs as values.  Holos encodes the struct
-	// value to yaml then writes the result to the filename key.  Component
-	// authors may then reference the filename in the kustomization.yaml resources
-	// or patches lists.
-	// Requires EnableKustomizePostProcessor: true.
-	KustomizeFiles map[string]any `cue:"{[string]: {...}}"`
-
-	// KustomizePatches represents patches to apply to the helm output.  Requires
-	// EnableKustomizePostProcessor: true.
-	KustomizePatches map[core.InternalLabel]any `cue:"{[string]: {...}}"`
-
-	// KustomizeResources represents additional resources files to include in the
-	// kustomize resources list.
-	KustomizeResources map[string]any `cue:"{[string]: {...}}"`
-
-	// ArgoConfig represents the ArgoCD GitOps configuration for this Component.
-	ArgoConfig ArgoConfig
-
-	// Output represents the derived BuildPlan for the Holos cli to render.
-	Output core.BuildPlan
-}
-
-// Resources represents the default schema for a Kubernetes API object resource.
-// For example, a Service, Namespace or Deployment.  The top level key is the
-// kind of resource so default behavior and strict schema enforcement may be
-// enforced for the kind.  The second level keys are an arbitrary internal
-// label, which serves as the default value for the resource metadata name
-// field, but may differ for situations where the same resource kind and name
-// are managed in different namespaces.
-//
-// Refer to [definitions.cue] for the CUE schema definition as an example to
-// build on when defining your own Components.
-//
-// [definitions.cue]: https://github.com/holos-run/holos/blob/main/internal/generate/platforms/cue.mod/pkg/github.com/holos-run/holos/api/schema/v1alpha3/definitions.cue#L9
-// type Resources map[string]map[string]any
-
-// ArgoConfig represents the ArgoCD GitOps configuration for a Component.
-// Useful to define once at the root of the Platform configuration and reuse
-// across all Components.
-type ArgoConfig struct {
-	// Enabled causes holos to render an ArgoCD Application resource for GitOps if true.
-	Enabled bool `cue:"true | *false"`
-	// ClusterName represents the cluster within the platform the Application
-	// resource is intended for.
-	ClusterName string
-	// DeployRoot represents the path from the git repository root to the `deploy`
-	// rendering output directory.  Used as a prefix for the
-	// Application.spec.source.path field.
-	DeployRoot string `cue:"string | *\".\""`
-	// RepoURL represents the value passed to the Application.spec.source.repoURL
-	// field.
-	RepoURL string
-	// TargetRevision represents the value passed to the
-	// Application.spec.source.targetRevision field.  Defaults to the branch named
-	// main.
-	TargetRevision string `cue:"string | *\"main\""`
-}
-
-// Cluster represents a cluster managed by the Platform.
-type Cluster struct {
-	// Name represents the cluster name, for example "east1", "west1", or
-	// "management".
-	Name string `json:"name"`
-	// Primary represents if the cluster is marked as the primary among a set of
-	// candidate clusters.  Useful for promotion of database leaders.
-	Primary bool `json:"primary" cue:"true | *false"`
-}
-
-// Fleet represents a named collection of similarly configured Clusters.  Useful
-// to segregate workload clusters from their management cluster.
-type Fleet struct {
-	Name string `json:"name"`
-	// Clusters represents a mapping of Clusters by their name.
-	Clusters map[string]Cluster `json:"clusters" cue:"{[Name=_]: name: Name}"`
-}
-
-// StandardFleets represents the standard set of Clusters in a Platform
-// segmented into Fleets by their purpose.  The management Fleet contains a
-// single Cluster, for example a GKE autopilot cluster with no workloads
-// deployed for reliability and cost efficiency.  The workload Fleet contains
-// all other Clusters which contain workloads and sync Secrets from the
-// management cluster.
-type StandardFleets struct {
-	// Workload represents a Fleet of zero or more workload Clusters.
-	Workload Fleet `json:"workload" cue:"{name: \"workload\"}"`
-	// Management represents a Fleet with one Cluster named management.
-	Management Fleet `json:"management" cue:"{name: \"management\", clusters: management: _}"`
-}
-
-// Platform is a convenience structure to produce a core Platform specification
-// value in the Output field.  Useful to collect components at the root of the
-// Platform configuration tree as a struct, which are automatically converted
-// into a list for the core Platform spec output.
-type Platform struct {
-	// Name represents the Platform name.
-	Name string `cue:"string | *\"holos\""`
-	// Components is a structured map of components to manage by their name.
-	Components map[string]core.PlatformSpecComponent
-	// Model represents the Platform model holos gets from from the
-	// PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-	Model structpb.Struct `cue:"{...}"`
-	// Output represents the core Platform spec for the holos cli to iterate over
-	// and render each listed Component, injecting the Model.
-	Output core.Platform
-}
--- a/api/v1alpha1/buildplan.go
+++ b/api/v1alpha1/buildplan.go
@@ -1,56 +0,0 @@
-package v1alpha1
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-)
-
-// BuildPlan is the primary interface between CUE and the Holos cli.
-type BuildPlan struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	// Metadata represents the holos component name
-	Metadata ObjectMeta    `json:"metadata,omitempty" yaml:"metadata,omitempty"`
-	Spec     BuildPlanSpec `json:"spec,omitempty" yaml:"spec,omitempty"`
-}
-
-type BuildPlanSpec struct {
-	Disabled   bool                `json:"disabled,omitempty" yaml:"disabled,omitempty"`
-	Components BuildPlanComponents `json:"components,omitempty" yaml:"components,omitempty"`
-	// DeployFiles keys represent file paths relative to the cluster deploy
-	// directory.  Map values represent the string encoded file contents.  Used to
-	// write the argocd Application, but may be used to render any file from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
-}
-
-type BuildPlanComponents struct {
-	HelmChartList         []HelmChart                  `json:"helmChartList,omitempty" yaml:"helmChartList,omitempty"`
-	KubernetesObjectsList []KubernetesObjects          `json:"kubernetesObjectsList,omitempty" yaml:"kubernetesObjectsList,omitempty"`
-	KustomizeBuildList    []KustomizeBuild             `json:"kustomizeBuildList,omitempty" yaml:"kustomizeBuildList,omitempty"`
-	Resources             map[string]KubernetesObjects `json:"resources,omitempty" yaml:"resources,omitempty"`
-}
-
-func (bp *BuildPlan) Validate() error {
-	errs := make([]string, 0, 2)
-	if bp.Kind != BuildPlanKind {
-		errs = append(errs, fmt.Sprintf("kind invalid: want: %s have: %s", BuildPlanKind, bp.Kind))
-	}
-	if bp.APIVersion != APIVersion {
-		errs = append(errs, fmt.Sprintf("apiVersion invalid: want: %s have: %s", APIVersion, bp.APIVersion))
-	}
-	if len(errs) > 0 {
-		return errors.New("invalid BuildPlan: " + strings.Join(errs, ", "))
-	}
-	return nil
-}
-
-func (bp *BuildPlan) ResultCapacity() (count int) {
-	if bp == nil {
-		return 0
-	}
-	count = len(bp.Spec.Components.HelmChartList) +
-		len(bp.Spec.Components.KubernetesObjectsList) +
-		len(bp.Spec.Components.KustomizeBuildList) +
-		len(bp.Spec.Components.Resources)
-	return count
-}
--- a/api/v1alpha1/component.go
+++ b/api/v1alpha1/component.go
@@ -1,30 +0,0 @@
-package v1alpha1
-
-// HolosComponent defines the fields common to all holos component kinds including the Render Result.
-type HolosComponent struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	// Metadata represents the holos component name
-	Metadata ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
-	// APIObjectMap holds the marshalled representation of api objects. Think of
-	// these as resources overlaid at the back of the render pipeline.
-	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty" yaml:"apiObjectMap,omitempty"`
-	// Kustomization holds the marshalled representation of the flux kustomization
-	// which reconciles resources in git with the api server.
-	Kustomization `json:",inline" yaml:",inline"`
-	// Kustomize represents a kubectl kustomize build post-processing step.
-	Kustomize `json:",inline" yaml:",inline"`
-	// Skip causes holos to take no action regarding the component.
-	Skip bool
-}
-
-func (hc *HolosComponent) NewResult() *Result {
-	return &Result{HolosComponent: *hc}
-}
-
-func (hc *HolosComponent) GetAPIVersion() string {
-	return hc.APIVersion
-}
-
-func (hc *HolosComponent) GetKind() string {
-	return hc.Kind
-}
--- a/api/v1alpha1/constants.go
+++ b/api/v1alpha1/constants.go
@@ -1,11 +0,0 @@
-package v1alpha1
-
-const (
-	APIVersion    = "holos.run/v1alpha1"
-	BuildPlanKind = "BuildPlan"
-	HelmChartKind = "HelmChart"
-	// ChartDir is the directory name created in the holos component directory to cache a chart.
-	ChartDir = "vendor"
-	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
-	ResourcesFile = "resources.yaml"
-)
--- a/api/v1alpha1/doc.go
+++ b/api/v1alpha1/doc.go
@@ -1,2 +0,0 @@
-// Package v1alpha1 defines the api boundary between CUE and Holos.
-package v1alpha1
--- a/api/v1alpha1/form.go
+++ b/api/v1alpha1/form.go
@@ -1,13 +0,0 @@
-package v1alpha1
-
-import object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
-
-// Form represents a collection of Formly json powered form.
-type Form struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	Spec     FormSpec `json:"spec" yaml:"spec"`
-}
-
-type FormSpec struct {
-	Form object.Form `json:"form" yaml:"form"`
-}
--- a/api/v1alpha1/helm.go
+++ b/api/v1alpha1/helm.go
@@ -1,184 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"syscall"
-
-	"github.com/holos-run/holos"
-	"github.com/holos-run/holos/internal/errors"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/internal/util"
-)
-
-// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
-type HelmChart struct {
-	HolosComponent `json:",inline" yaml:",inline"`
-	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
-	Namespace     string `json:"namespace"`
-	Chart         Chart  `json:"chart"`
-	ValuesContent string `json:"valuesContent"`
-	EnableHooks   bool   `json:"enableHooks"`
-}
-
-type Chart struct {
-	Name       string     `json:"name"`
-	Version    string     `json:"version"`
-	Release    string     `json:"release"`
-	Repository Repository `json:"repository,omitempty"`
-}
-
-type Repository struct {
-	Name string `json:"name"`
-	URL  string `json:"url"`
-}
-
-func (hc *HelmChart) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
-	result := Result{HolosComponent: hc.HolosComponent}
-	if err := hc.helm(ctx, &result, path); err != nil {
-		return nil, err
-	}
-	result.addObjectMap(ctx, hc.APIObjectMap)
-	if err := result.kustomize(ctx); err != nil {
-		return nil, errors.Wrap(fmt.Errorf("could not kustomize: %w", err))
-	}
-	return &result, nil
-}
-
-// runHelm provides the values produced by CUE to helm template and returns
-// the rendered kubernetes api objects in the result.
-func (hc *HelmChart) helm(ctx context.Context, r *Result, path holos.InstancePath) error {
-	log := logger.FromContext(ctx).With("chart", hc.Chart.Name)
-	if hc.Chart.Name == "" {
-		log.WarnContext(ctx, "skipping helm: no chart name specified, use a different component type")
-		return nil
-	}
-
-	cachedChartPath := filepath.Join(string(path), ChartDir, filepath.Base(hc.Chart.Name))
-	if isNotExist(cachedChartPath) {
-		// Add repositories
-		repo := hc.Chart.Repository
-		if repo.URL != "" {
-			out, err := util.RunCmd(ctx, "helm", "repo", "add", repo.Name, repo.URL)
-			if err != nil {
-				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
-				return errors.Wrap(fmt.Errorf("could not run helm repo add: %w", err))
-			}
-			// Update repository
-			out, err = util.RunCmd(ctx, "helm", "repo", "update", repo.Name)
-			if err != nil {
-				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
-				return errors.Wrap(fmt.Errorf("could not run helm repo update: %w", err))
-			}
-		} else {
-			log.DebugContext(ctx, "no chart repository url proceeding assuming oci chart")
-		}
-
-		// Cache the chart
-		if err := cacheChart(ctx, path, ChartDir, hc.Chart); err != nil {
-			return fmt.Errorf("could not cache chart: %w", err)
-		}
-	}
-
-	// Write values file
-	tempDir, err := os.MkdirTemp("", "holos")
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not make temp dir: %w", err))
-	}
-	defer util.Remove(ctx, tempDir)
-
-	valuesPath := filepath.Join(tempDir, "values.yaml")
-	if err := os.WriteFile(valuesPath, []byte(hc.ValuesContent), 0644); err != nil {
-		return errors.Wrap(fmt.Errorf("could not write values: %w", err))
-	}
-	log.DebugContext(ctx, "helm: wrote values", "path", valuesPath, "bytes", len(hc.ValuesContent))
-
-	// Run charts
-	chart := hc.Chart
-	args := []string{"template"}
-	if !hc.EnableHooks {
-		args = append(args, "--no-hooks")
-	}
-	namespace := hc.Namespace
-	args = append(args, "--include-crds", "--values", valuesPath, "--namespace", namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Release, cachedChartPath)
-	helmOut, err := util.RunCmd(ctx, "helm", args...)
-	if err != nil {
-		stderr := helmOut.Stderr.String()
-		lines := strings.Split(stderr, "\n")
-		for _, line := range lines {
-			if strings.HasPrefix(line, "Error:") {
-				err = fmt.Errorf("%s: %w", line, err)
-			}
-		}
-		return errors.Wrap(fmt.Errorf("could not run helm template: %w", err))
-	}
-
-	r.accumulatedOutput = helmOut.Stdout.String()
-
-	return nil
-}
-
-// cacheChart stores a cached copy of Chart in the chart subdirectory of path.
-//
-// It is assumed that the only method responsible for writing to chartDir is
-// cacheChart itself.
-//
-// This relies on the atomicity of moving temporary directories into place on
-// the same filesystem via os.Rename. If a syscall.EEXIST error occurs during
-// renaming, it indicates that the cached chart already exists, which is an
-// expected scenario when this function is called concurrently.
-func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, chart Chart) error {
-	log := logger.FromContext(ctx)
-
-	cacheTemp, err := os.MkdirTemp(string(path), chartDir)
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not make temp dir: %w", err))
-	}
-	defer util.Remove(ctx, cacheTemp)
-
-	chartName := chart.Name
-	if chart.Repository.Name != "" {
-		chartName = fmt.Sprintf("%s/%s", chart.Repository.Name, chart.Name)
-	}
-	helmOut, err := util.RunCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, chartName)
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not run helm pull: %w", err))
-	}
-	log.Debug("helm pull", "stdout", helmOut.Stdout, "stderr", helmOut.Stderr)
-
-	cachePath := filepath.Join(string(path), chartDir)
-
-	if err := os.MkdirAll(cachePath, 0777); err != nil {
-		return errors.Wrap(fmt.Errorf("could not mkdir: %w", err))
-	}
-
-	items, err := os.ReadDir(cacheTemp)
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not read directory: %w", err))
-	}
-
-	for _, item := range items {
-		src := filepath.Join(cacheTemp, item.Name())
-		dst := filepath.Join(cachePath, item.Name())
-		log.DebugContext(ctx, "rename", "src", src, "dst", dst)
-		if err := os.Rename(src, dst); err != nil {
-			var linkErr *os.LinkError
-			if errors.As(err, &linkErr) && errors.Is(linkErr.Err, syscall.EEXIST) {
-				log.DebugContext(ctx, "cache already exists", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
-			} else {
-				return errors.Wrap(fmt.Errorf("could not rename: %w", err))
-			}
-		}
-	}
-
-	log.InfoContext(ctx, "cached", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
-
-	return nil
-}
-func isNotExist(path string) bool {
-	_, err := os.Stat(path)
-	return os.IsNotExist(err)
-}
--- a/api/v1alpha1/kubernetesobjects.go
+++ b/api/v1alpha1/kubernetesobjects.go
@@ -1,21 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-
-	"github.com/holos-run/holos"
-)
-
-const KubernetesObjectsKind = "KubernetesObjects"
-
-// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
-type KubernetesObjects struct {
-	HolosComponent `json:",inline" yaml:",inline"`
-}
-
-// Render produces kubernetes api objects from the APIObjectMap
-func (o *KubernetesObjects) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
-	result := Result{HolosComponent: o.HolosComponent}
-	result.addObjectMap(ctx, o.APIObjectMap)
-	return &result, nil
-}
--- a/api/v1alpha1/kustomization.go
+++ b/api/v1alpha1/kustomization.go
@@ -1,7 +0,0 @@
-package v1alpha1
-
-// Kustomization holds the rendered flux kustomization api object content for git ops.
-type Kustomization struct {
-	// KsContent is the yaml representation of the flux kustomization for gitops.
-	KsContent string `json:"ksContent,omitempty" yaml:"ksContent,omitempty"`
-}
--- a/api/v1alpha1/kustomize.go
+++ b/api/v1alpha1/kustomize.go
@@ -1,47 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-
-	"github.com/holos-run/holos"
-	"github.com/holos-run/holos/internal/errors"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/internal/util"
-)
-
-const KustomizeBuildKind = "KustomizeBuild"
-
-// Kustomize represents resources necessary to execute a kustomize build.
-// Intended for at least two use cases:
-//
-//  1. Process raw yaml file resources in a holos component directory.
-//  2. Post process a HelmChart to inject istio, add custom labels, etc...
-type Kustomize struct {
-	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
-	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty" yaml:"kustomizeFiles,omitempty"`
-	// ResourcesFile is the file name used for api objects in kustomization.yaml
-	ResourcesFile string `json:"resourcesFile,omitempty" yaml:"resourcesFile,omitempty"`
-}
-
-// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
-type KustomizeBuild struct {
-	HolosComponent `json:",inline" yaml:",inline"`
-}
-
-// Render produces a Result by executing kubectl kustomize on the holos
-// component path. Useful for processing raw yaml files.
-func (kb *KustomizeBuild) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
-	log := logger.FromContext(ctx)
-	result := Result{HolosComponent: kb.HolosComponent}
-	// Run kustomize.
-	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", string(path))
-	if err != nil {
-		log.ErrorContext(ctx, kOut.Stderr.String())
-		return nil, errors.Wrap(err)
-	}
-	// Replace the accumulated output
-	result.accumulatedOutput = kOut.Stdout.String()
-	// Add CUE based api objects.
-	result.addObjectMap(ctx, kb.APIObjectMap)
-	return &result, nil
-}
--- a/api/v1alpha1/objectmap.go
+++ b/api/v1alpha1/objectmap.go
@@ -1,14 +0,0 @@
-package v1alpha1
-
-// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
-type Label string
-
-// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
-type Kind string
-
-// APIObjectMap is the shape of marshalled api objects returned from cue to the
-// holos cli. A map is used to improve the clarity of error messages from cue.
-type APIObjectMap map[Kind]map[Label]string
-
-// FileContentMap is a map of file names to file contents.
-type FileContentMap map[string]string
--- a/api/v1alpha1/objectmeta.go
+++ b/api/v1alpha1/objectmeta.go
@@ -1,15 +0,0 @@
-package v1alpha1
-
-// ObjectMeta represents metadata of a holos component object. The fields are a
-// copy of upstream kubernetes api machinery but are by holos objects distinct
-// from kubernetes api objects.
-type ObjectMeta struct {
-	// Name uniquely identifies the holos component instance and must be suitable as a file name.
-	Name string `json:"name,omitempty" yaml:"name,omitempty"`
-	// Namespace confines a holos component to a single namespace via kustomize if set.
-	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
-	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
-	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
-	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
-	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
-}
--- a/api/v1alpha1/platform.go
+++ b/api/v1alpha1/platform.go
@@ -1,32 +0,0 @@
-package v1alpha1
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-// Platform represents a platform to manage.  A Platform resource informs holos
-// which components to build.  The platform resource also acts as a container
-// for the platform model form values provided by the PlatformService.  The
-// primary use case is to collect the cluster names, cluster types, platform
-// model, and holos components to build into one resource.
-type Platform struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	Metadata ObjectMeta   `json:"metadata" yaml:"metadata"`
-	Spec     PlatformSpec `json:"spec" yaml:"spec"`
-}
-
-// PlatformSpec represents the platform build plan specification.
-type PlatformSpec struct {
-	// Model represents the platform model holos gets from from the
-	// holos.platform.v1alpha1.PlatformService.GetPlatform method and provides to
-	// CUE using a tag.
-	Model      structpb.Struct         `json:"model" yaml:"model"`
-	Components []PlatformSpecComponent `json:"components" yaml:"components"`
-}
-
-// PlatformSpecComponent represents a component to build or render with flags to
-// pass, for example the cluster name.
-type PlatformSpecComponent struct {
-	// Path is the path of the component relative to the platform root.
-	Path string `json:"path" yaml:"path"`
-	// Cluster is the cluster name to use when building the component.
-	Cluster string `json:"cluster" yaml:"cluster"`
-}
--- a/api/v1alpha1/render.go
+++ b/api/v1alpha1/render.go
@@ -1,22 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-
-	"github.com/holos-run/holos"
-)
-
-type Renderer interface {
-	GetKind() string
-	Render(ctx context.Context, path holos.InstancePath) (*Result, error)
-}
-
-// Render produces a Result representing the kubernetes api objects to
-// configure. Each of the various holos component types, e.g. Helm, Kustomize,
-// et al, should implement the Renderer interface. This process is best
-// conceptualized as a data pipeline, for example a component may render a
-// result by first calling helm template, then passing the result through
-// kustomize, then mixing in overlay api objects.
-func Render(ctx context.Context, r Renderer, path holos.InstancePath) (*Result, error) {
-	return r.Render(ctx, path)
-}
--- a/api/v1alpha1/result.go
+++ b/api/v1alpha1/result.go
@@ -1,165 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-	"slices"
-
-	"github.com/holos-run/holos/internal/errors"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/internal/util"
-)
-
-// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
-type Result struct {
-	HolosComponent
-	// accumulatedOutput accumulates rendered api objects.
-	accumulatedOutput string
-	// DeployFiles keys represent file paths relative to the cluster deploy
-	// directory.  Map values represent the string encoded file contents.  Used to
-	// write the argocd Application, but may be used to render any file from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
-}
-
-// Continue returns true if Skip is true indicating the result is to be skipped over.
-func (r *Result) Continue() bool {
-	if r == nil {
-		return false
-	}
-	return r.Skip
-}
-
-func (r *Result) Name() string {
-	return r.Metadata.Name
-}
-
-func (r *Result) Filename(writeTo string, cluster string) string {
-	name := r.Metadata.Name
-	return filepath.Join(writeTo, "clusters", cluster, "components", name, name+".gen.yaml")
-}
-
-func (r *Result) KustomizationFilename(writeTo string, cluster string) string {
-	return filepath.Join(writeTo, "clusters", cluster, "holos", "components", r.Metadata.Name+"-kustomization.gen.yaml")
-}
-
-// AccumulatedOutput returns the accumulated rendered output.
-func (r *Result) AccumulatedOutput() string {
-	return r.accumulatedOutput
-}
-
-// addObjectMap renders the provided APIObjectMap into the accumulated output.
-func (r *Result) addObjectMap(ctx context.Context, objectMap APIObjectMap) {
-	log := logger.FromContext(ctx)
-	b := []byte(r.AccumulatedOutput())
-	kinds := make([]Kind, 0, len(objectMap))
-	// Sort the keys
-	for kind := range objectMap {
-		kinds = append(kinds, kind)
-	}
-	slices.Sort(kinds)
-
-	for _, kind := range kinds {
-		v := objectMap[kind]
-		// Sort the keys
-		names := make([]Label, 0, len(v))
-		for name := range v {
-			names = append(names, name)
-		}
-		slices.Sort(names)
-
-		for _, name := range names {
-			yamlString := v[name]
-			log.Debug(fmt.Sprintf("%s/%s", kind, name), "kind", kind, "name", name)
-			b = util.EnsureNewline(b)
-			header := fmt.Sprintf("---\n# Source: CUE apiObjects.%s.%s\n", kind, name)
-			b = append(b, []byte(header+yamlString)...)
-			b = util.EnsureNewline(b)
-		}
-	}
-	r.accumulatedOutput = string(b)
-}
-
-// kustomize replaces the accumulated output with the output of kustomize build
-func (r *Result) kustomize(ctx context.Context) error {
-	log := logger.FromContext(ctx)
-	if r.ResourcesFile == "" {
-		log.DebugContext(ctx, "skipping kustomize: no resourcesFile")
-		return nil
-	}
-	if len(r.KustomizeFiles) < 1 {
-		log.DebugContext(ctx, "skipping kustomize: no kustomizeFiles")
-		return nil
-	}
-	tempDir, err := os.MkdirTemp("", "holos.kustomize")
-	if err != nil {
-		return errors.Wrap(err)
-	}
-	defer util.Remove(ctx, tempDir)
-
-	// Write the main api object resources file for kustomize.
-	target := filepath.Join(tempDir, r.ResourcesFile)
-	b := []byte(r.AccumulatedOutput())
-	b = util.EnsureNewline(b)
-	if err := os.WriteFile(target, b, 0644); err != nil {
-		return errors.Wrap(fmt.Errorf("could not write resources: %w", err))
-	}
-	log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
-
-	// Write the kustomization tree, kustomization.yaml must be in this map for kustomize to work.
-	for file, content := range r.KustomizeFiles {
-		target := filepath.Join(tempDir, file)
-		if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
-			return errors.Wrap(err)
-		}
-		b := []byte(content)
-		b = util.EnsureNewline(b)
-		if err := os.WriteFile(target, b, 0644); err != nil {
-			return errors.Wrap(fmt.Errorf("could not write: %w", err))
-		}
-		log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
-	}
-
-	// Run kustomize.
-	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", tempDir)
-	if err != nil {
-		log.ErrorContext(ctx, kOut.Stderr.String())
-		return errors.Wrap(err)
-	}
-	// Replace the accumulated output
-	r.accumulatedOutput = kOut.Stdout.String()
-	return nil
-}
-
-func (r *Result) WriteDeployFiles(ctx context.Context, path string) error {
-	log := logger.FromContext(ctx)
-	if len(r.DeployFiles) == 0 {
-		return nil
-	}
-	for k, content := range r.DeployFiles {
-		path := filepath.Join(path, k)
-		if err := r.Save(ctx, path, content); err != nil {
-			return errors.Wrap(err)
-		}
-		log.InfoContext(ctx, "wrote deploy file", "path", path, "bytes", len(content))
-	}
-	return nil
-}
-
-// Save writes the content to the filesystem for git ops.
-func (r *Result) Save(ctx context.Context, path string, content string) error {
-	log := logger.FromContext(ctx)
-	dir := filepath.Dir(path)
-	if err := os.MkdirAll(dir, os.FileMode(0775)); err != nil {
-		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
-		return errors.Wrap(err)
-	}
-	// Write the file content
-	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
-		log.WarnContext(ctx, "could not write", "path", path, "err", err)
-		return errors.Wrap(err)
-	}
-	log.DebugContext(ctx, "out: wrote "+path, "action", "write", "path", path, "status", "ok")
-	return nil
-}
--- a/api/v1alpha1/typemeta.go
+++ b/api/v1alpha1/typemeta.go
@@ -1,20 +0,0 @@
-package v1alpha1
-
-type TypeMeta struct {
-	Kind       string `json:"kind,omitempty" yaml:"kind,omitempty"`
-	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
-}
-
-func (tm *TypeMeta) GetKind() string {
-	return tm.Kind
-}
-
-func (tm *TypeMeta) GetAPIVersion() string {
-	return tm.APIVersion
-}
-
-// Discriminator is an interface to discriminate the kind api object.
-type Discriminator interface {
-	GetKind() string
-	GetAPIVersion() string
-}
--- a/buf.gen.yaml
+++ b/buf.gen.yaml
@@ -1,20 +0,0 @@
-# Generates gRPC and ConnectRPC bindings for Go and TypeScript
-#
-# Note: protoc-gen-connect-query is the primary method of wiring up the React
-# frontend.
-version: v1
-plugins:
-  - plugin: go
-    out: service/gen
-    opt: paths=source_relative
-  - plugin: connect-go
-    out: service/gen
-    opt: paths=source_relative
-  - plugin: es
-    out: internal/frontend/holos/src/app/gen
-    opt:
-      - target=ts
-  - plugin: connect-es
-    out: internal/frontend/holos/src/app/gen
-    opt:
-      - target=ts
--- a/buf.lock
+++ b/buf.lock
@@ -1,8 +0,0 @@
-# Generated by buf. DO NOT EDIT.
-version: v1
-deps:
-  - remote: buf.build
-    owner: bufbuild
-    repository: protovalidate
-    commit: b983156c5e994cc9892e0ce3e64e17e0
-    digest: shake256:fb47a62989d38c2529bcc5cd86ded43d800eb84cee82b42b9e8a9e815d4ee8134a0fb9d0ce8299b27c2d2bbb7d6ade0c4ad5a8a4d467e1e2c7ca619ae9f634e2
--- a/buf.work.yaml
+++ b/buf.work.yaml
@@ -1,3 +0,0 @@
-version: v1
-directories:
-  - service
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -0,0 +1,34 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+
+	"github.com/holos-run/holos/internal/cli"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/version"
+)
+
+// MakeMain makes a main function for the cli or tests.
+func MakeMain(options ...holos.Option) func() int {
+	return func() (exitCode int) {
+		// TODO(jjm): check HOLOS_CHDIR and chdir if set for tests.
+		if len(os.Args) >= 2 && os.Args[1] == "version" {
+			if _, err := fmt.Println(version.GetVersion()); err != nil {
+				panic(err)
+			}
+			return 0
+		}
+		cfg := holos.New(options...)
+		slog.SetDefault(cfg.Logger())
+		ctx := context.Background()
+		cmd := cli.New(cfg)
+
+		if err := cmd.ExecuteContext(ctx); err != nil {
+			return cli.HandleError(ctx, err, cfg)
+		}
+		return 0
+	}
+}
--- a/cmd/holos/main.go
+++ b/cmd/holos/main.go
@@ -3,9 +3,9 @@ package main
 import (
 	"os"

-	"github.com/holos-run/holos/internal/cli"
+	"github.com/holos-run/holos/cmd"
 )

 func main() {
-	os.Exit(cli.MakeMain()())
+	os.Exit(cmd.MakeMain()())
 }
--- a/cmd/holos/main_test.go
+++ b/cmd/holos/main_test.go
@@ -2,20 +2,51 @@ package main

 import (
 	"os"
+	"path/filepath"
 	"testing"

-	"github.com/holos-run/holos/internal/cli"
+	cue "cuelang.org/go/cmd/cue/cmd"
+	"github.com/holos-run/holos/cmd"
 	"github.com/rogpeppe/go-internal/testscript"
 )

 func TestMain(m *testing.M) {
-	os.Exit(testscript.RunMain(m, map[string]func() int{
-		"holos": cli.MakeMain(),
-	}))
-}
-
-func TestGetSecrets(t *testing.T) {
-	testscript.Run(t, testscript.Params{
-		Dir: "testdata",
+	holosMain := cmd.MakeMain()
+	testscript.Main(m, map[string]func(){
+		"holos": func() { os.Exit(holosMain()) },
+		"cue":   func() { os.Exit(cue.Main()) },
 	})
 }
+
+func TestGuides_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "guides")))
+}
+
+func TestSchemas_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "schemas")))
+}
+
+func TestIssues_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "issues")))
+}
+
+func TestCLI(t *testing.T) {
+	testscript.Run(t, params("cli"))
+}
+
+func params(dir string) testscript.Params {
+	return testscript.Params{
+		Dir:                 filepath.Join("tests", dir),
+		RequireExplicitExec: true,
+		RequireUniqueNames:  os.Getenv("HOLOS_WORKDIR_ROOT") == "",
+		WorkdirRoot:         os.Getenv("HOLOS_WORKDIR_ROOT"),
+		UpdateScripts:       os.Getenv("HOLOS_UPDATE_SCRIPTS") != "",
+		Setup: func(env *testscript.Env) error {
+			// Just like cmd/cue/cmd.TestScript, set up separate cache and config dirs per test.
+			env.Setenv("CUE_CACHE_DIR", filepath.Join(env.WorkDir, "tmp/cachedir"))
+			configDir := filepath.Join(env.WorkDir, "tmp/configdir")
+			env.Setenv("CUE_CONFIG_DIR", configDir)
+			return nil
+		},
+	}
+}
--- a/cmd/holos/testdata/constraints.txt
+++ b/cmd/holos/testdata/constraints.txt
@@ -1,34 +0,0 @@
-# Want support for intermediary constraints
-exec holos build ./foo/... --log-level debug
-stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- foo/constraints.cue --
-package holos
-
-metadata: name: "jeff"
-- foo/bar/bar.cue --
-package holos
-
-spec: components: KubernetesObjectsList: [
-  #KubernetesObjects & {
-    apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
-  }
-]
-- schema.cue --
-package holos
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-#KubernetesObjects: {
-	apiVersion: "holos.run/v1alpha1"
-	kind: "KubernetesObjects"
-	apiObjectMap: {...}
-}
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
--- a/cmd/holos/testdata/issue15_cue_errors.txt
+++ b/cmd/holos/testdata/issue15_cue_errors.txt
@@ -1,20 +0,0 @@
-# Want cue errors to show files and lines
-! exec holos build .
-stderr 'apiObjectMap.foo.bar: cannot convert incomplete value'
-stderr '/component.cue:\d+:\d+$'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: KubernetesObjectsList: [{apiObjectMap: foo: bar: _baz}]
-
-_baz: string
--- a/cmd/holos/testdata/issue25_apiobjects_cue.txt
+++ b/cmd/holos/testdata/issue25_apiobjects_cue.txt
@@ -1,61 +0,0 @@
-# Want kube api objects in the apiObjects output.
-exec holos build .
-stdout '^kind: SecretStore$'
-stdout '# Source: CUE apiObjects.SecretStore.default'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: KubernetesObjectsList: [{apiObjectMap: #APIObjects.apiObjectMap}]
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-#SecretStore: {
-    kind: string
-    metadata: name: string
-}
-
-#APIObjects: {
-  apiObjects: {
-    SecretStore: {
-      default: #SecretStore & { metadata: name: "default" }
-    }
-  }
-}
-
-
-- schema.cue --
-package holos
-
-// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
-import "encoding/yaml"
-
-#APIObjects: {
-	// apiObjects holds each the api objects produced by cue.
-	apiObjects: {
-		[Kind=_]: {
-			[Name=_]: {
-				kind: Kind
-				metadata: name: Name
-			}
-		}
-	}
-
-	// apiObjectsContent holds the marshalled representation of apiObjects
-	apiObjectMap: {
-		for kind, v in apiObjects {
-			"\(kind)": {
-				for name, obj in v {
-				  "\(name)": yaml.Marshal(obj)
-			  }
-			}
-		}
-	}
-}
--- a/cmd/holos/testdata/issue25_apiobjects_helm.txt
+++ b/cmd/holos/testdata/issue25_apiobjects_helm.txt
@@ -1,62 +0,0 @@
-# Want kube api objects in the apiObjects output.
-exec holos build .
-stdout '^kind: SecretStore$'
-stdout '# Source: CUE apiObjects.SecretStore.default'
-stderr 'skipping helm: no chart name specified'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: HelmChartList: [{apiObjectMap: #APIObjects.apiObjectMap}]
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-#SecretStore: {
-    kind: string
-    metadata: name: string
-}
-
-#APIObjects: {
-  apiObjects: {
-    SecretStore: {
-      default: #SecretStore & { metadata: name: "default" }
-    }
-  }
-}
-
-
-- schema.cue --
-package holos
-
-// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
-import "encoding/yaml"
-
-#APIObjects: {
-	// apiObjects holds each the api objects produced by cue.
-	apiObjects: {
-		[Kind=_]: {
-			[Name=_]: {
-				kind: Kind
-				metadata: name: Name
-			}
-		}
-	}
-
-	// apiObjectsContent holds the marshalled representation of apiObjects
-	apiObjectMap: {
-		for kind, v in apiObjects {
-			"\(kind)": {
-				for name, obj in v {
-				  "\(name)": yaml.Marshal(obj)
-			  }
-			}
-		}
-	}
-}
--- a/cmd/holos/testdata/issue25_show_object_names.txt
+++ b/cmd/holos/testdata/issue25_show_object_names.txt
@@ -1,25 +0,0 @@
-# Want api object kind and name in errors
-! exec holos build .
-stderr 'apiObjects.secretstore.default.foo: field not allowed'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-apiVersion: "holos.run/v1alpha1"
-kind: "KubernetesObjects"
-cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-#SecretStore: {
-    metadata: name: string
-}
-
-apiObjects: {
-  secretstore: {
-    default: #SecretStore & { foo: "not allowed" }
-  }
-}
--- a/cmd/holos/testdata/issue33_helm_stderr.txt
+++ b/cmd/holos/testdata/issue33_helm_stderr.txt
@@ -1,289 +0,0 @@
-# Want helm errors to show up
-! exec holos build .
-stderr 'Error: execution error at \(zitadel/templates/secret_zitadel-masterkey.yaml:2:4\): Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- zitadel.cue --
-package holos
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: HelmChartList: [_HelmChart]
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-_HelmChart: {
-  apiVersion: "holos.run/v1alpha1"
-  kind: "HelmChart"
-  metadata: name: "zitadel"
-  namespace: "zitadel"
-  chart: {
-    name:    "zitadel"
-    version: "7.9.0"
-    release: name
-    repository: {
-      name: "zitadel"
-      url:  "https://charts.zitadel.com"
-    }
-  }
-}
-
-- vendor/zitadel/templates/secret_zitadel-masterkey.yaml --
-{{- if (or (and .Values.zitadel.masterkey .Values.zitadel.masterkeySecretName) (and (not .Values.zitadel.masterkey) (not .Values.zitadel.masterkeySecretName)) ) }}
-{{- fail "Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName" }}
-{{- end }}
-{{- if .Values.zitadel.masterkey -}}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: zitadel-masterkey
-  {{- with .Values.zitadel.masterkeyAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    {{- include "zitadel.labels" . | nindent 4 }}
-stringData:
-  masterkey: {{ .Values.zitadel.masterkey }}
-{{- end -}}
-- vendor/zitadel/Chart.yaml --
-apiVersion: v2
-appVersion: v2.46.0
-description: A Helm chart for ZITADEL
-icon: https://zitadel.com/zitadel-logo-dark.svg
-kubeVersion: '>= 1.21.0-0'
-maintainers:
- email: support@zitadel.com
-  name: zitadel
-  url: https://zitadel.com
-name: zitadel
-type: application
-version: 7.9.0
-- vendor/zitadel/values.yaml --
-# Default values for zitadel.
-zitadel:
-  # The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
-  # See all defaults here:
-  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
-  configmapConfig:
-    ExternalSecure: true
-    Machine:
-      Identification:
-        Hostname:
-          Enabled: true
-        Webhook:
-          Enabled: false
-
-  # The ZITADEL config under secretConfig is written to a Kubernetes Secret
-  # See all defaults here:
-  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
-  secretConfig:
-
-  # Annotations set on secretConfig secret
-  secretConfigAnnotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "0"
-
-  # Reference the name of a secret that contains ZITADEL configuration.
-  configSecretName:
-  # The key under which the ZITADEL configuration is located in the secret.
-  configSecretKey: config-yaml
-
-  # ZITADEL uses the masterkey for symmetric encryption.
-  # You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
-  masterkey: ""
-  # Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
-  # Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
-  masterkeySecretName: ""
-
-  # Annotations set on masterkey secret
-  masterkeyAnnotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "0"
-
-  # The CA Certificate needed for establishing secure database connections
-  dbSslCaCrt: ""
-
-  # The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
-  dbSslCaCrtSecret: ""
-
-  # The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
-  dbSslAdminCrtSecret: ""
-
-  # The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
-  dbSslUserCrtSecret: ""
-
-  # Generate a self-signed certificate using an init container
-  # This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
-  # E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
-  # By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
-  selfSignedCert:
-    enabled: false
-    additionalDnsName:
-
-replicaCount: 3
-
-image:
-  repository: ghcr.io/zitadel/zitadel
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: ""
-
-chownImage:
-  repository: alpine
-  pullPolicy: IfNotPresent
-  tag: "3.19"
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-# Annotations to add to the deployment
-annotations: {}
-
-# Annotations to add to the configMap
-configMap:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "0"
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "0"
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-podAnnotations: {}
-
-podAdditionalLabels: {}
-
-podSecurityContext:
-  runAsNonRoot: true
-  runAsUser: 1000
-
-securityContext: {}
-
-# Additional environment variables
-env:
-  []
-  # - name: ZITADEL_DATABASE_POSTGRES_HOST
-  #   valueFrom:
-  #     secretKeyRef:
-  #       name: postgres-pguser-postgres
-  #       key: host
-
-service:
-  type: ClusterIP
-  # If service type is "ClusterIP", this can optionally be set to a fixed IP address.
-  clusterIP: ""
-  port: 8080
-  protocol: http2
-  annotations: {}
-  scheme: HTTP
-
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-  hosts:
-    - host: localhost
-      paths:
-        - path: /
-          pathType: Prefix
-  tls: []
-
-resources: {}
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-topologySpreadConstraints: []
-
-initJob:
-  # Once ZITADEL is installed, the initJob can be disabled.
-  enabled: true
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "1"
-  resources: {}
-  backoffLimit: 5
-  activeDeadlineSeconds: 300
-  extraContainers: []
-  podAnnotations: {}
-  # Available init commands :
-  # "": initialize ZITADEL instance (without skip anything)
-  # database: initialize only the database
-  # grant: set ALL grant to user
-  # user: initialize only the database user
-  # zitadel: initialize ZITADEL internals (skip "create user" and "create database")
-  command: ""
-
-setupJob:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "2"
-  resources: {}
-  activeDeadlineSeconds: 300
-  extraContainers: []
-  podAnnotations: {}
-  additionalArgs:
-    - "--init-projections=true"
-  machinekeyWriter:
-    image:
-      repository: bitnami/kubectl
-      tag: ""
-    resources: {}
-
-readinessProbe:
-  enabled: true
-  initialDelaySeconds: 0
-  periodSeconds: 5
-  failureThreshold: 3
-
-livenessProbe:
-  enabled: true
-  initialDelaySeconds: 0
-  periodSeconds: 5
-  failureThreshold: 3
-
-startupProbe:
-  enabled: true
-  periodSeconds: 1
-  failureThreshold: 30
-
-metrics:
-  enabled: false
-  serviceMonitor:
-    # If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
-    # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
-    # The Prometheus community Helm chart installs this operator
-    # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
-    enabled: false
-    honorLabels: false
-    honorTimestamps: true
-
-pdb:
-  enabled: false
-  # these values are used for the PDB and are mutally exclusive
-  minAvailable: 1
-  # maxUnavailable: 1
-  annotations: {}
--- a/cmd/holos/testdata/issue42_kustomize_build_kind.txt
+++ b/cmd/holos/testdata/issue42_kustomize_build_kind.txt
@@ -1,39 +0,0 @@
-# Kustomize is a supported holos component kind
-exec holos render component --cluster-name=mycluster . --log-level=debug
-
-# Want generated output
-cmp want.yaml deploy/clusters/mycluster/components/kstest/kstest.gen.yaml
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: KustomizeBuildList: [{metadata: name: "kstest"}]
-
-- kustomization.yaml --
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: mynamespace
-resources:
- serviceaccount.yaml
-
-- serviceaccount.yaml --
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: test
-
-- want.yaml --
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: test
-  namespace: mynamespace
--- a/cmd/holos/testdata/issue72_disallow_unknown_fields.txt
+++ b/cmd/holos/testdata/issue72_disallow_unknown_fields.txt
@@ -1,17 +0,0 @@
-# https://github.com/holos-run/holos/issues/72
-# Want holos to fail on unknown fields to catch typos and aid refactors
-! exec holos build .
-stderr 'unknown field \\"TypoKubernetesObjectsList\\"'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: TypoKubernetesObjectsList: []
--- a/cmd/holos/tests/cli/cue-vet.txt
+++ b/cmd/holos/tests/cli/cue-vet.txt
@@ -0,0 +1,12 @@
+# https://github.com/holos-run/holos/issues/358
+# holos cue vet should fail verifications with exit code 1
+! exec holos cue vet ./policy --path strings.ToLower(kind) ./data/secret.yaml
+# holos cue vet should report validation errors to stderr
+stderr 'Forbidden. Use an ExternalSecret instead.'
+
+-- data/secret.yaml --
+kind: Secret
+-- policy/validators.cue --
+package policy
+
+secret: kind: "Forbidden. Use an ExternalSecret instead."
--- a/cmd/holos/tests/cli/first-impression.txt
+++ b/cmd/holos/tests/cli/first-impression.txt
@@ -0,0 +1,7 @@
+# https://github.com/holos-run/holos/issues/334
+exec holos
+stdout Usage
+exec holos --version
+stdout \d+\.\d+\.\d+
+exec holos version
+stdout \d+\.\d+\.\d+
--- a/cmd/holos/tests/cli/version.txt
+++ b/cmd/holos/tests/cli/version.txt
--- a/cmd/holos/tests/v1alpha5/guides/helm.txt
+++ b/cmd/holos/tests/v1alpha5/guides/helm.txt
--- a/cmd/holos/tests/v1alpha5/issues/issue348-kustomize-patch-name.txt
+++ b/cmd/holos/tests/v1alpha5/issues/issue348-kustomize-patch-name.txt
@@ -0,0 +1,65 @@
+# https://github.com/holos-run/holos/issues/348
+# when the optional kustomize patch name field is omitted
+exec holos init platform v1alpha5 --force
+# want a buildplan shown
+exec holos show buildplans
+cp stdout buildplan-output.yaml
+exec holos compare yaml buildplan-output.yaml buildplan.yaml
+# want this error to go away
+! stderr 'cannot convert non-concrete value string'
+-- platform/example.cue --
+package holos
+
+Platform: Components: example: {
+	name: "example"
+	path: "components/example"
+}
+-- components/example/example.cue --
+package holos
+
+import "encoding/yaml"
+
+holos: Component.BuildPlan
+
+Component: #Kustomize & {
+	KustomizeConfig: Kustomization: patches: [
+		{
+			target: kind: "CustomResourceDefinition"
+			patch: yaml.Marshal([{
+				op:    "add"
+				path:  "/metadata/annotations/example"
+				value: "example-value"
+			}])
+		},
+	]
+}
+-- buildplan.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: example
+spec:
+  artifacts:
+    - artifact: components/example/example.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/example/example.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              patches:
+                - patch: |
+                    - op: add
+                      path: /metadata/annotations/example
+                      value: example-value
+                  target:
+                    kind: CustomResourceDefinition
+                    name: ""
+              resources:
+                - resources.gen.yaml
--- a/cmd/holos/tests/v1alpha5/issues/issue366-cue-build-tags.txt
+++ b/cmd/holos/tests/v1alpha5/issues/issue366-cue-build-tags.txt
@@ -0,0 +1,52 @@
+# https://github.com/holos-run/holos/issues/366
+# Build tags conditionally include CUE files.
+env HOME=$WORK
+
+exec holos init platform v1alpha5 --force
+exec holos show platform
+cp stdout empty.yaml
+exec holos compare yaml empty.yaml want/empty.yaml
+
+exec holos show platform -t foo
+cp stdout foo.yaml
+exec holos compare yaml foo.yaml want/foo.yaml
+
+-- platform/empty.cue --
+@if(foo)
+package holos
+
+Platform: Components: foo: _
+-- platform/metadata.cue --
+package holos
+
+Platform: Components: [NAME=string]: {
+  name: NAME
+  path: "components/empty"
+  labels: "app.holos.run/name": NAME
+  annotations: "app.holos.run/description": "\(NAME) empty test case"
+}
+-- components/empty/empty.cue --
+package holos
+
+Component: #Kubernetes & {}
+holos: Component.BuildPlan
+-- want/empty.yaml --
+kind: Platform
+apiVersion: v1alpha5
+metadata:
+  name: default
+spec:
+  components: []
+-- want/foo.yaml --
+kind: Platform
+apiVersion: v1alpha5
+metadata:
+  name: default
+spec:
+  components:
+    - name: foo
+      path: components/empty
+      labels:
+        app.holos.run/name: foo
+      annotations:
+        app.holos.run/description: foo empty test case
--- a/cmd/holos/tests/v1alpha5/schemas/capabilities.txt
+++ b/cmd/holos/tests/v1alpha5/schemas/capabilities.txt
@@ -0,0 +1,147 @@
+# https://github.com/holos-run/holos/issues/330
+# take care to install helm 3.17.3 otherwise kube versions may not align
+exec holos init platform v1alpha5 --force
+# Make sure the helm chart works with plain helm
+exec helm template ./components/capabilities/vendor/0.1.0/capabilities
+stdout 'name: has-foo-v1beta1'
+stdout 'kubeVersion: v'
+exec holos render platform ./platform
+# When no capabilities are specified
+exec holos compare yaml deploy/components/capabilities/capabilities.gen.yaml want/when-no-capabilities-specified.yaml
+# With APIVersions specified
+exec holos compare yaml deploy/components/specified/specified.gen.yaml want/with-capabilities-specified.yaml
+# With KubeVersion specified
+exec holos compare yaml deploy/components/kubeversion1/kubeversion1.gen.yaml want/with-kubeversion-specified.yaml
+# With both APIVersions and KubeVersion specified
+exec holos compare yaml deploy/components/kubeversion2/kubeversion2.gen.yaml want/with-both-specified.yaml
+-- want/with-both-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-kubeversion-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/when-no-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.99.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.99.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- platform/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+Platform: Components: capabilities: {
+        name: "capabilities"
+        path: "components/capabilities"
+}
+Platform: Components: specified: {
+        name: "specified"
+        path: "components/capabilities"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+Platform: Components: kubeversion1: {
+        name: "kubeversion1"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+}
+Platform: Components: kubeversion2: {
+        name: "kubeversion2"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+-- components/capabilities/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+        Name: string @tag(holos_component_name, type=string)
+        Chart: name: "capabilities"
+        Chart: version: "0.1.0"
+        _APIVersions: string | *"[]" @tag(apiVersions, type=string)
+        APIVersions: json.Unmarshal(_APIVersions)
+        KubeVersion: string | *"v1.99.0" @tag(kubeVersion, type=string)
+}
+-- components/capabilities/vendor/0.1.0/capabilities/Chart.yaml --
+apiVersion: v2
+name: capabilities
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+-- components/capabilities/vendor/0.1.0/capabilities/templates/service.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Capabilities.APIVersions.Has "foo/v1" }}
+  name: has-foo-v1
+{{- else }}
+  name: has-foo-v1beta1
+{{- end }}
+  annotations:
+    kubeVersion: {{ .Capabilities.KubeVersion }}
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+-- want/helm-template.yaml --
+---
+# Source: capabilities/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: has-foo-v1beta1
+  annotations:
+    kubeVersion: v1.99.0
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
--- a/cmd/holos/tests/v1alpha5/schemas/kubernetes.txt
+++ b/cmd/holos/tests/v1alpha5/schemas/kubernetes.txt
@@ -0,0 +1,46 @@
+# author.#Kubernetes
+
+# Start in an empty directory.
+cd $WORK
+
+# Generate the directory structure we're going to work in.
+exec holos init platform v1alpha5 --force
+
+# Platforms are empty by default.
+exec holos render platform
+stderr -count=1 '^rendered platform'
+
+# When author.#Kubernetes is empty
+exec holos cue export --expression holos --out=yaml ./components/empty
+cp stdout empty.yaml
+exec holos compare yaml empty.yaml want.txt
+
+-- components/empty/empty.cue --
+package holos
+
+Kubernetes: #Kubernetes & {}
+holos: Kubernetes.BuildPlan
+-- want.txt --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: no-name
+spec:
+  artifacts:
+    - artifact: components/no-name/no-name.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+          resources: {}
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/no-name/no-name.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+      validators: []
--- a/cmd/holos/tests/v1alpha5/schemas/validators.txt
+++ b/cmd/holos/tests/v1alpha5/schemas/validators.txt
@@ -0,0 +1,37 @@
+# https://github.com/holos-run/holos/issues/357
+exec holos init platform v1alpha5 --force
+! exec holos render platform
+stderr 'secret.kind: conflicting values "Forbidden. Use an ExternalSecret instead." and "Secret"'
+
+-- validators.cue --
+package holos
+
+import "github.com/holos-run/holos/api/author/v1alpha5:author"
+
+#ComponentConfig: author.#ComponentConfig & {
+	Validators: cue: {
+		kind: "Command"
+		command: args: ["holos", "cue", "vet", "./policy", "--path", "strings.ToLower(kind)"]
+	}
+}
+-- policy/validations.cue --
+package validations
+
+secret: kind: "Forbidden. Use an ExternalSecret instead."
+-- platform/example.cue --
+package holos
+
+Platform: Components: example: {
+	name: "example"
+	path: "components/example"
+}
+-- components/example/secret.cue --
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Kubernetes & {
+	Resources: Secret: test: {
+		metadata: name: "test"
+	}
+}
--- a/doc/md/api.mdx
+++ b/doc/md/api.mdx
@@ -0,0 +1,10 @@
+---
+slug: api
+description: Schema Reference
+---
+
+import DocCardList from '@theme/DocCardList';
+
+# Schema Reference
+
+<DocCardList />
--- a/doc/md/api/author.md
+++ b/doc/md/api/author.md
@@ -0,0 +1,189 @@
+---
+title: Author Schemas
+description: Standardized schemas for component authors.
+sidebar_position: 200
+---
+<!-- Code generated by gomarkdoc. DO NOT EDIT -->
+
+
+```go
+import "github.com/holos-run/holos/api/author/v1alpha6"
+```
+
+Package author contains a standard set of schemas for component authors to generate common [core](<https://holos.run/docs/api/core/>) BuildPlans.
+
+Holos values stability, flexibility, and composition. This package intentionally defines only the minimal necessary set of structures. Component authors are encouraged to define their own structures building on our example [topics](<https://holos.run/docs/topics/>).
+
+The Holos Maintainers may add definitions to this package if the community identifies nearly all users must define the exact same structure. Otherwise, definitions should be added as a customizable example in [topics](<https://holos.run/docs/topics/>).
+
+For example, structures representing a cluster and environment almost always need to be defined. Their definition varies from one organization to the next. Therefore, customizable definitions for a cluster and environment are best maintained in [topics](<https://holos.run/docs/topics/>), not standardized in this package.
+
+## Index
+
+- [type ComponentConfig](<#ComponentConfig>)
+- [type Helm](<#Helm>)
+- [type Kubernetes](<#Kubernetes>)
+- [type Kustomize](<#Kustomize>)
+- [type KustomizeConfig](<#KustomizeConfig>)
+- [type NameLabel](<#NameLabel>)
+- [type Platform](<#Platform>)
+
+
+<a name="ComponentConfig"></a>
+## type ComponentConfig {#ComponentConfig}
+
+ComponentConfig represents the configuration common to all kinds of components for use with the holos render component command. All component kinds may be transformed with [kustomize](<https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/>) configured with the [KustomizeConfig](<#KustomizeConfig>) field.
+
+- [Helm](<#Helm>) charts.
+- [Kubernetes](<#Kubernetes>) resources generated from CUE.
+- [Kustomize](<#Kustomize>) bases.
+
+```go
+type ComponentConfig struct {
+    // Name represents the BuildPlan metadata.name field.  Used to construct the
+    // fully rendered manifest file path.
+    Name string
+    // Labels represent the BuildPlan metadata.labels field.
+    Labels map[string]string
+    // Annotations represent the BuildPlan metadata.annotations field.
+    Annotations map[string]string
+
+    // Path represents the path to the component producing the BuildPlan.
+    Path string
+    // Parameters are useful to reuse a component with various parameters.
+    // Injected as CUE @tag variables.  Parameters with a "holos_" prefix are
+    // reserved for use by the Holos Authors.
+    Parameters map[string]string
+    // OutputBaseDir represents the output base directory used when assembling
+    // artifacts.  Useful to organize components by clusters or other parameters.
+    // For example, holos writes resource manifests to
+    // {WriteTo}/{OutputBaseDir}/components/{Name}/{Name}.gen.yaml
+    OutputBaseDir string `cue:"string | *\"\""`
+
+    // Resources represents kubernetes resources mixed into the rendered manifest.
+    Resources core.Resources
+    // KustomizeConfig represents the kustomize configuration.
+    KustomizeConfig KustomizeConfig
+    // Validators represent checks that must pass for output to be written.
+    Validators map[NameLabel]core.Validator
+    // Artifacts represents additional artifacts to mix in.  Useful for adding
+    // GitOps resources.  Each Artifact is unified without modification into the
+    // BuildPlan.
+    Artifacts map[NameLabel]core.Artifact
+}
+```
+
+<a name="Helm"></a>
+## type Helm {#Helm}
+
+Helm assembles a BuildPlan rendering a helm chart. Useful to mix in additional resources from CUE and transform the helm output with kustomize.
+
+```go
+type Helm struct {
+    ComponentConfig `json:",inline"`
+
+    // Chart represents a Helm chart.
+    Chart core.Chart
+    // Values represents data to marshal into a values.yaml for helm.
+    Values core.Values
+    // ValueFiles represents value files for migration from helm value
+    // hierarchies.  Use Values instead.
+    ValueFiles []core.ValueFile `json:",omitempty"`
+    // EnableHooks enables helm hooks when executing the `helm template` command.
+    EnableHooks bool `cue:"true | *false"`
+    // Namespace sets the helm chart namespace flag if provided.
+    Namespace string `json:",omitempty"`
+    // APIVersions represents the helm template --api-versions flag
+    APIVersions []string `json:",omitempty"`
+    // KubeVersion represents the helm template --kube-version flag
+    KubeVersion string `json:",omitempty"`
+
+    // BuildPlan represents the derived BuildPlan produced for the holos render
+    // component command.
+    BuildPlan core.BuildPlan
+}
+```
+
+<a name="Kubernetes"></a>
+## type Kubernetes {#Kubernetes}
+
+Kubernetes assembles a BuildPlan containing inline resources exported from CUE.
+
+```go
+type Kubernetes struct {
+    ComponentConfig `json:",inline"`
+
+    // BuildPlan represents the derived BuildPlan produced for the holos render
+    // component command.
+    BuildPlan core.BuildPlan
+}
+```
+
+<a name="Kustomize"></a>
+## type Kustomize {#Kustomize}
+
+Kustomize assembles a BuildPlan rendering manifests from a [kustomize](<https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/>) kustomization.
+
+```go
+type Kustomize struct {
+    ComponentConfig `json:",inline"`
+
+    // BuildPlan represents the derived BuildPlan produced for the holos render
+    // component command.
+    BuildPlan core.BuildPlan
+}
+```
+
+<a name="KustomizeConfig"></a>
+## type KustomizeConfig {#KustomizeConfig}
+
+KustomizeConfig represents the configuration for [kustomize](<https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/>) post processing. Use the Files field to mix in plain manifest files located in the component directory. Use the Resources field to mix in manifests from network urls.
+
+```go
+type KustomizeConfig struct {
+    // Kustomization represents the kustomization used to transform resources.
+    // Note the resources field is internally managed from the Files and Resources fields.
+    Kustomization map[string]any `json:",omitempty"`
+    // Files represents files to copy from the component directory for kustomization.
+    Files map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+    // Resources represents additional entries to included in the resources list.
+    Resources map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+    // CommonLabels represents common labels added without including selectors.
+    CommonLabels map[string]string
+}
+```
+
+<a name="NameLabel"></a>
+## type NameLabel {#NameLabel}
+
+NameLabel represents the common use case of converting a struct to a list where the name field of each value unifies with the field name of the outer struct.
+
+For example:
+
+```
+S: [NameLabel=string]: name: NameLabel
+S: jeff: _
+S: gary: _
+S: nate: _
+L: [for x in S {x}]
+// L is [{name: "jeff"}, {name: "gary"}, {name: "nate"}]
+```
+
+```go
+type NameLabel string
+```
+
+<a name="Platform"></a>
+## type Platform {#Platform}
+
+Platform assembles a core Platform in the Resource field for the holos render platform command. Use the Components field to register components with the platform.
+
+```go
+type Platform struct {
+    Name       string                       `json:"name" yaml:"name" cue:"string | *\"default\""`
+    Components map[NameLabel]core.Component `json:"components" yaml:"components"`
+    Resource   core.Platform                `json:"resource" yaml:"resource"`
+}
+```
+
+Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)
--- a/doc/md/api/core.md
+++ b/doc/md/api/core.md
@@ -0,0 +1,621 @@
+---
+title: Core Schemas
+description: BuildPlan defines the holos rendering pipeline.
+sidebar_position: 100
+---
+<!-- Code generated by gomarkdoc. DO NOT EDIT -->
+
+
+```go
+import "github.com/holos-run/holos/api/core/v1alpha6"
+```
+
+Package core contains schemas for a [Platform](<#Platform>) and [BuildPlan](<#BuildPlan>). Holos takes a [Platform](<#Platform>) as input, then iterates over each [Component](<#Component>) to produce a [BuildPlan](<#BuildPlan>). Holos processes the [BuildPlan](<#BuildPlan>) to produce fully rendered manifests, each an [Artifact](<#Artifact>).
+
+## Index
+
+- [Constants](<#constants>)
+- [type Artifact](<#Artifact>)
+- [type Auth](<#Auth>)
+- [type AuthSource](<#AuthSource>)
+- [type BuildContext](<#BuildContext>)
+- [type BuildPlan](<#BuildPlan>)
+- [type BuildPlanSpec](<#BuildPlanSpec>)
+- [type Chart](<#Chart>)
+- [type Command](<#Command>)
+- [type Component](<#Component>)
+- [type File](<#File>)
+- [type FileContent](<#FileContent>)
+- [type FileContentMap](<#FileContentMap>)
+- [type FileOrDirectoryPath](<#FileOrDirectoryPath>)
+- [type FilePath](<#FilePath>)
+- [type Generator](<#Generator>)
+- [type Helm](<#Helm>)
+- [type InternalLabel](<#InternalLabel>)
+- [type Join](<#Join>)
+- [type Kind](<#Kind>)
+- [type Kustomization](<#Kustomization>)
+- [type Kustomize](<#Kustomize>)
+- [type Metadata](<#Metadata>)
+- [type Platform](<#Platform>)
+- [type PlatformSpec](<#PlatformSpec>)
+- [type Repository](<#Repository>)
+- [type Resource](<#Resource>)
+- [type Resources](<#Resources>)
+- [type Transformer](<#Transformer>)
+- [type Validator](<#Validator>)
+- [type ValueFile](<#ValueFile>)
+- [type Values](<#Values>)
+
+
+## Constants
+
+<a name="BuildContextTag"></a>BuildContextTag represents the cue tag holos render component uses to inject the json representation of a [BuildContext](<#BuildContext>) for use in a BuildPlan.
+
+```go
+const BuildContextTag string = "holos_build_context"
+```
+
+<a name="ComponentAnnotationsTag"></a>ComponentAnnotationsTag represents the tag holos uses to inject the json representation of [Component](<#Component>) metadata annotations from the holos render platform command to the holos render component command.
+
+```go
+const ComponentAnnotationsTag = "holos_component_annotations"
+```
+
+<a name="ComponentLabelsTag"></a>ComponentLabelsTag represents the cue tag holos uses to inject the json representation of [Component](<#Component>) metadata labels from the holos render platform command to the holos render component command.
+
+```go
+const ComponentLabelsTag string = "holos_component_labels"
+```
+
+<a name="ComponentNameTag"></a>ComponentNameTag represents the cue tag holos uses to inject a [Component](<#Component>) name from the holos render platform command to the holos render component command.
+
+```go
+const ComponentNameTag string = "holos_component_name"
+```
+
+<a name="ComponentPathTag"></a>ComponentPathTag represents the cue tag holos uses to inject a [Component](<#Component>) path relative to the cue module root from the holos render platform command to the holos render component command.
+
+```go
+const ComponentPathTag string = "holos_component_path"
+```
+
+<a name="Artifact"></a>
+## type Artifact {#Artifact}
+
+Artifact represents one fully rendered manifest produced by a [Transformer](<#Transformer>) sequence, which transforms a [Generator](<#Generator>) collection. A [BuildPlan](<#BuildPlan>) produces an [Artifact](<#Artifact>) collection.
+
+Each Artifact produces one manifest file or directory artifact. Generator Output values are used as Transformer Inputs. The Output field of the final [Transformer](<#Transformer>) should have the same value as the Artifact field.
+
+When there is more than one [Generator](<#Generator>) there should be at least one [Transformer](<#Transformer>) to combine outputs into one Artifact file, or the final artifact should be a directory containing the outputs of the generators. If there is a single Generator, it may directly produce the Artifact output.
+
+An Artifact is processed concurrently with other artifacts in the same [BuildPlan](<#BuildPlan>). One Artifact must not use an output of another Artifact as an input. Each [Generator](<#Generator>) within an artifact also runs concurrently with generators of the same artifact. Each [Transformer](<#Transformer>) is executed sequentially starting after all generators have completed.
+
+Output fields are write\-once. It is an error for multiple Generators or Transformers to produce the same Output value within the context of a [BuildPlan](<#BuildPlan>).
+
+When directories are used as inputs or outputs, they behave similar to how \`git\` works with directories. When the output field references a directory, all files within the directory are recursively stored using their relative path as a key. Similar to git add . When the input field references an absent file, a / is appended and the resulting value is used as a prefix match against all previous task outputs.
+
+```go
+type Artifact struct {
+    Artifact     FileOrDirectoryPath `json:"artifact,omitempty" yaml:"artifact,omitempty"`
+    Generators   []Generator         `json:"generators,omitempty" yaml:"generators,omitempty"`
+    Transformers []Transformer       `json:"transformers,omitempty" yaml:"transformers,omitempty"`
+    Validators   []Validator         `json:"validators,omitempty" yaml:"validators,omitempty"`
+    Skip         bool                `json:"skip,omitempty" yaml:"skip,omitempty"`
+}
+```
+
+<a name="Auth"></a>
+## type Auth {#Auth}
+
+Auth represents environment variable names containing auth credentials.
+
+```go
+type Auth struct {
+    Username AuthSource `json:"username" yaml:"username"`
+    Password AuthSource `json:"password" yaml:"password"`
+}
+```
+
+<a name="AuthSource"></a>
+## type AuthSource {#AuthSource}
+
+AuthSource represents a source for the value of an [Auth](<#Auth>) field.
+
+```go
+type AuthSource struct {
+    Value   string `json:"value,omitempty" yaml:"value,omitempty"`
+    FromEnv string `json:"fromEnv,omitempty" yaml:"fromEnv,omitempty"`
+}
+```
+
+<a name="BuildContext"></a>
+## type BuildContext {#BuildContext}
+
+BuildContext represents build context values owned by the holos render component command. End users should not manage context field values. End users may reference fields from within CUE to refer to late binding concrete values defined just before holos executes a [BuildPlan](<#BuildPlan>).
+
+Holos injects build context values by marshalling this struct to json through the holos\_build\_context cue tag.
+
+Example usage from cue to produce a [BuildPlan](<#BuildPlan>):
+
+```
+package holos
+
+import (
+  "encoding/json"
+  "github.com/holos-run/holos/api/core/v1alpha6:core"
+)
+
+_BuildContextJSON: string | *"{}" @tag(holos_build_context, type=string)
+BuildContext: core.#BuildContext & json.Unmarshal(_BuildContextJSON)
+
+holos: core.#BuildPlan & {
+  buildContext: BuildContext
+  "spec": {
+    "artifacts": [
+      {
+        artifact: "components/slice",
+        "transformers": [
+          {
+            "kind": "Command"
+            "inputs": ["resources.gen.yaml"]
+            "output": artifact
+            "command": {
+              "args": [
+                "kubectl-slice",
+                "-f",
+                "\(buildContext.tempDir)/resources.gen.yaml",
+                "-o",
+                "\(buildContext.tempDir)/\(artifact)",
+              ]
+            }
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+```go
+type BuildContext struct {
+    // TempDir represents the temporary directory managed and owned by the holos
+    // render component command for the execution of one BuildPlan.  Multiple
+    // tasks in the build plan share this temporary directory and therefore should
+    // avoid reading and writing into the same sub-directories as one another.
+    TempDir string `json:"tempDir" yaml:"tempDir" cue:"string | *\"${TEMP_DIR_PLACEHOLDER}\""`
+    // RootDir represents the fully qualified path to the platform root directory.
+    // Useful to construct arguments for commands in BuildPlan tasks.
+    RootDir string `json:"rootDir" yaml:"rootDir" cue:"string | *\"${ROOT_DIR_PLACEHOLDER}\""`
+    // LeafDir represents the cleaned path to the holos component relative to the
+    // platform root.  Useful to construct arguments for commands in BuildPlan
+    // tasks.
+    LeafDir string `json:"leafDir" yaml:"leafDir" cue:"string | *\"${LEAF_DIR_PLACEHOLDER}\""`
+    // HolosExecutable represents the fully qualified path to the holos
+    // executable.  Useful to execute tools embedded as subcommands such as holos
+    // cue vet.
+    HolosExecutable string `json:"holosExecutable" yaml:"holosExecutable" cue:"string | *\"holos\""`
+}
+```
+
+<a name="BuildPlan"></a>
+## type BuildPlan {#BuildPlan}
+
+BuildPlan represents an implementation of the [rendered manifest pattern](<https://akuity.io/blog/the-rendered-manifests-pattern>). Holos processes a BuildPlan to produce one or more [Artifact](<#Artifact>) output files. BuildPlan artifact files usually contain Kubernetes manifests, but they may have any content.
+
+A BuildPlan usually produces two artifacts. One artifact contains a manifest of resources. A second artifact contains a GitOps resource to manage the first, usually an ArgoCD Application resource.
+
+Holos uses CUE to construct a BuildPlan. Holos injects late binding values such as the build temp dir using the [BuildContext](<#BuildContext>).
+
+```go
+type BuildPlan struct {
+    // APIVersion represents the versioned schema of the resource.
+    APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"\"v1alpha6\""`
+    // Kind represents the type of the resource.
+    Kind string `json:"kind" yaml:"kind" cue:"\"BuildPlan\""`
+    // Metadata represents data about the resource such as the Name.
+    Metadata Metadata `json:"metadata" yaml:"metadata"`
+    // Spec specifies the desired state of the resource.
+    Spec BuildPlanSpec `json:"spec" yaml:"spec"`
+    // BuildContext represents values injected by holos just before evaluating a
+    // BuildPlan, for example the tempDir used for the build.
+    BuildContext BuildContext `json:"buildContext" yaml:"buildContext"`
+}
+```
+
+<a name="BuildPlanSpec"></a>
+## type BuildPlanSpec {#BuildPlanSpec}
+
+BuildPlanSpec represents the specification of the [BuildPlan](<#BuildPlan>).
+
+```go
+type BuildPlanSpec struct {
+    // Artifacts represents the artifacts for holos to build.
+    Artifacts []Artifact `json:"artifacts" yaml:"artifacts"`
+    // Disabled causes the holos render platform command to skip the BuildPlan.
+    Disabled bool `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+}
+```
+
+<a name="Chart"></a>
+## type Chart {#Chart}
+
+Chart represents a [Helm](<#Helm>) Chart.
+
+```go
+type Chart struct {
+    // Name represents the chart name.
+    Name string `json:"name" yaml:"name"`
+    // Version represents the chart version.
+    Version string `json:"version" yaml:"version"`
+    // Release represents the chart release when executing helm template.
+    Release string `json:"release" yaml:"release"`
+    // Repository represents the repository to fetch the chart from.
+    Repository Repository `json:"repository,omitempty" yaml:"repository,omitempty"`
+}
+```
+
+<a name="Command"></a>
+## type Command {#Command}
+
+Command represents a [BuildPlan](<#BuildPlan>) task implemented by executing an user defined system command. A task is defined as a [Generator](<#Generator>), [Transformer](<#Transformer>), or [Validator](<#Validator>). Commands are executed with the working directory set to the platform root.
+
+```go
+type Command struct {
+    // DisplayName of the command.  The basename of args[0] is used if empty.
+    DisplayName string `json:"displayName,omitempty" yaml:"displayName,omitempty"`
+    // Args represents the argument vector passed to the os. to execute the
+    // command.
+    Args []string `json:"args,omitempty" yaml:"args,omitempty"`
+    // IsStdoutOutput captures the command stdout as the task output if true.
+    IsStdoutOutput bool `json:"isStdoutOutput,omitempty" yaml:"isStdoutOutput,omitempty"`
+}
+```
+
+<a name="Component"></a>
+## type Component {#Component}
+
+Component represents the complete context necessary to produce a [BuildPlan](<#BuildPlan>) from a path containing parameterized CUE configuration.
+
+```go
+type Component struct {
+    // Name represents the name of the component. Injected as the tag variable
+    // "holos_component_name".
+    Name string `json:"name" yaml:"name"`
+    // Path represents the path of the component relative to the platform root.
+    // Injected as the tag variable "holos_component_path".
+    Path string `json:"path" yaml:"path"`
+    // Parameters represent user defined input variables to produce various
+    // [BuildPlan] resources from one component path.  Injected as CUE @tag
+    // variables.  Parameters with a "holos_" prefix are reserved for use by the
+    // Holos Authors.  Multiple environments are a prime example of an input
+    // parameter that should always be user defined, never defined by Holos.
+    Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters,omitempty"`
+    // Labels represent selector labels for the component.  Holos copies Labels
+    // from the Component to the resulting BuildPlan.
+    Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+    // Annotations represents arbitrary non-identifying metadata.  Use the
+    // `app.holos.run/description` to customize the log message of each BuildPlan.
+    Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+```
+
+<a name="File"></a>
+## type File {#File}
+
+File represents a simple single file copy [Generator](<#Generator>). Useful with a [Kustomize](<#Kustomize>) [Transformer](<#Transformer>) to process plain manifest files stored in the component directory. Multiple File generators may be used to transform multiple resources.
+
+```go
+type File struct {
+    // Source represents a file sub-path relative to the component path.
+    Source FilePath `json:"source" yaml:"source"`
+}
+```
+
+<a name="FileContent"></a>
+## type FileContent {#FileContent}
+
+FileContent represents file contents.
+
+```go
+type FileContent string
+```
+
+<a name="FileContentMap"></a>
+## type FileContentMap {#FileContentMap}
+
+FileContentMap represents a mapping of file paths to file contents.
+
+```go
+type FileContentMap map[FilePath]FileContent
+```
+
+<a name="FileOrDirectoryPath"></a>
+## type FileOrDirectoryPath {#FileOrDirectoryPath}
+
+FileOrDirectoryPath represents a file or a directory path.
+
+```go
+type FileOrDirectoryPath string
+```
+
+<a name="FilePath"></a>
+## type FilePath {#FilePath}
+
+FilePath represents a file path.
+
+```go
+type FilePath string
+```
+
+<a name="Generator"></a>
+## type Generator {#Generator}
+
+Generator generates Kubernetes resources. [Helm](<#Helm>) and [Resources](<#Resources>) are the most commonly used, often paired together to mix\-in resources to an unmodified Helm chart. A simple [File](<#File>) generator is also available for use with the [Kustomize](<#Kustomize>) transformer.
+
+Each Generator in an [Artifact](<#Artifact>) must have a distinct Output value for a [Transformer](<#Transformer>) to reference.
+
+1. [Resources](<#Resources>) \- Generates resources from CUE code.
+2. [Helm](<#Helm>) \- Generates rendered yaml from a [Chart](<#Chart>).
+3. [File](<#File>) \- Generates data by reading a file from the component directory.
+4. [Command](<#Command>) \- Generates data by executing an user defined command.
+
+```go
+type Generator struct {
+    // Kind represents the kind of generator.  Must be Resources, Helm, or File.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Resources\" | \"Helm\" | \"File\" | \"Command\""`
+    // Output represents a file for a Transformer or Artifact to consume.
+    Output FileOrDirectoryPath `json:"output" yaml:"output"`
+    // Resources generator. Ignored unless kind is Resources.  Resources are
+    // stored as a two level struct.  The top level key is the Kind of resource,
+    // e.g. Namespace or Deployment.  The second level key is an arbitrary
+    // InternalLabel.  The third level is a map[string]any representing the
+    // Resource.
+    Resources Resources `json:"resources,omitempty" yaml:"resources,omitempty"`
+    // Helm generator. Ignored unless kind is Helm.
+    Helm Helm `json:"helm,omitempty" yaml:"helm,omitempty"`
+    // File generator. Ignored unless kind is File.
+    File File `json:"file,omitempty" yaml:"file,omitempty"`
+    // Command generator. Ignored unless kind is Command.
+    Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+```
+
+<a name="Helm"></a>
+## type Helm {#Helm}
+
+Helm represents a [Chart](<#Chart>) manifest [Generator](<#Generator>).
+
+```go
+type Helm struct {
+    // Chart represents a helm chart to manage.
+    Chart Chart `json:"chart" yaml:"chart"`
+    // Values represents values for holos to marshal into values.yaml when
+    // rendering the chart.  Values follow ValueFiles when both are provided.
+    Values Values `json:"values" yaml:"values"`
+    // ValueFiles represents hierarchial value files passed in order to the helm
+    // template -f flag.  Useful for migration from an ApplicationSet.  Use Values
+    // instead.  ValueFiles precede Values when both are provided.
+    ValueFiles []ValueFile `json:"valueFiles,omitempty" yaml:"valueFiles,omitempty"`
+    // EnableHooks enables helm hooks when executing the `helm template` command.
+    EnableHooks bool `json:"enableHooks,omitempty" yaml:"enableHooks,omitempty"`
+    // Namespace represents the helm namespace flag
+    Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+    // APIVersions represents the helm template --api-versions flag
+    APIVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"`
+    // KubeVersion represents the helm template --kube-version flag
+    KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
+}
+```
+
+<a name="InternalLabel"></a>
+## type InternalLabel {#InternalLabel}
+
+InternalLabel is an arbitrary unique identifier internal to holos itself. The holos cli is expected to never write a InternalLabel value to rendered output files, therefore use a InternalLabel when the identifier must be unique and internal. Defined as a type for clarity and type checking.
+
+```go
+type InternalLabel string
+```
+
+<a name="Join"></a>
+## type Join {#Join}
+
+Join represents a [Transformer](<#Transformer>) using [bytes.Join](<https://pkg.go.dev/bytes#Join>) to concatenate multiple inputs into one output with a separator. Useful for combining output from [Helm](<#Helm>) and [Resources](<#Resources>) together into one [Artifact](<#Artifact>) when [Kustomize](<#Kustomize>) is otherwise unnecessary.
+
+```go
+type Join struct {
+    Separator string `json:"separator,omitempty" yaml:"separator,omitempty"`
+}
+```
+
+<a name="Kind"></a>
+## type Kind {#Kind}
+
+Kind is a discriminator. Defined as a type for clarity and type checking.
+
+```go
+type Kind string
+```
+
+<a name="Kustomization"></a>
+## type Kustomization {#Kustomization}
+
+Kustomization represents a kustomization.yaml file for use with the [Kustomize](<#Kustomize>) [Transformer](<#Transformer>). Untyped to avoid tightly coupling holos to kubectl versions which was a problem for the Flux maintainers. Type checking is expected to happen in CUE against the kubectl version the user prefers.
+
+```go
+type Kustomization map[string]any
+```
+
+<a name="Kustomize"></a>
+## type Kustomize {#Kustomize}
+
+Kustomize represents a kustomization [Transformer](<#Transformer>).
+
+```go
+type Kustomize struct {
+    // Kustomization represents the decoded kustomization.yaml file
+    Kustomization Kustomization `json:"kustomization" yaml:"kustomization"`
+    // Files holds file contents for kustomize, e.g. patch files.
+    Files FileContentMap `json:"files,omitempty" yaml:"files,omitempty"`
+}
+```
+
+<a name="Metadata"></a>
+## type Metadata {#Metadata}
+
+Metadata represents data about the resource such as the Name.
+
+```go
+type Metadata struct {
+    // Name represents the resource name.
+    Name string `json:"name" yaml:"name"`
+    // Labels represents a resource selector.
+    Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+    // Annotations represents arbitrary non-identifying metadata.  For example
+    // holos uses the `app.holos.run/description` annotation to log resources in a
+    // user customized way.
+    Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+```
+
+<a name="Platform"></a>
+## type Platform {#Platform}
+
+Platform represents a platform to manage. A Platform specifies a [Component](<#Component>) collection and integrates the components together into a holistic platform. Holos iterates over the [Component](<#Component>) collection producing a [BuildPlan](<#BuildPlan>) for each, which holos then executes to render manifests.
+
+Inspect a Platform resource holos would process by executing:
+
+```
+cue export --out yaml ./platform
+```
+
+```go
+type Platform struct {
+    // APIVersion represents the versioned schema of this resource.
+    APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha6\""`
+    // Kind is a string value representing the resource.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Platform\""`
+    // Metadata represents data about the resource such as the Name.
+    Metadata Metadata `json:"metadata" yaml:"metadata"`
+
+    // Spec represents the platform specification.
+    Spec PlatformSpec `json:"spec" yaml:"spec"`
+}
+```
+
+<a name="PlatformSpec"></a>
+## type PlatformSpec {#PlatformSpec}
+
+PlatformSpec represents the platform specification.
+
+```go
+type PlatformSpec struct {
+    // Components represents a collection of holos components to manage.
+    Components []Component `json:"components" yaml:"components"`
+}
+```
+
+<a name="Repository"></a>
+## type Repository {#Repository}
+
+Repository represents a [Helm](<#Helm>) [Chart](<#Chart>) repository.
+
+The Auth field is useful to configure http basic authentication to the Helm repository. Holos gets the username and password from the environment variables represented by the Auth field.
+
+```go
+type Repository struct {
+    Name string `json:"name" yaml:"name"`
+    URL  string `json:"url" yaml:"url"`
+    Auth Auth   `json:"auth,omitempty" yaml:"auth,omitempty"`
+}
+```
+
+<a name="Resource"></a>
+## type Resource {#Resource}
+
+Resource represents one kubernetes api object.
+
+```go
+type Resource map[string]any
+```
+
+<a name="Resources"></a>
+## type Resources {#Resources}
+
+Resources represents Kubernetes resources. Most commonly used to mix resources into the [BuildPlan](<#BuildPlan>) generated from CUE, but may be generated from elsewhere.
+
+```go
+type Resources map[Kind]map[InternalLabel]Resource
+```
+
+<a name="Transformer"></a>
+## type Transformer {#Transformer}
+
+Transformer combines multiple inputs from prior [Generator](<#Generator>) or [Transformer](<#Transformer>) outputs into one output. [Kustomize](<#Kustomize>) is the most commonly used transformer. A simple [Join](<#Join>) is also supported for use with plain manifest files.
+
+1. [Kustomize](<#Kustomize>) \- Patch and transform the output from prior generators or transformers. See [Introduction to Kustomize](<https://kubectl.docs.kubernetes.io/guides/config_management/introduction/>).
+2. [Join](<#Join>) \- Concatenate multiple prior outputs into one output.
+3. [Command](<#Command>) \- Transforms data by executing an user defined command.
+
+```go
+type Transformer struct {
+    // Kind represents the kind of transformer. Must be Kustomize, or Join.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Kustomize\" | \"Join\" | \"Command\""`
+    // Inputs represents the files to transform. The Output of prior Generators
+    // and Transformers.
+    Inputs []FileOrDirectoryPath `json:"inputs" yaml:"inputs"`
+    // Output represents a file or directory for a subsequent Transformer or
+    // Artifact to consume.
+    Output FileOrDirectoryPath `json:"output" yaml:"output"`
+    // Kustomize transformer. Ignored unless kind is Kustomize.
+    Kustomize Kustomize `json:"kustomize,omitempty" yaml:"kustomize,omitempty"`
+    // Join transformer. Ignored unless kind is Join.
+    Join Join `json:"join,omitempty" yaml:"join,omitempty"`
+    // Command transformer. Ignored unless kind is Command.
+    Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+```
+
+<a name="Validator"></a>
+## type Validator {#Validator}
+
+Validator validates files. Useful to validate an [Artifact](<#Artifact>) prior to writing it out to the final destination. Holos may execute validators concurrently. See the [validators](<https://holos.run/docs/v1alpha6/tutorial/validators/>) tutorial for an end to end example.
+
+```go
+type Validator struct {
+    // Kind represents the kind of transformer. Must be Kustomize, or Join.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Command\""`
+    // Inputs represents the files to validate.  Usually the final Artifact.
+    Inputs []FileOrDirectoryPath `json:"inputs" yaml:"inputs"`
+    // Command validator.  Ignored unless kind is Command.
+    Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+```
+
+<a name="ValueFile"></a>
+## type ValueFile {#ValueFile}
+
+ValueFile represents one Helm value file produced from CUE.
+
+```go
+type ValueFile struct {
+    // Name represents the file name, e.g. "region-values.yaml"
+    Name string `json:"name" yaml:"name"`
+    // Kind is a discriminator.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Values\""`
+    // Values represents values for holos to marshal into the file name specified
+    // by Name when rendering the chart.
+    Values Values `json:"values,omitempty" yaml:"values,omitempty"`
+}
+```
+
+<a name="Values"></a>
+## type Values {#Values}
+
+Values represents [Helm](<#Helm>) Chart values generated from CUE.
+
+```go
+type Values map[string]any
+```
+
+Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)
--- a/doc/md/api/core/index.md
+++ b/doc/md/api/core/index.md
@@ -1,3 +0,0 @@
-# Core API
-
- [v1alpha2](v1alpha2)
--- a/doc/md/api/core/v1alpha2.md
+++ b/doc/md/api/core/v1alpha2.md
@@ -1,403 +0,0 @@
-<!-- Code generated by gomarkdoc. DO NOT EDIT -->
-
-# v1alpha2
-
-```go
-import "github.com/holos-run/holos/api/core/v1alpha2"
-```
-
-Package v1alpha2 contains the core API contract between the holos cli and CUE configuration code. Platform designers, operators, and software developers use this API to write configuration in CUE which \`holos\` loads. The overall shape of the API defines imperative actions \`holos\` should carry out to render the complete yaml that represents a Platform.
-
-[Platform](<#Platform>) defines the complete configuration of a platform. With the holos reference platform this takes the shape of one management cluster and at least two workload cluster. Each cluster has multiple [HolosComponent](<#HolosComponent>) resources applied to it.
-
-Each holos component path, e.g. \`components/namespaces\` produces exactly one [BuildPlan](<#BuildPlan>) which in turn contains a set of [HolosComponent](<#HolosComponent>) kinds.
-
-The primary kinds of [HolosComponent](<#HolosComponent>) are:
-
-1. [HelmChart](<#HelmChart>) to render config from a helm chart.
-2. [KustomizeBuild](<#KustomizeBuild>) to render config from [Kustomize](<#Kustomize>)
-3. [KubernetesObjects](<#KubernetesObjects>) to render [APIObjects](<#APIObjects>) defined directly in CUE configuration.
-
-Note that Holos operates as a data pipeline, so the output of a [HelmChart](<#HelmChart>) may be provided to [Kustomize](<#Kustomize>) for post\-processing.
-
-## Index
-
- [Constants](<#constants>)
- [type APIObject](<#APIObject>)
- [type APIObjectMap](<#APIObjectMap>)
- [type APIObjects](<#APIObjects>)
- [type BuildPlan](<#BuildPlan>)
- [type BuildPlanComponents](<#BuildPlanComponents>)
- [type BuildPlanSpec](<#BuildPlanSpec>)
- [type Chart](<#Chart>)
- [type FileContent](<#FileContent>)
- [type FileContentMap](<#FileContentMap>)
- [type FilePath](<#FilePath>)
- [type HelmChart](<#HelmChart>)
- [type HolosComponent](<#HolosComponent>)
- [type Kind](<#Kind>)
- [type KubernetesObjects](<#KubernetesObjects>)
- [type Kustomize](<#Kustomize>)
- [type KustomizeBuild](<#KustomizeBuild>)
- [type Label](<#Label>)
- [type Metadata](<#Metadata>)
- [type Platform](<#Platform>)
- [type PlatformMetadata](<#PlatformMetadata>)
- [type PlatformSpec](<#PlatformSpec>)
- [type PlatformSpecComponent](<#PlatformSpecComponent>)
- [type Repository](<#Repository>)
-
-
-## Constants
-
-<a name="APIVersion"></a>
-
-```go
-const (
-    APIVersion    = "v1alpha2"
-    BuildPlanKind = "BuildPlan"
-    HelmChartKind = "HelmChart"
-    // ChartDir is the directory name created in the holos component directory to cache a chart.
-    ChartDir = "vendor"
-    // ResourcesFile is the file name used to store component output when post-processing with kustomize.
-    ResourcesFile = "resources.yaml"
-)
-```
-
-<a name="KubernetesObjectsKind"></a>
-
-```go
-const KubernetesObjectsKind = "KubernetesObjects"
-```
-
-<a name="APIObject"></a>
-## type APIObject {#APIObject}
-
-APIObject represents the most basic generic form of a single kubernetes api object. Represented as a JSON object internally for compatibility between tools, for example loading from CUE.
-
-```go
-type APIObject structpb.Struct
-```
-
-<a name="APIObjectMap"></a>
-## type APIObjectMap {#APIObjectMap}
-
-APIObjectMap represents the marshalled yaml representation of kubernetes api objects. Do not produce an APIObjectMap directly, instead use [APIObjects](<#APIObjects>) to produce the marshalled yaml representation from CUE data, then provide the result to [HolosComponent](<#HolosComponent>).
-
-```go
-type APIObjectMap map[Kind]map[Label]string
-```
-
-<a name="APIObjects"></a>
-## type APIObjects {#APIObjects}
-
-APIObjects represents Kubernetes API objects defined directly from CUE code. Useful to mix in resources to any kind of [HolosComponent](<#HolosComponent>), for example adding an ExternalSecret resource to a [HelmChart](<#HelmChart>).
-
-[Kind](<#Kind>) must be the resource kind, e.g. Deployment or Service.
-
-[Label](<#Label>) is an arbitrary internal identifier to uniquely identify the resource within the context of a \`holos\` command. Holos will never write the intermediate label to rendered output.
-
-Refer to [HolosComponent](<#HolosComponent>) which accepts an [APIObjectMap](<#APIObjectMap>) field provided by [APIObjects](<#APIObjects>).
-
-```go
-type APIObjects struct {
-    APIObjects   map[Kind]map[Label]APIObject `json:"apiObjects"`
-    APIObjectMap APIObjectMap                 `json:"apiObjectMap"`
-}
-```
-
-<a name="BuildPlan"></a>
-## type BuildPlan {#BuildPlan}
-
-BuildPlan represents a build plan for the holos cli to execute. The purpose of a BuildPlan is to define one or more [HolosComponent](<#HolosComponent>) kinds. For example a [HelmChart](<#HelmChart>), [KustomizeBuild](<#KustomizeBuild>), or [KubernetesObjects](<#KubernetesObjects>).
-
-A BuildPlan usually has an additional empty [KubernetesObjects](<#KubernetesObjects>) for the purpose of using the [HolosComponent](<#HolosComponent>) DeployFiles field to deploy an ArgoCD or Flux gitops resource for the holos component.
-
-```go
-type BuildPlan struct {
-    Kind       string        `json:"kind" cue:"\"BuildPlan\""`
-    APIVersion string        `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-    Spec       BuildPlanSpec `json:"spec"`
-}
-```
-
-<a name="BuildPlanComponents"></a>
-## type BuildPlanComponents {#BuildPlanComponents}
-
-
-
-```go
-type BuildPlanComponents struct {
-    Resources             map[Label]KubernetesObjects `json:"resources,omitempty"`
-    KubernetesObjectsList []KubernetesObjects         `json:"kubernetesObjectsList,omitempty"`
-    HelmChartList         []HelmChart                 `json:"helmChartList,omitempty"`
-    KustomizeBuildList    []KustomizeBuild            `json:"kustomizeBuildList,omitempty"`
-}
-```
-
-<a name="BuildPlanSpec"></a>
-## type BuildPlanSpec {#BuildPlanSpec}
-
-BuildPlanSpec represents the specification of the build plan.
-
-```go
-type BuildPlanSpec struct {
-    // Disabled causes the holos cli to take no action over the [BuildPlan].
-    Disabled bool `json:"disabled,omitempty"`
-    // Components represents multiple [HolosComponent] kinds to manage.
-    Components BuildPlanComponents `json:"components,omitempty"`
-}
-```
-
-<a name="Chart"></a>
-## type Chart {#Chart}
-
-Chart represents a helm chart.
-
-```go
-type Chart struct {
-    // Name represents the chart name.
-    Name string `json:"name"`
-    // Version represents the chart version.
-    Version string `json:"version"`
-    // Release represents the chart release when executing helm template.
-    Release string `json:"release"`
-    // Repository represents the repository to fetch the chart from.
-    Repository Repository `json:"repository,omitempty"`
-}
-```
-
-<a name="FileContent"></a>
-## type FileContent {#FileContent}
-
-FileContent represents file contents.
-
-```go
-type FileContent string
-```
-
-<a name="FileContentMap"></a>
-## type FileContentMap {#FileContentMap}
-
-FileContentMap represents a mapping of file paths to file contents. Paths are relative to the \`holos\` output "deploy" directory, and may contain sub\-directories.
-
-```go
-type FileContentMap map[FilePath]FileContent
-```
-
-<a name="FilePath"></a>
-## type FilePath {#FilePath}
-
-FilePath represents a file path.
-
-```go
-type FilePath string
-```
-
-<a name="HelmChart"></a>
-## type HelmChart {#HelmChart}
-
-HelmChart represents a holos component which wraps around an upstream helm chart. Holos orchestrates helm by providing values obtained from CUE, renders the output using \`helm template\`, then post\-processes the helm output yaml using the general functionality provided by [HolosComponent](<#HolosComponent>), for example [Kustomize](<#Kustomize>) post\-rendering and mixing in additional kubernetes api objects.
-
-```go
-type HelmChart struct {
-    HolosComponent `json:",inline"`
-    Kind           string `json:"kind" cue:"\"HelmChart\""`
-
-    // Chart represents a helm chart to manage.
-    Chart Chart `json:"chart"`
-    // ValuesContent represents the values.yaml file holos passes to the `helm
-    // template` command.
-    ValuesContent string `json:"valuesContent"`
-    // EnableHooks enables helm hooks when executing the `helm template` command.
-    EnableHooks bool `json:"enableHooks" cue:"bool | *false"`
-}
-```
-
-<a name="HolosComponent"></a>
-## type HolosComponent {#HolosComponent}
-
-HolosComponent defines the fields common to all holos component kinds. Every holos component kind should embed HolosComponent.
-
-```go
-type HolosComponent struct {
-    // Kind is a string value representing the resource this object represents.
-    Kind string `json:"kind"`
-    // APIVersion represents the versioned schema of this representation of an object.
-    APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-    // Metadata represents data about the holos component such as the Name.
-    Metadata Metadata `json:"metadata"`
-
-    // APIObjectMap holds the marshalled representation of api objects.  Useful to
-    // mix in resources to each HolosComponent type, for example adding an
-    // ExternalSecret to a HelmChart HolosComponent.  Refer to [APIObjects].
-    APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty"`
-
-    // DeployFiles represents file paths relative to the cluster deploy directory
-    // with the value representing the file content.  Intended for defining the
-    // ArgoCD Application resource or Flux Kustomization resource from within CUE,
-    // but may be used to render any file related to the build plan from CUE.
-    DeployFiles FileContentMap `json:"deployFiles,omitempty"`
-
-    // Kustomize represents a kubectl kustomize build post-processing step.
-    Kustomize `json:"kustomize,omitempty"`
-
-    // Skip causes holos to take no action regarding this component.
-    Skip bool `json:"skip" cue:"bool | *false"`
-}
-```
-
-<a name="Kind"></a>
-## type Kind {#Kind}
-
-Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
-
-```go
-type Kind string
-```
-
-<a name="KubernetesObjects"></a>
-## type KubernetesObjects {#KubernetesObjects}
-
-KubernetesObjects represents a [HolosComponent](<#HolosComponent>) composed of Kubernetes API objects provided directly from CUE using [APIObjects](<#APIObjects>).
-
-```go
-type KubernetesObjects struct {
-    HolosComponent `json:",inline"`
-    Kind           string `json:"kind" cue:"\"KubernetesObjects\""`
-}
-```
-
-<a name="Kustomize"></a>
-## type Kustomize {#Kustomize}
-
-Kustomize represents resources necessary to execute a kustomize build. Intended for at least two use cases:
-
-1. Process a [KustomizeBuild](<#KustomizeBuild>) [HolosComponent](<#HolosComponent>) which represents raw yaml file resources in a holos component directory.
-2. Post process a [HelmChart](<#HelmChart>) [HolosComponent](<#HolosComponent>) to inject istio, patch jobs, add custom labels, etc...
-
-```go
-type Kustomize struct {
-    // KustomizeFiles holds file contents for kustomize, e.g. patch files.
-    KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty"`
-    // ResourcesFile is the file name used for api objects in kustomization.yaml
-    ResourcesFile string `json:"resourcesFile,omitempty"`
-}
-```
-
-<a name="KustomizeBuild"></a>
-## type KustomizeBuild {#KustomizeBuild}
-
-KustomizeBuild represents a [HolosComponent](<#HolosComponent>) that renders plain yaml files in the holos component directory using \`kubectl kustomize build\`.
-
-```go
-type KustomizeBuild struct {
-    HolosComponent `json:",inline"`
-    Kind           string `json:"kind" cue:"\"KustomizeBuild\""`
-}
-```
-
-<a name="Label"></a>
-## type Label {#Label}
-
-Label is an arbitrary unique identifier internal to holos itself. The holos cli is expected to never write a Label value to rendered output files, therefore use a [Label](<#Label>) then the identifier must be unique and internal. Defined as a type for clarity and type checking.
-
-A Label is useful to convert a CUE struct to a list, for example producing a list of [APIObject](<#APIObject>) resources from an [APIObjectMap](<#APIObjectMap>). A CUE struct using Label keys is guaranteed to not lose data when rendering output because a Label is expected to never be written to the final output.
-
-```go
-type Label string
-```
-
-<a name="Metadata"></a>
-## type Metadata {#Metadata}
-
-Metadata represents data about the holos component such as the Name.
-
-```go
-type Metadata struct {
-    // Name represents the name of the holos component.
-    Name string `json:"name"`
-    // Namespace is the primary namespace of the holos component.  A holos
-    // component may manage resources in multiple namespaces, in this case
-    // consider setting the component namespace to default.
-    //
-    // This field is optional because not all resources require a namespace,
-    // particularly CRD's and DeployFiles functionality.
-    // +optional
-    Namespace string `json:"namespace,omitempty"`
-}
-```
-
-<a name="Platform"></a>
-## type Platform {#Platform}
-
-Platform represents a platform to manage. A Platform resource informs holos which components to build. The platform resource also acts as a container for the platform model form values provided by the PlatformService. The primary use case is to collect the cluster names, cluster types, platform model, and holos components to build into one resource.
-
-```go
-type Platform struct {
-    // Kind is a string value representing the resource this object represents.
-    Kind string `json:"kind" cue:"\"Platform\""`
-    // APIVersion represents the versioned schema of this representation of an object.
-    APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-    // Metadata represents data about the object such as the Name.
-    Metadata PlatformMetadata `json:"metadata"`
-
-    // Spec represents the specification.
-    Spec PlatformSpec `json:"spec"`
-}
-```
-
-<a name="PlatformMetadata"></a>
-## type PlatformMetadata {#PlatformMetadata}
-
-
-
-```go
-type PlatformMetadata struct {
-    // Name represents the Platform name.
-    Name string `json:"name"`
-}
-```
-
-<a name="PlatformSpec"></a>
-## type PlatformSpec {#PlatformSpec}
-
-PlatformSpec represents the specification of a Platform. Think of a platform specification as a list of platform components to apply to a list of kubernetes clusters combined with the user\-specified Platform Model.
-
-```go
-type PlatformSpec struct {
-    // Model represents the platform model holos gets from from the
-    // PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-    Model structpb.Struct `json:"model"`
-    // Components represents a list of holos components to manage.
-    Components []PlatformSpecComponent `json:"components"`
-}
-```
-
-<a name="PlatformSpecComponent"></a>
-## type PlatformSpecComponent {#PlatformSpecComponent}
-
-PlatformSpecComponent represents a holos component to build or render.
-
-```go
-type PlatformSpecComponent struct {
-    // Path is the path of the component relative to the platform root.
-    Path string `json:"path"`
-    // Cluster is the cluster name to provide when rendering the component.
-    Cluster string `json:"cluster"`
-}
-```
-
-<a name="Repository"></a>
-## type Repository {#Repository}
-
-Repository represents a helm chart repository.
-
-```go
-type Repository struct {
-    Name string `json:"name"`
-    URL  string `json:"url"`
-}
-```
-
-Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)
--- a/doc/md/api/core/v1alpha3.md
+++ b/doc/md/api/core/v1alpha3.md
@@ -1,403 +0,0 @@
-<!-- Code generated by gomarkdoc. DO NOT EDIT -->
-
-# v1alpha3
-
-```go
-import "github.com/holos-run/holos/api/core/v1alpha3"
-```
-
-Package v1alpha3 contains the core API contract between the holos cli and CUE configuration code. Platform designers, operators, and software developers use this API to write configuration in CUE which \`holos\` loads. The overall shape of the API defines imperative actions \`holos\` should carry out to render the complete yaml that represents a Platform.
-
-[Platform](<#Platform>) defines the complete configuration of a platform. With the holos reference platform this takes the shape of one management cluster and at least two workload cluster. Each cluster has multiple [Component](<#Component>) resources applied to it.
-
-Each holos component path, e.g. \`components/namespaces\` produces exactly one [BuildPlan](<#BuildPlan>) which in turn contains a set of [Component](<#Component>) kinds.
-
-The primary kinds of [Component](<#Component>) are:
-
-1. [HelmChart](<#HelmChart>) to render config from a helm chart.
-2. [KustomizeBuild](<#KustomizeBuild>) to render config from [Kustomize](<#Kustomize>)
-3. [KubernetesObjects](<#KubernetesObjects>) to render [APIObjects](<#APIObjects>) defined directly in CUE configuration.
-
-Note that Holos operates as a data pipeline, so the output of a [HelmChart](<#HelmChart>) may be provided to [Kustomize](<#Kustomize>) for post\-processing.
-
-## Index
-
- [Constants](<#constants>)
- [type APIObject](<#APIObject>)
- [type APIObjectMap](<#APIObjectMap>)
- [type APIObjects](<#APIObjects>)
- [type BuildPlan](<#BuildPlan>)
- [type BuildPlanComponents](<#BuildPlanComponents>)
- [type BuildPlanSpec](<#BuildPlanSpec>)
- [type Chart](<#Chart>)
- [type Component](<#Component>)
- [type FileContent](<#FileContent>)
- [type FileContentMap](<#FileContentMap>)
- [type FilePath](<#FilePath>)
- [type HelmChart](<#HelmChart>)
- [type InternalLabel](<#InternalLabel>)
- [type Kind](<#Kind>)
- [type KubernetesObjects](<#KubernetesObjects>)
- [type Kustomize](<#Kustomize>)
- [type KustomizeBuild](<#KustomizeBuild>)
- [type Metadata](<#Metadata>)
- [type Platform](<#Platform>)
- [type PlatformMetadata](<#PlatformMetadata>)
- [type PlatformSpec](<#PlatformSpec>)
- [type PlatformSpecComponent](<#PlatformSpecComponent>)
- [type Repository](<#Repository>)
-
-
-## Constants
-
-<a name="APIVersion"></a>
-
-```go
-const (
-    APIVersion    = "v1alpha3"
-    BuildPlanKind = "BuildPlan"
-    HelmChartKind = "HelmChart"
-    // ChartDir is the directory name created in the holos component directory to cache a chart.
-    ChartDir = "vendor"
-    // ResourcesFile is the file name used to store component output when post-processing with kustomize.
-    ResourcesFile = "resources.yaml"
-)
-```
-
-<a name="KubernetesObjectsKind"></a>
-
-```go
-const KubernetesObjectsKind = "KubernetesObjects"
-```
-
-<a name="APIObject"></a>
-## type APIObject {#APIObject}
-
-APIObject represents the most basic generic form of a single kubernetes api object. Represented as a JSON object internally for compatibility between tools, for example loading from CUE.
-
-```go
-type APIObject structpb.Struct
-```
-
-<a name="APIObjectMap"></a>
-## type APIObjectMap {#APIObjectMap}
-
-APIObjectMap represents the marshalled yaml representation of kubernetes api objects. Do not produce an APIObjectMap directly, instead use [APIObjects](<#APIObjects>) to produce the marshalled yaml representation from CUE data, then provide the result to [Component](<#Component>).
-
-```go
-type APIObjectMap map[Kind]map[InternalLabel]string
-```
-
-<a name="APIObjects"></a>
-## type APIObjects {#APIObjects}
-
-APIObjects represents Kubernetes API objects defined directly from CUE code. Useful to mix in resources to any kind of [Component](<#Component>), for example adding an ExternalSecret resource to a [HelmChart](<#HelmChart>).
-
-[Kind](<#Kind>) must be the resource kind, e.g. Deployment or Service.
-
-[InternalLabel](<#InternalLabel>) is an arbitrary internal identifier to uniquely identify the resource within the context of a \`holos\` command. Holos will never write the intermediate label to rendered output.
-
-Refer to [Component](<#Component>) which accepts an [APIObjectMap](<#APIObjectMap>) field provided by [APIObjects](<#APIObjects>).
-
-```go
-type APIObjects struct {
-    APIObjects   map[Kind]map[InternalLabel]APIObject `json:"apiObjects"`
-    APIObjectMap APIObjectMap                         `json:"apiObjectMap"`
-}
-```
-
-<a name="BuildPlan"></a>
-## type BuildPlan {#BuildPlan}
-
-BuildPlan represents a build plan for the holos cli to execute. The purpose of a BuildPlan is to define one or more [Component](<#Component>) kinds. For example a [HelmChart](<#HelmChart>), [KustomizeBuild](<#KustomizeBuild>), or [KubernetesObjects](<#KubernetesObjects>).
-
-A BuildPlan usually has an additional empty [KubernetesObjects](<#KubernetesObjects>) for the purpose of using the [Component](<#Component>) DeployFiles field to deploy an ArgoCD or Flux gitops resource for the holos component.
-
-```go
-type BuildPlan struct {
-    Kind       string        `json:"kind" cue:"\"BuildPlan\""`
-    APIVersion string        `json:"apiVersion" cue:"string | *\"v1alpha3\""`
-    Spec       BuildPlanSpec `json:"spec"`
-}
-```
-
-<a name="BuildPlanComponents"></a>
-## type BuildPlanComponents {#BuildPlanComponents}
-
-
-
-```go
-type BuildPlanComponents struct {
-    Resources             map[InternalLabel]KubernetesObjects `json:"resources,omitempty"`
-    KubernetesObjectsList []KubernetesObjects                 `json:"kubernetesObjectsList,omitempty"`
-    HelmChartList         []HelmChart                         `json:"helmChartList,omitempty"`
-    KustomizeBuildList    []KustomizeBuild                    `json:"kustomizeBuildList,omitempty"`
-}
-```
-
-<a name="BuildPlanSpec"></a>
-## type BuildPlanSpec {#BuildPlanSpec}
-
-BuildPlanSpec represents the specification of the build plan.
-
-```go
-type BuildPlanSpec struct {
-    // Disabled causes the holos cli to take no action over the [BuildPlan].
-    Disabled bool `json:"disabled,omitempty"`
-    // Components represents multiple [HolosComponent] kinds to manage.
-    Components BuildPlanComponents `json:"components,omitempty"`
-}
-```
-
-<a name="Chart"></a>
-## type Chart {#Chart}
-
-Chart represents a helm chart.
-
-```go
-type Chart struct {
-    // Name represents the chart name.
-    Name string `json:"name"`
-    // Version represents the chart version.
-    Version string `json:"version"`
-    // Release represents the chart release when executing helm template.
-    Release string `json:"release"`
-    // Repository represents the repository to fetch the chart from.
-    Repository Repository `json:"repository,omitempty"`
-}
-```
-
-<a name="Component"></a>
-## type Component {#Component}
-
-Component defines the fields common to all holos component kinds. Every holos component kind should embed Component.
-
-```go
-type Component struct {
-    // Kind is a string value representing the resource this object represents.
-    Kind string `json:"kind"`
-    // APIVersion represents the versioned schema of this representation of an object.
-    APIVersion string `json:"apiVersion" cue:"\"v1alpha3\""`
-    // Metadata represents data about the holos component such as the Name.
-    Metadata Metadata `json:"metadata"`
-
-    // APIObjectMap holds the marshalled representation of api objects.  Useful to
-    // mix in resources to each Component type, for example adding an
-    // ExternalSecret to a [HelmChart] Component.  Refer to [APIObjects].
-    APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty"`
-
-    // DeployFiles represents file paths relative to the cluster deploy directory
-    // with the value representing the file content.  Intended for defining the
-    // ArgoCD Application resource or Flux Kustomization resource from within CUE,
-    // but may be used to render any file related to the build plan from CUE.
-    DeployFiles FileContentMap `json:"deployFiles,omitempty"`
-
-    // Kustomize represents a kubectl kustomize build post-processing step.
-    Kustomize `json:"kustomize,omitempty"`
-
-    // Skip causes holos to take no action regarding this component.
-    Skip bool `json:"skip" cue:"bool | *false"`
-}
-```
-
-<a name="FileContent"></a>
-## type FileContent {#FileContent}
-
-FileContent represents file contents.
-
-```go
-type FileContent string
-```
-
-<a name="FileContentMap"></a>
-## type FileContentMap {#FileContentMap}
-
-FileContentMap represents a mapping of file paths to file contents.
-
-```go
-type FileContentMap map[FilePath]FileContent
-```
-
-<a name="FilePath"></a>
-## type FilePath {#FilePath}
-
-FilePath represents a file path.
-
-```go
-type FilePath string
-```
-
-<a name="HelmChart"></a>
-## type HelmChart {#HelmChart}
-
-HelmChart represents a holos component which wraps around an upstream helm chart. Holos orchestrates helm by providing values obtained from CUE, renders the output using \`helm template\`, then post\-processes the helm output yaml using the general functionality provided by [Component](<#Component>), for example [Kustomize](<#Kustomize>) post\-rendering and mixing in additional kubernetes api objects.
-
-```go
-type HelmChart struct {
-    Component `json:",inline"`
-    Kind      string `json:"kind" cue:"\"HelmChart\""`
-
-    // Chart represents a helm chart to manage.
-    Chart Chart `json:"chart"`
-    // ValuesContent represents the values.yaml file holos passes to the `helm
-    // template` command.
-    ValuesContent string `json:"valuesContent"`
-    // EnableHooks enables helm hooks when executing the `helm template` command.
-    EnableHooks bool `json:"enableHooks" cue:"bool | *false"`
-}
-```
-
-<a name="InternalLabel"></a>
-## type InternalLabel {#InternalLabel}
-
-InternalLabel is an arbitrary unique identifier internal to holos itself. The holos cli is expected to never write a InternalLabel value to rendered output files, therefore use a [InternalLabel](<#InternalLabel>) when the identifier must be unique and internal. Defined as a type for clarity and type checking.
-
-A InternalLabel is useful to convert a CUE struct to a list, for example producing a list of [APIObject](<#APIObject>) resources from an [APIObjectMap](<#APIObjectMap>). A CUE struct using InternalLabel keys is guaranteed to not lose data when rendering output because a InternalLabel is expected to never be written to the final output.
-
-```go
-type InternalLabel string
-```
-
-<a name="Kind"></a>
-## type Kind {#Kind}
-
-Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
-
-```go
-type Kind string
-```
-
-<a name="KubernetesObjects"></a>
-## type KubernetesObjects {#KubernetesObjects}
-
-KubernetesObjects represents a [Component](<#Component>) composed of Kubernetes API objects provided directly from CUE using [APIObjects](<#APIObjects>).
-
-```go
-type KubernetesObjects struct {
-    Component `json:",inline"`
-    Kind      string `json:"kind" cue:"\"KubernetesObjects\""`
-}
-```
-
-<a name="Kustomize"></a>
-## type Kustomize {#Kustomize}
-
-Kustomize represents resources necessary to execute a kustomize build. Intended for at least two use cases:
-
-1. Process a [KustomizeBuild](<#KustomizeBuild>) [Component](<#Component>) which represents raw yaml file resources in a holos component directory.
-2. Post process a [HelmChart](<#HelmChart>) [Component](<#Component>) to inject istio, patch jobs, add custom labels, etc...
-
-```go
-type Kustomize struct {
-    // KustomizeFiles holds file contents for kustomize, e.g. patch files.
-    KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty"`
-    // ResourcesFile is the file name used for api objects in kustomization.yaml
-    ResourcesFile string `json:"resourcesFile,omitempty"`
-}
-```
-
-<a name="KustomizeBuild"></a>
-## type KustomizeBuild {#KustomizeBuild}
-
-KustomizeBuild represents a [Component](<#Component>) that renders plain yaml files in the holos component directory using \`kubectl kustomize build\`.
-
-```go
-type KustomizeBuild struct {
-    Component `json:",inline"`
-    Kind      string `json:"kind" cue:"\"KustomizeBuild\""`
-}
-```
-
-<a name="Metadata"></a>
-## type Metadata {#Metadata}
-
-Metadata represents data about the object such as the Name.
-
-```go
-type Metadata struct {
-    // Name represents the name of the holos component.
-    Name string `json:"name"`
-    // Namespace is the primary namespace of the holos component.  A holos
-    // component may manage resources in multiple namespaces, in this case
-    // consider setting the component namespace to default.
-    //
-    // This field is optional because not all resources require a namespace,
-    // particularly CRDs and DeployFiles functionality.
-    // +optional
-    Namespace string `json:"namespace,omitempty"`
-}
-```
-
-<a name="Platform"></a>
-## type Platform {#Platform}
-
-Platform represents a platform to manage. A Platform resource informs holos which components to build. The platform resource also acts as a container for the platform model form values provided by the PlatformService. The primary use case is to collect the cluster names, cluster types, platform model, and holos components to build into one resource.
-
-```go
-type Platform struct {
-    // Kind is a string value representing the resource this object represents.
-    Kind string `json:"kind" cue:"\"Platform\""`
-    // APIVersion represents the versioned schema of this representation of an object.
-    APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha3\""`
-    // Metadata represents data about the object such as the Name.
-    Metadata PlatformMetadata `json:"metadata"`
-
-    // Spec represents the specification.
-    Spec PlatformSpec `json:"spec"`
-}
-```
-
-<a name="PlatformMetadata"></a>
-## type PlatformMetadata {#PlatformMetadata}
-
-
-
-```go
-type PlatformMetadata struct {
-    // Name represents the Platform name.
-    Name string `json:"name"`
-}
-```
-
-<a name="PlatformSpec"></a>
-## type PlatformSpec {#PlatformSpec}
-
-PlatformSpec represents the specification of a Platform. Think of a platform specification as a list of platform components to apply to a list of kubernetes clusters combined with the user\-specified Platform Model.
-
-```go
-type PlatformSpec struct {
-    // Model represents the platform model holos gets from from the
-    // PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-    Model structpb.Struct `json:"model" cue:"{...}"`
-    // Components represents a list of holos components to manage.
-    Components []PlatformSpecComponent `json:"components"`
-}
-```
-
-<a name="PlatformSpecComponent"></a>
-## type PlatformSpecComponent {#PlatformSpecComponent}
-
-PlatformSpecComponent represents a holos component to build or render.
-
-```go
-type PlatformSpecComponent struct {
-    // Path is the path of the component relative to the platform root.
-    Path string `json:"path"`
-    // Cluster is the cluster name to provide when rendering the component.
-    Cluster string `json:"cluster"`
-}
-```
-
-<a name="Repository"></a>
-## type Repository {#Repository}
-
-Repository represents a helm chart repository.
-
-```go
-type Repository struct {
-    Name string `json:"name"`
-    URL  string `json:"url"`
-}
-```
-
-Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)
--- a/doc/md/api/schema/v1alpha3.md
+++ b/doc/md/api/schema/v1alpha3.md
@@ -1,168 +0,0 @@
-<!-- Code generated by gomarkdoc. DO NOT EDIT -->
-
-# v1alpha3
-
-```go
-import "github.com/holos-run/holos/api/schema/v1alpha3"
-```
-
-Package v1alpha3 contains CUE definitions intended as convenience wrappers around the core data types defined in package core. The purpose of these wrappers is to make life easier for platform engineers by reducing boiler plate code and generating component build plans in a consistent manner.
-
-## Index
-
- [type ArgoConfig](<#ArgoConfig>)
- [type Cluster](<#Cluster>)
- [type Fleet](<#Fleet>)
- [type Helm](<#Helm>)
- [type Platform](<#Platform>)
- [type StandardFleets](<#StandardFleets>)
-
-
-<a name="ArgoConfig"></a>
-## type ArgoConfig {#ArgoConfig}
-
-ArgoConfig represents the ArgoCD GitOps configuration for a Component. Useful to define once at the root of the Platform configuration and reuse across all Components.
-
-```go
-type ArgoConfig struct {
-    // Enabled causes holos to render an ArgoCD Application resource for GitOps if true.
-    Enabled bool `cue:"true | *false"`
-    // ClusterName represents the cluster within the platform the Application
-    // resource is intended for.
-    ClusterName string
-    // DeployRoot represents the path from the git repository root to the `deploy`
-    // rendering output directory.  Used as a prefix for the
-    // Application.spec.source.path field.
-    DeployRoot string `cue:"string | *\".\""`
-    // RepoURL represents the value passed to the Application.spec.source.repoURL
-    // field.
-    RepoURL string
-    // TargetRevision represents the value passed to the
-    // Application.spec.source.targetRevision field.  Defaults to the branch named
-    // main.
-    TargetRevision string `cue:"string | *\"main\""`
-}
-```
-
-<a name="Cluster"></a>
-## type Cluster {#Cluster}
-
-Cluster represents a cluster managed by the Platform.
-
-```go
-type Cluster struct {
-    // Name represents the cluster name, for example "east1", "west1", or
-    // "management".
-    Name string `json:"name"`
-    // Primary represents if the cluster is marked as the primary among a set of
-    // candidate clusters.  Useful for promotion of database leaders.
-    Primary bool `json:"primary" cue:"true | *false"`
-}
-```
-
-<a name="Fleet"></a>
-## type Fleet {#Fleet}
-
-Fleet represents a named collection of similarly configured Clusters. Useful to segregate workload clusters from their management cluster.
-
-```go
-type Fleet struct {
-    Name string `json:"name"`
-    // Clusters represents a mapping of Clusters by their name.
-    Clusters map[string]Cluster `json:"clusters" cue:"{[Name=_]: name: Name}"`
-}
-```
-
-<a name="Helm"></a>
-## type Helm {#Helm}
-
-Helm provides a BuildPlan via the Output field which contains one HelmChart from package core. Useful as a convenience wrapper to render a HelmChart with optional mix\-in resources and Kustomization post\-processing.
-
-```go
-type Helm struct {
-    // Name represents the chart name.
-    Name string
-    // Version represents the chart version.
-    Version string
-    // Namespace represents the helm namespace option when rendering the chart.
-    Namespace string
-    // Resources are kubernetes api objects to mix into the output.
-    Resources map[string]any `cue:"{...}"`
-
-    // Repo represents the chart repository
-    Repo struct {
-        Name string `json:"name"`
-        URL  string `json:"url"`
-    }
-
-    // Values represents data to marshal into a values.yaml for helm.
-    Values interface{} `cue:"{...}"`
-
-    // Chart represents the derived HelmChart for inclusion in the BuildPlan
-    // Output field value.  The default HelmChart field values are derived from
-    // other Helm field values and should be sufficient for most use cases.
-    Chart core.HelmChart
-
-    // EnableKustomizePostProcessor processes helm output with kustomize if true.
-    EnableKustomizePostProcessor bool `cue:"true | *false"`
-
-    // KustomizeFiles represents additional files to include in a Kustomization
-    // resources list.  Useful to patch helm output.  The implementation is a
-    // struct with filename keys and structs as values.  Holos encodes the struct
-    // value to yaml then writes the result to the filename key.  Component
-    // authors may then reference the filename in the kustomization.yaml resources
-    // or patches lists.
-    // Requires EnableKustomizePostProcessor: true.
-    KustomizeFiles map[string]any `cue:"{[string]: {...}}"`
-
-    // KustomizePatches represents patches to apply to the helm output.  Requires
-    // EnableKustomizePostProcessor: true.
-    KustomizePatches map[core.InternalLabel]any `cue:"{[string]: {...}}"`
-
-    // KustomizeResources represents additional resources files to include in the
-    // kustomize resources list.
-    KustomizeResources map[string]any `cue:"{[string]: {...}}"`
-
-    // ArgoConfig represents the ArgoCD GitOps configuration for this Component.
-    ArgoConfig ArgoConfig
-
-    // Output represents the derived BuildPlan for the Holos cli to render.
-    Output core.BuildPlan
-}
-```
-
-<a name="Platform"></a>
-## type Platform {#Platform}
-
-Platform is a convenience structure to produce a core Platform specification value in the Output field. Useful to collect components at the root of the Platform configuration tree as a struct, which are automatically converted into a list for the core Platform spec output.
-
-```go
-type Platform struct {
-    // Name represents the Platform name.
-    Name string `cue:"string | *\"holos\""`
-    // Components is a structured map of components to manage by their name.
-    Components map[string]core.PlatformSpecComponent
-    // Model represents the Platform model holos gets from from the
-    // PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-    Model structpb.Struct `cue:"{...}"`
-    // Output represents the core Platform spec for the holos cli to iterate over
-    // and render each listed Component, injecting the Model.
-    Output core.Platform
-}
-```
-
-<a name="StandardFleets"></a>
-## type StandardFleets {#StandardFleets}
-
-StandardFleets represents the standard set of Clusters in a Platform segmented into Fleets by their purpose. The management Fleet contains a single Cluster, for example a GKE autopilot cluster with no workloads deployed for reliability and cost efficiency. The workload Fleet contains all other Clusters which contain workloads and sync Secrets from the management cluster.
-
-```go
-type StandardFleets struct {
-    // Workload represents a Fleet of zero or more workload Clusters.
-    Workload Fleet `json:"workload" cue:"{name: \"workload\"}"`
-    // Management represents a Fleet with one Cluster named management.
-    Management Fleet `json:"management" cue:"{name: \"management\", clusters: management: _}"`
-}
-```
-
-Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)
--- a/doc/md/backstory.md
+++ b/doc/md/backstory.md
@@ -1,3 +0,0 @@
-# Backstory
-
-Holos is a tool intended to lighten the burden of managing Kubernetes resources.  In 2020 we set out to develop a holistic platform composed from open source cloud native components.  We quickly became frustrated with how each of the major components packaged and distributed their software in a different way.  Many projects choose to distribute their software with Helm charts, while others provide plain yaml files and Kustomize bases.  The popular Kube Prometheus Stack project provides Jsonnet to render and update Kubernetes yaml manifests.
--- a/doc/md/cli.md
+++ b/doc/md/cli.md
@@ -1,3 +0,0 @@
-# CLI
-
-Use the `holos` command line interface (CLI) to render individual platform components, entire platforms, and push/pull the platform model.
--- a/doc/md/common/example-component-integrate.mdx
+++ b/doc/md/common/example-component-integrate.mdx
@@ -0,0 +1,16 @@
+Integrate the `podinfo` component into the platform.
+
+```bash
+cat <<EOF >platform/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+}
+```
+```bash
+EOF
+```
--- a/doc/md/common/example-component.mdx
+++ b/doc/md/common/example-component.mdx
@@ -0,0 +1,34 @@
+Create a directory for the example `podinfo` component we'll use to render
+platform manifests.
+
+```bash
+mkdir -p components/podinfo
+```
+
+Create the CUE configuration for the example `podinfo` component.
+
+```bash
+cat <<EOF >components/podinfo/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+	Values: ui: {
+		message: string | *"Hello World" @tag(message, type=string)
+	}
+}
+```
+```bash
+EOF
+```
--- a/doc/md/comparison.md
+++ b/doc/md/comparison.md
@@ -1,65 +0,0 @@
-# Comparison with other tools
-
-:::tip
-
-Holos is designed to complement and improve, not replace, existing tools in the cloud native ecosystem.
-
-:::
-
-## Helm
-
-### Chart Users
-
-Describe how things are different when using an upstream helm chart.
-
-### Chart Authors
-
-Describe how things are different when writing a new helm chart.
-
-## Kustomize
-
-TODO
-
-## ArgoCD
-
-TODO
-
-## Flux
-
-TODO
-
-## Timoni
-
-| Aspect | Timoni | Holos | Comment |
-| -- | -- | -- | -- |
-| Language | CUE | CUE | Like Holos, Timoni is also built on CUE. |
-| Artifact | OCI Image | Plain YAML Files | The Holos Authors find plain files easier to work with and reason about than OCI images. |
-| Outputs to | OCI Image Repository | Local Git repository | Holos is designed for use with existing GitOps tools. |
-| Concept | Module | Component | A Timoni Module is analogous to a Holos Component. |
-| Concept | Bundle | Platform | A Timoni Bundle is somewhat similar, but smaller in scope to a Holos Platform. |
-
-:::important
-
-The Holos Authors are deeply grateful to Stefan and Timoni for the capability of
-importing Kubernetes custom resource definitions into CUE.  Without this
-functionality, much of the Kubernetes ecosystem would be more difficult to
-manage in CUE and therefore in Holos.
-
-:::
-
-
-## KubeVela
-
-1. Also built on CUE.
-2. Intended to create an Application abstraction.
-3. Holos prioritizes composition over abstraction.
-4. An abstraction of an Application acts as a filter that removes all but the lowest common denominator functionality.  The Holos Authors have found this filtering effect to create excessive friction for software developers.
-5. Holos focuses instead on composition to empower developers and platform engineers to leverage the unique features and functionality of their software and platform.
-
-## Pulumi
-
-TODO
-
-## Jsonnet
-
-TODO
--- a/doc/md/concepts.md
+++ b/doc/md/concepts.md
@@ -1,341 +0,0 @@
-# Concepts
-
-## Introduction
-
-This page is intended as a high level conceptual overview of the key concepts in
-Holos.  Refer to the [Core API](/docs/api/core/) for low level reference
-documentation.
-
-Holos is a tool built for platform engineers.  The Holos authors share three
-core values which guide our design decisions for the tool.
-
-1. Safety
-2. Ease of use
-3. Consistency
-
-Each of the following concepts are intended to support and strengthen one or
-more of these core values.  In this way we hope to lighten the burden carried by
-platform engineers.
-
-## Concepts
-
- [Component](<#component>) - The primary building block in Holos, wraps a Helm chart, Kustomize base, or plain resources defined in CUE.
- [Platform](<#platform>) - A collection of Components integrated into a software development platform.
- [Model](<#model>) - Structured data included in the Platform specification, available to all Components.  For example, your organization's domain name.
- [Rendering](<#rendering>) - Holos is a tool that makes the process of rendering Kubernetes manifests safer, easier, and consistent.
-
-```mermaid
-graph BT
-    Platform[<a href="#platform">Platform</a>]
-    Component[<a href="#component">Components</a>]
-    Helm[<a href="#component">Helm</a>]
-    Kustomize[<a href="#component">Kustomize</a>]
-    CUE[<a href="#component">CUE</a>]
-
-    Component --> Platform
-    Helm --> Component
-    Kustomize --> Component
-    CUE --> Component
-```
-
-<!--
-
-```mermaid
---
-title: Figure 1 - Holos Concepts
---
-mindmap
-  root((Holos))
-    Platform
-      Components
-        HelmChart
-        KustomizeBuild
-        KubernetesObjects
-      Model
-        name: Example Org
-        domain: example.com
-    Renders
-      YAML Files
-        Kubernetes Manifests
-        ArgoCD Application
-        FluxCD Kustomization
-```
-
-->
-
-
-## Component
-
-A Component is the primary building block when managing software with Holos.  A
-software project you wish to integrate into your platform, for example ArgoCD,
-is managed using one or more components.
-
-The primary Component kinds are:
-
-1. **HelmChart** to render config provided by Helm.
-2. **KustomizeBuild** to render config provided by Kustomize.
-3. **KubernetesObjects** to render config provided by CUE.
-
-Components are intended to integrate unmodified upstream software releases into
-your Platform.  In this way, the focus of a Component is more about the unique
-differentiating aspects of your platform than the upstream software contained in
-the Component.
-
-#### Example HelmChart Component
-
-The ArgoCD Component is a good example of a HelmChart component because it takes
-advantage of most of the key features that empower you to focus on the key
-differentiators of your unique platform.
-
-Take note of the following key points in this example ArgoCD Component:
-
-1. The Component wraps the ArgoCD Helm Chart in a way that's easy to upgrade and maintain over time.
-2. Newer Gateway API resources are mixed-in replacing the older Ingress resource included in the chart.
-3. Helm output is passed through Kustomize to configure secure mutual TLS encryption.
-4. Helm values are easier and safer to manipulate with CUE instead of text markup.
-5. Kustomize is easier and safer to manipulate with CUE instead of text markup.
-6. Platform data Model values are easily accessible, for example the OIDC issuer and the organizations's domain name.
-
-The Component wraps around the unmodified upstream ArgoCD helm chart
-providing easier upgrades as new versions are released.
-
-Note how the Component facilitates composition by allowing us to mix-in new
-functionality from the ecosystem without modifying the upstream chart.  The
-Platform this Component integrates with uses the new Gateway API, but the
-upstream helm chart does not yet support Gateway API.  See how the Resources
-field is used to mix-in a ReferenceGrant from the Gateway API without modifying
-the upstream helm chart.
-
-The Platform uses Istio to implement service to service encryption with mutual
-TLS.  The Component passes the Helm output to Kustomize to integrate with Istio.
-Kustomize is used to patch the argocd-server Deployment resource to inject the
-Istio sidecar for mutual TLS.
-
-Helm values are safer and easier to work with in CUE.  Note how you can modify
-helm values using well defined data instead of manipulating text yaml files.
-Similarly, the yaml files used for Kustomize are produced by CUE, which is again
-safer and easier because the Kustomize spec has been imported into CUE and is
-validated.
-
-Finally, the domain name used by this Platform is easily accessible from the
-PlatformSpec which is defined at the root level and made available to all
-components integrated into the platform.  Similarly, data values shared by all
-of the Components that make up ArgoCD is defined in a structure accessible by
-each of these components.
-
-```cue
-package holos
-
-import (
-	"encoding/yaml"
-	"strings"
-)
-
-// Produce a helm chart build plan.
-(#Helm & Chart).Output
-
-let Chart = {
-	Name:      "argo-cd"
-	Namespace: "argocd"
-	Version:   "7.1.1"
-
-	Chart: chart: release: "argocd"
-
-	// The upstream chart uses a Job to create the argocd-redis Secret.  Enable
-	// hooks to enable the Job.
-	Chart: enableHooks: true
-
-	Repo: name: "argocd"
-	Repo: url:  "https://argoproj.github.io/argo-helm"
-
-	// Ensure all of our mix-in resources go into the same namespace as the Chart.
-	Resources: [_]: [_]: metadata: namespace: Namespace
-
-	// Grant the Gateway namespace the ability to refer to the backend service
-	// from HTTPRoute resources.
-	Resources: ReferenceGrant: (#IstioGatewaysNamespace): #ReferenceGrant
-
-	// Pass the helm output through kustomize.
-	EnableKustomizePostProcessor: true
-
-	// Force all resources into the component namespace, some resources in the
-	// helm chart do not specify the namespace so they will get mis-applied
-	// when the kubectl (client-go) context is another namespace.
-	KustomizeFiles: "kustomization.yaml": namespace: Namespace
-
-	// Patch the backend with the service mesh sidecar.
-	KustomizePatches: {
-		mesh: {
-			target: {
-				group:   "apps"
-				version: "v1"
-				kind:    "Deployment"
-				name:    "argocd-server"
-			}
-			patch: yaml.Marshal(IstioInject)
-		}
-	}
-
-	Values: #Values & {
-		kubeVersionOverride: "1.29.0"
-		// handled in the argo-crds component
-		crds: install:  false
-		global: domain: "argocd.\(_Platform.Model.org.domain)"
-		dex: enabled:   false
-		// the service mesh handles secure mTLS
-		configs: params: "server.insecure": true
-		configs: cm: {
-			"admin.enabled":           false
-			"oidc.config":             yaml.Marshal(OIDCConfig)
-			"users.anonymous.enabled": "false"
-		}
-
-		// Refer to https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
-		let Policy = [
-			"g, argocd-view, role:readonly",
-			"g, prod-cluster-view, role:readonly",
-			"g, prod-cluster-edit, role:readonly",
-			"g, prod-cluster-admin, role:admin",
-		]
-
-		configs: rbac: "policy.csv": strings.Join(Policy, "\n")
-	}
-}
-
-let IstioInject = [{
-	op:    "add",
-	path:  "/spec/template/metadata/labels/sidecar.istio.io~1inject",
-	value: "true",
-}]
-
-let OIDCConfig = {
-	name:            "Holos Platform"
-	issuer:          _ArgoCD.issuerURL
-	clientID:        _ArgoCD.clientID
-	requestedScopes: _ArgoCD.scopesList
-	// Set redirect uri to https://argocd.example.com/pkce/verify
-	enablePKCEAuthentication: true
-	// groups is essential for rbac
-	requestedIDTokenClaims: groups: essential: true
-}
-```
-
-## Platform
-
-A Platform refers to all of the software and services integrated together to
-provide your organization's software development platform.  Holos is designed to
-manage all of the resources that compose your Platform using the [Kubernetes
-Resource Model][krm] (KRM).  Nearly all platforms are larger than Kubernetes
-itself.  For example, your developers likely need a GCS or S3 bucket to store
-data.  Holos takes advantage of Crossplane to manage resources in a consistent
-way.
-
-Holos defines a [Platform][Platform] object which collects multiple Components
-together along with organizational data defined by your Model.  Consider the
-following example, which is a Platform that manages a single Component which
-manages namespaces for each cluster in the Platform.
-
-```cue
-package holos
-
-import v1 "github.com/holos-run/holos/api/v1alpha2"
-
-v1.#Platform & {
-	metadata: name: "example"
-
-	spec: components: [{
-		path:    "components/namespaces"
-		cluster: "cluster1"
-	}]
-}
-```
-
-This platform is rendered by the command:
-
-```bash
-holos render platform ./platform
-```
-
-When Holos renders the platform, it iterates over each component, generates and
-executes a [BuildPlan][BuildPlan], then writes the fully rendered output of the
-component to the filesystem.  In this simple example, two files are produced:
-
-1. `deploy/clusters/cluster1/components/namespaces/namespaces.gen.yaml`
-2. `deploy/clusters/cluster1/gitops/namespaces.application.gen.yaml`
-
-The first file is a plain kubernetes manifest containing Namespace resources.
-The second file is an ArgoCD Application resource to deploy and manage the
-resources defined in the first file.
-
-## Model
-
-The Platform Model is where you store top-level data values used throughout
-multiple components in your Platform.  Your organization's domain name is a
-prime example of the kind of data stored in the Model.  Many components derive
-host names from your organization's domain name.  CUE makes this process safe,
-easy, and consistent.  For example:
-
-```cue
-hostname: "argocd.\(_Platform.Model.org.domain)"
-```
-
-When Holos renders a Platform, the model is loaded from a JSON file in the local
-filesystem.  The platform model file is intended to be committed to version
-control along with the rest of the Holos Platform and Component code.
-
-Holos additionally provides a web ui and form to make it easy to enter and
-validate top level configuration data.  You have complete control over the web
-form, it's rendered from JSON data defined by CUE.  Customizing the web form is
-an advanced topic, the key concept to take away is the Model is for top level,
-platform-wide data.  You control the shape and structure of the Model, and you
-have the ability to collect Model values using a simple web form.
-
-## Rendering
-
-Holos uses the Kubernetes resource model to manage configuration.  The Holos
-command line interface is the primary method you'll use to manage your platform.
-Holos uses CUE to provide a unified configuration model of the platform.  This
-unified configuration is built up from components packaged with Helm, Kustomize,
-CUE, or any other tool that can produce Kubernetes resource manifests as output.
-
-This process can be thought of as a data **rendering pipeline**.  The key
-concept is that Holos will always produce fully rendered output, but delegates
-the _application_ of the configuration to other tools like kubectl apply,
-ArgoCD, or Flux.
-
-```mermaid
---
-title: Figure 2 - Render Pipeline
---
-graph LR
-    PS[<a href="/docs/api/core/v1alpha2#PlatformSpec">PlatformSpec</a>]
-    BP[<a href="/docs/api/core/v1alpha2#BuildPlan">BuildPlan</a>]
-    HC[<a href="/docs/api/core/v1alpha2#HolosComponent">Components</a>]
-
-    H[<a href="/docs/api/core/v1alpha2#HelmChart">HelmChart</a>]
-    K[<a href="/docs/api/core/v1alpha2#KustomizeBuild">KustomizeBuild</a>]
-    O[<a href="/docs/api/core/v1alpha2#KubernetesObjects">KubernetesObjects</a>]
-
-    P[<a href="/docs/api/core/v1alpha2#Kustomize">Kustomize</a>]
-    Y[Kubernetes <br/>Resources]
-    G[GitOps <br/>Resource]
-    FS[Local Files]
-
-    C[Kube API Server]
-
-    PS --> BP --> HC
-    HC --> H --> P
-    HC --> K --> P
-    HC --> O --> P
-
-    P --> Y --> FS
-    P --> G --> FS
-
-    FS --> ArgoCD --> C
-    FS --> Flux --> C
-    FS --> kubectl --> C
-```
-
-[krm]: https://docs.google.com/document/d/1RmHXdLhNbyOWPW_AtnnowaRfGejw-qlKQIuLKQWlwzs/view#heading=h.sa6p0aye4ide
-[Platform]: /docs/api/core/v1alpha2/#Platform
-[BuildPlan]: /docs/api/core/v1alpha2/#BuildPlan
--- a/doc/md/design/rendering.md
+++ b/doc/md/design/rendering.md
@@ -1,47 +0,0 @@
-# Rendering
-
-:::tip
-
-This document provides a brief overview of the rendering process, a core design
-element in Holos.
-
-:::
-
-Holos uses the Kubernetes resource model to manage configuration.  The `holos`
-command line interface is the primary method you'll use to manage your platform.
-Holos uses CUE to provide a unified configuration model of the platform.  This
-unified configuration is built up from components packaged with Helm, Kustomize,
-CUE, or any other tool that can produce Kubernetes resource manifests as output.
-
-This process can be thought of as a data **rendering pipeline**.  The key
-concept is that `holos` will always produce fully rendered output, but delegates
-the _application_ of the configuration to other tools like `kubectl apply`,
-ArgoCD, or Flux.
-
-```mermaid
---
-title: Figure 2 - Render Pipeline
---
-graph LR
-    PS[<a href="/docs/api/core/v1alpha2#PlatformSpec">PlatformSpec</a>]
-    BP[<a href="/docs/api/core/v1alpha2#BuildPlan">BuildPlan</a>]
-    HC[<a href="/docs/api/core/v1alpha2#HolosComponent">HolosComponent</a>]
-
-    H[<a href="/docs/api/core/v1alpha2#HelmChart">HelmChart</a>]
-    K[<a href="/docs/api/core/v1alpha2#KustomizeBuild">KustomizeBuild</a>]
-    O[<a href="/docs/api/core/v1alpha2#KubernetesObjects">KubernetesObjects</a>]
-
-    P[<a href="/docs/api/core/v1alpha2#Kustomize">Kustomize</a>]
-    Y[Kubernetes <br>Resources]
-    G[GitOps <br>Resource]
-
-    C[Kube API Server]
-
-    PS --> BP --> HC
-    HC --> H --> P
-    HC --> K --> P
-    HC --> O --> P
-
-    P --> Y --> C
-    P --> G --> C
-```
--- a/Show More
+++ b/Show More