Merge pull request #190 from holos-run/jeff/189-reference-docs

(#189) v1alpha2 API for reference docs

.github/workflows/release.yaml

@@ -54,6 +54,9 @@ jobs:
       - name: List keys
         run: gpg -K
 
+      - name: Git diff
+        run: git diff
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:

.gitignore

@@ -6,3 +6,4 @@ coverage.out
 *.hold/
 /deploy/
 .vscode/
+tmp/

Dockerfile

@@ -0,0 +1,8 @@
+FROM quay.io/holos-run/debian:bullseye AS final
+USER root
+WORKDIR /app
+ADD bin bin
+RUN chown -R app: /app
+# Kubernetes requires the user to be numeric
+USER 8192
+ENTRYPOINT bin/holos server

Makefile

@@ -7,7 +7,7 @@ REPO_PATH=$(ORG_PATH)/$(PROJ)
 VERSION := $(shell cat version/embedded/major version/embedded/minor version/embedded/patch | xargs printf "%s.%s.%s")
 BIN_NAME := holos
 
-DOCKER_REPO=quay.io/openinfrastructure/holos
+DOCKER_REPO=quay.io/holos-run/holos
 IMAGE_NAME=$(DOCKER_REPO)
 
 $( shell mkdir -p bin)
@@ -16,10 +16,12 @@ $( shell mkdir -p bin)
 export PATH := $(PWD)/internal/frontend/holos/node_modules/.bin:$(PATH)
 
 GIT_COMMIT=$(shell git rev-parse HEAD)
+GIT_SUFFIX=$(shell test -n "`git status --porcelain`" && echo "-dirty" || echo "")
+GIT_DETAIL=$(shell git describe --tags HEAD)
 GIT_TREE_STATE=$(shell test -n "`git status --porcelain`" && echo "dirty" || echo "clean")
 BUILD_DATE=$(shell date -Iseconds)
 
-LD_FLAGS="-w -X ${ORG_PATH}/${PROJ}/version.GitCommit=${GIT_COMMIT} -X ${ORG_PATH}/${PROJ}/version.GitTreeState=${GIT_TREE_STATE} -X ${ORG_PATH}/${PROJ}/version.BuildDate=${BUILD_DATE}"
+LD_FLAGS="-w -X ${ORG_PATH}/${PROJ}/version.GitDescribe=${GIT_DETAIL}${GIT_SUFFIX} -X ${ORG_PATH}/${PROJ}/version.GitCommit=${GIT_COMMIT} -X ${ORG_PATH}/${PROJ}/version.GitTreeState=${GIT_TREE_STATE} -X ${ORG_PATH}/${PROJ}/version.BuildDate=${BUILD_DATE}"
 
 .PHONY: default
 default: test
@@ -53,6 +55,7 @@ tidy: ## Tidy go module.
 .PHONY: fmt
 fmt: ## Format code.
 	cd docs/examples && cue fmt ./...
+	cd internal/generate/platforms && cue fmt ./...
 	go fmt ./...
 
 .PHONY: vet
@@ -61,10 +64,24 @@ vet: ## Vet Go code.
 
 .PHONY: gencue
 gencue: ## Generate CUE definitions
-	cd docs/examples && cue get go github.com/holos-run/holos/api/...
+	cd internal/generate/platforms && cue get go github.com/holos-run/holos/api/v1alpha1/...
+	cd internal/generate/platforms && cue get go github.com/holos-run/holos/api/core/...
+	cd internal/generate/platforms && cue get go github.com/holos-run/holos/api/meta/...
+
+.PHONY: rmgen
+rmgen: ## Remove generated code
+	git rm -rf service/gen/ internal/frontend/holos/src/app/gen/ || true
+	rm -rf service/gen/ internal/frontend/holos/src/app/gen/
+	git rm -rf internal/ent/
+	rm -rf internal/ent/
+	git restore --staged internal/ent/generate.go internal/ent/schema/
+	git restore internal/ent/generate.go internal/ent/schema/
+
+.PHONY: regenerate
+regenerate: generate ## Re-generate code (delete and re-create)
 
 .PHONY: generate
-generate: ## Generate code.
+generate: buf gencue ## Generate code.
 	go generate ./...
 
 .PHONY: build
@@ -87,6 +104,8 @@ test: ## Run tests.
 
 .PHONY: lint
 lint: ## Run linters.
+	buf lint
+	cd internal/frontend/holos && ng lint
 	golangci-lint run
 
 .PHONY: coverage
@@ -99,7 +118,7 @@ snapshot:  ## Go release snapshot
 
 .PHONY: buf
 buf: ## buf generate
-	cd service && buf mod update
+	cd service && buf dep update
 	buf generate
 
 .PHONY: tools
@@ -107,11 +126,13 @@ tools: go-deps frontend-deps  ## install tool dependencies
 
 .PHONY: go-deps
 go-deps: ## tool versions pinned in tools.go
+	go install cuelang.org/go/cmd/cue
 	go install github.com/bufbuild/buf/cmd/buf
 	go install github.com/fullstorydev/grpcurl/cmd/grpcurl
 	go install google.golang.org/protobuf/cmd/protoc-gen-go
 	go install connectrpc.com/connect/cmd/protoc-gen-connect-go
-	go install honnef.co/go/tools/cmd/staticcheck@latest
+	go install honnef.co/go/tools/cmd/staticcheck
+	go install golang.org/x/tools/cmd/godoc
 	# curl https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash
 
 .PHONY: frontend-deps
@@ -131,6 +152,11 @@ frontend: buf
 	cd internal/frontend/holos && ng build
 	touch internal/frontend/frontend.go
 
+.PHONY: image
+image: build ## Docker image build
+	docker build . -t ${DOCKER_REPO}:v$(shell ./bin/holos --version)
+	docker push ${DOCKER_REPO}:v$(shell ./bin/holos --version)
+
 .PHONY: help
 help:  ## Display this help menu.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

README.md

@@ -0,0 +1 @@
+# Holos

Tiltfile

@@ -99,6 +99,7 @@ docker_build_with_restart(
         '--listen-port={}'.format(listen_port),
         '--oidc-issuer=https://login.ois.run',
         '--oidc-audience=262096764402729854@holos_platform',
+        '--log-level=debug',
         '--metrics-port={}'.format(metrics_port),
     ],
     dockerfile='./hack/tilt/Dockerfile',
@@ -190,7 +191,7 @@ k8s_resource(
     ],
     resource_deps=[compile_id],
     links=[
-        link('https://{}.holos.dev.k2.ois.run/app/'.format(developer), "Holos Web UI")
+        link('https://{}.app.dev.k2.holos.run/ui/'.format(developer), "Holos Web UI")
     ],
 )
 
@@ -200,11 +201,6 @@ k8s_resource(
     new_name=auth_id,
     objects=[
       '{}:virtualservice'.format(holos_server),
-      '{}-allow-groups:authorizationpolicy'.format(holos_server),
-      '{}-allow-nothing:authorizationpolicy'.format(holos_server),
-      '{}-allow-well-known-paths:authorizationpolicy'.format(holos_server),
-      '{}-auth:authorizationpolicy'.format(holos_server),
-      '{}:requestauthentication'.format(holos_server),
     ],
 )
 

api/core/v1alpha2/apiobjects.go

@@ -0,0 +1,38 @@
+package v1alpha2
+
+import "google.golang.org/protobuf/types/known/structpb"
+
+// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
+type Label string
+
+// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
+type Kind string
+
+// APIObjectMap represents the marshalled yaml representation of kubernetes api
+// objects.  Do not produce an APIObjectMap directly, instead use [APIObjects]
+// to produce the marshalled yaml representation from CUE data, then provide the
+// result to [HolosComponent].
+type APIObjectMap map[Kind]map[Label]string
+
+// APIObjects represents kubernetes api objects to apply to the api server.
+// Useful to mix in resources to each HolosComponent type, for example adding an
+// ExternalSecret to a HelmChart HolosComponent.
+//
+// Kind must be the resource kind, e.g. Deployment or Service.
+//
+// Label is an arbitrary internal identifier to uniquely identify the resource
+// within the context of a `holos` command.  Holos will never write the
+// intermediate label to rendered output.
+//
+// Refer to [HolosComponent] which accepts an [APIObjectMap] field provided by
+// [APIObjects].
+type APIObjects struct {
+	// APIObjects represents Kubernetes API objects defined directly from CUE
+	// code.  Useful to mix in resources, for example adding an ExternalSecret
+	// resource to a HelmChart HolosComponent.
+	APIObjects map[Kind]map[Label]structpb.Struct `json:"apiObjects"`
+	// APIObjectMap represents the marshalled yaml representation of APIObjects,
+	// useful to inspect the rendered representation of the resource which will be
+	// sent to the kubernetes API server.
+	APIObjectMap APIObjectMap `json:"apiObjectMap"`
+}

api/core/v1alpha2/buildplan.go

@@ -0,0 +1,116 @@
+package v1alpha2
+
+import (
+	"fmt"
+	"strings"
+)
+
+// FileContentMap represents a mapping of file names to file content.
+type FileContentMap map[string]string
+
+// BuildPlan represents a build plan for the holos cli to execute.  A build plan
+// is a set of zero or more holos components.  The purpose of a BuildPlan is to
+// define one or more [HolosComponent] kinds, for example a [HelmChart] or
+// [KustomizeBuild].
+//
+// A BuildPlan usually has an additional empty [KubernetesObjects] for the
+// purpose of using the [HolosComponent] DeployFiles field to deploy an ArgoCD
+// or Flux gitops resource for the holos component.
+type BuildPlan struct {
+	Kind       string        `json:"kind" cue:"\"BuildPlan\""`
+	APIVersion string        `json:"apiVersion" cue:"string | *\"v1alpha2\""`
+	Spec       BuildPlanSpec `json:"spec"`
+}
+
+func (bp *BuildPlan) Validate() error {
+	errs := make([]string, 0, 2)
+	if bp.Kind != BuildPlanKind {
+		errs = append(errs, fmt.Sprintf("kind invalid: want: %s have: %s", BuildPlanKind, bp.Kind))
+	}
+	if bp.APIVersion != APIVersion {
+		errs = append(errs, fmt.Sprintf("apiVersion invalid: want: %s have: %s", APIVersion, bp.APIVersion))
+	}
+	if len(errs) > 0 {
+		return fmt.Errorf("invalid BuildPlan: " + strings.Join(errs, ", "))
+	}
+	return nil
+}
+
+func (bp *BuildPlan) ResultCapacity() (count int) {
+	if bp == nil {
+		return 0
+	}
+	count = len(bp.Spec.Components.HelmChartList) +
+		len(bp.Spec.Components.KubernetesObjectsList) +
+		len(bp.Spec.Components.KustomizeBuildList) +
+		len(bp.Spec.Components.Resources)
+	return count
+}
+
+type BuildPlanSpec struct {
+	Disabled   bool                `json:"disabled,omitempty"`
+	Components BuildPlanComponents `json:"components,omitempty"`
+}
+
+type BuildPlanComponents struct {
+	Resources             map[string]KubernetesObjects `json:"resources,omitempty"`
+	KubernetesObjectsList []KubernetesObjects          `json:"kubernetesObjectsList,omitempty"`
+	HelmChartList         []HelmChart                  `json:"helmChartList,omitempty"`
+	KustomizeBuildList    []KustomizeBuild             `json:"kustomizeBuildList,omitempty"`
+}
+
+// HolosComponent defines the fields common to all holos component kinds.  Every
+// holos component kind should embed HolosComponent.
+type HolosComponent struct {
+	// Kind is a string value representing the resource this object represents.
+	Kind string `json:"kind"`
+	// APIVersion represents the versioned schema of this representation of an object.
+	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
+	// Metadata represents data about the holos component such as the Name.
+	Metadata Metadata `json:"metadata"`
+
+	// APIObjectMap holds the marshalled representation of api objects.  Useful to
+	// mix in resources to each HolosComponent type, for example adding an
+	// ExternalSecret to a HelmChart HolosComponent.  Refer to [APIObjects].
+	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty"`
+
+	// DeployFiles represents file paths relative to the cluster deploy directory
+	// with the value representing the file content.  Intended for defining the
+	// ArgoCD Application resource or Flux Kustomization resource from within CUE,
+	// but may be used to render any file related to the build plan from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty"`
+
+	// Kustomize represents a kubectl kustomize build post-processing step.
+	Kustomize `json:"kustomize,omitempty"`
+
+	// Skip causes holos to take no action regarding this component.
+	Skip bool `json:"skip" cue:"bool | *false"`
+}
+
+// Metadata represents data about the holos component such as the Name.
+type Metadata struct {
+	// Name represents the name of the holos component.
+	Name string `json:"name"`
+	// Namespace is the primary namespace of the holos component.  A holos
+	// component may manage resources in multiple namespaces, in this case
+	// consider setting the component namespace to default.
+	//
+	// This field is optional because not all resources require a namespace,
+	// particularly CRD's and DeployFiles functionality.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// Kustomize represents resources necessary to execute a kustomize build.
+// Intended for at least two use cases:
+//
+//  1. Process a [KustomizeBuild] [HolosComponent] which represents raw yaml
+//     file resources in a holos component directory.
+//  2. Post process a [HelmChart] [HolosComponent] to inject istio, patch jobs,
+//     add custom labels, etc...
+type Kustomize struct {
+	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
+	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty"`
+	// ResourcesFile is the file name used for api objects in kustomization.yaml
+	ResourcesFile string `json:"resourcesFile,omitempty"`
+}

api/core/v1alpha2/constants.go

@@ -0,0 +1,11 @@
+package v1alpha2
+
+const (
+	APIVersion    = "v1alpha2"
+	BuildPlanKind = "BuildPlan"
+	HelmChartKind = "HelmChart"
+	// ChartDir is the directory name created in the holos component directory to cache a chart.
+	ChartDir = "vendor"
+	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
+	ResourcesFile = "resources.yaml"
+)

api/core/v1alpha2/core.go

@@ -0,0 +1,49 @@
+// Package v1alpha2 contains the core API contract between the holos cli and cue
+// configuration code.  Platform designers, operators, and software developers
+// use this API to write configuration in CUE which `holos` loads.  The overall
+// shape of the API defines imperative actions `holos` should carry out to
+// render the complete yaml that represents a Platform.
+package v1alpha2
+
+import "google.golang.org/protobuf/types/known/structpb"
+
+type PlatformMetadata struct {
+	// Name represents the Platform name.
+	Name string `json:"name"`
+}
+
+// Platform represents a platform to manage.  A Platform resource informs holos
+// which components to build.  The platform resource also acts as a container
+// for the platform model form values provided by the PlatformService.  The
+// primary use case is to collect the cluster names, cluster types, platform
+// model, and holos components to build into one resource.
+type Platform struct {
+	// Kind is a string value representing the resource this object represents.
+	Kind string `json:"kind" cue:"\"Platform\""`
+	// APIVersion represents the versioned schema of this representation of an object.
+	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
+	// Metadata represents data about the object such as the Name.
+	Metadata PlatformMetadata `json:"metadata"`
+
+	// Spec represents the specification.
+	Spec PlatformSpec `json:"spec"`
+}
+
+// PlatformSpec represents the specification of a Platform.  Think of a platform
+// specification as a list of platform components to apply to a list of
+// kubernetes clusters combined with the user-specified Platform Model.
+type PlatformSpec struct {
+	// Model represents the platform model holos gets from from the
+	// PlatformService.GetPlatform rpc method and provides to CUE using a tag.
+	Model structpb.Struct `json:"model"`
+	// Components represents a list of holos components to manage.
+	Components []PlatformSpecComponent `json:"components"`
+}
+
+// PlatformSpecComponent represents a holos component to build or render.
+type PlatformSpecComponent struct {
+	// Path is the path of the component relative to the platform root.
+	Path string `json:"path"`
+	// Cluster is the cluster name to provide when rendering the component.
+	Cluster string `json:"cluster"`
+}

api/core/v1alpha2/helm.go

@@ -0,0 +1,38 @@
+package v1alpha2
+
+// HelmChart represents a holos component which wraps around an upstream helm
+// chart.  Holos orchestrates helm by providing values obtained from CUE,
+// renders the output using `helm template`, then post-processes the helm output
+// yaml using the general functionality provided by [HolosComponent], for
+// example [Kustomize] post-rendering and mixing in additional kubernetes api
+// objects.
+type HelmChart struct {
+	HolosComponent `json:",inline"`
+	Kind           string `json:"kind" cue:"\"HelmChart\""`
+
+	// Chart represents a helm chart to manage.
+	Chart Chart `json:"chart"`
+	// ValuesContent represents the values.yaml file holos passes to the `helm
+	// template` command.
+	ValuesContent string `json:"valuesContent"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `json:"enableHooks" cue:"bool | *false"`
+}
+
+// Chart represents a helm chart.
+type Chart struct {
+	// Name represents the chart name.
+	Name string `json:"name"`
+	// Version represents the chart version.
+	Version string `json:"version"`
+	// Release represents the chart release when executing helm template.
+	Release string `json:"release"`
+	// Repository represents the repository to fetch the chart from.
+	Repository Repository `json:"repository,omitempty"`
+}
+
+// Repository represents a helm chart repository.
+type Repository struct {
+	Name string `json:"name"`
+	URL  string `json:"url"`
+}

api/core/v1alpha2/kubernetesobjects.go

@@ -0,0 +1,10 @@
+package v1alpha2
+
+const KubernetesObjectsKind = "KubernetesObjects"
+
+// KubernetesObjects represents a [HolosComponent] composed of kubernetes api
+// objects provided directly from CUE using [APIObjects].
+type KubernetesObjects struct {
+	HolosComponent `json:",inline"`
+	Kind           string `json:"kind" cue:"\"KubernetesObjects\""`
+}

api/core/v1alpha2/kustomizebuild.go

@@ -0,0 +1,8 @@
+package v1alpha2
+
+// KustomizeBuild renders plain yaml files in the holos component directory
+// using kubectl kustomize build.
+type KustomizeBuild struct {
+	HolosComponent `json:",inline"`
+	Kind           string `json:"kind" cue:"\"KustomizeBuild\""`
+}

api/meta/v1alpha2/meta.go

@@ -0,0 +1,37 @@
+package v1alpha2
+
+// TypeMeta describes an individual object in an API response or request with
+// strings representing the type of the object and its API schema version.
+// Structures that are versioned or persisted should inline TypeMeta.
+type TypeMeta struct {
+	// Kind is a string value representing the resource this object represents.
+	Kind string `json:"kind"`
+	// APIVersion defines the versioned schema of this representation of an object.
+	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
+}
+
+func (tm *TypeMeta) GetKind() string {
+	return tm.Kind
+}
+
+func (tm *TypeMeta) GetAPIVersion() string {
+	return tm.APIVersion
+}
+
+// Discriminator discriminates the kind of an api object.
+type Discriminator interface {
+	// GetKind returns Kind.
+	GetKind() string
+	// GetAPIVersion returns APIVersion.
+	GetAPIVersion() string
+}
+
+// ObjectMeta represents metadata of a holos component object. The fields are a
+// copy of upstream kubernetes api machinery but are holos objects distinct from
+// kubernetes api objects.
+type ObjectMeta struct {
+	// Name uniquely identifies the holos component instance and must be suitable as a file name.
+	Name string `json:"name,omitempty"`
+	// Namespace confines a holos component to a single namespace via kustomize if set.
+	Namespace string `json:"namespace,omitempty"`
+}

api/v1alpha1/buildplan.go

@@ -16,6 +16,10 @@ type BuildPlan struct {
 type BuildPlanSpec struct {
 	Disabled   bool                `json:"disabled,omitempty" yaml:"disabled,omitempty"`
 	Components BuildPlanComponents `json:"components,omitempty" yaml:"components,omitempty"`
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
 }
 
 type BuildPlanComponents struct {
@@ -38,3 +42,14 @@ func (bp *BuildPlan) Validate() error {
 	}
 	return nil
 }
+
+func (bp *BuildPlan) ResultCapacity() (count int) {
+	if bp == nil {
+		return 0
+	}
+	count = len(bp.Spec.Components.HelmChartList) +
+		len(bp.Spec.Components.KubernetesObjectsList) +
+		len(bp.Spec.Components.KustomizeBuildList) +
+		len(bp.Spec.Components.Resources)
+	return count
+}

api/v1alpha1/component.go

@@ -20,3 +20,11 @@ type HolosComponent struct {
 func (hc *HolosComponent) NewResult() *Result {
 	return &Result{HolosComponent: *hc}
 }
+
+func (hc *HolosComponent) GetAPIVersion() string {
+	return hc.APIVersion
+}
+
+func (hc *HolosComponent) GetKind() string {
+	return hc.Kind
+}

api/v1alpha1/form.go

@@ -0,0 +1,13 @@
+package v1alpha1
+
+import object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
+
+// Form represents a collection of Formly json powered form.
+type Form struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	Spec     FormSpec `json:"spec" yaml:"spec"`
+}
+
+type FormSpec struct {
+	Form object.Form `json:"form" yaml:"form"`
+}

api/v1alpha1/helm.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"syscall"
 
 	"github.com/holos-run/holos"
 	"github.com/holos-run/holos/internal/errors"
@@ -121,6 +122,14 @@ func (hc *HelmChart) helm(ctx context.Context, r *Result, path holos.InstancePat
 }
 
 // cacheChart stores a cached copy of Chart in the chart subdirectory of path.
+//
+// It is assumed that the only method responsible for writing to chartDir is
+// cacheChart itself.
+//
+// This relies on the atomicity of moving temporary directories into place on
+// the same filesystem via os.Rename. If a syscall.EEXIST error occurs during
+// renaming, it indicates that the cached chart already exists, which is an
+// expected scenario when this function is called concurrently.
 func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, chart Chart) error {
 	log := logger.FromContext(ctx)
 
@@ -156,11 +165,16 @@ func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, c
 		dst := filepath.Join(cachePath, item.Name())
 		log.DebugContext(ctx, "rename", "src", src, "dst", dst)
 		if err := os.Rename(src, dst); err != nil {
-			return errors.Wrap(fmt.Errorf("could not rename: %w", err))
+			var linkErr *os.LinkError
+			if errors.As(err, &linkErr) && errors.Is(linkErr.Err, syscall.EEXIST) {
+				log.DebugContext(ctx, "cache already exists", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
+			} else {
+				return errors.Wrap(fmt.Errorf("could not rename: %w", err))
+			}
 		}
 	}
 
-	log.InfoContext(ctx, "cached", "chart", chart.Name, "version", chart.Version, "path", cachePath)
+	log.InfoContext(ctx, "cached", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
 
 	return nil
 }

api/v1alpha1/platform.go

@@ -0,0 +1,32 @@
+package v1alpha1
+
+import "google.golang.org/protobuf/types/known/structpb"
+
+// Platform represents a platform to manage.  A Platform resource informs holos
+// which components to build.  The platform resource also acts as a container
+// for the platform model form values provided by the PlatformService.  The
+// primary use case is to collect the cluster names, cluster types, platform
+// model, and holos components to build into one resource.
+type Platform struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	Metadata ObjectMeta   `json:"metadata" yaml:"metadata"`
+	Spec     PlatformSpec `json:"spec" yaml:"spec"`
+}
+
+// PlatformSpec represents the platform build plan specification.
+type PlatformSpec struct {
+	// Model represents the platform model holos gets from from the
+	// holos.platform.v1alpha1.PlatformService.GetPlatform method and provides to
+	// CUE using a tag.
+	Model      structpb.Struct         `json:"model" yaml:"model"`
+	Components []PlatformSpecComponent `json:"components" yaml:"components"`
+}
+
+// PlatformSpecComponent represents a component to build or render with flags to
+// pass, for example the cluster name.
+type PlatformSpecComponent struct {
+	// Path is the path of the component relative to the platform root.
+	Path string `json:"path" yaml:"path"`
+	// Cluster is the cluster name to use when building the component.
+	Cluster string `json:"cluster" yaml:"cluster"`
+}

api/v1alpha1/result.go

@@ -17,6 +17,18 @@ type Result struct {
 	HolosComponent
 	// accumulatedOutput accumulates rendered api objects.
 	accumulatedOutput string
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
+}
+
+// Continue returns true if Skip is true indicating the result is to be skipped over.
+func (r *Result) Continue() bool {
+	if r == nil {
+		return false
+	}
+	return r.Skip
 }
 
 func (r *Result) Name() string {
@@ -120,6 +132,21 @@ func (r *Result) kustomize(ctx context.Context) error {
 	return nil
 }
 
+func (r *Result) WriteDeployFiles(ctx context.Context, path string) error {
+	log := logger.FromContext(ctx)
+	if len(r.DeployFiles) == 0 {
+		return nil
+	}
+	for k, content := range r.DeployFiles {
+		path := filepath.Join(path, k)
+		if err := r.Save(ctx, path, content); err != nil {
+			return errors.Wrap(err)
+		}
+		log.InfoContext(ctx, "wrote deploy file", "path", path, "bytes", len(content))
+	}
+	return nil
+}
+
 // Save writes the content to the filesystem for git ops.
 func (r *Result) Save(ctx context.Context, path string, content string) error {
 	log := logger.FromContext(ctx)
@@ -128,7 +155,7 @@ func (r *Result) Save(ctx context.Context, path string, content string) error {
 		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
 		return errors.Wrap(err)
 	}
-	// Write the kube api objects
+	// Write the file content
 	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
 		log.WarnContext(ctx, "could not write", "path", path, "err", err)
 		return errors.Wrap(err)

api/v1alpha1/typemeta.go

@@ -8,3 +8,13 @@ type TypeMeta struct {
 func (tm *TypeMeta) GetKind() string {
 	return tm.Kind
 }
+
+func (tm *TypeMeta) GetAPIVersion() string {
+	return tm.APIVersion
+}
+
+// Discriminator is an interface to discriminate the kind api object.
+type Discriminator interface {
+	GetKind() string
+	GetAPIVersion() string
+}

buf.gen.yaml

@@ -11,14 +11,10 @@ plugins:
     out: service/gen
     opt: paths=source_relative
   - plugin: es
-    out: internal/frontend/holos/gen
+    out: internal/frontend/holos/src/app/gen
     opt:
       - target=ts
   - plugin: connect-es
-    out: internal/frontend/holos/gen
-    opt:
-      - target=ts
-  - plugin: connect-query
-    out: internal/frontend/holos/gen
+    out: internal/frontend/holos/src/app/gen
     opt:
       - target=ts

cmd/holos/testdata/constraints.txt

@@ -2,6 +2,8 @@
 exec holos build ./foo/... --log-level debug
 stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- foo/constraints.cue --
@@ -20,6 +22,7 @@ spec: components: KubernetesObjectsList: [
 package holos
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 #KubernetesObjects: {
 	apiVersion: "holos.run/v1alpha1"

cmd/holos/testdata/issue15_cue_errors.txt

@@ -3,12 +3,15 @@
 stderr 'apiObjectMap.foo.bar: cannot convert incomplete value'
 stderr '/component.cue:\d+:\d+$'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
 package holos
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 apiVersion: "holos.run/v1alpha1"
 kind: "BuildPlan"

cmd/holos/testdata/issue25_apiobjects_cue.txt

@@ -3,6 +3,8 @@ exec holos build .
 stdout '^kind: SecretStore$'
 stdout '# Source: CUE apiObjects.SecretStore.default'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
@@ -13,6 +15,7 @@ kind: "BuildPlan"
 spec: components: KubernetesObjectsList: [{apiObjectMap: #APIObjects.apiObjectMap}]
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 #SecretStore: {
     kind: string

cmd/holos/testdata/issue25_apiobjects_helm.txt

@@ -4,6 +4,8 @@ stdout '^kind: SecretStore$'
 stdout '# Source: CUE apiObjects.SecretStore.default'
 stderr 'skipping helm: no chart name specified'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
@@ -14,6 +16,7 @@ kind: "BuildPlan"
 spec: components: HelmChartList: [{apiObjectMap: #APIObjects.apiObjectMap}]
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 #SecretStore: {
     kind: string

cmd/holos/testdata/issue25_show_object_names.txt

@@ -2,6 +2,8 @@
 ! exec holos build .
 stderr 'apiObjects.secretstore.default.foo: field not allowed'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
@@ -10,6 +12,7 @@ package holos
 apiVersion: "holos.run/v1alpha1"
 kind: "KubernetesObjects"
 cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 #SecretStore: {
     metadata: name: string

cmd/holos/testdata/issue33_helm_stderr.txt

@@ -2,6 +2,8 @@
 ! exec holos build .
 stderr 'Error: execution error at \(zitadel/templates/secret_zitadel-masterkey.yaml:2:4\): Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- zitadel.cue --
@@ -12,6 +14,7 @@ kind: "BuildPlan"
 spec: components: HelmChartList: [_HelmChart]
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 _HelmChart: {
   apiVersion: "holos.run/v1alpha1"

cmd/holos/testdata/issue42_kustomize_build_kind.txt

@@ -1,15 +1,18 @@
 # Kustomize is a supported holos component kind
-exec holos render --cluster-name=mycluster . --log-level=debug
+exec holos render component --cluster-name=mycluster . --log-level=debug
 
 # Want generated output
 cmp want.yaml deploy/clusters/mycluster/components/kstest/kstest.gen.yaml
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
 package holos
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 apiVersion: "holos.run/v1alpha1"
 kind: "BuildPlan"

cmd/holos/testdata/issue72_disallow_unknown_fields.txt

@@ -3,11 +3,14 @@
 ! exec holos build .
 stderr 'unknown field \\"TypoKubernetesObjectsList\\"'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
 package holos
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 apiVersion: "holos.run/v1alpha1"
 kind: "BuildPlan"

cmd/holos/testdata/version.txt

@@ -1,5 +1,3 @@
 exec holos --version
 # want version with no v on stdout
 stdout -count=1 '^\d+\.\d+\.\d+$'
-# want nothing on stderr
-! stderr .

docs/examples/api/ListPlatform/listplatform.json

@@ -0,0 +1,10 @@
+{
+  "org_id": "018f36fb-e3f7-7f7f-a1c5-c85fb735d215",
+  "field_mask": {
+    "paths": [
+      "id",
+      "name",
+      "displayName"
+    ]
+  }
+}

docs/examples/api/UpdatePlatform/clearform.json

@@ -0,0 +1,8 @@
+{
+  "update_mask": {
+    "paths": ["form"]
+  },
+  "update": {
+    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94"
+  }
+}

docs/examples/api/UpdatePlatform/model.json

@@ -0,0 +1,11 @@
+{
+  "update_mask": {
+    "paths": ["model","name","display_name"]
+  },
+  "update": {
+    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
+    "name": "bareplatform",
+    "display_name": "Bare Platform",
+    "model": {}
+  }
+}

docs/examples/api/UpdatePlatform/nomask.json

@@ -0,0 +1,6 @@
+{
+  "update": {
+    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
+    "model": {}
+  }
+}

docs/examples/authpolicy.cue

@@ -2,7 +2,10 @@ package holos
 
 import ap "security.istio.io/authorizationpolicy/v1"
 
-// #AuthPolicyRules represents AuthorizationPolicy rules for hosts that need specialized treatment.  Entries in this struct are exclused from the blank ingressauth AuthorizationPolicy governing the ingressgateway and included in a spcialized policy
+// #AuthPolicyRules represents AuthorizationPolicy rules for hosts that need
+// specialized treatment.  Entries in this struct are excluded from
+// AuthorizationPolicy/authproxy-custom in the istio-ingress namespace.  Entries
+// are added to their own AuthorizationPolicy.
 #AuthPolicyRules: {
 	// AuthProxySpec represents the identity provider configuration
 	AuthProxySpec: #AuthProxySpec & #Platform.authproxy
@@ -14,6 +17,9 @@ import ap "security.istio.io/authorizationpolicy/v1"
 			name: Name
 			// slug is the resource name prefix
 			slug: string
+			// NoAuthorizationPolicy disables an AuthorizationPolicy for the host
+			NoAuthorizationPolicy: true | *false
+
 			// Refer to https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule
 			spec: ap.#AuthorizationPolicySpec & {
 				action: "CUSTOM"
@@ -25,11 +31,13 @@ import ap "security.istio.io/authorizationpolicy/v1"
 
 	objects: #APIObjects & {
 		for Host in hosts {
-			apiObjects: {
-				AuthorizationPolicy: "\(Host.slug)-custom": {
-					metadata: namespace: "istio-ingress"
-					metadata: name:      "\(Host.slug)-custom"
-					spec: Host.spec
+			if Host.NoAuthorizationPolicy == false {
+				apiObjects: {
+					AuthorizationPolicy: "\(Host.slug)-custom": {
+						metadata: namespace: "istio-ingress"
+						metadata: name:      "\(Host.slug)-custom"
+						spec: Host.spec
+					}
 				}
 			}
 		}

docs/examples/cue.mod/module.cue

@@ -1 +1,2 @@
 module: "github.com/holos-run/holos/docs/examples"
+language: version: "v0.9.2"

docs/examples/helpers.cue

@@ -18,6 +18,7 @@ import "encoding/yaml"
 		Issuer?: [Name=_]: #Issuer & {metadata: name: Name}
 		Gateway?: [Name=_]: #Gateway & {metadata: name: Name}
 		ConfigMap?: [Name=_]: #ConfigMap & {metadata: name: Name}
+		ServiceAccount?: [Name=_]: #ServiceAccount & {metadata: name: Name}
 
 		Deployment?: [_]:            #Deployment
 		StatefulSet?: [_]:           #StatefulSet

docs/examples/platform.config.cue

@@ -0,0 +1,3 @@
+package holos
+
+_platform_config: string @tag(platform_config, type=string)

docs/examples/platform.config.json

@@ -0,0 +1 @@
+{}

docs/examples/platforms/holos-saas/clusters/provisioner/choria/broker/broker.cue

@@ -1,13 +1,13 @@
 package holos
 
 let Namespace = "jeff-holos"
-let Broker = "broker"
+let Broker = "choria-broker"
 
 spec: components: KubernetesObjectsList: [
 	#KubernetesObjects & {
 		_dependsOn: "prod-platform-issuer": _
 
-		metadata: name: "\(Namespace)-broker"
+		metadata: name: "\(Namespace)-\(Broker)"
 		apiObjectMap: OBJECTS.apiObjectMap
 	},
 ]
@@ -31,9 +31,6 @@ let OBJECTS = #APIObjects & {
 					Broker,
 					"\(Broker).\(Namespace).svc",
 					"\(Broker).\(Namespace).svc.cluster.local",
-					"provision-\(Broker)",
-					"provision-\(Broker).\(Namespace).svc",
-					"provision-\(Broker).\(Namespace).svc.cluster.local",
 					"*.\(Broker)",
 					"*.\(Broker).\(Namespace).svc",
 					"*.\(Broker).\(Namespace).svc.cluster.local",

docs/examples/platforms/holos-saas/clusters/provisioner/choria/provisioner/provsioner.cue

@@ -0,0 +1,45 @@
+package holos
+
+let Namespace = "jeff-holos"
+let Provisioner = "choria-provisioner"
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-platform-issuer": _
+
+		metadata: name: "\(Namespace)-\(Provisioner)"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let SelectorLabels = {
+	"app.kubernetes.io/instance": Provisioner
+	"app.kubernetes.io/name":     Provisioner
+}
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		Certificate: "\(Provisioner)-tls": #Certificate & {
+			metadata: {
+				name:      "\(Provisioner)-tls"
+				namespace: Namespace
+				labels:    SelectorLabels
+			}
+			spec: {
+				commonName: "\(Provisioner).\(Namespace).svc.cluster.local"
+				dnsNames: [
+					Provisioner,
+					"\(Provisioner).\(Namespace).svc",
+					"\(Provisioner).\(Namespace).svc.cluster.local",
+					"*.\(Provisioner)",
+					"*.\(Provisioner).\(Namespace).svc",
+					"*.\(Provisioner).\(Namespace).svc.cluster.local",
+				]
+				issuerRef: kind: "ClusterIssuer"
+				issuerRef: name: "platform-issuer"
+				secretName: metadata.name
+				usages: ["signing", "key encipherment", "server auth", "client auth"]
+			}
+		}
+	}
+}

docs/examples/platforms/holos-saas/clusters/workload/choria/broker/broker.cue

@@ -1,20 +1,20 @@
 package holos
 
 let Namespace = "jeff-holos"
-let Broker = "broker"
+let Broker = "choria-broker"
 
 spec: components: KubernetesObjectsList: [
 	#KubernetesObjects & {
 		_dependsOn: "prod-secrets-stores": _
 
-		metadata: name: "\(Namespace)-broker"
+		metadata: name: "\(Namespace)-\(Broker)"
 		apiObjectMap: OBJECTS.apiObjectMap
 	},
 ]
 
 let SelectorLabels = {
-	"app.kubernetes.io/instance": Broker
-	"app.kubernetes.io/name":     Broker
+	"app.kubernetes.io/part-of": "choria"
+	"app.kubernetes.io/name":    Broker
 }
 
 let Metadata = {
@@ -29,8 +29,8 @@ let OBJECTS = #APIObjects & {
 			metadata: name:      "\(Broker)-tls"
 			metadata: namespace: Namespace
 		}
-		ExternalSecret: "choria-\(Broker)": #ExternalSecret & {
-			metadata: name:      "choria-\(Broker)"
+		ExternalSecret: "\(Broker)": #ExternalSecret & {
+			metadata: name:      Broker
 			metadata: namespace: Namespace
 		}
 		StatefulSet: "\(Broker)": {
@@ -92,7 +92,7 @@ let OBJECTS = #APIObjects & {
 					volumes: [
 						{
 							name: Broker
-							secret: secretName: "choria-\(Broker)"
+							secret: secretName: Broker
 						},
 						{
 							name: "\(Broker)-tls"
@@ -137,11 +137,20 @@ let OBJECTS = #APIObjects & {
 			}
 		}
 		DestinationRule: "\(Broker)-wss": #DestinationRule & {
-			metadata: Metadata
+			_decriptions: "Configures Istio to connect to Choria using a cert issued by the Platform Issuer"
+			metadata:     Metadata
 			spec: host: "\(Broker).\(Namespace).svc.cluster.local"
 			spec: trafficPolicy: tls: {
 				credentialName: "istio-ingress-mtls-cert"
 				mode:           "MUTUAL"
+				// subjectAltNames is important, otherwise istio will fail to verify the
+				// choria broker upstream server.  make sure this matches a value
+				// present in the choria broker's cert.
+				//
+				//  kubectl get secret choria-broker-tls -o json | jq --exit-status
+				//  '.data | map_values(@base64d)' | jq .\"tls.crt\" -r | openssl x509
+				//  -text -noout -in -
+				subjectAltNames: [spec.host]
 			}
 		}
 		VirtualService: "\(Broker)-wss": #VirtualService & {

docs/examples/platforms/holos-saas/clusters/workload/choria/broker/reference.yaml

@@ -1,220 +0,0 @@
-# build output from https://github.com/holos-run/holos-infra/blob/main/experiments/components/holos-saas/broker/build
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/instance: broker
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: broker
-    app.kubernetes.io/version: 0.1.0
-    helm.sh/chart: broker-0.1.0
-  name: broker
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: broker
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: broker
-    app.kubernetes.io/version: 0.1.0
-    helm.sh/chart: broker-0.1.0
-  name: broker
-spec:
-  clusterIP: None
-  ports:
-  - appProtocol: tcp
-    name: tcp-nats
-    port: 4222
-    protocol: TCP
-    targetPort: tcp-nats
-  - appProtocol: tcp
-    name: tcp-cluster
-    port: 5222
-    protocol: TCP
-    targetPort: tcp-cluster
-  - appProtocol: https
-    name: https-wss
-    port: 443
-    protocol: TCP
-    targetPort: https-wss
-  selector:
-    app.kubernetes.io/instance: broker
-    app.kubernetes.io/name: broker
-  type: ClusterIP
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: broker
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: broker
-    app.kubernetes.io/version: 0.1.0
-    helm.sh/chart: broker-0.1.0
-  name: broker-lb
-spec:
-  externalTrafficPolicy: Local
-  loadBalancerIP: 1.2.3.4
-  ports:
-  - appProtocol: tcp
-    name: tcp-nats
-    port: 4222
-    protocol: TCP
-    targetPort: tcp-nats
-  - appProtocol: https
-    name: https-wss
-    port: 443
-    protocol: TCP
-    targetPort: https-wss
-  selector:
-    app.kubernetes.io/instance: broker
-    app.kubernetes.io/name: broker
-  type: LoadBalancer
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  labels:
-    app.kubernetes.io/instance: broker
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: broker
-    app.kubernetes.io/version: 0.1.0
-    helm.sh/chart: broker-0.1.0
-  name: broker
-spec:
-  replicas: 3
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: broker
-      app.kubernetes.io/name: broker
-  serviceName: broker
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/instance: broker
-        app.kubernetes.io/name: broker
-    spec:
-      containers:
-      - command:
-        - choria
-        - broker
-        - run
-        - --config
-        - /etc/choria/broker.conf
-        image: registry.choria.io/choria/choria:latest
-        imagePullPolicy: Always
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: http-stats
-        name: broker
-        ports:
-        - containerPort: 4222
-          name: tcp-nats
-          protocol: TCP
-        - containerPort: 4333
-          name: https-wss
-          protocol: TCP
-        - containerPort: 5222
-          name: tcp-cluster
-          protocol: TCP
-        - containerPort: 8222
-          name: http-stats
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /healthz
-            port: http-stats
-        resources: {}
-        securityContext: {}
-        volumeMounts:
-        - mountPath: /etc/choria
-          name: broker
-        - mountPath: /etc/choria-tls
-          name: broker-tls
-      securityContext: {}
-      serviceAccountName: broker
-      volumes:
-      - name: broker
-        secret:
-          secretName: broker
-      - name: broker-tls
-        secret:
-          secretName: broker-tls
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: broker-tls
-  namespace: holos-dev
-spec:
-  commonName: broker.holos-dev.svc.cluster.local
-  dnsNames:
-  - broker
-  - broker.holos-dev.svc
-  - broker.holos-dev.svc.cluster.local
-  - provision-broker
-  - provision-broker.holos-dev.svc
-  - provision-broker.holos-dev.svc.cluster.local
-  - '*.broker'
-  - '*.broker.holos-dev.svc'
-  - '*.broker.holos-dev.svc.cluster.local'
-  issuerRef:
-    kind: ClusterIssuer
-    name: cluster-issuer
-  secretName: broker-tls
-  usages:
-  - signing
-  - key encipherment
-  - server auth
-  - client auth
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: broker
-spec:
-  dataFrom:
-  - extract:
-      key: kv//kube-namespace/holos-dev/broker
-  refreshInterval: 1h
-  secretStoreRef:
-    kind: SecretStore
-    name: core-vault
-  target:
-    creationPolicy: Owner
-    name: broker
----
-apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: broker-wss
-  namespace: holos-dev
-spec:
-  host: broker.holos-dev.svc.cluster.local
-  trafficPolicy:
-    tls:
-      credentialName: istio-ingress-mtls-cert
-      mode: MUTUAL
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: broker-wss
-  namespace: holos-dev
-spec:
-  gateways:
-  - istio-ingress/wildcard-pub-gw
-  hosts:
-  - provision.pub.k2.holos.run
-  http:
-  - route:
-    - destination:
-        host: broker.holos-dev.svc.cluster.local
-        port:
-          number: 443
-        tls:
-          mode: SIMPLE
-

docs/examples/platforms/holos-saas/clusters/workload/choria/provisioner/Dockerfile

@@ -0,0 +1,18 @@
+FROM registry.choria.io/choria/provisioner:latest
+
+RUN curl -Lo nsc.zip https://github.com/nats-io/nsc/releases/download/v2.8.6/nsc-linux-amd64.zip &&\
+  unzip nsc.zip && \
+  mv nsc /usr/local/bin/nsc && \
+  chmod 755 /usr/local/bin/nsc && \
+  rm -f nsc.zip
+
+# TODO: Add jwt executable
+# TODO: Add helper executable
+
+USER choria
+ENV USER=choria
+
+ENTRYPOINT ["/usr/sbin/choria-provisioner"]
+
+# These two files are expected to be in the provisioner secret.
+CMD ["--config=/etc/provisioner/provisioner.yaml", "--choria-config=/etc/provisioner/choria.cfg"]

docs/examples/platforms/holos-saas/clusters/workload/choria/provisioner/provisioner.cue

@@ -0,0 +1,82 @@
+package holos
+
+let Namespace = "jeff-holos"
+let Provisioner = "choria-provisioner"
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-secrets-stores": _
+
+		metadata: name: "\(Namespace)-\(Provisioner)"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let SelectorLabels = {
+	"app.kubernetes.io/instance": Provisioner
+	"app.kubernetes.io/name":     Provisioner
+}
+
+let Metadata = {
+	name:      Provisioner
+	namespace: Namespace
+	labels:    SelectorLabels
+}
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		ExternalSecret: "\(Provisioner)-tls": #ExternalSecret & {
+			metadata: name:      "\(Provisioner)-tls"
+			metadata: namespace: Namespace
+		}
+		ExternalSecret: "\(Provisioner)": #ExternalSecret & {
+			metadata: name:      Provisioner
+			metadata: namespace: Namespace
+		}
+		ServiceAccount: "\(Provisioner)": #ServiceAccount & {
+			metadata: Metadata
+		}
+		Deployment: "\(Provisioner)": {
+			metadata: Metadata
+			spec: {
+				selector: matchLabels: SelectorLabels
+				template: metadata: labels: SelectorLabels
+				template: spec: {
+					containers: [
+						{
+							name: Provisioner
+							command: ["bash", "/etc/provisioner/entrypoint"]
+							// skopeo inspect docker://registry.choria.io/choria/provisioner | jq .RepoTags
+							image:           "registry.choria.io/choria/provisioner:0.15.1"
+							imagePullPolicy: "IfNotPresent"
+							resources: {}
+							securityContext: {}
+							volumeMounts: [
+								{
+									mountPath: "/etc/provisioner"
+									name:      Provisioner
+								},
+								{
+									mountPath: "/etc/provisioner-tls"
+									name:      "\(Provisioner)-tls"
+								},
+							]
+						},
+					]
+					securityContext: {}
+					serviceAccountName: Provisioner
+					volumes: [
+						{
+							name: Provisioner
+							secret: secretName: name
+						},
+						{
+							name: "\(Provisioner)-tls"
+							secret: secretName: name
+						},
+					]
+				}
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/foundation/cloud/argocd/argocd.cue

@@ -71,14 +71,15 @@ let IstioInject = [{op: "add", path: "/spec/template/metadata/labels/sidecar.ist
 	}
 }
 
-// Probably shouldn't use the authproxy struct and should instead define an identity provider struct.
-let AuthProxySpec = #AuthProxySpec & #Platform.authproxy
+let OAuthClient = #Platform.oauthClients.argocd.spec
 
 let OIDCConfig = {
-	name:     "Holos Platform"
-	issuer:   AuthProxySpec.issuer
-	clientID: #Platform.argocd.clientID
-	requestedIDTokenClaims: groups: essential: true
-	requestedScopes: ["openid", "profile", "email", "groups", "urn:zitadel:iam:org:domain:primary:\(AuthProxySpec.orgDomain)"]
+	name:            "Holos Platform"
+	issuer:          OAuthClient.issuer
+	clientID:        OAuthClient.clientID
+	requestedScopes: OAuthClient.scopesList
+	// Set redirect uri to https://argocd.example.com/pkce/verify
 	enablePKCEAuthentication: true
+
+	requestedIDTokenClaims: groups: essential: true
 }

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/ingress/ingress.cue

@@ -151,7 +151,7 @@ let OBJECTS = #APIObjects & {
 			loopback: #Service & {
 				_description: LoopbackDescription
 				metadata:     LoopbackMetaName
-				spec: selector:      LoopbackLabels
+				spec: selector: LoopbackLabels
 				spec: ports: [{port: 80, name: "http"}, {port: 443, name: "https"}]
 			}
 		}

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/mesh.cue

@@ -18,6 +18,10 @@ _IngressAuthProxy: {
 	Domains: (#Platform.org.domain):                    _
 	Domains: "\(#ClusterName).\(#Platform.org.domain)": _
 
+	// TODO: This should be generated from ProjectHosts
+	Domains: "holos.run":                 _
+	Domains: "\(#ClusterName).holos.run": _
+
 	let Metadata = {
 		name:      string
 		namespace: Namespace
@@ -85,7 +89,8 @@ _IngressAuthProxy: {
 						spec: {
 							securityContext: seccompProfile: type: "RuntimeDefault"
 							containers: [{
-								image:           "quay.io/oauth2-proxy/oauth2-proxy:v7.6.0"
+								// image: "quay.io/oauth3-proxy/oauth2-proxy:v7.6.0"
+								image:           "quay.io/holos/oauth2-proxy:v7.6.0-1-g77a03ae2"
 								imagePullPolicy: "IfNotPresent"
 								name:            "oauth2-proxy"
 								volumeMounts: [{
@@ -271,11 +276,14 @@ _IngressAuthProxy: {
 					rules: [
 						{
 							to: [{
+								// Refer to https://istio.io/latest/docs/ops/best-practices/security/#writing-host-match-policies
 								operation: notHosts: [
 									// Never send requests for the login service through the authorizer, would block login.
 									AuthProxySpec.issuerHost,
+									"\(AuthProxySpec.issuerHost):*",
 									// Exclude hosts with specialized rules from the catch-all.
 									for x in _AuthPolicyRules.hosts {x.name},
+									for x in _AuthPolicyRules.hosts {"\(x.name):*"},
 								]
 							}]
 							when: [
@@ -298,7 +306,7 @@ _IngressAuthProxy: {
 _AuthPolicyRules: #AuthPolicyRules & {
 	hosts: {
 		let Vault = "vault.core.ois.run"
-		(Vault): {
+		"\(Vault)": {
 			slug: "vault"
 			// Rules for when to route requests through the auth proxy
 			spec: rules: [
@@ -321,3 +329,20 @@ _AuthPolicyRules: #AuthPolicyRules & {
 		}
 	}
 }
+
+// Exclude project hosts from the auth proxy if configured to do so.  The
+// intended effect is to exclude the host from the blanket `authproxy-custom`
+// AuthorizationPolicy rule _without_ adding a specialized AuthorizationPolicy
+// for the same host.  This has the effect of completely excluding the host from
+// authorization policy.
+for Project in _Projects {
+	let ProjectHosts = (#ProjectHosts & {project: Project}).Hosts
+
+	for FQDN, Host in ProjectHosts {
+		if Host.NoAuthorizationPolicy {
+			if Host.clusters[#ClusterName] != _|_ {
+				_AuthPolicyRules: hosts: "\(Host.fqdn)": NoAuthorizationPolicy: true
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/platform-projects.cue

@@ -4,15 +4,23 @@ package holos
 
 let ZitadelProjectID = 257713952794870157
 
+let AllClusters = {
+	// platform level services typically run in the core cluster pair.
+	core1: _
+	core2: _
+	// for development, probably wouldn't run these services in the workload clusters.
+	k1: _
+	k2: _
+	k3: _
+	k4: _
+	k5: _
+}
+
 _Projects: #Projects & {
 	// The platform project is required and where platform services reside.  ArgoCD, Grafana, Prometheus, etc...
 	platform: {
 		resourceId: ZitadelProjectID
-		// platform level services typically run in the core cluster pair.
-		clusters: core1: _
-		clusters: core2: _
-		// for development, probably wouldn't run these services in the workload clusters.
-		clusters: k2: _
+		clusters:   AllClusters
 		// Services hosted in the platform project
 		hosts: argocd:     _
 		hosts: grafana:    _
@@ -22,13 +30,7 @@ _Projects: #Projects & {
 	holos: {
 		resourceId: ZitadelProjectID
 		domain:     "holos.run"
-		clusters: core1: _
-		clusters: core2: _
-		clusters: k1:    _
-		clusters: k2:    _
-		clusters: k3:    _
-		clusters: k4:    _
-		clusters: k5:    _
+		clusters:   AllClusters
 
 		environments: {
 			prod: stage: "prod"
@@ -41,9 +43,9 @@ _Projects: #Projects & {
 		// app is the holos web app and grpc api.
 		hosts: app: _
 		// provision is the choria broker provisioning system.
-		hosts: provision: _
+		hosts: provision: NoAuthorizationPolicy: true
 		// nats is the nats service holos controller machine room agents connect after provisioning.
-		hosts: nats: _
+		hosts: nats: NoAuthorizationPolicy: true
 	}
 
 	iam: {

docs/examples/platforms/reference/clusters/provisioner/platform-issuer/platform-issuer.cue

@@ -29,6 +29,7 @@ let OBJECTS = #APIObjects & {
 				metadata: name:      PlatformIssuer
 				metadata: namespace: Namespace
 				spec: {
+					duration:   "999999h"
 					isCA:       true
 					commonName: PlatformIssuer
 					secretName: PlatformIssuer

docs/examples/platforms/reference/clusters/workload/holos-run/dev/app/holos-run-app.cue

@@ -0,0 +1,73 @@
+package holos
+
+let Namespace = "dev-holos"
+let Holos = "holos"
+
+// spec represents the output provided to holos
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "dev-holos-app"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+// OBJECTS represents the kubernetes api objects to manage.
+let OBJECTS = #APIObjects & {
+	apiObjects: Deployment: holos: {
+		metadata: {
+			name:      Holos
+			namespace: Namespace
+			labels: app: Holos
+		}
+		spec: {
+			selector: matchLabels: app: Holos
+			template: metadata: labels: {
+				app:                       Holos
+				"sidecar.istio.io/inject": "true"
+			}
+			strategy: rollingUpdate: maxSurge:       1
+			strategy: rollingUpdate: maxUnavailable: 0
+			template: {
+				spec: {
+					serviceAccountName: Holos
+					securityContext: seccompProfile: type: "RuntimeDefault"
+					containers: [
+						{
+							name:            Holos
+							image:           "271053619184.dkr.ecr.us-east-2.amazonaws.com/holos-run/holos-server/holos:v0.79.0"
+							imagePullPolicy: "Always"
+							env: [
+								{
+									name:  "TZ"
+									value: "America/Los_Angeles"
+								},
+								{
+									name: "DATABASE_URL"
+									valueFrom: secretKeyRef: {
+										key:  "uri"
+										name: "holos-pguser-holos"
+									}
+								},
+							]
+							ports: [
+								{
+									containerPort: 3000
+									name:          "http"
+									protocol:      "TCP"
+								},
+							]
+							securityContext: capabilities: drop: ["ALL"]
+							securityContext: allowPrivilegeEscalation: false
+							securityContext: runAsNonRoot:             true
+							resources: limits: {
+								cpu:    "0.25"
+								memory: "256Mi"
+							}
+							resources: requests: resources.limits
+						},
+					]
+				}
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/holos-run/dev/infra/holos-run-infra.cue

@@ -0,0 +1,129 @@
+package holos
+
+let Namespace = "dev-holos"
+let Holos = "holos"
+
+// spec represents the output provided to holos
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "dev-holos-infra"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let Metadata = {
+	name:      Holos
+	namespace: Namespace
+	labels: app: Holos
+}
+
+// OBJECTS represents the kubernetes api objects to manage.
+let OBJECTS = #APIObjects & {
+	// Postgres
+	// Deployment
+	// VirtualService
+
+	apiObjects: ServiceAccount: holos: {
+		metadata: Metadata
+		imagePullSecrets: [{name: "kube-system-ecr-image-pull-creds"}]
+	}
+
+	apiObjects: PostgresCluster: holos: {
+		apiVersion: "postgres-operator.crunchydata.com/v1beta1"
+		metadata:   Metadata
+		spec: {
+			image: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.1-0"
+			instances: [{
+				affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: [{
+					podAffinityTerm: {
+						labelSelector: matchLabels: "postgres-operator.crunchydata.com/cluster": "holos"
+						topologyKey: "kubernetes.io/hostname"
+					}
+					weight: 1
+				}]
+				dataVolumeClaimSpec: {
+					accessModes: ["ReadWriteOnce"]
+					resources: requests: storage: "1Gi"
+				}
+				name:     "db"
+				replicas: 1
+			}]
+			port:            5432
+			postgresVersion: 16
+			users: [{
+				databases: ["holos"]
+				name:    "holos"
+				options: "SUPERUSER"
+			}]
+			backups: pgbackrest: {
+				global: {
+					"archive-async":          "y"
+					"archive-push-queue-max": "100MiB"
+					"spool-path":             "/pgdata/backups"
+				}
+				image: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-2"
+				repos: [{
+					name: "repo1"
+					volume: volumeClaimSpec: {
+						accessModes: ["ReadWriteOnce"]
+						resources: requests: storage: "1Gi"
+					}
+				}]
+			}
+		}
+	}
+
+	apiObjects: Service: holos: {
+		apiVersion: "v1"
+		metadata:   Metadata
+		spec: {
+			type: "ClusterIP"
+			selector: app: "holos"
+			ports: [{
+				appProtocol: "http2"
+				name:        "http"
+				port:        3000
+				protocol:    "TCP"
+				targetPort:  3000
+			}, {
+				appProtocol: "http"
+				name:        "metrics"
+				port:        9090
+				protocol:    "TCP"
+				targetPort:  9090
+			}]
+		}
+	}
+
+	apiObjects: VirtualService: holos: {
+		apiVersion: "networking.istio.io/v1beta1"
+		metadata:   Metadata
+		spec: {
+			gateways: ["istio-ingress/default"]
+			hosts: [
+				"app.dev.holos.run",
+				"app.dev.\(#ClusterName).holos.run",
+			]
+			http: [{
+				match: [{
+					uri: prefix: "/ui"
+				}]
+				name: "ui"
+				route: [{
+					destination: {
+						host: "holos"
+						port: number: 3000
+					}
+				}]
+			}, {
+				name: "api"
+				route: [{
+					destination: {
+						host: "holos"
+						port: number: 3000
+					}
+				}]
+			}]
+		}
+	}
+}

docs/examples/platforms/reference/platform-project-schema.cue

@@ -4,15 +4,18 @@ package holos
 #Project: {
 	name: string
 
-	// All projects have at least a prod environment and stage.
+	// All projects have at least a prod and dev environment and stage.
+
+	// Omit the prod stage segment from hostnames.  foo.holos.run not foo.prod.holos.run
 	stages: prod: stageSegments: []
 	environments: prod: stage: "prod"
+	// Omit the prod env segment from hostnames.  foo.holos.run not prod.foo.holos.run
 	environments: prod: envSegments: []
+
 	stages: dev: _
 	environments: dev: stage: "dev"
+	// Omit the dev env segment from hostnames.  foo.dev.holos.run not dev.foo.dev.holos.run
 	environments: dev: envSegments: []
-	// Ensure at least the project name is a short hostname.  Additional may be added.
-	hosts: (name): _
 
 	// environments share the stage segments of their stage.
 	environments: [_]: {

docs/examples/project-hosts.cue

@@ -16,9 +16,10 @@ import "strings"
 			for Host in project.hosts {
 				// Global hostname, e.g. app.holos.run
 				let CertInfo = (#MakeCertInfo & {
-					host:   Host
-					env:    Env
-					domain: project.domain
+					host:       Host
+					env:        Env
+					domain:     project.domain
+					clusterMap: project.clusters
 				}).CertInfo
 
 				"\(CertInfo.fqdn)": CertInfo
@@ -26,10 +27,11 @@ import "strings"
 				// Cluster hostname, e.g. app.east1.holos.run, app.west1.holos.run
 				for Cluster in project.clusters {
 					let CertInfo = (#MakeCertInfo & {
-						host:    Host
-						env:     Env
-						domain:  project.domain
-						cluster: Cluster.name
+						host:       Host
+						env:        Env
+						domain:     project.domain
+						cluster:    Cluster.name
+						clusterMap: project.clusters
 					}).CertInfo
 
 					"\(CertInfo.fqdn)": CertInfo
@@ -42,10 +44,11 @@ import "strings"
 // #MakeCertInfo provides dns info for a certificate
 // Refer to: https://github.com/holos-run/holos/issues/66#issuecomment-2027562626
 #MakeCertInfo: {
-	host:    #Host
-	env:     #Environment
-	domain:  string
-	cluster: string
+	host:       #Host
+	env:        #Environment
+	domain:     string
+	cluster:    string
+	clusterMap: #ClusterMap
 
 	let Stage = #StageInfo & {name: env.stage, project: env.project}
 	let Env = env
@@ -91,6 +94,18 @@ import "strings"
 			slug:      Env.slug
 			namespace: Env.namespace
 		}
+
+		if cluster != _|_ {
+			// Host is valid on a single cluster.
+			clusters: "\(cluster)": _
+		}
+
+		if cluster == _|_ {
+			// Host is valid on all project clusters.
+			clusters: clusterMap
+		}
+
+		NoAuthorizationPolicy: host.NoAuthorizationPolicy
 	}
 }
 
@@ -108,8 +123,19 @@ import "strings"
 
 	stage: #StageOrEnvRef
 	env:   #StageOrEnvRef
+
+	// clusters represents the cluster names the fqdn is valid on.
+	clusters: #ClusterMap
+	// hosts are always valid on the provisioner cluster
+	clusters: provisioner: _
+
+	// NoAuthorizationPolicy excludes the host from the auth proxy integrated with
+	// the default ingress Gateway.
+	NoAuthorizationPolicy: true | *false
 }
 
+#ClusterMap: [Name=string]: #Cluster & {name: Name}
+
 #StageOrEnvRef: {
 	name:      string
 	slug:      string

docs/examples/project-template-provisioner-certs.cue

@@ -24,7 +24,7 @@ package holos
 						dnsNames: [for x in _dnsNames {x}]
 						issuerRef: {
 							kind: "ClusterIssuer"
-							name: "letsencrypt-staging"
+							name: "letsencrypt"
 						}
 					}
 				}

docs/examples/project-template.cue

@@ -3,6 +3,7 @@ package holos
 import (
 	h "github.com/holos-run/holos/api/v1alpha1"
 	"encoding/yaml"
+	"strings"
 )
 
 // let SourceLoc = "project-template.cue"
@@ -26,25 +27,32 @@ import (
 	project: #Project
 	let Project = project
 
+	// ProjectHosts represents all of the hosts associated with a project indexed
+	// by FQDN with #CertInfo values.  Slice and dice this struct as needed to
+	// work with hosts in the platform.
 	ProjectHosts: (#ProjectHosts & {project: Project}).Hosts
 
 	// GatewayServers maps Gateway spec.servers #GatewayServer values indexed by stage then name.
 	GatewayServers: {
 		for FQDN, Host in ProjectHosts {
-			"\(FQDN)": #GatewayServer & {
-				_CertInfo: Host
-				hosts: [
-					"\(Host.env.namespace)/\(FQDN)",
-					// Allow the authproxy VirtualService to match the project.authProxyPrefix path.
-					"\(Host.stage.namespace)/\(FQDN)",
-				]
-				port: {
-					name:     "https"
-					number:   443
-					protocol: "HTTPS"
+			// If the host is valid on the cluster being rendered
+			if Host.clusters[#ClusterName] != _|_ {
+				"\(FQDN)": #GatewayServer & {
+					_CertInfo: Host
+					hosts: [
+						"\(Host.env.namespace)/\(FQDN)",
+						// Allow the authproxy VirtualService to match the project.authProxyPrefix path.
+						"\(Host.stage.namespace)/\(FQDN)",
+					]
+					port: {
+						// NOTE: port names in servers must be unique: duplicate name https
+						name:     "https-" + strings.Replace(FQDN, ".", "-", -1)
+						number:   443
+						protocol: "HTTPS"
+					}
+					tls: credentialName: Host.canonical
+					tls: mode:           "SIMPLE"
 				}
-				tls: credentialName: Host.canonical
-				tls: mode:           "SIMPLE"
 			}
 		}
 	}

docs/examples/project_types.cue

@@ -68,8 +68,13 @@ _Projects: #Projects
 // #Cluster defines a cluster
 #Cluster: name: string
 
-// #Host defines a short hostname
-#Host: name: string
+#Host: {
+	// #Host defines a short hostname
+	name: string
+	// NoAuthorizationPolicy excludes the host from the auth proxy integrated with
+	// the default ingress Gateway.
+	NoAuthorizationPolicy: true | *false
+}
 
 #Environment: {
 	// name uniquely identifies the environment within the scope of the project.

docs/runbooks/argocd.md

@@ -0,0 +1,14 @@
+# ArgoCD
+
+Create the deploy key secret in the management cluster.
+
+```bash
+tmp="$(mktemp -d)"
+(cd $tmp && ssh-keygen -t ed25519 -f sshPrivateKey -m pem -C argocd -N '')
+echo git@github.com:holos-run/holos-infra.git > "${tmp}/url"
+holos create secret -n argocd --append-hash=false creds-holos-infra --from-file $tmp
+rm -rf "$tmp"
+```
+
+When syncing the secret, the ExternalSecret needs to set the label
+`argocd.argoproj.io/secret-type: repo-creds`.

docs/runbooks/login/backups.md

@@ -0,0 +1,97 @@
+# PostgresCluster Backups
+
+This document describes how the S3 bucket for `PostgresCluster` backups is configured.  These buckets are configured both for ZITADEL and for Holos 
+Server and are applicable to any service in Holos that stores data in a pgo `PostgresCluster` resource.
+
+## Create the Bucket
+Name: `holos-zitadel-backups` for `zitadel`
+Name: `holos-server-backups` for `holos server`
+> [!NOTE]
+> The settings below match the default settings recommended by AWS.
+
+Object Ownership: `ACLs disabled` (recommended) Checked.
+Block Public Access settings for this bucket: **`Block all public access`** Checked.
+Bucket Versioning: `Disable`
+Default encryption: `Server-side encryption with Amazon S3 managed keys (SSE-S3)`
+Bucket Key: `Enable`
+Object Lock: `Disable`
+
+## Create an IAM Policy
+Create one IAM Policy for each bucket to grant full access to the bucket.  Replace the resource with each bucket name.
+Name: `holos-zitadel-backups` for `zitadel`
+Name: `holos-server-backups` for `holos server`
+Description: `Read and write access to a specific bucket for pgrest operating within a pgo PostgresCluster.`
+
+Policy JSON:
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetBucketLocation",
+                "s3:ListAllMyBuckets"
+            ],
+            "Resource": "arn:aws:s3:::*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "s3:*",
+            "Resource": [
+                "arn:aws:s3:::holos-zitadel-backups",
+                "arn:aws:s3:::holos-zitadel-backups/*"
+            ]
+        }
+    ]
+}
+```
+## Create an IAM Group
+Create an IAM Group to attach the policy granting access to the bucket.
+Name: `holos-zitadel-backups` for `zitadel`
+Attach permission policies: `holos-zitadel-backups`
+
+Name: `holos-server-backups` for `holos server`
+Attach permission policies: `holos-server-backups`
+## Create the IAM User
+Create an IAM User entity for each PostgresCluster.  Do not provide user access to the AWS Management Console.
+Name: `holos-zitadel-backups` for `zitadel`
+Group: `holos-zitadel-backups`
+
+Name: `holos-server-backups` for `holos server`
+Group: `holos-server-backups`
+
+## Create an Access Key
+Create an access key for `pgbackrest` associated with the `PostgresCluster`.
+
+Description: 
+> Used by pgbackrest associated with the PostgresCluster resource.  Refer to the PostgresCluster resource pgbackrest.cofiguration.secret.name for the stored location of the access key.  Synced from the Management Cluster using an ExternalSecret.
+## Create the Secret
+Create a `Secret` in the holos management cluster usable by pgbackrest.  This is a secret with a single key, `s3.conf` with the following format:
+```
+[global]
+repo2-cipher-pass=
+repo2-s3-key=
+repo2-s3-key-secret=
+repo3-cipher-pass=
+repo3-s3-key=
+repo3-s3-key-secret=
+```
+> [!NOTE]
+> Use the same values for repo2 and repo3.  The purpose is to make space for migrating if need be in the future.
+
+Generate the cipher pass using.  This password is used to encrypt all backups using client side before the backup is written to the bucket.
+```
+tr -dc A-Za-z0-9 </dev/urandom | head -c 64
+```
+
+Store the secret into the management cluster:
+```
+holos create secret --namespace zitadel holos-zitadel-backups \
+  --append-hash=false --from-file .
+```
+
+```
+holos create secret --namespace holos holos-server-backups \
+  --append-hash=false --from-file .
+```

docs/runbooks/login/pgbouncer.md

@@ -0,0 +1,92 @@
+# PG Bouncer
+
+Every few days ZITADEL fails.  The problem seems to be related to pgbouncer not
+being able to resolve DNS.  Restarting the pgbouncer pod fixes the issue.
+
+See [How to load-balance queries between several servers?](https://www.pgbouncer.org/faq.html#how-to-load-balance-queries-between-several-servers)
+
+> [!NOTE]
+> DNS round-robin. Use several IPs behind one DNS name. PgBouncer does not look up DNS each time a new connection is launched. Instead, it caches all IPs and does round-robin internally. Note: if there are more than 8 IPs behind one name, the DNS backend must support the EDNS0 protocol. See README for details.
+
+## Workaround
+
+```sh
+# Get the tls based creds to bypass oidc
+(cd ~/.kube && holos get secret core2-kubeconfig-admin --print-key kubeconfig.admin > core2.admin)
+export KUBECONFIG=$HOME/.kube/core2.admin
+# Restart pgbouncer
+kubectl -n prod-iam rollout restart deployment zitadel-pgbouncer
+```
+
+## Symptom logs
+
+```sh
+kubectl -n prod-iam logs -c pgbouncer -l postgres-operator.crunchydata.com/role=pgbouncer
+```
+
+```txt
+2024-05-08 17:56:11.424 UTC [7] LOG S-0x559b03f90ff0: zitadel/zitadel@10.110.109.110:5432 SSL established: TLSv1.3/TLS_AES_256_GCM_SHA384/ECDH=prime256v1
+2024-05-08 17:56:11.429 UTC [7] LOG S-0x559b03f92820: zitadel/zitadel@10.110.109.110:5432 new connection to server (from 10.244.5.38:53658)
+2024-05-08 17:56:11.435 UTC [7] LOG S-0x559b03f92820: zitadel/zitadel@10.110.109.110:5432 SSL established: TLSv1.3/TLS_AES_256_GCM_SHA384/ECDH=prime256v1
+2024-05-08 17:56:11.476 UTC [7] LOG C-0x559b03f7a610: zitadel/zitadel@10.244.2.89:34932 closing because: client close request (age=440s)
+2024-05-08 17:56:19.708 UTC [7] LOG stats: 15 xacts/s, 42 queries/s, 0 client parses/s, 0 server parses/s, 0 binds/s, in 6159 B/s, out 6124 B/s, xact 3930 us, query 869 us, wait 490 us
+[msg] Nameserver 10.96.0.10:53 is back up
+2024-05-08 17:57:09.366 UTC [7] LOG C-0x559b03f7a610: zitadel/zitadel@10.244.3.187:58674 login attempt: db=zitadel user=zitadel tls=TLSv1.3/TLS_AES_256_GCM_SHA384
+2024-05-08 17:57:09.391 UTC [7] LOG C-0x559b03f7a610: zitadel/zitadel@10.244.3.187:58674 closing because: client close request (age=0s)
+2024-05-08 17:57:19.709 UTC [7] LOG stats: 9 xacts/s, 24 queries/s, 0 client parses/s, 0 server parses/s, 0 binds/s, in 2870 B/s, out 3018 B/s, xact 4147 us, query 958 us, wait 23 us
+2024-05-08 17:58:19.708 UTC [7] LOG stats: 12 xacts/s, 32 queries/s, 0 client parses/s, 0 server parses/s, 0 binds/s, in 3861 B/s, out 3533 B/s, xact 3843 us, query 853 us, wait 0 us
+2024-05-08 17:56:11.411 UTC [8] LOG S-0x55a894e36650: zitadel/_crunchypgbouncer@10.110.109.110:5432 new connection to server (from 10.244.3.227:58984)
+2024-05-08 17:56:11.411 UTC [8] LOG S-0x55a894e37920: zitadel/zitadel@10.110.109.110:5432 new connection to server (from 10.244.3.227:58992)
+2024-05-08 17:56:11.418 UTC [8] LOG S-0x55a894e37920: zitadel/zitadel@10.110.109.110:5432 SSL established: TLSv1.3/TLS_AES_256_GCM_SHA384/ECDH=prime256v1
+2024-05-08 17:56:11.420 UTC [8] LOG S-0x55a894e36650: zitadel/_crunchypgbouncer@10.110.109.110:5432 SSL established: TLSv1.3/TLS_AES_256_GCM_SHA384/ECDH=prime256v1
+2024-05-08 17:56:11.438 UTC [8] LOG S-0x55a894e35b90: zitadel/zitadel@10.110.109.110:5432 new connection to server (from 10.244.3.227:59004)
+2024-05-08 17:56:11.445 UTC [8] LOG S-0x55a894e35b90: zitadel/zitadel@10.110.109.110:5432 SSL established: TLSv1.3/TLS_AES_256_GCM_SHA384/ECDH=prime256v1
+2024-05-08 17:56:17.148 UTC [8] LOG stats: 9 xacts/s, 27 queries/s, 0 client parses/s, 0 server parses/s, 0 binds/s, in 3236 B/s, out 2826 B/s, xact 5224 us, query 910 us, wait 1182 us
+[msg] Nameserver 10.96.0.10:53 is back up
+2024-05-08 17:57:17.145 UTC [8] LOG stats: 10 xacts/s, 31 queries/s, 0 client parses/s, 0 server parses/s, 0 binds/s, in 4342 B/s, out 4305 B/s, xact 4536 us, query 776 us, wait 0 us
+2024-05-08 17:58:17.149 UTC [8] LOG stats: 5 xacts/s, 15 queries/s, 0 client parses/s, 0 server parses/s, 0 binds/s, in 1641 B/s, out 1582 B/s, xact 7819 us, query 1426 us, wait 0 us
+```
+
+## Relevant Configuration
+
+`/etc/pgbouncer/pgbouncer.ini` is empty.
+
+```
+bash-4.4$ cat /etc/pgbouncer/~postgres-operator.ini
+# Generated by postgres-operator. DO NOT EDIT.
+# Your changes will not be saved.
+
+[pgbouncer]
+%include /etc/pgbouncer/pgbouncer.ini
+
+[pgbouncer]
+auth_file = /etc/pgbouncer/~postgres-operator/users.txt
+auth_query = SELECT username, password from pgbouncer.get_auth($1)
+auth_user = _crunchypgbouncer
+client_tls_ca_file = /etc/pgbouncer/~postgres-operator/frontend-ca.crt
+client_tls_cert_file = /etc/pgbouncer/~postgres-operator/frontend-tls.crt
+client_tls_key_file = /etc/pgbouncer/~postgres-operator/frontend-tls.key
+client_tls_sslmode = require
+conffile = /etc/pgbouncer/~postgres-operator.ini
+ignore_startup_parameters = extra_float_digits
+listen_addr = *
+listen_port = 5432
+server_tls_ca_file = /etc/pgbouncer/~postgres-operator/backend-ca.crt
+server_tls_sslmode = verify-full
+unix_socket_dir =
+
+[databases]
+* = host=zitadel-primary port=5432
+```
+
+### [host](https://www.pgbouncer.org/config.html#host)
+
+> Host name or IP address to connect to. Host names are resolved at connection time, the result is cached per dns_max_ttl parameter. When a host name’s resolution changes, existing server connections are automatically closed when they are released (according to the pooling mode), and new server connections immediately use the new resolution. If DNS returns several results, they are used in a round-robin manner.
+
+### dns_max_ttl
+
+[dns_max_ttl](https://www.pgbouncer.org/config.html#dns_max_ttl)
+
+How long DNS lookups can be cached. The actual DNS TTL is ignored.
+
+Default: 15.0 (seconds)

docs/runbooks/namespace.md

@@ -0,0 +1,30 @@
+# Namespaces
+
+Holos follows the [Namespace Sameness - Sig Multicluster Position][1].  A
+namespace is the same on all clusters within the scope of a platform.
+
+Namespaces are also security boundaries for role based access control.  As such,
+permission to read a secret in a namespace means the secret is readable on all
+clusters in the platform.
+
+When adding a component to a platform, create a namespace using the following
+process.  This ensures a namespace scoped `SecretStore` is created to sync
+`ExternalSecret` resources from the management cluster.
+
+ 1. Add a new project to the `_Projects` struct in `platform.cue`.
+ 2. Add the namespace to the `spec.namespaces` field of the project.
+ 3. Render the platform
+ 4. Apply the `namespaces` component to the management cluster
+ 5. Apply the `eso-creds-manager` component to the management cluster to create the `eso-reader` ksa for the namespace `SecretStore`
+ 6. Get a timestamp: `STAMP="$(date +%s)"`
+ 7. Run the job to populate ecr creds: `kubectl create job -n holos-system --from=cronjob/ecr-creds-manager ecr-creds-manager-$STAMP`
+ 8. Wait for the job to complete: `kubectl -n holos-system logs -l job-name=ecr-creds-manager-$STAMP -f`
+ 9. Apply the `namespaces` component to the workload clusters
+ 10. On the workload cluster, run the job to fetch the eso-reader creds: `kubectl create job -n holos-system --from=cronjob/eso-creds-refresher eso-creds-refresher-${STAMP}`
+ 11. Wait for the job to complete: `kubectl -n holos-system logs -l job-name=eso-creds-refresher-${STAMP}`
+ 12. Apply the secretstores component to the workload cluster.
+ 13. Apply any other cluster specific components which were modified by the `holos render platform ./platform` command.
+
+Your namespace is created and you have the ability to create secrets in the management cluster and pull them using ExternalSecret resources. (edited)  
+
+[1]: https://github.com/kubernetes/community/blob/dd4c8b704ef1c9c3bfd928c6fa9234276d61ad18/sig-multicluster/namespace-sameness-position-statement.md

docs/runbooks/workload-identity.md

@@ -0,0 +1,31 @@
+# Workload Identity
+
+When a new workload cluster is provisioned, allow it to access the Management
+Cluster using workload identity.  This is necessary for the
+`eso-creds-refresher` component and `Job` that executes in each workload
+cluster, which in turn enables the `SecretStore` in each namespace to sync
+secrets.
+
+Build the cluster with Cluster API.
+See https://github.com/holos-run/holos-infra/blob/main/hack/capi/eks/aws2/aws2-managedmachinepool.yaml#L81-L84
+
+## Workload Identity Provider
+Add the Cluster as a workload identity provider to the `holos-ops` gcp project.
+
+Pool: [holos](https://console.cloud.google.com/iam-admin/workload-identity-pools/pool/holos?organizationId=358674006047&project=holos-ops)
+Name: `k8s-aws1`, `k8s-aws2`, etc...
+### Issuer URL:
+```
+kubectl create -n default token default | cut -d. -f2 | base64 -d | jq -r .iss
+```
+
+### Audience
+Use the default audience.
+### Attribute Mapping
+
+| Google                           | OIDC                                                   |
+| -------------------------------- | ------------------------------------------------------ |
+| `google.subject`                 | `assertion.sub`                                        |
+| `attribute.service_account_name` | `assertion['kubernetes.io']['serviceaccount']['name']` |
+| `attribute.uid`                  | `assertion['kubernetes.io']['serviceaccount']['uid']`  |
+| `attribute.pod`                  | `assertion['kubernetes.io']['pod']['name']`            |

go.mod

@@ -5,11 +5,13 @@ go 1.21.5
 require (
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.33.0-20240401165935-b983156c5e99.1
 	connectrpc.com/connect v1.16.0
+	connectrpc.com/grpcreflect v1.2.0
+	connectrpc.com/otelconnect v0.7.0
 	connectrpc.com/validate v0.1.0
-	cuelang.org/go v0.8.0
+	cuelang.org/go v0.9.2
 	entgo.io/ent v0.13.1
 	github.com/bufbuild/buf v1.30.1
-	github.com/choria-io/machine-room v0.0.0-20231204170637-dbd92497cddc
+	github.com/choria-io/machine-room v0.0.0-20240417064836-c604da2f005e
 	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/fullstorydev/grpcurl v1.9.1
 	github.com/go-jose/go-jose/v3 v3.0.3
@@ -19,6 +21,7 @@ require (
 	github.com/lmittmann/tint v1.0.4
 	github.com/mattn/go-isatty v0.0.20
 	github.com/mattn/go-runewidth v0.0.15
+	github.com/mennanov/fieldmask-utils v1.1.2
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/prometheus/client_golang v1.19.0
 	github.com/rogpeppe/go-internal v1.12.0
@@ -26,8 +29,10 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	golang.org/x/net v0.22.0
-	golang.org/x/tools v0.19.0
+	golang.org/x/net v0.26.0
+	golang.org/x/sync v0.7.0
+	golang.org/x/tools v0.22.0
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa
 	google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002
 	honnef.co/go/tools v0.4.7
 	k8s.io/api v0.29.2
@@ -40,10 +45,8 @@ require (
 
 require (
 	ariga.io/atlas v0.19.1-0.20240203083654-5948b60a8e43 // indirect
-	cloud.google.com/go/compute v1.23.3 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	connectrpc.com/otelconnect v0.7.0 // indirect
-	cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2 // indirect
 	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/BurntSushi/toml v1.3.2 // indirect
@@ -66,24 +69,24 @@ require (
 	github.com/bufbuild/protoyaml-go v0.1.8 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cheekybits/genny v1.0.0 // indirect
-	github.com/choria-io/fisk v0.6.1 // indirect
-	github.com/choria-io/go-choria v0.27.1-0.20231204170245-efda165efc54 // indirect
+	github.com/choria-io/fisk v0.6.2 // indirect
+	github.com/choria-io/go-choria v0.28.1-0.20240416190746-b3bf9c7d5a45 // indirect
 	github.com/choria-io/go-updater v0.1.0 // indirect
 	github.com/choria-io/stream-replicator v0.8.3-0.20230503130504-86152f798aec // indirect
-	github.com/choria-io/tokens v0.0.3 // indirect
-	github.com/cloudevents/sdk-go/v2 v2.14.0 // indirect
+	github.com/choria-io/tokens v0.0.4-0.20240316144214-a929d9325d48 // indirect
+	github.com/cloudevents/sdk-go/v2 v2.15.2 // indirect
 	github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe // indirect
 	github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect
 	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/cli v26.0.0+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v26.0.0+incompatible // indirect
+	github.com/docker/docker v26.0.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.1 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -93,7 +96,7 @@ require (
 	github.com/envoyproxy/go-control-plane v0.12.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
-	github.com/expr-lang/expr v1.15.6 // indirect
+	github.com/expr-lang/expr v1.16.4 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/fgprof v0.9.4 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -120,7 +123,7 @@ require (
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-containerregistry v0.19.1 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20240327155427-868f304927ed // indirect
+	github.com/google/pprof v0.0.0-20240416155748-26353dc0451f // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/wire v0.5.0 // indirect
@@ -131,7 +134,7 @@ require (
 	github.com/gosuri/uilive v0.0.4 // indirect
 	github.com/gosuri/uiprogress v0.0.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 // indirect
-	github.com/guptarohit/asciigraph v0.5.6 // indirect
+	github.com/guptarohit/asciigraph v0.7.1 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
 	github.com/hashicorp/logutils v1.0.0 // indirect
@@ -149,11 +152,11 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
-	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/klauspost/compress v1.17.8 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/looplab/fsm v1.0.1 // indirect
-	github.com/lufia/plan9stats v0.0.0-20231016141302-07b5767bb0ed // indirect
+	github.com/lufia/plan9stats v0.0.0-20240408141607-282e7b5d6b74 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
@@ -172,46 +175,47 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nats-io/jsm.go v0.1.1-0.20231204140718-1ad3bcd9702c // indirect
-	github.com/nats-io/jwt/v2 v2.5.3 // indirect
-	github.com/nats-io/nats-server/v2 v2.10.6 // indirect
-	github.com/nats-io/nats.go v1.31.0 // indirect
-	github.com/nats-io/nkeys v0.4.6 // indirect
+	github.com/nats-io/jsm.go v0.1.1 // indirect
+	github.com/nats-io/jwt/v2 v2.5.5 // indirect
+	github.com/nats-io/nats-server/v2 v2.10.14 // indirect
+	github.com/nats-io/nats.go v1.34.1 // indirect
+	github.com/nats-io/nkeys v0.4.7 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/oleiade/reflections v1.0.1 // indirect
-	github.com/onsi/ginkgo/v2 v2.15.0 // indirect
-	github.com/onsi/gomega v1.31.1 // indirect
-	github.com/open-policy-agent/opa v0.59.0 // indirect
+	github.com/onsi/ginkgo/v2 v2.17.1 // indirect
+	github.com/onsi/gomega v1.32.0 // indirect
+	github.com/open-policy-agent/opa v0.63.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/profile v1.7.0 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b // indirect
-	github.com/prometheus/client_model v0.6.0 // indirect
-	github.com/prometheus/common v0.50.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.52.3 // indirect
+	github.com/prometheus/procfs v0.13.0 // indirect
 	github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/robfig/cron v1.2.0 // indirect
 	github.com/rs/cors v1.10.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/samber/lo v1.39.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
-	github.com/shirou/gopsutil/v3 v3.23.11 // indirect
+	github.com/shirou/gopsutil/v3 v3.24.3 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
-	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/tetratelabs/wazero v1.6.0 // indirect
 	github.com/tidwall/gjson v1.17.1 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
@@ -222,7 +226,8 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xlab/tablewriter v0.0.0-20160610135559-80b567a11ad5 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	github.com/yusufpapurcu/wmi v1.2.3 // indirect
+	github.com/yuin/goldmark v1.4.13 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	github.com/zclconf/go-cty v1.8.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 	go.opentelemetry.io/otel v1.25.0 // indirect
@@ -233,19 +238,17 @@ require (
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
 	golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a // indirect
-	golang.org/x/mod v0.16.0 // indirect
-	golang.org/x/oauth2 v0.18.0 // indirect
-	golang.org/x/sync v0.6.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/term v0.18.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240325203815-454cdb8f5daa // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa // indirect
 	google.golang.org/grpc v1.62.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -262,5 +265,3 @@ require (
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
-
-replace github.com/choria-io/machine-room v0.0.0 => github.com/jeffmccune/machine-room v0.0.990

go.sum

@@ -23,10 +23,8 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk=
-cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
@@ -40,14 +38,16 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 connectrpc.com/connect v1.16.0 h1:rdtfQjZ0OyFkWPTegBNcH7cwquGAN1WzyJy80oFNibg=
 connectrpc.com/connect v1.16.0/go.mod h1:XpZAduBQUySsb4/KO5JffORVkDI4B6/EYPi7N8xpNZw=
+connectrpc.com/grpcreflect v1.2.0 h1:Q6og1S7HinmtbEuBvARLNwYmTbhEGRpHDhqrPNlmK+U=
+connectrpc.com/grpcreflect v1.2.0/go.mod h1:nwSOKmE8nU5u/CidgHtPYk1PFI3U9ignz7iDMxOYkSY=
 connectrpc.com/otelconnect v0.7.0 h1:ZH55ZZtcJOTKWWLy3qmL4Pam4RzRWBJFOqTPyAqCXkY=
 connectrpc.com/otelconnect v0.7.0/go.mod h1:Bt2ivBymHZHqxvo4HkJ0EwHuUzQN6k2l0oH+mp/8nwc=
 connectrpc.com/validate v0.1.0 h1:r55jirxMK7HO/xZwVHj3w2XkVFarsUM77ZDy367NtH4=
 connectrpc.com/validate v0.1.0/go.mod h1:GU47c9/x/gd+u9wRSPkrQOP46gx2rMN+Wo37EHgI3Ow=
-cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e h1:GwCVItFUPxwdsEYnlUcJ6PJxOjTeFFCKOh6QWg4oAzQ=
-cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e/go.mod h1:ApHceQLLwcOkCEXM1+DyCXTHEJhNGDpJ2kmV6axsx24=
-cuelang.org/go v0.8.0 h1:fO1XPe/SUGtc7dhnGnTPbpIDoQm/XxhDtoSF7jzO01c=
-cuelang.org/go v0.8.0/go.mod h1:CoDbYolfMms4BhWUlhD+t5ORnihR7wvjcfgyO9lL5FI=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2 h1:BnG6pr9TTr6CYlrJznYUDj6V7xldD1W+1iXPum0wT/w=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2/go.mod h1:pK23AUVXuNzzTpfMCA06sxZGeVQ/75FdVtW249de9Uo=
+cuelang.org/go v0.9.2 h1:pfNiry2PdRBr02G/aKm5k2vhzmqbAOoaB4WurmEbWvs=
+cuelang.org/go v0.9.2/go.mod h1:qpAYsLOf7gTM1YdEg6cxh553uZ4q9ZDWlPbtZr9q1Wk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 entgo.io/ent v0.13.1 h1:uD8QwN1h6SNphdCCzmkMN3feSUzNnVvV/WIkHKMbzOE=
 entgo.io/ent v0.13.1/go.mod h1:qCEmo+biw3ccBn9OyL4ZK5dfpwg++l1Gxwac5B1206A=
@@ -84,6 +84,7 @@ github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tj
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
 github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
@@ -113,22 +114,23 @@ github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMr
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cheekybits/genny v1.0.0 h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=
 github.com/cheekybits/genny v1.0.0/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wXkRAgjxjQ=
-github.com/choria-io/fisk v0.6.1 h1:umFzmj2Ecttk89AFoxnqCph0exAmChqhJklvE+Id18o=
-github.com/choria-io/fisk v0.6.1/go.mod h1:m6kd61ycRGwkyb0SDdgmcQXW9fQJuqeH4DKEjRxJewg=
-github.com/choria-io/go-choria v0.27.1-0.20231204170245-efda165efc54 h1:JeKdv9cF/VRvpCiHYn9ywiRO8EAJOxa4ucRxK7ZyPL8=
-github.com/choria-io/go-choria v0.27.1-0.20231204170245-efda165efc54/go.mod h1:FRKqAlnTdujcyhNCdGBSaTGtlHuTX6akgjTxP9SDXMI=
+github.com/choria-io/fisk v0.6.2 h1:Vfvpcv8SD53FHW5cT4u7LStpz/wThwRPQHU7mzv1kMI=
+github.com/choria-io/fisk v0.6.2/go.mod h1:PajiUZTAotE5zO18eU6UexuPLLv565WOma4dB0ObxRM=
+github.com/choria-io/go-choria v0.28.1-0.20240416190746-b3bf9c7d5a45 h1:B76eu8PMXr3mAhQl8y7NSsb1/4KCKX4bEDTsKWh7/CQ=
+github.com/choria-io/go-choria v0.28.1-0.20240416190746-b3bf9c7d5a45/go.mod h1:XLEKGqo1Xmvj69DrSdI0neDGveWJDDQTeHdZgf1zxsI=
 github.com/choria-io/go-updater v0.1.0 h1:+Pt2ifsDh478T/ldA8fnDwavvH3RTQNn1mkrabVZ5eg=
 github.com/choria-io/go-updater v0.1.0/go.mod h1:8qj3lwYUC6c0zqsvaKP4pNu8GMHbIr5WGrd5YUWByWw=
-github.com/choria-io/machine-room v0.0.0-20231204170637-dbd92497cddc h1:S/I4co2ITCHzZO81EV4xpIP+sGWQvxkFnrhXCehNR+0=
-github.com/choria-io/machine-room v0.0.0-20231204170637-dbd92497cddc/go.mod h1:sL9flpPiPucmV8Xb+HQ3VD2lgBZnLGAJbJALcGYcxjc=
+github.com/choria-io/machine-room v0.0.0-20240417064836-c604da2f005e h1:Kt9CeGRjW/mKQTams+aCUvIAucw3VzEZbKFJvM3pFeE=
+github.com/choria-io/machine-room v0.0.0-20240417064836-c604da2f005e/go.mod h1:3zCpMS5R2/xOd6Wsep2o0vvAy0eJnfU/ngEptEuJArs=
 github.com/choria-io/stream-replicator v0.8.3-0.20230503130504-86152f798aec h1:jGTkaDf2kDAlho4Oi6r2x51kzjXpxqhECFTHzTZ/a3w=
 github.com/choria-io/stream-replicator v0.8.3-0.20230503130504-86152f798aec/go.mod h1:QVvT5tjYSYmvqx585herBk0aK13DS1j/wJVDDWuLFww=
-github.com/choria-io/tokens v0.0.3 h1:kD+TNzS+ok8hYOs8MUOOTrkpG/gsQwpfIVPhcH7zrXs=
-github.com/choria-io/tokens v0.0.3/go.mod h1:P/2ukQBNVkM4EjGw/PAvUrPQY8A/CU9I3NALGTC07yM=
+github.com/choria-io/tokens v0.0.4-0.20240316144214-a929d9325d48 h1:KyL4w+dxAOfqi4Wds6Fh0632sxBw0YvRqL9fqMziGBI=
+github.com/choria-io/tokens v0.0.4-0.20240316144214-a929d9325d48/go.mod h1:dEyJo/309e8n141nzx1u82QuXVt6mt42V1Jn9CkJJPs=
 github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
 github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs=
 github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww=
@@ -139,12 +141,16 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudevents/sdk-go/v2 v2.14.0 h1:Nrob4FwVgi5L4tV9lhjzZcjYqFVyJzsA56CwPaPfv6s=
-github.com/cloudevents/sdk-go/v2 v2.14.0/go.mod h1:xDmKfzNjM8gBvjaF8ijFjM1VYOVUEeUfapHMUX1T5To=
+github.com/cloudevents/sdk-go/v2 v2.15.2 h1:54+I5xQEnI73RBhWHxbI1XJcqOFOVJN85vb41+8mHUc=
+github.com/cloudevents/sdk-go/v2 v2.15.2/go.mod h1:lL7kSWAE/V8VI4Wh0jbL2v/jvqsm6tjmaQBSvxcv4uE=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe h1:QQ3GSy+MqSHxm/d8nCtnAiZdYFd45cYZPs8vOOIYKfk=
 github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ=
 github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM=
 github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
@@ -163,8 +169,9 @@ github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg=
 github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw=
 github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8=
@@ -178,8 +185,8 @@ github.com/docker/cli v26.0.0+incompatible h1:90BKrx1a1HKYpSnnBFR6AgDq/FqkHxwlUy
 github.com/docker/cli v26.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
-github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.0.2+incompatible h1:yGVmKUFGgcxA6PXWAokO0sQL22BrQ67cgVjko8tGdXE=
+github.com/docker/docker v26.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
 github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -195,6 +202,8 @@ github.com/emicklei/proto v1.10.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI=
 github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
@@ -202,8 +211,8 @@ github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU
 github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
 github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
 github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/expr-lang/expr v1.15.6 h1:dQFgzj5DBu3wnUz8+PGLZdPMpefAvxaCFTNM3iSjkGA=
-github.com/expr-lang/expr v1.15.6/go.mod h1:uCkhfG+x7fcZ5A5sXHKuQ07jGZRl6J0FCAaf2k4PtVQ=
+github.com/expr-lang/expr v1.16.4 h1:1Mq5RHw5T5jxXMUvyb+eT546mJREm1yFyNHkybYQ81c=
+github.com/expr-lang/expr v1.16.4/go.mod h1:uCkhfG+x7fcZ5A5sXHKuQ07jGZRl6J0FCAaf2k4PtVQ=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
@@ -213,8 +222,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
-github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI=
-github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4=
+github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
+github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fullstorydev/grpcurl v1.9.1 h1:YxX1aCcCc4SDBQfj9uoWcTLe8t4NWrZe1y+mk83BQgo=
@@ -304,6 +313,7 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -346,13 +356,14 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20240227163752-401108e1b7e7/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/pprof v0.0.0-20240327155427-868f304927ed h1:n8QtJTrwsv3P7dNxPaMeNkMcxvUpqocsHLr8iDLGlQI=
-github.com/google/pprof v0.0.0-20240327155427-868f304927ed/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
+github.com/google/pprof v0.0.0-20240416155748-26353dc0451f h1:WpZiq8iqvGjJ3m3wzAVKL6+0vz7VkE79iSy9GII00II=
+github.com/google/pprof v0.0.0-20240416155748-26353dc0451f/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/wire v0.5.0 h1:I7ELFeVBr3yfPIcc8+MWvrjk+3VjbcSzoXm3JVa+jD8=
@@ -371,10 +382,11 @@ github.com/gosuri/uilive v0.0.4 h1:hUEBpQDj8D8jXgtCdBu7sWsy5sbW/5GhuO8KBwJ2jyY=
 github.com/gosuri/uilive v0.0.4/go.mod h1:V/epo5LjjlDE5RJUcqx8dbw+zc93y5Ya3yg8tfZ74VI=
 github.com/gosuri/uiprogress v0.0.1 h1:0kpv/XY/qTmFWl/SkaJykZXrBBzwwadmW8fRb7RJSxw=
 github.com/gosuri/uiprogress v0.0.1/go.mod h1:C1RTYn4Sc7iEyf6j8ft5dyoZ4212h8G1ol9QQluh5+0=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
-github.com/guptarohit/asciigraph v0.5.6 h1:0tra3HEhfdj1sP/9IedrCpfSiXYTtHdCgBhBL09Yx6E=
-github.com/guptarohit/asciigraph v0.5.6/go.mod h1:dYl5wwK4gNsnFf9Zp+l06rFiDZ5YtXM6x7SRWZ3KGag=
+github.com/guptarohit/asciigraph v0.7.1 h1:K+JWbRc04XEfv8BSZgNuvhCmpbvX4+9NYd/UxXVnAuk=
+github.com/guptarohit/asciigraph v0.7.1/go.mod h1:dYl5wwK4gNsnFf9Zp+l06rFiDZ5YtXM6x7SRWZ3KGag=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -427,8 +439,8 @@ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNU
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg=
-github.com/klauspost/compress v1.17.7/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
+github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -449,8 +461,8 @@ github.com/lmittmann/tint v1.0.4/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ
 github.com/looplab/fsm v1.0.1 h1:OEW0ORrIx095N/6lgoGkFkotqH6s7vaFPsgjLAaF5QU=
 github.com/looplab/fsm v1.0.1/go.mod h1:PmD3fFvQEIsjMEfvZdrCDZ6y8VwKTwWNjlpEr6IKPO4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/lufia/plan9stats v0.0.0-20231016141302-07b5767bb0ed h1:036IscGBfJsFIgJQzlui7nK1Ncm0tp2ktmPj8xO4N/0=
-github.com/lufia/plan9stats v0.0.0-20231016141302-07b5767bb0ed/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
+github.com/lufia/plan9stats v0.0.0-20240408141607-282e7b5d6b74 h1:1KuuSOy4ZNgW0KA2oYIngXVFhQcXxhLqCVK7cBcldkk=
+github.com/lufia/plan9stats v0.0.0-20240408141607-282e7b5d6b74/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -465,6 +477,8 @@ github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZ
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mennanov/fieldmask-utils v1.1.2 h1:f5hd3hYeWdl+q2thiKYyZZmqTqn90uayWG03bca9U+E=
+github.com/mennanov/fieldmask-utils v1.1.2/go.mod h1:xRqd9Fjz/gFEDYCQw7pxGouxqLhSPrkOdx2yhEAXEls=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
@@ -501,16 +515,16 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/nats-io/jsm.go v0.1.1-0.20231204140718-1ad3bcd9702c h1:/4QPECV3zPK1/eRQEU7SfYDACU1yPRYuwaf5p+ThJUI=
-github.com/nats-io/jsm.go v0.1.1-0.20231204140718-1ad3bcd9702c/go.mod h1:4HtrppnSb8m+1bX9bH/IhqmYDluP8tXRVVEznXo+kIg=
-github.com/nats-io/jwt/v2 v2.5.3 h1:/9SWvzc6hTfamcgXJ3uYRpgj+QuY2aLNqRiqrKcrpEo=
-github.com/nats-io/jwt/v2 v2.5.3/go.mod h1:iysuPemFcc7p4IoYots3IuELSI4EDe9Y0bQMe+I3Bf4=
-github.com/nats-io/nats-server/v2 v2.10.6 h1:40U3ngyAKyC1tNT4Kw7PjuvivY74NTYD3qyIHxZUHKQ=
-github.com/nats-io/nats-server/v2 v2.10.6/go.mod h1:IrTXS8o4Roa3G2kW8L5mEtSdmSrFjKhYb/m2g0gQ/vc=
-github.com/nats-io/nats.go v1.31.0 h1:/WFBHEc/dOKBF6qf1TZhrdEfTmOZ5JzdJ+Y3m6Y/p7E=
-github.com/nats-io/nats.go v1.31.0/go.mod h1:di3Bm5MLsoB4Bx61CBTsxuarI36WbhAwOm8QrW39+i8=
-github.com/nats-io/nkeys v0.4.6 h1:IzVe95ru2CT6ta874rt9saQRkWfe2nFj1NtvYSLqMzY=
-github.com/nats-io/nkeys v0.4.6/go.mod h1:4DxZNzenSVd1cYQoAa8948QY3QDjrHfcfVADymtkpts=
+github.com/nats-io/jsm.go v0.1.1 h1:6vjllz276SdC+3Fb3XI71p9B6toxkCruuB1K6unQEr0=
+github.com/nats-io/jsm.go v0.1.1/go.mod h1:cFz5wR1pW0zLFotntS4HA7V8Wm+sf8zpF+iQJHbsS6M=
+github.com/nats-io/jwt/v2 v2.5.5 h1:ROfXb50elFq5c9+1ztaUbdlrArNFl2+fQWP6B8HGEq4=
+github.com/nats-io/jwt/v2 v2.5.5/go.mod h1:ZdWS1nZa6WMZfFwwgpEaqBV8EPGVgOTDHN/wTbz0Y5A=
+github.com/nats-io/nats-server/v2 v2.10.14 h1:98gPJFOAO2vLdM0gogh8GAiHghwErrSLhugIqzRC+tk=
+github.com/nats-io/nats-server/v2 v2.10.14/go.mod h1:a0TwOVBJZz6Hwv7JH2E4ONdpyFk9do0C18TEwxnHdRk=
+github.com/nats-io/nats.go v1.34.1 h1:syWey5xaNHZgicYBemv0nohUPPmaLteiBEUT6Q5+F/4=
+github.com/nats-io/nats.go v1.34.1/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8=
+github.com/nats-io/nkeys v0.4.7 h1:RwNJbbIdYCoClSDNY7QVKZlyb/wfT6ugvFCiKy6vDvI=
+github.com/nats-io/nkeys v0.4.7/go.mod h1:kqXRgRDPlGy7nGaEDMuYzmiJCIAAWDK0IMBtDmGD0nc=
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
@@ -519,12 +533,12 @@ github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0
 github.com/oleiade/reflections v1.0.1/go.mod h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
-github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
-github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
-github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
-github.com/open-policy-agent/opa v0.59.0 h1:1WFU/KUhJAr3qatm0Lf8Ea5jp10ZmlE2M07oaLiHypg=
-github.com/open-policy-agent/opa v0.59.0/go.mod h1:rdJSkEc4oQ+0074/3Fsgno5bkPsYxTjU5aLNmMujIvI=
+github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8=
+github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
+github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
+github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
+github.com/open-policy-agent/opa v0.63.0 h1:ztNNste1v8kH0/vJMJNquE45lRvqwrM5mY9Ctr9xIXw=
+github.com/open-policy-agent/opa v0.63.0/go.mod h1:9VQPqEfoB2N//AToTxzZ1pVTVPUoF2Mhd64szzjWPpU=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -539,20 +553,21 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
 github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b h1:0LFwY6Q3gMACTjAbMZBjXAqTOzOwFaj2Ld6cjeQ7Rig=
-github.com/power-devops/perfstat v0.0.0-20221212215047-62379fc7944b/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
+github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
 github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos=
-github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8=
-github.com/prometheus/common v0.50.0 h1:YSZE6aa9+luNa2da6/Tik0q0A5AbR+U003TItK57CPQ=
-github.com/prometheus/common v0.50.0/go.mod h1:wHFBCEVWVmHMUpg7pYcOm2QUR/ocQdYSJVQJKnHc3xQ=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.52.3 h1:5f8uj6ZwHSscOGNdIQg6OiZv/ybiK2CO2q2drVZAQSA=
+github.com/prometheus/common v0.52.3/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
+github.com/prometheus/procfs v0.13.0 h1:GqzLlQyfsPbaEHaQkO7tbDlriv/4o5Hudv6OXHGKX7o=
+github.com/prometheus/procfs v0.13.0/go.mod h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43ZKY6tow0Y1g=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 h1:sadMIsgmHpEOGbUs6VtHBXRR1OHevnj7hLx9ZcdNGW4=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
@@ -560,10 +575,11 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqn
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
-github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
@@ -577,19 +593,19 @@ github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6Ng
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/sethvargo/go-retry v0.2.4 h1:T+jHEQy/zKJf5s95UkguisicE0zuF9y7+/vgz08Ocec=
 github.com/sethvargo/go-retry v0.2.4/go.mod h1:1afjQuvh7s4gflMObvjLPaWgluLLyhA1wmVZ6KLpICw=
-github.com/shirou/gopsutil/v3 v3.23.11 h1:i3jP9NjCPUz7FiZKxlMnODZkdSIp2gnzfrvsu9CuWEQ=
-github.com/shirou/gopsutil/v3 v3.23.11/go.mod h1:1FrWgea594Jp7qmjHUUPlJDTPgcsb9mGnXDxavtikzM=
+github.com/shirou/gopsutil/v3 v3.24.3 h1:eoUGJSmdfLzJ3mxIhmOAhgKEKgQkeOwKpz1NbhVnuPE=
+github.com/shirou/gopsutil/v3 v3.24.3/go.mod h1:JpND7O217xa72ewWz9zN2eIIkPWsDN/3pl0H8Qt0uwg=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
 github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
-github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
@@ -620,6 +636,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
 github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
+github.com/tetratelabs/wazero v1.6.0 h1:z0H1iikCdP8t+q341xqepY4EWvHEw8Es7tlqiVzlP3g=
+github.com/tetratelabs/wazero v1.6.0/go.mod h1:0U0G41+ochRKoPKCJlh0jMg1CHkyfK8kDqiirMmKY8A=
 github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U=
 github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
@@ -652,9 +670,10 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13 h1:fVcFKWvrslecOb/tg+Cc05dkeYx540o0FuFt3nUVDoE=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
-github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
+github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 github.com/zclconf/go-cty v1.8.0 h1:s4AvqaeQzJIu3ndv4gVIhplVD0krU+bgrcLSVUnaWuA=
 github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -682,6 +701,7 @@ go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8
 go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY=
 go.opentelemetry.io/otel/trace v1.25.0 h1:tqukZGLwQYRIFtSQM2u2+yfMVTgGVeqRLPUYx1Dq6RM=
 go.opentelemetry.io/otel/trace v1.25.0/go.mod h1:hCCs70XM/ljO+BeQkyFnbK28SBIJ/Emuha+ccrCRT7I=
+go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
 go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -700,8 +720,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -712,8 +732,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 h1:aAcj0Da7eBAtrTp03QXWvm88pSyOt+UgdZw2BFZ+lEw=
-golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
+golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
 golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a h1:Jw5wfR+h9mnIYH+OtGT2im5wV1YGGDora5vTv/aa5bE=
 golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
@@ -739,8 +759,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
-golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -774,16 +794,16 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
-golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
+golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
+golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -796,8 +816,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190130150945-aca44879d564/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -829,6 +849,7 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -846,18 +867,18 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
-golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -865,12 +886,12 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -922,8 +943,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw=
-golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc=
+golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
+golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -950,8 +971,6 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -975,12 +994,16 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20220531173845-685668d2de03/go.mod h1:yKyY4AMRwFiC8yMMNaMi+RkCnjZJt9LoWuvhXjMs+To=
+google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ=
+google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro=
 google.golang.org/genproto/googleapis/api v0.0.0-20240325203815-454cdb8f5daa h1:Jt1XW5PaLXF1/ePZrznsh/aAUvI7Adfc3LY1dAKlzRs=
 google.golang.org/genproto/googleapis/api v0.0.0-20240325203815-454cdb8f5daa/go.mod h1:K4kfzHtI0kqWA79gecJarFtDn/Mls+GxQcg3Zox91Ac=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa h1:RBgMaUMP+6soRkik4VoN8ojR2nex2TqZwjSSogic+eo=
@@ -997,6 +1020,9 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
 google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
@@ -1011,6 +1037,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002 h1:V7Da7qt0MkY3noVANIMVBk28nOnijADeOR3i5Hcvpj4=
 google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
@@ -1022,6 +1050,7 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

hack/choria/initialize/README.md

@@ -1,5 +1,17 @@
 Initialize machine room provisioning credentials
 
+When you want the holos controller to provision while operating in the current
+working directory, run:
+
+ 1. `init-choria-provisioner-creds` to populate secrets in the Holos
+    Provisioner Cluster (not to be confused with the Choria Provisioner).
+ 2. `make-provisioning-jwt` to issue a `provisioning.jwt` file for `holos
+    controller` to use.
+ 3. `holos controller --config=agent.cfg` to read `provisioning.jwt` and write
+    the provisioned config file and credentials to the current directory.
+
+Expect the controller to provision.
+
 Setup Notes:
 
 The holos server flag `--provisioner-seed` must match the issuer.seed value.

hack/choria/initialize/init-choria-provisioner-creds

@@ -6,6 +6,9 @@ export PROVISIONER_TOKEN="$(LC_ALL=C tr -dc "[:alpha:]" </dev/random | tr '[:upp
 
 set -xeuo pipefail
 
+# Make sure gomplate is available
+gomplate --version
+
 PARENT="$(cd $(dirname "$0") && pwd)"
 TOPLEVEL="$(cd "${PARENT}" && git rev-parse --show-toplevel)"
 : "${NAMESPACE:=jeff-holos}"
@@ -33,7 +36,7 @@ echo -n "${PROVISIONER_TOKEN}" > ./provisioner/token
 # Provisioner signer
 choria jwt keys ./provisioner/signer.seed ./provisioner/signer.public
 choria jwt client ./provisioner/signer.jwt provisioner_signer ./issuer/issuer.seed \
-  --public-key "$(<provisioner/signer.public)" --server-provisioner --validity $((999*365))d --issuer
+  --public-key "$(<provisioner/signer.public)" --server-provisioner --validity $((100*365))d --issuer
 
 # Provisioner Secret
 mkdir -p provisioner/secret
@@ -57,5 +60,5 @@ choria jwt keys ./agents/signer.seed ./agents/signer.public
 # Now save the secrets
 holos create secret --append-hash=false --namespace $NAMESPACE choria-issuer --from-file=issuer
 holos create secret --append-hash=false --namespace $NAMESPACE choria-broker --from-file=broker
-holos create secret --append-hash=false --namespace $NAMESPACE choria-provisioner --from-file=provisioner
+holos create secret --append-hash=false --namespace $NAMESPACE choria-provisioner --from-file=provisioner/secret
 holos create secret --append-hash=false --namespace $NAMESPACE choria-agents --from-file=agents

hack/choria/initialize/make-provisioning-jwt

@@ -0,0 +1,50 @@
+#! /bin/bash
+#
+# Make a provisioner.jwt and put it in the current directory.
+#
+# Use the provisioner.jwt with `holos controller --config=controller.cfg` which
+# will read the jwt from the same directory as the config file.
+#
+# Refer to Arri's
+# [setup.sh](https://github.com/ripienaar/machine-room-mvp/blob/main/example/setup/setup.sh#L41)
+# And our own nites at https://github.com/holos-run/holos/issues/142
+
+PARENT="$(cd $(dirname "$0") && pwd)"
+OUTDIR="$(pwd)"
+
+: "${NAMESPACE:=jeff-holos}"
+
+tmpdir="$(mktemp -d)"
+finish() {
+  [[ -d "$tmpdir" ]] && rm -rvf "$tmpdir"
+}
+trap finish EXIT
+cd "$tmpdir"
+
+set -xeuo pipefail
+
+# e.g. jeff.provision.dev.k2.holos.run
+#
+kubectl -n $NAMESPACE get virtualservice choria-broker-wss -o json > vs.json
+jq --exit-status -r '.spec.hosts[0]' vs.json > host
+
+# Get the issuer.seed
+holos -n $NAMESPACE get secret choria-issuer --to-file issuer.seed
+
+# Get the provisioner token to embed in the provisioning.jwt file.
+holos -n $NAMESPACE get secret choria-provisioner --to-file token
+
+# The --token flag value must be the same value set in the token field of provisioner.yaml
+# Refer to https://github.com/ripienaar/machine-room-mvp/blob/main/example/setup/setup.sh#L41
+# Refer to https://github.com/ripienaar/machine-room-mvp/blob/main/example/setup/templates/provisioner/provisioner.yaml#L6
+choria jwt prov provisioning.jwt "issuer.seed" \
+  --token "$(<token)" \
+  --urls wss://$(<host):443 \
+  --default \
+  --protocol-v2 \
+  --insecure \
+  --update \
+  --validity 30d \
+  --extensions '{}'
+
+cp provisioning.jwt "${OUTDIR}/"

hack/choria/initialize/reset-choria-config

@@ -0,0 +1,23 @@
+#! /bin/bash
+#
+# This script resets the choria config for a Namespace
+
+PARENT="$(cd $(dirname "$0") && pwd)"
+: "${NAMESPACE:=jeff-holos}"
+export NAMESPACE
+
+set -xeuo pipefail
+
+KUBECONFIG=$HOME/.holos/kubeconfig.provisioner kubectl delete secret -n jeff-holos choria-agents choria-broker choria-provisioner choria-issuer
+
+"${PARENT}/init-choria-provisioner-creds"
+
+stamp="$(date)"
+
+kubectl -n $NAMESPACE annotate externalsecret choria-broker secret.holos.run/refresh="$stamp" --overwrite
+kubectl -n $NAMESPACE annotate externalsecret choria-provisioner secret.holos.run/refresh="$stamp" --overwrite
+
+kubectl -n $NAMESPACE wait --for='jsonpath={.status.conditions[?(@.type=="Ready")].status}=True' externalsecret choria-provisioner choria-broker
+
+kubectl -n $NAMESPACE rollout restart statefulset choria-broker
+kubectl -n $NAMESPACE rollout restart deployment choria-provisioner

hack/choria/initialize/templates/broker/broker.conf

@@ -6,11 +6,13 @@ plugin.choria.network.client_port = 4222
 plugin.choria.network.peer_port = 5222
 plugin.choria.network.system.user = system
 plugin.choria.network.system.password = system
-plugin.choria.network.peers = nats://broker-0.broker:5222,nats://broker-1.broker:5222,nats://broker-2.broker:5222
+plugin.choria.network.peers = nats://choria-broker-0.choria-broker:5222,nats://choria-broker-1.choria-broker:5222,nats://choria-broker-2.choria-broker:5222
 plugin.choria.use_srv = false
 plugin.choria.network.websocket_port = 4333
 
 plugin.security.provider = choria
+# NOTE: plugin.security.choria.ca must not be set or provisioning will fail
+# with a unhandled choria_provisioning purpose token error
 plugin.security.choria.certificate = /etc/choria-tls/tls.crt
 plugin.security.choria.key = /etc/choria-tls/tls.key
 plugin.security.choria.token_file = /etc/choria/broker.jwt

hack/choria/initialize/templates/provisioner/choria.cfg

@@ -4,4 +4,4 @@ plugin.security.choria.seed_file = /etc/provisioner/signer.seed
 
 identity = provisioner_signer
 
-plugin.choria.middleware_hosts = broker-0.broker:4222,broker-1.broker:4222,broker-2.broker:4222
+plugin.choria.middleware_hosts = choria-broker-0.choria-broker:4222,choria-broker-1.choria-broker:4222,choria-broker-2.choria-broker:4222

hack/choria/initialize/templates/provisioner/entrypoint

@@ -0,0 +1,9 @@
+#! /bin/bash
+#
+
+set -xeuo pipefail
+
+mkdir -p /home/choria/bin
+install -m 0755 /etc/provisioner/helper.rb /home/choria/bin/helper.rb
+
+exec /usr/sbin/choria-provisioner --config=/etc/provisioner/provisioner.yaml --choria-config=/etc/provisioner/choria.cfg

hack/choria/initialize/templates/provisioner/helper.rb

@@ -0,0 +1,134 @@
+#!/usr/bin/ruby
+
+require "json"
+require "yaml"
+require "base64"
+require "net/http"
+require "openssl"
+
+def parse_input
+  input = STDIN.read
+
+  begin
+    File.open("/tmp/request.json", "w") {|f| f.write(input)}
+  rescue Exception
+  end
+
+  request = JSON.parse(input)
+  request["inventory"] = JSON.parse(request["inventory"])
+
+  request
+end
+
+def validate!(request, reply)
+  if request["identity"] && request["identity"].length == 0
+    reply["msg"] = "No identity received in request"
+    reply["defer"] = true
+    return false
+  end
+
+  unless request["ed25519_pubkey"]
+    reply["msg"] = "No ed15519 public key received"
+    reply["defer"] = true
+    return false
+  end
+
+  unless request["ed25519_pubkey"]
+    reply["msg"] = "No ed15519 directory received"
+    reply["defer"] = true
+    return false
+  end
+
+  if request["ed25519_pubkey"]["directory"].length == 0
+    reply["msg"] = "No ed15519 directory received"
+    reply["defer"] = true
+    return false
+  end
+
+  true
+end
+
+def publish_reply(reply)
+  begin
+    File.open("/tmp/reply.json", "w") {|f| f.write(reply.to_json)}
+  rescue Exception
+  end
+
+  puts reply.to_json
+end
+
+def publish_reply!(reply)
+  publish_reply(reply)
+  exit
+end
+
+def set_config!(request, reply)
+  # stub data the helper will fetch from the saas
+  customers = {
+        "one" => {
+            :brokers => "nats://managed.example.net:9222", # whoever is the leader for this site
+            :site => "customer_one",
+            :source => {
+                :host => "nats://cust_one:s3cret@saas-nats.choria.local",
+            }
+        }
+    }
+
+
+  customer = request["jwt"]["extensions"]["customer"]
+  brokers = customers[customer][:brokers]
+  source = customers[customer][:source]
+
+  reply["configuration"].merge!(
+    "identity" => request["identity"],
+    "loglevel" => "warn",
+    "plugin.choria.server.provision" => "false",
+    "plugin.choria.middleware_hosts" => brokers,
+    "plugin.security.issuer.names" => "choria",
+    "plugin.security.issuer.choria.public" => "{{ .Env.ISSUER }}",
+    "plugin.security.provider" => "choria",
+    "plugin.security.choria.token_file" => File.join(request["ed25519_pubkey"]["directory"], "server.jwt"),
+    "plugin.security.choria.seed_file" => File.join(request["ed25519_pubkey"]["directory"], "server.seed"),
+    "machine_room.role" => "leader",
+    "machine_room.site" => customers[customer][:site],
+    "machine_room.source.host" => source[:host],
+  )
+
+  reply["server_claims"].merge!(
+    "exp" => 5*60*60*24*365,
+    "pub_subjects" => [">"],
+    "permissions" => {
+      "streams" => true,
+      "submission" => true,
+      "service_host" => true,
+    }
+  )
+end
+
+reply = {
+  "defer" => false,
+  "msg" => "",
+  "certificate" => "",
+  "ca" => "",
+  "configuration" => {},
+  "server_claims" => {}
+}
+
+begin
+  request = parse_input
+
+  reply["msg"] = "Validating"
+  unless validate!(request, reply)
+    publish_reply!(reply)
+  end
+
+  set_config!(request, reply)
+
+  reply["msg"] = "Done"
+  publish_reply!(reply)
+rescue SystemExit
+rescue Exception
+  reply["msg"] = "Unexpected failure during provisioning: %s: %s" % [$!.class, $!.to_s]
+  reply["defer"] = true
+  publish_reply!(reply)
+end

hack/choria/initialize/templates/provisioner/provisioner.yaml

@@ -2,7 +2,8 @@ workers: 4
 interval: 1m
 logfile: /dev/stdout
 loglevel: info
-helper: /app/.venv/bin/helper
+# The entrypoint script installs this helper script.
+helper: /home/choria/bin/helper.rb
 token: "{{ .Env.PROVISIONER_TOKEN }}"
 choria_insecure: false
 site: holos

hack/choria/initialize/templates/provisioner/token

@@ -0,0 +1 @@
+{{ .Env.PROVISIONER_TOKEN -}}

hack/setup/bare

@@ -0,0 +1,16 @@
+#! /bin/bash
+
+set -euo pipefail
+TOPLEVEL="$(cd $(dirname "$0") && git rev-parse --show-toplevel)"
+
+host="jeff.app.dev.k2.holos.run:443"
+
+read -p "Reset all data in $host? " choice
+case "$choice" in
+  y|Y) echo "proceeding...";;
+  *) exit 1;;
+esac
+
+
+grpcurl -H "x-oidc-id-token: $(holos token)" $host holos.v1alpha1.SystemService.DropTables
+grpcurl -H "x-oidc-id-token: $(holos token)" $host holos.v1alpha1.SystemService.SeedDatabase

hack/tilt/Dockerfile

@@ -3,5 +3,6 @@ USER root
 WORKDIR /app
 ADD bin bin
 RUN chown -R app: /app
-USER app
+# Kubernetes requires the user to be numeric
+USER 8192
 ENTRYPOINT bin/holos server

hack/tilt/k8s.yaml

@@ -101,15 +101,44 @@ spec:
   gateways:
     - istio-ingress/default
   hosts:
-    - '{developer}.holos.dev.k2.ois.run'
+    - '{developer}.app.dev.k2.holos.run'
   http:
-    - route:
+    - name: "coffee-ui"
+      match:
+      - uri:
+          prefix: "/ui"
+      route:
+      - destination:
+          host: coffee
+          port:
+            number: 4200
+    - name: "holos-api"
+      route:
         - destination:
             host: '{name}'
             port:
               number: {listen_port}
 ---
 apiVersion: v1
+kind: Service
+metadata:
+  name: coffee
+spec:
+  ports:
+  - protocol: TCP
+    port: 4200
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: coffee
+subsets:
+  - addresses:
+    - ip: 192.168.2.21
+    ports:
+    - port: 4200
+---
+apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: holos
@@ -120,117 +149,6 @@ metadata:
 imagePullSecrets:
   - name: kube-system-ecr-image-pull-creds
 ---
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-  name: '{name}-allow-groups'
-  namespace: '{namespace}'
-spec:
-  action: ALLOW
-  rules:
-    - when:
-        - key: request.auth.claims[groups]
-          values:
-            - holos-developer
-            - holos-developer@openinfrastructure.co
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: '{name}-allow-nothing'
-  namespace: '{namespace}'
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-spec:
-  action: ALLOW
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: '{name}-allow-well-known-paths'
-  namespace: '{namespace}'
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-spec:
-  action: ALLOW
-  rules:
-    - to:
-        - operation:
-            paths:
-              - /healthz
-              - /metrics
-              - /callbacks/github
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: '{name}-auth'
-  namespace: '{namespace}'
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-spec:
-  action: CUSTOM
-  provider:
-    name: dev-holos-sso
-  rules:
-    - to:
-        - operation:
-            notPaths:
-              - /healthz
-              - /metrics
-              - /callbacks/github
-      when:
-        - key: request.headers[Authorization]
-          notValues:
-            - Bearer *
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
-apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: '{name}'
-  namespace: '{namespace}'
-  labels:
-    app: '{name}'
-    holos.run/developer: '{developer}'
-spec:
-  jwtRules:
-    - audiences:
-        - https://sso.dev.holos.run
-      forwardOriginalToken: true
-      fromHeaders:
-        - name: x-auth-request-access-token
-      issuer: https://idex.core.ois.run
-      jwksUri: https://idex.core.ois.run/keys
-    - audiences:
-        - holos-cli
-      forwardOriginalToken: true
-      fromHeaders:
-        - name: authorization
-          prefix: 'Bearer '
-      issuer: https://idex.core.ois.run
-      jwksUri: https://idex.core.ois.run/keys
-  selector:
-    matchLabels:
-      holos.run/authz: dev-holos-sso
----
 apiVersion: postgres-operator.crunchydata.com/v1beta1
 kind: PGAdmin
 metadata:

holos.go

@@ -1,10 +1,10 @@
 // Package holos defines types for the rest of the system.
 package holos
 
-// A PathCueMod is a string representing the filesystem path of a cue module.
-// It is given a unique type so the API is clear.
+// A PathCueMod is a string representing the absolute filesystem path of a cue
+// module.  It is given a unique type so the API is clear.
 type PathCueMod string
 
-// A InstancePath is a string representing the filesystem path of a holos instance.
-// It is given a unique type so the API is clear.
+// A InstancePath is a string representing the absolute filesystem path of a
+// holos instance.  It is given a unique type so the API is clear.
 type InstancePath string

internal/api/core/v1alpha1/api.go

@@ -1,2 +0,0 @@
-// Package v1alpha1 is the unstable version of the core api.
-package v1alpha1

internal/builder/builder.go

@@ -0,0 +1,297 @@
+// Package builder is responsible for building fully rendered kubernetes api
+// objects from various input directories. A directory may contain a platform
+// spec or a component spec.
+package builder
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"cuelang.org/go/cue/build"
+	"cuelang.org/go/cue/cuecontext"
+	"cuelang.org/go/cue/load"
+	"github.com/holos-run/holos/api/core/v1alpha2"
+	"github.com/holos-run/holos/api/v1alpha1"
+
+	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/render"
+)
+
+const (
+	KubernetesObjects = v1alpha2.KubernetesObjectsKind
+	// Helm is the value of the kind field of holos build output indicating helm
+	// values and helm command information.
+	Helm = v1alpha2.HelmChartKind
+	// Skip is the value when the instance should be skipped
+	Skip = "Skip"
+	// KustomizeBuild is the value of the kind field of cue output indicating
+	// holos should process the component using kustomize build to render output.
+	KustomizeBuild = v1alpha1.KustomizeBuildKind
+)
+
+// An Option configures a Builder
+type Option func(*config)
+
+type config struct {
+	args    []string
+	cluster string
+}
+
+type Builder struct {
+	cfg config
+}
+
+// New returns a new *Builder configured by opts Option.
+func New(opts ...Option) *Builder {
+	var cfg config
+	for _, f := range opts {
+		f(&cfg)
+	}
+	b := &Builder{cfg: cfg}
+	return b
+}
+
+// Entrypoints configures the leaf directories Builder builds.
+func Entrypoints(args []string) Option {
+	return func(cfg *config) { cfg.args = args }
+}
+
+// Cluster configures the cluster name for the holos component instance.
+func Cluster(name string) Option {
+	return func(cfg *config) { cfg.cluster = name }
+}
+
+// Cluster returns the cluster name of the component instance being built.
+func (b *Builder) Cluster() string {
+	return b.cfg.cluster
+}
+
+// Instances returns the cue build instances being built.
+func (b *Builder) Instances(ctx context.Context, cfg *client.Config) ([]*build.Instance, error) {
+	log := logger.FromContext(ctx)
+
+	mod, err := b.findCueMod()
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	dir := string(mod)
+
+	cueConfig := load.Config{Dir: dir}
+
+	// Get the platform model from the PlatformConfig
+	pc, err := client.LoadPlatformConfig(ctx, dir)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	data, err := json.Marshal(pc)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+
+	// Refer to https://github.com/cue-lang/cue/blob/v0.7.0/cmd/cue/cmd/common.go#L429
+	cueConfig.Tags = append(cueConfig.Tags, "platform_config="+string(data))
+	if b.Cluster() != "" {
+		cueConfig.Tags = append(cueConfig.Tags, "cluster="+b.Cluster())
+	}
+	log.DebugContext(ctx, fmt.Sprintf("cue: tags %v", cueConfig.Tags))
+
+	prefix := []string{"cue", "export", "--out", "yaml"}
+	for _, tag := range cueConfig.Tags {
+		prefix = append(prefix, "-t", fmt.Sprintf("'%s'", tag))
+	}
+
+	// Make args relative to the module directory
+	args := make([]string, len(b.cfg.args))
+	for idx, path := range b.cfg.args {
+		target, err := filepath.Abs(path)
+		if err != nil {
+			return nil, errors.Wrap(fmt.Errorf("could not find absolute path: %w", err))
+		}
+		relPath, err := filepath.Rel(dir, target)
+		if err != nil {
+			return nil, errors.Wrap(fmt.Errorf("invalid argument, must be relative to cue.mod: %w", err))
+		}
+		relPath = "./" + relPath
+		args[idx] = relPath
+
+		equiv := make([]string, len(prefix), 1+len(prefix))
+		copy(equiv, prefix)
+		equiv = append(equiv, relPath)
+		log.Debug(strings.Join(equiv, " "), "comment", "cue equivalent command")
+	}
+
+	return load.Instances(args, &cueConfig), nil
+}
+
+func (b *Builder) Run(ctx context.Context, cfg *client.Config) (results []*render.Result, err error) {
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "cue: building instances")
+	instances, err := b.Instances(ctx, cfg)
+	if err != nil {
+		return nil, err
+	}
+	results = make([]*render.Result, 0, len(instances)*8)
+
+	// Each CUE instance provides a BuildPlan
+	for idx, instance := range instances {
+		log.DebugContext(ctx, "cue: building instance", "idx", idx, "dir", instance.Dir)
+		r, err := b.runInstance(ctx, instance)
+		if err != nil {
+			return nil, errors.Wrap(fmt.Errorf("could not run: %w", err))
+		}
+		results = append(results, r...)
+	}
+
+	return results, nil
+}
+
+func (b Builder) runInstance(ctx context.Context, instance *build.Instance) (results []*render.Result, err error) {
+	path := holos.InstancePath(instance.Dir)
+	log := logger.FromContext(ctx).With("dir", path)
+
+	if err := instance.Err; err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not load: %w", err))
+	}
+	cueCtx := cuecontext.New()
+	value := cueCtx.BuildInstance(instance)
+	if err := value.Err(); err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not build %s: %w", instance.Dir, err))
+	}
+	log.DebugContext(ctx, "cue: validating instance")
+	if err := value.Validate(); err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not validate: %w", err))
+	}
+
+	log.DebugContext(ctx, "cue: decoding holos build plan")
+	jsonBytes, err := value.MarshalJSON()
+	if err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not marshal cue instance %s: %w", instance.Dir, err))
+	}
+	decoder := json.NewDecoder(bytes.NewReader(jsonBytes))
+	// Discriminate the type of build plan.
+	tm := &v1alpha1.TypeMeta{}
+	err = decoder.Decode(tm)
+	if err != nil {
+		return nil, errors.Wrap(fmt.Errorf("invalid BuildPlan: %s: %w", instance.Dir, err))
+	}
+
+	log.DebugContext(ctx, "cue: discriminated build kind: "+tm.Kind, "kind", tm.Kind, "apiVersion", tm.APIVersion)
+
+	// New decoder for the full object
+	decoder = json.NewDecoder(bytes.NewReader(jsonBytes))
+
+	// TODO: When we release v1, explicitly allow unknown fields so we can add
+	// fields without needing to bump the major version.  Disallow until we reach
+	// v1 for clear error reporting.
+	decoder.DisallowUnknownFields()
+
+	switch tm.Kind {
+	case "BuildPlan":
+		var bp v1alpha2.BuildPlan
+		if err = decoder.Decode(&bp); err != nil {
+			err = errors.Wrap(fmt.Errorf("could not decode BuildPlan %s: %w", instance.Dir, err))
+			return
+		}
+		results, err = b.buildPlan(ctx, &bp, path)
+		if err != nil {
+			return results, err
+		}
+	default:
+		err = errors.Wrap(fmt.Errorf("unknown kind: %v", tm.Kind))
+	}
+
+	return results, err
+}
+
+func (b *Builder) buildPlan(ctx context.Context, buildPlan *v1alpha2.BuildPlan, path holos.InstancePath) (results []*render.Result, err error) {
+	log := logger.FromContext(ctx)
+
+	if err := buildPlan.Validate(); err != nil {
+		log.WarnContext(ctx, "could not validate", "skipped", true, "err", err)
+		return nil, errors.Wrap(fmt.Errorf("could not validate %w", err))
+	}
+
+	if buildPlan.Spec.Disabled {
+		log.DebugContext(ctx, "skipped: spec.disabled is true", "skipped", true)
+		return
+	}
+
+	results = make([]*render.Result, 0, buildPlan.ResultCapacity())
+	log.DebugContext(ctx, "allocated results slice", "cap", buildPlan.ResultCapacity())
+
+	for _, component := range buildPlan.Spec.Components.Resources {
+		ko := render.KubernetesObjects{Component: component}
+		if result, err := ko.Render(ctx, path); err != nil {
+			return nil, errors.Wrap(fmt.Errorf("could not render: %w", err))
+		} else {
+			results = append(results, result)
+		}
+	}
+
+	for _, component := range buildPlan.Spec.Components.KubernetesObjectsList {
+		ko := render.KubernetesObjects{Component: component}
+		if result, err := ko.Render(ctx, path); err != nil {
+			return nil, errors.Wrap(fmt.Errorf("could not render: %w", err))
+		} else {
+			results = append(results, result)
+		}
+	}
+	for _, component := range buildPlan.Spec.Components.HelmChartList {
+		hc := render.HelmChart{Component: component}
+		if result, err := hc.Render(ctx, path); err != nil {
+			return nil, errors.Wrap(fmt.Errorf("could not render: %w", err))
+		} else {
+			results = append(results, result)
+		}
+	}
+	for _, component := range buildPlan.Spec.Components.KustomizeBuildList {
+		kb := render.KustomizeBuild{Component: component}
+		if result, err := kb.Render(ctx, path); err != nil {
+			return nil, errors.Wrap(fmt.Errorf("could not render: %w", err))
+		} else {
+			results = append(results, result)
+		}
+	}
+
+	log.DebugContext(ctx, "returning results", "len", len(results))
+
+	return results, nil
+}
+
+// findCueMod returns the root module location containing the cue.mod file or
+// directory or an error if the builder arguments do not share a common root
+// module.
+func (b *Builder) findCueMod() (dir holos.PathCueMod, err error) {
+	for _, origPath := range b.cfg.args {
+		absPath, err := filepath.Abs(origPath)
+		if err != nil {
+			return "", err
+		}
+		path := holos.PathCueMod(absPath)
+		for {
+			if _, err := os.Stat(filepath.Join(string(path), "cue.mod")); err == nil {
+				if dir != "" && dir != path {
+					return "", fmt.Errorf("multiple modules not supported: %v is not %v", dir, path)
+				}
+				dir = path
+				break
+			} else if !os.IsNotExist(err) {
+				return "", err
+			}
+			parentPath := holos.PathCueMod(filepath.Dir(string(path)))
+			if parentPath == path {
+				return "", fmt.Errorf("no cue.mod from root to leaf: %v", origPath)
+			}
+			path = parentPath
+		}
+	}
+	return dir, nil
+}

internal/builder/platform.go

@@ -0,0 +1,92 @@
+package builder
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"cuelang.org/go/cue/build"
+	"cuelang.org/go/cue/cuecontext"
+	"github.com/holos-run/holos"
+	core "github.com/holos-run/holos/api/core/v1alpha2"
+	meta "github.com/holos-run/holos/api/meta/v1alpha2"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+)
+
+// Platform builds a platform
+func (b *Builder) Platform(ctx context.Context, cfg *client.Config) (*core.Platform, error) {
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "cue: building platform instance")
+	instances, err := b.Instances(ctx, cfg)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+
+	if len(instances) != 1 {
+		return nil, errors.Wrap(errors.New(fmt.Sprintf("instances length %d must be exactly 1", len(instances))))
+	}
+
+	// We only process the first instance, assume the render platform subcommand enforces this.
+	instance := instances[0]
+	log.DebugContext(ctx, "cue: building instance", "dir", instance.Dir)
+	p, err := b.runPlatform(ctx, instance)
+	if err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not build platform: %w", err))
+	}
+	return p, nil
+}
+
+func (b Builder) runPlatform(ctx context.Context, instance *build.Instance) (*core.Platform, error) {
+	path := holos.InstancePath(instance.Dir)
+	log := logger.FromContext(ctx).With("dir", path)
+
+	if err := instance.Err; err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not load: %w", err))
+	}
+	cueCtx := cuecontext.New()
+	value := cueCtx.BuildInstance(instance)
+	if err := value.Err(); err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not build %s: %w", instance.Dir, err))
+	}
+	log.DebugContext(ctx, "cue: validating instance")
+	if err := value.Validate(); err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not validate: %w", err))
+	}
+
+	log.DebugContext(ctx, "cue: decoding holos platform")
+	jsonBytes, err := value.MarshalJSON()
+	if err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not marshal cue instance %s: %w", instance.Dir, err))
+	}
+
+	decoder := json.NewDecoder(bytes.NewReader(jsonBytes))
+	// Discriminate the type of build plan.
+	tm := &meta.TypeMeta{}
+	err = decoder.Decode(tm)
+	if err != nil {
+		return nil, errors.Wrap(fmt.Errorf("invalid platform: %s: %w", instance.Dir, err))
+	}
+
+	log.DebugContext(ctx, "cue: discriminated build kind: "+tm.GetKind(), "kind", tm.GetKind(), "apiVersion", tm.GetAPIVersion())
+
+	// New decoder for the full object
+	decoder = json.NewDecoder(bytes.NewReader(jsonBytes))
+	decoder.DisallowUnknownFields()
+
+	var pf core.Platform
+	switch tm.GetKind() {
+	case "Platform":
+		if err = decoder.Decode(&pf); err != nil {
+			err = errors.Wrap(fmt.Errorf("could not decode platform %s: %w", instance.Dir, err))
+			return nil, err
+		}
+		return &pf, nil
+	default:
+		err = errors.Wrap(fmt.Errorf("unknown kind: %v", tm.GetKind()))
+	}
+
+	return nil, err
+}

internal/cli/build/build.go

@@ -2,28 +2,35 @@ package build
 
 import (
 	"fmt"
+	"log/slog"
 	"strings"
 
+	"github.com/holos-run/holos/internal/builder"
 	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
 	"github.com/holos-run/holos/internal/errors"
 	"github.com/holos-run/holos/internal/holos"
-	"github.com/holos-run/holos/internal/internal/builder"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
 	"github.com/spf13/cobra"
 )
 
 // makeBuildRunFunc returns the internal implementation of the build cli command
-func makeBuildRunFunc(cfg *holos.Config) command.RunFunc {
+func makeBuildRunFunc(cfg *client.Config) command.RunFunc {
 	return func(cmd *cobra.Command, args []string) error {
-		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
-		results, err := build.Run(cmd.Context())
+		ctx := cmd.Root().Context()
+		logger.FromContext(ctx).DebugContext(ctx, "RunE", "args", args)
+		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.Holos().ClusterName()))
+		results, err := build.Run(ctx, cfg)
 		if err != nil {
 			return err
 		}
 		outs := make([]string, 0, len(results))
-		for _, result := range results {
-			if result.Skip {
+		for idx, result := range results {
+			if result.Continue() {
+				slog.Debug("skip result", "idx", idx, "result", result)
 				continue
 			}
+			slog.Debug("append result", "idx", idx, "result.kind", result.Kind)
 			outs = append(outs, result.AccumulatedOutput())
 		}
 		out := strings.Join(outs, "---\n")
@@ -39,7 +46,12 @@ func New(cfg *holos.Config) *cobra.Command {
 	cmd := command.New("build [directory...]")
 	cmd.Args = cobra.MinimumNArgs(1)
 	cmd.Short = "build kubernetes api objects from a directory"
-	cmd.RunE = makeBuildRunFunc(cfg)
+
 	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	cmd.RunE = makeBuildRunFunc(config)
 	return cmd
 }

internal/cli/command/cmd.go

@@ -1,9 +1,6 @@
 package command
 
 import (
-	"fmt"
-
-	"github.com/holos-run/holos/internal/errors"
 	"github.com/holos-run/holos/version"
 	"github.com/spf13/cobra"
 )
@@ -20,9 +17,6 @@ func New(name string) *cobra.Command {
 		CompletionOptions: cobra.CompletionOptions{
 			HiddenDefaultCmd: true,
 		},
-		RunE: func(c *cobra.Command, args []string) error {
-			return errors.Wrap(fmt.Errorf("could not run %v: not implemented", c.Name()))
-		},
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}

internal/cli/create/create.go

@@ -3,21 +3,52 @@ package create
 import (
 	"github.com/holos-run/holos/internal/cli/command"
 	"github.com/holos-run/holos/internal/cli/secret"
+	"github.com/holos-run/holos/internal/client"
 	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
 	"github.com/spf13/cobra"
 )
 
 // New returns the create command for the cli
-func New(hc *holos.Config) *cobra.Command {
+func New(cfg *holos.Config) *cobra.Command {
 	cmd := command.New("create")
 	cmd.Short = "create resources"
 	cmd.Flags().SortFlags = false
 	cmd.RunE = func(c *cobra.Command, args []string) error {
 		return c.Usage()
 	}
+
+	// api client config
+	config := client.NewConfig(cfg)
+
 	// flags
 	cmd.PersistentFlags().SortFlags = false
 	// commands
-	cmd.AddCommand(secret.NewCreateCmd(hc))
+	cmd.AddCommand(secret.NewCreateCmd(cfg))
+	cmd.AddCommand(NewPlatform(config))
+	return cmd
+}
+
+func NewPlatform(cfg *client.Config) *cobra.Command {
+	cmd := command.New("platform")
+
+	cmd.Short = "create a platform"
+	cmd.Args = cobra.NoArgs
+
+	pm := client.PlatformMutation{}
+	cmd.Flags().AddGoFlagSet(pm.FlagSet())
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		client := client.New(cfg)
+		pf, err := client.CreatePlatform(ctx, pm)
+		if err != nil {
+			return err
+		}
+		log := logger.FromContext(ctx)
+		log.InfoContext(ctx, "created platform", "name", pf.GetName(), "id", pf.GetId(), "org", pf.GetOwner().GetOrgId())
+		return nil
+	}
+
 	return cmd
 }

internal/cli/generate/generate.go

@@ -0,0 +1,106 @@
+package generate
+
+import (
+	"fmt"
+	"log/slog"
+	"path/filepath"
+	"strings"
+
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/generate"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/spf13/cobra"
+)
+
+// New returns a new generate command.
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("generate")
+	cmd.Aliases = []string{"gen"}
+	cmd.Short = "generate local resources"
+	cmd.Args = cobra.NoArgs
+
+	cmd.AddCommand(NewPlatform(cfg))
+	cmd.AddCommand(NewComponent())
+
+	return cmd
+}
+
+func NewPlatform(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("platform")
+	cmd.Use = "platform [flags] PLATFORM"
+	cmd.Short = "generate a platform from an embedded schematic"
+	cmd.Long = fmt.Sprintf("Embedded platforms available to generate:\n\n  %s", strings.Join(generate.Platforms(), "\n  "))
+	cmd.Args = cobra.ExactArgs(1)
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		clientContext := holos.NewClientContext(ctx)
+		client := client.New(client.NewConfig(cfg))
+
+		for _, name := range args {
+			if err := generate.GeneratePlatform(ctx, client, clientContext.OrgID, name); err != nil {
+				return errors.Wrap(err)
+			}
+		}
+
+		return nil
+	}
+
+	return cmd
+}
+
+// NewComponent returns a command to generate a holos component
+func NewComponent() *cobra.Command {
+	cmd := command.New("component")
+	cmd.Short = "generate a component from an embedded schematic"
+
+	cmd.AddCommand(NewCueComponent())
+	cmd.AddCommand(NewHelmComponent())
+
+	return cmd
+}
+
+func NewHelmComponent() *cobra.Command {
+	cmd := command.New("helm")
+	cmd.Short = "generate a helm component from a schematic"
+
+	for _, name := range generate.HelmComponents() {
+		cmd.AddCommand(makeSchematicCommand("helm", name))
+	}
+
+	return cmd
+}
+
+func NewCueComponent() *cobra.Command {
+	cmd := command.New("cue")
+	cmd.Short = "generate a cue component from a schematic"
+
+	for _, name := range generate.CueComponents() {
+		cmd.AddCommand(makeSchematicCommand("cue", name))
+	}
+	return cmd
+}
+
+func makeSchematicCommand(kind, name string) *cobra.Command {
+	cmd := command.New(name)
+	cfg, err := generate.NewSchematic(filepath.Join("components", kind), name)
+	if err != nil {
+		slog.Error("could not get schematic", "err", err)
+		return nil
+	}
+	cmd.Short = cfg.Short
+	cmd.Long = cfg.Long
+	cmd.Args = cobra.NoArgs
+	cmd.Flags().AddGoFlagSet(cfg.FlagSet())
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		if err := generate.GenerateComponent(ctx, kind, name, cfg); err != nil {
+			return errors.Wrap(err)
+		}
+		return nil
+	}
+
+	return cmd
+}

internal/cli/login/login.go

@@ -15,6 +15,7 @@ import (
 // New returns a new login command.
 func New(cfg *holos.Config) *cobra.Command {
 	cmd := command.New("login")
+	cmd.Short = "log in by caching credentials"
 	var printClaims bool
 
 	config := token.NewConfig()

internal/cli/logout/logout.go

@@ -13,6 +13,7 @@ import (
 
 func New(cfg *holos.Config) *cobra.Command {
 	cmd := command.New("logout")
+	cmd.Short = "log out by deleting cached credentials"
 	cmd.RunE = func(c *cobra.Command, args []string) error {
 		if err := os.RemoveAll(token.CacheDir); err != nil {
 			return errors.Wrap(fmt.Errorf("could not logout: %w", err))

internal/cli/main.go

@@ -5,9 +5,11 @@ import (
 	"fmt"
 	"log/slog"
 
+	"connectrpc.com/connect"
 	cue "cuelang.org/go/cue/errors"
 	"github.com/holos-run/holos/internal/errors"
 	"github.com/holos-run/holos/internal/holos"
+	"google.golang.org/genproto/googleapis/rpc/errdetails"
 )
 
 // MakeMain makes a main function for the cli or tests.
@@ -25,7 +27,8 @@ func MakeMain(options ...holos.Option) func() int {
 
 // HandleError is the top level error handler that unwraps and logs errors.
 func HandleError(ctx context.Context, err error, hc *holos.Config) (exitCode int) {
-	log := hc.NewTopLevelLogger()
+	// Connect errors have codes, log them.
+	log := hc.NewTopLevelLogger().With("code", connect.CodeOf(err))
 	var cueErr cue.Error
 	var errAt *errors.ErrorAt
 	const msg = "could not execute"
@@ -39,5 +42,24 @@ func HandleError(ctx context.Context, err error, hc *holos.Config) (exitCode int
 		msg := cue.Details(cueErr, nil)
 		_, _ = fmt.Fprint(hc.Stderr(), msg)
 	}
+	// connect errors have details and codes.
+	// Refer to https://connectrpc.com/docs/go/errors
+	if connectErr := new(connect.Error); errors.As(err, &connectErr) {
+		for _, detail := range connectErr.Details() {
+			msg, valueErr := detail.Value()
+			if valueErr != nil {
+				log.WarnContext(ctx, "could not decode error detail", "err", err, "type", detail.Type(), "note", "this usually means we don't have the schema for the protobuf message type")
+				continue
+			}
+			if info, ok := msg.(*errdetails.ErrorInfo); ok {
+				logDetail := log.With("reason", info.GetReason(), "domain", info.GetDomain())
+				for k, v := range info.GetMetadata() {
+					logDetail = logDetail.With(k, v)
+				}
+				logDetail.ErrorContext(ctx, info.String())
+			}
+		}
+	}
+
 	return 1
 }

internal/cli/pull/pull.go

@@ -0,0 +1,82 @@
+// Package pull pulls resources from the PlatformService and caches them in the
+// local filesystem.
+package pull
+
+import (
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+	object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
+	"github.com/spf13/cobra"
+)
+
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("pull")
+	cmd.Short = "pull resources from holos server"
+	cmd.Args = cobra.NoArgs
+
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	cmd.AddCommand(NewPlatform(config))
+
+	return cmd
+}
+
+func NewPlatform(cfg *client.Config) *cobra.Command {
+	cmd := command.New("platform")
+
+	cmd.Short = "pull platform resources"
+	cmd.Args = cobra.NoArgs
+
+	cmd.AddCommand(NewPlatformConfig(cfg))
+
+	return cmd
+}
+
+func NewPlatformConfig(cfg *client.Config) *cobra.Command {
+	cmd := command.New("model")
+	cmd.Aliases = []string{"config"}
+	cmd.Short = "pull platform model"
+	cmd.Args = cobra.MinimumNArgs(1)
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		if ctx == nil {
+			return errors.Wrap(errors.New("cannot execute: no context"))
+		}
+		ctx = logger.NewContext(ctx, logger.FromContext(ctx).With("server", cfg.Client().Server()))
+		rpc := client.New(cfg)
+		for _, name := range args {
+			// Get the platform metadata for the platform id.
+			pmd, err := client.LoadPlatform(ctx, name)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			log := logger.FromContext(ctx).With("platform_id", pmd.GetId())
+			// Get the platform model
+			model, err := rpc.PlatformModel(ctx, pmd.GetId())
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			log.Info("pulled platform model")
+			// Build the PlatformConfig
+			pc := &object.PlatformConfig{
+				PlatformId:    pmd.GetId(),
+				PlatformModel: model,
+			}
+			// Save the PlatformConfig
+			path, err := client.SavePlatformConfig(ctx, name, pc)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			log.Info("saved platform config", "path", path)
+		}
+		return nil
+	}
+
+	return cmd
+}

internal/cli/push/push.go

@@ -0,0 +1,107 @@
+// Package push pushes resources to the holos api server.
+package push
+
+import (
+	"fmt"
+	"log/slog"
+
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/push"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+	"github.com/spf13/cobra"
+)
+
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("push")
+	cmd.Short = "push resources to holos server"
+	cmd.Args = cobra.NoArgs
+
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	cmd.AddCommand(NewPlatform(config))
+
+	return cmd
+}
+
+func NewPlatform(cfg *client.Config) *cobra.Command {
+	cmd := command.New("platform")
+
+	cmd.Short = "push platform resources to holos server"
+	cmd.Args = cobra.NoArgs
+
+	cmd.AddCommand(NewPlatformForm(cfg))
+	cmd.AddCommand(NewPlatformModel(cfg))
+
+	return cmd
+}
+
+func NewPlatformForm(cfg *client.Config) *cobra.Command {
+	cmd := command.New("form")
+	cmd.Short = "push platform form to holos server"
+	cmd.Args = cobra.MinimumNArgs(1)
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		if ctx == nil {
+			return errors.Wrap(errors.New("cannot execute: no context"))
+		}
+		ctx = logger.NewContext(ctx, logger.FromContext(ctx).With("server", cfg.Client().Server()))
+		rpc := client.New(cfg)
+		for _, name := range args {
+			// Get the platform metadata for the platform id.
+			p, err := client.LoadPlatform(ctx, name)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			// Build the form from the cue code.
+			form, err := push.PlatformForm(ctx, name)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			// Make the rpc call to update the platform form.
+			if err := rpc.UpdateForm(ctx, p.GetId(), form); err != nil {
+				return errors.Wrap(err)
+			}
+			slog.Default().InfoContext(ctx, fmt.Sprintf("pushed: %s/ui/platform/%s", cfg.Client().Server(), p.GetId()))
+		}
+		return nil
+	}
+
+	return cmd
+}
+
+func NewPlatformModel(cfg *client.Config) *cobra.Command {
+	cmd := command.New("model")
+	cmd.Short = "push platform model to holos server"
+	cmd.Args = cobra.MinimumNArgs(1)
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		if ctx == nil {
+			return errors.Wrap(errors.New("cannot execute: no context"))
+		}
+		ctx = logger.NewContext(ctx, logger.FromContext(ctx).With("server", cfg.Client().Server()))
+		rpc := client.New(cfg)
+		for _, name := range args {
+			// Get the platform config for the platform id.
+			p, err := client.LoadPlatformConfig(ctx, name)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+
+			// Make the rpc call to update the platform form.
+			if err := rpc.UpdatePlatformModel(ctx, p.PlatformId, p.PlatformModel); err != nil {
+				return errors.Wrap(err)
+			}
+			slog.Default().InfoContext(ctx, fmt.Sprintf("pushed: %s/ui/platform/%s", cfg.Client().Server(), p.PlatformId))
+		}
+		return nil
+	}
+
+	return cmd
+}

internal/cli/register/register.go

@@ -0,0 +1,36 @@
+// Package register provides user registration via the command line.
+package register
+
+import (
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/register"
+	"github.com/spf13/cobra"
+)
+
+// New returns a new register command.
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("register")
+	cmd.Short = "register with holos server"
+	cmd.Args = cobra.NoArgs
+
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	cmd.AddCommand(NewUser(config))
+
+	return cmd
+}
+
+// NewUser returns a command to register a user with holos server.
+func NewUser(cfg *client.Config) *cobra.Command {
+	cmd := command.New("user")
+	cmd.Short = "user registration workflow"
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		return register.User(ctx, cfg)
+	}
+	return cmd
+}

internal/cli/render/render.go

@@ -1,60 +1,137 @@
 package render
 
 import (
+	"context"
+	"flag"
 	"fmt"
+	"runtime"
 
+	"github.com/holos-run/holos/internal/builder"
 	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
 	"github.com/holos-run/holos/internal/errors"
 	"github.com/holos-run/holos/internal/holos"
-	"github.com/holos-run/holos/internal/internal/builder"
 	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/render"
 	"github.com/spf13/cobra"
 )
 
-func makeRenderRunFunc(cfg *holos.Config) command.RunFunc {
-	return func(cmd *cobra.Command, args []string) error {
-		if cfg.ClusterName() == "" {
-			return errors.Wrap(fmt.Errorf("missing cluster name"))
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("render")
+	cmd.Args = cobra.NoArgs
+	cmd.Short = "render platform configuration"
+	cmd.AddCommand(NewComponent(cfg))
+	cmd.AddCommand(NewPlatform(cfg))
+	return cmd
+}
+
+// New returns the component subcommand for the render command
+func NewComponent(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("component [directory...]")
+	cmd.Args = cobra.MinimumNArgs(1)
+	cmd.Short = "write kubernetes api objects to the filesystem"
+	cmd.Flags().AddGoFlagSet(cfg.WriteFlagSet())
+	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	var printInstances bool
+	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	flagSet.BoolVar(&printInstances, "print-instances", false, "expand /... paths for xargs")
+	cmd.Flags().AddGoFlagSet(flagSet)
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
+
+		if printInstances {
+			instances, err := build.Instances(ctx, config)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			for _, instance := range instances {
+				fmt.Fprintln(cmd.OutOrStdout(), instance.Dir)
+			}
+			return nil
 		}
 
-		ctx := cmd.Context()
-		log := logger.FromContext(ctx).With("cluster", cfg.ClusterName())
-		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
-		results, err := build.Run(cmd.Context())
+		results, err := build.Run(ctx, config)
 		if err != nil {
 			return errors.Wrap(err)
 		}
-		// TODO: Avoid accidental over-writes if to holos component instances result in
-		// the same file path. Write files into a blank temporary directory, error if a
-		// file exists, then move the directory into place.
-		for _, result := range results {
-			if result.Skip {
+		// TODO: Avoid accidental over-writes if two or more holos component
+		// instances result in the same file path. Write files into a blank
+		// temporary directory, error if a file exists, then move the directory into
+		// place.
+		var result Result
+		for _, result = range results {
+			log := logger.FromContext(ctx).With(
+				"cluster", cfg.ClusterName(),
+				"name", result.Name(),
+			)
+			if result.Continue() {
 				continue
 			}
+			// DeployFiles from the BuildPlan
+			if err := result.WriteDeployFiles(ctx, cfg.WriteTo()); err != nil {
+				return errors.Wrap(err)
+			}
+
 			// API Objects
-			path := result.Filename(cfg.WriteTo(), cfg.ClusterName())
-			if err := result.Save(ctx, path, result.AccumulatedOutput()); err != nil {
-				return errors.Wrap(err)
+			if result.SkipWriteAccumulatedOutput() {
+				log.DebugContext(ctx, "skipped writing k8s objects for "+result.Name())
+			} else {
+				path := result.Filename(cfg.WriteTo(), cfg.ClusterName())
+				if err := result.Save(ctx, path, result.AccumulatedOutput()); err != nil {
+					return errors.Wrap(err)
+				}
 			}
-			// Kustomization
-			path = result.KustomizationFilename(cfg.WriteTo(), cfg.ClusterName())
-			if err := result.Save(ctx, path, result.KsContent); err != nil {
-				return errors.Wrap(err)
-			}
-			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "rendered", "name", result.Name())
+
+			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "rendered")
 		}
 		return nil
 	}
-}
-
-// New returns the render subcommand for the root command
-func New(cfg *holos.Config) *cobra.Command {
-	cmd := command.New("render [directory...]")
-	cmd.Args = cobra.MinimumNArgs(1)
-	cmd.Short = "write kubernetes api objects to the filesystem"
-	cmd.Flags().SortFlags = false
-	cmd.Flags().AddGoFlagSet(cfg.WriteFlagSet())
-	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
-	cmd.RunE = makeRenderRunFunc(cfg)
 	return cmd
 }
+
+func NewPlatform(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("platform [directory]")
+	cmd.Args = cobra.ExactArgs(1)
+	cmd.Short = "render all platform components"
+
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	var concurrency int
+	cmd.Flags().IntVar(&concurrency, "concurrency", min(runtime.NumCPU(), 8), "Number of concurrent components to render")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		build := builder.New(builder.Entrypoints(args))
+
+		platform, err := build.Platform(ctx, config)
+		if err != nil {
+			return errors.Wrap(err)
+		}
+
+		return render.Platform(ctx, concurrency, platform, cmd.ErrOrStderr())
+	}
+
+	return cmd
+}
+
+type Result interface {
+	Continue() bool
+	Name() string
+	Filename(writeTo string, cluster string) string
+	KustomizationFilename(writeTo string, cluster string) string
+	Save(ctx context.Context, path string, content string) error
+	AccumulatedOutput() string
+	SkipWriteAccumulatedOutput() bool
+	WriteDeployFiles(ctx context.Context, writeTo string) error
+	GetKind() string
+	GetAPIVersion() string
+}

internal/cli/root.go

@@ -1,25 +1,34 @@
 package cli
 
 import (
+	"fmt"
 	"log/slog"
 
 	"github.com/spf13/cobra"
 
+	"github.com/holos-run/holos/version"
+
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/logger"
 	"github.com/holos-run/holos/internal/server"
 
 	"github.com/holos-run/holos/internal/cli/build"
+	"github.com/holos-run/holos/internal/cli/command"
 	"github.com/holos-run/holos/internal/cli/controller"
 	"github.com/holos-run/holos/internal/cli/create"
+	"github.com/holos-run/holos/internal/cli/generate"
 	"github.com/holos-run/holos/internal/cli/get"
 	"github.com/holos-run/holos/internal/cli/kv"
 	"github.com/holos-run/holos/internal/cli/login"
 	"github.com/holos-run/holos/internal/cli/logout"
 	"github.com/holos-run/holos/internal/cli/preflight"
+	"github.com/holos-run/holos/internal/cli/pull"
+	"github.com/holos-run/holos/internal/cli/push"
+	"github.com/holos-run/holos/internal/cli/register"
 	"github.com/holos-run/holos/internal/cli/render"
+	"github.com/holos-run/holos/internal/cli/rpc"
+	"github.com/holos-run/holos/internal/cli/token"
 	"github.com/holos-run/holos/internal/cli/txtar"
-	"github.com/holos-run/holos/internal/holos"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/version"
 )
 
 // New returns a new root *cobra.Command for command line execution.
@@ -27,7 +36,7 @@ func New(cfg *holos.Config) *cobra.Command {
 	rootCmd := &cobra.Command{
 		Use:     "holos",
 		Short:   "holos manages a holistic integrated software development platform",
-		Version: version.Version,
+		Version: version.GetVersion(),
 		Args:    cobra.NoArgs,
 		CompletionOptions: cobra.CompletionOptions{
 			HiddenDefaultCmd: true, // Don't complete the complete subcommand itself
@@ -39,7 +48,7 @@ func New(cfg *holos.Config) *cobra.Command {
 				return err
 			}
 			log := cfg.Logger()
-			c.SetContext(logger.NewContext(c.Context(), log))
+			c.Root().SetContext(logger.NewContext(c.Context(), log))
 			// Set the default logger after flag parsing.
 			slog.SetDefault(log)
 			return nil
@@ -61,6 +70,13 @@ func New(cfg *holos.Config) *cobra.Command {
 	rootCmd.AddCommand(preflight.New(cfg))
 	rootCmd.AddCommand(login.New(cfg))
 	rootCmd.AddCommand(logout.New(cfg))
+	rootCmd.AddCommand(token.New(cfg))
+	rootCmd.AddCommand(rpc.New(cfg))
+	rootCmd.AddCommand(generate.New(cfg))
+	rootCmd.AddCommand(register.New(cfg))
+	rootCmd.AddCommand(pull.New(cfg))
+	rootCmd.AddCommand(push.New(cfg))
+	rootCmd.AddCommand(newOrgCmd())
 
 	// Maybe not needed?
 	rootCmd.AddCommand(txtar.New(cfg))
@@ -76,3 +92,15 @@ func New(cfg *holos.Config) *cobra.Command {
 
 	return rootCmd
 }
+
+func newOrgCmd() (cmd *cobra.Command) {
+	cmd = command.New("orgid")
+	cmd.Short = "print the current context org id."
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		cc := holos.NewClientContext(ctx)
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), cc.OrgID)
+		return err
+	}
+	return cmd
+}

internal/cli/rpc/rpc.go

@@ -0,0 +1,70 @@
+package rpc
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"connectrpc.com/connect"
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+	"github.com/holos-run/holos/internal/token"
+	platform "github.com/holos-run/holos/service/gen/holos/platform/v1alpha1"
+	"github.com/holos-run/holos/service/gen/holos/platform/v1alpha1/platformconnect"
+	"github.com/spf13/cobra"
+)
+
+// Remove these
+const BarePlatformID = "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94"
+
+type Config struct {
+	holos  *holos.Config
+	client *holos.ClientConfig
+	token  *token.Config
+}
+
+// New returns a new rpc command.
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("rpc")
+	cmd.Short = "remote procedure calls"
+
+	config := &Config{
+		holos:  cfg,
+		client: holos.NewClientConfig(),
+		token:  token.NewConfig(),
+	}
+
+	cmd.PersistentFlags().AddGoFlagSet(config.client.FlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.token.FlagSet())
+	cmd.AddCommand(NewPlatformModel(config))
+	return cmd
+}
+
+func NewPlatformModel(cfg *Config) *cobra.Command {
+	cmd := command.New("platform-model")
+	cmd.Short = "get the platform model"
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		log := logger.FromContext(ctx)
+		// client := platformconnect.NewPlatformServiceClient(token.NewClient(cfg.token), cfg.client.Server())
+		client := platformconnect.NewPlatformServiceClient(token.NewClient(cfg.token), cfg.client.Server())
+		// JEFFTODO - FieldMask
+		log.WarnContext(ctx, "JEFFTODO use the fieldmask to get only the model")
+		req := connect.NewRequest(&platform.GetPlatformRequest{PlatformId: BarePlatformID})
+		res, err := client.GetPlatform(ctx, req)
+		if err != nil {
+			return errors.Wrap(fmt.Errorf("could not get platform: %w", err))
+		}
+		if res == nil || res.Msg == nil || res.Msg.Platform == nil || res.Msg.Platform.Spec == nil {
+			return errors.Wrap(fmt.Errorf("response missing platform spec:\n\thave: (%+v)\n\twant: (response message platform.spec)", res))
+		}
+		encoder := json.NewEncoder(cmd.OutOrStdout())
+		encoder.SetIndent("", "  ")
+		if err := encoder.Encode(res.Msg.Platform.Spec.Model); err != nil {
+			return errors.Wrap(fmt.Errorf("could not encode json: %w", err))
+		}
+		return err
+	}
+	return cmd
+}

internal/cli/secret/testdata/create_secret_no_hash.txt

@@ -1,7 +0,0 @@
-# Want no hash appended
-holos create secret test --namespace holos-system --from-file $WORK/test --append-hash=false
-stderr ' created: test '
-stderr ' secret=test '
-
--- test --
-sekret

internal/cli/token/token.go

@@ -0,0 +1,44 @@
+package token
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log/slog"
+
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/token"
+	"github.com/spf13/cobra"
+)
+
+// New returns a new login command.
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("token")
+	cmd.Short = "write id token to stdout"
+	cmd.Long = "Useful with curl / grpcurl -H $(holos token)"
+
+	config := token.NewConfig()
+	cmd.Flags().AddGoFlagSet(config.FlagSet())
+
+	fs := &flag.FlagSet{}
+	cmd.Flags().AddGoFlagSet(fs)
+
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		ctx := c.Context()
+		if ctx == nil {
+			ctx = context.Background()
+		}
+		token, err := token.Get(ctx, cfg.Logger(), config)
+		if err != nil {
+			slog.Error("could not get token", "err", err)
+			return fmt.Errorf("could not get token: %w", err)
+		}
+
+		fmt.Fprintf(cmd.OutOrStdout(), token.Bearer)
+
+		return nil
+	}
+
+	return cmd
+}

internal/client/client.go

@@ -0,0 +1,143 @@
+// Package client provides configuration and convenience methods for making API calls to the holos server.
+package client
+
+import (
+	"context"
+	"flag"
+	"time"
+
+	"connectrpc.com/connect"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+	"github.com/holos-run/holos/internal/token"
+	object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
+	"github.com/holos-run/holos/service/gen/holos/organization/v1alpha1/organizationconnect"
+	platform "github.com/holos-run/holos/service/gen/holos/platform/v1alpha1"
+	"github.com/holos-run/holos/service/gen/holos/platform/v1alpha1/platformconnect"
+	"github.com/holos-run/holos/service/gen/holos/user/v1alpha1/userconnect"
+	"google.golang.org/protobuf/types/known/fieldmaskpb"
+	"google.golang.org/protobuf/types/known/structpb"
+)
+
+type PlatformMutation struct {
+	Name        string
+	DisplayName string
+	flagSet     *flag.FlagSet
+}
+
+func (pm *PlatformMutation) FlagSet() *flag.FlagSet {
+	if pm == nil {
+		return nil
+	}
+	if pm.flagSet != nil {
+		return pm.flagSet
+	}
+	fs := flag.NewFlagSet("", flag.ContinueOnError)
+	fs.StringVar(&pm.Name, "name", "example", "platform name")
+	fs.StringVar(&pm.DisplayName, "display-name", "Example Platform", "platform display name")
+	pm.flagSet = fs
+	return fs
+}
+
+func New(cfg *Config) *Client {
+	t := token.NewClient(cfg.Token())
+	s := cfg.Client().Server()
+	return &Client{
+		cfg:    cfg,
+		usrSvc: userconnect.NewUserServiceClient(t, s),
+		orgSvc: organizationconnect.NewOrganizationServiceClient(t, s),
+		pltSvc: platformconnect.NewPlatformServiceClient(t, s),
+	}
+}
+
+// Client provides convenience methods for making API calls to the holos server.
+type Client struct {
+	cfg    *Config
+	usrSvc userconnect.UserServiceClient
+	pltSvc platformconnect.PlatformServiceClient
+	orgSvc organizationconnect.OrganizationServiceClient
+}
+
+func (c *Client) Platforms(ctx context.Context, orgID string) ([]*platform.Platform, error) {
+	if c == nil {
+		return nil, errors.New("no service client")
+	}
+	req := &platform.ListPlatformsRequest{
+		OrgId: orgID,
+		FieldMask: &fieldmaskpb.FieldMask{
+			Paths: []string{"id", "name", "displayName"},
+		},
+	}
+	resp, err := c.pltSvc.ListPlatforms(ctx, connect.NewRequest(req))
+	if err != nil {
+		return nil, err
+	}
+	return resp.Msg.GetPlatforms(), nil
+}
+
+func (c *Client) UpdateForm(ctx context.Context, platformID string, form *object.Form) error {
+	start := time.Now()
+	req := &platform.UpdatePlatformRequest{
+		PlatformId: platformID,
+		Update:     &platform.PlatformMutation{Form: form},
+		UpdateMask: &fieldmaskpb.FieldMask{Paths: []string{"form"}},
+	}
+	_, err := c.pltSvc.UpdatePlatform(ctx, connect.NewRequest(req))
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "updated platform", "platform_id", platformID, "duration", time.Since(start))
+	return nil
+}
+
+func (c *Client) UpdatePlatformModel(ctx context.Context, platformID string, model *structpb.Struct) error {
+	start := time.Now()
+	req := &platform.UpdatePlatformRequest{
+		PlatformId: platformID,
+		Update:     &platform.PlatformMutation{Model: model},
+		UpdateMask: &fieldmaskpb.FieldMask{Paths: []string{"model"}},
+	}
+	_, err := c.pltSvc.UpdatePlatform(ctx, connect.NewRequest(req))
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "updated platform", "platform_id", platformID, "duration", time.Since(start))
+	return nil
+}
+
+// PlatformModel gets the platform model from the PlatformService.
+func (c *Client) PlatformModel(ctx context.Context, platformID string) (*structpb.Struct, error) {
+	start := time.Now()
+	req := &platform.GetPlatformRequest{
+		PlatformId: platformID,
+		FieldMask:  &fieldmaskpb.FieldMask{Paths: []string{"spec.model"}},
+	}
+	pf, err := c.pltSvc.GetPlatform(ctx, connect.NewRequest(req))
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "get platform", "platform_id", platformID, "duration", time.Since(start))
+	return pf.Msg.GetPlatform().GetSpec().GetModel(), nil
+}
+
+func (c *Client) CreatePlatform(ctx context.Context, pm PlatformMutation) (*platform.Platform, error) {
+	log := logger.FromContext(ctx).With("platform", pm.Name)
+	start := time.Now()
+	req := &platform.CreatePlatformRequest{
+		OrgId: c.cfg.context.OrgID,
+		Create: &platform.PlatformMutation{
+			Name:        &pm.Name,
+			DisplayName: &pm.DisplayName,
+		},
+	}
+	pf, err := c.pltSvc.CreatePlatform(ctx, connect.NewRequest(req))
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	log = log.With("platform_id", pf.Msg.GetPlatform().GetId())
+	log.DebugContext(ctx, "create platform", "duration", time.Since(start))
+	return pf.Msg.GetPlatform(), nil
+}

internal/client/config.go

@@ -0,0 +1,71 @@
+// Package client provides client configuration for the holos cli.
+package client
+
+import (
+	"context"
+	"flag"
+
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/token"
+)
+
+func NewConfig(cfg *holos.Config) *Config {
+	return &Config{
+		holos:   cfg,
+		client:  holos.NewClientConfig(),
+		context: holos.NewClientContext(context.Background()),
+		token:   token.NewConfig(),
+	}
+}
+
+type Config struct {
+	holos   *holos.Config
+	client  *holos.ClientConfig
+	context *holos.ClientContext
+	token   *token.Config
+}
+
+func (c *Config) ClientFlagSet() *flag.FlagSet {
+	if c == nil {
+		return nil
+	}
+	return c.client.FlagSet()
+}
+
+func (c *Config) TokenFlagSet() *flag.FlagSet {
+	if c == nil {
+		return nil
+	}
+	return c.token.FlagSet()
+}
+
+func (c *Config) Token() *token.Config {
+	if c == nil {
+		return nil
+	}
+	return c.token
+}
+
+func (c *Config) Client() *holos.ClientConfig {
+	if c == nil {
+		return nil
+	}
+	return c.client
+}
+
+// Context returns the ClientContext useful to get the OrgID and UserID for rpc
+// calls.
+func (c *Config) Context() *holos.ClientContext {
+	if c == nil {
+		return nil
+	}
+	return c.context
+}
+
+// Holos returns the *holos.Config
+func (c *Config) Holos() *holos.Config {
+	if c == nil {
+		return nil
+	}
+	return c.holos
+}

internal/client/platform.go

@@ -0,0 +1,69 @@
+package client
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+	object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
+	platform "github.com/holos-run/holos/service/gen/holos/platform/v1alpha1"
+	"google.golang.org/protobuf/encoding/protojson"
+)
+
+// PlatformMetadataFile is the platform metadata json file name located in the root
+// of a platform directory.
+const PlatformMetadataFile = "platform.metadata.json"
+
+// PlatformConfigFile is the marshaled json representation of the PlatformConfig
+// DTO used to cache the data holos passes from the PlatformService to CUE when
+// rendering platform components.
+const PlatformConfigFile = "platform.config.json"
+
+// LoadPlatform loads the platform.metadata.json file from a named path.  Useful
+// to obtain a platform id for PlatformService rpc methods.
+func LoadPlatform(ctx context.Context, name string) (*platform.Platform, error) {
+	data, err := os.ReadFile(filepath.Join(name, PlatformMetadataFile))
+	if err != nil {
+		return nil, fmt.Errorf("could not load platform metadata: %w", err)
+	}
+	p := &platform.Platform{}
+	if err := protojson.Unmarshal(data, p); err != nil {
+		return nil, fmt.Errorf("could not load platform metadata: %w", err)
+	}
+	return p, nil
+}
+
+// LoadPlatformConfig loads the PlatformConfig DTO from the platform.config.json
+// file.  Useful to provide all values necessary to render cue config without an
+// rpc to the HolosService.
+func LoadPlatformConfig(ctx context.Context, name string) (*object.PlatformConfig, error) {
+	data, err := os.ReadFile(filepath.Join(name, PlatformConfigFile))
+	if err != nil {
+		return nil, fmt.Errorf("could not load platform config: %w", err)
+	}
+	pc := &object.PlatformConfig{}
+	if err := protojson.Unmarshal(data, pc); err != nil {
+		return nil, fmt.Errorf("could not load platform config: %w", err)
+	}
+	return pc, nil
+}
+
+// SavePlatformConfig writes pc to the platform root directory path identified by name.
+func SavePlatformConfig(ctx context.Context, name string, pc *object.PlatformConfig) (string, error) {
+	encoder := protojson.MarshalOptions{Multiline: true}
+	data, err := encoder.Marshal(pc)
+	if err != nil {
+		return "", err
+	}
+	if len(data) > 0 {
+		data = append(data, '\n')
+	}
+	path := filepath.Join(name, PlatformConfigFile)
+	if err := os.WriteFile(path, data, 0644); err != nil {
+		return "", fmt.Errorf("could not write platform config: %w", err)
+	}
+	logger.FromContext(ctx).DebugContext(ctx, "wrote", "path", path)
+	return path, nil
+}