Merge pull request #461 from holos-run/jeff/node22-cloudflare

website: update to node 22 for cloudflare builds
website: move .nvmrc to repository root
2026-03-03 05:49:54 +00:00 · 2026-01-24 20:52:51 -08:00 · 2026-01-24 20:48:30 -08:00 · 2026-01-24 17:31:50 -08:00 · 2026-01-24 17:26:51 -08:00 · 2026-01-24 17:01:19 -08:00
917 changed files with 37945 additions and 102735 deletions
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -0,0 +1,13 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(cd:*)",
+      "Bash(holos:*)",
+      "Bash(cue:*)",
+      "Bash(git commit:*)",
+      "Bash(git add:*)",
+      "Bash(make:*)"
+    ],
+    "deny": []
+  }
+}
--- a/.cspell.json
+++ b/.cspell.json
@@ -37,6 +37,7 @@
    "blackbox",
    "buildplan",
    "buildplans",
+    "Buildx",
    "builtinpluginloadingoptions",
    "cachedir",
    "cadvisor",
@@ -84,6 +85,7 @@
    "destinationrules",
    "devel",
    "devicecode",
+    "distroless",
    "dnsmasq",
    "dscacheutil",
    "ecrauthorizationtoken",
@@ -103,6 +105,7 @@
    "fieldspec",
    "flushcache",
    "fluxcd",
+    "fsys",
    "fullname",
    "gatewayclass",
    "gatewayclasses",
@@ -129,6 +132,7 @@
    "grpcroute",
    "grpcroutes",
    "grpcurl",
+    "hcfg",
    "healthchecks",
    "healthz",
    "helmchartargs",
@@ -216,6 +220,7 @@
    "overriden",
    "Parentspanid",
    "patchstrategicmerge",
+    "pcfg",
    "pcjc",
    "peerauthentication",
    "peerauthentications",
@@ -281,6 +286,7 @@
    "serviceentries",
    "serviceentry",
    "servicemonitor",
+    "sigstore",
    "somevalue",
    "SOMEVAR",
    "sortoptions",
@@ -293,6 +299,7 @@
    "stefanprodan",
    "storageclasses",
    "streamwatcher",
+    "stretchr",
    "struct",
    "structpb",
    "subcharts",
@@ -303,6 +310,7 @@
    "tablewriter",
    "templatable",
    "testscript",
+    "testutil",
    "thanos",
    "Tiltfile",
    "timestamppb",
@@ -321,6 +329,8 @@
    "udev",
    "uibutton",
    "Unmarshal",
+    "unmarshals",
+    "unshallow",
    "unstage",
    "untar",
    "upbound",
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1,7 @@
+if ! use flake .#default --accept-flake-config --print-build-logs
+then
+  echo "nix flake could not be built; update flake.nix and run direnv allow/reload" >&2
+fi
+
+watch_file nix/*.nix
+watch_file flake.nix
--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@@ -0,0 +1,143 @@
+name: Container
+
+# Only allow actors with write permission to the repository to trigger this
+# workflow.
+permissions:
+  contents: write
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      git_ref:
+        description: 'Git ref to build (e.g., refs/tags/v1.2.3, refs/heads/main)'
+        required: true
+        type: string
+
+jobs:
+  buildx:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Set tag from trigger event
+        id: opts
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "ref=${{ inputs.git_ref }}" >> $GITHUB_OUTPUT
+          else
+            echo "ref=${GITHUB_REF}" >> $GITHUB_OUTPUT
+          fi
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.opts.outputs.ref }}
+      - name: SHA
+        id: sha
+        run: echo "sha=$(/usr/bin/git log -1 --format='%H')" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Fetch tags
+        run: git fetch --prune --unshallow --tags
+      - name: Set Tags
+        id: tags
+        run: |
+          echo "detail=$(/usr/bin/git describe --tags HEAD)" >> $GITHUB_OUTPUT
+          echo "suffix=$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
+          echo "tag=$(/usr/bin/git describe --tags HEAD)$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push container images
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+            ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Setup Cosign to sign container images
+        uses: sigstore/cosign-installer@v3.7.0
+      - name: Sign with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+      - name: Update holos-run/holos-action
+        env:
+          IMAGE: ghcr.io/holos-run/holos:v0.102.1
+          VERSION: ${{ steps.tags.outputs.tag }}
+          USER_ID: ${{ steps.get-user-id.outputs.user-id }}
+          TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -euo pipefail
+          git clone "https://github.com/holos-run/holos-action"
+          cd holos-action
+          git remote set-url origin https://${USER_ID}:${TOKEN}@github.com/holos-run/holos-action
+          docker pull --quiet "${IMAGE}"
+          docker run -v $(pwd):/app --workdir /app --rm "${IMAGE}"  \
+            holos cue export --out yaml action.cue -t "version=${VERSION}" > action.yml
+          git add action.yml
+          git commit -m "ci: update holos to ${VERSION} - https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" || (echo "No changes to commit"; exit 0)
+          git push origin HEAD:main HEAD:v0 HEAD:v1
+
+      - name: Login to quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_TOKEN }}
+      - name: Push to quay.io
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          # docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+          docker push quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Sign quay.io image
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          cosign sign --yes quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
+    outputs:
+      tag: ${{ steps.tags.outputs.tag }}
+      detail: ${{ steps.tags.outputs.detail }}
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -25,6 +25,6 @@ jobs:
        with:
          go-version: stable
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
        with:
-          version: v1.60
+          version: v2.1.6
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,42 +0,0 @@
---
-# https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
-name: Lint
-"on":
-  push:
-    branches:
-      - main
-      - test
-  pull_request:
-    types: [opened, synchronize]
-
-permissions:
-  contents: read
-
-jobs:
-  lint:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: stable
-
-      ## Not needed on ubuntu-latest
-      # - name: Install Packages
-      #   run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
-
-      - name: Install Tools
-        run: make tools
-
-      - name: Lint
-        # golangci-lint runs in a separate workflow.
-        run: make lint -o golangci-lint
--- a/.github/workflows/spelling.yaml
+++ b/.github/workflows/spelling.yaml
@@ -0,0 +1,17 @@
+---
+name: Spelling
+"on":
+  push:
+    branches:
+      - main
+      - test
+  pull_request:
+    types: [opened, synchronize]
+permissions:
+  contents: read
+jobs:
+  cspell:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: ./hack/cspell
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -28,19 +28,16 @@ jobs:
        with:
          go-version: stable

-      - name: Install Packages
-        run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
-
      - name: Set up Helm
        uses: azure/setup-helm@v4
+        with:
+          version: '3.17.3'

      - name: Set up Kubectl
        uses: azure/setup-kubectl@v4

-      - name: Install Tools
-        run: |
-          set -x
-          make tools
+      - name: Install holos
+        run: make install

      - name: Test
        run: ./scripts/test
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,11 @@ tmp/
 /holos-k3d/
 /holos-infra/
 node_modules/
+.tmp/
+
+# nix
+/.direnv/
+result
+
+# claude
+/.claude/settings.local.json
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,2 +1,20 @@
-run:
-  timeout: 5m
+version: "2"
+linters:
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,13 +0,0 @@
-# Refer to https://ko.build/configuration/#overriding-go-build-settings
-builds:
- id: holos
-  dir: .
-  main: ./cmd/holos
-  env:
-  - GOPRIVATE=github.com/holos-run/\*
-  ldflags:
-  - -s
-  - -w
-  - -X
-  # Makefile provides GIT_DETAIL and GIT_SUFFIX.
-  - github.com/holos-run/holos/version.GitDescribe={{.Env.GIT_DETAIL}}{{.Env.GIT_SUFFIX}}
--- a/.nvmrc
+++ b/.nvmrc
@@ -0,0 +1 @@
+22
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,115 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Holos is a configuration management tool for Kubernetes that implements the rendered manifests pattern using CUE. It unifies Helm charts, Kustomize bases, and raw Kubernetes manifests into a single, declarative pipeline.
+
+### Core Flow
+```
+Platform → Components → BuildPlan → Generators → Transformers → Validators → Manifests
+```
+
+## Key Commands
+
+```bash
+# Development
+make build         # Build the binary
+make install       # Install binary (REQUIRED before testing holos commands)
+make test          # Run all tests
+make fmt           # Format Go code
+make lint          # Run linters
+make coverage      # Generate coverage report
+
+# Documentation
+make update-docs   # Update generated docs
+make website       # Build the documentation website
+
+# Usage (run 'make install' first to test code changes)
+holos render platform    # Render entire platform
+holos render component   # Render single component
+holos show buildplans    # Show build plans
+holos init platform      # Initialize new platform
+```
+
+## Architecture
+
+### Directory Structure
+- `/api/` - API definitions (v1alpha5 stable, v1alpha6 in development)
+- `/cmd/` - CLI entry point
+- `/internal/cli/` - Command implementations
+- `/internal/component/` - Component handling logic
+- `/internal/platform/` - Platform handling logic
+- `/internal/generate/` - Code generation
+
+### Key Files
+- `/internal/cli/render/render.go` - Core render logic
+- `/internal/component/component.go` - Component processing
+- `/api/core/v1alpha*/types.go` - API type definitions
+
+### Component Types
+1. **Helm** - Wraps Helm charts
+2. **Kustomize** - Wraps Kustomize bases  
+3. **Kubernetes** - Raw Kubernetes manifests
+
+## CUE Patterns
+
+Components are defined in CUE:
+```cue
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+    Name: "example"
+    Chart: {
+        version: "1.0.0"
+        repository: {
+            name: "example"
+            url:  "https://charts.example.com"
+        }
+    }
+}
+```
+
+## Testing
+
+- Unit tests: `*_test.go` files colocated with source
+- Integration tests: `/cmd/holos/tests/`
+- Example platforms: `/internal/testutil/fixtures/`
+- Run single test: `go test -run TestName ./path/to/package`
+
+## Development Patterns
+
+1. Error handling: Prefer `errors.Format()` from `/internal/errors/` over `fmt.Errorf()`
+2. Logging: Use structured `slog`, get logger with `logger.FromContext(ctx)`
+3. CLI commands: Follow Cobra patterns in `/internal/cli/`
+4. CUE formatting: Always run `cue fmt` on CUE files
+5. Go formatting: Always run `go fmt` on go files
+6. Develop against v1alpha6 packages.
+7. Commits: Use the package name as the first word in the commit, lower case.  Commit without asking permission.  Always run `make lint` and `make test` before committing.
+
+## Version Management
+
+- Version files: `/version/embedded/{major,minor,patch}`
+- Bump version: `make bump`
+- API versions: v1alpha5 (stable), v1alpha6 (development)
+
+## Key Concepts
+
+- **Platform**: Top-level configuration containing all components
+- **Component**: Unit of configuration (DAG of Tasks producing deployment configs for one component)
+- **TaskSet**: DAG of Tasks (Similar to how make tasks behave)
+- **BuildPlan**: Instructions for building a component.  Deprecated in v1alpha6, use TaskSet instead.
+- **Generator**: Creates manifests (Helm, Kustomize, etc.) author schema only in v1alpha6
+- **Transformer**: Modifies generated manifests, author schema only in v1alpha6
+- **Validator**: Validates final manifests, author schema only in v1alpha6
+
+## Resources
+
+- Tutorials: `/doc/md/tutorial/`
+- Platform templates: `/internal/generate/platforms/`
+- Test fixtures: `/internal/testutil/fixtures/`
+- Core schemas: `/api/core/` (Abstraction over low level data pipeline tasks)
+- Author schemas: `/api/author/` (User facing abstractions over core Schemas)
--- a/46
+++ b/46
@@ -1,8 +1,38 @@
-FROM quay.io/holos-run/debian:bullseye AS final
-USER root
-WORKDIR /app
-ADD bin bin
-RUN chown -R app: /app
-# Kubernetes requires the user to be numeric
-USER 8192
-ENTRYPOINT bin/holos server
+FROM registry.k8s.io/kubectl:v1.33.4 AS kubectl
+# https://github.com/GoogleContainerTools/distroless
+FROM golang:1.24 AS build
+
+WORKDIR /go/src/app
+COPY . .
+
+RUN CGO_ENABLED=0 make install
+RUN CGO_ENABLED=0 go install sigs.k8s.io/kustomize/kustomize/v5
+
+# Install helm to /usr/local/bin/helm
+# https://helm.sh/docs/intro/install/#from-script
+# https://holos.run/docs/v1alpha5/tutorial/setup/#dependencies
+RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 \
+  && chmod 700 get_helm.sh \
+  && DESIRED_VERSION=v3.16.2 ./get_helm.sh \
+  && rm -f get_helm.sh
+
+COPY --from=kubectl /bin/kubectl /usr/local/bin/
+
+# Use debian slim instead of distroless to get package management.
+FROM public.ecr.aws/docker/library/debian:13-slim AS final
+COPY --from=build \
+     /go/bin/holos \
+     /go/bin/kustomize \
+     /usr/local/bin/kubectl \
+     /usr/local/bin/helm \
+     /bin/
+
+# Extra packages
+# git - https://github.com/holos-run/holos/issues/440
+RUN apt update && \
+    apt install -y --no-install-recommends git ca-certificates && \
+    apt clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Usage: docker run -v $(pwd):/app --workdir /app --rm -it quay.io/holos-run/holos holos render platform
+CMD ["/bin/holos"]
--- a/47
+++ b/47
@@ -32,17 +32,20 @@ bump: bumppatch
 .PHONY: bumppatch
 bumppatch: ## Bump the patch version.
 	scripts/bump patch
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test

 .PHONY: bumpminor
 bumpminor: ## Bump the minor version.
 	scripts/bump minor
 	scripts/bump patch 0
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test

 .PHONY: bumpmajor
 bumpmajor: ## Bump the major version.
 	scripts/bump major
 	scripts/bump minor 0
 	scripts/bump patch 0
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test

 .PHONY: show-version
 show-version: ## Print the full version.
@@ -58,8 +61,8 @@ tidy: ## Tidy go module.

 .PHONY: fmt
 fmt: ## Format code.
-	cd internal/generate/platforms && cue fmt ./...
 	go fmt ./...
+	cue fmt ./...

 .PHONY: vet
 vet: ## Vet Go code.
@@ -75,10 +78,11 @@ build: ## Build holos executable.
 	@echo "GOPATH=${GOPATH}"
 	go build -trimpath -o bin/$(BIN_NAME) -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)

-linux: ## Build holos executable for tilt.
-	@echo "building ${BIN_NAME}.linux ${VERSION}"
+.PHONY: debug
+debug: ## Build debug executable.
+	@echo "building ${BIN_NAME}-debug ${VERSION}"
 	@echo "GOPATH=${GOPATH}"
-	GOOS=linux go build -trimpath -o bin/$(BIN_NAME).linux -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)
+	go build -o bin/$(BIN_NAME)-debug $(REPO_PATH)/cmd/$(BIN_NAME)

 .PHONY: install
 install: build ## Install holos to GOPATH/bin
@@ -97,9 +101,7 @@ golangci-lint:
 	golangci-lint run

 .PHONY: lint
-lint: golangci-lint ## Run linters.
-	buf lint
-	cd internal/frontend/holos && ng lint
+lint: vet golangci-lint ## Run linters.
 	./hack/cspell

 .PHONY: coverage
@@ -111,41 +113,19 @@ snapshot:  ## Go release snapshot
 	goreleaser release --snapshot --clean

 .PHONY: tools
-tools: go-deps frontend-deps website-deps ## install tool dependencies
+tools: go-deps website-deps ## install tool dependencies

 .PHONY: go-deps
 go-deps: ## tool versions pinned in tools.go
 	go install cuelang.org/go/cmd/cue
-	go install github.com/bufbuild/buf/cmd/buf
-	go install github.com/fullstorydev/grpcurl/cmd/grpcurl
-	go install google.golang.org/protobuf/cmd/protoc-gen-go
-	go install connectrpc.com/connect/cmd/protoc-gen-connect-go
-	go install honnef.co/go/tools/cmd/staticcheck
-	go install golang.org/x/tools/cmd/godoc
 	go install github.com/princjef/gomarkdoc/cmd/gomarkdoc
-	go install github.com/google/ko
+	go install github.com/rogpeppe/go-internal/cmd/testscript
 	# curl https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash

-.PHONY: frontend-deps
-frontend-deps: ## Install Angular deps for go generate
-	cd internal/frontend/holos && npm install
-
 .PHONY: website-deps
 website-deps: ## Install Docusaurus deps for go generate
 	cd doc/website && npm install

-.PHONY: image # refer to .ko.yaml as well
-image:  ## Container image build for workflows/publish.yaml
-	KO_DOCKER_REPO=$(DOCKER_REPO) GIT_DETAIL=$(GIT_DETAIL) GIT_SUFFIX=$(GIT_SUFFIX) ko build --platform=all --bare ./cmd/holos --tags $(GIT_DETAIL)$(GIT_SUFFIX) --tags latest
-
-.PHONY: prod-deploy
-prod-deploy: install image  ## deploy to PROD
-	GIT_DETAIL=$(GIT_DETAIL) GIT_SUFFIX=$(GIT_SUFFIX) bash ./hack/deploy
-
-.PHONY: dev-deploy
-dev-deploy: install image  ## deploy to dev
-	GIT_DETAIL=$(GIT_DETAIL) GIT_SUFFIX=$(GIT_SUFFIX) bash ./hack/deploy-dev
-
 .PHONY: website
 website: ## Build website
 	./hack/build-website
@@ -154,6 +134,11 @@ website: ## Build website
 unity: ## https://cuelabs.dev/unity/
 	./scripts/unity

+.PHONY: update-docs
+update-docs: ## Update doc examples
+	HOLOS_UPDATE_SCRIPTS=1 go test -v ./doc/md/...
+	HOLOS_UPDATE_SCRIPTS=1 go test -v ./doc/website/versioned_docs/...
+
 .PHONY: help
 help:  ## Display this help menu.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
--- a/README.md
+++ b/README.md
@@ -119,12 +119,12 @@ here to help.

 Holos is licensed under Apache 2.0 as found in the [LICENSE file](LICENSE).

-[Holos]: https://holos.run
+[Holos]: https://holos.run/docs/overview/
 [rendered manifests pattern]: https://akuity.io/blog/the-rendered-manifests-pattern
 [CUE]: https://cuelang.org/
 [Discord]: https://discord.gg/JgDVbNpye7
 [GitHub discussions]: https://github.com/holos-run/holos/discussions
 [Why CUE for Configuration]: https://holos.run/blog/why-cue-for-configuration/
-[topics]: https://holos.run/docs/topics/
+[tutorial]: https://holos.run/docs/overview/
 [setup]: https://holos.run/docs/setup/
-[tutorial]: https://holos.run/docs/tutorial/
+[topics]: https://holos.run/docs/topics/
--- a/110
+++ b/110
@@ -1,110 +0,0 @@
-# -*- mode: Python -*-
-# This Tiltfile manages a Go project with live reload in Kubernetes
-
-listen_port = 3000
-metrics_port = 9090
-
-# Use our wrapper to set the kube namespace
-if os.getenv('TILT_WRAPPER') != '1':
-    fail("could not run, ./hack/tilt/bin/tilt was not used to start tilt")
-
-# Resource ids
-holos_backend = 'Holos Server'
-compile_id = 'Go Build'
-
-# Default Registry.
-# See: https://github.com/tilt-dev/tilt.build/blob/master/docs/choosing_clusters.md#manual-configuration
-# Note, Tilt will append the image name to the registry uri path
-# default_registry('{account}.dkr.ecr.{region}.amazonaws.com/holos-run/holos'.format(account=aws_account, region=aws_region))
-
-# Set a name prefix specific to the user.  Multiple developers share the tilt-holos namespace.
-developer = os.getenv('USER')
-holos_server = 'holos'
-
-# We always develop against the k3d-workload cluster
-os.putenv('KUBECONFIG', os.path.abspath('./hack/tilt/kubeconfig'))
-
-# Extensions are open-source, pre-packaged functions that extend Tilt
-#
-#   More info: https://github.com/tilt-dev/tilt-extensions
-#   More info: https://docs.tilt.dev/extensions.html
-load('ext://restart_process', 'docker_build_with_restart')
-load('ext://k8s_attach', 'k8s_attach')
-load('ext://git_resource', 'git_checkout')
-load('ext://uibutton', 'cmd_button')
-
-# Paths edited by the developer Tilt watches to trigger compilation.
-# Generated files should be excluded to avoid an infinite build loop.
-developer_paths = [
-    './cmd',
-    './internal/server',
-    './internal/ent/schema',
-    './frontend/package-lock.json',
-    './frontend/src',
-    './go.mod',
-    './pkg',
-    './service/holos',
-]
-
-# Builds the holos executable GOOS=linux
-local_resource(compile_id, 'make linux', deps=developer_paths)
-
-# Build Docker image
-#   Tilt will automatically associate image builds with the resource(s)
-#   that reference them (e.g. via Kubernetes or Docker Compose YAML).
-#
-#   More info: https://docs.tilt.dev/api.html#api.docker_build
-#
-docker_build_with_restart(
-    'k3d-registry.holos.localhost:5100/holos',
-    context='.',
-    entrypoint=[
-        '/app/bin/holos.linux',
-        'server',
-        '--log-format=text',
-        '--oidc-issuer=https://login.holos.run',
-        '--oidc-audience=275804490387516853@holos_quickstart', # auth proxy
-        '--oidc-audience=270319630705329162@holos_platform', # holos cli
-    ],
-    dockerfile='./Dockerfile',
-    only=['./bin'],
-    # (Recommended) Updating a running container in-place
-    # https://docs.tilt.dev/live_update_reference.html
-    live_update=[
-        # Sync files from host to container
-        sync('./bin/', '/app/bin/'),
-    ],
-)
-
-# Troubleshooting
-def resource_name(id):
-    print('resource: {}'.format(id))
-    return id.name
-
-workload_to_resource_function(resource_name)
-
-# Customize a Kubernetes resource
-#   By default, Kubernetes resource names are automatically assigned
-#   based on objects in the YAML manifests, e.g. Deployment name.
-#
-#   Tilt strives for sane defaults, so calling k8s_resource is
-#   optional, and you only need to pass the arguments you want to
-#   override.
-#
-#   More info: https://docs.tilt.dev/api.html#api.k8s_resource
-#
-k8s_yaml(blob(str(read_file('./hack/tilt/k8s/dev-holos-app/deployment.yaml'))))
-
-# Backend server process
-k8s_resource(
-    workload=holos_server,
-    new_name=holos_backend,
-    objects=[],
-    resource_deps=[compile_id],
-    links=[
-        link('https://app.holos.localhost/ui/'.format(developer), "Holos Web UI")
-    ],
-)
-
-# Database
-print("✨ Tiltfile evaluated")
--- a/api/author/v1alpha3/definitions.go
+++ b/api/author/v1alpha3/definitions.go
@@ -1,226 +0,0 @@
-// Package v1alpha3 contains CUE definitions intended as convenience wrappers
-// around the core data types defined in package core.  The purpose of these
-// wrappers is to make life easier for platform engineers by reducing boiler
-// plate code and generating component build plans in a consistent manner.
-package v1alpha3
-
-import (
-	core "github.com/holos-run/holos/api/core/v1alpha3"
-	"google.golang.org/protobuf/types/known/structpb"
-)
-
-//go:generate ../../../hack/gendoc
-
-// Component represents the fields common the different kinds of component.  All
-// components have a name, support mixing in resources, and produce a BuildPlan.
-type ComponentFields struct {
-	// Name represents the Component name.
-	Name string
-	// Resources are kubernetes api objects to mix into the output.
-	Resources map[string]any
-	// ArgoConfig represents the ArgoCD GitOps configuration for this Component.
-	ArgoConfig ArgoConfig
-	// BuildPlan represents the derived BuildPlan for the Holos cli to render.
-	BuildPlan core.BuildPlan
-}
-
-// Helm provides a BuildPlan via the Output field which contains one HelmChart
-// from package core.  Useful as a convenience wrapper to render a HelmChart
-// with optional mix-in resources and Kustomization post-processing.
-type Helm struct {
-	ComponentFields `json:",inline"`
-
-	// Version represents the chart version.
-	Version string
-	// Namespace represents the helm namespace option when rendering the chart.
-	Namespace string
-
-	// Repo represents the chart repository
-	Repo struct {
-		Name string `json:"name"`
-		URL  string `json:"url"`
-	}
-
-	// Values represents data to marshal into a values.yaml for helm.
-	Values interface{} `cue:"{...}"`
-
-	// Chart represents the derived HelmChart for inclusion in the BuildPlan
-	// Output field value.  The default HelmChart field values are derived from
-	// other Helm field values and should be sufficient for most use cases.
-	Chart core.HelmChart
-
-	// EnableKustomizePostProcessor processes helm output with kustomize if true.
-	EnableKustomizePostProcessor bool `cue:"true | *false"`
-
-	// KustomizeFiles represents additional files to include in a Kustomization
-	// resources list.  Useful to patch helm output.  The implementation is a
-	// struct with filename keys and structs as values.  Holos encodes the struct
-	// value to yaml then writes the result to the filename key.  Component
-	// authors may then reference the filename in the kustomization.yaml resources
-	// or patches lists.
-	// Requires EnableKustomizePostProcessor: true.
-	KustomizeFiles map[string]any `cue:"{[string]: {...}}"`
-
-	// KustomizePatches represents patches to apply to the helm output.  Requires
-	// EnableKustomizePostProcessor: true.
-	KustomizePatches map[core.InternalLabel]any `cue:"{[string]: {...}}"`
-
-	// KustomizeResources represents additional resources files to include in the
-	// kustomize resources list.
-	KustomizeResources map[string]any `cue:"{[string]: {...}}"`
-}
-
-// Kustomize provides a BuildPlan via the Output field which contains one
-// KustomizeBuild from package core.
-type Kustomize struct {
-	ComponentFields `json:",inline"`
-	// Kustomization represents the kustomize build plan for holos to render.
-	Kustomization core.KustomizeBuild
-}
-
-// Kubernetes provides a BuildPlan via the Output field which contains inline
-// API Objects provided directly from CUE.
-type Kubernetes struct {
-	ComponentFields `json:",inline"`
-	// Objects represents the kubernetes api objects for the Component.
-	Objects core.KubernetesObjects
-}
-
-// ArgoConfig represents the ArgoCD GitOps configuration for a Component.
-// Useful to define once at the root of the Platform configuration and reuse
-// across all Components.
-type ArgoConfig struct {
-	// Enabled causes holos to render an ArgoCD Application resource for GitOps if true.
-	Enabled bool `cue:"true | *false"`
-	// ClusterName represents the cluster within the platform the Application
-	// resource is intended for.
-	ClusterName string
-	// DeployRoot represents the path from the git repository root to the `deploy`
-	// rendering output directory.  Used as a prefix for the
-	// Application.spec.source.path field.
-	DeployRoot string `cue:"string | *\".\""`
-	// RepoURL represents the value passed to the Application.spec.source.repoURL
-	// field.
-	RepoURL string
-	// TargetRevision represents the value passed to the
-	// Application.spec.source.targetRevision field.  Defaults to the branch named
-	// main.
-	TargetRevision string `cue:"string | *\"main\""`
-	// AppProject represents the ArgoCD Project to associate the Application with.
-	AppProject string `cue:"string | *\"default\""`
-}
-
-// Cluster represents a cluster managed by the Platform.
-type Cluster struct {
-	// Name represents the cluster name, for example "east1", "west1", or
-	// "management".
-	Name string `json:"name"`
-	// Primary represents if the cluster is marked as the primary among a set of
-	// candidate clusters.  Useful for promotion of database leaders.
-	Primary bool `json:"primary" cue:"true | *false"`
-}
-
-// Fleet represents a named collection of similarly configured Clusters.  Useful
-// to segregate workload clusters from their management cluster.
-type Fleet struct {
-	Name string `json:"name"`
-	// Clusters represents a mapping of Clusters by their name.
-	Clusters map[string]Cluster `json:"clusters" cue:"{[Name=_]: name: Name}"`
-}
-
-// StandardFleets represents the standard set of Clusters in a Platform
-// segmented into Fleets by their purpose.  The management Fleet contains a
-// single Cluster, for example a GKE autopilot cluster with no workloads
-// deployed for reliability and cost efficiency.  The workload Fleet contains
-// all other Clusters which contain workloads and sync Secrets from the
-// management cluster.
-type StandardFleets struct {
-	// Workload represents a Fleet of zero or more workload Clusters.
-	Workload Fleet `json:"workload" cue:"{name: \"workload\"}"`
-	// Management represents a Fleet with one Cluster named management.
-	Management Fleet `json:"management" cue:"{name: \"management\"}"`
-}
-
-// Platform is a convenience structure to produce a core Platform specification
-// value in the Output field.  Useful to collect components at the root of the
-// Platform configuration tree as a struct, which are automatically converted
-// into a list for the core Platform spec output.
-type Platform struct {
-	// Name represents the Platform name.
-	Name string `cue:"string | *\"holos\""`
-	// Components is a structured map of components to manage by their name.
-	Components map[string]core.PlatformSpecComponent
-	// Model represents the Platform model holos gets from from the
-	// PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-	Model structpb.Struct `cue:"{...}"`
-	// Output represents the core Platform spec for the holos cli to iterate over
-	// and render each listed Component, injecting the Model.
-	Output core.Platform
-	// Domain represents the primary domain the Platform operates in.  This field
-	// is intended as a sensible default for component authors to reference and
-	// platform operators to define.
-	Domain string `cue:"string | *\"holos.localhost\""`
-}
-
-// Organization represents organizational metadata useful across the platform.
-type Organization struct {
-	Name        string
-	DisplayName string
-	Domain      string
-}
-
-// OrganizationStrict represents organizational metadata useful across the
-// platform.  This is an example of using CUE regular expressions to constrain
-// and validate configuration.
-type OrganizationStrict struct {
-	Organization `json:",inline"`
-	// Name represents the organization name as a resource name.  Must be 63
-	// characters or less.  Must start with a letter.  May contain non-repeating
-	// hyphens, letters, and numbers.  Must end with a letter or number.
-	Name string `cue:"=~ \"^[a-z][0-9a-z-]{1,61}[0-9a-z]$\" & !~ \"--\""`
-	// DisplayName represents the human readable organization name.
-	DisplayName string `cue:"=~ \"^[0-9A-Za-z][0-9A-Za-z ]{2,61}[0-9A-Za-z]$\" & !~ \"  \""`
-}
-
-// Projects represents projects managed by the platform team for use by other
-// teams using the platform.
-type Projects map[core.NameLabel]Project
-
-// Project represents logical grouping of components owned by one or more teams.
-// Useful for the platform team to manage resources for project teams to use.
-type Project struct {
-	// Name represents project name.
-	Name string
-	// Owner represents the team who own this project.
-	Owner Owner
-	// Namespaces represents the namespaces assigned to this project.
-	Namespaces map[core.NameLabel]Namespace
-	// Hostnames represents the host names to expose for this project.
-	Hostnames map[core.NameLabel]Hostname
-}
-
-// Owner represents the owner of a resource.  For example, the name and email
-// address of an engineering team.
-type Owner struct {
-	Name  string
-	Email string
-}
-
-// Namespace represents a Kubernetes namespace.
-type Namespace struct {
-	Name string
-}
-
-// Hostname represents the left most dns label of a domain name.
-type Hostname struct {
-	// Name represents the subdomain to expose, e.g. "www"
-	Name string
-	// Namespace represents the namespace metadata.name field of backend object
-	// reference.
-	Namespace string
-	// Service represents the Service metadata.name field of backend object
-	// reference.
-	Service string
-	// Port represents the Service port of the backend object reference.
-	Port int
-}
--- a/api/author/v1alpha3/header.yaml
+++ b/api/author/v1alpha3/header.yaml
@@ -1,4 +0,0 @@
---
-description: Simplified abstraction to generate core v1alpha3 components.
-sidebar_position: 997
---
--- a/api/author/v1alpha4/definitions.go
+++ b/api/author/v1alpha4/definitions.go
@@ -1,290 +0,0 @@
-// # Author API
-//
-// Package v1alpha4 contains ergonomic CUE definitions for Holos component
-// authors.  These definitions serve as adapters to produce [Core API] resources
-// for the holos command line tool.
-//
-// [Core API]: https://holos.run/docs/api/core/v1alpha4/
-package v1alpha4
-
-import core "github.com/holos-run/holos/api/core/v1alpha4"
-
-//go:generate ../../../hack/gendoc
-
-// Platform assembles a Core API [Platform] in the Resource field for the holos
-// render platform command.  Use the Components field to register components
-// with the platform using a struct.  This struct is converted into a list for
-// final output to holos.
-//
-// See related:
-//
-//   - [Component] collection of components composing the platform.
-//   - [Platform] resource assembled for holos to process.
-//
-// [Platform]: https://holos.run/docs/api/core/v1alpha4/#Platform
-// [Component]: https://holos.run/docs/api/core/v1alpha4/#Component
-type Platform struct {
-	Name       string
-	Components map[NameLabel]core.Component
-	Resource   core.Platform
-}
-
-// Cluster represents a cluster managed by the Platform.
-type Cluster struct {
-	// Name represents the cluster name, for example "east1", "west1", or
-	// "management".
-	Name string `json:"name"`
-	// Primary represents if the cluster is marked as the primary among a set of
-	// candidate clusters.  Useful for promotion of database leaders.
-	Primary bool `json:"primary" cue:"true | *false"`
-}
-
-// Fleet represents a named collection of similarly configured Clusters.  Useful
-// to segregate workload clusters from their management cluster.
-type Fleet struct {
-	Name string `json:"name"`
-	// Clusters represents a mapping of Clusters by their name.
-	Clusters map[string]Cluster `json:"clusters" cue:"{[Name=_]: name: Name}"`
-}
-
-// StandardFleets represents the standard set of Clusters in a Platform
-// segmented into Fleets by their purpose.  The management Fleet contains a
-// single Cluster, for example a GKE autopilot cluster with no workloads
-// deployed for reliability and cost efficiency.  The workload Fleet contains
-// all other Clusters which contain workloads and sync Secrets from the
-// management cluster.
-type StandardFleets struct {
-	// Workload represents a Fleet of zero or more workload Clusters.
-	Workload Fleet `json:"workload" cue:"{name: \"workload\"}"`
-	// Management represents a Fleet with one Cluster named management.
-	Management Fleet `json:"management" cue:"{name: \"management\"}"`
-}
-
-// ArgoConfig represents the ArgoCD GitOps configuration associated with a
-// [BuildPlan].  Useful to define once at the root of the Platform configuration
-// and reuse across all components.
-//
-// [BuildPlan]: https://holos.run/docs/api/core/v1alpha4/#buildplan
-type ArgoConfig struct {
-	// Enabled causes holos to render an Application resource when true.
-	Enabled bool `cue:"true | *false"`
-	// RepoURL represents the value passed to the Application.spec.source.repoURL
-	// field.
-	RepoURL string
-	// Root represents the path from the git repository root to the WriteTo output
-	// directory, the behavior of the holos render component --write-to flag and
-	// the Core API Component WriteTo field.  Used as a prefix for the
-	// Application.spec.source.path field.
-	Root string `cue:"string | *\"deploy\""`
-	// TargetRevision represents the value passed to the
-	// Application.spec.source.targetRevision field.  Defaults to the branch named
-	// main.
-	TargetRevision string `cue:"string | *\"main\""`
-	// AppProject represents the ArgoCD Project to associate the Application with.
-	AppProject string `cue:"string | *\"default\""`
-}
-
-// Organization represents organizational metadata useful across the platform.
-type Organization struct {
-	Name        string
-	DisplayName string
-	Domain      string
-}
-
-// OrganizationStrict represents organizational metadata useful across the
-// platform.  This is an example of using CUE regular expressions to constrain
-// and validate configuration.
-type OrganizationStrict struct {
-	Organization `json:",inline"`
-	// Name represents the organization name as a resource name.  Must be 63
-	// characters or less.  Must start with a letter.  May contain non-repeating
-	// hyphens, letters, and numbers.  Must end with a letter or number.
-	Name string `cue:"=~ \"^[a-z][0-9a-z-]{1,61}[0-9a-z]$\" & !~ \"--\""`
-	// DisplayName represents the human readable organization name.
-	DisplayName string `cue:"=~ \"^[0-9A-Za-z][0-9A-Za-z ]{2,61}[0-9A-Za-z]$\" & !~ \"  \""`
-}
-
-// Kubernetes provides a [BuildPlan] via the Output field which contains inline
-// API Objects provided directly from CUE in the Resources field of
-// [ComponentConfig].
-//
-// See related:
-//
-//   - [ComponentConfig]
-//   - [BuildPlan]
-//
-// [BuildPlan]: https://holos.run/docs/api/core/v1alpha4/#BuildPlan
-type Kubernetes struct {
-	ComponentConfig `json:",inline"`
-
-	// BuildPlan represents the derived BuildPlan produced for the holos render
-	// component command.
-	BuildPlan core.BuildPlan
-}
-
-// Helm provides a [BuildPlan] via the Output field which generates manifests
-// from a helm chart with optional mix-in resources provided directly from CUE
-// in the Resources field.
-//
-// This definition is a convenient way to produce a [BuildPlan] composed of
-// three [Resources] generators with one [Kustomize] transformer.
-//
-// See related:
-//
-//   - [ComponentConfig]
-//   - [Chart]
-//   - [Values]
-//   - [BuildPlan]
-//
-// [BuildPlan]: https://holos.run/docs/api/core/v1alpha4/#BuildPlan
-// [Chart]: https://holos.run/docs/api/core/v1alpha4/#Chart
-// [Values]: https://holos.run/docs/api/core/v1alpha4/#Values
-type Helm struct {
-	ComponentConfig `json:",inline"`
-
-	// Chart represents a Helm chart.
-	Chart core.Chart
-	// Values represents data to marshal into a values.yaml for helm.
-	Values core.Values
-	// EnableHooks enables helm hooks when executing the `helm template` command.
-	EnableHooks bool
-
-	// BuildPlan represents the derived BuildPlan produced for the holos render
-	// component command.
-	BuildPlan core.BuildPlan
-}
-
-// Kustomize provides a [BuildPlan] via the Output field which generates
-// manifests from a kustomize kustomization with optional mix-in resources
-// provided directly from CUE in the Resources field.
-//
-// See related:
-//
-//   - [ComponentConfig]
-//   - [BuildPlan]
-//
-// [BuildPlan]: https://holos.run/docs/api/core/v1alpha4/#buildplan
-type Kustomize struct {
-	ComponentConfig `json:",inline"`
-
-	// BuildPlan represents the derived BuildPlan produced for the holos render
-	// component command.
-	BuildPlan core.BuildPlan
-}
-
-// ComponentConfig represents the configuration common to all kinds of
-// component.
-//
-//   - [Helm] charts.
-//   - [Kubernetes] resources generated from CUE.
-//   - [Kustomize] bases.
-//
-// See the following resources for additional details:
-//
-//   - [Resources]
-//   - [ArgoConfig]
-//   - [KustomizeConfig]
-//   - [BuildPlan]
-//
-// [BuildPlan]: https://holos.run/docs/api/core/v1alpha4/#BuildPlan
-// [Resources]: https://holos.run/docs/api/core/v1alpha4/#Resources
-type ComponentConfig struct {
-	// Name represents the BuildPlan metadata.name field.  Used to construct the
-	// fully rendered manifest file path.
-	Name string
-	// Component represents the path to the component producing the BuildPlan.
-	Component string
-	// Cluster represents the name of the cluster this BuildPlan is for.
-	Cluster string
-	// Resources represents kubernetes resources mixed into the rendered manifest.
-	Resources core.Resources
-	// ArgoConfig represents the ArgoCD GitOps configuration for this BuildPlan.
-	ArgoConfig ArgoConfig
-	// CommonLabels represents common labels to manage on all rendered manifests.
-	CommonLabels map[string]string
-	// Namespace manages the metadata.namespace field on all resources except the
-	// ArgoCD Application.
-	Namespace string `json:",omitempty"`
-
-	// KustomizeConfig represents the configuration for kustomize.
-	KustomizeConfig KustomizeConfig
-}
-
-// KustomizeConfig represents the configuration for kustomize post processing.
-// The Files field is used to mixing in static manifest files from the component
-// directory.  The Resources field is used for mixing in manifests from network
-// locations urls.
-//
-// See related:
-//
-//   - [ComponentConfig]
-//   - [Kustomization]
-//
-// [Kustomization]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
-type KustomizeConfig struct {
-	// Kustomization represents the kustomization used to transform resources.
-	// Note the resources field is internally managed from the Files and Resources fields.
-	Kustomization map[string]any `json:",omitempty"`
-	// Files represents files to copy from the component directory for kustomization.
-	Files map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
-	// Resources represents additional entries to included in the resources list.
-	Resources map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
-}
-
-// Projects represents projects managed by the platform team for use by other
-// teams using the platform.
-type Projects map[NameLabel]Project
-
-// Project represents logical grouping of components owned by one or more teams.
-// Useful for the platform team to manage resources for project teams to use.
-type Project struct {
-	// Name represents project name.
-	Name string
-	// Owner represents the team who own this project.
-	Owner Owner
-	// Namespaces represents the namespaces assigned to this project.
-	Namespaces map[NameLabel]Namespace
-	// Hostnames represents the host names to expose for this project.
-	Hostnames map[NameLabel]Hostname
-	// CommonLabels represents common labels to manage on all rendered manifests.
-	CommonLabels map[string]string
-}
-
-// Owner represents the owner of a resource.  For example, the name and email
-// address of an engineering team.
-type Owner struct {
-	Name  string
-	Email string
-}
-
-// Namespace represents a Kubernetes namespace.
-type Namespace struct {
-	Name string
-}
-
-// Hostname represents the left most dns label of a domain name.
-type Hostname struct {
-	// Name represents the subdomain to expose, e.g. "www"
-	Name string
-	// Namespace represents the namespace metadata.name field of backend object
-	// reference.
-	Namespace string
-	// Service represents the Service metadata.name field of backend object
-	// reference.
-	Service string
-	// Port represents the Service port of the backend object reference.
-	Port int
-}
-
-// NameLabel signals the common use case of converting a struct to a list where
-// the name field of each value unifies with the field name of the outer struct.
-//
-// For example:
-//
-//	S: [NameLabel=string]: name: NameLabel
-//	S: jeff: _
-//	S: gary: _
-//	S: nate: _
-//	L: [for x in S {x}]
-//	// L is [{name: "jeff"}, {name: "gary"}, {name: "nate"}]
-type NameLabel string
--- a/api/author/v1alpha4/header.yaml
+++ b/api/author/v1alpha4/header.yaml
@@ -1,4 +0,0 @@
---
-description: Simplified abstraction to generate core v1alpha4 build plans.
-sidebar_position: 996
---
--- a/api/author/v1alpha5/definitions.go
+++ b/api/author/v1alpha5/definitions.go
@@ -84,6 +84,9 @@ type Helm struct {
 	Chart core.Chart
 	// Values represents data to marshal into a values.yaml for helm.
 	Values core.Values
+	// ValueFiles represents value files for migration from helm value
+	// hierarchies.  Use Values instead.
+	ValueFiles []core.ValueFile `json:",omitempty"`
 	// EnableHooks enables helm hooks when executing the `helm template` command.
 	EnableHooks bool `cue:"true | *false"`
 	// Namespace sets the helm chart namespace flag if provided.
--- a/api/author/v1alpha6/definitions.go
+++ b/api/author/v1alpha6/definitions.go
@@ -0,0 +1,155 @@
+// Package author contains a standard set of schemas for component authors to
+// generate common [core] BuildPlans.
+//
+// Holos values stability, flexibility, and composition.  This package
+// intentionally defines only the minimal necessary set of structures.
+// Component authors are encouraged to define their own structures building on
+// our example [topics].
+//
+// The Holos Maintainers may add definitions to this package if the community
+// identifies nearly all users must define the exact same structure.  Otherwise,
+// definitions should be added as a customizable example in [topics].
+//
+// For example, structures representing a cluster and environment almost always
+// need to be defined.  Their definition varies from one organization to the
+// next.  Therefore, customizable definitions for a cluster and environment are
+// best maintained in [topics], not standardized in this package.
+//
+// [core]: https://holos.run/docs/api/core/
+// [topics]: https://holos.run/docs/topics/
+package author
+
+import core "github.com/holos-run/holos/api/core/v1alpha6"
+
+//go:generate ../../../hack/gendoc
+
+// Platform assembles a core Platform in the Resource field for the holos render
+// platform command.  Use the Components field to register components with the
+// platform.
+type Platform struct {
+	Name       string                       `json:"name" yaml:"name" cue:"string | *\"default\""`
+	Components map[NameLabel]core.Component `json:"components" yaml:"components"`
+	Resource   core.Platform                `json:"resource" yaml:"resource"`
+}
+
+// ComponentConfig represents the configuration common to all kinds of
+// components for use with the holos render component command.  All component
+// kinds may be transformed with [kustomize] configured with the
+// [KustomizeConfig] field.
+//
+//   - [Helm] charts.
+//   - [Kubernetes] resources generated from CUE.
+//   - [Kustomize] bases.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type ComponentConfig struct {
+	// Name represents the BuildPlan metadata.name field.  Used to construct the
+	// fully rendered manifest file path.
+	Name string
+	// Labels represent the BuildPlan metadata.labels field.
+	Labels map[string]string
+	// Annotations represent the BuildPlan metadata.annotations field.
+	Annotations map[string]string
+
+	// Path represents the path to the component producing the BuildPlan.
+	Path string
+	// Parameters are useful to reuse a component with various parameters.
+	// Injected as CUE @tag variables.  Parameters with a "holos_" prefix are
+	// reserved for use by the Holos Authors.
+	Parameters map[string]string
+	// OutputBaseDir represents the output base directory used when assembling
+	// artifacts.  Useful to organize components by clusters or other parameters.
+	// For example, holos writes resource manifests to
+	// {WriteTo}/{OutputBaseDir}/components/{Name}/{Name}.gen.yaml
+	OutputBaseDir string `cue:"string | *\"\""`
+
+	// Resources represents kubernetes resources mixed into the rendered manifest.
+	Resources core.Resources
+	// KustomizeConfig represents the kustomize configuration.
+	KustomizeConfig KustomizeConfig
+	// Validators represent checks that must pass for output to be written.
+	Validators map[NameLabel]core.Validator
+	// Artifacts represents additional artifacts to mix in.  Useful for adding
+	// GitOps resources.  Each Artifact is unified without modification into the
+	// BuildPlan.
+	Artifacts map[NameLabel]core.Artifact
+}
+
+// Helm assembles a BuildPlan rendering a helm chart.  Useful to mix in
+// additional resources from CUE and transform the helm output with kustomize.
+type Helm struct {
+	ComponentConfig `json:",inline"`
+
+	// Chart represents a Helm chart.
+	Chart core.Chart
+	// Values represents data to marshal into a values.yaml for helm.
+	Values core.Values
+	// ValueFiles represents value files for migration from helm value
+	// hierarchies.  Use Values instead.
+	ValueFiles []core.ValueFile `json:",omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `cue:"true | *false"`
+	// Namespace sets the helm chart namespace flag if provided.
+	Namespace string `json:",omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:",omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:",omitempty"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kubernetes assembles a BuildPlan containing inline resources exported from
+// CUE.
+type Kubernetes struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kustomize assembles a BuildPlan rendering manifests from a [kustomize]
+// kustomization.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type Kustomize struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// KustomizeConfig represents the configuration for [kustomize] post processing.
+// Use the Files field to mix in plain manifest files located in the component
+// directory.  Use the Resources field to mix in manifests from network urls.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type KustomizeConfig struct {
+	// Kustomization represents the kustomization used to transform resources.
+	// Note the resources field is internally managed from the Files and Resources fields.
+	Kustomization map[string]any `json:",omitempty"`
+	// Files represents files to copy from the component directory for kustomization.
+	Files map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// Resources represents additional entries to included in the resources list.
+	Resources map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// CommonLabels represents common labels added without including selectors.
+	CommonLabels map[string]string
+}
+
+// NameLabel represents the common use case of converting a struct to a list
+// where the name field of each value unifies with the field name of the outer
+// struct.
+//
+// For example:
+//
+//	S: [NameLabel=string]: name: NameLabel
+//	S: jeff: _
+//	S: gary: _
+//	S: nate: _
+//	L: [for x in S {x}]
+//	// L is [{name: "jeff"}, {name: "gary"}, {name: "nate"}]
+type NameLabel string
--- a/api/author/v1alpha6/header.yaml
+++ b/api/author/v1alpha6/header.yaml
@@ -0,0 +1,5 @@
+---
+title: Author Schemas
+description: Standardized schemas for component authors.
+sidebar_position: 200
+---
--- a/api/core/v1alpha2/apiobjects.go
+++ b/api/core/v1alpha2/apiobjects.go
@@ -1,44 +0,0 @@
-package v1alpha2
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-// Label is an arbitrary unique identifier internal to holos itself.  The holos
-// cli is expected to never write a Label value to rendered output files,
-// therefore use a [Label] then the identifier must be unique and internal.
-// Defined as a type for clarity and type checking.
-//
-// A Label is useful to convert a CUE struct to a list, for example producing a list of [APIObject] resources from an [APIObjectMap].  A CUE struct using
-// Label keys is guaranteed to not lose data when rendering output because a
-// Label is expected to never be written to the final output.
-type Label string
-
-// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
-type Kind string
-
-// APIObject represents the most basic generic form of a single kubernetes api
-// object.  Represented as a JSON object internally for compatibility between
-// tools, for example loading from CUE.
-type APIObject structpb.Struct
-
-// APIObjectMap represents the marshalled yaml representation of kubernetes api
-// objects.  Do not produce an APIObjectMap directly, instead use [APIObjects]
-// to produce the marshalled yaml representation from CUE data, then provide the
-// result to [HolosComponent].
-type APIObjectMap map[Kind]map[Label]string
-
-// APIObjects represents Kubernetes API objects defined directly from CUE code.
-// Useful to mix in resources to any kind of [HolosComponent], for example
-// adding an ExternalSecret resource to a [HelmChart].
-//
-// [Kind] must be the resource kind, e.g. Deployment or Service.
-//
-// [Label] is an arbitrary internal identifier to uniquely identify the resource
-// within the context of a `holos` command.  Holos will never write the
-// intermediate label to rendered output.
-//
-// Refer to [HolosComponent] which accepts an [APIObjectMap] field provided by
-// [APIObjects].
-type APIObjects struct {
-	APIObjects   map[Kind]map[Label]APIObject `json:"apiObjects"`
-	APIObjectMap APIObjectMap                 `json:"apiObjectMap"`
-}
--- a/api/core/v1alpha2/buildplan.go
+++ b/api/core/v1alpha2/buildplan.go
@@ -1,96 +0,0 @@
-package v1alpha2
-
-// FilePath represents a file path.
-type FilePath string
-
-// FileContent represents file contents.
-type FileContent string
-
-// FileContentMap represents a mapping of file paths to file contents.  Paths
-// are relative to the `holos` output "deploy" directory, and may contain
-// sub-directories.
-type FileContentMap map[FilePath]FileContent
-
-// BuildPlan represents a build plan for the holos cli to execute.  The purpose
-// of a BuildPlan is to define one or more [HolosComponent] kinds.  For example a
-// [HelmChart], [KustomizeBuild], or [KubernetesObjects].
-//
-// A BuildPlan usually has an additional empty [KubernetesObjects] for the
-// purpose of using the [HolosComponent] DeployFiles field to deploy an ArgoCD
-// or Flux gitops resource for the holos component.
-type BuildPlan struct {
-	Kind       string        `json:"kind" cue:"\"BuildPlan\""`
-	APIVersion string        `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-	Spec       BuildPlanSpec `json:"spec"`
-}
-
-// BuildPlanSpec represents the specification of the build plan.
-type BuildPlanSpec struct {
-	// Disabled causes the holos cli to take no action over the [BuildPlan].
-	Disabled bool `json:"disabled,omitempty"`
-	// Components represents multiple [HolosComponent] kinds to manage.
-	Components BuildPlanComponents `json:"components,omitempty"`
-}
-
-type BuildPlanComponents struct {
-	Resources             map[Label]KubernetesObjects `json:"resources,omitempty"`
-	KubernetesObjectsList []KubernetesObjects         `json:"kubernetesObjectsList,omitempty"`
-	HelmChartList         []HelmChart                 `json:"helmChartList,omitempty"`
-	KustomizeBuildList    []KustomizeBuild            `json:"kustomizeBuildList,omitempty"`
-}
-
-// HolosComponent defines the fields common to all holos component kinds.  Every
-// holos component kind should embed HolosComponent.
-type HolosComponent struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind"`
-	// APIVersion represents the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-	// Metadata represents data about the holos component such as the Name.
-	Metadata Metadata `json:"metadata"`
-
-	// APIObjectMap holds the marshalled representation of api objects.  Useful to
-	// mix in resources to each HolosComponent type, for example adding an
-	// ExternalSecret to a HelmChart HolosComponent.  Refer to [APIObjects].
-	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty"`
-
-	// DeployFiles represents file paths relative to the cluster deploy directory
-	// with the value representing the file content.  Intended for defining the
-	// ArgoCD Application resource or Flux Kustomization resource from within CUE,
-	// but may be used to render any file related to the build plan from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty"`
-
-	// Kustomize represents a kubectl kustomize build post-processing step.
-	Kustomize `json:"kustomize,omitempty"`
-
-	// Skip causes holos to take no action regarding this component.
-	Skip bool `json:"skip" cue:"bool | *false"`
-}
-
-// Metadata represents data about the holos component such as the Name.
-type Metadata struct {
-	// Name represents the name of the holos component.
-	Name string `json:"name"`
-	// Namespace is the primary namespace of the holos component.  A holos
-	// component may manage resources in multiple namespaces, in this case
-	// consider setting the component namespace to default.
-	//
-	// This field is optional because not all resources require a namespace,
-	// particularly CRD's and DeployFiles functionality.
-	// +optional
-	Namespace string `json:"namespace,omitempty"`
-}
-
-// Kustomize represents resources necessary to execute a kustomize build.
-// Intended for at least two use cases:
-//
-//  1. Process a [KustomizeBuild] [HolosComponent] which represents raw yaml
-//     file resources in a holos component directory.
-//  2. Post process a [HelmChart] [HolosComponent] to inject istio, patch jobs,
-//     add custom labels, etc...
-type Kustomize struct {
-	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
-	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty"`
-	// ResourcesFile is the file name used for api objects in kustomization.yaml
-	ResourcesFile string `json:"resourcesFile,omitempty"`
-}
--- a/api/core/v1alpha2/constants.go
+++ b/api/core/v1alpha2/constants.go
@@ -1,11 +0,0 @@
-package v1alpha2
-
-const (
-	APIVersion    = "v1alpha2"
-	BuildPlanKind = "BuildPlan"
-	HelmChartKind = "HelmChart"
-	// ChartDir is the directory name created in the holos component directory to cache a chart.
-	ChartDir = "vendor"
-	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
-	ResourcesFile = "resources.yaml"
-)
--- a/api/core/v1alpha2/core.go
+++ b/api/core/v1alpha2/core.go
@@ -1,44 +0,0 @@
-package v1alpha2
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-type PlatformMetadata struct {
-	// Name represents the Platform name.
-	Name string `json:"name"`
-}
-
-// Platform represents a platform to manage.  A Platform resource informs holos
-// which components to build.  The platform resource also acts as a container
-// for the platform model form values provided by the PlatformService.  The
-// primary use case is to collect the cluster names, cluster types, platform
-// model, and holos components to build into one resource.
-type Platform struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind" cue:"\"Platform\""`
-	// APIVersion represents the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-	// Metadata represents data about the object such as the Name.
-	Metadata PlatformMetadata `json:"metadata"`
-
-	// Spec represents the specification.
-	Spec PlatformSpec `json:"spec"`
-}
-
-// PlatformSpec represents the specification of a Platform.  Think of a platform
-// specification as a list of platform components to apply to a list of
-// kubernetes clusters combined with the user-specified Platform Model.
-type PlatformSpec struct {
-	// Model represents the platform model holos gets from from the
-	// PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-	Model structpb.Struct `json:"model"`
-	// Components represents a list of holos components to manage.
-	Components []PlatformSpecComponent `json:"components"`
-}
-
-// PlatformSpecComponent represents a holos component to build or render.
-type PlatformSpecComponent struct {
-	// Path is the path of the component relative to the platform root.
-	Path string `json:"path"`
-	// Cluster is the cluster name to provide when rendering the component.
-	Cluster string `json:"cluster"`
-}
--- a/api/core/v1alpha2/doc.go
+++ b/api/core/v1alpha2/doc.go
@@ -1,26 +0,0 @@
-// Package v1alpha2 contains the core API contract between the holos cli and CUE
-// configuration code.  Platform designers, operators, and software developers
-// use this API to write configuration in CUE which `holos` loads.  The overall
-// shape of the API defines imperative actions `holos` should carry out to
-// render the complete yaml that represents a Platform.
-//
-// [Platform] defines the complete configuration of a platform.  With the holos
-// reference platform this takes the shape of one management cluster and at
-// least two workload cluster.  Each cluster has multiple [HolosComponent]
-// resources applied to it.
-//
-// Each holos component path, e.g. `components/namespaces` produces exactly one
-// [BuildPlan] which in turn contains a set of [HolosComponent] kinds.
-//
-// The primary kinds of [HolosComponent] are:
-//
-//  1. [HelmChart] to render config from a helm chart.
-//  2. [KustomizeBuild] to render config from [Kustomize]
-//  3. [KubernetesObjects] to render [APIObjects] defined directly in CUE
-//     configuration.
-//
-// Note that Holos operates as a data pipeline, so the output of a [HelmChart]
-// may be provided to [Kustomize] for post-processing.
-package v1alpha2
-
-//go:generate ../../../hack/gendoc
--- a/api/core/v1alpha2/header.yaml
+++ b/api/core/v1alpha2/header.yaml
@@ -1,4 +0,0 @@
---
-description: Core v1alpha4 schema for advanced use cases.
-sidebar_position: 998
---
--- a/api/core/v1alpha2/helm.go
+++ b/api/core/v1alpha2/helm.go
@@ -1,38 +0,0 @@
-package v1alpha2
-
-// HelmChart represents a holos component which wraps around an upstream helm
-// chart.  Holos orchestrates helm by providing values obtained from CUE,
-// renders the output using `helm template`, then post-processes the helm output
-// yaml using the general functionality provided by [HolosComponent], for
-// example [Kustomize] post-rendering and mixing in additional kubernetes api
-// objects.
-type HelmChart struct {
-	HolosComponent `json:",inline"`
-	Kind           string `json:"kind" cue:"\"HelmChart\""`
-
-	// Chart represents a helm chart to manage.
-	Chart Chart `json:"chart"`
-	// ValuesContent represents the values.yaml file holos passes to the `helm
-	// template` command.
-	ValuesContent string `json:"valuesContent"`
-	// EnableHooks enables helm hooks when executing the `helm template` command.
-	EnableHooks bool `json:"enableHooks" cue:"bool | *false"`
-}
-
-// Chart represents a helm chart.
-type Chart struct {
-	// Name represents the chart name.
-	Name string `json:"name"`
-	// Version represents the chart version.
-	Version string `json:"version"`
-	// Release represents the chart release when executing helm template.
-	Release string `json:"release"`
-	// Repository represents the repository to fetch the chart from.
-	Repository Repository `json:"repository,omitempty"`
-}
-
-// Repository represents a helm chart repository.
-type Repository struct {
-	Name string `json:"name"`
-	URL  string `json:"url"`
-}
--- a/api/core/v1alpha2/kubernetesobjects.go
+++ b/api/core/v1alpha2/kubernetesobjects.go
@@ -1,10 +0,0 @@
-package v1alpha2
-
-const KubernetesObjectsKind = "KubernetesObjects"
-
-// KubernetesObjects represents a [HolosComponent] composed of Kubernetes API
-// objects provided directly from CUE using [APIObjects].
-type KubernetesObjects struct {
-	HolosComponent `json:",inline"`
-	Kind           string `json:"kind" cue:"\"KubernetesObjects\""`
-}
--- a/api/core/v1alpha2/kustomizebuild.go
+++ b/api/core/v1alpha2/kustomizebuild.go
@@ -1,8 +0,0 @@
-package v1alpha2
-
-// KustomizeBuild represents a [HolosComponent] that renders plain yaml files in
-// the holos component directory using `kubectl kustomize build`.
-type KustomizeBuild struct {
-	HolosComponent `json:",inline"`
-	Kind           string `json:"kind" cue:"\"KustomizeBuild\""`
-}
--- a/api/core/v1alpha3/apiobjects.go
+++ b/api/core/v1alpha3/apiobjects.go
@@ -1,53 +0,0 @@
-package v1alpha3
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-// InternalLabel is an arbitrary unique identifier internal to holos itself.
-// The holos cli is expected to never write a InternalLabel value to rendered
-// output files, therefore use a [InternalLabel] when the identifier must be
-// unique and internal.  Defined as a type for clarity and type checking.
-//
-// A InternalLabel is useful to convert a CUE struct to a list, for example
-// producing a list of [APIObject] resources from an [APIObjectMap].  A CUE
-// struct using InternalLabel keys is guaranteed to not lose data when rendering
-// output because a InternalLabel is expected to never be written to the final
-// output.
-type InternalLabel string
-
-// NameLabel is a unique identifier useful to convert a CUE struct to a list
-// when the values have a Name field with a default value.  This type is
-// intended to indicate the common use case of converting a struct to a list
-// where the Name field of the value aligns with the struct field name.
-type NameLabel string
-
-// Kind is a kubernetes api object kind. Defined as a type for clarity and type
-// checking.
-type Kind string
-
-// APIObject represents the most basic generic form of a single kubernetes api
-// object.  Represented as a JSON object internally for compatibility between
-// tools, for example loading from CUE.
-type APIObject structpb.Struct
-
-// APIObjectMap represents the marshalled yaml representation of kubernetes api
-// objects.  Do not produce an APIObjectMap directly, instead use [APIObjects]
-// to produce the marshalled yaml representation from CUE data, then provide the
-// result to [Component].
-type APIObjectMap map[Kind]map[InternalLabel]string
-
-// APIObjects represents Kubernetes API objects defined directly from CUE code.
-// Useful to mix in resources to any kind of [Component], for example
-// adding an ExternalSecret resource to a [HelmChart].
-//
-// [Kind] must be the resource kind, e.g. Deployment or Service.
-//
-// [InternalLabel] is an arbitrary internal identifier to uniquely identify the resource
-// within the context of a `holos` command.  Holos will never write the
-// intermediate label to rendered output.
-//
-// Refer to [Component] which accepts an [APIObjectMap] field provided by
-// [APIObjects].
-type APIObjects struct {
-	APIObjects   map[Kind]map[InternalLabel]APIObject `json:"apiObjects"`
-	APIObjectMap APIObjectMap                         `json:"apiObjectMap"`
-}
--- a/api/core/v1alpha3/buildplan.go
+++ b/api/core/v1alpha3/buildplan.go
@@ -1,52 +0,0 @@
-package v1alpha3
-
-// FilePath represents a file path.
-type FilePath string
-
-// FileContent represents file contents.
-type FileContent string
-
-// FileContentMap represents a mapping of file paths to file contents.
-type FileContentMap map[FilePath]FileContent
-
-// BuildPlan represents a build plan for the holos cli to execute.  The purpose
-// of a BuildPlan is to define one or more [Component] kinds.  For example a
-// [HelmChart], [KustomizeBuild], or [KubernetesObjects].
-//
-// A BuildPlan usually has an additional empty [KubernetesObjects] for the
-// purpose of using the [Component] DeployFiles field to deploy an ArgoCD
-// or Flux gitops resource for the holos component.
-type BuildPlan struct {
-	Kind       string        `json:"kind" cue:"\"BuildPlan\""`
-	APIVersion string        `json:"apiVersion" cue:"string | *\"v1alpha3\""`
-	Spec       BuildPlanSpec `json:"spec"`
-}
-
-// BuildPlanSpec represents the specification of the build plan.
-type BuildPlanSpec struct {
-	// Disabled causes the holos cli to take no action over the [BuildPlan].
-	Disabled bool `json:"disabled,omitempty"`
-	// Components represents multiple [HolosComponent] kinds to manage.
-	Components BuildPlanComponents `json:"components,omitempty"`
-}
-
-type BuildPlanComponents struct {
-	Resources             map[InternalLabel]KubernetesObjects `json:"resources,omitempty"`
-	KubernetesObjectsList []KubernetesObjects                 `json:"kubernetesObjectsList,omitempty"`
-	HelmChartList         []HelmChart                         `json:"helmChartList,omitempty"`
-	KustomizeBuildList    []KustomizeBuild                    `json:"kustomizeBuildList,omitempty"`
-}
-
-// Kustomize represents resources necessary to execute a kustomize build.
-// Intended for at least two use cases:
-//
-//  1. Process a [KustomizeBuild] [Component] which represents raw yaml
-//     file resources in a holos component directory.
-//  2. Post process a [HelmChart] [Component] to inject istio, patch jobs,
-//     add custom labels, etc...
-type Kustomize struct {
-	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
-	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty"`
-	// ResourcesFile is the file name used for api objects in kustomization.yaml
-	ResourcesFile string `json:"resourcesFile,omitempty"`
-}
--- a/api/core/v1alpha3/component.go
+++ b/api/core/v1alpha3/component.go
@@ -1,43 +0,0 @@
-package v1alpha3
-
-// Component defines the fields common to all holos component kinds.  Every
-// holos component kind should embed Component.
-type Component struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind"`
-	// APIVersion represents the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"\"v1alpha3\""`
-	// Metadata represents data about the holos component such as the Name.
-	Metadata Metadata `json:"metadata"`
-
-	// APIObjectMap holds the marshalled representation of api objects.  Useful to
-	// mix in resources to each Component type, for example adding an
-	// ExternalSecret to a [HelmChart] Component.  Refer to [APIObjects].
-	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty"`
-
-	// DeployFiles represents file paths relative to the cluster deploy directory
-	// with the value representing the file content.  Intended for defining the
-	// ArgoCD Application resource or Flux Kustomization resource from within CUE,
-	// but may be used to render any file related to the build plan from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty"`
-
-	// Kustomize represents a kubectl kustomize build post-processing step.
-	Kustomize `json:"kustomize,omitempty"`
-
-	// Skip causes holos to take no action regarding this component.
-	Skip bool `json:"skip" cue:"bool | *false"`
-}
-
-// Metadata represents data about the object such as the Name.
-type Metadata struct {
-	// Name represents the name of the holos component.
-	Name string `json:"name"`
-	// Namespace is the primary namespace of the holos component.  A holos
-	// component may manage resources in multiple namespaces, in this case
-	// consider setting the component namespace to default.
-	//
-	// This field is optional because not all resources require a namespace,
-	// particularly CRDs and DeployFiles functionality.
-	// +optional
-	Namespace string `json:"namespace,omitempty"`
-}
--- a/api/core/v1alpha3/constants.go
+++ b/api/core/v1alpha3/constants.go
@@ -1,11 +0,0 @@
-package v1alpha3
-
-const (
-	APIVersion    = "v1alpha3"
-	BuildPlanKind = "BuildPlan"
-	HelmChartKind = "HelmChart"
-	// ChartDir is the directory name created in the holos component directory to cache a chart.
-	ChartDir = "vendor"
-	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
-	ResourcesFile = "resources.yaml"
-)
--- a/api/core/v1alpha3/doc.go
+++ b/api/core/v1alpha3/doc.go
@@ -1,26 +0,0 @@
-// Package v1alpha3 contains the core API contract between the holos cli and CUE
-// configuration code.  Platform designers, operators, and software developers
-// use this API to write configuration in CUE which `holos` loads.  The overall
-// shape of the API defines imperative actions `holos` should carry out to
-// render the complete yaml that represents a Platform.
-//
-// [Platform] defines the complete configuration of a platform.  With the holos
-// reference platform this takes the shape of one management cluster and at
-// least two workload cluster.  Each cluster has multiple [Component]
-// resources applied to it.
-//
-// Each holos component path, e.g. `components/namespaces` produces exactly one
-// [BuildPlan] which in turn contains a set of [Component] kinds.
-//
-// The primary kinds of [Component] are:
-//
-//  1. [HelmChart] to render config from a helm chart.
-//  2. [KustomizeBuild] to render config from [Kustomize]
-//  3. [KubernetesObjects] to render [APIObjects] defined directly in CUE
-//     configuration.
-//
-// Note that Holos operates as a data pipeline, so the output of a [HelmChart]
-// may be provided to [Kustomize] for post-processing.
-package v1alpha3
-
-//go:generate ../../../hack/gendoc
--- a/api/core/v1alpha3/header.yaml
+++ b/api/core/v1alpha3/header.yaml
@@ -1,4 +0,0 @@
---
-description: Core v1alpha3 schema for advanced use cases.
-sidebar_position: 997
---
--- a/api/core/v1alpha3/helm.go
+++ b/api/core/v1alpha3/helm.go
@@ -1,38 +0,0 @@
-package v1alpha3
-
-// HelmChart represents a holos component which wraps around an upstream helm
-// chart.  Holos orchestrates helm by providing values obtained from CUE,
-// renders the output using `helm template`, then post-processes the helm output
-// yaml using the general functionality provided by [Component], for
-// example [Kustomize] post-rendering and mixing in additional kubernetes api
-// objects.
-type HelmChart struct {
-	Component `json:",inline"`
-	Kind      string `json:"kind" cue:"\"HelmChart\""`
-
-	// Chart represents a helm chart to manage.
-	Chart Chart `json:"chart"`
-	// ValuesContent represents the values.yaml file holos passes to the `helm
-	// template` command.
-	ValuesContent string `json:"valuesContent"`
-	// EnableHooks enables helm hooks when executing the `helm template` command.
-	EnableHooks bool `json:"enableHooks" cue:"bool | *false"`
-}
-
-// Chart represents a helm chart.
-type Chart struct {
-	// Name represents the chart name.
-	Name string `json:"name"`
-	// Version represents the chart version.
-	Version string `json:"version"`
-	// Release represents the chart release when executing helm template.
-	Release string `json:"release"`
-	// Repository represents the repository to fetch the chart from.
-	Repository Repository `json:"repository,omitempty"`
-}
-
-// Repository represents a helm chart repository.
-type Repository struct {
-	Name string `json:"name"`
-	URL  string `json:"url"`
-}
--- a/api/core/v1alpha3/kubernetesobjects.go
+++ b/api/core/v1alpha3/kubernetesobjects.go
@@ -1,10 +0,0 @@
-package v1alpha3
-
-const KubernetesObjectsKind = "KubernetesObjects"
-
-// KubernetesObjects represents a [Component] composed of Kubernetes API
-// objects provided directly from CUE using [APIObjects].
-type KubernetesObjects struct {
-	Component `json:",inline"`
-	Kind      string `json:"kind" cue:"\"KubernetesObjects\""`
-}
--- a/api/core/v1alpha3/kustomizebuild.go
+++ b/api/core/v1alpha3/kustomizebuild.go
@@ -1,8 +0,0 @@
-package v1alpha3
-
-// KustomizeBuild represents a [Component] that renders plain yaml files in
-// the holos component directory using `kubectl kustomize build`.
-type KustomizeBuild struct {
-	Component `json:",inline"`
-	Kind      string `json:"kind" cue:"\"KustomizeBuild\""`
-}
--- a/api/core/v1alpha3/platform.go
+++ b/api/core/v1alpha3/platform.go
@@ -1,44 +0,0 @@
-package v1alpha3
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-// Platform represents a platform to manage.  A Platform resource informs holos
-// which components to build.  The platform resource also acts as a container
-// for the platform model form values provided by the PlatformService.  The
-// primary use case is to collect the cluster names, cluster types, platform
-// model, and holos components to build into one resource.
-type Platform struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind" cue:"\"Platform\""`
-	// APIVersion represents the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha3\""`
-	// Metadata represents data about the object such as the Name.
-	Metadata PlatformMetadata `json:"metadata"`
-
-	// Spec represents the specification.
-	Spec PlatformSpec `json:"spec"`
-}
-
-type PlatformMetadata struct {
-	// Name represents the Platform name.
-	Name string `json:"name"`
-}
-
-// PlatformSpec represents the specification of a Platform.  Think of a platform
-// specification as a list of platform components to apply to a list of
-// kubernetes clusters combined with the user-specified Platform Model.
-type PlatformSpec struct {
-	// Model represents the platform model holos gets from from the
-	// PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-	Model structpb.Struct `json:"model" cue:"{...}"`
-	// Components represents a list of holos components to manage.
-	Components []PlatformSpecComponent `json:"components"`
-}
-
-// PlatformSpecComponent represents a holos component to build or render.
-type PlatformSpecComponent struct {
-	// Path is the path of the component relative to the platform root.
-	Path string `json:"path"`
-	// Cluster is the cluster name to provide when rendering the component.
-	Cluster string `json:"cluster"`
-}
--- a/api/core/v1alpha4/header.yaml
+++ b/api/core/v1alpha4/header.yaml
@@ -1,4 +0,0 @@
---
-description: Core schema for holos to render a component BuildPlan.
-sidebar_position: 100
---
--- a/api/core/v1alpha4/types.go
+++ b/api/core/v1alpha4/types.go
@@ -1,402 +0,0 @@
-// # Core API
-//
-// Package v1alpha4 contains the core API contract between the holos cli and CUE
-// configuration code.  Platform designers, operators, and software developers
-// use this API to write configuration in CUE which holos loads.  The Core API
-// is declarative.  Each resource represents a desired state necessary for holos
-// to fully render Kubernetes manifests into plain files.
-//
-// The following resources provide important context for the Core API.  The
-// [Author API] is intended for component authors as a convenient adapter for
-// the Core API resources Holos expects.
-//
-//  1. [Technical Overview]
-//  2. [Quickstart]
-//  3. [Author API]
-//
-// # Platform
-//
-// [Platform] defines the complete configuration of a platform.  A platform
-// represents a [Component] collection.
-//
-// Inspect a Platform resource holos would process by executing:
-//
-//	cue export --out yaml ./platform
-//
-// # Component
-//
-// A [Component] is the combination of CUE code along one path relative to the
-// platform root directory plus data injected from the [PlatformSpec] via CUE tags.
-// The platform configuration root is the directory containing cue.mod.
-//
-// A [Component] always produces exactly one [BuildPlan].
-//
-// # BuildPlan
-//
-// A [BuildPlan] contains an [Artifact] collection.  A BuildPlan often produces
-// two artifacts, one containing the fully rendered Kubernetes API resources,
-// the other containing an additional resource to manage the former with GitOps.
-// For example, a BuildPlan for a podinfo component produces a manifest
-// containing a Deployment and a Service, along with a second manifest
-// containing an ArgoCD Application.
-//
-// Inspect a BuildPlan resource holos render component would process by executing:
-//
-//	cue export --out yaml ./projects/platform/components/namespaces
-//
-// # Artifact
-//
-// An [Artifact] is one fully rendered manifest file produced from the final
-// [Transformer] in a sequence of transformers.  An Artifact may also be
-// produced directly from a [Generator], but this use case is uncommon.
-//
-// # Transformer
-//
-// A [Transformer] takes multiple inputs from prior [Generator] or [Transformer]
-// outputs, then transforms the data into one output.  [Kustomize] is the most
-// commonly used transformer, though a simple [Join] is also supported.
-//
-//  1. [Kustomize] - Patch and transform the output from prior generators or
-//     transformers.  See [Introduction to Kustomize].
-//  2. [Join] - Concatenate multiple prior outputs into one output.
-//
-// # Generators
-//
-// A [Generator] generates Kubernetes resources.  [Helm] and [Resources] are the
-// most commonly used, often paired together to mix-in resources to an
-// unmodified Helm chart.  A simple [File] generator is also available for use
-// with the [Kustomize] transformer.
-//
-//  1. [Resources] - Generates resources from CUE code.
-//  2. [Helm] - Generates rendered yaml from a [Chart].
-//  3. [File] - Generates data by reading a file from the component directory.
-//
-// [Introduction to Kustomize]: https://kubectl.docs.kubernetes.io/guides/config_management/introduction/
-// [Author API]: https://holos.run/docs/api/author/
-// [Quickstart]: https://holos.run/docs/quickstart/
-// [Technical Overview]: https://holos.run/docs/technical-overview/
-package v1alpha4
-
-//go:generate ../../../hack/gendoc
-
-// BuildPlan represents a build plan for holos to execute.  Each [Platform]
-// component produces exactly one BuildPlan.
-//
-// One or more [Artifact] files are produced by a BuildPlan, representing the
-// fully rendered manifests for the Kubernetes API Server.
-//
-// # Example BuildPlan
-//
-// Command:
-//
-//	cue export --out yaml ./projects/platform/components/namespaces
-//
-// Output:
-//
-//	kind: BuildPlan
-//	apiVersion: v1alpha4
-//	metadata:
-//	  name: dev-namespaces
-//	spec:
-//	  component: projects/platform/components/namespaces
-//	  artifacts:
-//	    - artifact: clusters/no-cluster/components/dev-namespaces/dev-namespaces.gen.yaml
-//	      generators:
-//	        - kind: Resources
-//	          output: resources.gen.yaml
-//	          resources:
-//	            Namespace:
-//	              dev-jeff:
-//	                metadata:
-//	                  name: dev-jeff
-//	                  labels:
-//	                    kubernetes.io/metadata.name: dev-jeff
-//	                kind: Namespace
-//	                apiVersion: v1
-//	      transformers:
-//	        - kind: Kustomize
-//	          inputs:
-//	            - resources.gen.yaml
-//	          output: clusters/no-cluster/components/dev-namespaces/dev-namespaces.gen.yaml
-//	          kustomize:
-//	            kustomization:
-//	              commonLabels:
-//	                holos.run/component.name: dev-namespaces
-//	              resources:
-//	                - resources.gen.yaml
-type BuildPlan struct {
-	// Kind represents the type of the resource.
-	Kind string `json:"kind" cue:"\"BuildPlan\""`
-	// APIVersion represents the versioned schema of the resource.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha4\""`
-	// Metadata represents data about the resource such as the Name.
-	Metadata Metadata `json:"metadata"`
-	// Spec specifies the desired state of the resource.
-	Spec BuildPlanSpec `json:"spec"`
-}
-
-// BuildPlanSpec represents the specification of the [BuildPlan].
-type BuildPlanSpec struct {
-	// Component represents the component that produced the build plan.
-	// Represented as a path relative to the platform root.
-	Component string `json:"component"`
-	// Disabled causes the holos cli to disregard the build plan.
-	Disabled bool `json:"disabled,omitempty"`
-	// Artifacts represents the artifacts for holos to build.
-	Artifacts []Artifact `json:"artifacts"`
-}
-
-// Artifact represents one fully rendered manifest produced by a [Transformer]
-// sequence, which transforms a [Generator] collection.  A [BuildPlan] produces
-// an [Artifact] collection.
-//
-// Each Artifact produces one manifest file artifact.  Generator Output values
-// are used as Transformer Inputs.  The Output field of the final [Transformer]
-// should have the same value as the Artifact field.
-//
-// When there is more than one [Generator] there must be at least one
-// [Transformer] to combine outputs into one Artifact.  If there is a single
-// Generator, it may directly produce the Artifact output.
-//
-// An Artifact is processed concurrently with other artifacts in the same
-// [BuildPlan].  An Artifact should not use an output from another Artifact as
-// an input.  Each [Generator] may also run concurrently.  Each [Transformer] is
-// executed sequentially starting after all generators have completed.
-//
-// Output fields are write-once.  It is an error for multiple Generators or
-// Transformers to produce the same Output value within the context of a
-// [BuildPlan].
-type Artifact struct {
-	Artifact     FilePath      `json:"artifact,omitempty"`
-	Generators   []Generator   `json:"generators,omitempty"`
-	Transformers []Transformer `json:"transformers,omitempty"`
-	Skip         bool          `json:"skip,omitempty"`
-}
-
-// Generator generates an intermediate manifest for a [Artifact].
-//
-// Each Generator in a [Artifact] must have a distinct Output value for a
-// [Transformer] to reference.
-//
-// Refer to [Resources], [Helm], and [File].
-type Generator struct {
-	// Kind represents the kind of generator.  Must be Resources, Helm, or File.
-	Kind string `json:"kind" cue:"\"Resources\" | \"Helm\" | \"File\""`
-	// Output represents a file for a Transformer or Artifact to consume.
-	Output FilePath `json:"output"`
-	// Resources generator. Ignored unless kind is Resources.  Resources are
-	// stored as a two level struct.  The top level key is the Kind of resource,
-	// e.g. Namespace or Deployment.  The second level key is an arbitrary
-	// InternalLabel.  The third level is a map[string]any representing the
-	// Resource.
-	Resources Resources `json:"resources,omitempty"`
-	// Helm generator. Ignored unless kind is Helm.
-	Helm Helm `json:"helm,omitempty"`
-	// File generator. Ignored unless kind is File.
-	File File `json:"file,omitempty"`
-}
-
-// Resource represents one kubernetes api object.
-type Resource map[string]any
-
-// Resources represents a kubernetes resources [Generator] from CUE.
-type Resources map[Kind]map[InternalLabel]Resource
-
-// File represents a simple single file copy [Generator].  Useful with a
-// [Kustomize] [Transformer] to process plain manifest files stored in the
-// component directory.  Multiple File generators may be used to transform
-// multiple resources.
-type File struct {
-	// Source represents a file sub-path relative to the component path.
-	Source FilePath `json:"source"`
-}
-
-// Helm represents a [Chart] manifest [Generator].
-type Helm struct {
-	// Chart represents a helm chart to manage.
-	Chart Chart `json:"chart"`
-	// Values represents values for holos to marshal into values.yaml when
-	// rendering the chart.
-	Values Values `json:"values"`
-	// EnableHooks enables helm hooks when executing the `helm template` command.
-	EnableHooks bool `json:"enableHooks,omitempty"`
-	// Namespace represents the helm namespace flag
-	Namespace string `json:"namespace,omitempty"`
-}
-
-// Values represents [Helm] Chart values generated from CUE.
-type Values map[string]any
-
-// Chart represents a [Helm] Chart.
-type Chart struct {
-	// Name represents the chart name.
-	Name string `json:"name"`
-	// Version represents the chart version.
-	Version string `json:"version"`
-	// Release represents the chart release when executing helm template.
-	Release string `json:"release"`
-	// Repository represents the repository to fetch the chart from.
-	Repository Repository `json:"repository,omitempty"`
-}
-
-// Repository represents a [Helm] [Chart] repository.
-type Repository struct {
-	Name string `json:"name"`
-	URL  string `json:"url"`
-}
-
-// Transformer transforms [Generator] manifests within a [Artifact].
-type Transformer struct {
-	// Kind represents the kind of transformer. Must be Kustomize, or Join.
-	Kind string `json:"kind" cue:"\"Kustomize\" | \"Join\""`
-	// Inputs represents the files to transform. The Output of prior Generators
-	// and Transformers.
-	Inputs []FilePath `json:"inputs"`
-	// Output represents a file for a subsequent Transformer or Artifact to
-	// consume.
-	Output FilePath `json:"output"`
-	// Kustomize transformer. Ignored unless kind is Kustomize.
-	Kustomize Kustomize `json:"kustomize,omitempty"`
-	// Join transformer. Ignored unless kind is Join.
-	Join Join `json:"join,omitempty"`
-}
-
-// Join represents a [Transformer] using [bytes.Join] to concatenate multiple
-// inputs into one output with a separator.  Useful for combining output from
-// [Helm] and [Resources] together into one [Artifact] when [Kustomize] is
-// otherwise unnecessary.
-//
-// [bytes.Join]: https://pkg.go.dev/bytes#Join
-type Join struct {
-	Separator string `json:"separator" cue:"string | *\"---\\n\""`
-}
-
-// Kustomize represents a kustomization [Transformer].
-type Kustomize struct {
-	// Kustomization represents the decoded kustomization.yaml file
-	Kustomization Kustomization `json:"kustomization"`
-	// Files holds file contents for kustomize, e.g. patch files.
-	Files FileContentMap `json:"files,omitempty"`
-}
-
-// Kustomization represents a kustomization.yaml file for use with the
-// [Kustomize] [Transformer].  Untyped to avoid tightly coupling holos to
-// kubectl versions which was a problem for the Flux maintainers.  Type checking
-// is expected to happen in CUE against the kubectl version the user prefers.
-type Kustomization map[string]any
-
-// FileContent represents file contents.
-type FileContent string
-
-// FileContentMap represents a mapping of file paths to file contents.
-type FileContentMap map[FilePath]FileContent
-
-// FilePath represents a file path.
-type FilePath string
-
-// InternalLabel is an arbitrary unique identifier internal to holos itself.
-// The holos cli is expected to never write a InternalLabel value to rendered
-// output files, therefore use a InternalLabel when the identifier must be
-// unique and internal.  Defined as a type for clarity and type checking.
-type InternalLabel string
-
-// Kind is a discriminator. Defined as a type for clarity and type checking.
-type Kind string
-
-// NameLabel is a unique identifier useful to convert a CUE struct to a list
-// when the values have a Name field with a default value.  NameLabel indicates
-// the common use case of converting a struct to a list where the Name field of
-// the value aligns with the outer struct field name.
-//
-// For example:
-//
-//	Outer: [NAME=_]: Name: NAME
-type NameLabel string
-
-// Platform represents a platform to manage.  A Platform resource informs holos
-// which components to build.  The platform resource also acts as a container
-// for the platform model form values provided by the PlatformService.  The
-// primary use case is to collect the cluster names, cluster types, platform
-// model, and holos components to build into one resource.
-type Platform struct {
-	// Kind is a string value representing the resource.
-	Kind string `json:"kind" cue:"\"Platform\""`
-	// APIVersion represents the versioned schema of this resource.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha4\""`
-	// Metadata represents data about the resource such as the Name.
-	Metadata Metadata `json:"metadata"`
-
-	// Spec represents the specification.
-	Spec PlatformSpec `json:"spec"`
-}
-
-// Metadata represents data about the resource such as the Name.
-type Metadata struct {
-	// Name represents the resource name.
-	Name string `json:"name"`
-}
-
-// PlatformSpec represents the specification of a [Platform].  Think of a
-// platform spec as a [Component] collection for multiple kubernetes clusters
-// combined with the user-specified Platform Model.
-type PlatformSpec struct {
-	// Components represents a list of holos components to manage.
-	Components []Component `json:"components"`
-}
-
-// Component represents the complete context necessary to produce a [BuildPlan].
-// Component carries information injected from holos render platform to holos
-// render component to produce each [BuildPlan].
-//
-// All of these fields are passed to the holos render component command using
-// flags, which in turn are injected to CUE using tags.  For clarity, CUE field
-// and tag names should match the struct json tag names below.
-type Component struct {
-	// Name represents the name of the component. Injected as the tag variable
-	// "holos_name" to set the BuildPlan metadata.name field.  Necessary for clear
-	// user feedback during platform rendering.
-	Name string `json:"name"`
-	// Component represents the path of the component relative to the platform
-	// root.  Injected as the tag variable "holos_component".
-	Component string `json:"component"`
-	// Cluster is the cluster name to provide when rendering the component.
-	// Injected as the tag variable "holos_cluster".
-	Cluster string `json:"cluster"`
-	// Model represents the platform model holos gets from from the
-	// PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-	// Injected as the tag "holos_model".
-	Model map[string]any `json:"model,omitempty"`
-	// Tags represents cue @tag variables injected into the holos render component
-	// command from the holos render platform command.  Tags with a "holos_"
-	// prefix are reserved for use by the Holos Authors.
-	Tags map[string]string `json:"tags,omitempty"`
-	// WriteTo represents the holos render component --write-to flag.  If empty,
-	// the default value for the --write-to flag is used.
-	WriteTo string `json:"writeTo,omitempty"`
-}
-
-// Tags represents standardized fields injected into the component [BuildPlan]
-// from the [Platform].
-//
-// Note, tags should have a reasonable default value to easily use cue eval and
-// cue export without needing to make a bunch of decisions about tag values.
-//
-// Example:
-//
-//	import core "github.com/holos-run/holos/api/core/v1alpha4"
-//	_Tags: core.#Tags & {
-//	  cluster:     _ @tag(cluster, type=string)
-//	  environment: _ @tag(environment, type=string)
-//	  component:   _ @tag(component, type=string)
-//	  name:        _ @tag(name, type=string)
-//	}
-type Tags struct {
-	// Name represents the BuildPlan metadata.name field injected from the Platform.
-	Name string `json:"name" cue:"string | *\"no-name\""`
-	// Cluster represents the cluster name injected from
-	Cluster string `json:"cluster" cue:"string | *\"no-cluster\""`
-	// Environment represents the build plan environment.
-	Environment string `json:"environment" cue:"string | *\"no-environment\""`
-	// Component represents the path of the component relative to the platform root.
-	Component string `json:"component" cue:"string | *\"no-component\""`
-}
--- a/api/core/v1alpha5/types.go
+++ b/api/core/v1alpha5/types.go
@@ -1,9 +1,33 @@
 // Package core contains schemas for a [Platform] and [BuildPlan].  Holos takes
 // a [Platform] as input, then iterates over each [Component] to produce a
-// [BuildPlan].  Holos processes the [BuildPlan] to produce fully rendered
+// [BuildPlan].  Holos evaluates the [BuildPlan] to produce fully rendered
 // manifests, each an [Artifact].
 package core

+// BuildContextTag represents the cue tag holos render component uses to inject
+// the json representation of a [BuildContext] for use in a BuildPlan.
+const BuildContextTag string = "holos_build_context"
+
+// ComponentNameTag represents the cue tag holos uses to inject a [Component]
+// name from the holos render platform command to the holos render component
+// command.
+const ComponentNameTag string = "holos_component_name"
+
+// ComponentPathTag represents the cue tag holos uses to inject a [Component]
+// path relative to the cue module root from the holos render platform command
+// to the holos render component command.
+const ComponentPathTag string = "holos_component_path"
+
+// ComponentLabelsTag represents the cue tag holos uses to inject the json
+// representation of [Component] metadata labels from the holos render platform
+// command to the holos render component command.
+const ComponentLabelsTag string = "holos_component_labels"
+
+// ComponentAnnotationsTag represents the tag holos uses to inject the json
+// representation of [Component] metadata annotations from the holos render
+// platform command to the holos render component command.
+const ComponentAnnotationsTag = "holos_component_annotations"
+
 //go:generate ../../../hack/gendoc

 // BuildPlan represents an implementation of the [rendered manifest pattern].
@@ -118,8 +142,12 @@ type Helm struct {
 	// Chart represents a helm chart to manage.
 	Chart Chart `json:"chart" yaml:"chart"`
 	// Values represents values for holos to marshal into values.yaml when
-	// rendering the chart.
+	// rendering the chart.  Values follow ValueFiles when both are provided.
 	Values Values `json:"values" yaml:"values"`
+	// ValueFiles represents hierarchial value files passed in order to the helm
+	// template -f flag.  Useful for migration from an ApplicationSet.  Use Values
+	// instead.  ValueFiles precede Values when both are provided.
+	ValueFiles []ValueFile `json:"valueFiles,omitempty" yaml:"valueFiles,omitempty"`
 	// EnableHooks enables helm hooks when executing the `helm template` command.
 	EnableHooks bool `json:"enableHooks,omitempty" yaml:"enableHooks,omitempty"`
 	// Namespace represents the helm namespace flag
@@ -130,6 +158,17 @@ type Helm struct {
 	KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
 }

+// ValueFile represents one Helm value file produced from CUE.
+type ValueFile struct {
+	// Name represents the file name, e.g. "region-values.yaml"
+	Name string `json:"name" yaml:"name"`
+	// Kind is a discriminator.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Values\""`
+	// Values represents values for holos to marshal into the file name specified
+	// by Name when rendering the chart.
+	Values Values `json:"values,omitempty" yaml:"values,omitempty"`
+}
+
 // Values represents [Helm] Chart values generated from CUE.
 type Values map[string]any

@@ -263,7 +302,7 @@ type Metadata struct {
 	// Labels represents a resource selector.
 	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
 	// Annotations represents arbitrary non-identifying metadata.  For example
-	// holos uses the `cli.holos.run/description` annotation to log resources in a
+	// holos uses the `app.holos.run/description` annotation to log resources in a
 	// user customized way.
 	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
 }
@@ -320,7 +359,7 @@ type Component struct {
 	// resulting BuildPlan.
 	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
 	// Annotations represents arbitrary non-identifying metadata.  Use the
-	// `cli.holos.run/description` to customize the log message of each BuildPlan.
+	// `app.holos.run/description` to customize the log message of each BuildPlan.
 	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
 }

--- a/api/core/v1alpha6/header.yaml
+++ b/api/core/v1alpha6/header.yaml
@@ -0,0 +1,5 @@
+---
+title: Core Schemas
+description: BuildPlan defines the holos rendering pipeline.
+sidebar_position: 100
+---
--- a/api/core/v1alpha6/types.go
+++ b/api/core/v1alpha6/types.go
@@ -0,0 +1,453 @@
+// Package core contains schemas for a [Platform] and [BuildPlan].  Holos takes
+// a [Platform] as input, then iterates over each [Component] to produce a
+// [BuildPlan].  Holos processes the [BuildPlan] to produce fully rendered
+// manifests, each an [Artifact].
+package core
+
+// BuildContextTag represents the cue tag holos render component uses to inject
+// the json representation of a [BuildContext] for use in a BuildPlan.
+const BuildContextTag string = "holos_build_context"
+
+// ComponentNameTag represents the cue tag holos uses to inject a [Component]
+// name from the holos render platform command to the holos render component
+// command.
+const ComponentNameTag string = "holos_component_name"
+
+// ComponentPathTag represents the cue tag holos uses to inject a [Component]
+// path relative to the cue module root from the holos render platform command
+// to the holos render component command.
+const ComponentPathTag string = "holos_component_path"
+
+// ComponentLabelsTag represents the cue tag holos uses to inject the json
+// representation of [Component] metadata labels from the holos render platform
+// command to the holos render component command.
+const ComponentLabelsTag string = "holos_component_labels"
+
+// ComponentAnnotationsTag represents the tag holos uses to inject the json
+// representation of [Component] metadata annotations from the holos render
+// platform command to the holos render component command.
+const ComponentAnnotationsTag = "holos_component_annotations"
+
+//go:generate ../../../hack/gendoc
+
+// BuildPlan represents an implementation of the [rendered manifest pattern].
+// Holos processes a BuildPlan to produce one or more [Artifact] output files.
+// BuildPlan artifact files usually contain Kubernetes manifests, but they may
+// have any content.
+//
+// A BuildPlan usually produces two artifacts.  One artifact contains a manifest
+// of resources.  A second artifact contains a GitOps resource to manage the
+// first, usually an ArgoCD Application resource.
+//
+// Holos uses CUE to construct a BuildPlan.  Holos injects late binding values
+// such as the build temp dir using the [BuildContext].
+//
+// [rendered manifest pattern]: https://akuity.io/blog/the-rendered-manifests-pattern
+//
+// [external credential provider]: https://github.com/kubernetes/enhancements/blob/313ad8b59c80819659e1fbf0f165230f633f2b22/keps/sig-auth/541-external-credential-providers/README.md
+type BuildPlan struct {
+	// APIVersion represents the versioned schema of the resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"\"v1alpha6\""`
+	// Kind represents the type of the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"BuildPlan\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+	// Spec specifies the desired state of the resource.
+	Spec BuildPlanSpec `json:"spec" yaml:"spec"`
+	// BuildContext represents values injected by holos just before evaluating a
+	// BuildPlan, for example the tempDir used for the build.
+	BuildContext BuildContext `json:"buildContext" yaml:"buildContext"`
+}
+
+// BuildContext represents build context values owned by the holos render
+// component command.  End users should not manage context field values.  End
+// users may reference fields from within CUE to refer to late binding
+// concrete values defined just before holos executes a [BuildPlan].
+//
+// Holos injects build context values by marshalling this struct to json through
+// the holos_build_context cue tag.
+//
+// Example usage from cue to produce a [BuildPlan]:
+//
+//	package holos
+//
+//	import (
+//	  "encoding/json"
+//	  "github.com/holos-run/holos/api/core/v1alpha6:core"
+//	)
+//
+//	_BuildContextJSON: string | *"{}" @tag(holos_build_context, type=string)
+//	BuildContext: core.#BuildContext & json.Unmarshal(_BuildContextJSON)
+//
+//	holos: core.#BuildPlan & {
+//	  buildContext: BuildContext
+//	  "spec": {
+//	    "artifacts": [
+//	      {
+//	        artifact: "components/slice",
+//	        "transformers": [
+//	          {
+//	            "kind": "Command"
+//	            "inputs": ["resources.gen.yaml"]
+//	            "output": artifact
+//	            "command": {
+//	              "args": [
+//	                "kubectl-slice",
+//	                "-f",
+//	                "\(buildContext.tempDir)/resources.gen.yaml",
+//	                "-o",
+//	                "\(buildContext.tempDir)/\(artifact)",
+//	              ]
+//	            }
+//	          }
+//	        ]
+//	      }
+//	    ]
+//	  }
+//	}
+type BuildContext struct {
+	// TempDir represents the temporary directory managed and owned by the holos
+	// render component command for the execution of one BuildPlan.  Multiple
+	// tasks in the build plan share this temporary directory and therefore should
+	// avoid reading and writing into the same sub-directories as one another.
+	TempDir string `json:"tempDir" yaml:"tempDir" cue:"string | *\"${TEMP_DIR_PLACEHOLDER}\""`
+	// RootDir represents the fully qualified path to the platform root directory.
+	// Useful to construct arguments for commands in BuildPlan tasks.
+	RootDir string `json:"rootDir" yaml:"rootDir" cue:"string | *\"${ROOT_DIR_PLACEHOLDER}\""`
+	// LeafDir represents the cleaned path to the holos component relative to the
+	// platform root.  Useful to construct arguments for commands in BuildPlan
+	// tasks.
+	LeafDir string `json:"leafDir" yaml:"leafDir" cue:"string | *\"${LEAF_DIR_PLACEHOLDER}\""`
+	// HolosExecutable represents the fully qualified path to the holos
+	// executable.  Useful to execute tools embedded as subcommands such as holos
+	// cue vet.
+	HolosExecutable string `json:"holosExecutable" yaml:"holosExecutable" cue:"string | *\"holos\""`
+}
+
+// TODO(jjm): Decide if RootDir and LeafDir are useful.  We have
+// [Component.Path] and [Command] executes with the platform root as the current
+// working directory.
+
+// BuildPlanSpec represents the specification of the [BuildPlan].
+type BuildPlanSpec struct {
+	// Artifacts represents the artifacts for holos to build.
+	Artifacts []Artifact `json:"artifacts" yaml:"artifacts"`
+	// Disabled causes the holos render platform command to skip the BuildPlan.
+	Disabled bool `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+}
+
+// Artifact represents one fully rendered manifest produced by a [Transformer]
+// sequence, which transforms a [Generator] collection.  A [BuildPlan] produces
+// an [Artifact] collection.
+//
+// Each Artifact produces one manifest file or directory artifact.  Generator
+// Output values are used as Transformer Inputs.  The Output field of the final
+// [Transformer] should have the same value as the Artifact field.
+//
+// When there is more than one [Generator] there should be at least one
+// [Transformer] to combine outputs into one Artifact file, or the final
+// artifact should be a directory containing the outputs of the generators.  If
+// there is a single Generator, it may directly produce the Artifact output.
+//
+// An Artifact is processed concurrently with other artifacts in the same
+// [BuildPlan].  One Artifact must not use an output of another Artifact as an
+// input.  Each [Generator] within an artifact also runs concurrently with
+// generators of the same artifact.  Each [Transformer] is executed sequentially
+// starting after all generators have completed.
+//
+// Output fields are write-once.  It is an error for multiple Generators or
+// Transformers to produce the same Output value within the context of a
+// [BuildPlan].
+//
+// When directories are used as inputs or outputs, they behave similar to how
+// `git` works with directories.  When the output field references a directory,
+// all files within the directory are recursively stored using their relative
+// path as a key.  Similar to git add .  When the input field references an
+// absent file, a / is appended and the resulting value is used as a prefix
+// match against all previous task outputs.
+type Artifact struct {
+	Artifact     FileOrDirectoryPath `json:"artifact,omitempty" yaml:"artifact,omitempty"`
+	Generators   []Generator         `json:"generators,omitempty" yaml:"generators,omitempty"`
+	Transformers []Transformer       `json:"transformers,omitempty" yaml:"transformers,omitempty"`
+	Validators   []Validator         `json:"validators,omitempty" yaml:"validators,omitempty"`
+	Skip         bool                `json:"skip,omitempty" yaml:"skip,omitempty"`
+}
+
+// Generator generates Kubernetes resources.  [Helm] and [Resources] are the
+// most commonly used, often paired together to mix-in resources to an
+// unmodified Helm chart.  A simple [File] generator is also available for use
+// with the [Kustomize] transformer.
+//
+// Each Generator in an [Artifact] must have a distinct Output value for a
+// [Transformer] to reference.
+//
+//  1. [Resources] - Generates resources from CUE code.
+//  2. [Helm] - Generates rendered yaml from a [Chart].
+//  3. [File] - Generates data by reading a file from the component directory.
+//  4. [Command] - Generates data by executing an user defined command.
+type Generator struct {
+	// Kind represents the kind of generator.  Must be Resources, Helm, or File.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Resources\" | \"Helm\" | \"File\" | \"Command\""`
+	// Output represents a file for a Transformer or Artifact to consume.
+	Output FileOrDirectoryPath `json:"output" yaml:"output"`
+	// Resources generator. Ignored unless kind is Resources.  Resources are
+	// stored as a two level struct.  The top level key is the Kind of resource,
+	// e.g. Namespace or Deployment.  The second level key is an arbitrary
+	// InternalLabel.  The third level is a map[string]any representing the
+	// Resource.
+	Resources Resources `json:"resources,omitempty" yaml:"resources,omitempty"`
+	// Helm generator. Ignored unless kind is Helm.
+	Helm Helm `json:"helm,omitempty" yaml:"helm,omitempty"`
+	// File generator. Ignored unless kind is File.
+	File File `json:"file,omitempty" yaml:"file,omitempty"`
+	// Command generator. Ignored unless kind is Command.
+	Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+
+// Resource represents one kubernetes api object.
+type Resource map[string]any
+
+// Resources represents Kubernetes resources.  Most commonly used to mix
+// resources into the [BuildPlan] generated from CUE, but may be generated from
+// elsewhere.
+type Resources map[Kind]map[InternalLabel]Resource
+
+// File represents a simple single file copy [Generator].  Useful with a
+// [Kustomize] [Transformer] to process plain manifest files stored in the
+// component directory.  Multiple File generators may be used to transform
+// multiple resources.
+type File struct {
+	// Source represents a file sub-path relative to the component path.
+	Source FilePath `json:"source" yaml:"source"`
+}
+
+// Helm represents a [Chart] manifest [Generator].
+type Helm struct {
+	// Chart represents a helm chart to manage.
+	Chart Chart `json:"chart" yaml:"chart"`
+	// Values represents values for holos to marshal into values.yaml when
+	// rendering the chart.  Values follow ValueFiles when both are provided.
+	Values Values `json:"values" yaml:"values"`
+	// ValueFiles represents hierarchial value files passed in order to the helm
+	// template -f flag.  Useful for migration from an ApplicationSet.  Use Values
+	// instead.  ValueFiles precede Values when both are provided.
+	ValueFiles []ValueFile `json:"valueFiles,omitempty" yaml:"valueFiles,omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `json:"enableHooks,omitempty" yaml:"enableHooks,omitempty"`
+	// Namespace represents the helm namespace flag
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
+}
+
+// ValueFile represents one Helm value file produced from CUE.
+type ValueFile struct {
+	// Name represents the file name, e.g. "region-values.yaml"
+	Name string `json:"name" yaml:"name"`
+	// Kind is a discriminator.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Values\""`
+	// Values represents values for holos to marshal into the file name specified
+	// by Name when rendering the chart.
+	Values Values `json:"values,omitempty" yaml:"values,omitempty"`
+}
+
+// Values represents [Helm] Chart values generated from CUE.
+type Values map[string]any
+
+// Chart represents a [Helm] Chart.
+type Chart struct {
+	// Name represents the chart name.
+	Name string `json:"name" yaml:"name"`
+	// Version represents the chart version.
+	Version string `json:"version" yaml:"version"`
+	// Release represents the chart release when executing helm template.
+	Release string `json:"release" yaml:"release"`
+	// Repository represents the repository to fetch the chart from.
+	Repository Repository `json:"repository,omitempty" yaml:"repository,omitempty"`
+}
+
+// Repository represents a [Helm] [Chart] repository.
+//
+// The Auth field is useful to configure http basic authentication to the Helm
+// repository.  Holos gets the username and password from the environment
+// variables represented by the Auth field.
+type Repository struct {
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+	URL  string `json:"url,omitempty" yaml:"url,omitempty"`
+	Auth Auth   `json:"auth,omitempty" yaml:"auth,omitempty"`
+}
+
+// Auth represents environment variable names containing auth credentials.
+type Auth struct {
+	Username AuthSource `json:"username" yaml:"username"`
+	Password AuthSource `json:"password" yaml:"password"`
+}
+
+// AuthSource represents a source for the value of an [Auth] field.
+type AuthSource struct {
+	Value   string `json:"value,omitempty" yaml:"value,omitempty"`
+	FromEnv string `json:"fromEnv,omitempty" yaml:"fromEnv,omitempty"`
+}
+
+// Transformer combines multiple inputs from prior [Generator] or [Transformer]
+// outputs into one output.  [Kustomize] is the most commonly used transformer.
+// A simple [Join] is also supported for use with plain manifest files.
+//
+//  1. [Kustomize] - Patch and transform the output from prior generators or
+//     transformers.  See [Introduction to Kustomize].
+//  2. [Join] - Concatenate multiple prior outputs into one output.
+//  3. [Command] - Transforms data by executing an user defined command.
+//
+// [Introduction to Kustomize]: https://kubectl.docs.kubernetes.io/guides/config_management/introduction/
+type Transformer struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Kustomize\" | \"Join\" | \"Command\""`
+	// Inputs represents the files to transform. The Output of prior Generators
+	// and Transformers.
+	Inputs []FileOrDirectoryPath `json:"inputs" yaml:"inputs"`
+	// Output represents a file or directory for a subsequent Transformer or
+	// Artifact to consume.
+	Output FileOrDirectoryPath `json:"output" yaml:"output"`
+	// Kustomize transformer. Ignored unless kind is Kustomize.
+	Kustomize Kustomize `json:"kustomize,omitempty" yaml:"kustomize,omitempty"`
+	// Join transformer. Ignored unless kind is Join.
+	Join Join `json:"join,omitempty" yaml:"join,omitempty"`
+	// Command transformer. Ignored unless kind is Command.
+	Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+
+// Join represents a [Transformer] using [bytes.Join] to concatenate multiple
+// inputs into one output with a separator.  Useful for combining output from
+// [Helm] and [Resources] together into one [Artifact] when [Kustomize] is
+// otherwise unnecessary.
+//
+// [bytes.Join]: https://pkg.go.dev/bytes#Join
+type Join struct {
+	Separator string `json:"separator,omitempty" yaml:"separator,omitempty"`
+}
+
+// Kustomize represents a kustomization [Transformer].
+type Kustomize struct {
+	// Kustomization represents the decoded kustomization.yaml file
+	Kustomization Kustomization `json:"kustomization" yaml:"kustomization"`
+	// Files holds file contents for kustomize, e.g. patch files.
+	Files FileContentMap `json:"files,omitempty" yaml:"files,omitempty"`
+}
+
+// Kustomization represents a kustomization.yaml file for use with the
+// [Kustomize] [Transformer].  Untyped to avoid tightly coupling holos to
+// kubectl versions which was a problem for the Flux maintainers.  Type checking
+// is expected to happen in CUE against the kubectl version the user prefers.
+type Kustomization map[string]any
+
+// FileContentMap represents a mapping of file paths to file contents.
+type FileContentMap map[FilePath]FileContent
+
+// FilePath represents a file path.
+type FilePath string
+
+// FileOrDirectoryPath represents a file or a directory path.
+type FileOrDirectoryPath string
+
+// FileContent represents file contents.
+type FileContent string
+
+// Validator validates files.  Useful to validate an [Artifact] prior to writing
+// it out to the final destination.  Holos may execute validators concurrently.
+// See the [validators] tutorial for an end to end example.
+//
+// [validators]: https://holos.run/docs/v1alpha6/tutorial/validators/
+type Validator struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Command\""`
+	// Inputs represents the files to validate.  Usually the final Artifact.
+	Inputs []FileOrDirectoryPath `json:"inputs" yaml:"inputs"`
+	// Command validator.  Ignored unless kind is Command.
+	Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+
+// Command represents a [BuildPlan] task implemented by executing an user
+// defined system command.  A task is defined as a [Generator], [Transformer],
+// or [Validator].  Commands are executed with the working directory set to the
+// platform root.
+type Command struct {
+	// DisplayName of the command.  The basename of args[0] is used if empty.
+	DisplayName string `json:"displayName,omitempty" yaml:"displayName,omitempty"`
+	// Args represents the argument vector passed to the os. to execute the
+	// command.
+	Args []string `json:"args,omitempty" yaml:"args,omitempty"`
+	// IsStdoutOutput captures the command stdout as the task output if true.
+	IsStdoutOutput bool `json:"isStdoutOutput,omitempty" yaml:"isStdoutOutput,omitempty"`
+}
+
+// InternalLabel is an arbitrary unique identifier internal to holos itself.
+// The holos cli is expected to never write a InternalLabel value to rendered
+// output files, therefore use a InternalLabel when the identifier must be
+// unique and internal.  Defined as a type for clarity and type checking.
+type InternalLabel string
+
+// Kind is a discriminator. Defined as a type for clarity and type checking.
+type Kind string
+
+// Metadata represents data about the resource such as the Name.
+type Metadata struct {
+	// Name represents the resource name.
+	Name string `json:"name" yaml:"name"`
+	// Labels represents a resource selector.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  For example
+	// holos uses the `app.holos.run/description` annotation to log resources in a
+	// user customized way.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
+// Platform represents a platform to manage.  A Platform specifies a [Component]
+// collection and integrates the components together into a holistic platform.
+// Holos iterates over the [Component] collection producing a [BuildPlan] for
+// each, which holos then executes to render manifests.
+//
+// Inspect a Platform resource holos would process by executing:
+//
+//	cue export --out yaml ./platform
+type Platform struct {
+	// APIVersion represents the versioned schema of this resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha6\""`
+	// Kind is a string value representing the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Platform\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+
+	// Spec represents the platform specification.
+	Spec PlatformSpec `json:"spec" yaml:"spec"`
+}
+
+// PlatformSpec represents the platform specification.
+type PlatformSpec struct {
+	// Components represents a collection of holos components to manage.
+	Components []Component `json:"components" yaml:"components"`
+}
+
+// Component represents the complete context necessary to produce a [BuildPlan]
+// from a path containing parameterized CUE configuration.
+type Component struct {
+	// Name represents the name of the component. Injected as the tag variable
+	// "holos_component_name".
+	Name string `json:"name" yaml:"name"`
+	// Path represents the path of the component relative to the platform root.
+	// Injected as the tag variable "holos_component_path".
+	Path string `json:"path" yaml:"path"`
+	// Parameters represent user defined input variables to produce various
+	// [BuildPlan] resources from one component path.  Injected as CUE @tag
+	// variables.  Parameters with a "holos_" prefix are reserved for use by the
+	// Holos Authors.  Multiple environments are a prime example of an input
+	// parameter that should always be user defined, never defined by Holos.
+	Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters,omitempty"`
+	// Labels represent selector labels for the component.  Holos copies Labels
+	// from the Component to the resulting BuildPlan.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  Use the
+	// `app.holos.run/description` to customize the log message of each BuildPlan.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
--- a/api/meta/v1alpha2/meta.go
+++ b/api/meta/v1alpha2/meta.go
@@ -1,37 +0,0 @@
-package v1alpha2
-
-// TypeMeta describes an individual object in an API response or request with
-// strings representing the type of the object and its API schema version.
-// Structures that are versioned or persisted should inline TypeMeta.
-type TypeMeta struct {
-	// Kind is a string value representing the resource this object represents.
-	Kind string `json:"kind"`
-	// APIVersion defines the versioned schema of this representation of an object.
-	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-}
-
-func (tm *TypeMeta) GetKind() string {
-	return tm.Kind
-}
-
-func (tm *TypeMeta) GetAPIVersion() string {
-	return tm.APIVersion
-}
-
-// Discriminator discriminates the kind of an api object.
-type Discriminator interface {
-	// GetKind returns Kind.
-	GetKind() string
-	// GetAPIVersion returns APIVersion.
-	GetAPIVersion() string
-}
-
-// ObjectMeta represents metadata of a holos component object. The fields are a
-// copy of upstream kubernetes api machinery but are holos objects distinct from
-// kubernetes api objects.
-type ObjectMeta struct {
-	// Name uniquely identifies the holos component instance and must be suitable as a file name.
-	Name string `json:"name,omitempty"`
-	// Namespace confines a holos component to a single namespace via kustomize if set.
-	Namespace string `json:"namespace,omitempty"`
-}
--- a/buf.gen.yaml
+++ b/buf.gen.yaml
@@ -1,20 +0,0 @@
-# Generates gRPC and ConnectRPC bindings for Go and TypeScript
-#
-# Note: protoc-gen-connect-query is the primary method of wiring up the React
-# frontend.
-version: v1
-plugins:
-  - plugin: go
-    out: service/gen
-    opt: paths=source_relative
-  - plugin: connect-go
-    out: service/gen
-    opt: paths=source_relative
-  - plugin: es
-    out: internal/frontend/holos/src/app/gen
-    opt:
-      - target=ts
-  - plugin: connect-es
-    out: internal/frontend/holos/src/app/gen
-    opt:
-      - target=ts
--- a/buf.lock
+++ b/buf.lock
@@ -1,8 +0,0 @@
-# Generated by buf. DO NOT EDIT.
-version: v1
-deps:
-  - remote: buf.build
-    owner: bufbuild
-    repository: protovalidate
-    commit: b983156c5e994cc9892e0ce3e64e17e0
-    digest: shake256:fb47a62989d38c2529bcc5cd86ded43d800eb84cee82b42b9e8a9e815d4ee8134a0fb9d0ce8299b27c2d2bbb7d6ade0c4ad5a8a4d467e1e2c7ca619ae9f634e2
--- a/buf.work.yaml
+++ b/buf.work.yaml
@@ -1,3 +0,0 @@
-version: v1
-directories:
-  - service
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -5,59 +5,30 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
-	"runtime/pprof"
-	"runtime/trace"

 	"github.com/holos-run/holos/internal/cli"
 	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/version"
 )

 // MakeMain makes a main function for the cli or tests.
 func MakeMain(options ...holos.Option) func() int {
 	return func() (exitCode int) {
+		// TODO(jjm): check HOLOS_CHDIR and chdir if set for tests.
+		if len(os.Args) >= 2 && os.Args[1] == "version" {
+			if _, err := fmt.Println(version.GetVersion()); err != nil {
+				panic(err)
+			}
+			return 0
+		}
 		cfg := holos.New(options...)
 		slog.SetDefault(cfg.Logger())
 		ctx := context.Background()
+		cmd := cli.New(cfg)

-		if format := os.Getenv("HOLOS_CPU_PROFILE"); format != "" {
-			f, _ := os.Create(fmt.Sprintf(format, os.Getppid(), os.Getpid()))
-			err := pprof.StartCPUProfile(f)
-			defer func() {
-				pprof.StopCPUProfile()
-				f.Close()
-			}()
-			if err != nil {
-				return cli.HandleError(ctx, err, cfg)
-			}
-		}
-		defer memProfile(ctx, cfg)
-
-		if format := os.Getenv("HOLOS_TRACE"); format != "" {
-			f, _ := os.Create(fmt.Sprintf(format, os.Getppid(), os.Getpid()))
-			err := trace.Start(f)
-			defer func() {
-				trace.Stop()
-				f.Close()
-			}()
-			if err != nil {
-				return cli.HandleError(ctx, err, cfg)
-			}
-		}
-
-		feature := &holos.EnvFlagger{}
-		if err := cli.New(cfg, feature).ExecuteContext(ctx); err != nil {
+		if err := cmd.ExecuteContext(ctx); err != nil {
 			return cli.HandleError(ctx, err, cfg)
 		}
 		return 0
 	}
 }
-
-func memProfile(ctx context.Context, cfg *holos.Config) {
-	if format := os.Getenv("HOLOS_MEM_PROFILE"); format != "" {
-		f, _ := os.Create(fmt.Sprintf(format, os.Getppid(), os.Getpid()))
-		defer f.Close()
-		if err := pprof.WriteHeapProfile(f); err != nil {
-			_ = cli.HandleError(ctx, err, cfg)
-		}
-	}
-}
--- a/cmd/holos/main_test.go
+++ b/cmd/holos/main_test.go
@@ -11,10 +11,11 @@ import (
 )

 func TestMain(m *testing.M) {
-	os.Exit(testscript.RunMain(m, map[string]func() int{
-		"holos": cmd.MakeMain(),
-		"cue":   cue.Main,
-	}))
+	holosMain := cmd.MakeMain()
+	testscript.Main(m, map[string]func(){
+		"holos": func() { os.Exit(holosMain()) },
+		"cue":   func() { os.Exit(cue.Main()) },
+	})
 }

 func TestGuides_v1alpha5(t *testing.T) {
--- a/cmd/holos/tests/cli/first-impression.txt
+++ b/cmd/holos/tests/cli/first-impression.txt
@@ -1,2 +1,7 @@
 # https://github.com/holos-run/holos/issues/334
 exec holos
+stdout Usage
+exec holos --version
+stdout \d+\.\d+\.\d+
+exec holos version
+stdout \d+\.\d+\.\d+
--- a/cmd/holos/tests/v1alpha5/guides/helm.txt
+++ b/cmd/holos/tests/v1alpha5/guides/helm.txt
@@ -12,7 +12,8 @@ stderr -count=1 '^rendered platform'

 # Holos uses CUE to build a platform specification.
 exec holos show platform
-cmp stdout want/1.platform_spec.yaml
+cp stdout platform.yaml
+exec holos compare yaml platform.yaml want/1.platform_spec.yaml

 # Define the host and port in projects/blackbox.schema.cue
 mv projects/blackbox.schema.cue.disabled projects/blackbox.schema.cue
@@ -25,7 +26,7 @@ mv platform/prometheus.cue.disabled platform/prometheus.cue
 exec holos render platform
 stderr -count=1 '^rendered prometheus'
 stderr -count=1 '^rendered platform'
-cmp deploy/components/prometheus/prometheus.gen.yaml want/1.prometheus.gen.yaml
+exec holos compare yaml deploy/components/prometheus/prometheus.gen.yaml want/1.prometheus.gen.yaml

 # Add the CUE configuration to manage the blackbox Helm Chart component.
 mv projects/platform/components/blackbox/blackbox.cue.disabled projects/platform/components/blackbox/blackbox.cue
@@ -37,7 +38,7 @@ exec holos render platform ./platform
 stderr -count=1 '^rendered prometheus'
 stderr -count=1 '^rendered blackbox'
 stderr -count=1 '^rendered platform'
-cmp deploy/components/blackbox/blackbox.gen.yaml want/1.blackbox.gen.yaml
+exec holos compare yaml deploy/components/blackbox/blackbox.gen.yaml want/1.blackbox.gen.yaml

 # Import helm values
 exec cue import --package holos --path 'Helm: Values:' --outfile projects/platform/components/prometheus/values.cue projects/platform/components/prometheus/vendor/25.27.0/prometheus/values.yaml
@@ -55,7 +56,7 @@ mv platform/httpbin.cue.disabled platform/httpbin.cue
 # Render the platform with httpbin
 exec holos render platform ./platform
 stderr -count=1 '^rendered httpbin'
-cmp deploy/components/httpbin/httpbin.gen.yaml want/1.httpbin.gen.yaml
+exec holos compare yaml deploy/components/httpbin/httpbin.gen.yaml want/1.httpbin.gen.yaml

 # Verify the labels are correct
 grep 'replacement: blackbox:9115' deploy/components/prometheus/prometheus.gen.yaml
@@ -73,8 +74,8 @@ core.#BuildPlan & {
 	metadata: name: _Tags.component.name
 }
 -- want/1.platform_spec.yaml --
-apiVersion: v1alpha5
 kind: Platform
+apiVersion: v1alpha5
 metadata:
  name: default
 spec:
--- a/cmd/holos/tests/v1alpha5/issues/holos-show.txt
+++ b/cmd/holos/tests/v1alpha5/issues/holos-show.txt
@@ -1,422 +0,0 @@
-# https://github.com/holos-run/holos/issues/331
-# ensure holos show components --labels selects correctly.
-# ensure BuildPlan includes labels and annotations from the platform component.
-# ensure holos render platform injects the holos_component_labels and
-# holos_component_annotations tags.
-env HOME=$WORK
-
-exec holos init platform v1alpha5 --force
-exec holos show platform
-cmp stdout want/platform.yaml
-
-# all buildplans are selected by default
-exec holos show buildplans
-cmp stdout want/all-buildplans.yaml
-
-# one = works in the selector
-exec holos show buildplans --selector app.holos.run/name=empty1-label
-cmp stdout want/buildplans.1.yaml
-
-# double == works in the selector
-exec holos show buildplans --selector app.holos.run/name==empty2-label
-cmp stdout want/buildplans.2.yaml
-
-# not equal != negates the selection
-exec holos show buildplans --selector app.holos.run/name!=empty3-label
-cmp stdout want/buildplans.3.yaml
-exec holos show buildplans --selector app.holos.run/name!=something-else
-cmp stdout want/buildplans.4.yaml
-
-- platform/empty.cue --
-package holos
-
-Platform: Components: {
-  empty1: _
-  empty2: _
-  empty3: _
-  empty4: _
-}
-- platform/metadata.cue --
-package holos
-
-Platform: Components: [NAME=string]: {
-  name: NAME
-  path: "components/empty"
-  labels: "app.holos.run/name": "\(name)-label"
-  annotations: "app.holos.run/description": "\(name)-annotation empty test case"
-}
-- components/empty/empty.cue --
-package holos
-
-Component: #Kubernetes & {}
-holos: Component.BuildPlan
-- want/platform.yaml --
-apiVersion: v1alpha5
-kind: Platform
-metadata:
-  name: default
-spec:
-  components:
-    - annotations:
-        app.holos.run/description: empty1-annotation empty test case
-      labels:
-        app.holos.run/name: empty1-label
-      name: empty1
-      path: components/empty
-    - annotations:
-        app.holos.run/description: empty2-annotation empty test case
-      labels:
-        app.holos.run/name: empty2-label
-      name: empty2
-      path: components/empty
-    - annotations:
-        app.holos.run/description: empty3-annotation empty test case
-      labels:
-        app.holos.run/name: empty3-label
-      name: empty3
-      path: components/empty
-    - annotations:
-        app.holos.run/description: empty4-annotation empty test case
-      labels:
-        app.holos.run/name: empty4-label
-      name: empty4
-      path: components/empty
-- want/empty.yaml --
-- want/all-buildplans.yaml --
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty1
-  labels:
-    app.holos.run/name: empty1-label
-  annotations:
-    app.holos.run/description: empty1-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty1/empty1.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty1/empty1.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
---
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty2
-  labels:
-    app.holos.run/name: empty2-label
-  annotations:
-    app.holos.run/description: empty2-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty2/empty2.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty2/empty2.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
---
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty3
-  labels:
-    app.holos.run/name: empty3-label
-  annotations:
-    app.holos.run/description: empty3-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty3/empty3.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty3/empty3.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
---
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty4
-  labels:
-    app.holos.run/name: empty4-label
-  annotations:
-    app.holos.run/description: empty4-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty4/empty4.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty4/empty4.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
-- want/buildplans.1.yaml --
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty1
-  labels:
-    app.holos.run/name: empty1-label
-  annotations:
-    app.holos.run/description: empty1-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty1/empty1.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty1/empty1.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
-- want/buildplans.2.yaml --
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty2
-  labels:
-    app.holos.run/name: empty2-label
-  annotations:
-    app.holos.run/description: empty2-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty2/empty2.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty2/empty2.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
-- want/buildplans.3.yaml --
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty1
-  labels:
-    app.holos.run/name: empty1-label
-  annotations:
-    app.holos.run/description: empty1-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty1/empty1.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty1/empty1.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
---
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty2
-  labels:
-    app.holos.run/name: empty2-label
-  annotations:
-    app.holos.run/description: empty2-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty2/empty2.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty2/empty2.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
---
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty4
-  labels:
-    app.holos.run/name: empty4-label
-  annotations:
-    app.holos.run/description: empty4-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty4/empty4.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty4/empty4.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
-- want/buildplans.4.yaml --
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty1
-  labels:
-    app.holos.run/name: empty1-label
-  annotations:
-    app.holos.run/description: empty1-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty1/empty1.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty1/empty1.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
---
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty2
-  labels:
-    app.holos.run/name: empty2-label
-  annotations:
-    app.holos.run/description: empty2-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty2/empty2.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty2/empty2.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
---
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty3
-  labels:
-    app.holos.run/name: empty3-label
-  annotations:
-    app.holos.run/description: empty3-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty3/empty3.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty3/empty3.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
---
-kind: BuildPlan
-apiVersion: v1alpha5
-metadata:
-  name: empty4
-  labels:
-    app.holos.run/name: empty4-label
-  annotations:
-    app.holos.run/description: empty4-annotation empty test case
-spec:
-  artifacts:
-    - artifact: components/empty4/empty4.gen.yaml
-      generators:
-        - kind: Resources
-          output: resources.gen.yaml
-      transformers:
-        - kind: Kustomize
-          inputs:
-            - resources.gen.yaml
-          output: components/empty4/empty4.gen.yaml
-          kustomize:
-            kustomization:
-              apiVersion: kustomize.config.k8s.io/v1beta1
-              kind: Kustomization
-              resources:
-                - resources.gen.yaml
--- a/cmd/holos/tests/v1alpha5/issues/issue348-kustomize-patch-name.txt
+++ b/cmd/holos/tests/v1alpha5/issues/issue348-kustomize-patch-name.txt
@@ -3,7 +3,8 @@
 exec holos init platform v1alpha5 --force
 # want a buildplan shown
 exec holos show buildplans
-cmp stdout buildplan.yaml
+cp stdout buildplan-output.yaml
+exec holos compare yaml buildplan-output.yaml buildplan.yaml
 # want this error to go away
 ! stderr 'cannot convert non-concrete value string'
 -- platform/example.cue --
--- a/cmd/holos/tests/v1alpha5/issues/issue366-cue-build-tags.txt
+++ b/cmd/holos/tests/v1alpha5/issues/issue366-cue-build-tags.txt
@@ -4,10 +4,12 @@ env HOME=$WORK

 exec holos init platform v1alpha5 --force
 exec holos show platform
-cmp stdout want/empty.yaml
+cp stdout empty.yaml
+exec holos compare yaml empty.yaml want/empty.yaml

 exec holos show platform -t foo
-cmp stdout want/foo.yaml
+cp stdout foo.yaml
+exec holos compare yaml foo.yaml want/foo.yaml

 -- platform/empty.cue --
@if(foo)
@@ -29,22 +31,22 @@ package holos
 Component: #Kubernetes & {}
 holos: Component.BuildPlan
 -- want/empty.yaml --
-apiVersion: v1alpha5
 kind: Platform
+apiVersion: v1alpha5
 metadata:
  name: default
 spec:
  components: []
 -- want/foo.yaml --
-apiVersion: v1alpha5
 kind: Platform
+apiVersion: v1alpha5
 metadata:
  name: default
 spec:
  components:
-    - annotations:
-        app.holos.run/description: foo empty test case
+    - name: foo
+      path: components/empty
      labels:
        app.holos.run/name: foo
-      name: foo
-      path: components/empty
+      annotations:
+        app.holos.run/description: foo empty test case
--- a/cmd/holos/tests/v1alpha5/schemas/capabilities.txt
+++ b/cmd/holos/tests/v1alpha5/schemas/capabilities.txt
@@ -1,16 +1,19 @@
 # https://github.com/holos-run/holos/issues/330
+# take care to install helm 3.17.3 otherwise kube versions may not align
 exec holos init platform v1alpha5 --force
+# Make sure the helm chart works with plain helm
 exec helm template ./components/capabilities/vendor/0.1.0/capabilities
-cmp stdout want/helm-template.yaml
+stdout 'name: has-foo-v1beta1'
+stdout 'kubeVersion: v'
 exec holos render platform ./platform
 # When no capabilities are specified
-cmp deploy/components/capabilities/capabilities.gen.yaml want/when-no-capabilities-specified.yaml
+exec holos compare yaml deploy/components/capabilities/capabilities.gen.yaml want/when-no-capabilities-specified.yaml
 # With APIVersions specified
-cmp deploy/components/specified/specified.gen.yaml want/with-capabilities-specified.yaml
+exec holos compare yaml deploy/components/specified/specified.gen.yaml want/with-capabilities-specified.yaml
 # With KubeVersion specified
-cmp deploy/components/kubeversion1/kubeversion1.gen.yaml want/with-kubeversion-specified.yaml
+exec holos compare yaml deploy/components/kubeversion1/kubeversion1.gen.yaml want/with-kubeversion-specified.yaml
 # With both APIVersions and KubeVersion specified
-cmp deploy/components/kubeversion2/kubeversion2.gen.yaml want/with-both-specified.yaml
+exec holos compare yaml deploy/components/kubeversion2/kubeversion2.gen.yaml want/with-both-specified.yaml
 -- want/with-both-specified.yaml --
 apiVersion: v1
 kind: Service
@@ -42,7 +45,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kubeVersion: v1.31.0
+    kubeVersion: v1.99.0
  name: has-foo-v1beta1
 spec:
  ports:
@@ -55,7 +58,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kubeVersion: v1.31.0
+    kubeVersion: v1.99.0
  name: has-foo-v1
 spec:
  ports:
@@ -101,7 +104,7 @@ Component: #Helm & {
        Chart: version: "0.1.0"
        _APIVersions: string | *"[]" @tag(apiVersions, type=string)
        APIVersions: json.Unmarshal(_APIVersions)
-        KubeVersion: string | *"v1.31.0" @tag(kubeVersion, type=string)
+        KubeVersion: string | *"v1.99.0" @tag(kubeVersion, type=string)
 }
 -- components/capabilities/vendor/0.1.0/capabilities/Chart.yaml --
 apiVersion: v2
@@ -135,7 +138,7 @@ kind: Service
 metadata:
  name: has-foo-v1beta1
  annotations:
-    kubeVersion: v1.31.0
+    kubeVersion: v1.99.0
 spec:
  ports:
    - port: 80
--- a/cmd/holos/tests/v1alpha5/schemas/kubernetes.txt
+++ b/cmd/holos/tests/v1alpha5/schemas/kubernetes.txt
@@ -12,7 +12,8 @@ stderr -count=1 '^rendered platform'

 # When author.#Kubernetes is empty
 exec holos cue export --expression holos --out=yaml ./components/empty
-cmp stdout want.txt
+cp stdout empty.yaml
+exec holos compare yaml empty.yaml want.txt

 -- components/empty/empty.cue --
 package holos
@@ -31,7 +32,6 @@ spec:
        - kind: Resources
          output: resources.gen.yaml
          resources: {}
-      validators: []
      transformers:
        - kind: Kustomize
          inputs:
@@ -39,7 +39,8 @@ spec:
          output: components/no-name/no-name.gen.yaml
          kustomize:
            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
              resources:
                - resources.gen.yaml
-              kind: Kustomization
-              apiVersion: kustomize.config.k8s.io/v1beta1
+      validators: []
--- a/doc/md.archive/backstory.md
+++ b/doc/md.archive/backstory.md
@@ -1,3 +0,0 @@
-# Backstory
-
-Holos is a tool intended to lighten the burden of managing Kubernetes resources.  In 2020 we set out to develop a holistic platform composed from open source cloud native components.  We quickly became frustrated with how each of the major components packaged and distributed their software in a different way.  Many projects choose to distribute their software with Helm charts, while others provide plain yaml files and Kustomize bases.  The popular Kube Prometheus Stack project provides Jsonnet to render and update Kubernetes yaml manifests.
--- a/doc/md.archive/cli.md
+++ b/doc/md.archive/cli.md
@@ -1,3 +0,0 @@
-# CLI
-
-Use the `holos` command line interface (CLI) to render individual platform components, entire platforms, and push/pull the platform model.
--- a/doc/md.archive/guides-v1alpha4.md
+++ b/doc/md.archive/guides-v1alpha4.md
@@ -1,29 +0,0 @@
-import DocCardList from '@theme/DocCardList';
-
-# Guides
-
-## Technical Overview
-
-Please see the [Technical Overview] to learn about Holos.  If you're ready to
-drive in and try Holos, please work through the following guides.
-
-## Bank of Holos
-The guides are organized as a progression.  We'll use Holos to manage a
-fictional bank's platform, the Bank of Holos in each of the guides.  In doing so
-we'll take the time to explain the foundational concepts of Holos.
-
-1. [Quickstart] covers the foundational concepts of Holos.
-2. [Deploy a Service] explains how to deploy a containerized service using an
-existing Helm chart.  This guide then explains how to deploy a similar service
-safely and consistently with CUE instead of Helm.
-3. [Change a Service] covers the day two task of making configuration changes to
-deployed services safely and consistently.
-
---
-
-<DocCardList />
-
-[Quickstart]: /docs/quickstart/
-[Deploy a Service]: /docs/guides/deploy-a-service/
-[Change a Service]: /docs/guides/change-a-service/
-[Technical Overview]: /docs/technical-overview/
--- a/doc/md.archive/guides-v1alpha4/change-a-service.mdx
+++ b/doc/md.archive/guides-v1alpha4/change-a-service.mdx
@@ -1,735 +0,0 @@
---
-description: Change a service on your platform.
-slug: /guides/change-a-service
-sidebar_position: 300
---
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import Admonition from '@theme/Admonition';
-
-# Change a Service
-
-In this guide, we'll explore how Holos supports the frontend development team at [Bank of Holos] in reconfiguring an already deployed service. Along the way, we'll demonstrate how simple configuration changes are made safer with type checking, and how rendering the complete platform provides clear visibility into those changes.
-
-This guide builds on the concepts covered in the [Quickstart] and [Deploy a Service] guides.
-
-## What you'll need {#requirements}
-
-Like our other guides, this guide is intended to be useful without needing to
-run each command.  If you'd like to apply the manifests to a real Cluster,
-complete the [Local Cluster Guide](/docs/guides/local-cluster) before this
-guide.
-
-You'll need the following tools installed to run the commands in this guide.
-
-1. [holos](/docs/install) - to build the Platform.
-2. [helm](https://helm.sh/docs/intro/install/) - to render Holos Components that
-wrap Helm charts.
-3. [kubectl](https://kubernetes.io/docs/tasks/tools/) - to render Holos
-Components that render with Kustomize.
-
-## Fork the Git Repository
-
-If you haven't already done so, [fork the Bank of
-Holos](https://github.com/holos-run/bank-of-holos/fork) then clone the
-repository to your local machine.
-
-<Tabs groupId="git-clone">
-  <TabItem value="command" label="Command">
-```bash
-# Change YourName
-git clone https://github.com/YourName/bank-of-holos
-cd bank-of-holos
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt
-Cloning into 'bank-of-holos'...
-remote: Enumerating objects: 1177, done.
-remote: Counting objects: 100% (1177/1177), done.
-remote: Compressing objects: 100% (558/558), done.
-remote: Total 1177 (delta 394), reused 1084 (delta 303), pack-reused 0 (from 0)
-Receiving objects: 100% (1177/1177), 2.89 MiB | 6.07 MiB/s, done.
-Resolving deltas: 100% (394/394), done.
-```
-  </TabItem>
-</Tabs>
-
-Run the rest of the commands in this guide from the root of the repository.
-
-If you plan to apply the changes we make, you can delete and re-create your
-local platform synced to the start of this guide.
-
-```bash
-./scripts/reset-cluster
-./scripts/apply
-```
-
-## Rename the Bank
-
-Let's imagine the bank recently re-branded from The Bank of Holos to The
-Holistic Bank.  The software development team responsible for the front end
-website needs to update the branding accordingly.
-
-Let's explore how Holos catches errors early, before they land in production,
-then guides the team to the best place to make a change.
-
-The bank front end web service is managed by the
-`projects/bank-of-holos/frontend/components/bank-frontend/` component which
-refers to the organization display name in `schema.gen.cue`.
-
-<Tabs groupId="F5B546EB-566F-4B83-84C3-C55B40F55555">
-  <TabItem value="schema.cue" label="schema.cue">
-```cue showLineNumbers
-package holos
-
-import api "github.com/holos-run/holos/api/author/v1alpha4"
-
-// Define the default organization name.
-_Organization: api.#OrganizationStrict & {
-	DisplayName: string | *"Bank of Holos"
-	Name:        string | *"bank-of-holos"
-	Domain:      string | *"holos.localhost"
-}
-
-// Projects represents a way to organize components into projects with owners.
-// https://holos.run/docs/api/author/v1alpha4/#Projects
-_Projects: api.#Projects
-
-// ArgoConfig represents the configuration of ArgoCD Application resources for
-// each component.
-// https://holos.run/docs/api/author/v1alpha4/#ArgoConfig
-_ArgoConfig: api.#ArgoConfig
-
-#ComponentConfig: api.#ComponentConfig & {
-	Name:      _Tags.name
-	Component: _Tags.component
-	Cluster:   _Tags.cluster
-	ArgoConfig: _ArgoConfig & {
-		if _Tags.project != "no-project" {
-			AppProject: _Tags.project
-		}
-	}
-	Resources: #Resources
-
-	// Mix in project labels if the project is defined by the platform.
-	if _Tags.project != "no-project" {
-		CommonLabels: _Projects[_Tags.project].CommonLabels
-	}
-}
-
-// https://holos.run/docs/api/author/v1alpha4/#Kubernetes
-#Kubernetes: close({
-	#ComponentConfig
-	api.#Kubernetes
-})
-
-// https://holos.run/docs/api/author/v1alpha4/#Kustomize
-#Kustomize: close({
-	#ComponentConfig
-	api.#Kustomize
-})
-
-// https://holos.run/docs/api/author/v1alpha4/#Helm
-#Helm: close({
-	#ComponentConfig
-	api.#Helm
-})
-```
-  </TabItem>
-  <TabItem value="projects/bank-of-holos/frontend/components/bank-frontend/bank-frontend.cue" label="projects/bank-of-holos/frontend/components/bank-frontend/bank-frontend.cue">
-```cue showLineNumbers
-package holos
-
-// Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).BuildPlan
-
-let Objects = {
-	Name:      "bank-frontend"
-	Namespace: _BankOfHolos.Frontend.Namespace
-
-	// Ensure resources go in the correct namespace
-	Resources: [_]: [_]: metadata: namespace: Namespace
-
-	// https://github.com/GoogleCloudPlatform/bank-of-anthos/blob/release/v0.6.5/kubernetes-manifests/frontend.yaml
-	Resources: {
-		Service: frontend: {
-			metadata: name: "frontend"
-			metadata: labels: {
-				application: "bank-of-holos"
-				environment: "development"
-				team:        "frontend"
-				tier:        "web"
-			}
-			spec: {
-				selector: {
-					app:         "frontend"
-					application: "bank-of-holos"
-					environment: "development"
-					team:        "frontend"
-					tier:        "web"
-				}
-				_ports: http: {
-					name:       "http"
-					port:       80
-					targetPort: 8080
-					protocol:   "TCP"
-				}
-				ports: [for x in _ports {x}]
-			}
-		}
-
-		Deployment: frontend: {
-			metadata: name: "frontend"
-			metadata: labels: {
-				application: "bank-of-holos"
-				environment: "development"
-				team:        "frontend"
-				tier:        "web"
-			}
-			spec: {
-				selector: matchLabels: {
-					app:         "frontend"
-					application: "bank-of-holos"
-					environment: "development"
-					team:        "frontend"
-					tier:        "web"
-				}
-				template: {
-					metadata: labels: {
-						app:         "frontend"
-						application: "bank-of-holos"
-						environment: "development"
-						team:        "frontend"
-						tier:        "web"
-					}
-					spec: {
-						securityContext: {
-							seccompProfile: type: "RuntimeDefault"
-							fsGroup:      1000
-							runAsGroup:   1000
-							runAsNonRoot: true
-							runAsUser:    1000
-						}
-						serviceAccountName:            "bank-of-holos"
-						terminationGracePeriodSeconds: 5
-						containers: [{
-							env: [{
-								name:  "BANK_NAME"
-								value: _Organization.DisplayName
-							}, {
-								name:  "ENV_PLATFORM"
-								value: "local"
-							}, {
-								name:  "VERSION"
-								value: "v0.6.5"
-							}, {
-								name:  "PORT"
-								value: "8080"
-							}, {
-								name:  "ENABLE_TRACING"
-								value: "false"
-							}, {
-								name:  "SCHEME"
-								value: "https"
-							}, {
-								name:  "LOG_LEVEL"
-								value: "info"
-							}, {
-								name: "DEFAULT_USERNAME"
-								valueFrom: configMapKeyRef: {
-									key:  "DEMO_LOGIN_USERNAME"
-									name: "demo-data-config"
-								}
-							}, {
-								name: "DEFAULT_PASSWORD"
-								valueFrom: configMapKeyRef: {
-									key:  "DEMO_LOGIN_PASSWORD"
-									name: "demo-data-config"
-								}
-							}, {
-								name: "REGISTERED_OAUTH_CLIENT_ID"
-								valueFrom: configMapKeyRef: {
-									key:      "DEMO_OAUTH_CLIENT_ID"
-									name:     "oauth-config"
-									optional: true
-								}
-							}, {
-								name: "ALLOWED_OAUTH_REDIRECT_URI"
-								valueFrom: configMapKeyRef: {
-									key:      "DEMO_OAUTH_REDIRECT_URI"
-									name:     "oauth-config"
-									optional: true
-								}
-							}]
-							envFrom: [{
-								configMapRef: name: "environment-config"
-							}, {
-								configMapRef: name: "service-api-config"
-							}]
-							image: "us-central1-docker.pkg.dev/bank-of-anthos-ci/bank-of-anthos/frontend:v0.6.5@sha256:d72050f70d12383e4434ad04d189b681dc625f696087ddf0b5df641645c9dafa"
-							livenessProbe: {
-								httpGet: {
-									path: "/ready"
-									port: 8080
-								}
-								initialDelaySeconds: 60
-								periodSeconds:       15
-								timeoutSeconds:      30
-							}
-							name: "front"
-							readinessProbe: {
-								httpGet: {
-									path: "/ready"
-									port: 8080
-								}
-								initialDelaySeconds: 10
-								periodSeconds:       5
-								timeoutSeconds:      10
-							}
-							resources: {
-								limits: {
-									cpu:    "250m"
-									memory: "128Mi"
-								}
-								requests: {
-									cpu:    "100m"
-									memory: "64Mi"
-								}
-							}
-							securityContext: {
-								allowPrivilegeEscalation: false
-								capabilities: drop: ["all"]
-								privileged:             false
-								readOnlyRootFilesystem: true
-							}
-							volumeMounts: [{
-								mountPath: "/tmp"
-								name:      "tmp"
-							}, {
-								mountPath: "/tmp/.ssh"
-								name:      "publickey"
-								readOnly:  true
-							}]
-						}]
-						volumes: [
-							{
-								emptyDir: {}
-								name: "tmp"
-							},
-							{
-								name: "publickey"
-								secret: {
-									items: [{key: "jwtRS256.key.pub", path: "publickey"}]
-									secretName: "jwt-key"
-								}
-							},
-						]
-					}
-				}
-			}
-		}
-
-		// Allow HTTPRoutes in the ingress gateway namespace to reference Services
-		// in this namespace.
-		ReferenceGrant: grant: _ReferenceGrant & {
-			metadata: namespace: Namespace
-		}
-
-		// Include shared resources
-		_BankOfHolos.Resources
-	}
-}
-```
-  </TabItem>
-</Tabs>
-
-Line 7 of the `schema.cue` file defines the _default_ value for
-`_Organization.DisplayName` by using `string | *"..."`.  In CUE, the `*`
-asterisk character denotes a [default value].
-
-Line 78 of the `bank-frontend.cue` file refers to `_Organization.DisplayName` to
-configure the front end web container.
-
-Let's change the name of the bank by defining a new value for
-`_Organization.DisplayName` at the root of the configuration.  Create
-`projects/organization.cue` with the following content.
-
-<Tabs groupId="B386181F-EBE7-469D-8CB5-37631067669B">
-  <TabItem value="projects/organization.cue" label="projects/organization.cue">
-```cue showLineNumbers
-package holos
-
-_Organization: DisplayName: "The Holistic-Bank"
-```
-  </TabItem>
-</Tabs>
-
-Let's render the platform and see if this changes the name.
-
-<Tabs groupId="A014333C-3271-4C22-87E6-2B7BF898EA3E">
-  <TabItem value="command" label="Command">
-```bash
-holos render platform ./platform
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt
-could not run: could not marshal json projects/platform/components/istio/cni: cue: marshal error: _Organization.DisplayName: 2 errors in empty disjunction: (and 2 more errors) at internal/builder/builder.go:63
-_Organization.DisplayName: _Organization.DisplayName: 2 errors in empty disjunction: (and 2 more errors)
-could not run: could not marshal json projects/platform/components/argocd/crds: cue: marshal error: _Organization.DisplayName: 2 errors in empty disjunction: (and 2 more errors) at internal/builder/builder.go:63
-_Organization.DisplayName: _Organization.DisplayName: 2 errors in empty disjunction: (and 2 more errors)
-could not run: could not render component: exit status 1 at builder/v1alpha4/builder.go:95
-```
-  </TabItem>
-</Tabs>
-
-:::warning Whoops
-The development team defined a value that isn't allowed by the
-configuration.
-:::
-
-Someone else in the organization placed a [constraint] on the
-configuration to ensure the display name contains only letters, numbers, and
-spaces.  This constraint is expressed as a [regular expression].
-
-:::tip
-CUE provides clear visibility where to start looking to resolve conflicts.  Each
-file and line number listed is a place the `#Organization.DisplayName` field is
-defined.
-:::
-
-Let's try again, this time replacing the hyphen with a space.
-
-<Tabs groupId="F93B34FA-C0C6-4793-A32F-DAD094403208">
-  <TabItem value="projects/organization.cue" label="projects/organization.cue">
-```cue showLineNumbers
-package holos
-
-_Organization: DisplayName: "The Holistic Bank"
-```
-  </TabItem>
-</Tabs>
-
-<Tabs groupId="5FD68778-476A-4F82-8817-71CEE205216E">
-  <TabItem value="command" label="Command">
-```bash
-holos render platform ./platform
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt
-rendered bank-ledger-db for cluster workload in 139.863625ms
-rendered bank-accounts-db for cluster workload in 151.74875ms
-rendered bank-balance-reader for cluster workload in 154.356083ms
-rendered bank-ledger-writer for cluster workload in 161.209541ms
-rendered bank-userservice for cluster workload in 163.373417ms
-rendered bank-backend-config for cluster workload in 179.271208ms
-rendered bank-secrets for cluster workload in 204.35625ms
-rendered gateway for cluster workload in 118.707583ms
-rendered httproutes for cluster workload in 140.981541ms
-rendered bank-transaction-history for cluster workload in 156.066875ms
-rendered bank-frontend for cluster workload in 300.102292ms
-rendered bank-contacts for cluster workload in 159.89625ms
-rendered cni for cluster workload in 150.754458ms
-rendered istiod for cluster workload in 222.922625ms
-rendered app-projects for cluster workload in 118.422792ms
-rendered ztunnel for cluster workload in 142.840625ms
-rendered cert-manager for cluster workload in 190.938834ms
-rendered base for cluster workload in 340.679416ms
-rendered local-ca for cluster workload in 107.120334ms
-rendered external-secrets for cluster workload in 145.020834ms
-rendered argocd for cluster workload in 299.690917ms
-rendered namespaces for cluster workload in 115.862334ms
-rendered gateway-api for cluster workload in 225.783833ms
-rendered external-secrets-crds for cluster workload in 339.741166ms
-rendered crds for cluster workload in 421.849041ms
-rendered platform in 718.015959ms
-```
-  </TabItem>
-</Tabs>
-
-:::tip Success
-Great, the platform rendered.  We know the display name is valid according to
-the constraints.
-:::
-
-Let's see if the new display name value updated the configuration for the bank
-frontend.
-
-<Tabs groupId="6C068651-2061-4262-BE1E-7BB3E7EB66CB">
-  <TabItem value="command" label="Command">
-```bash
-git status
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt
-On branch main
-Your branch and 'jeffmccune/main' have diverged,
-and have 2 and 4 different commits each, respectively.
-  (use "git pull" to merge the remote branch into yours)
-
-Changes not staged for commit:
-  (use "git add <file>..." to update what will be committed)
-  (use "git restore <file>..." to discard changes in working directory)
-        // highlight-next-line
-        modified:   deploy/clusters/workload/components/app-projects/app-projects.gen.yaml
-        modified:   deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml
-
-Untracked files:
-  (use "git add <file>..." to include in what will be committed)
-        projects/organization.cue
-
-no changes added to commit (use "git add" and/or "git commit -a")
-```
-  </TabItem>
-</Tabs>
-
-<Tabs groupId="4A20831E-461B-4EDE-8F6E-E73C3AEC12DB">
-  <TabItem value="command" label="Command">
-```bash
-git diff
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```diff
-diff --git a/deploy/clusters/workload/components/app-projects/app-projects.gen.yaml b/deploy/clusters/workload/components/app-projects/app-projects.gen.yaml
-index 7914756..250c660 100644
--- a/deploy/clusters/workload/components/app-projects/app-projects.gen.yaml
-+++ b/deploy/clusters/workload/components/app-projects/app-projects.gen.yaml
-@@ -9,7 +9,7 @@ spec:
-   clusterResourceWhitelist:
-     - group: '*'
-       kind: '*'
-  description: Holos managed AppProject for Bank of Holos
-+  description: Holos managed AppProject for The Holistic Bank
-   destinations:
-     - namespace: '*'
-       server: '*'
-@@ -26,7 +26,7 @@ spec:
-   clusterResourceWhitelist:
-     - group: '*'
-       kind: '*'
-  description: Holos managed AppProject for Bank of Holos
-+  description: Holos managed AppProject for The Holistic Bank
-   destinations:
-     - namespace: '*'
-       server: '*'
-@@ -43,7 +43,7 @@ spec:
-   clusterResourceWhitelist:
-     - group: '*'
-       kind: '*'
-  description: Holos managed AppProject for Bank of Holos
-+  description: Holos managed AppProject for The Holistic Bank
-   destinations:
-     - namespace: '*'
-       server: '*'
-@@ -60,7 +60,7 @@ spec:
-   clusterResourceWhitelist:
-     - group: '*'
-       kind: '*'
-  description: Holos managed AppProject for Bank of Holos
-+  description: Holos managed AppProject for The Holistic Bank
-   destinations:
-     - namespace: '*'
-       server: '*'
-diff --git a/deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml b/deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml
-index dae6f93..d41516b 100644
--- a/deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml
-+++ b/deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml
-@@ -71,7 +71,7 @@ spec:
-       containers:
-         - env:
-             - name: BANK_NAME
-              value: Bank of Holos
-+              value: The Holistic Bank
-             - name: ENV_PLATFORM
-               value: local
-             - name: VERSION
-
-```
-  </TabItem>
-</Tabs>
-
-:::danger
-The new display name changed the frontend container, but it _also_ affected the
-app-projects component owned by the platform team.
-:::
-
-Submitting a pull request would trigger a code review from the platform
-engineering team who manages the app-projects component.  Let's see how to
-narrow the change down to limit the scope to the bank's user facing services.
-All of these services are managed under `projects/bank-of-holos/` Move the
-`organization.cue` file into this folder to limit the scope of configuration to
-the the components contained within.
-
-```bash
-mv projects/organization.cue projects/bank-of-holos/
-```
-
-Render the platform and let's see what changed.
-
-<Tabs groupId="0FFEC244-B59B-4136-9C82-837985DC2AB8">
-  <TabItem value="command" label="Command">
-```bash
-holos render platform ./platform
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt
-rendered bank-ledger-db for cluster workload in 163.814917ms
-rendered bank-accounts-db for cluster workload in 163.960208ms
-rendered bank-userservice for cluster workload in 164.1625ms
-rendered bank-ledger-writer for cluster workload in 169.185291ms
-rendered bank-balance-reader for cluster workload in 174.5455ms
-rendered bank-backend-config for cluster workload in 178.092125ms
-rendered bank-secrets for cluster workload in 202.305334ms
-rendered gateway for cluster workload in 122.81725ms
-rendered httproutes for cluster workload in 134.121084ms
-rendered bank-contacts for cluster workload in 146.4185ms
-rendered bank-frontend for cluster workload in 311.35425ms
-rendered bank-transaction-history for cluster workload in 160.103ms
-rendered cni for cluster workload in 145.762083ms
-rendered istiod for cluster workload in 216.0065ms
-rendered app-projects for cluster workload in 117.684333ms
-rendered ztunnel for cluster workload in 144.555292ms
-rendered cert-manager for cluster workload in 178.247917ms
-rendered base for cluster workload in 336.679ms
-rendered external-secrets for cluster workload in 142.21825ms
-rendered local-ca for cluster workload in 101.249ms
-rendered argocd for cluster workload in 280.54525ms
-rendered namespaces for cluster workload in 106.822042ms
-rendered gateway-api for cluster workload in 200.459791ms
-rendered external-secrets-crds for cluster workload in 470.125833ms
-rendered crds for cluster workload in 844.388666ms
-rendered platform in 1.154937084s
-```
-  </TabItem>
-</Tabs>
-
-<Tabs groupId="DE4FEEE5-FC53-48A6-BC6F-D0EA1DBFD00C">
-  <TabItem value="command" label="Command">
-```bash
-git diff
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```diff
-diff --git a/deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml b/deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml
-index dae6f93..d41516b 100644
--- a/deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml
-+++ b/deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml
-@@ -71,7 +71,7 @@ spec:
-       containers:
-         - env:
-             - name: BANK_NAME
-              value: Bank of Holos
-+              value: The Holistic Bank
-             - name: ENV_PLATFORM
-               value: local
-             - name: VERSION
-
-```
-  </TabItem>
-</Tabs>
-
-:::tip Success
-Great!  This time, the only manifest affected is our `bank-frontend.gen.yaml`.
-:::
-
-The `BANK_NAME` environment variable will change as we expect, and only the dev
-teams managing the bank services components are affected by the change.
-
-Let's commit and push this change and see if it works.
-
-<Tabs groupId="435D9C60-F841-4CF1-A947-506422E6BAC9">
-  <TabItem value="command" label="Command">
-```bash
-git add .
-git commit -m 'frontend: rename bank to The Holistic Bank'
-git push
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt
-[main fda74ec] frontend: rename bank to The Holistic Bank
- 2 files changed, 4 insertions(+), 1 deletion(-)
- create mode 100644 projects/bank-of-holos/organization.cue
-```
-  </TabItem>
-</Tabs>
-
-Now that we've pushed the change, let's apply the change to the platform.
-
-## Apply the Change
-
-Once we've pushed the change, navigate to the [bank-frontend GitOps
-Application](https://argocd.holos.localhost/applications/argocd/bank-frontend?view=tree&resource=).
-We can see the Deployment needs to sync to the desired state we just pushed.
-
-![bank-frontend out of sync](./img/change-a-service-out-of-sync.png)
-
-Clicking on the frontend Deployment, we see the diff with the change we expect.
-
-![bank-frontend diff](./img/change-a-service-diff.png)
-
-Sync the change, ArgoCD applies the desired configuration state to the cluster
-and Kubernetes handles rolling out the updated Deployment resource.
-
-![bank-frontend progressing](./img/change-a-service-progressing.png)
-
-Soon, the deployment finishes and the component is in sync again.
-
-![bank-frontend in sync](./img/change-a-service-in-sync.png)
-
-Finally, let's see if the name actually changed on the website.  Navigate to
-https://bank.holos.localhost/.
-
-![bank-frontend login page](./img/change-a-service-login-page.png)
-
-:::tip Success
-We successfully made our change and successfully applied the changed
-configuration to the platform.
-:::
-
-Thanks for taking the time to work through this guide which covered:
-
- How multiple teams could be impacted by defining configuration at the
-`projects/` path.
- How to scope our change to only affect components within the
-`projects/bank-of-holos/` path, eliminating the impact on other teams.
- How CUE can [constrain] values in Holos, increasing safety.
- How to handle a [default value] in CUE.
- How CUE surfaces the file and line number of _every_ place to look for where a
-value is defined, making it faster and easier to troubleshoot problems.
-
-
-[Quickstart]: /docs/quickstart/
-[Deploy a Service]: /docs/guides/deploy-a-service/
-[Change a Service]: /docs/guides/change-a-service/
-[Helm]: /docs/api/author/v1alpha3/#Helm
-[Kubernetes]: /docs/api/author/v1alpha3/#Kubernetes
-[Kustomize]: /docs/api/author/v1alpha3/#Kustomize
-[ComponentFields]: /docs/api/author/v1alpha3/#ComponentFields
-[platform-files]: /docs/quickstart/#how-platform-rendering-works
-[AppProject]: https://argo-cd.readthedocs.io/en/stable/user-guide/projects/
-[unification operator]: https://cuelang.org/docs/reference/spec/#unification
-[code-owners]: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
-[Kustomization API]: https://github.com/kubernetes-sigs/kustomize/blob/release-kustomize-v5.2/api/types/kustomization.go#L34
-[cue import]: https://cuelang.org/docs/reference/command/cue-help-import/
-[cue get go]: https://cuelang.org/docs/concept/how-cue-works-with-go/
-[timoni-crds]: https://timoni.sh/cue/module/custom-resources/
-[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/?h=filter
-[Ingress]: https://kubernetes.io/docs/concepts/services-networking/ingress/
-[hidden field]: https://cuelang.org/docs/tour/references/hidden/
-[comprehension]: https://cuelang.org/docs/reference/spec/#comprehensions
-[code owners]: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
-[ReferenceGrant]: https://gateway-api.sigs.k8s.io/api-types/referencegrant/
-[Local Cluster Guide]: /docs/guides/local-cluster
-[Bank of Holos]: https://github.com/holos-run/bank-of-holos
-[default value]: https://cuelang.org/docs/tour/types/defaults/
-[constrain]: https://cuelang.org/docs/tour/basics/constraints/
-[constraint]: https://cuelang.org/docs/tour/basics/constraints/
-[regular expression]: https://cuelang.org/docs/tour/expressions/regexp/
--- a/doc/md.archive/guides-v1alpha4/deploy-a-service.mdx
+++ b/doc/md.archive/guides-v1alpha4/deploy-a-service.mdx
--- a/doc/md.archive/guides-v1alpha4/helm.mdx
+++ b/doc/md.archive/guides-v1alpha4/helm.mdx
--- a/doc/md.archive/guides-v1alpha4/img/bank-home.png
+++ b/doc/md.archive/guides-v1alpha4/img/bank-home.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-diff.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-diff.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-in-sync.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-in-sync.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-login-page.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-login-page.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-out-of-sync.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-out-of-sync.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-progressing.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-progressing.png
--- a/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-deployed.png
+++ b/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-deployed.png
--- a/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-greetings.png
+++ b/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-greetings.png
--- a/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-missing.png
+++ b/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-missing.png
--- a/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-sync.png
+++ b/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-sync.png
--- a/doc/md.archive/guides-v1alpha4/quickstart.mdx
+++ b/doc/md.archive/guides-v1alpha4/quickstart.mdx
--- a/doc/md.archive/guides/2024-09-15-quickstart.mdx
+++ b/doc/md.archive/guides/2024-09-15-quickstart.mdx
@@ -1,724 +0,0 @@
---
-description: Try Holos with this quick start guide.
-slug: /archive/2024-09-15-quickstart
-sidebar_position: 100
---
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import Admonition from '@theme/Admonition';
-
-# Quickstart
-
-In this guide, you'll experience how Holos makes the process of operating a
-Platform safer, easier, and more consistent. We'll use Holos to manage a
-vendor-provided Helm chart as a Component. Next, we'll mix in our own custom
-resources to manage the Component with GitOps. Finally, you'll see how Holos
-makes it safer and easier to maintain software over time by surfacing the exact
-changes that will be applied when upgrading the vendor's chart to a new version,
-before they are actually made.
-
-The [Concepts](/docs/concepts) page defines capitalized terms such as Platform
-and Component.
-
-## What you'll need {#requirements}
-
-You'll need the following tools installed to complete this guide.
-
-1. [holos](/docs/install) - to build the Platform.
-2. [helm](https://helm.sh/docs/intro/install/) - to render Holos Components that
-wrap upstream Helm charts.
-
-Optionally, if you'd like to apply the rendered manifests to a real Cluster,
-first complete the [Local Cluster Guide](/docs/guides/local-cluster).
-
-## Install Holos
-
-Install Holos with the following command or other methods listed on the
-[Installation](/docs/install/) page.
-
-```bash
-go install github.com/holos-run/holos/cmd/holos@latest
-```
-
-## Create a Git Repository
-
-Start by initializing an empty Git repository. Holos operates on local files
-stored in a Git repository.
-
-<Tabs groupId="init">
-  <TabItem value="command" label="Command">
-    ```bash
-    mkdir holos-quickstart
-    cd holos-quickstart
-    git init
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    Initialized empty Git repository in /holos-quickstart/.git/
-    ```
-  </TabItem>
-</Tabs>
-
-This guide assumes you will run commands from the root directory of the Git
-repository unless stated otherwise.
-
-## Generate the Platform {#Generate-Platform}
-
-Generate the Platform code in the repository root. A Platform refers to the
-entire set of software holistically integrated to provide a software development
-platform for your organization. In this guide, the Platform will include a
-single Component to demonstrate how the concepts fit together.
-
-```bash
-holos generate platform quickstart
-```
-
-Commit the generated platform config to the repository.
-
-<Tabs groupId="commit-platform">
-  <TabItem value="command" label="Command">
-    ```bash
-    git add .
-    git commit -m "holos generate platform quickstart - $(holos --version)"
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    [main (root-commit) 0b17b7f] holos generate platform quickstart
-     213 files changed, 72349 insertions(+)
-     ...
-    ```
-  </TabItem>
-</Tabs>
-
-## Generate a Component {#generate-component}
-
-The platform you generated is currently empty. Run the following command to
-generate the CUE code that defines a Helm Component.
-
-<Tabs groupId="gen-podinfo">
-  <TabItem value="command" label="Command">
-    ```bash
-    holos generate component podinfo --component-version 6.6.1
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    generated component
-    ```
-  </TabItem>
-</Tabs>
-
-The --component-version 6.6.1 flag intentionally installs an older release.
-You'll see how Holos assists with software upgrades later in this guide.
-
-The generate component command creates two files: a leaf file,
-`components/podinfo/podinfo.gen.cue`, and a root file, `podinfo.gen.cue`. Holos
-leverages the fact that [order is
-irrelevant](https://cuelang.org/docs/tour/basics/order-irrelevance/) in CUE to
-register the component with the Platform by adding a file to the root of the Git
-repository. The second file defines the component in the leaf component
-directory.
-
-<Tabs groupId="podinfo-files">
-  <TabItem value="components/podinfo/podinfo.gen.cue" label="Leaf">
-    `components/podinfo/podinfo.gen.cue`
-    ```cue showLineNumbers
-    package holos
-
-    // Produce a helm chart build plan.
-    (#Helm & Chart).Output
-
-    let Chart = {
-      Name:      "podinfo"
-      Version:   "6.6.1"
-      Namespace: "default"
-
-      Repo: name: "podinfo"
-      Repo: url:  "https://stefanprodan.github.io/podinfo"
-
-      Values: {}
-    }
-    ```
-  </TabItem>
-  <TabItem value="podinfo.gen.cue" label="Root">
-    `podinfo.gen.cue`
-    ```cue showLineNumbers
-    package holos
-
-    // Manage podinfo on workload clusters only
-    for Cluster in #Fleets.workload.clusters {
-      #Platform: Components: "\(Cluster.name)/podinfo": {
-        path:    "components/podinfo"
-        cluster: Cluster.name
-      }
-    }
-    ```
-  </TabItem>
-</Tabs>
-
-In this example, we provide the minimal information needed to manage the Helm
-chart: the name, version, Kubernetes namespace for deployment, and the chart
-repository location.
-
-This chart deploys cleanly without any values provided, but we include an empty
-Values struct to show how Holos improves consistency and safety in Helm by
-leveraging the strong type-checking in CUE. You can safely pass shared values,
-such as the organization’s domain name, to all Components across all clusters in
-the Platform by defining them at the root of the configuration.
-
-Commit the generated component config to the repository.
-
-<Tabs groupId="commit-component">
-  <TabItem value="command" label="Command">
-    ```bash
-    git add .
-    git commit -m "holos generate component podinfo - $(holos --version)"
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    [main cc0e90c] holos generate component podinfo
-     2 files changed, 24 insertions(+)
-     create mode 100644 components/podinfo/podinfo.gen.cue
-     create mode 100644 podinfo.gen.cue
-    ```
-  </TabItem>
-</Tabs>
-
-## Render the Component
-
-You can render individual components without adding them to a Platform, which is
-helpful when developing a new component.
-
-<Tabs groupId="render-podinfo">
-  <TabItem value="command" label="Command">
-    ```bash
-    holos render component ./components/podinfo --cluster-name=default
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    cached
-    rendered podinfo
-    ```
-  </TabItem>
-</Tabs>
-
-First, the command caches the Helm chart locally to speed up subsequent
-renderings. Then, the command runs Helm to produce the output and writes it into
-the deploy directory.
-
-<Tabs groupId="tree-podinfo">
-  <TabItem value="command" label="Command">
-    ```bash
-    tree deploy
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    deploy
-    └── clusters
-        └── default
-            └── components
-                └── podinfo
-                    └── podinfo.gen.yaml
-
-    5 directories, 1 file
-    ```
-  </TabItem>
-</Tabs>
-
-The component deploys to one cluster named `default`. In practice, the same
-component is often deployed to multiple clusters, such as `east` and `west` to
-provide redundancy and increase availability.
-
-:::tip
-This example is equivalent to running `helm template` on the chart and saving
-the output to a file. Holos simplifies this task, making it safer and more
-consistent when managing many charts.
-:::
-
-## Mix in an ArgoCD Application
-
-We've seen how Holos works with Helm, but we haven't yet explored how Holos
-makes it easier to consistently and safely manage all of the software in a
-Platform.
-
-Holos allows you to easily mix in resources that differentiate your Platform.
-We'll use this feature to mix in an ArgoCD [Application][application] to manage
-the podinfo Component with GitOps. We'll define this configuration in a way that
-can be automatically and consistently reused across all future Components added
-to the Platform.
-
-Create a new file named `argocd.cue` in the root of your Git repository with the
-following contents:
-
-<Tabs groupId="argocd-config">
-  <TabItem value="command" label="argocd.cue">
-    ```cue showLineNumbers
-    package holos
-
-    #ArgoConfig: {
-      Enabled: true
-      RepoURL: "https://github.com/holos-run/holos-quickstart-guide"
-    }
-    ```
-  </TabItem>
-</Tabs>
-
-:::tip
-If you plan to apply the rendered output to a real cluster, change the
-`example.com` RepoURL to the URL of the Git repository you created in this
-guide. You don't need to change the example if you're just exploring Holos by
-inspecting the rendered output without applying it to a live cluster.
-:::
-
-With this file in place, render the component again.
-
-<Tabs groupId="render-podinfo-argocd">
-  <TabItem value="command" label="Command">
-    ```bash
-    holos render component ./components/podinfo --cluster-name=default
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    wrote deploy file
-    rendered gitops/podinfo
-    rendered podinfo
-    ```
-  </TabItem>
-</Tabs>
-
-Holos uses the locally cached chart to improve performance and reliability. It
-then renders the Helm template output along with an ArgoCD Application resource
-for GitOps.
-
-:::tip
-By defining the ArgoCD configuration at the root, we again take advantage of the
-fact that [order is
-irrelevant](https://cuelang.org/docs/tour/basics/order-irrelevance/) in CUE.
-:::
-
-Defining the configuration at the root ensures all future leaf Components take
-the ArgoCD configuration and render an Application manifest for GitOps
-management.
-
-<Tabs groupId="tree-podinfo-argocd">
-  <TabItem value="command" label="Command">
-    ```bash
-    tree deploy
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    deploy
-    └── clusters
-        └── default
-            ├── components
-            │   └── podinfo
-            │       └── podinfo.gen.yaml
-            └── gitops
-                └── podinfo.application.gen.yaml
-
-    6 directories, 2 files
-    ```
-  </TabItem>
-</Tabs>
-
-Notice the new `podinfo.application.gen.yaml` file created by enabling ArgoCD in
-the Helm component. The Application resource in the file looks like this:
-
-<Tabs groupId="podinfo-application">
-  <TabItem value="file" label="podinfo.application.gen.yaml">
-    ```yaml showLineNumbers
-    apiVersion: argoproj.io/v1alpha1
-    kind: Application
-    metadata:
-      name: podinfo
-      namespace: argocd
-    spec:
-      destination:
-        server: https://kubernetes.default.svc
-      project: default
-      source:
-        path: ./deploy/clusters/default/components/podinfo
-        repoURL: https://example.com/holos-quickstart.git
-        targetRevision: main
-    ```
-  </TabItem>
-</Tabs>
-
-:::tip
-Holos generates a similar Application resource for every additional Component
-added to your Platform.
-:::
-
-Finally, add and commit the results to your Platform's Git repository.
-
-<Tabs groupId="commit-argo">
-  <TabItem value="command" label="Command">
-    ```bash
-    git add .
-    git commit -m "holos render component ./components/podinfo --cluster-name=default"
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    [main f95cef1] holos render component ./components/podinfo --cluster-name=default
-     3 files changed, 134 insertions(+)
-     create mode 100644 argocd.cue
-     create mode 100644 deploy/clusters/default/components/podinfo/podinfo.gen.yaml
-     create mode 100644 deploy/clusters/default/gitops/podinfo.application.gen.yaml
-    ```
-  </TabItem>
-</Tabs>
-
-In this section, we learned how Holos simplifies mixing resources into
-Components, like an ArgoCD Application. Holos ensures consistency by managing an
-Application resource for every Component added to the Platform through the
-configuration you define in `argocd.cue` at the root of the repository.
-
-## Define Workload Clusters {#workload-clusters}
-
-We've generated a Component to manage podinfo and integrated it with our
-Platform, but rendering the Platform doesn't render podinfo. Podinfo isn't
-rendered because we haven't assigned any Clusters to the workload Fleet.
-
-Define two new clusters, `east` and `west`, and assign them to the workload
-Fleet. Create a new file named `clusters.cue` in the root of your Git repository
-with the following contents:
-
-<Tabs groupId="clusters">
-  <TabItem value="clusters.cue" label="clusters.cue">
-    ```cue showLineNumbers
-    package holos
-
-    // Define two workload clusters for disaster recovery.
-    #Fleets: workload: clusters: {
-      // In CUE _ indicates values are defined elsewhere.
-      east: _
-      west: _
-    }
-    ```
-  </TabItem>
-</Tabs>
-
-This example shows how Holos simplifies configuring multiple clusters with
-similar configuration by grouping them into a Fleet.
-
-:::tip
-Fleets help segment a group of Clusters into one leader and multiple followers
-by designating one cluster as the primary. Holos makes it safer, easier, and
-more consistent to reconfigure which cluster is the primary. The primary can be
-set to automatically restore persistent data from backups, while non-primary
-clusters can be configured to automatically replicate from the primary.
-
-Automatic database backup, restore, and streaming replication is an advanced
-topic enabled by Cloud Native PG and CUE. Check back for a guide on this and
-other Day 2 operations topics.
-:::
-
-## Render the Platform {#render-platform}
-
-Render the Platform to render the podinfo Component for each of the workload
-clusters.
-
-<Tabs groupId="render-platform">
-  <TabItem value="command" label="Command">
-    ```bash
-    holos render platform ./platform
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    rendered components/podinfo for cluster west in 99.480792ms
-    rendered components/podinfo for cluster east in 99.882667ms
-    ```
-  </TabItem>
-</Tabs>
-
-The render platform command iterates over every Cluster in the Fleet and renders
-each Component assigned to the Fleet. Notice the two additional subdirectories
-created under the deploy directory, one for each cluster: `east` and `west`.
-
-<Tabs groupId="tree-platform">
-  <TabItem value="command" label="Command">
-    ```bash
-    tree deploy
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    deploy
-    └── clusters
-        ├── default
-        │   ├── components
-        │   │   └── podinfo
-        │   │       └── podinfo.gen.yaml
-        │   └── gitops
-        │       └── podinfo.application.gen.yaml
-        # highlight-next-line
-        ├── east
-        │   ├── components
-        │   │   └── podinfo
-        │   │       └── podinfo.gen.yaml
-        │   └── gitops
-        │       └── podinfo.application.gen.yaml
-        # highlight-next-line
-        └── west
-            ├── components
-            │   └── podinfo
-            │       └── podinfo.gen.yaml
-            └── gitops
-                └── podinfo.application.gen.yaml
-
-    14 directories, 6 files
-    ```
-  </TabItem>
-</Tabs>
-
-Holos ensures consistency and safety by defining the ArgoCD Application once,
-with strong type checking, at the configuration root.
-
-New Application resources are automatically generated for the `east` and `west`
-workload Clusters.
-
-<Tabs groupId="applications">
-  <TabItem value="east" label="east">
-  `deploy/clusters/east/gitops/podinfo.application.gen.yaml`
-```yaml showLineNumbers
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: podinfo
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    # highlight-next-line
-    path: ./deploy/clusters/east/components/podinfo
-    repoURL: https://example.com/holos-quickstart.git
-    targetRevision: main
-```
-  </TabItem>
-  <TabItem value="west" label="west">
-  `deploy/clusters/west/gitops/podinfo.application.gen.yaml`
-```yaml showLineNumbers
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: podinfo
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    # highlight-next-line
-    path: ./deploy/clusters/west/components/podinfo
-    repoURL: https://example.com/holos-quickstart.git
-    targetRevision: main
-```
-  </TabItem>
-  <TabItem value="default" label="default">
-  `deploy/clusters/default/gitops/podinfo.application.gen.yaml`
-```yaml showLineNumbers
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: podinfo
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    # highlight-next-line
-    path: ./deploy/clusters/default/components/podinfo
-    repoURL: https://example.com/holos-quickstart.git
-    targetRevision: main
-```
-  </TabItem>
-</Tabs>
-
-Add and commit the rendered Platform and workload Clusters.
-
-<Tabs groupId="commit-render-platform">
-  <TabItem value="command" label="Command">
-    ```bash
-    git add .
-    git commit -m "holos render platform ./platform - $(holos --version)"
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    [main 5aebcf5] holos render platform ./platform - 0.93.2
-     5 files changed, 263 insertions(+)
-     create mode 100644 clusters.cue
-     create mode 100644 deploy/clusters/east/components/podinfo/podinfo.gen.yaml
-     create mode 100644 deploy/clusters/east/gitops/podinfo.application.gen.yaml
-     create mode 100644 deploy/clusters/west/components/podinfo/podinfo.gen.yaml
-     create mode 100644 deploy/clusters/west/gitops/podinfo.application.gen.yaml
-    ```
-  </TabItem>
-</Tabs>
-
-## Upgrade a Helm Chart
-
-Holos is designed to ease the burden of Day 2 operations. With Holos, upgrading
-software, integrating new software, and making safe platform-wide configuration
-changes become easier.
-
-Let's upgrade the podinfo Component to see how this works in practice. First,
-update the Component version field to the latest upstream Helm chart version.
-
-<Tabs groupId="gen-podinfo">
-  <TabItem value="command" label="Command">
-    ```bash
-    holos generate component podinfo --component-version 6.6.2
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    generated component
-    ```
-  </TabItem>
-</Tabs>
-
-Remove the cached chart version.
-
-<Tabs groupId="gen-podinfo">
-  <TabItem value="command" label="Command">
-    ```bash
-    rm -rf components/podinfo/vendor
-    ```
-  </TabItem>
-</Tabs>
-
-Now re-render the Platform.
-
-<Tabs groupId="render-platform2">
-  <TabItem value="command" label="Command">
-    ```bash
-    holos render platform ./platform
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    rendered components/podinfo for cluster east in 327.10475ms
-    rendered components/podinfo for cluster west in 327.796541ms
-    ```
-  </TabItem>
-</Tabs>
-
-Notice we're still using the upstream chart without modifying it. The Holos
-component wraps around the chart to mix in additional resources and integrate
-the component with the broader Platform.
-
-## Visualize the Changes
-
-Holos makes it easier to see exactly what changes are made and which resources
-will be applied to the API server. By design, Holos operates on local files,
-leaving the task of applying them to ecosystem tools like `kubectl` and ArgoCD.
-This allows platform operators to inspect changes during code review, or before
-committing the change at all.
-
-For example, using `git diff`, we see that the only functional change when
-upgrading this Helm chart is the deployment of a new container image tag to each
-cluster.  Additionally, we can roll out this change gradually by applying it to
-the east cluster first, then to the west cluster, limiting the potential blast
-radius of a problematic change.
-
-<Tabs groupId="git-diff">
-  <TabItem value="command" label="Command">
-    ```bash
-    git diff deploy/clusters/east
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```diff showLineNumbers
-diff --git a/deploy/clusters/east/components/podinfo/podinfo.gen.yaml b/deploy/clusters/east/components/podinfo/podinfo.gen.yaml
-index 7cc3332..8c1647d 100644
--- a/deploy/clusters/east/components/podinfo/podinfo.gen.yaml
-+++ b/deploy/clusters/east/components/podinfo/podinfo.gen.yaml
-@@ -5,9 +5,9 @@ kind: Service
- metadata:
-   name: podinfo
-   labels:
-    helm.sh/chart: podinfo-6.6.1
-+    helm.sh/chart: podinfo-6.6.2
-     app.kubernetes.io/name: podinfo
-    app.kubernetes.io/version: "6.6.1"
-+    app.kubernetes.io/version: "6.6.2"
-     app.kubernetes.io/managed-by: Helm
- spec:
-   type: ClusterIP
-@@ -29,9 +29,9 @@ kind: Deployment
- metadata:
-   name: podinfo
-   labels:
-    helm.sh/chart: podinfo-6.6.1
-+    helm.sh/chart: podinfo-6.6.2
-     app.kubernetes.io/name: podinfo
-    app.kubernetes.io/version: "6.6.1"
-+    app.kubernetes.io/version: "6.6.2"
-     app.kubernetes.io/managed-by: Helm
- spec:
-   replicas: 1
-@@ -53,7 +53,7 @@ spec:
-       terminationGracePeriodSeconds: 30
-       containers:
-         - name: podinfo
-         # highlight-next-line
-          image: "ghcr.io/stefanprodan/podinfo:6.6.1"
-         # highlight-next-line
-+          image: "ghcr.io/stefanprodan/podinfo:6.6.2"
-           imagePullPolicy: IfNotPresent
-           command:
-             - ./podinfo
-```
-  </TabItem>
-</Tabs>
-
-:::tip
-Holos is designed to surface the _fully rendered_ manifests intended for the
-Kubernetes API server, making it easier to see and reason about platform-wide
-configuration changes.
-:::
-
-## Recap {#recap}
-
-In this quickstart guide, we learned how Holos makes it easier, safer, and more
-consistent to manage a Platform composed of multiple Clusters and upstream Helm
-charts.
-
-We covered how to:
-
-1. Generate a Git repository for the Platform config.
-2. Wrap the unmodified upstream podinfo Helm chart into a Component.
-3. Render an individual Component.
-4. Mix-in your Platform's unique resources to all Components.  For example, ArgoCD Application resources.
-5. Define multiple similar, but not identical, workload clusters.
-6. Render the manifests for the entire Platform with the `holos render platform` command.
-7. Upgrade a Helm chart to the latest version as an important Day 2 task.
-8. Visualize and surface the details of planned changes Platform wide.
-
-## Dive Deeper
-
-If you'd like to dive deeper, check out the [Schema API][schema] and [Core
-API][core] reference docs. The main difference between the schema and core
-packages is that the schema is used by users to write refined CUE, while the
-core package is what the schema produces for `holos` to execute. Users rarely
-need to interact with the Core API when on the happy path, but can use the core
-package as an escape hatch when the happy path doesn't go where you want.
-
-
-[application]: https://argo-cd.readthedocs.io/en/stable/user-guide/application-specification/
-[schema]: /docs/api/author/v1alpha3/
-[core]: /docs/api/core/v1alpha3/
--- a/doc/md.archive/guides/2024-09-17-manage-a-project.mdx
+++ b/doc/md.archive/guides/2024-09-17-manage-a-project.mdx
@@ -1,106 +0,0 @@
---
-description: Self service platform resource management for project teams.
-slug: /archive/guides/2024-09-17-manage-a-project
-sidebar_position: 250
---
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import Admonition from '@theme/Admonition';
-
-# Manage a Project
-
-In this guide we'll explore how Holos easily, safely, and consistently manages
-platform resources for teams to develop the projects they're working on.
-
-Intended Audience: Platform Engineers and Software Engineers.
-
-Goal is to demonstrate how the platform team can consistently, easily, and
-safely provide platform resources to software engineers.
-
-Assumption is software engineers have a container they want to deploy onto the
-platform and make accessible.  We'll use httpbin as a stand-in for the dev
-team's container.
-
-Project is roughly equivalent to Dev Team for the purpose of this guide, but in
-practice multiple teams work on a given project over the lifetime of the
-project, so we structure the files into projects instead of teams.
-
-## What you'll need {#requirements}
-
-You'll need the following tools installed to complete this guide.
-
-1. [holos](/docs/install) - to build the Platform.
-2. [helm](https://helm.sh/docs/intro/install/) - to render Helm Components.
-3. [kubectl](https://kubernetes.io/docs/tasks/tools/) - to render Kustomize Components.
-
-If you'd like to apply the manifests we render in this guide complete the
-following optional, but recommended, steps.
-
-a. Complete the [Local Cluster] guide to set up a local cluster to work with.
-b. You'll need a GitHub account to fork the repository associated with this
-guide.
-
-## Fork the Guide Repository
-
-<Tabs groupId="fork">
-  <TabItem value="command" label="Command">
-```bash
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
-```txt showLineNumbers
-```
-  </TabItem>
-</Tabs>
-
-This guide assumes you will run commands from the root directory of this
-repository unless stated otherwise.
-
-[Quickstart]: /docs/quickstart
-[Local Cluster]: /docs/guides/local-cluster
-
-## Render the Platform
-
-So we can build the basic platform.  Don't dwell on the platform bits.
-
-## Apply the Manifests
-
-Deploy ArgoCD, but not any of the Application resources.
-
-## Browse to ArgoCD
-
-Note there is nothing here yet.
-
-## Switch to your Fork
-
-Note all of the Applications change consistently.
-
-## Apply the Applications
-
-Note how ArgoCD takes over management, no longer need to k apply.
-
-## Create a Project
-
-Project is a conceptual, not technical, thing in Holos.  Mainly about how components are laid out in the filesystem tree.
-
-We use a schematic built into holos as an example, the platform team could use the same or provide a similar template and instructions for development teams to self-serve.
-
-## Render the Platform
-
-Notice:
-
-1. Project is registered with the platform at the root.
-2. HTTPRoute and Namespace resources are added close to the root in `projects`
-3. Deployment and Service resources are added at the leaf in `projects/httpbin/backend`
-
-## Update the image tag
-
-Add a basic schematic to demonstrate this.  May need to add two new flags for image url and image tag to the generate subcommand, but should just be two new fields on the struct.
-
-## Dive Deeper
-
-Set the stage for constraints.  Ideas: Limit what resources can be added,
-namespaces can be operated in, enforce labels, etc...
-
-Simple, consistent, easy constraints.
--- a/doc/md.archive/guides/argocd/argocd-apps-2.png
+++ b/doc/md.archive/guides/argocd/argocd-apps-2.png
--- a/doc/md.archive/guides/argocd/argocd-apps.png
+++ b/doc/md.archive/guides/argocd/argocd-apps.png
--- a/doc/md.archive/guides/argocd/argocd-auto-sync-ok.png
+++ b/doc/md.archive/guides/argocd/argocd-auto-sync-ok.png
--- a/doc/md.archive/guides/argocd/argocd-diff.png
+++ b/doc/md.archive/guides/argocd/argocd-diff.png
--- a/doc/md.archive/guides/argocd/argocd-login-signedout.png
+++ b/doc/md.archive/guides/argocd/argocd-login-signedout.png
--- a/doc/md.archive/guides/argocd/argocd-login.png
+++ b/doc/md.archive/guides/argocd/argocd-login.png
--- a/doc/md.archive/guides/argocd/argocd-out-of-sync.png
+++ b/doc/md.archive/guides/argocd/argocd-out-of-sync.png
--- a/doc/md.archive/guides/argocd/argocd-sync-ok.png
+++ b/doc/md.archive/guides/argocd/argocd-sync-ok.png
--- a/doc/md.archive/guides/argocd/argocd-sync.png
+++ b/doc/md.archive/guides/argocd/argocd-sync.png
--- a/doc/md.archive/guides/argocd/index.mdx
+++ b/doc/md.archive/guides/argocd/index.mdx
@@ -1,6 +0,0 @@
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-# ArgoCD
-
-Coming soon.
--- a/doc/md.archive/guides/backstage/index.md
+++ b/doc/md.archive/guides/backstage/index.md
@@ -1,3 +0,0 @@
-# Backstage
-
-Coming soon.
--- a/doc/md.archive/guides/expose-a-service.mdx
+++ b/doc/md.archive/guides/expose-a-service.mdx
--- a/doc/md.archive/guides/observability/index.md
+++ b/doc/md.archive/guides/observability/index.md
@@ -1,3 +0,0 @@
-# Observability
-
-Coming soon.
--- a/doc/md.archive/guides/overview.md
+++ b/doc/md.archive/guides/overview.md
@@ -1,17 +0,0 @@
-# Overview
-
-<!-- https://kubernetes.io/docs/contribute/style/diagram-guide/ -->
-
-This tutorial covers the following process of getting started with Holos.
-
-```mermaid
-graph LR
-    A[1. Install <br>holos] -->
-    B[2. Register <br>account] -->
-    C[3. Generate <br>platform] -->
-    D[4. Render <br>platform] -->
-    E[5. Apply <br>config]
- 
-    classDef box fill:#fff,stroke:#000,stroke-width:1px,color:#000;
-    class A,B,C,D,E box
-```
--- a/doc/md.archive/guides/register.md
+++ b/doc/md.archive/guides/register.md
@@ -1,62 +0,0 @@
-# Registration
-
-Holos leverages a simple web app to collect and store platform attributes with a web form.  Register an account with the web app to create and retrieve the platform model.
-
-```
-holos register user
-```
-
-:::tip
-
-Holos allows you to customize all of the sections and fields of your platform model.
-
-:::
-
-
-## Generate your Platform
-
-Generate your platform configuration from the holos reference platform embedded in the `holos` executable.  Platform configuration is stored in a git repository.
-
-```bash
-mkdir holos-infra
-cd holos-infra
-holos generate platform holos
-```
-
-The generate command writes many files organized by platform component into the current directory
-
-TODO: Put a table here describing key elements?
-
-:::tip
-
-Take a peek at `holos generate platform --help` to see other platforms embedded in the holos executable.
-
-:::
-
-## Push the Platform Form
-
-```
-holos push platform form .
-```
-
-## Fill in the form
-
-TODO
-
-## Pull the Platform Model
-
-Once the platform model is saved, pull it into the holos-infra repository:
-
-```
-holos pull platform model .
-```
-
-## Render the Platform
-
-With the platform model and the platform spec, you're ready to render the complete platform configuration:
-
-```
-holos render platform ./platform
-```
-
-## Summary
--- a/doc/md.archive/guides/try-holos/form-pushed.png
+++ b/doc/md.archive/guides/try-holos/form-pushed.png
--- a/doc/md.archive/guides/try-holos/form.png
+++ b/doc/md.archive/guides/try-holos/form.png
--- a/doc/md.archive/guides/try-holos/index.mdx
+++ b/doc/md.archive/guides/try-holos/index.mdx
@@ -1,687 +0,0 @@
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import Admonition from '@theme/Admonition';
-
-# Try Holos Locally
-
-This guide walks through the process of building and managing a software
-development platform with Holos.  The k3d platform built in this guide is a
-slimmed down version of the larger, more holistic, Holos reference platform.
-
-Holos is different from existing tools in a few important ways.
-
- 1. Holos provides a **unified configuration model** purpose built to improve on
- unmodified Helm charts, Kustomize bases, or anything else that produces
- structured configuration data.
- 2. Holos all but **eliminates the need to template yaml**, a common source of
- frustration and errors in production.
- 3. Holos platforms are **composable** and have breadth.  The toolchain and
- techniques scale down to one machine and up to multiple clusters across
- multiple regions.
- 4. The unified configuration model is well suited to a **Zero Trust security
- model**.  Platform wide policy configuration is easier to manage with Holos.
-
---
-
-This guide assumes commands are run locally.  Capitalized terms have specific
-definitions described in the [Glossary](/docs/glossary).
-
-## What you'll need {#Requirements}
-
-You'll need the following tools installed to complete this guide.
-
-1. [holos](/docs/install) - to build the platform.
-2. [helm](https://helm.sh/docs/intro/install/) - to render Holos components that wrap upstream Helm charts.
-3. [k3d](https://k3d.io/#installation) - to provide a k8s api server.
-4. [OrbStack](https://docs.orbstack.dev/install) or [Docker](https://docs.docker.com/get-docker/) - to use k3d.
-5. [kubectl](https://kubernetes.io/docs/tasks/tools/) - to interact with the k8s api server.
-6. [mkcert](https://github.com/FiloSottile/mkcert?tab=readme-ov-file#installation) - to make trusted TLS certificates.
-7. [jq](https://jqlang.github.io/jq/download/) - to fiddle with JSON output.
-
-:::note
-
-Registering an account **is recommended** to try out proper authentication and
-authorization in Holos, but you can complete this guide without signing up.
-
-:::
-
-## Goal {#Goal}
-
-By the end of this guide you'll have built the foundation of a software
-development platform.  The foundation provides Zero Trust security by
-holistically integrating off-the-shelf open source software.
-
-  1. Istio is configured to authenticate and authorize requests using an OIDC
-  ID-Token issued by ZITADEL before requests reach backend services.
-  2. The platform provides single sign-on and role based access control for all
-  services running on the platform.
-
-This guide strives to keep things neat and tidy.  All of the resources are
-located in one k3d cluster and one local Git repository.  If you want to clean
-up at any point, do so with:
-
-```bash
-k3d cluster delete workload
-rm -rf holos-k3d
-```
-
-## Sign In or Out {#Sign-In}
-
-Holos provides integrated authentication and authorization which we'll use in
-this guide to protect a service.  We recommend registering an account to see
-this in action.  Registration also enables you to explore the customizable web
-form that simplifies complex configuration.
-
-If you opt-out, the platform will be configured to use a fake identity in place
-of real id tokens.
-
-<Tabs groupId="registration">
-  <TabItem value="registered" label="Sign In">
-    ```bash
-    holos register user
-    ```
-  </TabItem>
-  <TabItem value="unregistered" label="Opt Out">
-    ```bash
-    holos logout
-    ```
-  </TabItem>
-</Tabs>
-
-## Create the Platform {#Create-Platform}
-
-A server-side platform resource in Holos stores the web form used to simplify
-platform wide configuration.
-
-First, initialize an empty Git repository:
-
-```bash
-mkdir holos-k3d
-cd holos-k3d
-git init
-```
-
-<Tabs groupId="registration">
-  <TabItem value="registered" label="Signed In">
-    Use `holos` to make the rpc call to create the server-side platform
-    resource.
-
-    ```bash
-    holos create platform --name k3d --display-name "Try Holos Locally"
-    ```
-  </TabItem>
-  <TabItem value="unregistered" label="Signed Out">
-    Create a blank `platform.metadata.json` file so subsequent holos commands
-    skip rpc calls.
-
-    ```bash
-    touch platform.metadata.json
-    ```
-  </TabItem>
-</Tabs>
-
-### Generate the Platform {#Generate-Platform}
-
-Generate the platform code in the repository root.
-
-```bash
-holos generate platform k3d
-```
-
-Commit the generated platform config to the repository.
-
-```bash
-git add .
-git commit -m "holos generate platform k3d - $(holos --version)"
-```
-
-### Push the Platform Form
-
-Each Holos platform has a Platform Form used to submit top level, platform-wide
-configuration values.  The purpose of the form is to validate configuration
-values and simplify complicated configurations and integrations.
-
-<Tabs groupId="registration">
-  <TabItem value="registered" label="Signed In">
-    Push the Platform Form to publish it.  Browse to the printed URL to view the
-    form.
-
-    ```bash
-    holos push platform form .
-    ```
-  </TabItem>
-  <TabItem value="unregistered" label="Signed Out">
-    You will update the Platform Model locally in a later step so there's
-    nothing to do in this step.  Only signed-in users can push a Platform Form
-    to the Holos web server.
-
-    ```bash
-    # holos push platform form .
-    ```
-  </TabItem>
-</Tabs>
-
-The Platform Form is defined locally in `forms/platform/platform-form.cue`.
-
-On the web it looks like:
-![Platform Form Default Values](./form-pushed.png)
-
-### Update the Platform Model {#Platform-Model}
-
-Holos needs initial, top level configuration values to render the platform.  The
-Platform Model is the term we use for these values.  In this section you will
-configure role based access control by way of updating the Platform Model.
-
-In the k3d platform you're building now, role based access control is
-implemented by asserting against the oidc id token subject.  Update the form
-with the `sub` claim value from your id token.  This will ensure only you have
-access to platform services.
-
-<Tabs groupId="registration">
-  <TabItem value="registered" label="Signed In">
-    Copy and paste the `sub` value into your Platform Form's Subject field.
-
-    ```bash
-    holos login --print-claims --log-level=error | jq -r .sub
-    ```
-
-    After pasting the `sub` value, click Submit on the form.
-  </TabItem>
-  <TabItem value="unregistered" label="Signed Out">
-    You don't have an id token when you're signed out, so there's nothing for
-    you to do in this step.
-
-    ```bash
-    # holos login --print-claims --log-level=error | jq -r .sub
-    ```
-
-    The platform will be configured to assert against the User-Agent header
-    instead.
-  </TabItem>
-</Tabs>
-
-### Pull the Platform Model {#Pull-the-Platform-Model}
-
-The Platform Model needs to be pulled into the local Git repository after the
-form has been submitted. Next, we'll run `holos render` which operates
-exclusively on local files.
-
-Holos stores the Platform Model in the `platform.config.json` file. Holos
-provides this file as input to CUE when rendering the platform.  This file is
-intended to be added to version control.
-
-<Tabs groupId="registration">
-  <TabItem value="registered" label="Signed In">
-    Pull the updated Platform Model into the local repository.
-
-    ```bash
-    holos pull platform model .
-    git add platform.config.json
-    git commit -m "Add platform model"
-    ```
-
-  </TabItem>
-  <TabItem value="unregistered" label="Signed Out">
-    The holos generate platform k3d command created an initial Platform Model in
-    `platform.config.json`.  As a result there's nothing to do in this step.
-
-    ```bash
-    # holos pull platform model .
-    # git add platform.config.json
-    # git commit -m "Add platform model"
-    ```
-  </TabItem>
-</Tabs>
-
-## Render the Platform {#Render-the-Platform}
-
-Holos has everything necessary to render the platform once the
-`platform.config.json` file and the code from `holos generate` are in the
-current directory.
-
-Rendering a platform is the process of iterating over each platform component
-and rendering it into plain yaml. Holos does not apply the resulting manifests.
-Other tools like kubectl, ArgoCD, or Flux are responsible for applying the
-manifests.
-
-```bash
-holos render platform ./platform
-```
-
-The render command writes the manifest files to the `deploy/` directory.  Commit
-the files so they can be applied via GitOps later.
-
-```bash
-git add deploy
-git commit -m "holos render platform ./platform"
-```
-
-:::info[Don't blink, this is where Holos builds the platform]
-
-It usually takes no more than a few seconds.
-
-Rendering the holos reference platform currently results in about 500K lines of
-yaml.  In contrast, roughly 80K lines are produced by this slimmed down k3d
-platform.
-
-We mention this because the scale doesn't matter as much as it does with other
-tools.  Manage millions of lines of configuration with Holos the same way this
-guide manages thousands.  This is made possible by the unique way CUE unifies
-all configuration into one single model.
-
-:::
-
-## Configure DNS {#DNS}
-
-Configure your machine to resolve `*.holos.localhost` to your loopback
-interface.  This is necessary for requests to reach the workload cluster.
-
-<Tabs>
-  <TabItem value="macos" label="macOS" default>
-  Cache sudo credentials.
-
-  Admin access is necessary to setup a local dnsmasq instance and configure
-  macOS's DNS resolver.
-
-  ```bash
-  sudo -v
-  ```
-
-  Resolve *.holos.localhost DNS queries to 127.0.0.1.
-
-  ```bash
-  bash ./scripts/local-dns
-  ```
-
-  </TabItem>
-  <TabItem value="linux" label="Linux">
-    [NSS-myhostname](http://man7.org/linux/man-pages/man8/nss-myhostname.8.html)
-    ships with many Linux distributions and should resolve *.localhost
-    automatically to 127.0.0.1.
-
-    Otherwise it is installable with:
-
-    ```bash
-    sudo apt install libnss-myhostname
-    ```
-  </TabItem>
-  <TabItem value="windows" label="Windows">
-    Ensure the loopback interface has at least the following names in `C:\windows\system32\drivers\etc\hosts`
-
-    ```
-    127.0.0.1 httpbin.holos.localhost app.holos.localhost
-    ```
-  </TabItem>
-</Tabs>
-
-
-## Create the Cluster {#Create-Cluster}
-
-The Workload Cluster is where your applications and services will be deployed.
-In production this is usually an EKS, GKE, or AKS cluster.
-
-:::tip
-
-Holos supports all compliant Kubernetes clusters. Holos was developed and tested
-on GKE, EKS, Talos, k3s, and Kubeadm clusters.
-
-:::
-
-<Tabs>
-  <TabItem value="evaluate" label="Try Holos" default>
-  Use this command when exploring Holos.
-
-  ```bash
-  k3d cluster create workload \
-    --port "443:443@loadbalancer" \
-    --k3s-arg "--disable=traefik@server:0"
-  ```
-
-  </TabItem>
-  <TabItem value="develop" label="Develop Holos">
-  Use this command when developing Holos.
-
-  ```bash
-  k3d registry create registry.holos.localhost --port 5100
-  ```
-
-  ```bash
-  k3d cluster create workload \
-    --registry-use k3d-registry.holos.localhost:5100 \
-    --port "443:443@loadbalancer" \
-    --k3s-arg "--disable=traefik@server:0"
-  ```
-
-  </TabItem>
-</Tabs>
-
-Traefik is disabled because Istio provides the same functionality.
-
-## Apply the Platform Components {#Apply-Platform-Components}
-
-Use `kubectl` to apply each platform component.  In production, it's common to
-fully automate this process with ArgoCD, but we use `kubectl` to the same
-effect.
-
-### Local CA {#Local-CA}
-
-Holos platforms use cert manager to issue tls certificates.  The browser and
-tools we're using need to trust these certificates to work together.
-
-Admin access is necessary for `mkcert` to manage the certificate into your trust
-stores.
-
-```bash
-sudo -v
-```
-
-Manage the local CA and copy the CA key to the workload cluster so that cert
-manager can manage trusted certificates.
-
-```bash
-bash ./scripts/local-ca
-```
-
-:::warning
-
-Take care to run the local-ca script each time you create the workload cluster
-so that Certificates are issued correctly.
-
-:::
-
-
-### Service Mesh
-
-The platform service mesh provides an ingress gateway and connectivity useful
-for observability, reliability, and security.
-
-#### Namespaces
-
-With Holos, components are automatically added to the namespaces component,
-useful for centrally managed policies.
-
-```bash
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/namespaces
-```
-
-#### Custom Resource Definitions
-
-```bash
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/gateway-api
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istio-base
-```
-
-#### Cert Manager {#cert-manager}
-
-Apply the cert-manager controller.
-
-```bash
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/cert-manager
-```
-
-Apply the ClusterIssuer which issues Certificate resources using the local
-certificate authority.
-
-```bash
-kubectl -n cert-manager wait pod -l app.kubernetes.io/component=webhook --for=condition=Ready
-kubectl apply --server-side=true -f deploy/clusters/workload/components/local-ca
-kubectl apply --server-side=true -f deploy/clusters/workload/components/certificates
-kubectl -n istio-gateways wait certificate httpbin.holos.localhost --for=condition=Ready
-```
-
-:::warning
-
-The certificate will time out before becoming ready if the [local-ca](#Local-CA)
-script was not run after the cluster was created.
-
-:::
-
-#### Istio {#Istio}
-
-Istio implements the Service Mesh.
-
-```bash
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istio-cni
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istiod
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/gateway
-```
-
-Verify the Gateway is programmed and the listeners have been accepted:
-
-```bash
-kubectl -n istio-gateways wait gateway default --for=condition=Accepted
-```
-
-#### httpbin {#httpbin}
-
-httpbin is a simple backend service useful for end-to-end testing.
-
-```bash
-kubectl apply --server-side=true -f deploy/clusters/workload/components/httpbin-backend
-kubectl apply --server-side=true -f deploy/clusters/workload/components/httpbin-routes
-kubectl -n holos-system wait pod -l app.kubernetes.io/instance=httpbin --for=condition=Ready
-```
-
-:::info
-
-Browse to [https://httpbin.holos.localhost/](https://httpbin.holos.localhost/)
-to verify end to end connectivity.  You should see the httpbin index page.
-
-:::
-
-### Authenticating Proxy
-
-The auth proxy is responsible for authenticating browser requests, handling the
-oidc authentication flow, and providing a signed id token to the rest of the
-services in the mesh.
-
-#### Cookie Secret
-
-The auth proxy stores session information in an encrypted cookie.  Generate a
-random cookie encryption Secret and apply.
-
-```bash
-LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom \
-  | head -c 32 \
-  | kubectl create secret generic "authproxy" \
-    --from-file=cookiesecret=/dev/stdin \
-    --dry-run=client -o yaml \
-  | kubectl apply -n istio-gateways -f-
-```
-
-#### Deployment
-
-The auth proxy Deployment receives requests from web browsers and responds with
-an authentication decision.
-
-```bash
-kubectl apply --server-side=true -f deploy/clusters/workload/components/authproxy
-kubectl apply --server-side=true -f deploy/clusters/workload/components/authroutes
-```
-
-<Tabs groupId="registration">
-  <TabItem value="registered" label="Signed In">
-    <Admonition type="info">
-    Verify authentication is working by browsing to
-    [https://httpbin.holos.localhost/holos/authproxy](https://httpbin.holos.localhost/holos/authproxy).
-
-    We want a simple `Authenticated` response.
-
-      <Admonition type="tip">
-      You may need to refresh the page a few times while the platform configures
-      itself.
-      </Admonition>
-    </Admonition>
-
-    Istio will respond with `no healthy upstream` until the pod becomes ready.
-    Wait for the pod to become ready with:
-
-    ```bash
-    kubectl -n holos-system wait pod -l app.kubernetes.io/instance=httpbin --for=condition=Ready
-    ```
-
-    Once authenticated, visit
-    [https://httpbin.holos.localhost/holos/authproxy/userinfo](https://httpbin.holos.localhost/holos/authproxy/userinfo)
-    which returns a subset of claims from your id token.
-
-    <Admonition type="warning">
-      If you get `Unauthorized` instead of a json response body, make sure you
-      [authenticated](https://httpbin.holos.localhost/holos/authproxy) first.
-    </Admonition>
-
-    ```json
-    {
-      "user": "275552236589843464",
-      "email": "demo@holos.run",
-      "preferredUsername": "demo"
-    }
-    ```
-  </TabItem>
-  <TabItem value="unregistered" label="Signed Out">
-    The auth proxy will always try to sign you in when you are signed out, so
-    there isn't much to do here.  Please do take a moment to glance at the
-    Signed In tab to see how this would work if you were signed in.
-
-    The `k3d` platform relies on `https://login.holos.run` to issue id tokens.
-    Authorization has been configured against fake request headers instead of
-    the real `x-oidc-id-token` header.
-  </TabItem>
-</Tabs>
-
-### Authorization Policy
-
-Configure authorization policies using attributes of the authenticated request.
-Authorization policies route web requests through the auth proxy and then
-validate all requests against the `x-oidc-id-token` header.
-
-```bash
-kubectl apply --server-side=true -f deploy/clusters/workload/components/authpolicy
-```
-
-Istio make take a few seconds to program the Gateway with the
-AuthorizationPolicy resources.
-
-## Try out Zero Trust
-
-A basic Zero Trust security model is now in place.  The platform authenticates
-and authorizes requests before they reach the backend service.
-
-### Browser
-
-<Tabs groupId="registration">
-  <TabItem value="registered" label="Signed In">
-    The platform has been configured to authorize requests with a `x-oidc-id-token` header.
-
-    1. Verify authentication is working by browsing to [https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request).
-        - Refresh the page a few times.
-        - The `httpbin` backend pods should echo back the `x-oidc-id-token`
-        header injected by the auth proxy.
-    2. Note the `x-oidc-id-token` header is not sent by your browser but is
-    received by the backend service.
-        - This design reduces the risk of exposing id tokens in the browser.
-        - Browser request size remains constant as more claims are added to id
-        tokens.
-        - Reliability improves because id tokens often overflow request header
-        buffers when they pass through middle boxes across the internet.
-  </TabItem>
-  <TabItem value="unregistered" label="Signed Out">
-    The platform has been configured to authorize requests with a `User-Agent: anonymous` header.
-
-    1. Open an incognito window (Cmd+Shift+N) to verify the platform is
-    enforcing the authorization policy.
-    2. Browse to
-    [https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request)
-    you should be redirected to the sign in page by the auth proxy.
-        - You **do not** need to register or sign in.
-        - This step verifies the platform is redirecting unauthenticated
-        requests to the identity provider.
-        - Navigate back or close and re-open an incognito window.
-    3. Set your `User-Agent` header to `anonymous` using your browser developer tools.
-        - For Chrome the process is described
-        [here](https://developer.chrome.com/docs/devtools/device-mode/override-user-agent#override_the_user_agent_string).
-        - The purpose is to simulate an authenticated request.
-    4. Browse to
-    [https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request).
-        - The platform should allow the request through to the backend pod.
-        - `httpbin` should echo back your request which should contain `User-Agent: anonymous`.
-  </TabItem>
-</Tabs>
-
-### Command Line
-
-Verify unauthenticated requests are blocked by default outside the browser.
-
-```bash
-curl -I https://httpbin.holos.localhost/dump/request
-```
-
-You should receive a `HTTP/2 302` response that redirects to `location:
-https://login.holos.run` to start the oauth login flow.
-
-Next, verify authenticated requests are allowed.
-
-<Tabs groupId="registration">
-  <TabItem value="registered" label="Signed In">
-    The platform is configured to authenticate the id token present in the
-    `x-oidc-id-token` header.
-
-    💡 It also works with `grpcurl`.
-
-    ```bash
-    curl -H x-oidc-id-token:$(holos token) https://httpbin.holos.localhost/dump/request
-    ```
-  </TabItem>
-  <TabItem value="unregistered" label="Signed Out">
-    The platform is configured to authorize any request with `User-Agent:
-    anonymous` in place of validating the oidc id token.
-
-    💡 Take a moment to click the Signed In tab, I don't want you to miss how
-    cool `$(holos token)` is.
-
-    ```bash
-    curl -A anonymous https://httpbin.holos.localhost/dump/request
-    ```
-  </TabItem>
-</Tabs>
-
-You should receive a response showing the request headers the backend received.
-
-:::tip
-
-Note how the platform secures both web browser and command line api access to
-the backend httpbin service.  httpbin itself has no authentication or
-authorization functionality.
-
-:::
-
-## Summary
-
-Thank you for taking the time to try out Holos.  In this guide, you built the
-foundation of a software development platform that:
-
- 1. Provides a unified configuration model with CUE that
-    - Supports unmodified Helm Charts, Kustomize Kustomizations, plain YAML.
-    - Provides a web form to pass top level parameters.
- 2. Reduces errors by eliminating the need to template unstructured text.
- 3. Is composable and scales down to a local machine.
- 4. Provides an way to safely configure broad authentication and authorization
- policy.
-
-## Next Steps
-
-Dive deeper with the following resources that build on the foundation you have now.
-
- 1. Explore the [Rendering Process](/docs/concepts#rendering) in Holos.
- 2. Dive deeper into the [Platform Manifests](./platform-manifests) rendered in this guide.
- 3. Deploy [ArgoCD](../argocd) onto the foundation you built.
- 4. Deploy [Backstage](../backstage) as a portal to the integrated platform components.
-
-## Clean-Up
-
-If you'd like to clean up the resources you created in this guide, remove them
-with:
-
-```bash
-k3d cluster delete workload
-rm -rf holos-k3d
-```
--- a/doc/md.archive/guides/try-holos/platform-manifests.md
+++ b/doc/md.archive/guides/try-holos/platform-manifests.md
@@ -1,137 +0,0 @@
-# Platform Manifests
-
-This document provides an example of how Holos uses CUE and Helm to unify and
-render the platform configuration.  It refers to the manifests rendered in the
-Try Holos Locally guide.
-
-Take a moment to review the manifests `holos` rendered to build the platform.
-
-### ArgoCD Application
-
-Note the Git URL in the Platform Model is used to derive the ArgoCD
-`Application` resource for all of the platform components.
-
-```yaml
-# deploy/clusters/workload/gitops/namespaces.application.gen.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: namespaces
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    # highlight-next-line
-    path: /deploy/clusters/workload/components/namespaces
-    # highlight-next-line
-    repoURL: https://github.com/holos-run/holos-k3d.git
-    # highlight-next-line
-    targetRevision: HEAD
-```
-
-One ArgoCD `Application` resource is produced for each Holos component by
-default.  The CUE definition which produces the rendered output is defined in
-`buildplan.cue` around line 222.
-
-:::tip
-
-Note how CUE does not use error-prone text templates, the language is well
-specified and typed which reduces errors when unifying the configuration with
-the Platform Model in the following `#Argo` definition.
-
-:::
-
-```cue
-// buildplan.cue
-
-// #Argo represents an argocd Application resource for each component, written
-// using the #HolosComponent.deployFiles field.
-#Argo: {
-	ComponentName: string
-
-	Application: app.#Application & {
-		metadata: name:      ComponentName
-		metadata: namespace: "argocd"
-		spec: {
-			destination: server: "https://kubernetes.default.svc"
-			project: "default"
-			source: {
-        // highlight-next-line
-				path:           "\(_Platform.Model.argocd.deployRoot)/deploy/clusters/\(_ClusterName)/components/\(ComponentName)"
-        // highlight-next-line
-				repoURL:        _Platform.Model.argocd.repoURL
-        // highlight-next-line
-				targetRevision: _Platform.Model.argocd.targetRevision
-			}
-		}
-	}
-
-	// deployFiles represents the output files to write along side the component.
-	deployFiles: "clusters/\(_ClusterName)/gitops/\(ComponentName).application.gen.yaml": yaml.Marshal(Application)
-}
-```
-
-### Helm Chart
-
-The `cert-manger` component renders using the upstream Helm chart.  The build
-plan that defines the helm chart to use along with the values to provide looks
-like the following.
-
-:::tip
-
-Holos fully supports your existing Helm charts.  Consider leveraging `holos` as
-an alternative to umbrella charts.
-
-:::
-
-```cue
-// components/cert-manager/cert-manager.cue
-package holos
-
-// Produce a helm chart build plan.
-(#Helm & Chart).Output
-
-let Chart = {
-	Name:      "cert-manager"
-	Version:   "1.14.5"
-	Namespace: "cert-manager"
-
-	Repo: name: "jetstack"
-	Repo: url:  "https://charts.jetstack.io"
-
-  // highlight-next-line
-	Values: {
-		installCRDs: true
-		startupapicheck: enabled: false
-		// Must not use kube-system on gke autopilot.  GKE Warden blocks access.
-    // highlight-next-line
-		global: leaderElection: namespace: Namespace
-
-		// https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests
-		resources: requests: {
-			cpu:                 "250m"
-			memory:              "512Mi"
-			"ephemeral-storage": "100Mi"
-		}
-    // highlight-next-line
-		webhook: resources:        Values.resources
-    // highlight-next-line
-		cainjector: resources:     Values.resources
-    // highlight-next-line
-		startupapicheck: resource: Values.resources
-
-		// https://cloud.google.com/kubernetes-engine/docs/how-to/autopilot-spot-pods
-		nodeSelector: {
-			"kubernetes.io/os": "linux"
-			if _ClusterName == "management" {
-				"cloud.google.com/gke-spot": "true"
-			}
-		}
-		webhook: nodeSelector:         Values.nodeSelector
-		cainjector: nodeSelector:      Values.nodeSelector
-		startupapicheck: nodeSelector: Values.nodeSelector
-	}
-}
-```
--- a/doc/md.archive/introduction.md
+++ b/doc/md.archive/introduction.md
@@ -1,52 +0,0 @@
---
-description: Introduction
---
-
-# Introduction
-
-Welcome to Holos.  Holos is an open source tool to manage software development
-platforms safely, easily, and consistently.  We built Holos to help engineering
-teams work more efficiently together by empowering them to build golden paths
-and paved roads for other teams to leverage for quicker delivery.
-
-## Documentation
-
- [Guides] are organized into example use-cases of how Holos helps engineering
-teams at the fictional Bank of Holos deliver business value on the bank's
-platform.
- The [API Reference] is a technical reference for when you're writing CUE code to define your platform.
-
-## Backstory
-
-At [Open Infrastructure Services], we've each helped dozens of companies build and operate their software development platforms. During the U.S. presidential election just before the pandemic, our second-largest client, Twitter, experienced a global outage that lasted nearly a full day. We were managing their production configuration system, allowing the core infrastructure team to focus on business-critical objectives. This gave us a front-row seat to the incident.
-
-A close friend and engineer on the team made a trivial one-line change to the firewall configuration. Less than 30 minutes later, everything was down. That change, which passed code review, caused the host firewall to revert to its default state on hundreds of thousands of servers, blocking all connections globally—except for SSH, thankfully. Even a Presidential candidate complained loudly.
-
-This incident forced us to reconsider key issues with Twitter's platform:
-
-1. **Lack of Visibility** - Engineers couldn't foresee the impact of even a small change, making it difficult to assess risks.
-2. **Large Blast Radius** - Small changes affected the entire global fleet in under 30 minutes. There was no way to limit the impact of a single change.
-3. **Incomplete Tooling** - The right processes were in place, but the tooling didn't fully support them. The change was tested and reviewed, but critical information wasn't surfaced in time.
-
-Over the next few years, we built features to address these issues. Meanwhile, I began exploring how these solutions could work in the Kubernetes and cloud-native space.
-
-As Google Cloud partners, we worked with large customers to understand how they built their platforms on Kubernetes. During the pandemic, we built a platform using CNCF projects like ArgoCD, Prometheus Stack, Istio, Cert Manager, and External Secrets Operator, integrating them into a cohesive platform. We started with upstream recommendations—primarily Helm charts—and wrote scripts to integrate each piece into the platform. For example, we passed Helm outputs to Kustomize to add labels or fix bugs, and wrote umbrella charts to add Ingress, HTTPRoute, and ExternalSecret resources.
-
-These scripts served as necessary glue to hold everything together but became difficult to manage across multiple environments, regions, and cloud providers. YAML templates and nested loops created friction, making them hard to troubleshoot. The scripts themselves made it difficult to see what was happening and to fix issues affecting the entire platform.
-
-Still, the scripts had a key advantage: they produced fully rendered manifests in plain text, committed to version control, and applied via ArgoCD. This clarity made troubleshooting easier and reduced errors in production.
-
-Despite the makeshift nature of the scripts, I kept thinking about the "[Why are we templating YAML]?" post on Hacker News. I wanted to replace our scripts and charts with something more robust and easier to maintain—something that addressed Twitter's issues head-on.
-
-I rewrote our scripts and charts using CUE and Go, replacing the glue layer. The result is **Holos**—a tool designed to complement Helm, Kustomize, and Jsonnet, making it easier and safer to define golden paths and paved roads without bespoke scripts or templates.
-
-Thanks for reading. Take Holos for a spin on your local machine with our [Quickstart] guide.
-
-[Guides]: /docs/guides/
-[API Reference]: /docs/api/
-[Quickstart]: /docs/quickstart/
-[CUE]: https://cuelang.org/
-[Author API]: /docs/api/author/
-[Core API]: /docs/api/core/
-[Open Infrastructure Services]: https://openinfrastructure.co/
-[Why are we templating YAML]: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=https%3A%2F%2Fleebriggs.co.uk%2Fblog%2F2019%2F02%2F07%2Fwhy-are-we-templating-yaml&sort=byDate&type=story
--- a/Show More
+++ b/Show More