core: define generic command core type for all kinds of tasks

Previously the Command core type was only useful for Validators and was
a bit hacky in that Holos appends the directory to the end of the
argument vector.

This patch changes the Command type to represent a generic command for
use as a Generator, Transformer, or Validator.  The type is extended to
support the semantics of reading output from a file, directory, or
standard output pipe.

Go templates are used to fill in Holos managed data values, for example
the temporary directory associated with the pipeline task.  The TaskData
structu represents these values passed into the template engine.

.cspell.json

@@ -6,10 +6,12 @@
   ],
   "words": [
     "acmesolver",
+    "acraccesstoken",
     "acraccesstokens",
     "admissionregistration",
     "alertmanager",
     "alertmanagers",
+    "anchore",
     "anthos",
     "apiextensions",
     "apimachinery",
@@ -27,12 +29,15 @@
     "authpolicy",
     "authproxy",
     "authroutes",
+    "autoload",
     "automount",
     "automounting",
     "autoscaler",
     "balancereader",
     "blackbox",
     "buildplan",
+    "buildplans",
+    "Buildx",
     "builtinpluginloadingoptions",
     "cachedir",
     "cadvisor",
@@ -41,6 +46,7 @@
     "certificaterequest",
     "certificaterequests",
     "certificatesigningrequests",
+    "chartmuseum",
     "clientset",
     "clsx",
     "clusterexternalsecret",
@@ -55,6 +61,8 @@
     "Cmds",
     "CNCF",
     "CODEOWNERS",
+    "compinit",
+    "componentconfig",
     "configdir",
     "configmap",
     "configmapargs",
@@ -67,6 +75,7 @@
     "creds",
     "crossplane",
     "crunchydata",
+    "ctxt",
     "cuecontext",
     "cuelang",
     "customresourcedefinition",
@@ -74,9 +83,12 @@
     "deploymentruntimeconfig",
     "destinationrule",
     "destinationrules",
+    "devel",
     "devicecode",
+    "distroless",
     "dnsmasq",
     "dscacheutil",
+    "ecrauthorizationtoken",
     "ecrauthorizationtokens",
     "edns",
     "endpointslices",
@@ -92,9 +104,11 @@
     "fieldmaskpb",
     "fieldspec",
     "flushcache",
+    "fluxcd",
     "fullname",
     "gatewayclass",
     "gatewayclasses",
+    "gcraccesstoken",
     "gcraccesstokens",
     "gendoc",
     "generationbehavior",
@@ -103,6 +117,7 @@
     "genproto",
     "ggnpl",
     "ghaction",
+    "githubaccesstoken",
     "githubaccesstokens",
     "gitops",
     "GOBIN",
@@ -133,6 +148,7 @@
     "httproute",
     "httproutes",
     "iampolicygenerator",
+    "incpatch",
     "Infima",
     "intstr",
     "isatty",
@@ -142,6 +158,7 @@
     "jetstack",
     "jiralert",
     "Jsonnet",
+    "Kargo",
     "kfbh",
     "killall",
     "kubeadm",
@@ -149,6 +166,7 @@
     "kubelet",
     "kubelogin",
     "kubernetesobjects",
+    "kubeversion",
     "Kustomization",
     "Kustomizations",
     "kustomize",
@@ -165,6 +183,7 @@
     "loadbalancer",
     "loadrestrictions",
     "logfmt",
+    "lxnl",
     "mattn",
     "mccutchen",
     "metav",
@@ -177,6 +196,7 @@
     "mutatingwebhookconfigurations",
     "mvdan",
     "mxcl",
+    "mychart",
     "myhostname",
     "myRegistrKeySecretName",
     "mysecret",
@@ -190,6 +210,7 @@
     "oauthproxy",
     "objectmap",
     "objectmeta",
+    "omitempty",
     "organizationconnect",
     "orgid",
     "otelconnect",
@@ -249,6 +270,7 @@
     "rolebinding",
     "rootfs",
     "ropc",
+    "sboms",
     "seccomp",
     "secretargs",
     "SECRETKEY",
@@ -261,6 +283,7 @@
     "serviceentries",
     "serviceentry",
     "servicemonitor",
+    "sigstore",
     "somevalue",
     "SOMEVAR",
     "sortoptions",
@@ -291,13 +314,17 @@
     "tokencache",
     "Tokener",
     "tolerations",
+    "TOPLEVEL",
     "Traceid",
     "traefik",
     "transactionhistory",
     "tsdb",
+    "txtar",
     "typemeta",
     "udev",
     "uibutton",
+    "Unmarshal",
+    "unshallow",
     "unstage",
     "untar",
     "upbound",
@@ -309,6 +336,7 @@
     "userservice",
     "validatingwebhookconfiguration",
     "validatingwebhookconfigurations",
+    "vaultdynamicsecret",
     "vaultdynamicsecrets",
     "virtualservice",
     "virtualservices",

.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,131 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: NeedsInvestigation, Triage
+assignees: ''
+---
+
+<!--
+Please answer these questions before submitting your issue. Thanks!
+To ask questions, see https://github.com/holos-run/holos/discussions
+-->
+
+### What version of holos are you using (`holos --version`)?
+
+```
+0.0.0
+```
+
+### Does this issue reproduce with the latest release?
+
+<!--
+Get the latest release with:
+
+    brew install holos-run/tap/holos
+
+Or see https://holos.run/docs/v1alpha5/tutorial/setup/
+-->
+
+### What did you do?
+
+<!--
+Please provide a testscript that should pass, but does not because of the bug.
+See the below example.
+
+You can create a txtar from a directory with:
+
+  holos txtar ./path/to/dir
+
+Refer to: https://github.com/rogpeppe/go-internal/tree/master/cmd/testscript
+-->
+
+Steps to reproduce:
+
+```shell
+testscript -v -continue <<EOF
+```
+
+```txtar
+# Have: an error related to the imported Kustomize schemas.
+# Want: holos show buildplans to work.
+exec holos --version
+exec holos init platform v1alpha5 --force
+# remove the fix to trigger the bug
+rm cue.mod/pkg/sigs.k8s.io/kustomize/api/types/var.cue
+# want a BuildPlan shown
+exec holos show buildplans
+cmp stdout buildplan.yaml
+# want this error to go away
+! stderr 'cannot convert non-concrete value string'
+-- buildplan.yaml --
+kind: BuildPlan
+-- platform/example.cue --
+package holos
+
+Platform: Components: example: {
+	name: "example"
+	path: "components/example"
+}
+-- components/example/example.cue --
+package holos
+
+import "encoding/yaml"
+
+holos: Component.BuildPlan
+
+Component: #Kustomize & {
+	KustomizeConfig: Kustomization: patches: [
+		{
+			target: kind: "CustomResourceDefinition"
+			patch: yaml.Marshal([{
+				op:    "add"
+				path:  "/metadata/annotations/example"
+				value: "example-value"
+			}])
+		},
+	]
+}
+```
+```shell
+EOF
+```
+
+### What did you expect to see?
+
+The testscript should pass.
+
+### What did you see instead?
+
+The testscript fails because of the bug.
+
+```txt
+# Have: an error related to the imported Kustomize schemas.
+# Want: holos show buildplans to work. (0.168s)
+> exec holos --version
+[stdout]
+0.100.1-2-g9b10e23-dirty
+> exec holos init platform v1alpha5 --force
+# remove the fix to trigger the bug (0.000s)
+> rm cue.mod/pkg/sigs.k8s.io/kustomize/api/types/var.cue
+# want a BuildPlan shown (0.091s)
+> exec holos show buildplans
+[stderr]
+could not run: holos.spec.artifacts.0.transformers.0.kustomize.kustomization.patches.0.target.name: cannot convert non-concrete value string at builder/v1alpha5/builder.go:218
+holos.spec.artifacts.0.transformers.0.kustomize.kustomization.patches.0.target.name: cannot convert non-concrete value string:
+    $WORK/cue.mod/gen/sigs.k8s.io/kustomize/api/types/var_go_gen.cue:33:2
+[exit status 1]
+FAIL: <stdin>:8: unexpected command failure
+> cmp stdout buildplan.yaml
+diff stdout buildplan.yaml
+--- stdout
++++ buildplan.yaml
+@@ -0,0 +1,1 @@
++kind: BuildPlan
+
+FAIL: <stdin>:9: stdout and buildplan.yaml differ
+# want this error to go away (0.000s)
+> ! stderr 'cannot convert non-concrete value string'
+FAIL: <stdin>:11: unexpected match for `cannot convert non-concrete value string` found in stderr: cannot convert non-concrete value string
+failed run
+```

.github/workflows/container.yaml

@@ -0,0 +1,143 @@
+name: Container
+
+# Only allow actors with write permission to the repository to trigger this
+# workflow.
+permissions:
+  contents: write
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      git_ref:
+        description: 'Git ref to build (e.g., refs/tags/v1.2.3, refs/heads/main)'
+        required: true
+        type: string
+
+jobs:
+  buildx:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Set tag from trigger event
+        id: opts
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "ref=${{ inputs.git_ref }}" >> $GITHUB_OUTPUT
+          else
+            echo "ref=${GITHUB_REF}" >> $GITHUB_OUTPUT
+          fi
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.opts.outputs.ref }}
+      - name: SHA
+        id: sha
+        run: echo "sha=$(/usr/bin/git log -1 --format='%H')" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Fetch tags
+        run: git fetch --prune --unshallow --tags
+      - name: Set Tags
+        id: tags
+        run: |
+          echo "detail=$(/usr/bin/git describe --tags HEAD)" >> $GITHUB_OUTPUT
+          echo "suffix=$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
+          echo "tag=$(/usr/bin/git describe --tags HEAD)$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push container images
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+            ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Setup Cosign to sign container images
+        uses: sigstore/cosign-installer@v3.7.0
+      - name: Sign with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+      - name: Update holos-run/holos-action
+        env:
+          IMAGE: ghcr.io/holos-run/holos:v0.102.1
+          VERSION: ${{ steps.tags.outputs.tag }}
+          USER_ID: ${{ steps.get-user-id.outputs.user-id }}
+          TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -euo pipefail
+          git clone "https://github.com/holos-run/holos-action"
+          cd holos-action
+          git remote set-url origin https://${USER_ID}:${TOKEN}@github.com/holos-run/holos-action
+          docker pull --quiet "${IMAGE}"
+          docker run -v $(pwd):/app --workdir /app --rm "${IMAGE}"  \
+            holos cue export --out yaml action.cue -t "version=${VERSION}" > action.yml
+          git add action.yml
+          git commit -m "ci: update holos to ${VERSION} - https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" || (echo "No changes to commit"; exit 0)
+          git push origin HEAD:main HEAD:v0 HEAD:v1
+
+      - name: Login to quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_TOKEN }}
+      - name: Push to quay.io
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          # docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+          docker push quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Sign quay.io image
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          cosign sign --yes quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
+    outputs:
+      tag: ${{ steps.tags.outputs.tag }}
+      detail: ${{ steps.tags.outputs.detail }}

.github/workflows/dev-deploy.yaml

@@ -2,7 +2,7 @@ name: Dev Deploy
 
 on:
   push:
-    branches: ['main', 'dev-deploy']
+    branches: ['dev-deploy']
 
 jobs:
   deploy:

.github/workflows/golangci-lint.yaml

@@ -27,4 +27,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.60
+          version: v1.64.5

.github/workflows/lint.yaml

@@ -1,6 +1,5 @@
 ---
-# https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
-name: Lint
+name: Spelling
 "on":
   push:
     branches:
@@ -8,35 +7,11 @@ name: Lint
       - test
   pull_request:
     types: [opened, synchronize]
-
 permissions:
   contents: read
-
 jobs:
-  lint:
-    name: lint
+  cspell:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: stable
-
-      ## Not needed on ubuntu-latest
-      # - name: Install Packages
-      #   run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
-
-      - name: Install Tools
-        run: make tools
-
-      - name: Lint
-        # golangci-lint runs in a separate workflow.
-        run: make lint -o golangci-lint
+      - uses: actions/checkout@v4
+      - run: ./hack/cspell

.github/workflows/release.yaml

@@ -35,6 +35,9 @@ jobs:
         with:
           go-version: stable
 
+      - name: Setup Syft
+        uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
+
       # Necessary to run these outside of goreleaser, otherwise
       # /home/runner/_work/holos/holos/internal/frontend/node_modules/.bin/protoc-gen-connect-query is not in PATH
       - name: Install Tools
@@ -54,11 +57,19 @@ jobs:
       - name: Git diff
         run: git diff
 
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:
           distribution: goreleaser
-          version: latest
+          version: '~> v2'
           args: release --clean
         env:
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yaml

@@ -28,19 +28,11 @@ jobs:
         with:
           go-version: stable
 
-      - name: Install Packages
-        run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
-
       - name: Set up Helm
         uses: azure/setup-helm@v4
 
       - name: Set up Kubectl
         uses: azure/setup-kubectl@v4
 
-      - name: Install Tools
-        run: |
-          set -x
-          make tools
-
       - name: Test
         run: ./scripts/test

.gitignore

@@ -12,3 +12,4 @@ tmp/
 /holos-k3d/
 /holos-infra/
 node_modules/
+.tmp/

.goreleaser.yaml

@@ -6,7 +6,7 @@
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
 # vim: set ts=2 sw=2 tw=0 fo=cnqoj
 
-version: 1
+version: 2
 
 before:
   hooks:
@@ -50,3 +50,39 @@ changelog:
     exclude:
       - "^docs:"
       - "^test:"
+
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}_source_code'
+
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+brews:
+  - name: holos
+    repository:
+      owner: holos-run
+      name: homebrew-tap
+      branch: main
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    directory: Formula
+    homepage: "https://holos.run"
+    description: "Holos CLI"
+    dependencies:
+      - name: helm
+        type: optional
+      - name: kubectl
+        type: optional
+    install: |
+      bin.install "holos"
+      bash_output = Utils.safe_popen_read(bin/"holos", "completion", "bash")
+      (bash_completion/"holos").write bash_output
+      zsh_output = Utils.safe_popen_read(bin/"holos", "completion", "zsh")
+      (zsh_completion/"_holos").write zsh_output
+      fish_output = Utils.safe_popen_read(bin/"holos", "completion", "fish")
+      (fish_completion/"holos.fish").write fish_output
+    test: |
+      system "#{bin}/holos --version"

Dockerfile

@@ -1,8 +1,31 @@
-FROM quay.io/holos-run/debian:bullseye AS final
-USER root
-WORKDIR /app
-ADD bin bin
-RUN chown -R app: /app
-# Kubernetes requires the user to be numeric
-USER 8192
-ENTRYPOINT bin/holos server
+FROM registry.k8s.io/kubectl:v1.31.0 AS kubectl
+# https://github.com/GoogleContainerTools/distroless
+FROM golang:1.23 AS build
+
+WORKDIR /go/src/app
+COPY . .
+
+RUN CGO_ENABLED=0 make install
+RUN CGO_ENABLED=0 go install sigs.k8s.io/kustomize/kustomize/v5
+
+# Install helm to /usr/local/bin/helm
+# https://helm.sh/docs/intro/install/#from-script
+# https://holos.run/docs/v1alpha5/tutorial/setup/#dependencies
+RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 \
+  && chmod 700 get_helm.sh \
+  && DESIRED_VERSION=v3.16.2 ./get_helm.sh \
+  && rm -f get_helm.sh
+
+COPY --from=kubectl /bin/kubectl /usr/local/bin/
+
+# distroless
+FROM gcr.io/distroless/static-debian12 AS final
+COPY --from=build \
+     /go/bin/holos \
+     /go/bin/kustomize \
+     /usr/local/bin/kubectl \
+     /usr/local/bin/helm \
+     /bin/
+
+# Usage: docker run -v $(pwd):/app --workdir /app --rm -it quay.io/holos-run/holos holos render platform
+CMD ["/bin/holos"]

Makefile

@@ -32,17 +32,20 @@ bump: bumppatch
 .PHONY: bumppatch
 bumppatch: ## Bump the patch version.
 	scripts/bump patch
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test
 
 .PHONY: bumpminor
 bumpminor: ## Bump the minor version.
 	scripts/bump minor
 	scripts/bump patch 0
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test
 
 .PHONY: bumpmajor
 bumpmajor: ## Bump the major version.
 	scripts/bump major
 	scripts/bump minor 0
 	scripts/bump patch 0
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test
 
 .PHONY: show-version
 show-version: ## Print the full version.
@@ -75,6 +78,12 @@ build: ## Build holos executable.
 	@echo "GOPATH=${GOPATH}"
 	go build -trimpath -o bin/$(BIN_NAME) -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)
 
+.PHONY: debug
+debug: ## Build debug executable.
+	@echo "building ${BIN_NAME}-debug ${VERSION}"
+	@echo "GOPATH=${GOPATH}"
+	go build -o bin/$(BIN_NAME)-debug $(REPO_PATH)/cmd/$(BIN_NAME)
+
 linux: ## Build holos executable for tilt.
 	@echo "building ${BIN_NAME}.linux ${VERSION}"
 	@echo "GOPATH=${GOPATH}"
@@ -154,6 +163,10 @@ website: ## Build website
 unity: ## https://cuelabs.dev/unity/
 	./scripts/unity
 
+.PHONY: update-docs
+update-docs: ## Update doc examples
+	HOLOS_UPDATE_SCRIPTS=1 go test -v ./doc/md/...
+
 .PHONY: help
 help:  ## Display this help menu.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

README.md

@@ -1,35 +1,130 @@
-## Holos - A Holistic Development Platform
+# Holos
 
 <img width="50%"
 align="right"
 style="display: block; margin: 40px auto;"
 src="https://openinfrastructure.co/blog/2016/02/27/logo/logorectangle.png">
 
-Building and maintaining a software development platform is a complex and time
-consuming endeavour.  Organizations often dedicate a team of 3-4 who need 6-12
-months to build the platform.
+[Holos] is a configuration management tool for Kubernetes implementing the
+[rendered manifests pattern]. It handles configurations ranging from single
+resources to multi-cluster platforms across regions.
 
-Holos is a tool and a reference platform to reduce the complexity and speed up
-the process of building a modern, cloud native software development platform.
+Key components:
+- Platform schemas defining component integration
+- Building blocks unifying Helm, Kustomize and Kubernetes configs with CUE
+- BuildPlan pipeline for generating, transforming and validating manifests
 
-- **Accelerate new projects** - Reduce time to market and operational complexity by starting your new project on top of the Holos reference platform.
-- **Modernize existing projects** - Incrementally incorporate your existing platform services into Holos for simpler integration.
-- **Unified configuration model** - Increase safety and reduce the risk of config changes with CUE.
-- **First class Helm and Kustomize support** - Leverage and reuse your existing investment in existing configuration tools such as Helm and Kustomize.
-- **Modern Authentication and Authorization** - Holos seamlessly integrates platform identity and access management with zero-trust beyond corp style authorization policy.
+```mermaid
+---
+title: Rendering Overview
+---
+graph LR
+    Platform[<a href="https://holos.run/docs/v1alpha5/api/author/#Platform">Platform</a>]
+    Component[<a href="https://holos.run/docs/v1alpha5/api/author/#ComponentConfig">Components</a>]
 
-## Quick Installation
+    Helm[<a href="https://holos.run/docs/v1alpha5/api/author/#Helm">Helm</a>]
+    Kustomize[<a href="https://holos.run/docs/v1alpha5/api/author/#Kustomize">Kustomize</a>]
+    Kubernetes[<a href="https://holos.run/docs/v1alpha5/api/author/#Kubernetes">Kubernetes</a>]
 
-```console
-go install github.com/holos-run/holos/cmd/holos@latest
+    BuildPlan[<a href="https://holos.run/docs/v1alpha5/api/core/#BuildPlan">BuildPlan</a>]
+
+    ResourcesArtifact[<a href="https://holos.run/docs/v1alpha5/api/core/#Artifact">Resources<br/>Artifact</a>]
+    GitOpsArtifact[<a href="https://holos.run/docs/v1alpha5/api/core/#Artifact">GitOps<br/>Artifact</a>]
+
+    Generators[<a href="https://holos.run/docs/v1alpha5/api/core/#Generator">Generators</a>]
+    Transformers[<a href="https://holos.run/docs/v1alpha5/api/core/#Transformer">Transformers</a>]
+    Validators[<a href="https://holos.run/docs/v1alpha5/api/core/#Validator">Validators</a>]
+    Files[Manifest<br/>Files]
+
+    Platform --> Component
+    Component --> Helm --> BuildPlan
+    Component --> Kubernetes --> BuildPlan
+    Component --> Kustomize --> BuildPlan
+
+    BuildPlan --> ResourcesArtifact --> Generators
+    BuildPlan --> GitOpsArtifact --> Generators
+
+    Generators --> Transformers --> Validators --> Files
 ```
 
-## Docs and Support
+## Setup
 
-The documentation for developing and using Holos is available at: https://holos.run
+```shell
+brew install holos-run/tap/holos
+```
 
-For discussion and support, [open a discussion](https://github.com/orgs/holos-run/discussions/new/choose).
+Refer to [setup] for other installation methods and dependencies.
+
+## Example
+
+See our [tutorial] for a complete hello world example.
+
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+	Values: ui: {
+		message: string | *"Hello World" @tag(message, type=string)
+	}
+}
+```
+
+## Organizational Role
+
+Platform engineers use Holos to generate Kubernetes manifests, both locally and
+in CI pipelines. The manifests are committed to version control and deployed via
+GitOps tools like ArgoCD or Flux.
+
+Holos integrates seamlessly with existing Helm charts, Kustomize bases, and
+other version-controlled configurations.
+
+## Advantages of Holos
+
+### Safe
+
+Holos leverages [CUE] for strong typing and validation of configuration data,
+ensuring consistent output from Helm and other tools.
+
+### Consistent
+
+A unified pipeline processes all configurations - whether from CUE, Helm, or
+Kustomize - through the same well-defined stages.
+
+### Flexible
+
+Composable building blocks for generation, transformation, validation and
+integration let teams assemble workflows that match their needs.
+
+The core is intentionally unopinionated about platform configuration patterns.
+Common needs like environments and clusters are provided as customizable
+[topics] recipes rather than enforced structures.
+
+## Getting Help
+
+Get support through our [Discord] channel or [GitHub discussions]. Configuration
+challenges arise at all experience levels - we welcome your questions and are
+here to help.
 
 ## License
 
 Holos is licensed under Apache 2.0 as found in the [LICENSE file](LICENSE).
+
+[Holos]: https://holos.run/docs/overview/
+[rendered manifests pattern]: https://akuity.io/blog/the-rendered-manifests-pattern
+[CUE]: https://cuelang.org/
+[Discord]: https://discord.gg/JgDVbNpye7
+[GitHub discussions]: https://github.com/holos-run/holos/discussions
+[Why CUE for Configuration]: https://holos.run/blog/why-cue-for-configuration/
+[tutorial]: https://holos.run/docs/overview/
+[setup]: https://holos.run/docs/setup/
+[topics]: https://holos.run/docs/topics/

api/author/v1alpha5/definitions.go

@@ -0,0 +1,155 @@
+// Package author contains a standard set of schemas for component authors to
+// generate common [core] BuildPlans.
+//
+// Holos values stability, flexibility, and composition.  This package
+// intentionally defines only the minimal necessary set of structures.
+// Component authors are encouraged to define their own structures building on
+// our example [topics].
+//
+// The Holos Maintainers may add definitions to this package if the community
+// identifies nearly all users must define the exact same structure.  Otherwise,
+// definitions should be added as a customizable example in [topics].
+//
+// For example, structures representing a cluster and environment almost always
+// need to be defined.  Their definition varies from one organization to the
+// next.  Therefore, customizable definitions for a cluster and environment are
+// best maintained in [topics], not standardized in this package.
+//
+// [core]: https://holos.run/docs/api/core/
+// [topics]: https://holos.run/docs/topics/
+package author
+
+import core "github.com/holos-run/holos/api/core/v1alpha5"
+
+//go:generate ../../../hack/gendoc
+
+// Platform assembles a core Platform in the Resource field for the holos render
+// platform command.  Use the Components field to register components with the
+// platform.
+type Platform struct {
+	Name       string
+	Components map[NameLabel]core.Component
+	Resource   core.Platform
+}
+
+// ComponentConfig represents the configuration common to all kinds of
+// components for use with the holos render component command.  All component
+// kinds may be transformed with [kustomize] configured with the
+// [KustomizeConfig] field.
+//
+//   - [Helm] charts.
+//   - [Kubernetes] resources generated from CUE.
+//   - [Kustomize] bases.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type ComponentConfig struct {
+	// Name represents the BuildPlan metadata.name field.  Used to construct the
+	// fully rendered manifest file path.
+	Name string
+	// Labels represent the BuildPlan metadata.labels field.
+	Labels map[string]string
+	// Annotations represent the BuildPlan metadata.annotations field.
+	Annotations map[string]string
+
+	// Path represents the path to the component producing the BuildPlan.
+	Path string
+	// Parameters are useful to reuse a component with various parameters.
+	// Injected as CUE @tag variables.  Parameters with a "holos_" prefix are
+	// reserved for use by the Holos Authors.
+	Parameters map[string]string
+	// OutputBaseDir represents the output base directory used when assembling
+	// artifacts.  Useful to organize components by clusters or other parameters.
+	// For example, holos writes resource manifests to
+	// {WriteTo}/{OutputBaseDir}/components/{Name}/{Name}.gen.yaml
+	OutputBaseDir string `cue:"string | *\"\""`
+
+	// Resources represents kubernetes resources mixed into the rendered manifest.
+	Resources core.Resources
+	// KustomizeConfig represents the kustomize configuration.
+	KustomizeConfig KustomizeConfig
+	// Validators represent checks that must pass for output to be written.
+	Validators map[NameLabel]core.Validator
+	// Artifacts represents additional artifacts to mix in.  Useful for adding
+	// GitOps resources.  Each Artifact is unified without modification into the
+	// BuildPlan.
+	Artifacts map[NameLabel]core.Artifact
+}
+
+// Helm assembles a BuildPlan rendering a helm chart.  Useful to mix in
+// additional resources from CUE and transform the helm output with kustomize.
+type Helm struct {
+	ComponentConfig `json:",inline"`
+
+	// Chart represents a Helm chart.
+	Chart core.Chart
+	// Values represents data to marshal into a values.yaml for helm.
+	Values core.Values
+	// ValueFiles represents value files for migration from helm value
+	// hierarchies.  Use Values instead.
+	ValueFiles []core.ValueFile `json:",omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `cue:"true | *false"`
+	// Namespace sets the helm chart namespace flag if provided.
+	Namespace string `json:",omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:",omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:",omitempty"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kubernetes assembles a BuildPlan containing inline resources exported from
+// CUE.
+type Kubernetes struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kustomize assembles a BuildPlan rendering manifests from a [kustomize]
+// kustomization.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type Kustomize struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// KustomizeConfig represents the configuration for [kustomize] post processing.
+// Use the Files field to mix in plain manifest files located in the component
+// directory.  Use the Resources field to mix in manifests from network urls.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type KustomizeConfig struct {
+	// Kustomization represents the kustomization used to transform resources.
+	// Note the resources field is internally managed from the Files and Resources fields.
+	Kustomization map[string]any `json:",omitempty"`
+	// Files represents files to copy from the component directory for kustomization.
+	Files map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// Resources represents additional entries to included in the resources list.
+	Resources map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// CommonLabels represents common labels added without including selectors.
+	CommonLabels map[string]string
+}
+
+// NameLabel represents the common use case of converting a struct to a list
+// where the name field of each value unifies with the field name of the outer
+// struct.
+//
+// For example:
+//
+//	S: [NameLabel=string]: name: NameLabel
+//	S: jeff: _
+//	S: gary: _
+//	S: nate: _
+//	L: [for x in S {x}]
+//	// L is [{name: "jeff"}, {name: "gary"}, {name: "nate"}]
+type NameLabel string

api/author/v1alpha5/header.yaml

@@ -0,0 +1,5 @@
+---
+title: Author Schemas
+description: Standardized schemas for component authors.
+sidebar_position: 200
+---

api/core/v1alpha5/header.yaml

@@ -0,0 +1,5 @@
+---
+title: Core Schemas
+description: BuildPlan defines the holos rendering pipeline.
+sidebar_position: 100
+---

api/core/v1alpha5/types.go

@@ -0,0 +1,400 @@
+// Package core contains schemas for a [Platform] and [BuildPlan].  Holos takes
+// a [Platform] as input, then iterates over each [Component] to produce a
+// [BuildPlan].  Holos processes the [BuildPlan] to produce fully rendered
+// manifests, each an [Artifact].
+package core
+
+//go:generate ../../../hack/gendoc
+
+// BuildPlan represents an implementation of the [rendered manifest pattern].
+// Holos processes a BuildPlan to produce one or more [Artifact] output files.
+// BuildPlan artifact files usually contain Kubernetes manifests, but they may
+// have any content.
+//
+// A BuildPlan usually produces two artifacts.  One artifact contains a manifest
+// of resources.  A second artifact contains a GitOps resource to manage the
+// first, usually an ArgoCD Application resource.
+//
+// Holos uses CUE to construct a BuildPlan.  A future enhancement will support
+// user defined executables providing a BuildPlan to Holos in the style of an
+// [external credential provider].
+//
+// [rendered manifest pattern]: https://akuity.io/blog/the-rendered-manifests-pattern
+// [external credential provider]: https://github.com/kubernetes/enhancements/blob/313ad8b59c80819659e1fbf0f165230f633f2b22/keps/sig-auth/541-external-credential-providers/README.md
+type BuildPlan struct {
+	// Kind represents the type of the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"BuildPlan\""`
+	// APIVersion represents the versioned schema of the resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha5\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+	// Spec specifies the desired state of the resource.
+	Spec BuildPlanSpec `json:"spec" yaml:"spec"`
+}
+
+// BuildPlanSpec represents the specification of the [BuildPlan].
+type BuildPlanSpec struct {
+	// Artifacts represents the artifacts for holos to build.
+	Artifacts []Artifact `json:"artifacts" yaml:"artifacts"`
+	// Disabled causes the holos cli to disregard the build plan.
+	Disabled bool `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+}
+
+// Artifact represents one fully rendered manifest produced by a [Transformer]
+// sequence, which transforms a [Generator] collection.  A [BuildPlan] produces
+// an [Artifact] collection.
+//
+// Each Artifact produces one manifest file artifact.  Generator Output values
+// are used as Transformer Inputs.  The Output field of the final [Transformer]
+// should have the same value as the Artifact field.
+//
+// When there is more than one [Generator] there must be at least one
+// [Transformer] to combine outputs into one Artifact.  If there is a single
+// Generator, it may directly produce the Artifact output.
+//
+// An Artifact is processed concurrently with other artifacts in the same
+// [BuildPlan].  An Artifact should not use an output from another Artifact as
+// an input.  Each [Generator] may also run concurrently.  Each [Transformer] is
+// executed sequentially starting after all generators have completed.
+//
+// Output fields are write-once.  It is an error for multiple Generators or
+// Transformers to produce the same Output value within the context of a
+// [BuildPlan].
+type Artifact struct {
+	Artifact     FilePath      `json:"artifact,omitempty" yaml:"artifact,omitempty"`
+	Generators   []Generator   `json:"generators,omitempty" yaml:"generators,omitempty"`
+	Transformers []Transformer `json:"transformers,omitempty" yaml:"transformers,omitempty"`
+	Validators   []Validator   `json:"validators,omitempty" yaml:"validators,omitempty"`
+	Skip         bool          `json:"skip,omitempty" yaml:"skip,omitempty"`
+}
+
+// Generator generates Kubernetes resources.  [Helm] and [Resources] are the
+// most commonly used, often paired together to mix-in resources to an
+// unmodified Helm chart.  A simple [File] generator is also available for use
+// with the [Kustomize] transformer.
+//
+// Each Generator in an [Artifact] must have a distinct Output value for a
+// [Transformer] to reference.
+//
+//  1. [Resources] - Generates resources from CUE code.
+//  2. [Helm] - Generates rendered yaml from a [Chart].
+//  3. [File] - Generates data by reading a file from the component directory.
+type Generator struct {
+	// Kind represents the kind of generator.  Must be Resources, Helm, or File.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Resources\" | \"Helm\" | \"File\""`
+	// Output represents a file for a Transformer or Artifact to consume.
+	Output FilePath `json:"output" yaml:"output"`
+	// Resources generator. Ignored unless kind is Resources.  Resources are
+	// stored as a two level struct.  The top level key is the Kind of resource,
+	// e.g. Namespace or Deployment.  The second level key is an arbitrary
+	// InternalLabel.  The third level is a map[string]any representing the
+	// Resource.
+	Resources Resources `json:"resources,omitempty" yaml:"resources,omitempty"`
+	// Helm generator. Ignored unless kind is Helm.
+	Helm Helm `json:"helm,omitempty" yaml:"helm,omitempty"`
+	// File generator. Ignored unless kind is File.
+	File File `json:"file,omitempty" yaml:"file,omitempty"`
+}
+
+// Resource represents one kubernetes api object.
+type Resource map[string]any
+
+// Resources represents Kubernetes resources.  Most commonly used to mix
+// resources into the [BuildPlan] generated from CUE, but may be generated from
+// elsewhere.
+type Resources map[Kind]map[InternalLabel]Resource
+
+// File represents a simple single file copy [Generator].  Useful with a
+// [Kustomize] [Transformer] to process plain manifest files stored in the
+// component directory.  Multiple File generators may be used to transform
+// multiple resources.
+type File struct {
+	// Source represents a file sub-path relative to the component path.
+	Source FilePath `json:"source" yaml:"source"`
+}
+
+// Helm represents a [Chart] manifest [Generator].
+type Helm struct {
+	// Chart represents a helm chart to manage.
+	Chart Chart `json:"chart" yaml:"chart"`
+	// Values represents values for holos to marshal into values.yaml when
+	// rendering the chart.  Values follow ValueFiles when both are provided.
+	Values Values `json:"values" yaml:"values"`
+	// ValueFiles represents hierarchial value files passed in order to the helm
+	// template -f flag.  Useful for migration from an ApplicationSet.  Use Values
+	// instead.  ValueFiles precede Values when both are provided.
+	ValueFiles []ValueFile `json:"valueFiles,omitempty" yaml:"valueFiles,omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `json:"enableHooks,omitempty" yaml:"enableHooks,omitempty"`
+	// Namespace represents the helm namespace flag
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
+}
+
+// ValueFile represents one Helm value file produced from CUE.
+type ValueFile struct {
+	// Name represents the file name, e.g. "region-values.yaml"
+	Name string `json:"name" yaml:"name"`
+	// Kind is a discriminator.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Values\""`
+	// Values represents values for holos to marshal into the file name specified
+	// by Name when rendering the chart.
+	Values Values `json:"values,omitempty" yaml:"values,omitempty"`
+}
+
+// Values represents [Helm] Chart values generated from CUE.
+type Values map[string]any
+
+// Chart represents a [Helm] Chart.
+type Chart struct {
+	// Name represents the chart name.
+	Name string `json:"name" yaml:"name"`
+	// Version represents the chart version.
+	Version string `json:"version" yaml:"version"`
+	// Release represents the chart release when executing helm template.
+	Release string `json:"release" yaml:"release"`
+	// Repository represents the repository to fetch the chart from.
+	Repository Repository `json:"repository,omitempty" yaml:"repository,omitempty"`
+}
+
+// Repository represents a [Helm] [Chart] repository.
+//
+// The Auth field is useful to configure http basic authentication to the Helm
+// repository.  Holos gets the username and password from the environment
+// variables represented by the Auth field.
+type Repository struct {
+	Name string `json:"name" yaml:"name"`
+	URL  string `json:"url" yaml:"url"`
+	Auth Auth   `json:"auth,omitempty" yaml:"auth,omitempty"`
+}
+
+// Auth represents environment variable names containing auth credentials.
+type Auth struct {
+	Username AuthSource `json:"username" yaml:"username"`
+	Password AuthSource `json:"password" yaml:"password"`
+}
+
+// AuthSource represents a source for the value of an [Auth] field.
+type AuthSource struct {
+	Value   string `json:"value,omitempty" yaml:"value,omitempty"`
+	FromEnv string `json:"fromEnv,omitempty" yaml:"fromEnv,omitempty"`
+}
+
+// Transformer combines multiple inputs from prior [Generator] or [Transformer]
+// outputs into one output.  [Kustomize] is the most commonly used transformer.
+// A simple [Join] is also supported for use with plain manifest files.
+//
+//  1. [Kustomize] - Patch and transform the output from prior generators or
+//     transformers.  See [Introduction to Kustomize].
+//  2. [Join] - Concatenate multiple prior outputs into one output.
+//  3. [Slice] - Slice an artifact into multiple artifacts using [kubectl-slice].
+//
+// [Introduction to Kustomize]: https://kubectl.docs.kubernetes.io/guides/config_management/introduction/
+// [kubectl-slice]: https://github.com/patrickdappollonio/kubectl-slice
+type Transformer struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Kustomize\" | \"Join\" | \"Slice\""`
+	// Inputs represents the files to transform. The Output of prior Generators
+	// and Transformers.
+	Inputs []FilePath `json:"inputs" yaml:"inputs"`
+	// Output represents a file for a subsequent Transformer or Artifact to
+	// consume.
+	Output FilePath `json:"output" yaml:"output"`
+	// Kustomize transformer. Ignored unless kind is Kustomize.
+	Kustomize Kustomize `json:"kustomize,omitempty" yaml:"kustomize,omitempty"`
+	// Join transformer. Ignored unless kind is Join.
+	Join Join `json:"join,omitempty" yaml:"join,omitempty"`
+}
+
+// Join represents a [Transformer] using [bytes.Join] to concatenate multiple
+// inputs into one output with a separator.  Useful for combining output from
+// [Helm] and [Resources] together into one [Artifact] when [Kustomize] is
+// otherwise unnecessary.
+//
+// [bytes.Join]: https://pkg.go.dev/bytes#Join
+type Join struct {
+	Separator string `json:"separator,omitempty" yaml:"separator,omitempty"`
+}
+
+// Kustomize represents a kustomization [Transformer].
+type Kustomize struct {
+	// Kustomization represents the decoded kustomization.yaml file
+	Kustomization Kustomization `json:"kustomization" yaml:"kustomization"`
+	// Files holds file contents for kustomize, e.g. patch files.
+	Files FileContentMap `json:"files,omitempty" yaml:"files,omitempty"`
+}
+
+// Kustomization represents a kustomization.yaml file for use with the
+// [Kustomize] [Transformer].  Untyped to avoid tightly coupling holos to
+// kubectl versions which was a problem for the Flux maintainers.  Type checking
+// is expected to happen in CUE against the kubectl version the user prefers.
+type Kustomization map[string]any
+
+// FileContentMap represents a mapping of file paths to file contents.
+type FileContentMap map[FilePath]FileContent
+
+// FilePath represents a file path.
+type FilePath string
+
+// FileContent represents file contents.
+type FileContent string
+
+// Validator validates files.  Useful to validate an [Artifact] prior to writing
+// it out to the final destination.  Holos may execute validators concurrently.
+// See the [validators] tutorial for an end to end example.
+//
+// [validators]: https://holos.run/docs/v1alpha5/tutorial/validators/
+type Validator struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Command\""`
+	// Inputs represents the files to validate.  Usually the final Artifact.
+	Inputs []FilePath `json:"inputs" yaml:"inputs"`
+	// Command represents a validation command.  Ignored unless kind is Command.
+	Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+
+// Command represents a generic command for use as a Generator, Transformer, or
+// Validator.  Holos uses the Go template engine to render the Args field using
+// data provided by the TaskData field.  For example to fill in the fully
+// qualified temporary directory used to provide inputs to the task.
+type Command struct {
+	// DisplayName represents a friendly display name for the command.
+	DisplayName string `json:"displayName,omitempty" yaml:"displayName,omitempty"`
+	// Args represents the complete command argument vector as a go template.
+	Args []string `json:"args,omitempty" yaml:"args,omitempty"`
+	// OutputRef references the source of the output data.
+	OutputRef OutputRef `json:"outputRef,omitempty" yaml:"outputRef,omitempty"`
+	// TaskData populated by Holos for template rendering.
+	TaskData TaskData `json:"taskData,omitempty" yaml:"taskData,omitempty"`
+	// TODO(jjm): add command environment variable support similar to args.
+}
+
+// TaskData represents data values associated with a pipeline task necessary to
+// execute the task.  For example, the randomly generated temporary directory
+// used to read and write artifact files when executing user defined task
+// commands.  Values of this struct are intended for the Go template engine.
+//
+// Holos populates this struct as needed.  Holos may treat user provided values
+// as an error condition.
+type TaskData struct {
+	// TempDir represents the temp directory holos manages for task artifacts.
+	TempDir string `json:"tempDir,omitempty" yaml:"tempDir,omitempty"`
+}
+
+// OutputRef represents a reference to the data source used as the output of a
+// task.  For example, a Generator output may be sourced from standard output or
+// a file path.
+type OutputRef struct {
+	// Kind represents the kind of output produced.
+	Kind string `json:"kind,omitempty" yaml:"kind,omitempty" cue:"string | *\"Pipe\" | \"Path\""`
+	// Pipe represents stdout or stderr.  Ignored unless kind is Pipe.
+	Pipe string `json:"pipe,omitempty" yaml:"pipe,omitempty" cue:"string | *\"stdout\" | \"stderr\""`
+	// Path represents an artifact path relative to the task temp directory.
+	// Ignored unless kind is Path.
+	Path string `json:"path,omitempty" yaml:"path,omitempty"`
+	// TODO(jjm): support jsonpath or cel references to the output data maybe?
+}
+
+// InternalLabel is an arbitrary unique identifier internal to holos itself.
+// The holos cli is expected to never write a InternalLabel value to rendered
+// output files, therefore use a InternalLabel when the identifier must be
+// unique and internal.  Defined as a type for clarity and type checking.
+type InternalLabel string
+
+// Kind is a discriminator. Defined as a type for clarity and type checking.
+type Kind string
+
+// Metadata represents data about the resource such as the Name.
+type Metadata struct {
+	// Name represents the resource name.
+	Name string `json:"name" yaml:"name"`
+	// Labels represents a resource selector.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  For example
+	// holos uses the `app.holos.run/description` annotation to log resources in a
+	// user customized way.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
+// Platform represents a platform to manage.  A Platform specifies a [Component]
+// collection and integrates the components together into a holistic platform.
+// Holos iterates over the [Component] collection producing a [BuildPlan] for
+// each, which holos then executes to render manifests.
+//
+// Inspect a Platform resource holos would process by executing:
+//
+//	cue export --out yaml ./platform
+type Platform struct {
+	// Kind is a string value representing the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Platform\""`
+	// APIVersion represents the versioned schema of this resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha5\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+
+	// Spec represents the platform specification.
+	Spec PlatformSpec `json:"spec" yaml:"spec"`
+}
+
+// PlatformSpec represents the platform specification.
+type PlatformSpec struct {
+	// Components represents a collection of holos components to manage.
+	Components []Component `json:"components" yaml:"components"`
+}
+
+// Component represents the complete context necessary to produce a [BuildPlan]
+// from a path containing parameterized CUE configuration.
+type Component struct {
+	// Name represents the name of the component. Injected as the tag variable
+	// "holos_component_name".
+	Name string `json:"name" yaml:"name"`
+	// Path represents the path of the component relative to the platform root.
+	// Injected as the tag variable "holos_component_path".
+	Path string `json:"path" yaml:"path"`
+	// Instances represents additional cue instance paths to unify with Path.
+	// Useful to unify data files into a component BuildPlan.  Added in holos
+	// 0.101.7.
+	Instances []Instance `json:"instances,omitempty" yaml:"instances,omitempty"`
+	// WriteTo represents the holos render component --write-to flag.  If empty,
+	// the default value for the --write-to flag is used.
+	WriteTo string `json:"writeTo,omitempty" yaml:"writeTo,omitempty"`
+	// Parameters represent user defined input variables to produce various
+	// [BuildPlan] resources from one component path.  Injected as CUE @tag
+	// variables.  Parameters with a "holos_" prefix are reserved for use by the
+	// Holos Authors.  Multiple environments are a prime example of an input
+	// parameter that should always be user defined, never defined by Holos.
+	Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters,omitempty"`
+	// Labels represent selector labels for the component.  Copied to the
+	// resulting BuildPlan.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  Use the
+	// `app.holos.run/description` to customize the log message of each BuildPlan.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
+// Instance represents a data instance to unify with the configuration.
+//
+// Useful to unify json and yaml files with cue configuration files for
+// integration with other tools.  For example, executing holos render platform
+// from a pull request workflow after [Kargo] executes the [yaml update] and
+// [git wait for pr] promotion steps.
+//
+// [Kargo]: https://docs.kargo.io/
+// [yaml update]: https://docs.kargo.io/references/promotion-steps#yaml-update
+// [git wait for pr]: https://docs.kargo.io/references/promotion-steps#git-wait-for-pr
+type Instance struct {
+	// Kind is a discriminator.
+	Kind string `json:"kind" yaml:"kind" cue:"\"ExtractYAML\""`
+	// Ignored unless kind is ExtractYAML.
+	ExtractYAML ExtractYAML `json:"extractYAML,omitempty" yaml:"extractYAML,omitempty"`
+}
+
+// ExtractYAML represents a cue data instance encoded as yaml or json. If Path
+// refers to a directory all files in the directory are extracted
+// non-recursively.  Otherwise, path must refer to a file.
+type ExtractYAML struct {
+	Path string `json:"path" yaml:"path"`
+}

api/v1alpha1/buildplan.go

@@ -1,56 +0,0 @@
-package v1alpha1
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-)
-
-// BuildPlan is the primary interface between CUE and the Holos cli.
-type BuildPlan struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	// Metadata represents the holos component name
-	Metadata ObjectMeta    `json:"metadata,omitempty" yaml:"metadata,omitempty"`
-	Spec     BuildPlanSpec `json:"spec,omitempty" yaml:"spec,omitempty"`
-}
-
-type BuildPlanSpec struct {
-	Disabled   bool                `json:"disabled,omitempty" yaml:"disabled,omitempty"`
-	Components BuildPlanComponents `json:"components,omitempty" yaml:"components,omitempty"`
-	// DeployFiles keys represent file paths relative to the cluster deploy
-	// directory.  Map values represent the string encoded file contents.  Used to
-	// write the argocd Application, but may be used to render any file from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
-}
-
-type BuildPlanComponents struct {
-	HelmChartList         []HelmChart                  `json:"helmChartList,omitempty" yaml:"helmChartList,omitempty"`
-	KubernetesObjectsList []KubernetesObjects          `json:"kubernetesObjectsList,omitempty" yaml:"kubernetesObjectsList,omitempty"`
-	KustomizeBuildList    []KustomizeBuild             `json:"kustomizeBuildList,omitempty" yaml:"kustomizeBuildList,omitempty"`
-	Resources             map[string]KubernetesObjects `json:"resources,omitempty" yaml:"resources,omitempty"`
-}
-
-func (bp *BuildPlan) Validate() error {
-	errs := make([]string, 0, 2)
-	if bp.Kind != BuildPlanKind {
-		errs = append(errs, fmt.Sprintf("kind invalid: want: %s have: %s", BuildPlanKind, bp.Kind))
-	}
-	if bp.APIVersion != APIVersion {
-		errs = append(errs, fmt.Sprintf("apiVersion invalid: want: %s have: %s", APIVersion, bp.APIVersion))
-	}
-	if len(errs) > 0 {
-		return errors.New("invalid BuildPlan: " + strings.Join(errs, ", "))
-	}
-	return nil
-}
-
-func (bp *BuildPlan) ResultCapacity() (count int) {
-	if bp == nil {
-		return 0
-	}
-	count = len(bp.Spec.Components.HelmChartList) +
-		len(bp.Spec.Components.KubernetesObjectsList) +
-		len(bp.Spec.Components.KustomizeBuildList) +
-		len(bp.Spec.Components.Resources)
-	return count
-}

api/v1alpha1/component.go

@@ -1,30 +0,0 @@
-package v1alpha1
-
-// HolosComponent defines the fields common to all holos component kinds including the Render Result.
-type HolosComponent struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	// Metadata represents the holos component name
-	Metadata ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
-	// APIObjectMap holds the marshalled representation of api objects. Think of
-	// these as resources overlaid at the back of the render pipeline.
-	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty" yaml:"apiObjectMap,omitempty"`
-	// Kustomization holds the marshalled representation of the flux kustomization
-	// which reconciles resources in git with the api server.
-	Kustomization `json:",inline" yaml:",inline"`
-	// Kustomize represents a kubectl kustomize build post-processing step.
-	Kustomize `json:",inline" yaml:",inline"`
-	// Skip causes holos to take no action regarding the component.
-	Skip bool
-}
-
-func (hc *HolosComponent) NewResult() *Result {
-	return &Result{HolosComponent: *hc}
-}
-
-func (hc *HolosComponent) GetAPIVersion() string {
-	return hc.APIVersion
-}
-
-func (hc *HolosComponent) GetKind() string {
-	return hc.Kind
-}

api/v1alpha1/constants.go

@@ -1,11 +0,0 @@
-package v1alpha1
-
-const (
-	APIVersion    = "holos.run/v1alpha1"
-	BuildPlanKind = "BuildPlan"
-	HelmChartKind = "HelmChart"
-	// ChartDir is the directory name created in the holos component directory to cache a chart.
-	ChartDir = "vendor"
-	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
-	ResourcesFile = "resources.yaml"
-)

api/v1alpha1/doc.go

@@ -1,2 +0,0 @@
-// Package v1alpha1 defines the api boundary between CUE and Holos.
-package v1alpha1

api/v1alpha1/form.go

@@ -1,13 +0,0 @@
-package v1alpha1
-
-import object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
-
-// Form represents a collection of Formly json powered form.
-type Form struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	Spec     FormSpec `json:"spec" yaml:"spec"`
-}
-
-type FormSpec struct {
-	Form object.Form `json:"form" yaml:"form"`
-}

api/v1alpha1/helm.go

@@ -1,184 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"syscall"
-
-	"github.com/holos-run/holos"
-	"github.com/holos-run/holos/internal/errors"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/internal/util"
-)
-
-// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
-type HelmChart struct {
-	HolosComponent `json:",inline" yaml:",inline"`
-	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
-	Namespace     string `json:"namespace"`
-	Chart         Chart  `json:"chart"`
-	ValuesContent string `json:"valuesContent"`
-	EnableHooks   bool   `json:"enableHooks"`
-}
-
-type Chart struct {
-	Name       string     `json:"name"`
-	Version    string     `json:"version"`
-	Release    string     `json:"release"`
-	Repository Repository `json:"repository,omitempty"`
-}
-
-type Repository struct {
-	Name string `json:"name"`
-	URL  string `json:"url"`
-}
-
-func (hc *HelmChart) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
-	result := Result{HolosComponent: hc.HolosComponent}
-	if err := hc.helm(ctx, &result, path); err != nil {
-		return nil, err
-	}
-	result.addObjectMap(ctx, hc.APIObjectMap)
-	if err := result.kustomize(ctx); err != nil {
-		return nil, errors.Wrap(fmt.Errorf("could not kustomize: %w", err))
-	}
-	return &result, nil
-}
-
-// runHelm provides the values produced by CUE to helm template and returns
-// the rendered kubernetes api objects in the result.
-func (hc *HelmChart) helm(ctx context.Context, r *Result, path holos.InstancePath) error {
-	log := logger.FromContext(ctx).With("chart", hc.Chart.Name)
-	if hc.Chart.Name == "" {
-		log.WarnContext(ctx, "skipping helm: no chart name specified, use a different component type")
-		return nil
-	}
-
-	cachedChartPath := filepath.Join(string(path), ChartDir, filepath.Base(hc.Chart.Name))
-	if isNotExist(cachedChartPath) {
-		// Add repositories
-		repo := hc.Chart.Repository
-		if repo.URL != "" {
-			out, err := util.RunCmd(ctx, "helm", "repo", "add", repo.Name, repo.URL)
-			if err != nil {
-				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
-				return errors.Wrap(fmt.Errorf("could not run helm repo add: %w", err))
-			}
-			// Update repository
-			out, err = util.RunCmd(ctx, "helm", "repo", "update", repo.Name)
-			if err != nil {
-				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
-				return errors.Wrap(fmt.Errorf("could not run helm repo update: %w", err))
-			}
-		} else {
-			log.DebugContext(ctx, "no chart repository url proceeding assuming oci chart")
-		}
-
-		// Cache the chart
-		if err := cacheChart(ctx, path, ChartDir, hc.Chart); err != nil {
-			return fmt.Errorf("could not cache chart: %w", err)
-		}
-	}
-
-	// Write values file
-	tempDir, err := os.MkdirTemp("", "holos")
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not make temp dir: %w", err))
-	}
-	defer util.Remove(ctx, tempDir)
-
-	valuesPath := filepath.Join(tempDir, "values.yaml")
-	if err := os.WriteFile(valuesPath, []byte(hc.ValuesContent), 0644); err != nil {
-		return errors.Wrap(fmt.Errorf("could not write values: %w", err))
-	}
-	log.DebugContext(ctx, "helm: wrote values", "path", valuesPath, "bytes", len(hc.ValuesContent))
-
-	// Run charts
-	chart := hc.Chart
-	args := []string{"template"}
-	if !hc.EnableHooks {
-		args = append(args, "--no-hooks")
-	}
-	namespace := hc.Namespace
-	args = append(args, "--include-crds", "--values", valuesPath, "--namespace", namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Release, cachedChartPath)
-	helmOut, err := util.RunCmd(ctx, "helm", args...)
-	if err != nil {
-		stderr := helmOut.Stderr.String()
-		lines := strings.Split(stderr, "\n")
-		for _, line := range lines {
-			if strings.HasPrefix(line, "Error:") {
-				err = fmt.Errorf("%s: %w", line, err)
-			}
-		}
-		return errors.Wrap(fmt.Errorf("could not run helm template: %w", err))
-	}
-
-	r.accumulatedOutput = helmOut.Stdout.String()
-
-	return nil
-}
-
-// cacheChart stores a cached copy of Chart in the chart subdirectory of path.
-//
-// It is assumed that the only method responsible for writing to chartDir is
-// cacheChart itself.
-//
-// This relies on the atomicity of moving temporary directories into place on
-// the same filesystem via os.Rename. If a syscall.EEXIST error occurs during
-// renaming, it indicates that the cached chart already exists, which is an
-// expected scenario when this function is called concurrently.
-func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, chart Chart) error {
-	log := logger.FromContext(ctx)
-
-	cacheTemp, err := os.MkdirTemp(string(path), chartDir)
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not make temp dir: %w", err))
-	}
-	defer util.Remove(ctx, cacheTemp)
-
-	chartName := chart.Name
-	if chart.Repository.Name != "" {
-		chartName = fmt.Sprintf("%s/%s", chart.Repository.Name, chart.Name)
-	}
-	helmOut, err := util.RunCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, chartName)
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not run helm pull: %w", err))
-	}
-	log.Debug("helm pull", "stdout", helmOut.Stdout, "stderr", helmOut.Stderr)
-
-	cachePath := filepath.Join(string(path), chartDir)
-
-	if err := os.MkdirAll(cachePath, 0777); err != nil {
-		return errors.Wrap(fmt.Errorf("could not mkdir: %w", err))
-	}
-
-	items, err := os.ReadDir(cacheTemp)
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not read directory: %w", err))
-	}
-
-	for _, item := range items {
-		src := filepath.Join(cacheTemp, item.Name())
-		dst := filepath.Join(cachePath, item.Name())
-		log.DebugContext(ctx, "rename", "src", src, "dst", dst)
-		if err := os.Rename(src, dst); err != nil {
-			var linkErr *os.LinkError
-			if errors.As(err, &linkErr) && errors.Is(linkErr.Err, syscall.EEXIST) {
-				log.DebugContext(ctx, "cache already exists", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
-			} else {
-				return errors.Wrap(fmt.Errorf("could not rename: %w", err))
-			}
-		}
-	}
-
-	log.InfoContext(ctx, "cached", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
-
-	return nil
-}
-func isNotExist(path string) bool {
-	_, err := os.Stat(path)
-	return os.IsNotExist(err)
-}

api/v1alpha1/kubernetesobjects.go

@@ -1,21 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-
-	"github.com/holos-run/holos"
-)
-
-const KubernetesObjectsKind = "KubernetesObjects"
-
-// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
-type KubernetesObjects struct {
-	HolosComponent `json:",inline" yaml:",inline"`
-}
-
-// Render produces kubernetes api objects from the APIObjectMap
-func (o *KubernetesObjects) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
-	result := Result{HolosComponent: o.HolosComponent}
-	result.addObjectMap(ctx, o.APIObjectMap)
-	return &result, nil
-}

api/v1alpha1/kustomization.go

@@ -1,7 +0,0 @@
-package v1alpha1
-
-// Kustomization holds the rendered flux kustomization api object content for git ops.
-type Kustomization struct {
-	// KsContent is the yaml representation of the flux kustomization for gitops.
-	KsContent string `json:"ksContent,omitempty" yaml:"ksContent,omitempty"`
-}

api/v1alpha1/kustomize.go

@@ -1,47 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-
-	"github.com/holos-run/holos"
-	"github.com/holos-run/holos/internal/errors"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/internal/util"
-)
-
-const KustomizeBuildKind = "KustomizeBuild"
-
-// Kustomize represents resources necessary to execute a kustomize build.
-// Intended for at least two use cases:
-//
-//  1. Process raw yaml file resources in a holos component directory.
-//  2. Post process a HelmChart to inject istio, add custom labels, etc...
-type Kustomize struct {
-	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
-	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty" yaml:"kustomizeFiles,omitempty"`
-	// ResourcesFile is the file name used for api objects in kustomization.yaml
-	ResourcesFile string `json:"resourcesFile,omitempty" yaml:"resourcesFile,omitempty"`
-}
-
-// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
-type KustomizeBuild struct {
-	HolosComponent `json:",inline" yaml:",inline"`
-}
-
-// Render produces a Result by executing kubectl kustomize on the holos
-// component path. Useful for processing raw yaml files.
-func (kb *KustomizeBuild) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
-	log := logger.FromContext(ctx)
-	result := Result{HolosComponent: kb.HolosComponent}
-	// Run kustomize.
-	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", string(path))
-	if err != nil {
-		log.ErrorContext(ctx, kOut.Stderr.String())
-		return nil, errors.Wrap(err)
-	}
-	// Replace the accumulated output
-	result.accumulatedOutput = kOut.Stdout.String()
-	// Add CUE based api objects.
-	result.addObjectMap(ctx, kb.APIObjectMap)
-	return &result, nil
-}

api/v1alpha1/objectmap.go

@@ -1,14 +0,0 @@
-package v1alpha1
-
-// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
-type Label string
-
-// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
-type Kind string
-
-// APIObjectMap is the shape of marshalled api objects returned from cue to the
-// holos cli. A map is used to improve the clarity of error messages from cue.
-type APIObjectMap map[Kind]map[Label]string
-
-// FileContentMap is a map of file names to file contents.
-type FileContentMap map[string]string

api/v1alpha1/objectmeta.go

@@ -1,15 +0,0 @@
-package v1alpha1
-
-// ObjectMeta represents metadata of a holos component object. The fields are a
-// copy of upstream kubernetes api machinery but are by holos objects distinct
-// from kubernetes api objects.
-type ObjectMeta struct {
-	// Name uniquely identifies the holos component instance and must be suitable as a file name.
-	Name string `json:"name,omitempty" yaml:"name,omitempty"`
-	// Namespace confines a holos component to a single namespace via kustomize if set.
-	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
-	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
-	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
-	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
-	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
-}

api/v1alpha1/platform.go

@@ -1,32 +0,0 @@
-package v1alpha1
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-// Platform represents a platform to manage.  A Platform resource informs holos
-// which components to build.  The platform resource also acts as a container
-// for the platform model form values provided by the PlatformService.  The
-// primary use case is to collect the cluster names, cluster types, platform
-// model, and holos components to build into one resource.
-type Platform struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	Metadata ObjectMeta   `json:"metadata" yaml:"metadata"`
-	Spec     PlatformSpec `json:"spec" yaml:"spec"`
-}
-
-// PlatformSpec represents the platform build plan specification.
-type PlatformSpec struct {
-	// Model represents the platform model holos gets from from the
-	// holos.platform.v1alpha1.PlatformService.GetPlatform method and provides to
-	// CUE using a tag.
-	Model      structpb.Struct         `json:"model" yaml:"model"`
-	Components []PlatformSpecComponent `json:"components" yaml:"components"`
-}
-
-// PlatformSpecComponent represents a component to build or render with flags to
-// pass, for example the cluster name.
-type PlatformSpecComponent struct {
-	// Path is the path of the component relative to the platform root.
-	Path string `json:"path" yaml:"path"`
-	// Cluster is the cluster name to use when building the component.
-	Cluster string `json:"cluster" yaml:"cluster"`
-}

api/v1alpha1/render.go

@@ -1,22 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-
-	"github.com/holos-run/holos"
-)
-
-type Renderer interface {
-	GetKind() string
-	Render(ctx context.Context, path holos.InstancePath) (*Result, error)
-}
-
-// Render produces a Result representing the kubernetes api objects to
-// configure. Each of the various holos component types, e.g. Helm, Kustomize,
-// et al, should implement the Renderer interface. This process is best
-// conceptualized as a data pipeline, for example a component may render a
-// result by first calling helm template, then passing the result through
-// kustomize, then mixing in overlay api objects.
-func Render(ctx context.Context, r Renderer, path holos.InstancePath) (*Result, error) {
-	return r.Render(ctx, path)
-}

api/v1alpha1/result.go

@@ -1,165 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-	"slices"
-
-	"github.com/holos-run/holos/internal/errors"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/internal/util"
-)
-
-// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
-type Result struct {
-	HolosComponent
-	// accumulatedOutput accumulates rendered api objects.
-	accumulatedOutput string
-	// DeployFiles keys represent file paths relative to the cluster deploy
-	// directory.  Map values represent the string encoded file contents.  Used to
-	// write the argocd Application, but may be used to render any file from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
-}
-
-// Continue returns true if Skip is true indicating the result is to be skipped over.
-func (r *Result) Continue() bool {
-	if r == nil {
-		return false
-	}
-	return r.Skip
-}
-
-func (r *Result) Name() string {
-	return r.Metadata.Name
-}
-
-func (r *Result) Filename(writeTo string, cluster string) string {
-	name := r.Metadata.Name
-	return filepath.Join(writeTo, "clusters", cluster, "components", name, name+".gen.yaml")
-}
-
-func (r *Result) KustomizationFilename(writeTo string, cluster string) string {
-	return filepath.Join(writeTo, "clusters", cluster, "holos", "components", r.Metadata.Name+"-kustomization.gen.yaml")
-}
-
-// AccumulatedOutput returns the accumulated rendered output.
-func (r *Result) AccumulatedOutput() string {
-	return r.accumulatedOutput
-}
-
-// addObjectMap renders the provided APIObjectMap into the accumulated output.
-func (r *Result) addObjectMap(ctx context.Context, objectMap APIObjectMap) {
-	log := logger.FromContext(ctx)
-	b := []byte(r.AccumulatedOutput())
-	kinds := make([]Kind, 0, len(objectMap))
-	// Sort the keys
-	for kind := range objectMap {
-		kinds = append(kinds, kind)
-	}
-	slices.Sort(kinds)
-
-	for _, kind := range kinds {
-		v := objectMap[kind]
-		// Sort the keys
-		names := make([]Label, 0, len(v))
-		for name := range v {
-			names = append(names, name)
-		}
-		slices.Sort(names)
-
-		for _, name := range names {
-			yamlString := v[name]
-			log.Debug(fmt.Sprintf("%s/%s", kind, name), "kind", kind, "name", name)
-			b = util.EnsureNewline(b)
-			header := fmt.Sprintf("---\n# Source: CUE apiObjects.%s.%s\n", kind, name)
-			b = append(b, []byte(header+yamlString)...)
-			b = util.EnsureNewline(b)
-		}
-	}
-	r.accumulatedOutput = string(b)
-}
-
-// kustomize replaces the accumulated output with the output of kustomize build
-func (r *Result) kustomize(ctx context.Context) error {
-	log := logger.FromContext(ctx)
-	if r.ResourcesFile == "" {
-		log.DebugContext(ctx, "skipping kustomize: no resourcesFile")
-		return nil
-	}
-	if len(r.KustomizeFiles) < 1 {
-		log.DebugContext(ctx, "skipping kustomize: no kustomizeFiles")
-		return nil
-	}
-	tempDir, err := os.MkdirTemp("", "holos.kustomize")
-	if err != nil {
-		return errors.Wrap(err)
-	}
-	defer util.Remove(ctx, tempDir)
-
-	// Write the main api object resources file for kustomize.
-	target := filepath.Join(tempDir, r.ResourcesFile)
-	b := []byte(r.AccumulatedOutput())
-	b = util.EnsureNewline(b)
-	if err := os.WriteFile(target, b, 0644); err != nil {
-		return errors.Wrap(fmt.Errorf("could not write resources: %w", err))
-	}
-	log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
-
-	// Write the kustomization tree, kustomization.yaml must be in this map for kustomize to work.
-	for file, content := range r.KustomizeFiles {
-		target := filepath.Join(tempDir, file)
-		if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
-			return errors.Wrap(err)
-		}
-		b := []byte(content)
-		b = util.EnsureNewline(b)
-		if err := os.WriteFile(target, b, 0644); err != nil {
-			return errors.Wrap(fmt.Errorf("could not write: %w", err))
-		}
-		log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
-	}
-
-	// Run kustomize.
-	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", tempDir)
-	if err != nil {
-		log.ErrorContext(ctx, kOut.Stderr.String())
-		return errors.Wrap(err)
-	}
-	// Replace the accumulated output
-	r.accumulatedOutput = kOut.Stdout.String()
-	return nil
-}
-
-func (r *Result) WriteDeployFiles(ctx context.Context, path string) error {
-	log := logger.FromContext(ctx)
-	if len(r.DeployFiles) == 0 {
-		return nil
-	}
-	for k, content := range r.DeployFiles {
-		path := filepath.Join(path, k)
-		if err := r.Save(ctx, path, content); err != nil {
-			return errors.Wrap(err)
-		}
-		log.InfoContext(ctx, "wrote deploy file", "path", path, "bytes", len(content))
-	}
-	return nil
-}
-
-// Save writes the content to the filesystem for git ops.
-func (r *Result) Save(ctx context.Context, path string, content string) error {
-	log := logger.FromContext(ctx)
-	dir := filepath.Dir(path)
-	if err := os.MkdirAll(dir, os.FileMode(0775)); err != nil {
-		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
-		return errors.Wrap(err)
-	}
-	// Write the file content
-	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
-		log.WarnContext(ctx, "could not write", "path", path, "err", err)
-		return errors.Wrap(err)
-	}
-	log.DebugContext(ctx, "out: wrote "+path, "action", "write", "path", path, "status", "ok")
-	return nil
-}

api/v1alpha1/typemeta.go

@@ -1,20 +0,0 @@
-package v1alpha1
-
-type TypeMeta struct {
-	Kind       string `json:"kind,omitempty" yaml:"kind,omitempty"`
-	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
-}
-
-func (tm *TypeMeta) GetKind() string {
-	return tm.Kind
-}
-
-func (tm *TypeMeta) GetAPIVersion() string {
-	return tm.APIVersion
-}
-
-// Discriminator is an interface to discriminate the kind api object.
-type Discriminator interface {
-	GetKind() string
-	GetAPIVersion() string
-}

cmd/cmd.go

@@ -0,0 +1,63 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"runtime/pprof"
+	"runtime/trace"
+
+	"github.com/holos-run/holos/internal/cli"
+	"github.com/holos-run/holos/internal/holos"
+)
+
+// MakeMain makes a main function for the cli or tests.
+func MakeMain(options ...holos.Option) func() int {
+	return func() (exitCode int) {
+		cfg := holos.New(options...)
+		slog.SetDefault(cfg.Logger())
+		ctx := context.Background()
+
+		if format := os.Getenv("HOLOS_CPU_PROFILE"); format != "" {
+			f, _ := os.Create(fmt.Sprintf(format, os.Getppid(), os.Getpid()))
+			err := pprof.StartCPUProfile(f)
+			defer func() {
+				pprof.StopCPUProfile()
+				f.Close()
+			}()
+			if err != nil {
+				return cli.HandleError(ctx, err, cfg)
+			}
+		}
+		defer memProfile(ctx, cfg)
+
+		if format := os.Getenv("HOLOS_TRACE"); format != "" {
+			f, _ := os.Create(fmt.Sprintf(format, os.Getppid(), os.Getpid()))
+			err := trace.Start(f)
+			defer func() {
+				trace.Stop()
+				f.Close()
+			}()
+			if err != nil {
+				return cli.HandleError(ctx, err, cfg)
+			}
+		}
+
+		feature := &holos.EnvFlagger{}
+		if err := cli.New(cfg, feature).ExecuteContext(ctx); err != nil {
+			return cli.HandleError(ctx, err, cfg)
+		}
+		return 0
+	}
+}
+
+func memProfile(ctx context.Context, cfg *holos.Config) {
+	if format := os.Getenv("HOLOS_MEM_PROFILE"); format != "" {
+		f, _ := os.Create(fmt.Sprintf(format, os.Getppid(), os.Getpid()))
+		defer f.Close()
+		if err := pprof.WriteHeapProfile(f); err != nil {
+			_ = cli.HandleError(ctx, err, cfg)
+		}
+	}
+}

cmd/holos/main.go

@@ -3,9 +3,9 @@ package main
 import (
 	"os"
 
-	"github.com/holos-run/holos/internal/cli"
+	"github.com/holos-run/holos/cmd"
 )
 
 func main() {
-	os.Exit(cli.MakeMain()())
+	os.Exit(cmd.MakeMain()())
 }

cmd/holos/main_test.go

@@ -6,19 +6,28 @@ import (
 	"testing"
 
 	cue "cuelang.org/go/cmd/cue/cmd"
-	"github.com/holos-run/holos/internal/cli"
+	"github.com/holos-run/holos/cmd"
 	"github.com/rogpeppe/go-internal/testscript"
 )
 
 func TestMain(m *testing.M) {
-	os.Exit(testscript.RunMain(m, map[string]func() int{
-		"holos": cli.MakeMain(),
-		"cue":   cue.Main,
-	}))
+	holosMain := cmd.MakeMain()
+	testscript.Main(m, map[string]func(){
+		"holos": func() { os.Exit(holosMain()) },
+		"cue":   func() { os.Exit(cue.Main()) },
+	})
 }
 
-func TestGuides(t *testing.T) {
-	testscript.Run(t, params(filepath.Join("v1alpha4", "guides")))
+func TestGuides_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "guides")))
+}
+
+func TestSchemas_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "schemas")))
+}
+
+func TestIssues_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "issues")))
 }
 
 func TestCLI(t *testing.T) {
@@ -29,7 +38,9 @@ func params(dir string) testscript.Params {
 	return testscript.Params{
 		Dir:                 filepath.Join("tests", dir),
 		RequireExplicitExec: true,
-		RequireUniqueNames:  true,
+		RequireUniqueNames:  os.Getenv("HOLOS_WORKDIR_ROOT") == "",
+		WorkdirRoot:         os.Getenv("HOLOS_WORKDIR_ROOT"),
+		UpdateScripts:       os.Getenv("HOLOS_UPDATE_SCRIPTS") != "",
 		Setup: func(env *testscript.Env) error {
 			// Just like cmd/cue/cmd.TestScript, set up separate cache and config dirs per test.
 			env.Setenv("CUE_CACHE_DIR", filepath.Join(env.WorkDir, "tmp/cachedir"))

cmd/holos/tests/cli/cue-vet.txt

@@ -0,0 +1,12 @@
+# https://github.com/holos-run/holos/issues/358
+# holos cue vet should fail verifications with exit code 1
+! exec holos cue vet ./policy --path strings.ToLower(kind) ./data/secret.yaml
+# holos cue vet should report validation errors to stderr
+stderr 'Forbidden. Use an ExternalSecret instead.'
+
+-- data/secret.yaml --
+kind: Secret
+-- policy/validators.cue --
+package policy
+
+secret: kind: "Forbidden. Use an ExternalSecret instead."

cmd/holos/tests/cli/first-impression.txt

@@ -0,0 +1,2 @@
+# https://github.com/holos-run/holos/issues/334
+exec holos

cmd/holos/tests/v1alpha5/guides/helm.txt

@@ -4,14 +4,14 @@
 cd $WORK
 
 # Generate the directory structure we're going to work in.
-exec holos generate platform v1alpha4
+exec holos generate platform v1alpha5 --force
 
 # Platforms are empty by default.
-exec holos render platform ./platform
+exec holos render platform
 stderr -count=1 '^rendered platform'
 
 # Holos uses CUE to build a platform specification.
-exec cue export --out=yaml ./platform
+exec holos show platform
 cmp stdout want/1.platform_spec.yaml
 
 # Define the host and port in projects/blackbox.schema.cue
@@ -22,10 +22,10 @@ mv projects/platform/components/prometheus/prometheus.cue.disabled projects/plat
 mv platform/prometheus.cue.disabled platform/prometheus.cue
 
 # Render the platform to render the prometheus chart.
-exec holos render platform ./platform
-stderr -count=1 '^rendered prometheus for cluster local'
+exec holos render platform
+stderr -count=1 '^rendered prometheus'
 stderr -count=1 '^rendered platform'
-cmp deploy/clusters/local/components/prometheus/prometheus.gen.yaml want/1.prometheus.gen.yaml
+cmp deploy/components/prometheus/prometheus.gen.yaml want/1.prometheus.gen.yaml
 
 # Add the CUE configuration to manage the blackbox Helm Chart component.
 mv projects/platform/components/blackbox/blackbox.cue.disabled projects/platform/components/blackbox/blackbox.cue
@@ -34,14 +34,14 @@ mv platform/blackbox.cue.disabled platform/blackbox.cue
 
 # Render the platform to render both the prometheus and blackbox charts.
 exec holos render platform ./platform
-stderr -count=1 '^rendered prometheus for cluster local'
-stderr -count=1 '^rendered blackbox for cluster local'
+stderr -count=1 '^rendered prometheus'
+stderr -count=1 '^rendered blackbox'
 stderr -count=1 '^rendered platform'
-cmp deploy/clusters/local/components/blackbox/blackbox.gen.yaml want/1.blackbox.gen.yaml
+cmp deploy/components/blackbox/blackbox.gen.yaml want/1.blackbox.gen.yaml
 
 # Import helm values
-exec cue import --package holos --path '_Helm: Values:' --outfile projects/platform/components/prometheus/values.cue projects/platform/components/prometheus/vendor/25.27.0/prometheus/values.yaml
-exec cue import --package holos --path '_Helm: Values:' --outfile projects/platform/components/blackbox/values.cue projects/platform/components/blackbox/vendor/9.0.1/prometheus-blackbox-exporter/values.yaml
+exec cue import --package holos --path 'Helm: Values:' --outfile projects/platform/components/prometheus/values.cue projects/platform/components/prometheus/vendor/25.27.0/prometheus/values.yaml
+exec cue import --package holos --path 'Helm: Values:' --outfile projects/platform/components/blackbox/values.cue projects/platform/components/blackbox/vendor/9.0.1/prometheus-blackbox-exporter/values.yaml
 # Patch imported values
 stdin values.patch
 exec patch -p1
@@ -54,12 +54,27 @@ mv platform/httpbin.cue.disabled platform/httpbin.cue
 
 # Render the platform with httpbin
 exec holos render platform ./platform
-stderr -count=1 '^rendered httpbin for cluster'
-cmp deploy/clusters/local/components/httpbin/httpbin.gen.yaml want/1.httpbin.gen.yaml
+stderr -count=1 '^rendered httpbin'
+cmp deploy/components/httpbin/httpbin.gen.yaml want/1.httpbin.gen.yaml
 
+# Verify the labels are correct
+grep 'replacement: blackbox:9115' deploy/components/prometheus/prometheus.gen.yaml
+# Check the blackbox fullnameOverride
+grep -count=4 '^  name: blackbox$' deploy/components/blackbox/blackbox.gen.yaml
+# Check the blackbox Service port
+grep -count=1 '^    port: 9115$' deploy/components/blackbox/blackbox.gen.yaml
+
+-- projects/output.cue --
+package holos
+
+import "github.com/holos-run/holos/api/core/v1alpha5:core"
+
+core.#BuildPlan & {
+	metadata: name: _Tags.component.name
+}
 -- want/1.platform_spec.yaml --
+apiVersion: v1alpha5
 kind: Platform
-apiVersion: v1alpha4
 metadata:
   name: default
 spec:
@@ -74,9 +89,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/version: v0.27.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: alertmanager-1.12.0
-    holos.run/component.name: prometheus
   name: prometheus-alertmanager
   namespace: default
 ---
@@ -91,9 +104,7 @@ metadata:
     app.kubernetes.io/name: kube-state-metrics
     app.kubernetes.io/part-of: kube-state-metrics
     app.kubernetes.io/version: 2.13.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: kube-state-metrics-5.25.1
-    holos.run/component.name: prometheus
   name: prometheus-kube-state-metrics
   namespace: default
 ---
@@ -108,9 +119,7 @@ metadata:
     app.kubernetes.io/name: prometheus-node-exporter
     app.kubernetes.io/part-of: prometheus-node-exporter
     app.kubernetes.io/version: 1.8.2
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-node-exporter-4.39.0
-    holos.run/component.name: prometheus
   name: prometheus-prometheus-node-exporter
   namespace: default
 ---
@@ -123,9 +132,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: prometheus-pushgateway
     app.kubernetes.io/version: v1.9.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-pushgateway-2.14.0
-    holos.run/component.name: prometheus
   name: prometheus-prometheus-pushgateway
   namespace: default
 ---
@@ -139,9 +146,7 @@ metadata:
     app.kubernetes.io/name: prometheus
     app.kubernetes.io/part-of: prometheus
     app.kubernetes.io/version: v2.54.1
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-25.27.0
-    holos.run/component.name: prometheus
   name: prometheus-server
   namespace: default
 ---
@@ -155,9 +160,7 @@ metadata:
     app.kubernetes.io/name: kube-state-metrics
     app.kubernetes.io/part-of: kube-state-metrics
     app.kubernetes.io/version: 2.13.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: kube-state-metrics-5.25.1
-    holos.run/component.name: prometheus
   name: prometheus-kube-state-metrics
 rules:
 - apiGroups:
@@ -371,9 +374,7 @@ metadata:
     app.kubernetes.io/name: prometheus
     app.kubernetes.io/part-of: prometheus
     app.kubernetes.io/version: v2.54.1
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-25.27.0
-    holos.run/component.name: prometheus
   name: prometheus-server
 rules:
 - apiGroups:
@@ -424,9 +425,7 @@ metadata:
     app.kubernetes.io/name: kube-state-metrics
     app.kubernetes.io/part-of: kube-state-metrics
     app.kubernetes.io/version: 2.13.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: kube-state-metrics-5.25.1
-    holos.run/component.name: prometheus
   name: prometheus-kube-state-metrics
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -447,9 +446,7 @@ metadata:
     app.kubernetes.io/name: prometheus
     app.kubernetes.io/part-of: prometheus
     app.kubernetes.io/version: v2.54.1
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-25.27.0
-    holos.run/component.name: prometheus
   name: prometheus-server
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -480,9 +477,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/version: v0.27.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: alertmanager-1.12.0
-    holos.run/component.name: prometheus
   name: prometheus-alertmanager
   namespace: default
 ---
@@ -836,9 +831,7 @@ metadata:
     app.kubernetes.io/name: prometheus
     app.kubernetes.io/part-of: prometheus
     app.kubernetes.io/version: v2.54.1
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-25.27.0
-    holos.run/component.name: prometheus
   name: prometheus-server
   namespace: default
 ---
@@ -850,9 +843,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/version: v0.27.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: alertmanager-1.12.0
-    holos.run/component.name: prometheus
   name: prometheus-alertmanager
   namespace: default
 spec:
@@ -864,8 +855,6 @@ spec:
   selector:
     app.kubernetes.io/instance: prometheus
     app.kubernetes.io/name: alertmanager
-    argocd.argoproj.io/instance: prometheus
-    holos.run/component.name: prometheus
   type: ClusterIP
 ---
 apiVersion: v1
@@ -876,9 +865,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/version: v0.27.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: alertmanager-1.12.0
-    holos.run/component.name: prometheus
   name: prometheus-alertmanager-headless
   namespace: default
 spec:
@@ -891,8 +878,6 @@ spec:
   selector:
     app.kubernetes.io/instance: prometheus
     app.kubernetes.io/name: alertmanager
-    argocd.argoproj.io/instance: prometheus
-    holos.run/component.name: prometheus
 ---
 apiVersion: v1
 kind: Service
@@ -906,9 +891,7 @@ metadata:
     app.kubernetes.io/name: kube-state-metrics
     app.kubernetes.io/part-of: kube-state-metrics
     app.kubernetes.io/version: 2.13.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: kube-state-metrics-5.25.1
-    holos.run/component.name: prometheus
   name: prometheus-kube-state-metrics
   namespace: default
 spec:
@@ -920,8 +903,6 @@ spec:
   selector:
     app.kubernetes.io/instance: prometheus
     app.kubernetes.io/name: kube-state-metrics
-    argocd.argoproj.io/instance: prometheus
-    holos.run/component.name: prometheus
   type: ClusterIP
 ---
 apiVersion: v1
@@ -936,9 +917,7 @@ metadata:
     app.kubernetes.io/name: prometheus-node-exporter
     app.kubernetes.io/part-of: prometheus-node-exporter
     app.kubernetes.io/version: 1.8.2
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-node-exporter-4.39.0
-    holos.run/component.name: prometheus
   name: prometheus-prometheus-node-exporter
   namespace: default
 spec:
@@ -950,8 +929,6 @@ spec:
   selector:
     app.kubernetes.io/instance: prometheus
     app.kubernetes.io/name: prometheus-node-exporter
-    argocd.argoproj.io/instance: prometheus
-    holos.run/component.name: prometheus
   type: ClusterIP
 ---
 apiVersion: v1
@@ -964,9 +941,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: prometheus-pushgateway
     app.kubernetes.io/version: v1.9.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-pushgateway-2.14.0
-    holos.run/component.name: prometheus
   name: prometheus-prometheus-pushgateway
   namespace: default
 spec:
@@ -978,8 +953,6 @@ spec:
   selector:
     app.kubernetes.io/instance: prometheus
     app.kubernetes.io/name: prometheus-pushgateway
-    argocd.argoproj.io/instance: prometheus
-    holos.run/component.name: prometheus
   type: ClusterIP
 ---
 apiVersion: v1
@@ -992,9 +965,7 @@ metadata:
     app.kubernetes.io/name: prometheus
     app.kubernetes.io/part-of: prometheus
     app.kubernetes.io/version: v2.54.1
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-25.27.0
-    holos.run/component.name: prometheus
   name: prometheus-server
   namespace: default
 spec:
@@ -1007,8 +978,6 @@ spec:
     app.kubernetes.io/component: server
     app.kubernetes.io/instance: prometheus
     app.kubernetes.io/name: prometheus
-    argocd.argoproj.io/instance: prometheus
-    holos.run/component.name: prometheus
   sessionAffinity: None
   type: ClusterIP
 ---
@@ -1022,9 +991,7 @@ metadata:
     app.kubernetes.io/name: prometheus
     app.kubernetes.io/part-of: prometheus
     app.kubernetes.io/version: v2.54.1
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-25.27.0
-    holos.run/component.name: prometheus
   name: prometheus-server
   namespace: default
 spec:
@@ -1044,9 +1011,7 @@ metadata:
     app.kubernetes.io/name: kube-state-metrics
     app.kubernetes.io/part-of: kube-state-metrics
     app.kubernetes.io/version: 2.13.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: kube-state-metrics-5.25.1
-    holos.run/component.name: prometheus
   name: prometheus-kube-state-metrics
   namespace: default
 spec:
@@ -1056,8 +1021,6 @@ spec:
     matchLabels:
       app.kubernetes.io/instance: prometheus
       app.kubernetes.io/name: kube-state-metrics
-      argocd.argoproj.io/instance: prometheus
-      holos.run/component.name: prometheus
   strategy:
     type: RollingUpdate
   template:
@@ -1069,9 +1032,7 @@ spec:
         app.kubernetes.io/name: kube-state-metrics
         app.kubernetes.io/part-of: kube-state-metrics
         app.kubernetes.io/version: 2.13.0
-        argocd.argoproj.io/instance: prometheus
         helm.sh/chart: kube-state-metrics-5.25.1
-        holos.run/component.name: prometheus
     spec:
       automountServiceAccountToken: true
       containers:
@@ -1131,9 +1092,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: prometheus-pushgateway
     app.kubernetes.io/version: v1.9.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-pushgateway-2.14.0
-    holos.run/component.name: prometheus
   name: prometheus-prometheus-pushgateway
   namespace: default
 spec:
@@ -1142,8 +1101,6 @@ spec:
     matchLabels:
       app.kubernetes.io/instance: prometheus
       app.kubernetes.io/name: prometheus-pushgateway
-      argocd.argoproj.io/instance: prometheus
-      holos.run/component.name: prometheus
   strategy:
     type: Recreate
   template:
@@ -1153,9 +1110,7 @@ spec:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: prometheus-pushgateway
         app.kubernetes.io/version: v1.9.0
-        argocd.argoproj.io/instance: prometheus
         helm.sh/chart: prometheus-pushgateway-2.14.0
-        holos.run/component.name: prometheus
     spec:
       automountServiceAccountToken: true
       containers:
@@ -1201,9 +1156,7 @@ metadata:
     app.kubernetes.io/name: prometheus
     app.kubernetes.io/part-of: prometheus
     app.kubernetes.io/version: v2.54.1
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-25.27.0
-    holos.run/component.name: prometheus
   name: prometheus-server
   namespace: default
 spec:
@@ -1214,8 +1167,6 @@ spec:
       app.kubernetes.io/component: server
       app.kubernetes.io/instance: prometheus
       app.kubernetes.io/name: prometheus
-      argocd.argoproj.io/instance: prometheus
-      holos.run/component.name: prometheus
   strategy:
     rollingUpdate: null
     type: Recreate
@@ -1228,9 +1179,7 @@ spec:
         app.kubernetes.io/name: prometheus
         app.kubernetes.io/part-of: prometheus
         app.kubernetes.io/version: v2.54.1
-        argocd.argoproj.io/instance: prometheus
         helm.sh/chart: prometheus-25.27.0
-        holos.run/component.name: prometheus
     spec:
       containers:
       - args:
@@ -1323,9 +1272,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: alertmanager
     app.kubernetes.io/version: v0.27.0
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: alertmanager-1.12.0
-    holos.run/component.name: prometheus
   name: prometheus-alertmanager
   namespace: default
 spec:
@@ -1336,8 +1283,6 @@ spec:
     matchLabels:
       app.kubernetes.io/instance: prometheus
       app.kubernetes.io/name: alertmanager
-      argocd.argoproj.io/instance: prometheus
-      holos.run/component.name: prometheus
   serviceName: prometheus-alertmanager-headless
   template:
     metadata:
@@ -1346,8 +1291,6 @@ spec:
       labels:
         app.kubernetes.io/instance: prometheus
         app.kubernetes.io/name: alertmanager
-        argocd.argoproj.io/instance: prometheus
-        holos.run/component.name: prometheus
     spec:
       automountServiceAccountToken: true
       containers:
@@ -1397,9 +1340,6 @@ spec:
         name: config
   volumeClaimTemplates:
   - metadata:
-      labels:
-        argocd.argoproj.io/instance: prometheus
-        holos.run/component.name: prometheus
       name: storage
     spec:
       accessModes:
@@ -1418,9 +1358,7 @@ metadata:
     app.kubernetes.io/name: prometheus-node-exporter
     app.kubernetes.io/part-of: prometheus-node-exporter
     app.kubernetes.io/version: 1.8.2
-    argocd.argoproj.io/instance: prometheus
     helm.sh/chart: prometheus-node-exporter-4.39.0
-    holos.run/component.name: prometheus
   name: prometheus-prometheus-node-exporter
   namespace: default
 spec:
@@ -1429,8 +1367,6 @@ spec:
     matchLabels:
       app.kubernetes.io/instance: prometheus
       app.kubernetes.io/name: prometheus-node-exporter
-      argocd.argoproj.io/instance: prometheus
-      holos.run/component.name: prometheus
   template:
     metadata:
       annotations:
@@ -1442,9 +1378,7 @@ spec:
         app.kubernetes.io/name: prometheus-node-exporter
         app.kubernetes.io/part-of: prometheus-node-exporter
         app.kubernetes.io/version: 1.8.2
-        argocd.argoproj.io/instance: prometheus
         helm.sh/chart: prometheus-node-exporter-4.39.0
-        holos.run/component.name: prometheus
     spec:
       automountServiceAccountToken: false
       containers:
@@ -1536,8 +1470,6 @@ metadata:
     prometheus.io/probe: "true"
   labels:
     app.kubernetes.io/name: httpbin
-    argocd.argoproj.io/instance: httpbin
-    holos.run/component.name: httpbin
   name: httpbin
 spec:
   ports:
@@ -1548,29 +1480,21 @@ spec:
     targetPort: http
   selector:
     app.kubernetes.io/name: httpbin
-    argocd.argoproj.io/instance: httpbin
-    holos.run/component.name: httpbin
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: httpbin
-    argocd.argoproj.io/instance: httpbin
-    holos.run/component.name: httpbin
   name: httpbin
 spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: httpbin
-      argocd.argoproj.io/instance: httpbin
-      holos.run/component.name: httpbin
   template:
     metadata:
       labels:
         app.kubernetes.io/name: httpbin
-        argocd.argoproj.io/instance: httpbin
-        holos.run/component.name: httpbin
     spec:
       containers:
       - image: mccutchen/go-httpbin
@@ -1597,9 +1521,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: prometheus-blackbox-exporter
     app.kubernetes.io/version: v0.25.0
-    argocd.argoproj.io/instance: blackbox
     helm.sh/chart: prometheus-blackbox-exporter-9.0.1
-    holos.run/component.name: blackbox
   name: prometheus-blackbox-exporter
   namespace: default
 ---
@@ -1623,9 +1545,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: prometheus-blackbox-exporter
     app.kubernetes.io/version: v0.25.0
-    argocd.argoproj.io/instance: blackbox
     helm.sh/chart: prometheus-blackbox-exporter-9.0.1
-    holos.run/component.name: blackbox
   name: prometheus-blackbox-exporter
   namespace: default
 ---
@@ -1637,9 +1557,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: prometheus-blackbox-exporter
     app.kubernetes.io/version: v0.25.0
-    argocd.argoproj.io/instance: blackbox
     helm.sh/chart: prometheus-blackbox-exporter-9.0.1
-    holos.run/component.name: blackbox
   name: prometheus-blackbox-exporter
   namespace: default
 spec:
@@ -1651,8 +1569,6 @@ spec:
   selector:
     app.kubernetes.io/instance: prometheus-blackbox-exporter
     app.kubernetes.io/name: prometheus-blackbox-exporter
-    argocd.argoproj.io/instance: blackbox
-    holos.run/component.name: blackbox
   type: ClusterIP
 ---
 apiVersion: apps/v1
@@ -1663,9 +1579,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: prometheus-blackbox-exporter
     app.kubernetes.io/version: v0.25.0
-    argocd.argoproj.io/instance: blackbox
     helm.sh/chart: prometheus-blackbox-exporter-9.0.1
-    holos.run/component.name: blackbox
   name: prometheus-blackbox-exporter
   namespace: default
 spec:
@@ -1674,8 +1588,6 @@ spec:
     matchLabels:
       app.kubernetes.io/instance: prometheus-blackbox-exporter
       app.kubernetes.io/name: prometheus-blackbox-exporter
-      argocd.argoproj.io/instance: blackbox
-      holos.run/component.name: blackbox
   strategy:
     rollingUpdate:
       maxSurge: 1
@@ -1688,8 +1600,6 @@ spec:
       labels:
         app.kubernetes.io/instance: prometheus-blackbox-exporter
         app.kubernetes.io/name: prometheus-blackbox-exporter
-        argocd.argoproj.io/instance: blackbox
-        holos.run/component.name: blackbox
     spec:
       automountServiceAccountToken: false
       containers:
@@ -1730,61 +1640,60 @@ spec:
           name: prometheus-blackbox-exporter
         name: config
 -- values.patch --
+diff --git a/projects/platform/components/blackbox/values.cue b/projects/platform/components/blackbox/values.cue
+index 6e29043..e3fa9ce 100644
 --- a/projects/platform/components/blackbox/values.cue
 +++ b/projects/platform/components/blackbox/values.cue
-@@ -2,6 +2,9 @@ package holos
+@@ -1,6 +1,8 @@
+ package holos
  
- _Helm: {
- 	Values: {
-+		// the upstream chart authors forgot to add the fullnameOverride value used in the service template.
-+		fullnameOverride: _blackbox.host
+ Helm: Values: {
++	fullnameOverride: _blackbox.host
 +
- 		global: {
- 			//# Global image registry to use if it needs to be overriden for some specific use cases (e.g local registries, custom images, ...)
- 			//#
-@@ -193,7 +196,7 @@ _Helm: {
- 			annotations: {}
- 			labels: {}
- 			type: "ClusterIP"
--			port: 9115
-+			port: _blackbox.port
- 			ipDualStack: {
- 				enabled: false
- 				ipFamilies: ["IPv6", "IPv4"]
+ 	global: {
+ 		//# Global image registry to use if it needs to be overriden for some specific use cases (e.g local registries, custom images, ...)
+ 		//#
+@@ -192,7 +194,7 @@ Helm: Values: {
+ 		annotations: {}
+ 		labels: {}
+ 		type: "ClusterIP"
+-		port: 9115
++		port: _blackbox.port
+ 		ipDualStack: {
+ 			enabled: false
+ 			ipFamilies: ["IPv6", "IPv4"]
+diff --git a/projects/platform/components/prometheus/values.cue b/projects/platform/components/prometheus/values.cue
+index 869b11d..119c608 100644
 --- a/projects/platform/components/prometheus/values.cue
 +++ b/projects/platform/components/prometheus/values.cue
-@@ -1084,7 +1084,7 @@ _Helm: {
- 						target_label: "__param_target"
- 					}, {
- 						target_label: "__address__"
--						replacement:  "blackbox"
-+						replacement:  "\(_blackbox.host):\(_blackbox.port)"
- 					}, {
- 						source_labels: ["__param_target"]
- 						target_label: "instance"
+@@ -1083,7 +1083,7 @@ Helm: Values: {
+ 					target_label: "__param_target"
+ 				}, {
+ 					target_label: "__address__"
+-					replacement:  "blackbox"
++					replacement:  "\(_blackbox.host):\(_blackbox.port)"
+ 				}, {
+ 					source_labels: ["__param_target"]
+ 					target_label: "instance"
+
 -- platform/httpbin.cue.disabled --
 package holos
 
-_Platform: Components: httpbin: {
-	name:      "httpbin"
-	component: "projects/platform/components/httpbin"
-	cluster:   "local"
+Platform: Components: httpbin: {
+	name: "httpbin"
+	path: "projects/platform/components/httpbin"
 }
 -- platform/blackbox.cue.disabled --
 package holos
 
-_Platform: Components: blackbox: {
-	name:      "blackbox"
-	component: "projects/platform/components/blackbox"
-	cluster:   "local"
+Platform: Components: blackbox: {
+	name: "blackbox"
+	path: "projects/platform/components/blackbox"
 }
 -- projects/platform/components/blackbox/blackbox.cue.disabled --
 package holos
 
-// Produce a helm chart build plan.
-_Helm.BuildPlan
-
-_Helm: #Helm & {
+Helm: #Helm & {
 	Chart: {
 		name:    "prometheus-blackbox-exporter"
 		version: "9.0.1"
@@ -1794,6 +1703,9 @@ _Helm: #Helm & {
 		}
 	}
 }
+
+// Produce a helm chart build plan.
+holos: Helm.BuildPlan
 -- projects/blackbox.schema.cue.disabled --
 package holos
 
@@ -1813,10 +1725,7 @@ _blackbox: #blackbox & {
 -- projects/platform/components/prometheus/prometheus.cue.disabled --
 package holos
 
-// Produce a helm chart build plan.
-_Helm.BuildPlan
-
-_Helm: #Helm & {
+Helm: #Helm & {
 	Chart: {
 		name:    "prometheus"
 		version: "25.27.0"
@@ -1826,13 +1735,15 @@ _Helm: #Helm & {
 		}
 	}
 }
+
+// Produce a helm chart build plan.
+holos: Helm.BuildPlan
 -- platform/prometheus.cue.disabled --
 package holos
 
-_Platform: Components: prometheus: {
-	name:      "prometheus"
-	component: "projects/platform/components/prometheus"
-	cluster:   "local"
+Platform: Components: prometheus: {
+	name: "prometheus"
+	path: "projects/platform/components/prometheus"
 }
 -- projects/platform/components/prometheus/vendor/25.27.0/prometheus/.helmignore --
 # Patterns to ignore when building packages.
@@ -14983,11 +14894,8 @@ package holos
 
 import "encoding/yaml"
 
-// Produce a Kustomize BuildPlan for Holos
-_Kustomize.BuildPlan
-
 // https://github.com/mccutchen/go-httpbin/blob/v2.15.0/kustomize/README.md
-_Kustomize: #Kustomize & {
+Kustomize: #Kustomize & {
 	KustomizeConfig: Files: "resources.yaml": _
 	KustomizeConfig: Kustomization: {
 		commonLabels: "app.kubernetes.io/name": "httpbin"
@@ -15004,6 +14912,9 @@ _Kustomize: #Kustomize & {
 		patches: [for x in _patches {x}]
 	}
 }
+
+// Produce a Kustomize BuildPlan for Holos
+holos: Kustomize.BuildPlan
 -- projects/platform/components/httpbin/resources.yaml --
 apiVersion: apps/v1
 kind: Deployment

cmd/holos/tests/v1alpha5/issues/holos-show.txt

@@ -0,0 +1,422 @@
+# https://github.com/holos-run/holos/issues/331
+# ensure holos show components --labels selects correctly.
+# ensure BuildPlan includes labels and annotations from the platform component.
+# ensure holos render platform injects the holos_component_labels and
+# holos_component_annotations tags.
+env HOME=$WORK
+
+exec holos init platform v1alpha5 --force
+exec holos show platform
+cmp stdout want/platform.yaml
+
+# all buildplans are selected by default
+exec holos show buildplans
+cmp stdout want/all-buildplans.yaml
+
+# one = works in the selector
+exec holos show buildplans --selector app.holos.run/name=empty1-label
+cmp stdout want/buildplans.1.yaml
+
+# double == works in the selector
+exec holos show buildplans --selector app.holos.run/name==empty2-label
+cmp stdout want/buildplans.2.yaml
+
+# not equal != negates the selection
+exec holos show buildplans --selector app.holos.run/name!=empty3-label
+cmp stdout want/buildplans.3.yaml
+exec holos show buildplans --selector app.holos.run/name!=something-else
+cmp stdout want/buildplans.4.yaml
+
+-- platform/empty.cue --
+package holos
+
+Platform: Components: {
+  empty1: _
+  empty2: _
+  empty3: _
+  empty4: _
+}
+-- platform/metadata.cue --
+package holos
+
+Platform: Components: [NAME=string]: {
+  name: NAME
+  path: "components/empty"
+  labels: "app.holos.run/name": "\(name)-label"
+  annotations: "app.holos.run/description": "\(name)-annotation empty test case"
+}
+-- components/empty/empty.cue --
+package holos
+
+Component: #Kubernetes & {}
+holos: Component.BuildPlan
+-- want/platform.yaml --
+apiVersion: v1alpha5
+kind: Platform
+metadata:
+  name: default
+spec:
+  components:
+    - annotations:
+        app.holos.run/description: empty1-annotation empty test case
+      labels:
+        app.holos.run/name: empty1-label
+      name: empty1
+      path: components/empty
+    - annotations:
+        app.holos.run/description: empty2-annotation empty test case
+      labels:
+        app.holos.run/name: empty2-label
+      name: empty2
+      path: components/empty
+    - annotations:
+        app.holos.run/description: empty3-annotation empty test case
+      labels:
+        app.holos.run/name: empty3-label
+      name: empty3
+      path: components/empty
+    - annotations:
+        app.holos.run/description: empty4-annotation empty test case
+      labels:
+        app.holos.run/name: empty4-label
+      name: empty4
+      path: components/empty
+-- want/empty.yaml --
+-- want/all-buildplans.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty1
+  labels:
+    app.holos.run/name: empty1-label
+  annotations:
+    app.holos.run/description: empty1-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty1/empty1.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty1/empty1.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty2
+  labels:
+    app.holos.run/name: empty2-label
+  annotations:
+    app.holos.run/description: empty2-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty2/empty2.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty2/empty2.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty3
+  labels:
+    app.holos.run/name: empty3-label
+  annotations:
+    app.holos.run/description: empty3-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty3/empty3.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty3/empty3.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty4
+  labels:
+    app.holos.run/name: empty4-label
+  annotations:
+    app.holos.run/description: empty4-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty4/empty4.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty4/empty4.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+-- want/buildplans.1.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty1
+  labels:
+    app.holos.run/name: empty1-label
+  annotations:
+    app.holos.run/description: empty1-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty1/empty1.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty1/empty1.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+-- want/buildplans.2.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty2
+  labels:
+    app.holos.run/name: empty2-label
+  annotations:
+    app.holos.run/description: empty2-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty2/empty2.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty2/empty2.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+-- want/buildplans.3.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty1
+  labels:
+    app.holos.run/name: empty1-label
+  annotations:
+    app.holos.run/description: empty1-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty1/empty1.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty1/empty1.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty2
+  labels:
+    app.holos.run/name: empty2-label
+  annotations:
+    app.holos.run/description: empty2-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty2/empty2.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty2/empty2.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty4
+  labels:
+    app.holos.run/name: empty4-label
+  annotations:
+    app.holos.run/description: empty4-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty4/empty4.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty4/empty4.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+-- want/buildplans.4.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty1
+  labels:
+    app.holos.run/name: empty1-label
+  annotations:
+    app.holos.run/description: empty1-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty1/empty1.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty1/empty1.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty2
+  labels:
+    app.holos.run/name: empty2-label
+  annotations:
+    app.holos.run/description: empty2-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty2/empty2.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty2/empty2.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty3
+  labels:
+    app.holos.run/name: empty3-label
+  annotations:
+    app.holos.run/description: empty3-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty3/empty3.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty3/empty3.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty4
+  labels:
+    app.holos.run/name: empty4-label
+  annotations:
+    app.holos.run/description: empty4-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty4/empty4.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty4/empty4.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml

cmd/holos/tests/v1alpha5/issues/issue348-kustomize-patch-name.txt

@@ -0,0 +1,64 @@
+# https://github.com/holos-run/holos/issues/348
+# when the optional kustomize patch name field is omitted
+exec holos init platform v1alpha5 --force
+# want a buildplan shown
+exec holos show buildplans
+cmp stdout buildplan.yaml
+# want this error to go away
+! stderr 'cannot convert non-concrete value string'
+-- platform/example.cue --
+package holos
+
+Platform: Components: example: {
+	name: "example"
+	path: "components/example"
+}
+-- components/example/example.cue --
+package holos
+
+import "encoding/yaml"
+
+holos: Component.BuildPlan
+
+Component: #Kustomize & {
+	KustomizeConfig: Kustomization: patches: [
+		{
+			target: kind: "CustomResourceDefinition"
+			patch: yaml.Marshal([{
+				op:    "add"
+				path:  "/metadata/annotations/example"
+				value: "example-value"
+			}])
+		},
+	]
+}
+-- buildplan.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: example
+spec:
+  artifacts:
+    - artifact: components/example/example.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/example/example.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              patches:
+                - patch: |
+                    - op: add
+                      path: /metadata/annotations/example
+                      value: example-value
+                  target:
+                    kind: CustomResourceDefinition
+                    name: ""
+              resources:
+                - resources.gen.yaml

cmd/holos/tests/v1alpha5/issues/issue366-cue-build-tags.txt

@@ -0,0 +1,50 @@
+# https://github.com/holos-run/holos/issues/366
+# Build tags conditionally include CUE files.
+env HOME=$WORK
+
+exec holos init platform v1alpha5 --force
+exec holos show platform
+cmp stdout want/empty.yaml
+
+exec holos show platform -t foo
+cmp stdout want/foo.yaml
+
+-- platform/empty.cue --
+@if(foo)
+package holos
+
+Platform: Components: foo: _
+-- platform/metadata.cue --
+package holos
+
+Platform: Components: [NAME=string]: {
+  name: NAME
+  path: "components/empty"
+  labels: "app.holos.run/name": NAME
+  annotations: "app.holos.run/description": "\(NAME) empty test case"
+}
+-- components/empty/empty.cue --
+package holos
+
+Component: #Kubernetes & {}
+holos: Component.BuildPlan
+-- want/empty.yaml --
+apiVersion: v1alpha5
+kind: Platform
+metadata:
+  name: default
+spec:
+  components: []
+-- want/foo.yaml --
+apiVersion: v1alpha5
+kind: Platform
+metadata:
+  name: default
+spec:
+  components:
+    - annotations:
+        app.holos.run/description: foo empty test case
+      labels:
+        app.holos.run/name: foo
+      name: foo
+      path: components/empty

cmd/holos/tests/v1alpha5/schemas/capabilities.txt

@@ -0,0 +1,146 @@
+# https://github.com/holos-run/holos/issues/330
+exec holos init platform v1alpha5 --force
+# Make sure the helm chart works with plain helm
+exec helm template ./components/capabilities/vendor/0.1.0/capabilities
+stdout 'name: has-foo-v1beta1'
+stdout 'kubeVersion: v'
+exec holos render platform ./platform
+# When no capabilities are specified
+cmp deploy/components/capabilities/capabilities.gen.yaml want/when-no-capabilities-specified.yaml
+# With APIVersions specified
+cmp deploy/components/specified/specified.gen.yaml want/with-capabilities-specified.yaml
+# With KubeVersion specified
+cmp deploy/components/kubeversion1/kubeversion1.gen.yaml want/with-kubeversion-specified.yaml
+# With both APIVersions and KubeVersion specified
+cmp deploy/components/kubeversion2/kubeversion2.gen.yaml want/with-both-specified.yaml
+-- want/with-both-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-kubeversion-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/when-no-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.31.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.31.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- platform/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+Platform: Components: capabilities: {
+        name: "capabilities"
+        path: "components/capabilities"
+}
+Platform: Components: specified: {
+        name: "specified"
+        path: "components/capabilities"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+Platform: Components: kubeversion1: {
+        name: "kubeversion1"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+}
+Platform: Components: kubeversion2: {
+        name: "kubeversion2"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+-- components/capabilities/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+        Name: string @tag(holos_component_name, type=string)
+        Chart: name: "capabilities"
+        Chart: version: "0.1.0"
+        _APIVersions: string | *"[]" @tag(apiVersions, type=string)
+        APIVersions: json.Unmarshal(_APIVersions)
+        KubeVersion: string | *"v1.31.0" @tag(kubeVersion, type=string)
+}
+-- components/capabilities/vendor/0.1.0/capabilities/Chart.yaml --
+apiVersion: v2
+name: capabilities
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+-- components/capabilities/vendor/0.1.0/capabilities/templates/service.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Capabilities.APIVersions.Has "foo/v1" }}
+  name: has-foo-v1
+{{- else }}
+  name: has-foo-v1beta1
+{{- end }}
+  annotations:
+    kubeVersion: {{ .Capabilities.KubeVersion }}
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+-- want/helm-template.yaml --
+---
+# Source: capabilities/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: has-foo-v1beta1
+  annotations:
+    kubeVersion: v1.31.0
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http

cmd/holos/tests/v1alpha5/schemas/kubernetes.txt

@@ -0,0 +1,45 @@
+# author.#Kubernetes
+
+# Start in an empty directory.
+cd $WORK
+
+# Generate the directory structure we're going to work in.
+exec holos init platform v1alpha5 --force
+
+# Platforms are empty by default.
+exec holos render platform
+stderr -count=1 '^rendered platform'
+
+# When author.#Kubernetes is empty
+exec holos cue export --expression holos --out=yaml ./components/empty
+cmp stdout want.txt
+
+-- components/empty/empty.cue --
+package holos
+
+Kubernetes: #Kubernetes & {}
+holos: Kubernetes.BuildPlan
+-- want.txt --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: no-name
+spec:
+  artifacts:
+    - artifact: components/no-name/no-name.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+          resources: {}
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/no-name/no-name.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+      validators: []

cmd/holos/tests/v1alpha5/schemas/validators.txt

@@ -0,0 +1,37 @@
+# https://github.com/holos-run/holos/issues/357
+exec holos init platform v1alpha5 --force
+! exec holos render platform
+stderr 'secret.kind: conflicting values "Forbidden. Use an ExternalSecret instead." and "Secret"'
+
+-- validators.cue --
+package holos
+
+import "github.com/holos-run/holos/api/author/v1alpha5:author"
+
+#ComponentConfig: author.#ComponentConfig & {
+	Validators: cue: {
+		kind: "Command"
+		command: args: ["holos", "cue", "vet", "./policy", "--path", "strings.ToLower(kind)"]
+	}
+}
+-- policy/validations.cue --
+package validations
+
+secret: kind: "Forbidden. Use an ExternalSecret instead."
+-- platform/example.cue --
+package holos
+
+Platform: Components: example: {
+	name: "example"
+	path: "components/example"
+}
+-- components/example/secret.cue --
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Kubernetes & {
+	Resources: Secret: test: {
+		metadata: name: "test"
+	}
+}

doc/md.archive/technical-overview.mdx

@@ -23,7 +23,7 @@ improves cross team collaboration through well defined, typed structures at the
 integration layer.  These definitions provide golden paths for other teams to
 easily integrate their own services into the platform.
 
-<!-- truncate -->
+{/* truncate */}
 
 ## The Problem
 

doc/md/api.md

@@ -1,5 +0,0 @@
-import DocCardList from '@theme/DocCardList';
-
-# API Reference
-
-<DocCardList />

doc/md/api.mdx

@@ -0,0 +1,10 @@
+---
+slug: api
+description: Schema Reference
+---
+
+import DocCardList from '@theme/DocCardList';
+
+# Schema Reference
+
+<DocCardList />

doc/md/api/author.md

@@ -1,3 +1,189 @@
-# Author Schema
+---
+title: Author Schemas
+description: Standardized schemas for component authors.
+sidebar_position: 200
+---
+<!-- Code generated by gomarkdoc. DO NOT EDIT -->
 
-v1alpha5
+
+```go
+import "github.com/holos-run/holos/api/author/v1alpha5"
+```
+
+Package author contains a standard set of schemas for component authors to generate common [core](<https://holos.run/docs/api/core/>) BuildPlans.
+
+Holos values stability, flexibility, and composition. This package intentionally defines only the minimal necessary set of structures. Component authors are encouraged to define their own structures building on our example [topics](<https://holos.run/docs/topics/>).
+
+The Holos Maintainers may add definitions to this package if the community identifies nearly all users must define the exact same structure. Otherwise, definitions should be added as a customizable example in [topics](<https://holos.run/docs/topics/>).
+
+For example, structures representing a cluster and environment almost always need to be defined. Their definition varies from one organization to the next. Therefore, customizable definitions for a cluster and environment are best maintained in [topics](<https://holos.run/docs/topics/>), not standardized in this package.
+
+## Index
+
+- [type ComponentConfig](<#ComponentConfig>)
+- [type Helm](<#Helm>)
+- [type Kubernetes](<#Kubernetes>)
+- [type Kustomize](<#Kustomize>)
+- [type KustomizeConfig](<#KustomizeConfig>)
+- [type NameLabel](<#NameLabel>)
+- [type Platform](<#Platform>)
+
+
+<a name="ComponentConfig"></a>
+## type ComponentConfig {#ComponentConfig}
+
+ComponentConfig represents the configuration common to all kinds of components for use with the holos render component command. All component kinds may be transformed with [kustomize](<https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/>) configured with the [KustomizeConfig](<#KustomizeConfig>) field.
+
+- [Helm](<#Helm>) charts.
+- [Kubernetes](<#Kubernetes>) resources generated from CUE.
+- [Kustomize](<#Kustomize>) bases.
+
+```go
+type ComponentConfig struct {
+    // Name represents the BuildPlan metadata.name field.  Used to construct the
+    // fully rendered manifest file path.
+    Name string
+    // Labels represent the BuildPlan metadata.labels field.
+    Labels map[string]string
+    // Annotations represent the BuildPlan metadata.annotations field.
+    Annotations map[string]string
+
+    // Path represents the path to the component producing the BuildPlan.
+    Path string
+    // Parameters are useful to reuse a component with various parameters.
+    // Injected as CUE @tag variables.  Parameters with a "holos_" prefix are
+    // reserved for use by the Holos Authors.
+    Parameters map[string]string
+    // OutputBaseDir represents the output base directory used when assembling
+    // artifacts.  Useful to organize components by clusters or other parameters.
+    // For example, holos writes resource manifests to
+    // {WriteTo}/{OutputBaseDir}/components/{Name}/{Name}.gen.yaml
+    OutputBaseDir string `cue:"string | *\"\""`
+
+    // Resources represents kubernetes resources mixed into the rendered manifest.
+    Resources core.Resources
+    // KustomizeConfig represents the kustomize configuration.
+    KustomizeConfig KustomizeConfig
+    // Validators represent checks that must pass for output to be written.
+    Validators map[NameLabel]core.Validator
+    // Artifacts represents additional artifacts to mix in.  Useful for adding
+    // GitOps resources.  Each Artifact is unified without modification into the
+    // BuildPlan.
+    Artifacts map[NameLabel]core.Artifact
+}
+```
+
+<a name="Helm"></a>
+## type Helm {#Helm}
+
+Helm assembles a BuildPlan rendering a helm chart. Useful to mix in additional resources from CUE and transform the helm output with kustomize.
+
+```go
+type Helm struct {
+    ComponentConfig `json:",inline"`
+
+    // Chart represents a Helm chart.
+    Chart core.Chart
+    // Values represents data to marshal into a values.yaml for helm.
+    Values core.Values
+    // ValueFiles represents value files for migration from helm value
+    // hierarchies.  Use Values instead.
+    ValueFiles []core.ValueFile `json:",omitempty"`
+    // EnableHooks enables helm hooks when executing the `helm template` command.
+    EnableHooks bool `cue:"true | *false"`
+    // Namespace sets the helm chart namespace flag if provided.
+    Namespace string `json:",omitempty"`
+    // APIVersions represents the helm template --api-versions flag
+    APIVersions []string `json:",omitempty"`
+    // KubeVersion represents the helm template --kube-version flag
+    KubeVersion string `json:",omitempty"`
+
+    // BuildPlan represents the derived BuildPlan produced for the holos render
+    // component command.
+    BuildPlan core.BuildPlan
+}
+```
+
+<a name="Kubernetes"></a>
+## type Kubernetes {#Kubernetes}
+
+Kubernetes assembles a BuildPlan containing inline resources exported from CUE.
+
+```go
+type Kubernetes struct {
+    ComponentConfig `json:",inline"`
+
+    // BuildPlan represents the derived BuildPlan produced for the holos render
+    // component command.
+    BuildPlan core.BuildPlan
+}
+```
+
+<a name="Kustomize"></a>
+## type Kustomize {#Kustomize}
+
+Kustomize assembles a BuildPlan rendering manifests from a [kustomize](<https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/>) kustomization.
+
+```go
+type Kustomize struct {
+    ComponentConfig `json:",inline"`
+
+    // BuildPlan represents the derived BuildPlan produced for the holos render
+    // component command.
+    BuildPlan core.BuildPlan
+}
+```
+
+<a name="KustomizeConfig"></a>
+## type KustomizeConfig {#KustomizeConfig}
+
+KustomizeConfig represents the configuration for [kustomize](<https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/>) post processing. Use the Files field to mix in plain manifest files located in the component directory. Use the Resources field to mix in manifests from network urls.
+
+```go
+type KustomizeConfig struct {
+    // Kustomization represents the kustomization used to transform resources.
+    // Note the resources field is internally managed from the Files and Resources fields.
+    Kustomization map[string]any `json:",omitempty"`
+    // Files represents files to copy from the component directory for kustomization.
+    Files map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+    // Resources represents additional entries to included in the resources list.
+    Resources map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+    // CommonLabels represents common labels added without including selectors.
+    CommonLabels map[string]string
+}
+```
+
+<a name="NameLabel"></a>
+## type NameLabel {#NameLabel}
+
+NameLabel represents the common use case of converting a struct to a list where the name field of each value unifies with the field name of the outer struct.
+
+For example:
+
+```
+S: [NameLabel=string]: name: NameLabel
+S: jeff: _
+S: gary: _
+S: nate: _
+L: [for x in S {x}]
+// L is [{name: "jeff"}, {name: "gary"}, {name: "nate"}]
+```
+
+```go
+type NameLabel string
+```
+
+<a name="Platform"></a>
+## type Platform {#Platform}
+
+Platform assembles a core Platform in the Resource field for the holos render platform command. Use the Components field to register components with the platform.
+
+```go
+type Platform struct {
+    Name       string
+    Components map[NameLabel]core.Component
+    Resource   core.Platform
+}
+```
+
+Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)

doc/md/api/core.md

@@ -1,3 +1,568 @@
-# Core Schema
+---
+title: Core Schemas
+description: BuildPlan defines the holos rendering pipeline.
+sidebar_position: 100
+---
+<!-- Code generated by gomarkdoc. DO NOT EDIT -->
 
-v1alpha5
+
+```go
+import "github.com/holos-run/holos/api/core/v1alpha5"
+```
+
+Package core contains schemas for a [Platform](<#Platform>) and [BuildPlan](<#BuildPlan>). Holos takes a [Platform](<#Platform>) as input, then iterates over each [Component](<#Component>) to produce a [BuildPlan](<#BuildPlan>). Holos processes the [BuildPlan](<#BuildPlan>) to produce fully rendered manifests, each an [Artifact](<#Artifact>).
+
+## Index
+
+- [type Artifact](<#Artifact>)
+- [type Auth](<#Auth>)
+- [type AuthSource](<#AuthSource>)
+- [type BuildPlan](<#BuildPlan>)
+- [type BuildPlanSpec](<#BuildPlanSpec>)
+- [type Chart](<#Chart>)
+- [type Command](<#Command>)
+- [type Component](<#Component>)
+- [type ExtractYAML](<#ExtractYAML>)
+- [type File](<#File>)
+- [type FileContent](<#FileContent>)
+- [type FileContentMap](<#FileContentMap>)
+- [type FilePath](<#FilePath>)
+- [type Generator](<#Generator>)
+- [type Helm](<#Helm>)
+- [type Instance](<#Instance>)
+- [type InternalLabel](<#InternalLabel>)
+- [type Join](<#Join>)
+- [type Kind](<#Kind>)
+- [type Kustomization](<#Kustomization>)
+- [type Kustomize](<#Kustomize>)
+- [type Metadata](<#Metadata>)
+- [type OutputRef](<#OutputRef>)
+- [type Platform](<#Platform>)
+- [type PlatformSpec](<#PlatformSpec>)
+- [type Repository](<#Repository>)
+- [type Resource](<#Resource>)
+- [type Resources](<#Resources>)
+- [type TaskData](<#TaskData>)
+- [type Transformer](<#Transformer>)
+- [type Validator](<#Validator>)
+- [type ValueFile](<#ValueFile>)
+- [type Values](<#Values>)
+
+
+<a name="Artifact"></a>
+## type Artifact {#Artifact}
+
+Artifact represents one fully rendered manifest produced by a [Transformer](<#Transformer>) sequence, which transforms a [Generator](<#Generator>) collection. A [BuildPlan](<#BuildPlan>) produces an [Artifact](<#Artifact>) collection.
+
+Each Artifact produces one manifest file artifact. Generator Output values are used as Transformer Inputs. The Output field of the final [Transformer](<#Transformer>) should have the same value as the Artifact field.
+
+When there is more than one [Generator](<#Generator>) there must be at least one [Transformer](<#Transformer>) to combine outputs into one Artifact. If there is a single Generator, it may directly produce the Artifact output.
+
+An Artifact is processed concurrently with other artifacts in the same [BuildPlan](<#BuildPlan>). An Artifact should not use an output from another Artifact as an input. Each [Generator](<#Generator>) may also run concurrently. Each [Transformer](<#Transformer>) is executed sequentially starting after all generators have completed.
+
+Output fields are write\-once. It is an error for multiple Generators or Transformers to produce the same Output value within the context of a [BuildPlan](<#BuildPlan>).
+
+```go
+type Artifact struct {
+    Artifact     FilePath      `json:"artifact,omitempty" yaml:"artifact,omitempty"`
+    Generators   []Generator   `json:"generators,omitempty" yaml:"generators,omitempty"`
+    Transformers []Transformer `json:"transformers,omitempty" yaml:"transformers,omitempty"`
+    Validators   []Validator   `json:"validators,omitempty" yaml:"validators,omitempty"`
+    Skip         bool          `json:"skip,omitempty" yaml:"skip,omitempty"`
+}
+```
+
+<a name="Auth"></a>
+## type Auth {#Auth}
+
+Auth represents environment variable names containing auth credentials.
+
+```go
+type Auth struct {
+    Username AuthSource `json:"username" yaml:"username"`
+    Password AuthSource `json:"password" yaml:"password"`
+}
+```
+
+<a name="AuthSource"></a>
+## type AuthSource {#AuthSource}
+
+AuthSource represents a source for the value of an [Auth](<#Auth>) field.
+
+```go
+type AuthSource struct {
+    Value   string `json:"value,omitempty" yaml:"value,omitempty"`
+    FromEnv string `json:"fromEnv,omitempty" yaml:"fromEnv,omitempty"`
+}
+```
+
+<a name="BuildPlan"></a>
+## type BuildPlan {#BuildPlan}
+
+BuildPlan represents an implementation of the [rendered manifest pattern](<https://akuity.io/blog/the-rendered-manifests-pattern>). Holos processes a BuildPlan to produce one or more [Artifact](<#Artifact>) output files. BuildPlan artifact files usually contain Kubernetes manifests, but they may have any content.
+
+A BuildPlan usually produces two artifacts. One artifact contains a manifest of resources. A second artifact contains a GitOps resource to manage the first, usually an ArgoCD Application resource.
+
+Holos uses CUE to construct a BuildPlan. A future enhancement will support user defined executables providing a BuildPlan to Holos in the style of an [external credential provider](<https://github.com/kubernetes/enhancements/blob/313ad8b59c80819659e1fbf0f165230f633f2b22/keps/sig-auth/541-external-credential-providers/README.md>).
+
+```go
+type BuildPlan struct {
+    // Kind represents the type of the resource.
+    Kind string `json:"kind" yaml:"kind" cue:"\"BuildPlan\""`
+    // APIVersion represents the versioned schema of the resource.
+    APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha5\""`
+    // Metadata represents data about the resource such as the Name.
+    Metadata Metadata `json:"metadata" yaml:"metadata"`
+    // Spec specifies the desired state of the resource.
+    Spec BuildPlanSpec `json:"spec" yaml:"spec"`
+}
+```
+
+<a name="BuildPlanSpec"></a>
+## type BuildPlanSpec {#BuildPlanSpec}
+
+BuildPlanSpec represents the specification of the [BuildPlan](<#BuildPlan>).
+
+```go
+type BuildPlanSpec struct {
+    // Artifacts represents the artifacts for holos to build.
+    Artifacts []Artifact `json:"artifacts" yaml:"artifacts"`
+    // Disabled causes the holos cli to disregard the build plan.
+    Disabled bool `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+}
+```
+
+<a name="Chart"></a>
+## type Chart {#Chart}
+
+Chart represents a [Helm](<#Helm>) Chart.
+
+```go
+type Chart struct {
+    // Name represents the chart name.
+    Name string `json:"name" yaml:"name"`
+    // Version represents the chart version.
+    Version string `json:"version" yaml:"version"`
+    // Release represents the chart release when executing helm template.
+    Release string `json:"release" yaml:"release"`
+    // Repository represents the repository to fetch the chart from.
+    Repository Repository `json:"repository,omitempty" yaml:"repository,omitempty"`
+}
+```
+
+<a name="Command"></a>
+## type Command {#Command}
+
+Command represents a generic command for use as a Generator, Transformer, or Validator. Holos uses the Go template engine to render the Args field using data provided by the TaskData field. For example to fill in the fully qualified temporary directory used to provide inputs to the task.
+
+```go
+type Command struct {
+    // DisplayName represents a friendly display name for the command.
+    DisplayName string `json:"displayName,omitempty" yaml:"displayName,omitempty"`
+    // Args represents the complete command argument vector as a go template.
+    Args []string `json:"args,omitempty" yaml:"args,omitempty"`
+    // OutputRef references the source of the output data.
+    OutputRef OutputRef `json:"outputRef,omitempty" yaml:"outputRef,omitempty"`
+    // TaskData populated by Holos for template rendering.
+    TaskData TaskData `json:"taskData,omitempty" yaml:"taskData,omitempty"`
+}
+```
+
+<a name="Component"></a>
+## type Component {#Component}
+
+Component represents the complete context necessary to produce a [BuildPlan](<#BuildPlan>) from a path containing parameterized CUE configuration.
+
+```go
+type Component struct {
+    // Name represents the name of the component. Injected as the tag variable
+    // "holos_component_name".
+    Name string `json:"name" yaml:"name"`
+    // Path represents the path of the component relative to the platform root.
+    // Injected as the tag variable "holos_component_path".
+    Path string `json:"path" yaml:"path"`
+    // Instances represents additional cue instance paths to unify with Path.
+    // Useful to unify data files into a component BuildPlan.  Added in holos
+    // 0.101.7.
+    Instances []Instance `json:"instances,omitempty" yaml:"instances,omitempty"`
+    // WriteTo represents the holos render component --write-to flag.  If empty,
+    // the default value for the --write-to flag is used.
+    WriteTo string `json:"writeTo,omitempty" yaml:"writeTo,omitempty"`
+    // Parameters represent user defined input variables to produce various
+    // [BuildPlan] resources from one component path.  Injected as CUE @tag
+    // variables.  Parameters with a "holos_" prefix are reserved for use by the
+    // Holos Authors.  Multiple environments are a prime example of an input
+    // parameter that should always be user defined, never defined by Holos.
+    Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters,omitempty"`
+    // Labels represent selector labels for the component.  Copied to the
+    // resulting BuildPlan.
+    Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+    // Annotations represents arbitrary non-identifying metadata.  Use the
+    // `app.holos.run/description` to customize the log message of each BuildPlan.
+    Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+```
+
+<a name="ExtractYAML"></a>
+## type ExtractYAML {#ExtractYAML}
+
+ExtractYAML represents a cue data instance encoded as yaml or json. If Path refers to a directory all files in the directory are extracted non\-recursively. Otherwise, path must refer to a file.
+
+```go
+type ExtractYAML struct {
+    Path string `json:"path" yaml:"path"`
+}
+```
+
+<a name="File"></a>
+## type File {#File}
+
+File represents a simple single file copy [Generator](<#Generator>). Useful with a [Kustomize](<#Kustomize>) [Transformer](<#Transformer>) to process plain manifest files stored in the component directory. Multiple File generators may be used to transform multiple resources.
+
+```go
+type File struct {
+    // Source represents a file sub-path relative to the component path.
+    Source FilePath `json:"source" yaml:"source"`
+}
+```
+
+<a name="FileContent"></a>
+## type FileContent {#FileContent}
+
+FileContent represents file contents.
+
+```go
+type FileContent string
+```
+
+<a name="FileContentMap"></a>
+## type FileContentMap {#FileContentMap}
+
+FileContentMap represents a mapping of file paths to file contents.
+
+```go
+type FileContentMap map[FilePath]FileContent
+```
+
+<a name="FilePath"></a>
+## type FilePath {#FilePath}
+
+FilePath represents a file path.
+
+```go
+type FilePath string
+```
+
+<a name="Generator"></a>
+## type Generator {#Generator}
+
+Generator generates Kubernetes resources. [Helm](<#Helm>) and [Resources](<#Resources>) are the most commonly used, often paired together to mix\-in resources to an unmodified Helm chart. A simple [File](<#File>) generator is also available for use with the [Kustomize](<#Kustomize>) transformer.
+
+Each Generator in an [Artifact](<#Artifact>) must have a distinct Output value for a [Transformer](<#Transformer>) to reference.
+
+1. [Resources](<#Resources>) \- Generates resources from CUE code.
+2. [Helm](<#Helm>) \- Generates rendered yaml from a [Chart](<#Chart>).
+3. [File](<#File>) \- Generates data by reading a file from the component directory.
+
+```go
+type Generator struct {
+    // Kind represents the kind of generator.  Must be Resources, Helm, or File.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Resources\" | \"Helm\" | \"File\""`
+    // Output represents a file for a Transformer or Artifact to consume.
+    Output FilePath `json:"output" yaml:"output"`
+    // Resources generator. Ignored unless kind is Resources.  Resources are
+    // stored as a two level struct.  The top level key is the Kind of resource,
+    // e.g. Namespace or Deployment.  The second level key is an arbitrary
+    // InternalLabel.  The third level is a map[string]any representing the
+    // Resource.
+    Resources Resources `json:"resources,omitempty" yaml:"resources,omitempty"`
+    // Helm generator. Ignored unless kind is Helm.
+    Helm Helm `json:"helm,omitempty" yaml:"helm,omitempty"`
+    // File generator. Ignored unless kind is File.
+    File File `json:"file,omitempty" yaml:"file,omitempty"`
+}
+```
+
+<a name="Helm"></a>
+## type Helm {#Helm}
+
+Helm represents a [Chart](<#Chart>) manifest [Generator](<#Generator>).
+
+```go
+type Helm struct {
+    // Chart represents a helm chart to manage.
+    Chart Chart `json:"chart" yaml:"chart"`
+    // Values represents values for holos to marshal into values.yaml when
+    // rendering the chart.  Values follow ValueFiles when both are provided.
+    Values Values `json:"values" yaml:"values"`
+    // ValueFiles represents hierarchial value files passed in order to the helm
+    // template -f flag.  Useful for migration from an ApplicationSet.  Use Values
+    // instead.  ValueFiles precede Values when both are provided.
+    ValueFiles []ValueFile `json:"valueFiles,omitempty" yaml:"valueFiles,omitempty"`
+    // EnableHooks enables helm hooks when executing the `helm template` command.
+    EnableHooks bool `json:"enableHooks,omitempty" yaml:"enableHooks,omitempty"`
+    // Namespace represents the helm namespace flag
+    Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+    // APIVersions represents the helm template --api-versions flag
+    APIVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"`
+    // KubeVersion represents the helm template --kube-version flag
+    KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
+}
+```
+
+<a name="Instance"></a>
+## type Instance {#Instance}
+
+Instance represents a data instance to unify with the configuration.
+
+Useful to unify json and yaml files with cue configuration files for integration with other tools. For example, executing holos render platform from a pull request workflow after [Kargo](<https://docs.kargo.io/>) executes the [yaml update](<https://docs.kargo.io/references/promotion-steps#yaml-update>) and [git wait for pr](<https://docs.kargo.io/references/promotion-steps#git-wait-for-pr>) promotion steps.
+
+```go
+type Instance struct {
+    // Kind is a discriminator.
+    Kind string `json:"kind" yaml:"kind" cue:"\"ExtractYAML\""`
+    // Ignored unless kind is ExtractYAML.
+    ExtractYAML ExtractYAML `json:"extractYAML,omitempty" yaml:"extractYAML,omitempty"`
+}
+```
+
+<a name="InternalLabel"></a>
+## type InternalLabel {#InternalLabel}
+
+InternalLabel is an arbitrary unique identifier internal to holos itself. The holos cli is expected to never write a InternalLabel value to rendered output files, therefore use a InternalLabel when the identifier must be unique and internal. Defined as a type for clarity and type checking.
+
+```go
+type InternalLabel string
+```
+
+<a name="Join"></a>
+## type Join {#Join}
+
+Join represents a [Transformer](<#Transformer>) using [bytes.Join](<https://pkg.go.dev/bytes#Join>) to concatenate multiple inputs into one output with a separator. Useful for combining output from [Helm](<#Helm>) and [Resources](<#Resources>) together into one [Artifact](<#Artifact>) when [Kustomize](<#Kustomize>) is otherwise unnecessary.
+
+```go
+type Join struct {
+    Separator string `json:"separator,omitempty" yaml:"separator,omitempty"`
+}
+```
+
+<a name="Kind"></a>
+## type Kind {#Kind}
+
+Kind is a discriminator. Defined as a type for clarity and type checking.
+
+```go
+type Kind string
+```
+
+<a name="Kustomization"></a>
+## type Kustomization {#Kustomization}
+
+Kustomization represents a kustomization.yaml file for use with the [Kustomize](<#Kustomize>) [Transformer](<#Transformer>). Untyped to avoid tightly coupling holos to kubectl versions which was a problem for the Flux maintainers. Type checking is expected to happen in CUE against the kubectl version the user prefers.
+
+```go
+type Kustomization map[string]any
+```
+
+<a name="Kustomize"></a>
+## type Kustomize {#Kustomize}
+
+Kustomize represents a kustomization [Transformer](<#Transformer>).
+
+```go
+type Kustomize struct {
+    // Kustomization represents the decoded kustomization.yaml file
+    Kustomization Kustomization `json:"kustomization" yaml:"kustomization"`
+    // Files holds file contents for kustomize, e.g. patch files.
+    Files FileContentMap `json:"files,omitempty" yaml:"files,omitempty"`
+}
+```
+
+<a name="Metadata"></a>
+## type Metadata {#Metadata}
+
+Metadata represents data about the resource such as the Name.
+
+```go
+type Metadata struct {
+    // Name represents the resource name.
+    Name string `json:"name" yaml:"name"`
+    // Labels represents a resource selector.
+    Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+    // Annotations represents arbitrary non-identifying metadata.  For example
+    // holos uses the `app.holos.run/description` annotation to log resources in a
+    // user customized way.
+    Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+```
+
+<a name="OutputRef"></a>
+## type OutputRef {#OutputRef}
+
+OutputRef represents a reference to the data source used as the output of a task. For example, a Generator output may be sourced from standard output or a file path.
+
+```go
+type OutputRef struct {
+    // Kind represents the kind of output produced.
+    Kind string `json:"kind,omitempty" yaml:"kind,omitempty" cue:"string | *\"Pipe\" | \"Path\""`
+    // Pipe represents stdout or stderr.  Ignored unless kind is Pipe.
+    Pipe string `json:"pipe,omitempty" yaml:"pipe,omitempty" cue:"string | *\"stdout\" | \"stderr\""`
+    // Path represents an artifact path relative to the task temp directory.
+    // Ignored unless kind is Path.
+    Path string `json:"path,omitempty" yaml:"path,omitempty"`
+}
+```
+
+<a name="Platform"></a>
+## type Platform {#Platform}
+
+Platform represents a platform to manage. A Platform specifies a [Component](<#Component>) collection and integrates the components together into a holistic platform. Holos iterates over the [Component](<#Component>) collection producing a [BuildPlan](<#BuildPlan>) for each, which holos then executes to render manifests.
+
+Inspect a Platform resource holos would process by executing:
+
+```
+cue export --out yaml ./platform
+```
+
+```go
+type Platform struct {
+    // Kind is a string value representing the resource.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Platform\""`
+    // APIVersion represents the versioned schema of this resource.
+    APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha5\""`
+    // Metadata represents data about the resource such as the Name.
+    Metadata Metadata `json:"metadata" yaml:"metadata"`
+
+    // Spec represents the platform specification.
+    Spec PlatformSpec `json:"spec" yaml:"spec"`
+}
+```
+
+<a name="PlatformSpec"></a>
+## type PlatformSpec {#PlatformSpec}
+
+PlatformSpec represents the platform specification.
+
+```go
+type PlatformSpec struct {
+    // Components represents a collection of holos components to manage.
+    Components []Component `json:"components" yaml:"components"`
+}
+```
+
+<a name="Repository"></a>
+## type Repository {#Repository}
+
+Repository represents a [Helm](<#Helm>) [Chart](<#Chart>) repository.
+
+The Auth field is useful to configure http basic authentication to the Helm repository. Holos gets the username and password from the environment variables represented by the Auth field.
+
+```go
+type Repository struct {
+    Name string `json:"name" yaml:"name"`
+    URL  string `json:"url" yaml:"url"`
+    Auth Auth   `json:"auth,omitempty" yaml:"auth,omitempty"`
+}
+```
+
+<a name="Resource"></a>
+## type Resource {#Resource}
+
+Resource represents one kubernetes api object.
+
+```go
+type Resource map[string]any
+```
+
+<a name="Resources"></a>
+## type Resources {#Resources}
+
+Resources represents Kubernetes resources. Most commonly used to mix resources into the [BuildPlan](<#BuildPlan>) generated from CUE, but may be generated from elsewhere.
+
+```go
+type Resources map[Kind]map[InternalLabel]Resource
+```
+
+<a name="TaskData"></a>
+## type TaskData {#TaskData}
+
+TaskData represents data values associated with a pipeline task necessary to execute the task. For example, the randomly generated temporary directory used to read and write artifact files when executing user defined task commands. Values of this struct are intended for the Go template engine.
+
+Holos populates this struct as needed. Holos may treat user provided values as an error condition.
+
+```go
+type TaskData struct {
+    // TempDir represents the temp directory holos manages for task artifacts.
+    TempDir string `json:"tempDir,omitempty" yaml:"tempDir,omitempty"`
+}
+```
+
+<a name="Transformer"></a>
+## type Transformer {#Transformer}
+
+Transformer combines multiple inputs from prior [Generator](<#Generator>) or [Transformer](<#Transformer>) outputs into one output. [Kustomize](<#Kustomize>) is the most commonly used transformer. A simple [Join](<#Join>) is also supported for use with plain manifest files.
+
+1. [Kustomize](<#Kustomize>) \- Patch and transform the output from prior generators or transformers. See [Introduction to Kustomize](<https://kubectl.docs.kubernetes.io/guides/config_management/introduction/>).
+2. [Join](<#Join>) \- Concatenate multiple prior outputs into one output.
+3. \[Slice\] \- Slice an artifact into multiple artifacts using [kubectl\\\-slice](<https://github.com/patrickdappollonio/kubectl-slice>).
+
+```go
+type Transformer struct {
+    // Kind represents the kind of transformer. Must be Kustomize, or Join.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Kustomize\" | \"Join\" | \"Slice\""`
+    // Inputs represents the files to transform. The Output of prior Generators
+    // and Transformers.
+    Inputs []FilePath `json:"inputs" yaml:"inputs"`
+    // Output represents a file for a subsequent Transformer or Artifact to
+    // consume.
+    Output FilePath `json:"output" yaml:"output"`
+    // Kustomize transformer. Ignored unless kind is Kustomize.
+    Kustomize Kustomize `json:"kustomize,omitempty" yaml:"kustomize,omitempty"`
+    // Join transformer. Ignored unless kind is Join.
+    Join Join `json:"join,omitempty" yaml:"join,omitempty"`
+}
+```
+
+<a name="Validator"></a>
+## type Validator {#Validator}
+
+Validator validates files. Useful to validate an [Artifact](<#Artifact>) prior to writing it out to the final destination. Holos may execute validators concurrently. See the [validators](<https://holos.run/docs/v1alpha5/tutorial/validators/>) tutorial for an end to end example.
+
+```go
+type Validator struct {
+    // Kind represents the kind of transformer. Must be Kustomize, or Join.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Command\""`
+    // Inputs represents the files to validate.  Usually the final Artifact.
+    Inputs []FilePath `json:"inputs" yaml:"inputs"`
+    // Command represents a validation command.  Ignored unless kind is Command.
+    Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+```
+
+<a name="ValueFile"></a>
+## type ValueFile {#ValueFile}
+
+ValueFile represents one Helm value file produced from CUE.
+
+```go
+type ValueFile struct {
+    // Name represents the file name, e.g. "region-values.yaml"
+    Name string `json:"name" yaml:"name"`
+    // Kind is a discriminator.
+    Kind string `json:"kind" yaml:"kind" cue:"\"Values\""`
+    // Values represents values for holos to marshal into the file name specified
+    // by Name when rendering the chart.
+    Values Values `json:"values,omitempty" yaml:"values,omitempty"`
+}
+```
+
+<a name="Values"></a>
+## type Values {#Values}
+
+Values represents [Helm](<#Helm>) Chart values generated from CUE.
+
+```go
+type Values map[string]any
+```
+
+Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)

doc/md/common/example-component-integrate.mdx

@@ -0,0 +1,16 @@
+Integrate the `podinfo` component into the platform.
+
+```bash
+cat <<EOF >platform/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+}
+```
+```bash
+EOF
+```

doc/md/common/example-component.mdx

@@ -0,0 +1,34 @@
+Create a directory for the example `podinfo` component we'll use to render
+platform manifests.
+
+```bash
+mkdir -p components/podinfo
+```
+
+Create the CUE configuration for the example `podinfo` component.
+
+```bash
+cat <<EOF >components/podinfo/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+	Values: ui: {
+		message: string | *"Hello World" @tag(message, type=string)
+	}
+}
+```
+```bash
+EOF
+```

doc/md/support.mdx

@@ -1,14 +1,17 @@
 ---
 description: Get Support for Holos
-slug: /support
-sidebar_position: 900
+slug: support
+sidebar_position: 2000
 ---
 
 # Support
 
 ## Community Support
 
-You can ask questions in our community forums in [GitHub Discussions](https://github.com/holos-run/holos/discussions), [Discord](https://discord.gg/JgDVbNpye7), or [Google Groups](https://groups.google.com/g/holos-discuss).
+You can ask questions in our community forums in [GitHub
+Discussions](https://github.com/holos-run/holos/discussions),
+[Discord](https://discord.gg/JgDVbNpye7), or [Google
+Groups](https://groups.google.com/g/holos-discuss).
 
 ## Commercial Support and Services
 

doc/md/topics/1-multiple-clusters.mdx

@@ -1 +0,0 @@
-# Multi Cluster

doc/md/topics/4-local-cluster.mdx

@@ -1,272 +0,0 @@
----
-description: Build a local Cluster to use with these guides.
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import Admonition from '@theme/Admonition';
-
-# Local Cluster
-
-In this guide we'll set up a local k3d cluster to apply and explore the
-configuration described in our other guides.  After completing this guide you'll
-have a standard Kubernetes API server with proper DNS and TLS certificates.
-You'll be able to easily reset the cluster to a known good state to iterate on
-your own Platform.
-
-## Reset the Cluster
-
-If you've already followed this guide, reset the cluster by running the
-following commands.  Skip this section if you're creating a cluster for the
-first time.
-
-First, delete the cluster.
-
-<Tabs groupId="k3d-cluster-delete">
-  <TabItem value="command" label="Command">
-```bash
-k3d cluster delete workload
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt showLineNumbers
-INFO[0000] Deleting cluster 'workload'
-INFO[0000] Deleting cluster network 'k3d-workload'
-INFO[0000] Deleting 1 attached volumes...
-INFO[0000] Removing cluster details from default kubeconfig...
-INFO[0000] Removing standalone kubeconfig file (if there is one)...
-INFO[0000] Successfully deleted cluster workload!
-```
-  </TabItem>
-</Tabs>
-
-Then create the cluster again.
-
-<Tabs groupId="k3d-cluster-create">
-  <TabItem value="command" label="Command">
-```bash
-k3d cluster create workload \
-  --registry-use k3d-registry.holos.localhost:5100 \
-  --port "443:443@loadbalancer" \
-  --k3s-arg "--disable=traefik@server:0"
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt showLineNumbers
-INFO[0000] portmapping '443:443' targets the loadbalancer: defaulting to [servers:*:proxy agents:*:proxy]
-INFO[0000] Prep: Network
-INFO[0000] Created network 'k3d-workload'
-INFO[0000] Created image volume k3d-workload-images
-INFO[0000] Starting new tools node...
-INFO[0000] Starting node 'k3d-workload-tools'
-INFO[0001] Creating node 'k3d-workload-server-0'
-INFO[0001] Creating LoadBalancer 'k3d-workload-serverlb'
-INFO[0001] Using the k3d-tools node to gather environment information
-INFO[0001] HostIP: using network gateway 172.17.0.1 address
-INFO[0001] Starting cluster 'workload'
-INFO[0001] Starting servers...
-INFO[0001] Starting node 'k3d-workload-server-0'
-INFO[0003] All agents already running.
-INFO[0003] Starting helpers...
-INFO[0003] Starting node 'k3d-workload-serverlb'
-INFO[0009] Injecting records for hostAliases (incl. host.k3d.internal) and for 3 network members into CoreDNS configmap...
-INFO[0012] Cluster 'workload' created successfully!
-INFO[0012] You can now use it like this:
-kubectl cluster-info
-```
-  </TabItem>
-</Tabs>
-
-Finally, add your trusted certificate authority.
-
-<Tabs groupId="apply-local-ca">
-  <TabItem value="command" label="Command">
-```bash
-kubectl apply --server-side=true -f "$(mkcert -CAROOT)/namespace.yaml"
-kubectl apply --server-side=true -n cert-manager -f "$(mkcert -CAROOT)/local-ca.yaml"
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt showLineNumbers
-namespace/cert-manager serverside-applied
-secret/local-ca serverside-applied
-```
-  </TabItem>
-</Tabs>
-
-You're back to the same state as the first time you completed this guide.
-
-## What you'll need {#requirements}
-
-You'll need the following tools installed to complete this guide.
-
-1. [holos](/docs/install) - to build the platform.
-2. [helm](https://helm.sh/docs/intro/install/) - to render Holos components that wrap upstream Helm charts.
-3. [k3d](https://k3d.io/#installation) - to provide a k8s api server.
-4. [OrbStack](https://docs.orbstack.dev/install) or [Docker](https://docs.docker.com/get-docker/) - to use k3d.
-5. [kubectl](https://kubernetes.io/docs/tasks/tools/) - to interact with the k8s api server.
-6. [mkcert](https://github.com/FiloSottile/mkcert?tab=readme-ov-file#installation) - to make trusted TLS certificates.
-7. [jq](https://jqlang.github.io/jq/download/) - to fiddle with JSON output.
-
-## Configure DNS {#configure-dns}
-
-Configure your machine to resolve `*.holos.localhost` to your loopback
-interface.  This is necessary for requests to reach the workload cluster.  Save
-this script to a file and execute it.
-
-```bash showLineNumbers
-#! /bin/bash
-#
-
-set -euo pipefail
-
-tmpdir="$(mktemp -d)"
-finish() {
-  [[ -d "$tmpdir" ]] && rm -rf "$tmpdir"
-}
-trap finish EXIT
-cd "$tmpdir"
-
-brew install dnsmasq
-
-cat <<EOF >"$(brew --prefix)/etc/dnsmasq.d/holos.localhost.conf"
-# Refer to https://holos.run/docs/tutorial/local/k3d/
-address=/holos.localhost/127.0.0.1
-EOF
-
-if [[ -r /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist ]]; then
-  echo "dnsmasq already configured"
-else
-  sudo cp "$(brew list dnsmasq | grep 'dnsmasq.plist$')" \
-    /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
-  sudo launchctl unload /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
-  sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
-  dscacheutil -flushcache
-  echo "dnsmasq configured"
-fi
-
-sudo mkdir -p /etc/resolver
-sudo tee /etc/resolver/holos.localhost <<EOF
-domain holos.localhost
-nameserver 127.0.0.1
-EOF
-sudo killall -HUP mDNSResponder
-
-echo "all done."
-```
-
-## Create the Cluster {#create-the-cluster}
-
-The Workload Cluster is where your applications and services will be deployed.
-In production this is usually an EKS, GKE, or AKS cluster.
-
-:::tip
-
-Holos supports all compliant Kubernetes clusters. Holos was developed and tested
-on GKE, EKS, Talos, k3s, and Kubeadm clusters.
-
-:::
-
-Create a local registry to speed up image builds and pulls.
-
-```bash
-k3d registry create registry.holos.localhost --port 5100
-```
-
-Create the workload cluster configured to use the local registry.
-
-```bash
-k3d cluster create workload \
-  --registry-use k3d-registry.holos.localhost:5100 \
-  --port "443:443@loadbalancer" \
-  --k3s-arg "--disable=traefik@server:0"
-```
-
-Traefik is disabled because Istio provides the same functionality.
-
-## Setup Root CA {#setup-root-ca}
-
-Platforms most often use cert-manager to issue tls certificates.  The browser
-and tools we're using need to trust these certificates to work together.
-Generate a local, trusted root certificate authority with the following script.
-
-Admin access is necessary for `mkcert` to manage the certificate into your trust
-stores.
-
-```bash
-sudo -v
-```
-
-Manage the local CA and copy the CA key to the workload cluster so that cert
-manager can manage trusted certificates.
-
-Save this script to a file and execute it to configure a trusted certificate
-authority.
-
-```bash showLineNumbers
-#! /bin/bash
-#
-
-set -euo pipefail
-
-mkcert --install
-
-tmpdir="$(mktemp -d)"
-finish() {
-  [[ -d "$tmpdir" ]] && rm -rf "$tmpdir"
-}
-trap finish EXIT
-cd "$tmpdir"
-
-# Create the local CA Secret with ca.crt, tls.crt, tls.key
-
-mkdir local-ca
-cd local-ca
-CAROOT="$(mkcert -CAROOT)"
-cp -p "${CAROOT}/rootCA.pem" ca.crt
-cp -p "${CAROOT}/rootCA.pem" tls.crt
-cp -p "${CAROOT}/rootCA-key.pem" tls.key
-kubectl create secret generic --from-file=.  --dry-run=client -o yaml local-ca > ../local-ca.yaml
-echo 'type: kubernetes.io/tls' >> ../local-ca.yaml
-
-cd ..
-
-cat <<EOF > namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    kubernetes.io/metadata.name: cert-manager
-  name: cert-manager
-spec:
-  finalizers:
-  - kubernetes
-EOF
-kubectl apply --server-side=true -f namespace.yaml
-kubectl apply -n cert-manager --server-side=true -f local-ca.yaml
-
-# Save the Secret to easily reset the cluster later.
-install -m 0644 namespace.yaml "${CAROOT}/namespace.yaml"
-install -m 0600 local-ca.yaml "${CAROOT}/local-ca.yaml"
-```
-
-:::warning
-
-Take care to run the local-ca script each time you create the workload cluster
-so that Certificates are issued correctly.
-
-:::
-
-## Clean Up {#clean-up}
-
-If you'd like to clean up the resources you created in this guide, remove them
-with:
-
-```bash
-k3d cluster delete workload
-```
-
-## Next Steps
-
-Now that you have a real cluster, continue your Holos journey by following the
-[Tutorial](../tutorial/1-overview.mdx) and setting up your own Platform.

doc/md/topics/architecture.mdx

@@ -0,0 +1,18 @@
+---
+description: Architecture diagrams.
+slug: architecture
+sidebar_position: 100
+---
+
+import RenderPlatformDiagram from '@site/src/diagrams/render-platform-sequence.mdx';
+import RenderComponentDiagram from '@site/src/diagrams/render-component-sequence.mdx';
+
+# Architecture
+
+## Platform Rendering Sequence
+
+<RenderPlatformDiagram />
+
+## Component Rendering Sequence
+
+<RenderComponentDiagram />

doc/md/topics/comparison.mdx

@@ -0,0 +1,57 @@
+---
+description: Holos compared to other tools
+sidebar_label: Comparison
+slug: comparison
+sidebar_position: 40
+---
+
+{/* cspell:ignore Prodan, rollouts */}
+
+# Holos compared to other tools
+
+## Timoni
+
+Holos and Timoni both aim to solve similar problems but approach them at
+different levels of the stack.
+
+Timoni focuses on managing applications by evaluating [CUE] stored in OCI
+containers. Its creator, Stephan Prodan, envisions a controller that applies the
+resulting manifests. In this process, Timoni defers to [Flux] for managing Helm
+charts within the cluster.
+
+In contrast, Holos implements the [Rendered Manifests Pattern] and takes a
+different approach, particularly in how it handles [Helm] charts. Like
+[ArgoCD], Holos renders Helm charts into manifests using the `helm template`
+command in its rendering pipeline. Holos differs from Timoni in several important
+ways:
+
+1. **Separation of Responsibilities:**  Holos stops short of applying
+rendered manifests to a cluster, leaving that task to existing tools like
+[ArgoCD], [Flux], or even basic `kubectl apply` commands.
+
+2. **Ecosystem Integration:**  By focusing solely on rendering Kubernetes
+manifests, Holos creates space for other tools to handle deployment and
+management. For instance, Holos integrates seamlessly with [Kargo] for
+progressive rollouts, as [Kargo] operates between Holos and the Kubernetes API.
+This approach ensures that you're not locked into any specific tool and can
+choose the best solution for each task.
+
+3. **Platform Integration:** Holos focuses on integrating multiple Components
+into a larger Platform. In Holos terminology, a Component refers to a wrapper
+for [Helm] charts, [Kustomize] bases, or raw YAML files, integrated into the
+rendering pipeline through [CUE].  A Platform represents the full combination of
+these components.
+
+4. **Explicit Rendering Pipeline:** Holos emphasizes flexibility in its
+rendering pipeline. The system allows any tool that generates Kubernetes
+manifests to be wrapped in a Generator, which can then feed into existing
+transformers like [Kustomize]. This explicit separation makes Holos highly
+adaptable for different workflows.
+
+[Kargo]: https://kargo.io/
+[Flux]: https://fluxcd.io
+[Helm]: https://helm.sh
+[ArgoCD]: https://argoproj.github.io/cd/
+[Kustomize]: https://kustomize.io/
+[CUE]: https://cuelang.org/
+[Rendered Manifests Pattern]: https://akuity.io/blog/the-rendered-manifests-pattern

doc/md/topics/gitops/argocd-application.mdx

@@ -0,0 +1,223 @@
+---
+slug: argocd-application
+title: ArgoCD Application
+description: Configuring an Application for each Component.
+sidebar_position: 110
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import CommonComponent from '../../common/example-component.mdx';
+import CommonComponentIntegrate from '../../common/example-component-integrate.mdx';
+
+# ArgoCD Application
+
+## Overview
+
+This topic covers how to mix in an ArgoCD Application to all components.  We'll
+use the `Artifacts` field of [ComponentConfig] defined by the author schema.
+
+## The Code
+
+### Generating the structure
+
+Use `holos` to generate a minimal platform directory structure.  Start by
+creating a blank directory to hold the platform configuration.
+
+```shell
+mkdir holos-argocd-application && cd holos-argocd-application
+```
+
+```shell
+holos init platform v1alpha5
+```
+
+### Creating an example Component
+
+<CommonComponent />
+<CommonComponentIntegrate />
+
+## Adding ArgoCD Application
+
+Configure Holos to render an [Application] by defining an [Artifact] for it in
+every BuildPlan holos produces.  We're unifying our custom configuration with
+the existing `#ComponentConfig` defined in `schema.cue`.
+
+```bash
+cat <<EOF >argocd-application.cue
+```
+```cue showLineNumbers
+package holos
+
+import (
+	"path"
+	app "argoproj.io/application/v1alpha1"
+)
+
+#ComponentConfig: {
+	Name:          _
+	OutputBaseDir: _
+
+	let ArtifactPath = path.Join([OutputBaseDir, "gitops", "\(Name).application.gen.yaml"], path.Unix)
+	let ResourcesPath = path.Join(["deploy", OutputBaseDir, "components", Name], path.Unix)
+
+	Artifacts: "\(Name)-application": {
+		artifact: ArtifactPath
+		generators: [{
+			kind:   "Resources"
+			output: artifact
+			resources: Application: (Name): app.#Application & {
+				metadata: name:      Name
+				metadata: namespace: "argocd"
+				spec: {
+					destination: server: "https://kubernetes.default.svc"
+					project: "default"
+					source: {
+						path:           ResourcesPath
+						repoURL:        "https://example.com/example.git"
+						targetRevision: "main"
+					}
+				}
+			}
+		}]
+	}
+}
+```
+```bash
+EOF
+```
+
+## Inspecting the BuildPlan
+
+Our customized `#ComponentConfig` results in the following `BuildPlan`.
+
+:::note
+The second artifact around line 40 contains the configured `Application`
+resource.
+:::
+
+<Tabs groupId="55075C71-02E8-4222-88C0-2D52C82D18FC">
+  <TabItem value="command" label="Command">
+```bash
+holos cue export --expression holos --out=yaml ./components/podinfo
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```yaml showLineNumbers
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: podinfo
+spec:
+  artifacts:
+    - artifact: components/podinfo/podinfo.gen.yaml
+      generators:
+        - kind: Helm
+          output: helm.gen.yaml
+          helm:
+            chart:
+              name: podinfo
+              version: 6.6.2
+              release: podinfo
+              repository:
+                name: podinfo
+                url: https://stefanprodan.github.io/podinfo
+            values: {}
+            enableHooks: false
+        - kind: Resources
+          output: resources.gen.yaml
+          resources: {}
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - helm.gen.yaml
+            - resources.gen.yaml
+          output: components/podinfo/podinfo.gen.yaml
+          kustomize:
+            kustomization:
+              labels:
+                - includeSelectors: false
+                  pairs: {}
+              resources:
+                - helm.gen.yaml
+                - resources.gen.yaml
+              kind: Kustomization
+              apiVersion: kustomize.config.k8s.io/v1beta1
+    - artifact: gitops/podinfo.application.gen.yaml
+      generators:
+        - kind: Resources
+          output: gitops/podinfo.application.gen.yaml
+          resources:
+            Application:
+              podinfo:
+                apiVersion: argoproj.io/v1alpha1
+                kind: Application
+                metadata:
+                  name: podinfo
+                  namespace: argocd
+                spec:
+                  destination:
+                    server: https://kubernetes.default.svc
+                  project: default
+                  source:
+                    path: deploy/components/podinfo
+                    repoURL: https://example.com/example.git
+                    targetRevision: main
+source:
+  component:
+    name: podinfo
+    path: no-path
+    parameters: {}
+```
+  </TabItem>
+</Tabs>
+
+## Rendering manifests
+
+<Tabs groupId="E150C802-7162-4FBF-82A7-77D9ADAEE847">
+  <TabItem value="command" label="Command">
+```bash
+holos render platform
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```
+cached podinfo 6.6.2
+rendered podinfo in 1.938665041s
+rendered platform in 1.938759417s
+```
+  </TabItem>
+</Tabs>
+
+## Reviewing the Application
+
+The Artifact we added to `#ComponentConfig` will produce an ArgoCD Application
+resource for every component in the platform.  The output in this example is
+located at:
+
+```txt
+deploy/gitops/podinfo.application.gen.yaml
+```
+```yaml showLineNumbers
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+    name: podinfo
+    namespace: argocd
+spec:
+    destination:
+        server: https://kubernetes.default.svc
+    project: default
+    source:
+        path: deploy/components/podinfo
+        repoURL: https://example.com/example.git
+        targetRevision: main
+```
+
+[podinfo]: https://github.com/stefanprodan/podinfo
+[CUE Module]: https://cuelang.org/docs/reference/modules/
+[CUE Tags]: https://cuelang.org/docs/howto/inject-value-into-evaluation-using-tag-attribute/
+[Application]: https://argo-cd.readthedocs.io/en/stable/user-guide/application-specification/
+[Platform]: ../../api/author.md#Platform
+[ComponentConfig]: ../../api/author.md#ComponentConfig
+[Artifact]: ../../api/core.md#Artifact

doc/md/topics/gitops/flux-kustomization.mdx

@@ -0,0 +1,218 @@
+---
+slug: flux-kustomization
+title: Flux Kustomization
+description: Configuring a Kustomization for each Component.
+sidebar_position: 120
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import CommonComponent from '../../common/example-component.mdx';
+import CommonComponentIntegrate from '../../common/example-component-integrate.mdx';
+
+# Flux Kustomization
+
+## Overview
+
+This topic covers how to mix in a Flux Kustomization to all components.  We'll
+use the `Artifacts` field of [ComponentConfig] defined by the author schema.
+
+## The Code
+
+### Generating the structure
+
+Use `holos` to generate a minimal platform directory structure.  Start by
+creating a blank directory to hold the platform configuration.
+
+```shell
+mkdir holos-flux-kustomization && cd holos-flux-kustomization
+```
+
+```shell
+holos init platform v1alpha5
+```
+
+### Creating an example Component
+
+<CommonComponent />
+<CommonComponentIntegrate />
+
+## Adding Flux Kustomizations
+
+Configure Holos to render a [Kustomization] by defining an [Artifact] for it in
+every BuildPlan holos produces.  We're unifying our custom configuration with
+the existing `#ComponentConfig` defined in `schema.cue`.
+
+```bash
+cat <<EOF >flux-kustomization.cue
+```
+```cue showLineNumbers
+package holos
+
+import (
+	"path"
+	flux "kustomize.toolkit.fluxcd.io/kustomization/v1"
+)
+
+#ComponentConfig: {
+	Name:          _
+	OutputBaseDir: _
+
+	let ArtifactPath = path.Join([OutputBaseDir, "gitops", "\(Name).kustomization.gen.yaml"], path.Unix)
+	let ResourcesPath = path.Join(["deploy", OutputBaseDir, "components", Name], path.Unix)
+
+	Artifacts: "\(Name)-kustomization": {
+		artifact: ArtifactPath
+		generators: [{
+			kind:   "Resources"
+			output: artifact
+			resources: Kustomization: (Name): flux.#Kustomization & {
+				metadata: name:      Name
+				metadata: namespace: "default"
+				spec: {
+					interval: "5m"
+					timeout:  "1m"
+					prune:    true
+					path:     ResourcesPath
+					sourceRef: {
+						kind: "GitRepository"
+						name: "webapp"
+					}
+				}
+			}
+		}]
+	}
+}
+```
+```bash
+EOF
+```
+
+## Inspecting the BuildPlan
+
+Our customized `#ComponentConfig` results in the following `BuildPlan`.
+
+:::note
+The second artifact around line 40 contains the configured `Kustomization`
+resource.
+:::
+
+<Tabs groupId="55075C71-02E8-4222-88C0-2D52C82D18FC">
+  <TabItem value="command" label="Command">
+```bash
+holos cue export --expression holos --out=yaml ./components/podinfo
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```yaml showLineNumbers
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: podinfo
+spec:
+  artifacts:
+    - artifact: components/podinfo/podinfo.gen.yaml
+      generators:
+        - kind: Helm
+          output: helm.gen.yaml
+          helm:
+            chart:
+              name: podinfo
+              version: 6.6.2
+              release: podinfo
+              repository:
+                name: podinfo
+                url: https://stefanprodan.github.io/podinfo
+            values:
+              ui:
+                message: Hello World
+            enableHooks: false
+        - kind: Resources
+          output: resources.gen.yaml
+          resources: {}
+      validators: []
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - helm.gen.yaml
+            - resources.gen.yaml
+          output: components/podinfo/podinfo.gen.yaml
+          kustomize:
+            kustomization:
+              resources:
+                - helm.gen.yaml
+                - resources.gen.yaml
+              kind: Kustomization
+              apiVersion: kustomize.config.k8s.io/v1beta1
+    - artifact: gitops/podinfo.kustomization.gen.yaml
+      generators:
+        - kind: Resources
+          output: gitops/podinfo.kustomization.gen.yaml
+          resources:
+            Kustomization:
+              podinfo:
+                apiVersion: kustomize.toolkit.fluxcd.io/v1
+                kind: Kustomization
+                metadata:
+                  name: podinfo
+                  namespace: default
+                spec:
+                  interval: 5m
+                  path: deploy/components/podinfo
+                  prune: true
+                  sourceRef:
+                    kind: GitRepository
+                    name: webapp
+                  timeout: 1m
+```
+  </TabItem>
+</Tabs>
+
+## Rendering manifests
+
+<Tabs groupId="E150C802-7162-4FBF-82A7-77D9ADAEE847">
+  <TabItem value="command" label="Command">
+```bash
+holos render platform
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```
+rendered podinfo in 140.341417ms
+rendered platform in 140.441333ms
+```
+  </TabItem>
+</Tabs>
+
+## Reviewing the Kustomization
+
+The Artifact we added to `#ComponentConfig` will produce a Flux Kustomization
+resource for every component in the platform.  The output in this example is
+located at:
+
+```txt
+deploy/gitops/podinfo.kustomization.gen.yaml
+```
+```yaml showLineNumbers
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+    name: podinfo
+    namespace: default
+spec:
+    interval: 5m
+    path: deploy/components/podinfo
+    prune: true
+    sourceRef:
+        kind: GitRepository
+        name: webapp
+    timeout: 1m
+```
+
+[podinfo]: https://github.com/stefanprodan/podinfo
+[CUE Module]: https://cuelang.org/docs/reference/modules/
+[CUE Tags]: https://cuelang.org/docs/howto/inject-value-into-evaluation-using-tag-attribute/
+[Kustomization]: https://fluxcd.io/flux/components/kustomize/kustomizations/
+[Platform]: ../../api/author.md#Platform
+[ComponentConfig]: ../../api/author.md#ComponentConfig
+[Artifact]: ../../api/core.md#Artifact

doc/md/topics/gitops/index.mdx

@@ -0,0 +1,19 @@
+---
+slug: .
+title: GitOps
+description: Managing resources with GitOps.
+sidebar_position: 120
+---
+import DocCardList from '@theme/DocCardList';
+
+# GitOps
+
+This section has self contained articles covering how to manage resources using
+GitOps tooling like [ArgoCD] and [Flux].
+
+---
+
+<DocCardList />
+
+[ArgoCD]: https://argo-cd.readthedocs.io/en/stable/
+[Flux]: https://fluxcd.io/

doc/md/topics/kargo.mdx

@@ -0,0 +1,20 @@
+---
+description: Kargo
+slug: kargo
+sidebar_position: 110
+---
+
+# Kargo
+
+Holos pairs nicely with [Kargo], offering a holistic solution for code
+promotion across stages.
+
+Watch this space for a more detailed write up of the integration being
+developed.
+
+If you're interested in this topic, please thumbs up the [Kargo
+Topic](https://github.com/holos-run/holos/issues/378) issue, or drop into
+[Discord] and let us know about your use case.
+
+[Kargo]: https://kargo.io/
+[Discord]: https://discord.gg/JgDVbNpye7

doc/md/topics/local-cluster.mdx

@@ -1,7 +1,7 @@
 ---
-description: Build a local Cluster to use with these guides.
-slug: /guides/local-cluster
-sidebar_position: 999
+description: Build a local cluster for use with Holos.
+slug: local-cluster
+sidebar_position: 50
 ---
 
 import Tabs from '@theme/Tabs';
@@ -16,8 +16,7 @@ have a standard Kubernetes API server with proper DNS and TLS certificates.
 You'll be able to easily reset the cluster to a known good state to iterate on
 your own Platform.
 
-The [Concepts](/docs/concepts) page defines capitalized terms such as Platform
-and Component.
+The [Glossary] page defines capitalized terms such as Platform and Component.
 
 ## Reset the Cluster
 
@@ -105,7 +104,7 @@ You're back to the same state as the first time you completed this guide.
 
 You'll need the following tools installed to complete this guide.
 
-1. [holos](/docs/install) - to build the platform.
+1. [holos](../tutorial/setup.mdx) - to build the platform.
 2. [helm](https://helm.sh/docs/intro/install/) - to render Holos components that wrap upstream Helm charts.
 3. [k3d](https://k3d.io/#installation) - to provide a k8s api server.
 4. [OrbStack](https://docs.orbstack.dev/install) or [Docker](https://docs.docker.com/get-docker/) - to use k3d.
@@ -274,4 +273,7 @@ k3d cluster delete workload
 ## Next Steps
 
 Now that you have a real cluster, apply and explore the manifests Holos renders
-in the [Quickstart](/docs/quickstart) guide.
+in the [Tutorial].
+
+[Glossary]: ../glossary.mdx
+[Tutorial]: ../tutorial.mdx

doc/md/topics/oci-helm-charts.mdx

@@ -0,0 +1,65 @@
+---
+description: OCI Helm Charts
+slug: oci-helm-charts
+sidebar_position: 710
+---
+
+# OCI Helm Charts
+
+Holos supports OCI Helm charts.  Use the following example to get started.
+
+```bash
+mkdir -p oci-helm && cd oci-helm
+holos init platform v1alpha5
+```
+
+```bash
+mkdir -p components/podinfo-oci
+cat <<EOF > components/podinfo-oci/podinfo-oci.cue
+```
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Chart: {
+		name:    "oci://ghcr.io/stefanprodan/charts/podinfo"
+		release: "podinfo"
+		version: "6.6.2"
+	}
+}
+```
+```bash
+EOF
+```
+
+Register the component with the platform.
+
+```bash
+cat <<EOF >platform/podinfo-oci.cue
+```
+```cue showLineNumbers
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo-oci"
+	path: "components/podinfo-oci"
+}
+```
+```bash
+EOF
+```
+
+The OCI chart is cached in the vendor directory and rendered.
+
+```bash
+holos render platform
+```
+
+```txt
+Pulled: ghcr.io/stefanprodan/charts/podinfo:6.6.2
+Digest: sha256:83295d47de6d6ca634ed4b952a7572fc176bcc38854d0c11ca0fa197bc5f1154
+rendered podinfo-oci in 7.21581325s
+rendered platform in 7.216199167s
+```

doc/md/topics/private-helm.mdx

@@ -0,0 +1,183 @@
+---
+description: Private Helm Repositories
+slug: private-helm
+sidebar_position: 700
+---
+
+# Private Helm
+
+Holos supports private Helm repositories accessed with http basic authentication
+since `v0.101.4`.  Use the following command to update your author and core
+schemas to support this configuration.
+
+```bash
+holos init platform v1alpha5 --force
+```
+
+## Configuration
+
+Holos uses the Helm SDK and defers to it for authentication to private
+repositories.  Each Helm Generator supports providing http basic authentication
+credentials from environment variables.
+
+For example, the following BuildPlan causes `holos` to get the admin username
+password from the `HOLOS_TEST_PASS` environment variable.
+
+```bash
+mkdir -p projects/holos/components/private-chart
+cat <<EOF > projects/holos/components/private-chart/private-chart.cue
+```
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+// Test holos can access a private repository with basic auth.
+// https://github.com/holos-run/holos/issues/370
+Component: #Helm & {
+	Chart: {
+		name:    "mychart"
+		version: "0.1.0"
+		repository: {
+			name: "holos-test"
+			url:  "https://charts.holos.localhost"
+			// auth: username: fromEnv:   "HOLOS_TEST_USER"
+			auth: username: value:   "admin"
+			auth: password: fromEnv: "HOLOS_TEST_PASS"
+		}
+	}
+}
+```
+```bash
+EOF
+```
+
+## Verification
+
+Verify `holos` can access a private Helm repository by setting [ChartMuseum] up
+on a [Local Cluster].  We'll use https with basic auth to authenticate to the
+chart repository.
+
+Using the [bank of holos] repository, deploy chart museum:
+
+```bash
+holos render platform -t ChartMuseum
+```
+
+Apply the manifests:
+
+```bash
+kubectl apply --server-side=true -f deploy/clusters/workload/projects/holos/components/chart-museum
+kubectl apply --server-side=true -f deploy/clusters/workload/projects/network/components/httproutes
+```
+
+Get the admin password:
+
+```bash
+kubectl get secret -n holos chartmuseum-auth -o json \
+  | jq --exit-status -r '.data.password | @base64d'
+```
+
+Add a local repo:
+
+```bash
+helm repo add holos-test https://charts.holos.localhost --username admin
+```
+```txt
+Password:
+"holos-test" has been added to your repositories
+```
+
+:::note
+Helm by default stores this password in `~/Library/Preferences/helm/repositories.yaml`
+:::
+
+Create a chart:
+
+```bash
+helm create mychart
+```
+```txt
+Creating mychart
+```
+
+Package it up.
+
+```bash
+helm package mychart
+```
+```txt
+Successfully packaged chart and saved it to: mychart-0.1.0.tgz
+```
+
+Publish it.
+
+```bash
+curl --user "admin:$(pbpaste)" --data-binary "@mychart-0.1.0.tgz" https://charts.holos.localhost/api/charts
+```
+```json
+{"saved":true}
+```
+
+Remove all cached charts:
+
+```bash
+find . -name vendor | xargs rm -rf
+```
+
+Render the chart:
+
+```bash
+cat <<EOF > test-private-repo.cue
+```
+```cue showLineNumbers
+@if(TestPrivateRepo)
+package holos
+
+// Test holos can access a private repository with basic auth.
+// https://github.com/holos-run/holos/issues/370
+Projects: holos: #ProjectBuilder & {
+        team: "holos-authors"
+
+        namespaces: holos:            _
+        _components: "private-chart": _
+}
+```
+```bash
+EOF
+```
+
+```
+time holos render platform -t TestPrivateRepo
+```
+
+Check the chart was pulled and cached:
+
+```shell
+tree ./projects/holos/components/private-chart/vendor
+```
+```txt
+./projects/holos/components/private-chart/vendor
+└── 0.1.0
+    ├── mychart
+    │   ├── Chart.yaml
+    │   ├── mychart-0.1.0.tgz
+    │   ├── templates
+    │   │   ├── NOTES.txt
+    │   │   ├── _helpers.tpl
+    │   │   ├── deployment.yaml
+    │   │   ├── hpa.yaml
+    │   │   ├── ingress.yaml
+    │   │   ├── service.yaml
+    │   │   ├── serviceaccount.yaml
+    │   │   └── tests
+    │   │       └── test-connection.yaml
+    │   └── values.yaml
+    └── mychart-0.1.0.tgz
+
+6 directories, 11 files
+```
+
+[Local Cluster]: ./local-cluster.mdx
+[ChartMuseum]: https://chartmuseum.com/docs/
+[bank of holos]: https://github.com/holos-run/bank-of-holos

doc/md/topics/structures/clusters.mdx

@@ -0,0 +1,425 @@
+---
+slug: clusters
+title: Clusters
+description: Managing clusters - management and workload sets.
+sidebar_position: 100
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import CommonComponent from '../../common/example-component.mdx';
+
+# Clusters
+
+## Overview
+
+This topic covers one common method to manage multiple clusters with Holos.  We'll
+define two schemas to hold cluster attributes.  First, a single `#Cluster` then
+a `#Clusters` collection.  We'll use a `Clusters: #Clusters` struct to look up
+configuration data using a key.  We'll use the cluster name as the lookup key
+identifying the cluster.
+
+We'll also organize sets of similar clusters by defining `#ClusterSet` and
+`#ClusterSets`.  We'll use a `ClusterSets:
+#ClusterSets` struct to configure a management cluster and iterate over all
+workload clusters.
+
+## The Code
+
+### Initializing the structure
+
+Use `holos` to generate a minimal platform directory structure.  Start by
+creating a blank directory to hold the platform configuration.
+
+```shell
+mkdir holos-multiple-clusters && cd holos-multiple-clusters
+```
+
+```shell
+holos init platform v1alpha5
+```
+
+### Using an example Component
+
+<CommonComponent />
+
+We'll integrate the component with the platform after we define the
+configuration structures.
+
+## Defining Clusters
+
+We'll define a `#Cluster` schema and a `#Clusters` collection in this section.
+We'll use these schemas to define a `Clusters` structure we use to manage
+multiple clusters.
+
+### Assumptions
+
+We'll make the following assumptions, which hold true for many real world
+environments.
+
+1. There are two sets of clusters, workload clusters and management clusters.
+2. There is one management cluster.
+3. There are multiple workload clusters.
+4. Each workload cluster is configured similarly, but not identically, to the
+others.
+
+### Prototyping the data
+
+Before we define the schema, let's prototype the data structure we want to work
+with.  We want a structure that makes it easy to iterate over each cluster in
+two distinct sets of clusters, management clusters and workload clusters.  The
+following `ClusterSets` struct accomplishes this goal.
+
+```yaml showLineNumbers
+management:
+  name: management
+  clusters:
+    management:
+      name: management
+      region: us-central1
+      set: management
+workload:
+  name: workload
+  clusters:
+    e1:
+      name: e1
+      region: us-east1
+      set: workload
+    w1:
+      name: w1
+      region: us-west1
+      set: workload
+```
+
+:::tip
+The `ClusterSets` data structure supports iterating over each cluster in each
+cluster set.
+:::
+
+:::important
+You're free to define your own fields and structures like we define `region` in
+this topic.
+:::
+
+### Defining the schema
+
+Armed with a concrete example of the structure, we can write a schema to define
+and validate the data.
+
+In CUE, schema definitions are usually defined at the root so they're accessible
+in all subdirectories.  The following is one example schema, you're free to
+modify it to your situation.  Holos is flexible, supporting schemas that match
+your unique use case.
+
+```bash
+cat <<EOF > clusters.schema.cue
+```
+```cue showLineNumbers
+package holos
+
+import "strings"
+
+// #Cluster represents one cluster
+#Cluster: {
+	// name represents the cluster name.
+	name: string & =~"[a-z][a-z0-9]+" & strings.MinRunes(2) & strings.MaxRunes(63)
+	// Constrain the regions.  No default, the region must be specified.
+	region: "us-east1" | "us-central1" | "us-west1"
+	// Each cluster must be in only one set of clusters.  All but one cluster are
+	// workload clusters, so make it the default.
+	set: "management" | *"workload"
+}
+
+// #Clusters represents a cluster collection structure
+#Clusters: {
+	// name is the lookup key for the collection.
+	[NAME=string]: #Cluster & {
+		// name must match the struct field name.
+		name: NAME
+	}
+}
+
+// #ClusterSet represents a set of clusters.
+#ClusterSet: {
+	// name represents the cluster set name.
+	name: string & =~"[a-z][a-z0-9]+" & strings.MinRunes(2) & strings.MaxRunes(63)
+	clusters: #Clusters & {
+		// Constrain the cluster set to clusters having the same set.  Ensures
+		// clusters are never mis-categorized.
+		[_]: set: name
+	}
+}
+
+// #ClusterSets represents a cluster set collection.
+#ClusterSets: {
+	// name is the lookup key for the collection.
+	[NAME=string]: #ClusterSet & {
+		// name must match the struct field name.
+		name: NAME
+	}
+}
+```
+```bash
+EOF
+```
+
+### Defining the data
+
+With a schema defined, we also define the data close to the root so it's
+accessible through the unified configuration tree.
+
+```bash
+cat <<EOF > clusters.cue
+```
+```cue showLineNumbers
+package holos
+
+Clusters: #Clusters & {
+	// Management Cluster
+	management: region: "us-central1"
+	management: set:    "management"
+	// Local Cluster
+	local: region: "us-west1"
+	// Some example clusters.  Add new clusters to the Clusters struct like this.
+	e1: region: "us-east1"
+	e2: region: "us-east1"
+	e3: region: "us-east1"
+	w1: region: "us-west1"
+	w2: region: "us-west1"
+	w3: region: "us-west1"
+}
+
+// ClusterSets is dynamically built from the Clusters structure.
+ClusterSets: #ClusterSets & {
+	// Map every cluster into the correct set.
+	for CLUSTER in Clusters {
+		(CLUSTER.set): clusters: (CLUSTER.name): CLUSTER
+	}
+}
+```
+```bash
+EOF
+```
+
+### Inspecting the data
+
+We'll use the `holos cue` command to inspect the `ClusterSets` data structure we
+just defined.
+
+<Tabs groupId="9190BDAD-B4C5-4386-9C94-8E178AA6178A">
+  <TabItem value="command" label="Command">
+```bash
+holos cue export --expression ClusterSets --out=yaml ./
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```yaml showLineNumbers
+management:
+  name: management
+  clusters:
+    management:
+      name: management
+      region: us-central1
+      set: management
+workload:
+  name: workload
+  clusters:
+    local:
+      name: local
+      region: us-west1
+      set: workload
+    e1:
+      name: e1
+      region: us-east1
+      set: workload
+    e2:
+      name: e2
+      region: us-east1
+      set: workload
+    e3:
+      name: e3
+      region: us-east1
+      set: workload
+    w1:
+      name: w1
+      region: us-west1
+      set: workload
+    w2:
+      name: w2
+      region: us-west1
+      set: workload
+    w3:
+      name: w3
+      region: us-west1
+      set: workload
+```
+  </TabItem>
+</Tabs>
+
+This looks like our prototype, we're confident we can iterate over each cluster
+in each set.
+
+## Integrating Components
+
+The `ClusterSets` data structure unlocks the capability to iterate over each
+cluster in each cluster set.  We'll use this capability to integrate the
+`podinfo` component with each cluster in the platform.
+
+### Configuring the Output directory
+
+We need to configure `holos` to write output manifests into a cluster specific
+output directory.  We'll use the [ComponentConfig] `OutputBaseDir` field for
+this purpose.  We'll pass the value of this field as a component parameter.
+
+```bash
+cat <<EOF > componentconfig.cue
+```
+```cue showLineNumbers
+package holos
+
+#ComponentConfig: {
+	// Inject the output base directory from platform component parameters.
+	OutputBaseDir: string @tag(outputBaseDir, type=string)
+}
+```
+```bash
+EOF
+```
+
+### Integrating Podinfo
+
+```bash
+cat <<EOF >platform/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+// Manage podinfo on all workload clusters.
+for CLUSTER in ClusterSets.workload.clusters {
+	// We use the cluster name to disambiguate different podinfo build plans.
+	Platform: Components: "\(CLUSTER.name)-podinfo": {
+		name: "podinfo"
+		// Reuse the same component across multiple workload clusters.
+		path: "components/podinfo"
+		// Configure a cluster-unique message in the podinfo UI.
+		parameters: message: "Hello, I am cluster \(CLUSTER.name) in region \(CLUSTER.region)"
+		// Write to deploy/{outputBaseDir}/components/{name}/{name}.gen.yaml
+		parameters: outputBaseDir: "clusters/\(CLUSTER.name)"
+	}
+}
+```
+```bash
+EOF
+```
+
+## Rendering manifests
+
+### Rendering the Platform
+
+Render the platform to configure `podinfo` on each cluster.
+
+<Tabs groupId="34A2D80B-0E86-4142-B65B-7DF70C47E1D2">
+  <TabItem value="command" label="Command">
+```bash
+holos render platform
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```txt
+cached podinfo 6.6.2
+rendered podinfo in 164.278583ms
+rendered podinfo in 165.48525ms
+rendered podinfo in 165.186208ms
+rendered podinfo in 165.831792ms
+rendered podinfo in 166.845208ms
+rendered podinfo in 167.000208ms
+rendered podinfo in 167.012208ms
+rendered platform in 167.06525ms
+```
+  </TabItem>
+</Tabs>
+
+### Inspecting the Tree
+
+Rendering the platform produces the following rendered manifests.
+
+```bash
+tree deploy
+```
+```txt showLineNumbers
+deploy
+└── clusters
+    ├── e1
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── e2
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── e3
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── local
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── w1
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── w2
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    └── w3
+        └── components
+            └── podinfo
+                └── podinfo.gen.yaml
+
+23 directories, 7 files
+```
+
+### Inspecting the Variation
+
+Note how each component has slight variation using the component parameters.
+
+```bash
+diff -U2 deploy/clusters/{e,w}1/components/podinfo/podinfo.gen.yaml
+```
+
+```diff
+--- deploy/clusters/e1/components/podinfo/podinfo.gen.yaml	2024-11-17 14:20:17
++++ deploy/clusters/w1/components/podinfo/podinfo.gen.yaml	2024-11-17 14:20:17
+@@ -61,5 +61,5 @@
+         env:
+         - name: PODINFO_UI_MESSAGE
+-          value: Hello, I am cluster e1 in region us-east1
++          value: Hello, I am cluster w1 in region us-west1
+         - name: PODINFO_UI_COLOR
+           value: '#34577c'
+
+```
+
+## Concluding Remarks
+
+In this topic we covered how to use CUE structures to organize multiple clusters
+into various sets.
+
+1. Clusters are defined in one place at the root of the configuration.
+2. Clusters may be organized into sets by their purpose.
+3. Most organizations have at least two sets, a set of workload clusters and a
+set of management clusters.
+4. Holos uses CUE, a super set of JSON.  New clusters may be added by dropping a
+JSON file into the root of the repository.
+5. The pattern of defining a `#Cluster` and a `#Clusters` collection is a
+general pattern.  We'll see the same pattern for environments, projects, owners,
+and more.
+6. Component parameters are a flexible way to inject user defined configuration
+from the platform level into a reusable component.
+
+[ClusterSet]: https://multicluster.sigs.k8s.io/api-types/cluster-set/
+[Environments]: ./environments.mdx
+[Namespace Sameness - SIG Multicluster Position Statement]: https://github.com/kubernetes/community/blob/master/sig-multicluster/namespace-sameness-position-statement.md
+[ComponentConfig]: ../../api/author.md#ComponentConfig

doc/md/topics/structures/environments.mdx

@@ -0,0 +1,521 @@
+---
+slug: environments
+title: Environments
+description: Managing Environments - dev, test, stage, prod.
+sidebar_position: 130
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import CommonComponent from '../../common/example-component.mdx';
+
+# Environments
+
+## Overview
+
+This topic covers how to model environments in Holos. We'll define schemas for
+`#Environment` and `#Environments` to represent one environment and a
+collection. The `Environments: #Environments` struct maps environment names to
+configurations.
+
+:::note
+This approach unifies the component definition with the overall platform
+configuration, creating a tight coupling between the two.
+:::
+
+This tight coupling is appropriate when you're configuring your own platform.
+For example:
+
+1. When you're integrating third party software into your own platform.
+2. When you're configuring first party in-house software into your own platform.
+
+This approach is not well suited to writing a component to share outside of your
+own organization, which we can think of as configuring someone else's platform.
+
+## The Code
+
+### Generating the structure
+
+Use `holos init platform` to generate a minimal platform structure:
+
+```shell
+mkdir holos-environments-tutorial && cd holos-environments-tutorial
+holos init platform v1alpha5
+```
+
+### Using an example Component
+
+Create a directory for the example `podinfo` component we'll use to render
+platform manifests.
+
+```bash
+mkdir -p components/podinfo
+```
+
+Create the CUE configuration for the example `podinfo` component.
+
+```bash
+cat <<EOF >components/podinfo/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Chart: {
+		name:    "podinfo"
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+	Values: ui: {
+		message: string | *"Hello World" @tag(message, type=string)
+	}
+}
+```
+```bash
+EOF
+```
+
+We'll integrate the component with the platform after we define the
+configuration structures.
+
+## Defining Environments
+
+We'll define an `#Environment` schema `#Environments` collection.  We'll use
+these schemas to define an `Environments` struct of concrete configuration
+values.
+
+### Assumptions
+
+There are two tiers of environments, prod and nonprod.  Prod environments
+organized along broad jurisdictions, for example US and EU.  Nonprod
+environments are organized by purpose, dev, test, and stage.
+
+### Prototyping the data
+
+Before we define the schema, let's prototype the data structure we want to work
+with from the perspective of each component.
+
+Let's imagine we're configuring `podinfo` to comply with regulations.  When
+podinfo is deployed to production in the EU, we'll configure opt-in behavior.
+In the US we'll configure opt-out behavior.
+
+We'll pass the environment name as a component parameter.  The component
+definition can then look up the jurisdiction to determine the appropriate
+configuration values.
+
+```shell
+holos cue export --out=yaml --expression Environments
+```
+
+```yaml showLineNumbers
+prod-pdx:
+  name: prod-pdx
+  tier: prod
+  jurisdiction: us
+  state: oregon
+prod-cmh:
+  name: prod-cmh
+  tier: prod
+  jurisdiction: us
+  state: ohio
+prod-ams:
+  name: prod-ams
+  tier: prod
+  jurisdiction: eu
+  state: netherlands
+dev:
+  name: dev
+  tier: nonprod
+  jurisdiction: us
+  state: oregon
+test:
+  name: test
+  tier: nonprod
+  jurisdiction: us
+  state: oregon
+stage:
+  name: stage
+  tier: nonprod
+  jurisdiction: us
+  state: oregon
+```
+
+### Defining the schema
+
+Given the example structure, we can write a schema to define and validate the
+data.
+
+```shell
+cat <<EOF > environments.schema.cue
+```
+```cue showLineNumbers
+package holos
+
+#Environment: {
+	name:         string
+	tier:         "prod" | "nonprod"
+	jurisdiction: "us" | "eu" | "uk" | "global"
+	state:        "oregon" | "ohio" | "germany" | "netherlands" | "england" | "global"
+
+	// Prod environment names must be prefixed with prod for clarity.
+	if tier == "prod" {
+		name: "prod" | =~"^prod-"
+	}
+}
+
+#Environments: {
+	[NAME=string]: #Environment & {
+		name: NAME
+	}
+}
+```
+```shell
+EOF
+```
+
+### Adding configuration
+
+With a schema defined, we can fill in the concrete values.
+
+```shell
+cat <<EOF > environments.cue
+```
+```cue showLineNumbers
+package holos
+
+// Injected from Platform.spec.components.parameters.EnvironmentName
+EnvironmentName: string @tag(EnvironmentName)
+
+Environments: #Environments & {
+	"prod-pdx": {
+		tier:         "prod"
+		jurisdiction: "us"
+		state:        "oregon"
+	}
+	"prod-cmh": {
+		tier:         "prod"
+		jurisdiction: "us"
+		state:        "ohio"
+	}
+	"prod-ams": {
+		tier:         "prod"
+		jurisdiction: "eu"
+		state:        "netherlands"
+	}
+	// Nonprod environments are colocated together.
+	_nonprod: {
+		tier:         "nonprod"
+		jurisdiction: "us"
+		state:        "oregon"
+	}
+	dev:   _nonprod
+	test:  _nonprod
+	stage: _nonprod
+}
+```
+```shell
+EOF
+```
+
+### Inspecting the configuration
+
+Inspect the `Environments` data structure to verify the schema and concrete
+values are what we want.
+
+<Tabs groupId="FF820F5A-A85F-464D-B299-39CAAFFCE5C6">
+  <TabItem value="command" label="Command">
+```bash
+holos cue export --out=yaml --expression Environments
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```yaml showLineNumbers
+prod-pdx:
+  name: prod-pdx
+  tier: prod
+  jurisdiction: us
+  state: oregon
+prod-cmh:
+  name: prod-cmh
+  tier: prod
+  jurisdiction: us
+  state: ohio
+prod-ams:
+  name: prod-ams
+  tier: prod
+  jurisdiction: eu
+  state: netherlands
+dev:
+  name: dev
+  tier: nonprod
+  jurisdiction: us
+  state: oregon
+test:
+  name: test
+  tier: nonprod
+  jurisdiction: us
+  state: oregon
+stage:
+  name: stage
+  tier: nonprod
+  jurisdiction: us
+  state: oregon
+```
+  </TabItem>
+</Tabs>
+
+This looks like our prototype, we're confident we can iterate over each
+environment and get a handle on the configuration values we need.
+
+## Integrating components
+
+The `Environments` data structure unlocks the capability to look up concrete
+values specific to a named environment.  We'll use this capability to configure
+the `podinfo` component in compliance with the regulations of the jurisdiction.
+
+### Configuring the environment
+
+Inject the environment name when we integrate `podinfo` with the platform.
+
+```shell
+cat <<EOF > platform/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+Platform: Components: {
+	podinfoPDX: ProdPodinfo & {_city: "pdx"}
+	podinfoCMH: ProdPodinfo & {_city: "cmh"}
+	podinfoAMS: ProdPodinfo & {_city: "ams"}
+	podinfoDEV: {
+		name: "podinfo-dev"
+		path: "components/podinfo"
+		labels: "app.holos.run/component": "podinfo"
+		parameters: EnvironmentName:       "dev"
+	}
+}
+
+let ProdPodinfo = {
+	_city: string
+	name:  "podinfo-\(_city)"
+	path:  "components/podinfo"
+	labels: "app.holos.run/component": "podinfo"
+	labels: "app.holos.run/tier":      "prod"
+	labels: "app.holos.run/city":      _city
+	parameters: EnvironmentName:       "prod-\(_city)"
+}
+```
+```
+EOF
+```
+
+### Using the environment
+
+Now we can configure `podinfo` based on the jurisdiction of the environment.
+
+```shell
+cat <<EOF > components/podinfo/cookie-consent.cue
+```
+```cue showLineNumbers
+package holos
+
+// Schema definition for our configuration.
+#Values: {
+	ui: enableCookieConsent: *true | false
+	ui: message:             string
+}
+
+// Map jurisdiction to helm values
+JurisdictionValues: {
+	// Enable cookie consent by default in any jurisdiction.
+	[_]: #Values
+	// Disable in the US.
+	us: ui: enableCookieConsent: false
+	eu: ui: enableCookieConsent: true
+}
+
+// Look up the configuration values associated with the environment name.
+Component: Values: JurisdictionValues[Environments[EnvironmentName].jurisdiction]
+```
+```shell
+EOF
+```
+
+### Inspecting the BuildPlans
+
+With the above configuration, we can inspect the buildplans for this component.
+The prod environment in Amsterdam has cookie consent enabled on line 26.
+
+<Tabs groupId="6EC991F3-F78C-43F1-8A6D-E68D8BDAF58B">
+  <TabItem value="command" label="Command">
+```bash
+holos show buildplans --selector app.holos.run/city=ams
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```yaml showLineNumbers
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: podinfo-ams
+  labels:
+    app.holos.run/city: ams
+    app.holos.run/component: podinfo
+    app.holos.run/name: podinfo-ams
+    app.holos.run/tier: prod
+spec:
+  artifacts:
+    - artifact: components/podinfo-ams/podinfo-ams.gen.yaml
+      generators:
+        - kind: Helm
+          output: helm.gen.yaml
+          helm:
+            chart:
+              name: podinfo
+              version: 6.6.2
+              release: podinfo
+              repository:
+                name: podinfo
+                url: https://stefanprodan.github.io/podinfo
+            values:
+              ui:
+                # highlight-next-line
+                enableCookieConsent: true
+                message: Hello World
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - helm.gen.yaml
+            - resources.gen.yaml
+          output: components/podinfo-ams/podinfo-ams.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              labels:
+                - includeSelectors: false
+                  pairs: {}
+              resources:
+                - helm.gen.yaml
+                - resources.gen.yaml
+    - artifact: gitops/podinfo-ams.application.gen.yaml
+      generators:
+        - kind: Resources
+          output: gitops/podinfo-ams.application.gen.yaml
+          resources:
+            Application:
+              podinfo-ams:
+                apiVersion: argoproj.io/v1alpha1
+                kind: Application
+                metadata:
+                  name: podinfo-ams
+                  namespace: argocd
+                spec:
+                  destination:
+                    server: https://kubernetes.default.svc
+                  project: default
+                  source:
+                    path: deploy/components/podinfo-ams
+                    repoURL: https://github.com/brenix/holos-demo.git
+                    targetRevision: main
+```
+  </TabItem>
+</Tabs>
+
+In Portland cookie consent is disabled.
+
+<Tabs groupId="3438335B-1FFC-4838-B8DE-C54B8346CDB4">
+  <TabItem value="command" label="Command">
+```bash
+holos show buildplans --selector app.holos.run/city=pdx
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```yaml showLineNumbers
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: podinfo-pdx
+  labels:
+    app.holos.run/city: pdx
+    app.holos.run/component: podinfo
+    app.holos.run/name: podinfo-pdx
+    app.holos.run/tier: prod
+spec:
+  artifacts:
+    - artifact: components/podinfo-pdx/podinfo-pdx.gen.yaml
+      generators:
+        - kind: Helm
+          output: helm.gen.yaml
+          helm:
+            chart:
+              name: podinfo
+              version: 6.6.2
+              release: podinfo
+              repository:
+                name: podinfo
+                url: https://stefanprodan.github.io/podinfo
+            values:
+              ui:
+                # highlight-next-line
+                enableCookieConsent: false
+                message: Hello World
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - helm.gen.yaml
+            - resources.gen.yaml
+          output: components/podinfo-pdx/podinfo-pdx.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              labels:
+                - includeSelectors: false
+                  pairs: {}
+              resources:
+                - helm.gen.yaml
+                - resources.gen.yaml
+    - artifact: gitops/podinfo-pdx.application.gen.yaml
+      generators:
+        - kind: Resources
+          output: gitops/podinfo-pdx.application.gen.yaml
+          resources:
+            Application:
+              podinfo-pdx:
+                apiVersion: argoproj.io/v1alpha1
+                kind: Application
+                metadata:
+                  name: podinfo-pdx
+                  namespace: argocd
+                spec:
+                  destination:
+                    server: https://kubernetes.default.svc
+                  project: default
+                  source:
+                    path: deploy/components/podinfo-pdx
+                    repoURL: https://github.com/brenix/holos-demo.git
+                    targetRevision: main
+```
+  </TabItem>
+</Tabs>
+
+## Concluding Remarks
+
+In this topic we covered how to use a CUE structure to define attributes of prod
+and nonprod environments.
+
+1. We passed the environment name as a parameter to each component using a CUE `@tag`.
+2. The component definition uses the environment name as a key to get a handle
+on attributes. For example, the jurisdiction a service operates within.
+3. The example podinfo component uses an additional structure to map
+jurisdictions to concrete configuration values.

doc/md/topics/structures/index.mdx

@@ -0,0 +1,25 @@
+---
+slug: .
+title: Structures
+description: Commonly used CUE structures.
+sidebar_position: 120
+---
+import DocCardList from '@theme/DocCardList';
+
+# Structures
+
+This section has self contained articles covering commonly used CUE structures.
+These structures are organized and presented as recipes you may adopt and adjust
+to your unique organization.
+
+:::important
+Structures are defined by Holos Users, unlike the standardized [Core] and
+[Author] schemas defined by the Holos Authors.
+:::
+
+---
+
+<DocCardList />
+
+[Core]: ../../api/core.md
+[Author]: ../../api/author.md

doc/md/tutorial/1-overview.mdx

@@ -1,94 +0,0 @@
-# Overview
-
-Holos is an open-source tool that simplifies software integration for platform
-teams. While most Kubernetes tools focus on application management, Holos takes
-a holistic infrastructure-as-code (IaC) approach, targeting the integration
-layer where applications and organizational data converge. By providing
-well-defined, typed structures for consistent validation, Holos reduces errors,
-streamlines integration, and creates clear pathways for teams to easily
-integrate their services.
-
-# How Holos works
-
-Holos implements the [rendered manifests pattern][rmp], generating fully
-rendered Kubernetes manifests from [CUE language][CUE] abstractions called
-Components. These Components can model [Helm charts][Helm], [Kustomize
-bases][Kustomize], or native Kubernetes resources. A Holos Platform consists of
-one or more Components and is applied to one or more Kubernetes clusters.
-
-```mermaid
-graph BT
-    Platform[Platform]
-    Cluster[Cluster]
-    Component[Component]
-    Helm[Helm]
-    Kustomize[Kustomize]
-    CUE[CUE]
-
-    Platform --> Cluster
-    Component --> Platform
-    Helm --> Component
-    Kustomize --> Component
-    CUE --> Component
-```
-
-# Holos' role in your workflow
-
-Holos generates, but does not apply, rendered manifests, allowing teams to use
-`git diff` to clearly see changes and assess the impact on clusters and services
-before deploying. Instead, Holos manages the GitOps configuration for tools like
-ArgoCD and Flux CD, enabling continuous deployment of resource changes with the
-full visibility and control that these tools provide. As a result, expect Holos
-to sit at the very end of a CI pipeline.
-
-# Advantages of using Holos
-
-### Safety
-
-* CUE constraints on Holos Components surface validation errors early in the
-development process, reducing the number of failed deployments and the time
-spent troubleshooting them.
-* Holos natively provides a "blast radius" to code
-changes by identifying the rendered manifests across your fleet of Kubernetes
-clusters that will be affected by the change.
-* CUE's unification strategy allows multiples teams to contribute to the desired
-state of a service:
-    * The Platform team provides definitions for shared resources.
-    * Engineering teams populate definitions with service-specific data.
-    * The Security team provides concrete values that cannot be changed to harden the company's security posture.
-
-### Flexibility
-
-* CUE is adept at modeling variation and organizational complexity at scale,
-while Holos enables seamless integration of CUE data with native Kubernetes
-tools such as [Helm][Helm] and [Kustomize][Kustomize].
-* Holos is extensible, allowing Holos Components to be modeled from any tool that
-generates (e.g. `helm`) or transforms (e.g.  `kustomize`) manifest data.
-
-### Consistency
-
-* Holos manages the execution context for Helm and Kustomize, ensuring that
-rendered manifests are consistently and reliably reproducible, no matter where
-Holos is run.
-* CUE constraints ensure that data abstractions include the required information
-in the expected format, triggering early failures if any required data is
-missing.
-
-
-# When not to use Holos
-
-Holos excels at configuration management and is most effective when integrated
-into a broader Kubernetes deployment strategy. If you need a single tool to
-manage the entire lifecycle of a Kubernetes cluster, Holos may not fully meet
-your needs on its own.
-
-# Next Steps
-
-Now that you have a base understanding of how Holos works, continue
-to the [Setup page](./2-setup.mdx) that guides you through installing Holos and
-initializing your first Platform.
-
-[rmp]: https://akuity.io/blog/the-rendered-manifests-pattern
-[Helm]: https://helm.sh/
-[Kustomize]: https://kustomize.io/
-[CUE]: https://cuelang.org/

doc/md/tutorial/2-setup.mdx

@@ -1,85 +0,0 @@
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-# Setup
-
-This tutorial will guide you through the installation of Holos and its
-dependencies, as well as the initialization of a minimal Platform that you can
-extend to meet your specific needs.
-
-# Prerequisites
-
-Holos integrates with the following tools that should be installed to enable
-their functionality.
-
-* [Helm][helm] to fetch and render Helm chart Components
-* [Kubectl][kubectl] to [kustomize][kustomize] components.
-
-# Install Holos
-
-Holos is distributed as a single file executable that can be installed in a couple of ways.
-
-### Releases
-
-Download `holos` from the [releases](https://github.com/holos-run/holos/releases) page and place the executable into your shell path.
-
-### Go install
-
-Alternatively, install directly into your go bin path using:
-
-```shell
-go install github.com/holos-run/holos/cmd/holos@latest
-```
-
-# Do I need a Kubernetes cluster?
-
-Holos only generates rendered Kubernetes manifests, so you don't need a
-Kubernetes cluster to start using the tool or understand its workflow. However,
-you will need a cluster eventually to apply the rendered manifests and verify
-that they achieve the desired end state.
-
-We recommend using [k3d](https://k3d.io/) to set up a minimal Kubernetes cluster with
-[Orbstack](https://docs.orbstack.dev/install) or
-[Docker](https://docs.docker.com/get-started/get-docker/). To simplify this,
-we've created [the Local Cluster guide](../topics/4-local-cluster.mdx) which
-automates the process, ensuring proper DNS and TLS certificates, and includes a
-script to reset the cluster to a known good state.
-
-When you're ready to experiment with a live Kubernetes cluster, refer to [the
-Local Cluster guide](../topics/4-local-cluster.mdx).
-
-# Initialize a new Platform
-
-Use Holos to generate a minimal platform using the recommended directory structure
-by creating an empty directory and then using the `holos generate platform` subcommand:
-
-<Tabs groupId="tutorial-setup-generate-platform">
-  <TabItem value="command" label="Command">
-```bash
-mkdir holos_platform
-cd holos_platform
-holos generate platform v1alpha4
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt
-no output
-```
-  </TabItem>
-</Tabs>
-
-Holos creates a `platform` directory with a `platform.gen.cue` file that serves
-as the foundation for your newly initialized Holos Platform. For each Holos
-Component you model, you'll add a new CUE file to the platform directory,
-mapping it to the location of the Component's CUE code, and extending the
-capabilities of your platform.
-
-# Next Steps
-
-Now that you've got Holos and its prerequisites installed, continue on to the
-[Hello Holos page](./3-hello-holos.mdx) where we will guide you through the
-process of creating your first Component and modeling a Helm chart.
-
-[helm]: https://github.com/helm/helm/releases
-[kubectl]: https://kubernetes.io/docs/tasks/tools/
-[kustomize]: https://kustomize.io/

doc/md/tutorial/3-hello-holos.mdx

@@ -1,74 +0,0 @@
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-# Hello Holos
-
-One of the first exercises you perform when learning a new programming language
-is to print out the "Hello World!" greeting. For Holos, our "Hello Holos"
-exercise involves modeling the [podinfo Helm chart][podinfo] that produces a
-similar greeting message from a Kubernetes Pod.
-
-By the end of this tutorial you will gain the understanding of how to model
-an individual Holos Component using a Helm chart as its source.
-
-# The code
-
-### Podinfo Helm Chart
-
-Let's start by creating a directory for `podinfo`, touching an empty CUE file,
-and then populating it with the CUE code below:
-
-<Tabs groupId="tutorial-hello-podinfo-helm-cue-code">
-  <TabItem value="projects/tutorial/components/podinfo/podinfo.cue" label="Podinfo Helm Chart">
-```bash
-mkdir -p projects/tutorial/components/podinfo
-touch projects/tutorial/components/podinfo/podinfo.cue
-```
-```cue showLineNumbers
-package holos
-
-// Produce a helm chart build plan.
-_HelmChart.BuildPlan
-
-_HelmChart: #Helm & {
-	Name: "podinfo"
-	Chart: {
-		version: "6.6.2"
-		repository: {
-			name: "podinfo"
-			url:  "https://stefanprodan.github.io/podinfo"
-		}
-	}
-}
-```
-  </TabItem>
-</Tabs>
-
-### Register the podinfo component
-
-Now let's register the code modeling the `podinfo` Helm chart as a Holos
-Component and assign it to a cluser. For this we will need a create new file in
-the `platform` directory with the following contents:
-
-<Tabs groupId="tutorial-hello-register-podinfo-component">
-  <TabItem value="platform/podinfo.cue" label="Register Podinfo">
-```bash
-touch plaform/podinfo.cue
-```
-```cue showLineNumbers
-_Platform: Components: podinfo: {
-	name:      "podinfo"
-	component: "projects/tutorial/components/podinfo"
-	cluster:   "local"
-}
-```
-  </TabItem>
-</Tabs>
-
-
-
-
-
-
-
-[podinfo]: https://github.com/stefanprodan/podinfo

doc/md/tutorial/4-helm.mdx

@@ -1 +0,0 @@
-# Helm

doc/md/tutorial/5-kustomize.mdx

@@ -1 +0,0 @@
-# Kustomize

doc/md/tutorial/6-cue.mdx

@@ -1 +0,0 @@
-# CUE

doc/md/tutorial/7-mix-ins.mdx

@@ -1 +0,0 @@
-# Mix Ins

doc/md/tutorial/8-core-api.mdx

@@ -1 +0,0 @@
-# Core API

doc/md/tutorial/9-author-api.mdx

@@ -1 +0,0 @@
-# Author API

doc/md/tutorial/_hello-holos/examples/01-holos-version.txt

@@ -0,0 +1,7 @@
+exec bash -c 'bash -euo pipefail $WORK/command.sh 2>&1'
+cmp stdout $WORK/output.txt
+
+-- command.sh --
+holos --version
+-- output.txt --
+0.104.1

doc/md/tutorial/_hello-holos/examples/02-hello-holos.txt

@@ -0,0 +1,126 @@
+# Set $HOME because:
+#   - Helm uses it for temporary files
+#   - Git requires it for setting author name/email globally
+env HOME=$WORK/.tmp
+chmod 0755 $WORK/update.sh
+
+# Configure git author for testscript execution
+exec git config --global user.name 'Holos Docs'
+exec git config --global user.email 'hello@holos.run'
+exec git config --global init.defaultBranch main
+
+# Remove the tutorial directory if it already exists
+exec rm -rf holos-tutorial
+
+# Create and change to the tutorial directory, and then initialize the Holos platform
+exec bash -c 'bash -euo pipefail $WORK/mkdir-and-init.sh'
+cd holos-tutorial
+
+# Create the components directory
+exec bash -c 'bash -euo pipefail $WORK/mkdir-components.sh'
+
+# Combine and execute the multiline podinfo component header/body/trailer files
+exec cat $WORK/podinfo-component-header.sh ../podinfo-component-body.cue ../eof-trailer.sh
+stdin stdout
+exec bash -xeuo pipefail
+
+# Combine and execute the multiline platform registration header/body/trailer files
+exec cat $WORK/register-podinfo-header.sh ../register-podinfo-body.cue ../eof-trailer.sh
+stdin stdout
+exec bash -xeuo pipefail
+
+# Render the platform, capture stdout, and use update.sh to gate whether the
+# output file should be updated.
+#
+# NOTE: The [net] condition will test whether external network access is available
+[net] exec bash -c 'bash -euo pipefail $WORK/render.sh 2>&1'
+[net] stdin stdout
+exec $WORK/update.sh $WORK/register-components-output.txt
+
+# Generate and update the tree of the tutorial directory (omitting the cue.mod directory)
+exec bash -c 'bash -euo pipefail $WORK/tree.sh'
+stdin stdout
+exec $WORK/update.sh $WORK/tree.txt
+
+# Split the rendered manifest into two separate files to display separately
+exec bash -c 'bash -euo pipefail $WORK/split-rendered-manifest.sh $WORK/holos-tutorial/deploy/components/podinfo/podinfo.gen.yaml $WORK'
+
+# Grep for the Hello Holos message and write the output file
+exec bash -c 'bash -euo pipefail $WORK/grep-for-message.sh'
+stdin stdout
+exec $WORK/update.sh $WORK/grepped-output.txt
+
+# Clean up the tutorial directory and tmp $HOME directory
+cd $WORK
+exec rm -rf holos-tutorial
+exec rm -rf $HOME
+
+-- update.sh --
+#! /bin/bash
+set -euo pipefail
+[[ -s "$1" ]] && [[ -z "${HOLOS_UPDATE_SCRIPTS:-}" ]] && exit 0
+cat > "$1"
+-- mkdir-and-init.sh --
+mkdir holos-tutorial && cd holos-tutorial
+holos init platform v1alpha5
+-- tree.sh --
+tree -L 3 -I cue.mod .
+-- mkdir-components.sh --
+mkdir -p components/podinfo
+-- podinfo-component-header.sh --
+cat <<EOF > components/podinfo/podinfo.cue
+-- podinfo-component-body.cue --
+package holos
+
+// Produce a helm chart build plan.
+holos: HelmChart.BuildPlan
+
+HelmChart: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+	// Holos marshals Values into values.yaml for Helm.
+	Values: {
+		// message is a string with a default value.  @tag indicates a value may
+		// be injected from the platform spec component parameters.
+		ui: {
+			message: string | *"Hello World" @tag(greeting, type=string)
+		}
+	}
+}
+-- eof-trailer.sh --
+EOF
+-- register-podinfo-header.sh --
+cat <<EOF > platform/podinfo.cue
+-- register-podinfo-body.cue --
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+	// Inject a value into the component.
+	parameters: greeting: "Hello Holos!"
+}
+-- render.sh --
+holos render platform
+-- register-components-output.txt --
+cached podinfo 6.6.2
+rendered podinfo in 1.938665041s
+rendered platform in 1.938759417s
+-- podinfo-rendered-path.sh --
+deploy/components/podinfo/podinfo.gen.yaml
+-- split-rendered-manifest.sh --
+awk 'BEGIN {RS="---"} NR==1 {print > "service.yaml"} NR==2 {print > "deployment.yaml"}' $1
+mv service.yaml $2/rendered-service.yaml
+mv deployment.yaml $2/rendered-deployment.yaml
+-- grep-for-message.sh --
+grep -B2 Hello deploy/components/podinfo/podinfo.gen.yaml
+-- grepped-output.txt --
+        env:
+        - name: PODINFO_UI_MESSAGE
+          value: Hello Holos!

doc/md/tutorial/_hello-holos/script-01-holos-version/command.sh

@@ -0,0 +1 @@
+holos --version

doc/md/tutorial/_hello-holos/script-01-holos-version/output.txt

@@ -0,0 +1 @@
+0.104.1

doc/md/tutorial/_hello-holos/script-02-hello-holos/eof-trailer.sh

@@ -0,0 +1 @@
+EOF

doc/md/tutorial/_hello-holos/script-02-hello-holos/grep-for-message.sh

@@ -0,0 +1 @@
+grep -B2 Hello deploy/components/podinfo/podinfo.gen.yaml

doc/md/tutorial/_hello-holos/script-02-hello-holos/grepped-output.txt

@@ -0,0 +1,3 @@
+        env:
+        - name: PODINFO_UI_MESSAGE
+          value: Hello Holos!

doc/md/tutorial/_hello-holos/script-02-hello-holos/mkdir-and-init.sh

@@ -0,0 +1,2 @@
+mkdir holos-tutorial && cd holos-tutorial
+holos init platform v1alpha5

doc/md/tutorial/_hello-holos/script-02-hello-holos/mkdir-components.sh

@@ -0,0 +1 @@
+mkdir -p components/podinfo

doc/md/tutorial/_hello-holos/script-02-hello-holos/podinfo-component-body.cue

@@ -0,0 +1,23 @@
+package holos
+
+// Produce a helm chart build plan.
+holos: HelmChart.BuildPlan
+
+HelmChart: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+	// Holos marshals Values into values.yaml for Helm.
+	Values: {
+		// message is a string with a default value.  @tag indicates a value may
+		// be injected from the platform spec component parameters.
+		ui: {
+			message: string | *"Hello World" @tag(greeting, type=string)
+		}
+	}
+}

doc/md/tutorial/_hello-holos/script-02-hello-holos/podinfo-component-header.sh

@@ -0,0 +1 @@
+cat <<EOF > components/podinfo/podinfo.cue

doc/md/tutorial/_hello-holos/script-02-hello-holos/podinfo-rendered-path.sh

@@ -0,0 +1 @@
+deploy/components/podinfo/podinfo.gen.yaml

doc/md/tutorial/_hello-holos/script-02-hello-holos/register-components-output.txt

@@ -0,0 +1,2 @@
+rendered podinfo in 312.472625ms
+rendered platform in 312.557375ms

doc/md/tutorial/_hello-holos/script-02-hello-holos/register-podinfo-body.cue

@@ -0,0 +1,8 @@
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+	// Inject a value into the component.
+	parameters: greeting: "Hello Holos!"
+}

doc/md/tutorial/_hello-holos/script-02-hello-holos/register-podinfo-header.sh

@@ -0,0 +1 @@
+cat <<EOF > platform/podinfo.cue

doc/md/tutorial/_hello-holos/script-02-hello-holos/render.sh

@@ -0,0 +1 @@
+holos render platform

doc/md/tutorial/_hello-holos/script-02-hello-holos/rendered-deployment.yaml

@@ -0,0 +1,93 @@
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: podinfo
+    app.kubernetes.io/version: 6.6.2
+    helm.sh/chart: podinfo-6.6.2
+  name: podinfo
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: podinfo
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: "9898"
+        prometheus.io/scrape: "true"
+      labels:
+        app.kubernetes.io/name: podinfo
+    spec:
+      containers:
+      - command:
+        - ./podinfo
+        - --port=9898
+        - --cert-path=/data/cert
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=podinfo
+        - --level=info
+        - --random-delay=false
+        - --random-error=false
+        env:
+        - name: PODINFO_UI_MESSAGE
+          value: Hello Holos!
+        - name: PODINFO_UI_COLOR
+          value: '#34577c'
+        image: ghcr.io/stefanprodan/podinfo:6.6.2
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          failureThreshold: 3
+          initialDelaySeconds: 1
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+        name: podinfo
+        ports:
+        - containerPort: 9898
+          name: http
+          protocol: TCP
+        - containerPort: 9797
+          name: http-metrics
+          protocol: TCP
+        - containerPort: 9999
+          name: grpc
+          protocol: TCP
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          failureThreshold: 3
+          initialDelaySeconds: 1
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+        resources:
+          limits: null
+          requests:
+            cpu: 1m
+            memory: 16Mi
+        volumeMounts:
+        - mountPath: /data
+          name: data
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: data
+

doc/md/tutorial/_hello-holos/script-02-hello-holos/rendered-service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: podinfo
+    app.kubernetes.io/version: 6.6.2
+    helm.sh/chart: podinfo-6.6.2
+  name: podinfo
+spec:
+  ports:
+  - name: http
+    port: 9898
+    protocol: TCP
+    targetPort: http
+  - name: grpc
+    port: 9999
+    protocol: TCP
+    targetPort: grpc
+  selector:
+    app.kubernetes.io/name: podinfo
+  type: ClusterIP
+

doc/md/tutorial/_hello-holos/script-02-hello-holos/split-rendered-manifest.sh

@@ -0,0 +1,3 @@
+awk 'BEGIN {RS="---"} NR==1 {print > "service.yaml"} NR==2 {print > "deployment.yaml"}' $1
+mv service.yaml $2/rendered-service.yaml
+mv deployment.yaml $2/rendered-deployment.yaml

doc/md/tutorial/_hello-holos/script-02-hello-holos/tree.sh

@@ -0,0 +1 @@
+tree -L 3 -I cue.mod .

doc/md/tutorial/_hello-holos/script-02-hello-holos/tree.txt

@@ -0,0 +1,17 @@
+.
+|-- components
+|   `-- podinfo
+|       |-- podinfo.cue
+|       `-- vendor
+|-- deploy
+|   `-- components
+|       `-- podinfo
+|-- platform
+|   |-- platform.gen.cue
+|   `-- podinfo.cue
+|-- platform.metadata.json
+|-- resources.cue
+|-- schema.cue
+`-- tags.cue
+
+8 directories, 7 files

doc/md/tutorial/_hello-holos/script-02-hello-holos/update.sh

@@ -0,0 +1,4 @@
+#! /bin/bash
+set -euo pipefail
+[[ -s "$1" ]] && [[ -z "${HOLOS_UPDATE_SCRIPTS:-}" ]] && exit 0
+cat > "$1"

doc/md/tutorial/_helm-values/examples/01-holos-version.txt

@@ -0,0 +1,7 @@
+exec bash -c 'bash -euo pipefail $WORK/command.sh 2>&1'
+cmp stdout $WORK/output.txt
+
+-- command.sh --
+holos --version
+-- output.txt --
+0.104.1