(#178) Update buf with make tools

Previously go releaser was failing because buf has been updated again.

.github/workflows/release.yaml

@@ -54,6 +54,9 @@ jobs:
       - name: List keys
         run: gpg -K
 
+      - name: Git diff
+        run: git diff
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:

.gitignore

@@ -6,3 +6,4 @@ coverage.out
 *.hold/
 /deploy/
 .vscode/
+tmp/

Makefile

@@ -16,10 +16,12 @@ $( shell mkdir -p bin)
 export PATH := $(PWD)/internal/frontend/holos/node_modules/.bin:$(PATH)
 
 GIT_COMMIT=$(shell git rev-parse HEAD)
+GIT_SUFFIX=$(shell test -n "`git status --porcelain`" && echo "-dirty" || echo "")
+GIT_DETAIL=$(shell git describe --tags HEAD)
 GIT_TREE_STATE=$(shell test -n "`git status --porcelain`" && echo "dirty" || echo "clean")
 BUILD_DATE=$(shell date -Iseconds)
 
-LD_FLAGS="-w -X ${ORG_PATH}/${PROJ}/version.GitCommit=${GIT_COMMIT} -X ${ORG_PATH}/${PROJ}/version.GitTreeState=${GIT_TREE_STATE} -X ${ORG_PATH}/${PROJ}/version.BuildDate=${BUILD_DATE}"
+LD_FLAGS="-w -X ${ORG_PATH}/${PROJ}/version.GitDescribe=${GIT_DETAIL}${GIT_SUFFIX} -X ${ORG_PATH}/${PROJ}/version.GitCommit=${GIT_COMMIT} -X ${ORG_PATH}/${PROJ}/version.GitTreeState=${GIT_TREE_STATE} -X ${ORG_PATH}/${PROJ}/version.BuildDate=${BUILD_DATE}"
 
 .PHONY: default
 default: test
@@ -61,7 +63,7 @@ vet: ## Vet Go code.
 
 .PHONY: gencue
 gencue: ## Generate CUE definitions
-	cd docs/examples && cue get go github.com/holos-run/holos/api/...
+	cd internal/generate/platforms && cue get go github.com/holos-run/holos/api/v1alpha1/...
 
 .PHONY: rmgen
 rmgen: ## Remove generated code
@@ -76,7 +78,7 @@ rmgen: ## Remove generated code
 regenerate: generate ## Re-generate code (delete and re-create)
 
 .PHONY: generate
-generate: buf ## Generate code.
+generate: buf gencue ## Generate code.
 	go generate ./...
 
 .PHONY: build
@@ -113,7 +115,7 @@ snapshot:  ## Go release snapshot
 
 .PHONY: buf
 buf: ## buf generate
-	cd service && buf mod update
+	cd service && buf dep update
 	buf generate
 
 .PHONY: tools

api/v1alpha1/buildplan.go

@@ -9,14 +9,17 @@ import (
 type BuildPlan struct {
 	TypeMeta `json:",inline" yaml:",inline"`
 	// Metadata represents the holos component name
-	Metadata ObjectMeta     `json:"metadata,omitempty" yaml:"metadata,omitempty"`
-	Spec     BuildPlanSpec  `json:"spec,omitempty" yaml:"spec,omitempty"`
-	Platform map[string]any `json:"platform,omitempty" yaml:"platform,omitempty"`
+	Metadata ObjectMeta    `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	Spec     BuildPlanSpec `json:"spec,omitempty" yaml:"spec,omitempty"`
 }
 
 type BuildPlanSpec struct {
 	Disabled   bool                `json:"disabled,omitempty" yaml:"disabled,omitempty"`
 	Components BuildPlanComponents `json:"components,omitempty" yaml:"components,omitempty"`
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
 }
 
 type BuildPlanComponents struct {

api/v1alpha1/component.go

@@ -20,3 +20,11 @@ type HolosComponent struct {
 func (hc *HolosComponent) NewResult() *Result {
 	return &Result{HolosComponent: *hc}
 }
+
+func (hc *HolosComponent) GetAPIVersion() string {
+	return hc.APIVersion
+}
+
+func (hc *HolosComponent) GetKind() string {
+	return hc.Kind
+}

api/v1alpha1/form.go

@@ -0,0 +1,13 @@
+package v1alpha1
+
+import object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
+
+// Form represents a collection of Formly json powered form.
+type Form struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	Spec     FormSpec `json:"spec" yaml:"spec"`
+}
+
+type FormSpec struct {
+	Form object.Form `json:"form" yaml:"form"`
+}

api/v1alpha1/platform.go

@@ -1,9 +1,32 @@
 package v1alpha1
 
-// Platform represents a platform to manage.  A Platform resource tells holos
-// which components to build.  The primary use case is to specify the cluster
-// names, cluster types, and holos components to build.
+import "google.golang.org/protobuf/types/known/structpb"
+
+// Platform represents a platform to manage.  A Platform resource informs holos
+// which components to build.  The platform resource also acts as a container
+// for the platform model form values provided by the PlatformService.  The
+// primary use case is to collect the cluster names, cluster types, platform
+// model, and holos components to build into one resource.
 type Platform struct {
 	TypeMeta `json:",inline" yaml:",inline"`
-	Metadata ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	Metadata ObjectMeta   `json:"metadata" yaml:"metadata"`
+	Spec     PlatformSpec `json:"spec" yaml:"spec"`
+}
+
+// PlatformSpec represents the platform build plan specification.
+type PlatformSpec struct {
+	// Model represents the platform model holos gets from from the
+	// holos.platform.v1alpha1.PlatformService.GetPlatform method and provides to
+	// CUE using a tag.
+	Model      structpb.Struct         `json:"model" yaml:"model"`
+	Components []PlatformSpecComponent `json:"components" yaml:"components"`
+}
+
+// PlatformSpecComponent represents a component to build or render with flags to
+// pass, for example the cluster name.
+type PlatformSpecComponent struct {
+	// Path is the path of the component relative to the platform root.
+	Path string `json:"path" yaml:"path"`
+	// Cluster is the cluster name to use when building the component.
+	Cluster string `json:"cluster" yaml:"cluster"`
 }

api/v1alpha1/result.go

@@ -17,6 +17,10 @@ type Result struct {
 	HolosComponent
 	// accumulatedOutput accumulates rendered api objects.
 	accumulatedOutput string
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
 }
 
 // Continue returns true if Skip is true indicating the result is to be skipped over.
@@ -133,6 +137,21 @@ func (r *Result) kustomize(ctx context.Context) error {
 	return nil
 }
 
+func (r *Result) WriteDeployFiles(ctx context.Context, path string) error {
+	log := logger.FromContext(ctx)
+	if len(r.DeployFiles) == 0 {
+		return nil
+	}
+	for k, content := range r.DeployFiles {
+		path := filepath.Join(path, k)
+		if err := r.Save(ctx, path, content); err != nil {
+			return errors.Wrap(err)
+		}
+		log.InfoContext(ctx, "wrote deploy file", "path", path, "bytes", len(content))
+	}
+	return nil
+}
+
 // Save writes the content to the filesystem for git ops.
 func (r *Result) Save(ctx context.Context, path string, content string) error {
 	log := logger.FromContext(ctx)
@@ -141,7 +160,7 @@ func (r *Result) Save(ctx context.Context, path string, content string) error {
 		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
 		return errors.Wrap(err)
 	}
-	// Write the kube api objects
+	// Write the file content
 	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
 		log.WarnContext(ctx, "could not write", "path", path, "err", err)
 		return errors.Wrap(err)

cmd/holos/testdata/constraints.txt

@@ -2,6 +2,8 @@
 exec holos build ./foo/... --log-level debug
 stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- foo/constraints.cue --
@@ -20,6 +22,7 @@ spec: components: KubernetesObjectsList: [
 package holos
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 #KubernetesObjects: {
 	apiVersion: "holos.run/v1alpha1"

cmd/holos/testdata/issue15_cue_errors.txt

@@ -3,12 +3,15 @@
 stderr 'apiObjectMap.foo.bar: cannot convert incomplete value'
 stderr '/component.cue:\d+:\d+$'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
 package holos
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 apiVersion: "holos.run/v1alpha1"
 kind: "BuildPlan"

cmd/holos/testdata/issue25_apiobjects_cue.txt

@@ -3,6 +3,8 @@ exec holos build .
 stdout '^kind: SecretStore$'
 stdout '# Source: CUE apiObjects.SecretStore.default'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
@@ -13,6 +15,7 @@ kind: "BuildPlan"
 spec: components: KubernetesObjectsList: [{apiObjectMap: #APIObjects.apiObjectMap}]
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 #SecretStore: {
     kind: string

cmd/holos/testdata/issue25_apiobjects_helm.txt

@@ -4,6 +4,8 @@ stdout '^kind: SecretStore$'
 stdout '# Source: CUE apiObjects.SecretStore.default'
 stderr 'skipping helm: no chart name specified'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
@@ -14,6 +16,7 @@ kind: "BuildPlan"
 spec: components: HelmChartList: [{apiObjectMap: #APIObjects.apiObjectMap}]
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 #SecretStore: {
     kind: string

cmd/holos/testdata/issue25_show_object_names.txt

@@ -2,6 +2,8 @@
 ! exec holos build .
 stderr 'apiObjects.secretstore.default.foo: field not allowed'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
@@ -10,6 +12,7 @@ package holos
 apiVersion: "holos.run/v1alpha1"
 kind: "KubernetesObjects"
 cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 #SecretStore: {
     metadata: name: string

cmd/holos/testdata/issue33_helm_stderr.txt

@@ -2,6 +2,8 @@
 ! exec holos build .
 stderr 'Error: execution error at \(zitadel/templates/secret_zitadel-masterkey.yaml:2:4\): Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- zitadel.cue --
@@ -12,6 +14,7 @@ kind: "BuildPlan"
 spec: components: HelmChartList: [_HelmChart]
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 _HelmChart: {
   apiVersion: "holos.run/v1alpha1"

cmd/holos/testdata/issue42_kustomize_build_kind.txt

@@ -1,15 +1,18 @@
 # Kustomize is a supported holos component kind
-exec holos render --cluster-name=mycluster . --log-level=debug
+exec holos render component --cluster-name=mycluster . --log-level=debug
 
 # Want generated output
 cmp want.yaml deploy/clusters/mycluster/components/kstest/kstest.gen.yaml
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
 package holos
 
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 apiVersion: "holos.run/v1alpha1"
 kind: "BuildPlan"

cmd/holos/testdata/issue72_disallow_unknown_fields.txt

@@ -3,11 +3,14 @@
 ! exec holos build .
 stderr 'unknown field \\"TypoKubernetesObjectsList\\"'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
 package holos
 _cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
 
 apiVersion: "holos.run/v1alpha1"
 kind: "BuildPlan"

cmd/holos/testdata/version.txt

@@ -1,5 +1,3 @@
 exec holos --version
 # want version with no v on stdout
 stdout -count=1 '^\d+\.\d+\.\d+$'
-# want nothing on stderr
-! stderr .

docs/examples/api/ListPlatform/listplatform.json

@@ -0,0 +1,10 @@
+{
+  "org_id": "018f36fb-e3f7-7f7f-a1c5-c85fb735d215",
+  "field_mask": {
+    "paths": [
+      "id",
+      "name",
+      "displayName"
+    ]
+  }
+}

docs/examples/api/UpdatePlatform/clearform.json

@@ -0,0 +1,8 @@
+{
+  "update_mask": {
+    "paths": ["form"]
+  },
+  "update": {
+    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94"
+  }
+}

docs/examples/api/UpdatePlatform/model.json

@@ -0,0 +1,11 @@
+{
+  "update_mask": {
+    "paths": ["model","name","display_name"]
+  },
+  "update": {
+    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
+    "name": "bareplatform",
+    "display_name": "Bare Platform",
+    "model": {}
+  }
+}

docs/examples/api/UpdatePlatform/nomask.json

@@ -0,0 +1,6 @@
+{
+  "update": {
+    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
+    "model": {}
+  }
+}

docs/examples/platform.config.cue

@@ -0,0 +1,3 @@
+package holos
+
+_platform_config: string @tag(platform_config, type=string)

docs/examples/platform.config.json

@@ -0,0 +1 @@
+{}

docs/examples/platforms/reference/clusters/workload/holos-run/dev/app/holos-run-app.cue

@@ -34,7 +34,7 @@ let OBJECTS = #APIObjects & {
 					containers: [
 						{
 							name:            Holos
-							image:           "271053619184.dkr.ecr.us-east-2.amazonaws.com/holos-run/holos-server/holos:0.74.0"
+							image:           "271053619184.dkr.ecr.us-east-2.amazonaws.com/holos-run/holos-server/holos:v0.79.0"
 							imagePullPolicy: "Always"
 							env: [
 								{

docs/runbooks/argocd.md

@@ -0,0 +1,14 @@
+# ArgoCD
+
+Create the deploy key secret in the management cluster.
+
+```bash
+tmp="$(mktemp -d)"
+(cd $tmp && ssh-keygen -t ed25519 -f sshPrivateKey -m pem -C argocd -N '')
+echo git@github.com:holos-run/holos-infra.git > "${tmp}/url"
+holos create secret -n argocd --append-hash=false creds-holos-infra --from-file $tmp
+rm -rf "$tmp"
+```
+
+When syncing the secret, the ExternalSecret needs to set the label
+`argocd.argoproj.io/secret-type: repo-creds`.

docs/runbooks/login/backups.md

@@ -0,0 +1,97 @@
+# PostgresCluster Backups
+
+This document describes how the S3 bucket for `PostgresCluster` backups is configured.  These buckets are configured both for ZITADEL and for Holos 
+Server and are applicable to any service in Holos that stores data in a pgo `PostgresCluster` resource.
+
+## Create the Bucket
+Name: `holos-zitadel-backups` for `zitadel`
+Name: `holos-server-backups` for `holos server`
+> [!NOTE]
+> The settings below match the default settings recommended by AWS.
+
+Object Ownership: `ACLs disabled` (recommended) Checked.
+Block Public Access settings for this bucket: **`Block all public access`** Checked.
+Bucket Versioning: `Disable`
+Default encryption: `Server-side encryption with Amazon S3 managed keys (SSE-S3)`
+Bucket Key: `Enable`
+Object Lock: `Disable`
+
+## Create an IAM Policy
+Create one IAM Policy for each bucket to grant full access to the bucket.  Replace the resource with each bucket name.
+Name: `holos-zitadel-backups` for `zitadel`
+Name: `holos-server-backups` for `holos server`
+Description: `Read and write access to a specific bucket for pgrest operating within a pgo PostgresCluster.`
+
+Policy JSON:
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetBucketLocation",
+                "s3:ListAllMyBuckets"
+            ],
+            "Resource": "arn:aws:s3:::*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "s3:*",
+            "Resource": [
+                "arn:aws:s3:::holos-zitadel-backups",
+                "arn:aws:s3:::holos-zitadel-backups/*"
+            ]
+        }
+    ]
+}
+```
+## Create an IAM Group
+Create an IAM Group to attach the policy granting access to the bucket.
+Name: `holos-zitadel-backups` for `zitadel`
+Attach permission policies: `holos-zitadel-backups`
+
+Name: `holos-server-backups` for `holos server`
+Attach permission policies: `holos-server-backups`
+## Create the IAM User
+Create an IAM User entity for each PostgresCluster.  Do not provide user access to the AWS Management Console.
+Name: `holos-zitadel-backups` for `zitadel`
+Group: `holos-zitadel-backups`
+
+Name: `holos-server-backups` for `holos server`
+Group: `holos-server-backups`
+
+## Create an Access Key
+Create an access key for `pgbackrest` associated with the `PostgresCluster`.
+
+Description: 
+> Used by pgbackrest associated with the PostgresCluster resource.  Refer to the PostgresCluster resource pgbackrest.cofiguration.secret.name for the stored location of the access key.  Synced from the Management Cluster using an ExternalSecret.
+## Create the Secret
+Create a `Secret` in the holos management cluster usable by pgbackrest.  This is a secret with a single key, `s3.conf` with the following format:
+```
+[global]
+repo2-cipher-pass=
+repo2-s3-key=
+repo2-s3-key-secret=
+repo3-cipher-pass=
+repo3-s3-key=
+repo3-s3-key-secret=
+```
+> [!NOTE]
+> Use the same values for repo2 and repo3.  The purpose is to make space for migrating if need be in the future.
+
+Generate the cipher pass using.  This password is used to encrypt all backups using client side before the backup is written to the bucket.
+```
+tr -dc A-Za-z0-9 </dev/urandom | head -c 64
+```
+
+Store the secret into the management cluster:
+```
+holos create secret --namespace zitadel holos-zitadel-backups \
+  --append-hash=false --from-file .
+```
+
+```
+holos create secret --namespace holos holos-server-backups \
+  --append-hash=false --from-file .
+```

docs/runbooks/namespace.md

@@ -0,0 +1,25 @@
+# Namespaces
+
+Holos follows the [Namespace Sameness - Sig Multicluster Position][1].  A
+namespace is the same on all clusters within the scope of a platform.
+
+Namespaces are also security boundaries for role based access control.  As such,
+permission to read a secret in a namespace means the secret is readable on all
+clusters in the platform.
+
+When adding a component to a platform, create a namespace using the following
+process.  This ensures a namespace scoped `SecretStore` is created to sync
+`ExternalSecret` resources from the management cluster.
+
+ 1. Add a new project to the `_Projects` struct in `platform.cue`.
+ 2. Add the namespace to the `spec.namespaces` field of the project.
+ 3. Render the platform
+ 4. Apply the `namespaces` component to the management cluster
+ 5. Apply the `eso-creds-manager` component to the management cluster to create the `eso-reader` ksa for the namespace `SecretStore`
+ 6. Apply the `namespaces` component to the workload clusters
+ 7. On the workload cluster, run the job to fetch the eso-reader creds: `kubectl create job -n holos-system --from=cronjob/eso-creds-refresher eso-creds-refresher-$(date +%s)`
+ 8. Apply the secretstores component to the workload cluster.
+
+Your namespace is created and you have the ability to create secrets in the management cluster and pull them using ExternalSecret resources. (edited)  
+
+[1]: https://github.com/kubernetes/community/blob/dd4c8b704ef1c9c3bfd928c6fa9234276d61ad18/sig-multicluster/namespace-sameness-position-statement.md

docs/runbooks/workload-identity.md

@@ -0,0 +1,31 @@
+# Workload Identity
+
+When a new workload cluster is provisioned, allow it to access the Management
+Cluster using workload identity.  This is necessary for the
+`eso-creds-refresher` component and `Job` that executes in each workload
+cluster, which in turn enables the `SecretStore` in each namespace to sync
+secrets.
+
+Build the cluster with Cluster API.
+See https://github.com/holos-run/holos-infra/blob/main/hack/capi/eks/aws2/aws2-managedmachinepool.yaml#L81-L84
+
+## Workload Identity Provider
+Add the Cluster as a workload identity provider to the `holos-ops` gcp project.
+
+Pool: [holos](https://console.cloud.google.com/iam-admin/workload-identity-pools/pool/holos?organizationId=358674006047&project=holos-ops)
+Name: `k8s-aws1`, `k8s-aws2`, etc...
+### Issuer URL:
+```
+kubectl create -n default token default | cut -d. -f2 | base64 -d | jq -r .iss
+```
+
+### Audience
+Use the default audience.
+### Attribute Mapping
+
+| Google                           | OIDC                                                   |
+| -------------------------------- | ------------------------------------------------------ |
+| `google.subject`                 | `assertion.sub`                                        |
+| `attribute.service_account_name` | `assertion['kubernetes.io']['serviceaccount']['name']` |
+| `attribute.uid`                  | `assertion['kubernetes.io']['serviceaccount']['uid']`  |
+| `attribute.pod`                  | `assertion['kubernetes.io']['pod']['name']`            |

go.mod

@@ -6,6 +6,7 @@ require (
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.33.0-20240401165935-b983156c5e99.1
 	connectrpc.com/connect v1.16.0
 	connectrpc.com/grpcreflect v1.2.0
+	connectrpc.com/otelconnect v0.7.0
 	connectrpc.com/validate v0.1.0
 	cuelang.org/go v0.8.0
 	entgo.io/ent v0.13.1
@@ -20,6 +21,7 @@ require (
 	github.com/lmittmann/tint v1.0.4
 	github.com/mattn/go-isatty v0.0.20
 	github.com/mattn/go-runewidth v0.0.15
+	github.com/mennanov/fieldmask-utils v1.1.2
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/prometheus/client_golang v1.19.0
 	github.com/rogpeppe/go-internal v1.12.0
@@ -29,6 +31,7 @@ require (
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/net v0.24.0
 	golang.org/x/tools v0.20.0
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa
 	google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002
 	honnef.co/go/tools v0.4.7
 	k8s.io/api v0.29.2
@@ -43,7 +46,6 @@ require (
 	ariga.io/atlas v0.19.1-0.20240203083654-5948b60a8e43 // indirect
 	cloud.google.com/go/compute v1.23.3 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	connectrpc.com/otelconnect v0.7.0 // indirect
 	cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e // indirect
 	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
@@ -84,7 +86,7 @@ require (
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/cli v26.0.0+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v26.0.0+incompatible // indirect
+	github.com/docker/docker v26.0.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.1 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -245,8 +247,8 @@ require (
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240325203815-454cdb8f5daa // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa // indirect
 	google.golang.org/grpc v1.62.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

go.sum

@@ -86,6 +86,7 @@ github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tj
 github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
 github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw=
@@ -115,6 +116,7 @@ github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMr
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cheekybits/genny v1.0.0 h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=
@@ -144,9 +146,13 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cloudevents/sdk-go/v2 v2.15.2 h1:54+I5xQEnI73RBhWHxbI1XJcqOFOVJN85vb41+8mHUc=
 github.com/cloudevents/sdk-go/v2 v2.15.2/go.mod h1:lL7kSWAE/V8VI4Wh0jbL2v/jvqsm6tjmaQBSvxcv4uE=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe h1:QQ3GSy+MqSHxm/d8nCtnAiZdYFd45cYZPs8vOOIYKfk=
 github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ=
 github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM=
 github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
@@ -181,8 +187,8 @@ github.com/docker/cli v26.0.0+incompatible h1:90BKrx1a1HKYpSnnBFR6AgDq/FqkHxwlUy
 github.com/docker/cli v26.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
-github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.0.2+incompatible h1:yGVmKUFGgcxA6PXWAokO0sQL22BrQ67cgVjko8tGdXE=
+github.com/docker/docker v26.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
 github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -198,6 +204,8 @@ github.com/emicklei/proto v1.10.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/go-control-plane v0.12.0 h1:4X+VP1GHd1Mhj6IB5mMeGbLCleqxjletLK6K0rbxyZI=
 github.com/envoyproxy/go-control-plane v0.12.0/go.mod h1:ZBTaoJ23lqITozF0M6G4/IragXCQKCnYbmlmtHvwRG0=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
@@ -307,6 +315,7 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -356,6 +365,7 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/subcommands v1.0.1/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/wire v0.5.0 h1:I7ELFeVBr3yfPIcc8+MWvrjk+3VjbcSzoXm3JVa+jD8=
@@ -374,6 +384,7 @@ github.com/gosuri/uilive v0.0.4 h1:hUEBpQDj8D8jXgtCdBu7sWsy5sbW/5GhuO8KBwJ2jyY=
 github.com/gosuri/uilive v0.0.4/go.mod h1:V/epo5LjjlDE5RJUcqx8dbw+zc93y5Ya3yg8tfZ74VI=
 github.com/gosuri/uiprogress v0.0.1 h1:0kpv/XY/qTmFWl/SkaJykZXrBBzwwadmW8fRb7RJSxw=
 github.com/gosuri/uiprogress v0.0.1/go.mod h1:C1RTYn4Sc7iEyf6j8ft5dyoZ4212h8G1ol9QQluh5+0=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
 github.com/guptarohit/asciigraph v0.7.1 h1:K+JWbRc04XEfv8BSZgNuvhCmpbvX4+9NYd/UxXVnAuk=
@@ -468,6 +479,8 @@ github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZ
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mennanov/fieldmask-utils v1.1.2 h1:f5hd3hYeWdl+q2thiKYyZZmqTqn90uayWG03bca9U+E=
+github.com/mennanov/fieldmask-utils v1.1.2/go.mod h1:xRqd9Fjz/gFEDYCQw7pxGouxqLhSPrkOdx2yhEAXEls=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
@@ -568,6 +581,7 @@ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
@@ -686,6 +700,7 @@ go.opentelemetry.io/otel/sdk/metric v1.19.0 h1:EJoTO5qysMsYCa+w4UghwFV/ptQgqSL/8
 go.opentelemetry.io/otel/sdk/metric v1.19.0/go.mod h1:XjG0jQyFJrv2PbMvwND7LwCEhsJzCzV5210euduKcKY=
 go.opentelemetry.io/otel/trace v1.25.0 h1:tqukZGLwQYRIFtSQM2u2+yfMVTgGVeqRLPUYx1Dq6RM=
 go.opentelemetry.io/otel/trace v1.25.0/go.mod h1:hCCs70XM/ljO+BeQkyFnbK28SBIJ/Emuha+ccrCRT7I=
+go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
 go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
@@ -833,6 +848,7 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -979,12 +995,16 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
 google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20220531173845-685668d2de03/go.mod h1:yKyY4AMRwFiC8yMMNaMi+RkCnjZJt9LoWuvhXjMs+To=
+google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ=
+google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro=
 google.golang.org/genproto/googleapis/api v0.0.0-20240325203815-454cdb8f5daa h1:Jt1XW5PaLXF1/ePZrznsh/aAUvI7Adfc3LY1dAKlzRs=
 google.golang.org/genproto/googleapis/api v0.0.0-20240325203815-454cdb8f5daa/go.mod h1:K4kfzHtI0kqWA79gecJarFtDn/Mls+GxQcg3Zox91Ac=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240325203815-454cdb8f5daa h1:RBgMaUMP+6soRkik4VoN8ojR2nex2TqZwjSSogic+eo=
@@ -1001,6 +1021,9 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
 google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
@@ -1015,6 +1038,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002 h1:V7Da7qt0MkY3noVANIMVBk28nOnijADeOR3i5Hcvpj4=
 google.golang.org/protobuf v1.33.1-0.20240408130810-98873a205002/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
@@ -1026,6 +1051,7 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

holos.go

@@ -1,10 +1,10 @@
 // Package holos defines types for the rest of the system.
 package holos
 
-// A PathCueMod is a string representing the filesystem path of a cue module.
-// It is given a unique type so the API is clear.
+// A PathCueMod is a string representing the absolute filesystem path of a cue
+// module.  It is given a unique type so the API is clear.
 type PathCueMod string
 
-// A InstancePath is a string representing the filesystem path of a holos instance.
-// It is given a unique type so the API is clear.
+// A InstancePath is a string representing the absolute filesystem path of a
+// holos instance.  It is given a unique type so the API is clear.
 type InstancePath string

internal/builder/builder.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"cuelang.org/go/cue/build"
 	"cuelang.org/go/cue/cuecontext"
@@ -17,6 +18,7 @@ import (
 	"github.com/holos-run/holos/api/v1alpha1"
 
 	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/internal/client"
 	"github.com/holos-run/holos/internal/errors"
 	"github.com/holos-run/holos/internal/logger"
 )
@@ -70,7 +72,7 @@ func (b *Builder) Cluster() string {
 }
 
 // Instances returns the cue build instances being built.
-func (b *Builder) Instances(ctx context.Context) ([]*build.Instance, error) {
+func (b *Builder) Instances(ctx context.Context, cfg *client.Config) ([]*build.Instance, error) {
 	log := logger.FromContext(ctx)
 
 	mod, err := b.findCueMod()
@@ -79,7 +81,29 @@ func (b *Builder) Instances(ctx context.Context) ([]*build.Instance, error) {
 	}
 	dir := string(mod)
 
-	cfg := load.Config{Dir: dir}
+	cueConfig := load.Config{Dir: dir}
+
+	// Get the platform model from the PlatformConfig
+	pc, err := client.LoadPlatformConfig(ctx, dir)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	data, err := json.Marshal(pc)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+
+	// Refer to https://github.com/cue-lang/cue/blob/v0.7.0/cmd/cue/cmd/common.go#L429
+	cueConfig.Tags = append(cueConfig.Tags, "platform_config="+string(data))
+	if b.Cluster() != "" {
+		cueConfig.Tags = append(cueConfig.Tags, "cluster="+b.Cluster())
+	}
+	log.DebugContext(ctx, fmt.Sprintf("cue: tags %v", cueConfig.Tags))
+
+	prefix := []string{"cue", "export", "--out", "yaml"}
+	for _, tag := range cueConfig.Tags {
+		prefix = append(prefix, "-t", fmt.Sprintf("'%s'", tag))
+	}
 
 	// Make args relative to the module directory
 	args := make([]string, len(b.cfg.args))
@@ -94,21 +118,20 @@ func (b *Builder) Instances(ctx context.Context) ([]*build.Instance, error) {
 		}
 		relPath = "./" + relPath
 		args[idx] = relPath
-		equiv := fmt.Sprintf("cue export --out yaml -t cluster=%v %v", b.Cluster(), relPath)
-		log.Debug("cue: equivalent command: " + equiv)
+
+		equiv := make([]string, len(prefix), 1+len(prefix))
+		copy(equiv, prefix)
+		equiv = append(equiv, relPath)
+		log.Debug(strings.Join(equiv, " "), "comment", "cue equivalent command")
 	}
 
-	// Refer to https://github.com/cue-lang/cue/blob/v0.7.0/cmd/cue/cmd/common.go#L429
-	cfg.Tags = append(cfg.Tags, "cluster="+b.Cluster())
-	log.DebugContext(ctx, fmt.Sprintf("cue: tags %v", cfg.Tags))
-
-	return load.Instances(args, &cfg), nil
+	return load.Instances(args, &cueConfig), nil
 }
 
-func (b *Builder) Run(ctx context.Context) (results []*v1alpha1.Result, err error) {
+func (b *Builder) Run(ctx context.Context, cfg *client.Config) (results []*v1alpha1.Result, err error) {
 	log := logger.FromContext(ctx)
 	log.DebugContext(ctx, "cue: building instances")
-	instances, err := b.Instances(ctx)
+	instances, err := b.Instances(ctx, cfg)
 	if err != nil {
 		return nil, err
 	}
@@ -161,9 +184,14 @@ func (b Builder) runInstance(ctx context.Context, instance *build.Instance) (res
 
 	// New decoder for the full object
 	decoder = json.NewDecoder(bytes.NewReader(jsonBytes))
+
+	// TODO: When we release v1, explicitly allow unknown fields so we can add
+	// fields without needing to bump the major version.  Disallow until we reach
+	// v1 for clear error reporting.
 	decoder.DisallowUnknownFields()
 
 	switch tm.Kind {
+	// TODO(jeff) Process a v1alpha1.Result here, the result is tightly coupled to a BuildPlan.
 	case "BuildPlan":
 		var bp v1alpha1.BuildPlan
 		if err = decoder.Decode(&bp); err != nil {
@@ -171,24 +199,14 @@ func (b Builder) runInstance(ctx context.Context, instance *build.Instance) (res
 			return
 		}
 		results, err = b.buildPlan(ctx, &bp, path)
-	case "Platform":
-		var pf v1alpha1.Platform
-		if err = decoder.Decode(&pf); err != nil {
-			err = errors.Wrap(fmt.Errorf("could not decode Platform %s: %w", instance.Dir, err))
-			return
+		if err != nil {
+			return results, err
 		}
-		results, err = b.buildPlatform(ctx, &pf)
 	default:
 		err = errors.Wrap(fmt.Errorf("unknown kind: %v", tm.Kind))
 	}
 
-	return
-}
-
-func (b *Builder) buildPlatform(ctx context.Context, pf *v1alpha1.Platform) (results []*v1alpha1.Result, err error) {
-	log := logger.FromContext(ctx)
-	log.ErrorContext(ctx, "not implemented", "platform", pf)
-	return nil, errors.Wrap(fmt.Errorf("not implemeneted"))
+	return results, err
 }
 
 func (b *Builder) buildPlan(ctx context.Context, buildPlan *v1alpha1.BuildPlan, path holos.InstancePath) (results []*v1alpha1.Result, err error) {
@@ -237,6 +255,17 @@ func (b *Builder) buildPlan(ctx context.Context, buildPlan *v1alpha1.BuildPlan,
 		}
 	}
 
+	// Add a separate Result if there are DeployFiles from the BuildPlan.
+	if len(buildPlan.Spec.DeployFiles) > 0 {
+		results = append(results, &v1alpha1.Result{
+			HolosComponent: v1alpha1.HolosComponent{
+				TypeMeta: buildPlan.TypeMeta,
+				Metadata: buildPlan.Metadata,
+			},
+			DeployFiles: buildPlan.Spec.DeployFiles,
+		})
+	}
+
 	log.DebugContext(ctx, "returning results", "len", len(results))
 
 	return results, nil

internal/builder/platform.go

@@ -0,0 +1,90 @@
+package builder
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"cuelang.org/go/cue/build"
+	"cuelang.org/go/cue/cuecontext"
+	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/api/v1alpha1"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+)
+
+// Platform builds a platform
+func (b *Builder) Platform(ctx context.Context, cfg *client.Config) (*v1alpha1.Platform, error) {
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "cue: building platform instance")
+	instances, err := b.Instances(ctx, cfg)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+
+	if len(instances) != 1 {
+		return nil, errors.Wrap(errors.New(fmt.Sprintf("instances length %d must be exactly 1", len(instances))))
+	}
+
+	// We only process the first instance, assume the render platform subcommand enforces this.
+	instance := instances[0]
+	log.DebugContext(ctx, "cue: building instance", "dir", instance.Dir)
+	p, err := b.runPlatform(ctx, instance)
+	if err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not build platform: %w", err))
+	}
+	return p, nil
+}
+
+func (b Builder) runPlatform(ctx context.Context, instance *build.Instance) (*v1alpha1.Platform, error) {
+	path := holos.InstancePath(instance.Dir)
+	log := logger.FromContext(ctx).With("dir", path)
+
+	if err := instance.Err; err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not load: %w", err))
+	}
+	cueCtx := cuecontext.New()
+	value := cueCtx.BuildInstance(instance)
+	if err := value.Err(); err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not build %s: %w", instance.Dir, err))
+	}
+	log.DebugContext(ctx, "cue: validating instance")
+	if err := value.Validate(); err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not validate: %w", err))
+	}
+
+	log.DebugContext(ctx, "cue: decoding holos platform")
+	jsonBytes, err := value.MarshalJSON()
+	if err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not marshal cue instance %s: %w", instance.Dir, err))
+	}
+	decoder := json.NewDecoder(bytes.NewReader(jsonBytes))
+	// Discriminate the type of build plan.
+	tm := &v1alpha1.TypeMeta{}
+	err = decoder.Decode(tm)
+	if err != nil {
+		return nil, errors.Wrap(fmt.Errorf("invalid platform: %s: %w", instance.Dir, err))
+	}
+
+	log.DebugContext(ctx, "cue: discriminated build kind: "+tm.Kind, "kind", tm.Kind, "apiVersion", tm.APIVersion)
+
+	// New decoder for the full object
+	decoder = json.NewDecoder(bytes.NewReader(jsonBytes))
+	decoder.DisallowUnknownFields()
+
+	var pf v1alpha1.Platform
+	switch tm.Kind {
+	case "Platform":
+		if err = decoder.Decode(&pf); err != nil {
+			err = errors.Wrap(fmt.Errorf("could not decode platform %s: %w", instance.Dir, err))
+			return nil, err
+		}
+		return &pf, nil
+	default:
+		err = errors.Wrap(fmt.Errorf("unknown kind: %v", tm.Kind))
+	}
+
+	return nil, err
+}

internal/cli/build/build.go

@@ -7,16 +7,20 @@ import (
 
 	"github.com/holos-run/holos/internal/builder"
 	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
 	"github.com/holos-run/holos/internal/errors"
 	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
 	"github.com/spf13/cobra"
 )
 
 // makeBuildRunFunc returns the internal implementation of the build cli command
-func makeBuildRunFunc(cfg *holos.Config) command.RunFunc {
+func makeBuildRunFunc(cfg *client.Config) command.RunFunc {
 	return func(cmd *cobra.Command, args []string) error {
-		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
-		results, err := build.Run(cmd.Context())
+		ctx := cmd.Root().Context()
+		logger.FromContext(ctx).DebugContext(ctx, "RunE", "args", args)
+		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.Holos().ClusterName()))
+		results, err := build.Run(ctx, cfg)
 		if err != nil {
 			return err
 		}
@@ -42,7 +46,12 @@ func New(cfg *holos.Config) *cobra.Command {
 	cmd := command.New("build [directory...]")
 	cmd.Args = cobra.MinimumNArgs(1)
 	cmd.Short = "build kubernetes api objects from a directory"
-	cmd.RunE = makeBuildRunFunc(cfg)
+
 	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	cmd.RunE = makeBuildRunFunc(config)
 	return cmd
 }

internal/cli/command/cmd.go

@@ -1,9 +1,6 @@
 package command
 
 import (
-	"fmt"
-
-	"github.com/holos-run/holos/internal/errors"
 	"github.com/holos-run/holos/version"
 	"github.com/spf13/cobra"
 )
@@ -20,9 +17,6 @@ func New(name string) *cobra.Command {
 		CompletionOptions: cobra.CompletionOptions{
 			HiddenDefaultCmd: true,
 		},
-		RunE: func(c *cobra.Command, args []string) error {
-			return errors.Wrap(fmt.Errorf("could not run %v: not implemented", c.Name()))
-		},
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}

internal/cli/create/create.go

@@ -3,21 +3,52 @@ package create
 import (
 	"github.com/holos-run/holos/internal/cli/command"
 	"github.com/holos-run/holos/internal/cli/secret"
+	"github.com/holos-run/holos/internal/client"
 	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
 	"github.com/spf13/cobra"
 )
 
 // New returns the create command for the cli
-func New(hc *holos.Config) *cobra.Command {
+func New(cfg *holos.Config) *cobra.Command {
 	cmd := command.New("create")
 	cmd.Short = "create resources"
 	cmd.Flags().SortFlags = false
 	cmd.RunE = func(c *cobra.Command, args []string) error {
 		return c.Usage()
 	}
+
+	// api client config
+	config := client.NewConfig(cfg)
+
 	// flags
 	cmd.PersistentFlags().SortFlags = false
 	// commands
-	cmd.AddCommand(secret.NewCreateCmd(hc))
+	cmd.AddCommand(secret.NewCreateCmd(cfg))
+	cmd.AddCommand(NewPlatform(config))
+	return cmd
+}
+
+func NewPlatform(cfg *client.Config) *cobra.Command {
+	cmd := command.New("platform")
+
+	cmd.Short = "create a platform"
+	cmd.Args = cobra.NoArgs
+
+	pm := client.PlatformMutation{}
+	cmd.Flags().AddGoFlagSet(pm.FlagSet())
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		client := client.New(cfg)
+		pf, err := client.CreatePlatform(ctx, pm)
+		if err != nil {
+			return err
+		}
+		log := logger.FromContext(ctx)
+		log.InfoContext(ctx, "created platform", "name", pf.GetName(), "id", pf.GetId(), "org", pf.GetOwner().GetOrgId())
+		return nil
+	}
+
 	return cmd
 }

internal/cli/generate/generate.go

@@ -0,0 +1,106 @@
+package generate
+
+import (
+	"fmt"
+	"log/slog"
+	"path/filepath"
+	"strings"
+
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/generate"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/spf13/cobra"
+)
+
+// New returns a new generate command.
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("generate")
+	cmd.Aliases = []string{"gen"}
+	cmd.Short = "generate local resources"
+	cmd.Args = cobra.NoArgs
+
+	cmd.AddCommand(NewPlatform(cfg))
+	cmd.AddCommand(NewComponent())
+
+	return cmd
+}
+
+func NewPlatform(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("platform")
+	cmd.Use = "platform [flags] PLATFORM"
+	cmd.Short = "generate a platform from an embedded schematic"
+	cmd.Long = fmt.Sprintf("Embedded platforms available to generate:\n\n  %s", strings.Join(generate.Platforms(), "\n  "))
+	cmd.Args = cobra.ExactArgs(1)
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		clientContext := holos.NewClientContext(ctx)
+		client := client.New(client.NewConfig(cfg))
+
+		for _, name := range args {
+			if err := generate.GeneratePlatform(ctx, client, clientContext.OrgID, name); err != nil {
+				return errors.Wrap(err)
+			}
+		}
+
+		return nil
+	}
+
+	return cmd
+}
+
+// NewComponent returns a command to generate a holos component
+func NewComponent() *cobra.Command {
+	cmd := command.New("component")
+	cmd.Short = "generate a component from an embedded schematic"
+
+	cmd.AddCommand(NewCueComponent())
+	cmd.AddCommand(NewHelmComponent())
+
+	return cmd
+}
+
+func NewHelmComponent() *cobra.Command {
+	cmd := command.New("helm")
+	cmd.Short = "generate a helm component from a schematic"
+
+	for _, name := range generate.HelmComponents() {
+		cmd.AddCommand(makeSchematicCommand("helm", name))
+	}
+
+	return cmd
+}
+
+func NewCueComponent() *cobra.Command {
+	cmd := command.New("cue")
+	cmd.Short = "generate a cue component from a schematic"
+
+	for _, name := range generate.CueComponents() {
+		cmd.AddCommand(makeSchematicCommand("cue", name))
+	}
+	return cmd
+}
+
+func makeSchematicCommand(kind, name string) *cobra.Command {
+	cmd := command.New(name)
+	cfg, err := generate.NewSchematic(filepath.Join("components", kind), name)
+	if err != nil {
+		slog.Error("could not get schematic", "err", err)
+		return nil
+	}
+	cmd.Short = cfg.Short
+	cmd.Long = cfg.Long
+	cmd.Args = cobra.NoArgs
+	cmd.Flags().AddGoFlagSet(cfg.FlagSet())
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		if err := generate.GenerateComponent(ctx, kind, name, cfg); err != nil {
+			return errors.Wrap(err)
+		}
+		return nil
+	}
+
+	return cmd
+}

internal/cli/main.go

@@ -5,9 +5,11 @@ import (
 	"fmt"
 	"log/slog"
 
+	"connectrpc.com/connect"
 	cue "cuelang.org/go/cue/errors"
 	"github.com/holos-run/holos/internal/errors"
 	"github.com/holos-run/holos/internal/holos"
+	"google.golang.org/genproto/googleapis/rpc/errdetails"
 )
 
 // MakeMain makes a main function for the cli or tests.
@@ -25,7 +27,8 @@ func MakeMain(options ...holos.Option) func() int {
 
 // HandleError is the top level error handler that unwraps and logs errors.
 func HandleError(ctx context.Context, err error, hc *holos.Config) (exitCode int) {
-	log := hc.NewTopLevelLogger()
+	// Connect errors have codes, log them.
+	log := hc.NewTopLevelLogger().With("code", connect.CodeOf(err))
 	var cueErr cue.Error
 	var errAt *errors.ErrorAt
 	const msg = "could not execute"
@@ -39,5 +42,24 @@ func HandleError(ctx context.Context, err error, hc *holos.Config) (exitCode int
 		msg := cue.Details(cueErr, nil)
 		_, _ = fmt.Fprint(hc.Stderr(), msg)
 	}
+	// connect errors have details and codes.
+	// Refer to https://connectrpc.com/docs/go/errors
+	if connectErr := new(connect.Error); errors.As(err, &connectErr) {
+		for _, detail := range connectErr.Details() {
+			msg, valueErr := detail.Value()
+			if valueErr != nil {
+				log.WarnContext(ctx, "could not decode error detail", "err", err, "type", detail.Type(), "note", "this usually means we don't have the schema for the protobuf message type")
+				continue
+			}
+			if info, ok := msg.(*errdetails.ErrorInfo); ok {
+				logDetail := log.With("reason", info.GetReason(), "domain", info.GetDomain())
+				for k, v := range info.GetMetadata() {
+					logDetail = logDetail.With(k, v)
+				}
+				logDetail.ErrorContext(ctx, info.String())
+			}
+		}
+	}
+
 	return 1
 }

internal/cli/pull/pull.go

@@ -0,0 +1,81 @@
+// Package pull pulls resources from the PlatformService and caches them in the
+// local filesystem.
+package pull
+
+import (
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+	object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
+	"github.com/spf13/cobra"
+)
+
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("pull")
+	cmd.Short = "pull resources from holos server"
+	cmd.Args = cobra.NoArgs
+
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	cmd.AddCommand(NewPlatform(config))
+
+	return cmd
+}
+
+func NewPlatform(cfg *client.Config) *cobra.Command {
+	cmd := command.New("platform")
+
+	cmd.Short = "pull platform resources"
+	cmd.Args = cobra.NoArgs
+
+	cmd.AddCommand(NewPlatformConfig(cfg))
+
+	return cmd
+}
+
+func NewPlatformConfig(cfg *client.Config) *cobra.Command {
+	cmd := command.New("config")
+	cmd.Short = "pull platform config"
+	cmd.Args = cobra.MinimumNArgs(1)
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		if ctx == nil {
+			return errors.Wrap(errors.New("cannot execute: no context"))
+		}
+		ctx = logger.NewContext(ctx, logger.FromContext(ctx).With("server", cfg.Client().Server()))
+		rpc := client.New(cfg)
+		for _, name := range args {
+			// Get the platform metadata for the platform id.
+			pmd, err := client.LoadPlatform(ctx, name)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			log := logger.FromContext(ctx).With("platform_id", pmd.GetId())
+			// Get the platform model
+			model, err := rpc.PlatformModel(ctx, pmd.GetId())
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			log.Info("pulled platform model")
+			// Build the PlatformConfig
+			pc := &object.PlatformConfig{
+				PlatformId:    pmd.GetId(),
+				PlatformModel: model,
+			}
+			// Save the PlatformConfig
+			path, err := client.SavePlatformConfig(ctx, name, pc)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			log.Info("saved platform config", "path", path)
+		}
+		return nil
+	}
+
+	return cmd
+}

internal/cli/push/push.go

@@ -0,0 +1,76 @@
+// Package push pushes resources to the holos api server.
+package push
+
+import (
+	"fmt"
+	"log/slog"
+
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/push"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+	"github.com/spf13/cobra"
+)
+
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("push")
+	cmd.Short = "push resources to holos server"
+	cmd.Args = cobra.NoArgs
+
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	cmd.AddCommand(NewPlatform(config))
+
+	return cmd
+}
+
+func NewPlatform(cfg *client.Config) *cobra.Command {
+	cmd := command.New("platform")
+
+	cmd.Short = "push platform resources to holos server"
+	cmd.Args = cobra.NoArgs
+
+	cmd.AddCommand(NewPlatformForm(cfg))
+	// cmd.AddCommand(NewPlatformModel(cfg))
+
+	return cmd
+}
+
+func NewPlatformForm(cfg *client.Config) *cobra.Command {
+	cmd := command.New("form")
+	cmd.Short = "push platform form to holos server"
+	cmd.Args = cobra.MinimumNArgs(1)
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		if ctx == nil {
+			return errors.Wrap(errors.New("cannot execute: no context"))
+		}
+		ctx = logger.NewContext(ctx, logger.FromContext(ctx).With("server", cfg.Client().Server()))
+		rpc := client.New(cfg)
+		for _, name := range args {
+			// Get the platform metadata for the platform id.
+			p, err := client.LoadPlatform(ctx, name)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			// Build the form from the cue code.
+			form, err := push.PlatformForm(ctx, name)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+			// Make the rpc call to update the platform form.
+			if err := rpc.UpdateForm(ctx, p.GetId(), form); err != nil {
+				return errors.Wrap(err)
+			}
+			slog.Default().InfoContext(ctx, fmt.Sprintf("pushed: %s/ui/platform/%s", cfg.Client().Server(), p.GetId()))
+		}
+		return nil
+	}
+
+	return cmd
+}

internal/cli/register/register.go

@@ -0,0 +1,36 @@
+// Package register provides user registration via the command line.
+package register
+
+import (
+	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/register"
+	"github.com/spf13/cobra"
+)
+
+// New returns a new register command.
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("register")
+	cmd.Short = "register with holos server"
+	cmd.Args = cobra.NoArgs
+
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	cmd.AddCommand(NewUser(config))
+
+	return cmd
+}
+
+// NewUser returns a command to register a user with holos server.
+func NewUser(cfg *client.Config) *cobra.Command {
+	cmd := command.New("user")
+	cmd.Short = "user registration workflow"
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		return register.User(ctx, cfg)
+	}
+	return cmd
+}

internal/cli/render/render.go

@@ -7,37 +7,46 @@ import (
 
 	"github.com/holos-run/holos/internal/builder"
 	"github.com/holos-run/holos/internal/cli/command"
+	"github.com/holos-run/holos/internal/client"
 	"github.com/holos-run/holos/internal/errors"
 	"github.com/holos-run/holos/internal/holos"
 	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/render"
 	"github.com/spf13/cobra"
 )
 
-// New returns the render subcommand for the root command
 func New(cfg *holos.Config) *cobra.Command {
-	cmd := command.New("render [directory...]")
+	cmd := command.New("render")
+	cmd.Args = cobra.NoArgs
+	cmd.Short = "render platform configuration"
+	cmd.AddCommand(NewComponent(cfg))
+	cmd.AddCommand(NewPlatform(cfg))
+	return cmd
+}
+
+// New returns the component subcommand for the render command
+func NewComponent(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("component [directory...]")
 	cmd.Args = cobra.MinimumNArgs(1)
 	cmd.Short = "write kubernetes api objects to the filesystem"
-	cmd.Flags().SortFlags = false
 	cmd.Flags().AddGoFlagSet(cfg.WriteFlagSet())
 	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
 
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
 	var printInstances bool
 	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
 	flagSet.BoolVar(&printInstances, "print-instances", false, "expand /... paths for xargs")
 	cmd.Flags().AddGoFlagSet(flagSet)
 
 	cmd.RunE = func(cmd *cobra.Command, args []string) error {
-		if cfg.ClusterName() == "" {
-			return errors.Wrap(fmt.Errorf("missing cluster name"))
-		}
-
-		ctx := cmd.Context()
-		log := logger.FromContext(ctx).With("cluster", cfg.ClusterName())
+		ctx := cmd.Root().Context()
 		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
 
 		if printInstances {
-			instances, err := build.Instances(ctx)
+			instances, err := build.Instances(ctx, config)
 			if err != nil {
 				return errors.Wrap(err)
 			}
@@ -47,35 +56,78 @@ func New(cfg *holos.Config) *cobra.Command {
 			return nil
 		}
 
-		results, err := build.Run(cmd.Context())
+		results, err := build.Run(ctx, config)
 		if err != nil {
 			return errors.Wrap(err)
 		}
-		// TODO: Avoid accidental over-writes if to holos component instances result in
-		// the same file path. Write files into a blank temporary directory, error if a
-		// file exists, then move the directory into place.
+		// TODO: Avoid accidental over-writes if two or more holos component
+		// instances result in the same file path. Write files into a blank
+		// temporary directory, error if a file exists, then move the directory into
+		// place.
 		var result Result
 		for _, result = range results {
+			log := logger.FromContext(ctx).With(
+				"cluster", cfg.ClusterName(),
+				"name", result.Name(),
+			)
 			if result.Continue() {
 				continue
 			}
+			// DeployFiles from the BuildPlan
+			if err := result.WriteDeployFiles(ctx, cfg.WriteTo()); err != nil {
+				return errors.Wrap(err)
+			}
+			// Build plans don't have anything but DeployFiles to write.
+			if result.GetKind() == "BuildPlan" {
+				continue
+			}
+
 			// API Objects
 			path := result.Filename(cfg.WriteTo(), cfg.ClusterName())
 			if err := result.Save(ctx, path, result.AccumulatedOutput()); err != nil {
 				return errors.Wrap(err)
 			}
 			// Kustomization
-			path = result.KustomizationFilename(cfg.WriteTo(), cfg.ClusterName())
-			if err := result.Save(ctx, path, result.KustomizationContent()); err != nil {
-				return errors.Wrap(err)
+			if result.KustomizationContent() == "" {
+				log.DebugContext(ctx, "flux kustomization: skipped "+result.Name(), "status", "ok", "action", "skipped")
+			} else {
+				path = result.KustomizationFilename(cfg.WriteTo(), cfg.ClusterName())
+				if err := result.Save(ctx, path, result.KustomizationContent()); err != nil {
+					return errors.Wrap(err)
+				}
 			}
-			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "rendered", "name", result.Name())
+
+			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "rendered")
 		}
 		return nil
 	}
 	return cmd
 }
 
+func NewPlatform(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("platform [directory]")
+	cmd.Args = cobra.ExactArgs(1)
+	cmd.Short = "render all platform components"
+
+	config := client.NewConfig(cfg)
+	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		build := builder.New(builder.Entrypoints(args))
+
+		platform, err := build.Platform(ctx, config)
+		if err != nil {
+			return errors.Wrap(err)
+		}
+
+		return render.Platform(ctx, platform, cmd.ErrOrStderr())
+	}
+
+	return cmd
+}
+
 type Result interface {
 	Continue() bool
 	Name() string
@@ -84,4 +136,7 @@ type Result interface {
 	Save(ctx context.Context, path string, content string) error
 	AccumulatedOutput() string
 	KustomizationContent() string
+	WriteDeployFiles(ctx context.Context, writeTo string) error
+	GetKind() string
+	GetAPIVersion() string
 }

internal/cli/root.go

@@ -1,27 +1,34 @@
 package cli
 
 import (
+	"fmt"
 	"log/slog"
 
 	"github.com/spf13/cobra"
 
+	"github.com/holos-run/holos/version"
+
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/logger"
 	"github.com/holos-run/holos/internal/server"
 
 	"github.com/holos-run/holos/internal/cli/build"
+	"github.com/holos-run/holos/internal/cli/command"
 	"github.com/holos-run/holos/internal/cli/controller"
 	"github.com/holos-run/holos/internal/cli/create"
+	"github.com/holos-run/holos/internal/cli/generate"
 	"github.com/holos-run/holos/internal/cli/get"
 	"github.com/holos-run/holos/internal/cli/kv"
 	"github.com/holos-run/holos/internal/cli/login"
 	"github.com/holos-run/holos/internal/cli/logout"
 	"github.com/holos-run/holos/internal/cli/preflight"
+	"github.com/holos-run/holos/internal/cli/pull"
+	"github.com/holos-run/holos/internal/cli/push"
+	"github.com/holos-run/holos/internal/cli/register"
 	"github.com/holos-run/holos/internal/cli/render"
 	"github.com/holos-run/holos/internal/cli/rpc"
 	"github.com/holos-run/holos/internal/cli/token"
 	"github.com/holos-run/holos/internal/cli/txtar"
-	"github.com/holos-run/holos/internal/holos"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/version"
 )
 
 // New returns a new root *cobra.Command for command line execution.
@@ -29,7 +36,7 @@ func New(cfg *holos.Config) *cobra.Command {
 	rootCmd := &cobra.Command{
 		Use:     "holos",
 		Short:   "holos manages a holistic integrated software development platform",
-		Version: version.Version,
+		Version: version.GetVersion(),
 		Args:    cobra.NoArgs,
 		CompletionOptions: cobra.CompletionOptions{
 			HiddenDefaultCmd: true, // Don't complete the complete subcommand itself
@@ -41,7 +48,7 @@ func New(cfg *holos.Config) *cobra.Command {
 				return err
 			}
 			log := cfg.Logger()
-			c.SetContext(logger.NewContext(c.Context(), log))
+			c.Root().SetContext(logger.NewContext(c.Context(), log))
 			// Set the default logger after flag parsing.
 			slog.SetDefault(log)
 			return nil
@@ -65,6 +72,11 @@ func New(cfg *holos.Config) *cobra.Command {
 	rootCmd.AddCommand(logout.New(cfg))
 	rootCmd.AddCommand(token.New(cfg))
 	rootCmd.AddCommand(rpc.New(cfg))
+	rootCmd.AddCommand(generate.New(cfg))
+	rootCmd.AddCommand(register.New(cfg))
+	rootCmd.AddCommand(pull.New(cfg))
+	rootCmd.AddCommand(push.New(cfg))
+	rootCmd.AddCommand(newOrgCmd())
 
 	// Maybe not needed?
 	rootCmd.AddCommand(txtar.New(cfg))
@@ -80,3 +92,15 @@ func New(cfg *holos.Config) *cobra.Command {
 
 	return rootCmd
 }
+
+func newOrgCmd() (cmd *cobra.Command) {
+	cmd = command.New("orgid")
+	cmd.Short = "print the current context org id."
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		cc := holos.NewClientContext(ctx)
+		_, err := fmt.Fprintln(cmd.OutOrStdout(), cc.OrgID)
+		return err
+	}
+	return cmd
+}

internal/cli/rpc/rpc.go

@@ -45,7 +45,7 @@ func NewPlatformModel(cfg *Config) *cobra.Command {
 	cmd := command.New("platform-model")
 	cmd.Short = "get the platform model"
 	cmd.RunE = func(cmd *cobra.Command, args []string) error {
-		ctx := cmd.Context()
+		ctx := cmd.Root().Context()
 		log := logger.FromContext(ctx)
 		// client := platformconnect.NewPlatformServiceClient(token.NewClient(cfg.token), cfg.client.Server())
 		client := platformconnect.NewPlatformServiceClient(token.NewClient(cfg.token), cfg.client.Server())

internal/cli/secret/testdata/create_secret_no_hash.txt

@@ -1,7 +0,0 @@
-# Want no hash appended
-holos create secret test --namespace holos-system --from-file $WORK/test --append-hash=false
-stderr ' created: test '
-stderr ' secret=test '
-
--- test --
-sekret

internal/client/client.go

@@ -0,0 +1,127 @@
+// Package client provides configuration and convenience methods for making API calls to the holos server.
+package client
+
+import (
+	"context"
+	"flag"
+	"time"
+
+	"connectrpc.com/connect"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+	"github.com/holos-run/holos/internal/token"
+	object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
+	"github.com/holos-run/holos/service/gen/holos/organization/v1alpha1/organizationconnect"
+	platform "github.com/holos-run/holos/service/gen/holos/platform/v1alpha1"
+	"github.com/holos-run/holos/service/gen/holos/platform/v1alpha1/platformconnect"
+	"github.com/holos-run/holos/service/gen/holos/user/v1alpha1/userconnect"
+	"google.golang.org/protobuf/types/known/fieldmaskpb"
+	"google.golang.org/protobuf/types/known/structpb"
+)
+
+type PlatformMutation struct {
+	Name        string
+	DisplayName string
+	flagSet     *flag.FlagSet
+}
+
+func (pm *PlatformMutation) FlagSet() *flag.FlagSet {
+	if pm == nil {
+		return nil
+	}
+	if pm.flagSet != nil {
+		return pm.flagSet
+	}
+	fs := flag.NewFlagSet("", flag.ContinueOnError)
+	fs.StringVar(&pm.Name, "name", "example", "platform name")
+	fs.StringVar(&pm.DisplayName, "display-name", "Example Platform", "platform display name")
+	pm.flagSet = fs
+	return fs
+}
+
+func New(cfg *Config) *Client {
+	t := token.NewClient(cfg.Token())
+	s := cfg.Client().Server()
+	return &Client{
+		cfg:    cfg,
+		usrSvc: userconnect.NewUserServiceClient(t, s),
+		orgSvc: organizationconnect.NewOrganizationServiceClient(t, s),
+		pltSvc: platformconnect.NewPlatformServiceClient(t, s),
+	}
+}
+
+// Client provides convenience methods for making API calls to the holos server.
+type Client struct {
+	cfg    *Config
+	usrSvc userconnect.UserServiceClient
+	pltSvc platformconnect.PlatformServiceClient
+	orgSvc organizationconnect.OrganizationServiceClient
+}
+
+func (c *Client) Platforms(ctx context.Context, orgID string) ([]*platform.Platform, error) {
+	if c == nil {
+		return nil, errors.New("no service client")
+	}
+	req := &platform.ListPlatformsRequest{
+		OrgId: orgID,
+		FieldMask: &fieldmaskpb.FieldMask{
+			Paths: []string{"id", "name", "displayName"},
+		},
+	}
+	resp, err := c.pltSvc.ListPlatforms(ctx, connect.NewRequest(req))
+	if err != nil {
+		return nil, err
+	}
+	return resp.Msg.GetPlatforms(), nil
+}
+
+func (c *Client) UpdateForm(ctx context.Context, platformID string, form *object.Form) error {
+	start := time.Now()
+	req := &platform.UpdatePlatformRequest{
+		PlatformId: platformID,
+		Update:     &platform.PlatformMutation{Form: form},
+		UpdateMask: &fieldmaskpb.FieldMask{Paths: []string{"form"}},
+	}
+	_, err := c.pltSvc.UpdatePlatform(ctx, connect.NewRequest(req))
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "updated platform", "platform_id", platformID, "duration", time.Since(start))
+	return nil
+}
+
+// PlatformModel gets the platform model from the PlatformService.
+func (c *Client) PlatformModel(ctx context.Context, platformID string) (*structpb.Struct, error) {
+	start := time.Now()
+	req := &platform.GetPlatformRequest{
+		PlatformId: platformID,
+		FieldMask:  &fieldmaskpb.FieldMask{Paths: []string{"spec.model"}},
+	}
+	pf, err := c.pltSvc.GetPlatform(ctx, connect.NewRequest(req))
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "get platform", "platform_id", platformID, "duration", time.Since(start))
+	return pf.Msg.GetPlatform().GetSpec().GetModel(), nil
+}
+
+func (c *Client) CreatePlatform(ctx context.Context, pm PlatformMutation) (*platform.Platform, error) {
+	log := logger.FromContext(ctx).With("platform", pm.Name)
+	start := time.Now()
+	req := &platform.CreatePlatformRequest{
+		OrgId: c.cfg.context.OrgID,
+		Create: &platform.PlatformMutation{
+			Name:        &pm.Name,
+			DisplayName: &pm.DisplayName,
+		},
+	}
+	pf, err := c.pltSvc.CreatePlatform(ctx, connect.NewRequest(req))
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	log = log.With("platform_id", pf.Msg.GetPlatform().GetId())
+	log.DebugContext(ctx, "create platform", "duration", time.Since(start))
+	return pf.Msg.GetPlatform(), nil
+}

internal/client/config.go

@@ -0,0 +1,71 @@
+// Package client provides client configuration for the holos cli.
+package client
+
+import (
+	"context"
+	"flag"
+
+	"github.com/holos-run/holos/internal/holos"
+	"github.com/holos-run/holos/internal/token"
+)
+
+func NewConfig(cfg *holos.Config) *Config {
+	return &Config{
+		holos:   cfg,
+		client:  holos.NewClientConfig(),
+		context: holos.NewClientContext(context.Background()),
+		token:   token.NewConfig(),
+	}
+}
+
+type Config struct {
+	holos   *holos.Config
+	client  *holos.ClientConfig
+	context *holos.ClientContext
+	token   *token.Config
+}
+
+func (c *Config) ClientFlagSet() *flag.FlagSet {
+	if c == nil {
+		return nil
+	}
+	return c.client.FlagSet()
+}
+
+func (c *Config) TokenFlagSet() *flag.FlagSet {
+	if c == nil {
+		return nil
+	}
+	return c.token.FlagSet()
+}
+
+func (c *Config) Token() *token.Config {
+	if c == nil {
+		return nil
+	}
+	return c.token
+}
+
+func (c *Config) Client() *holos.ClientConfig {
+	if c == nil {
+		return nil
+	}
+	return c.client
+}
+
+// Context returns the ClientContext useful to get the OrgID and UserID for rpc
+// calls.
+func (c *Config) Context() *holos.ClientContext {
+	if c == nil {
+		return nil
+	}
+	return c.context
+}
+
+// Holos returns the *holos.Config
+func (c *Config) Holos() *holos.Config {
+	if c == nil {
+		return nil
+	}
+	return c.holos
+}

internal/client/platform.go

@@ -0,0 +1,69 @@
+package client
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+	object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
+	platform "github.com/holos-run/holos/service/gen/holos/platform/v1alpha1"
+	"google.golang.org/protobuf/encoding/protojson"
+)
+
+// PlatformMetadataFile is the platform metadata json file name located in the root
+// of a platform directory.
+const PlatformMetadataFile = "platform.metadata.json"
+
+// PlatformConfigFile is the marshaled json representation of the PlatformConfig
+// DTO used to cache the data holos passes from the PlatformService to CUE when
+// rendering platform components.
+const PlatformConfigFile = "platform.config.json"
+
+// LoadPlatform loads the platform.metadata.json file from a named path.  Useful
+// to obtain a platform id for PlatformService rpc methods.
+func LoadPlatform(ctx context.Context, name string) (*platform.Platform, error) {
+	data, err := os.ReadFile(filepath.Join(name, PlatformMetadataFile))
+	if err != nil {
+		return nil, fmt.Errorf("could not load platform metadata: %w", err)
+	}
+	p := &platform.Platform{}
+	if err := protojson.Unmarshal(data, p); err != nil {
+		return nil, fmt.Errorf("could not load platform metadata: %w", err)
+	}
+	return p, nil
+}
+
+// LoadPlatformConfig loads the PlatformConfig DTO from the platform.config.json
+// file.  Useful to provide all values necessary to render cue config without an
+// rpc to the HolosService.
+func LoadPlatformConfig(ctx context.Context, name string) (*object.PlatformConfig, error) {
+	data, err := os.ReadFile(filepath.Join(name, PlatformConfigFile))
+	if err != nil {
+		return nil, fmt.Errorf("could not load platform config: %w", err)
+	}
+	pc := &object.PlatformConfig{}
+	if err := protojson.Unmarshal(data, pc); err != nil {
+		return nil, fmt.Errorf("could not load platform config: %w", err)
+	}
+	return pc, nil
+}
+
+// SavePlatformConfig writes pc to the platform root directory path identified by name.
+func SavePlatformConfig(ctx context.Context, name string, pc *object.PlatformConfig) (string, error) {
+	encoder := protojson.MarshalOptions{Multiline: true}
+	data, err := encoder.Marshal(pc)
+	if err != nil {
+		return "", err
+	}
+	if len(data) > 0 {
+		data = append(data, '\n')
+	}
+	path := filepath.Join(name, PlatformConfigFile)
+	if err := os.WriteFile(path, data, 0644); err != nil {
+		return "", fmt.Errorf("could not write platform config: %w", err)
+	}
+	logger.FromContext(ctx).DebugContext(ctx, "wrote", "path", path)
+	return path, nil
+}

internal/frontend/holos/angular.json

@@ -116,6 +116,7 @@
   "cli": {
     "schematicCollections": [
       "@angular-eslint/schematics"
-    ]
+    ],
+    "analytics": false
   }
 }

internal/frontend/holos/package.json

@@ -21,9 +21,9 @@
     "@angular/platform-browser": "^17.3.0",
     "@angular/platform-browser-dynamic": "^17.3.0",
     "@angular/router": "^17.3.0",
-    "@bufbuild/protobuf": "^1.9.0",
+    "@bufbuild/protobuf": "^1.10.0",
     "@connectrpc/connect": "^1.4.0",
-    "@connectrpc/connect-query": "^1.3.1",
+    "@connectrpc/connect-query": "^1.4.1",
     "@connectrpc/connect-web": "^1.4.0",
     "@ngx-formly/core": "^6.3.0",
     "@ngx-formly/material": "^6.3.0",
@@ -40,10 +40,10 @@
     "@angular-eslint/template-parser": "17.3.0",
     "@angular/cli": "^17.3.4",
     "@angular/compiler-cli": "^17.3.0",
-    "@bufbuild/buf": "^1.31.0",
-    "@bufbuild/protoc-gen-es": "^1.9.0",
+    "@bufbuild/buf": "^1.32.2",
+    "@bufbuild/protoc-gen-es": "^1.10.0",
     "@connectrpc/protoc-gen-connect-es": "^1.4.0",
-    "@connectrpc/protoc-gen-connect-query": "^1.3.1",
+    "@connectrpc/protoc-gen-connect-query": "^1.4.1",
     "@ngx-formly/schematics": "^6.3.0",
     "@types/jasmine": "~5.1.0",
     "@typescript-eslint/eslint-plugin": "7.2.0",
@@ -57,4 +57,4 @@
     "karma-jasmine-html-reporter": "~2.1.0",
     "typescript": "~5.4.2"
   }
-}
+}

internal/frontend/holos/src/app/app.config.ts

@@ -10,6 +10,7 @@ import { UserService } from './gen/holos/user/v1alpha1/user_service_connect';
 import { OrganizationService } from './gen/holos/organization/v1alpha1/organization_service_connect';
 import { PlatformService } from './gen/holos/platform/v1alpha1/platform_service_connect';
 import { HolosPanelWrapperComponent } from '../wrappers/holos-panel-wrapper/holos-panel-wrapper.component';
+import { SystemService } from './gen/holos/system/v1alpha1/system_service_connect';
 
 export const appConfig: ApplicationConfig = {
   providers: [
@@ -19,6 +20,7 @@ export const appConfig: ApplicationConfig = {
     provideClient(UserService),
     provideClient(OrganizationService),
     provideClient(PlatformService),
+    provideClient(SystemService),
     importProvidersFrom(
       ConnectModule.forRoot({
         baseUrl: window.location.origin

internal/frontend/holos/src/app/gen/holos/object/v1alpha1/object_pb.ts

@@ -1,10 +1,10 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/object/v1alpha1/object.proto (package holos.object.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck
 
 import type { BinaryReadOptions, FieldList, JsonReadOptions, JsonValue, PartialMessage, PlainMessage } from "@bufbuild/protobuf";
-import { Message, proto3, Timestamp } from "@bufbuild/protobuf";
+import { Message, proto3, Struct, Timestamp } from "@bufbuild/protobuf";
 
 /**
  * @generated from message holos.object.v1alpha1.Detail
@@ -325,3 +325,95 @@ export class ResourceOwner extends Message<ResourceOwner> {
   }
 }
 
+/**
+ * Form represents a Formly json powered form.
+ *
+ * @generated from message holos.object.v1alpha1.Form
+ */
+export class Form extends Message<Form> {
+  /**
+   * fields represents FormlyFieldConfig[] encoded as an array of JSON objects
+   * organized by section.
+   *
+   * @generated from field: repeated google.protobuf.Struct field_configs = 1;
+   */
+  fieldConfigs: Struct[] = [];
+
+  constructor(data?: PartialMessage<Form>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "holos.object.v1alpha1.Form";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "field_configs", kind: "message", T: Struct, repeated: true },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): Form {
+    return new Form().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): Form {
+    return new Form().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): Form {
+    return new Form().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: Form | PlainMessage<Form> | undefined, b: Form | PlainMessage<Form> | undefined): boolean {
+    return proto3.util.equals(Form, a, b);
+  }
+}
+
+/**
+ * PlatformConfig represents the data passed from the holos cli to CUE when
+ * rendering configuration.
+ *
+ * @generated from message holos.object.v1alpha1.PlatformConfig
+ */
+export class PlatformConfig extends Message<PlatformConfig> {
+  /**
+   * Platform UUID.
+   *
+   * @generated from field: string platform_id = 1;
+   */
+  platformId = "";
+
+  /**
+   * Platform Model.
+   *
+   * @generated from field: google.protobuf.Struct platform_model = 2;
+   */
+  platformModel?: Struct;
+
+  constructor(data?: PartialMessage<PlatformConfig>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "holos.object.v1alpha1.PlatformConfig";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "platform_id", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 2, name: "platform_model", kind: "message", T: Struct },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): PlatformConfig {
+    return new PlatformConfig().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): PlatformConfig {
+    return new PlatformConfig().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): PlatformConfig {
+    return new PlatformConfig().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: PlatformConfig | PlainMessage<PlatformConfig> | undefined, b: PlatformConfig | PlainMessage<PlatformConfig> | undefined): boolean {
+    return proto3.util.equals(PlatformConfig, a, b);
+  }
+}
+

internal/frontend/holos/src/app/gen/holos/organization/v1alpha1/organization_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/organization/v1alpha1/organization.proto (package holos.organization.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/organization/v1alpha1/organization_service_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/organization/v1alpha1/organization_service.proto (package holos.organization.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/platform/v1alpha1/platform_pb.ts

@@ -1,11 +1,11 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/platform/v1alpha1/platform.proto (package holos.platform.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck
 
 import type { BinaryReadOptions, FieldList, JsonReadOptions, JsonValue, PartialMessage, PlainMessage } from "@bufbuild/protobuf";
 import { Message, proto3, Struct } from "@bufbuild/protobuf";
-import { Detail } from "../../object/v1alpha1/object_pb.js";
+import { Detail, Form } from "../../object/v1alpha1/object_pb.js";
 
 /**
  * @generated from message holos.platform.v1alpha1.Platform
@@ -147,7 +147,7 @@ export class Spec extends Message<Spec> {
   model?: Struct;
 
   /**
-   * @generated from field: optional holos.platform.v1alpha1.Form form = 2;
+   * @generated from field: optional holos.object.v1alpha1.Form form = 2;
    */
   form?: Form;
 
@@ -180,45 +180,3 @@ export class Spec extends Message<Spec> {
   }
 }
 
-/**
- * Form represents the Formly input form.
- *
- * @generated from message holos.platform.v1alpha1.Form
- */
-export class Form extends Message<Form> {
-  /**
-   * fields represents FormlyFieldConfig[] encoded as an array of JSON objects
-   * organized by section.
-   *
-   * @generated from field: repeated google.protobuf.Struct fields = 1;
-   */
-  fields: Struct[] = [];
-
-  constructor(data?: PartialMessage<Form>) {
-    super();
-    proto3.util.initPartial(data, this);
-  }
-
-  static readonly runtime: typeof proto3 = proto3;
-  static readonly typeName = "holos.platform.v1alpha1.Form";
-  static readonly fields: FieldList = proto3.util.newFieldList(() => [
-    { no: 1, name: "fields", kind: "message", T: Struct, repeated: true },
-  ]);
-
-  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): Form {
-    return new Form().fromBinary(bytes, options);
-  }
-
-  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): Form {
-    return new Form().fromJson(jsonValue, options);
-  }
-
-  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): Form {
-    return new Form().fromJsonString(jsonString, options);
-  }
-
-  static equals(a: Form | PlainMessage<Form> | undefined, b: Form | PlainMessage<Form> | undefined): boolean {
-    return proto3.util.equals(Form, a, b);
-  }
-}
-

internal/frontend/holos/src/app/gen/holos/platform/v1alpha1/platform_service_pb.ts

@@ -1,20 +1,26 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/platform/v1alpha1/platform_service.proto (package holos.platform.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck
 
 import type { BinaryReadOptions, FieldList, JsonReadOptions, JsonValue, PartialMessage, PlainMessage } from "@bufbuild/protobuf";
-import { FieldMask, Message, proto3 } from "@bufbuild/protobuf";
+import { FieldMask, Message, proto3, Struct } from "@bufbuild/protobuf";
 import { Platform } from "./platform_pb.js";
+import { Form } from "../../object/v1alpha1/object_pb.js";
 
 /**
  * @generated from message holos.platform.v1alpha1.CreatePlatformRequest
  */
 export class CreatePlatformRequest extends Message<CreatePlatformRequest> {
   /**
-   * @generated from field: holos.platform.v1alpha1.Platform platform = 1;
+   * @generated from field: string org_id = 1;
    */
-  platform?: Platform;
+  orgId = "";
+
+  /**
+   * @generated from field: holos.platform.v1alpha1.PlatformMutation create = 2;
+   */
+  create?: PlatformMutation;
 
   constructor(data?: PartialMessage<CreatePlatformRequest>) {
     super();
@@ -24,7 +30,8 @@ export class CreatePlatformRequest extends Message<CreatePlatformRequest> {
   static readonly runtime: typeof proto3 = proto3;
   static readonly typeName = "holos.platform.v1alpha1.CreatePlatformRequest";
   static readonly fields: FieldList = proto3.util.newFieldList(() => [
-    { no: 1, name: "platform", kind: "message", T: Platform },
+    { no: 1, name: "org_id", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 2, name: "create", kind: "message", T: PlatformMutation },
   ]);
 
   static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): CreatePlatformRequest {
@@ -163,6 +170,64 @@ export class GetPlatformResponse extends Message<GetPlatformResponse> {
   }
 }
 
+/**
+ * @generated from message holos.platform.v1alpha1.UpdatePlatformRequest
+ */
+export class UpdatePlatformRequest extends Message<UpdatePlatformRequest> {
+  /**
+   * Platform UUID to update.
+   *
+   * @generated from field: string platform_id = 1;
+   */
+  platformId = "";
+
+  /**
+   * Update operations to perform.  Fields are set to the provided value if
+   * selected by the mask.  Absent fields are cleared if they are selected by
+   * the mask.
+   *
+   * @generated from field: holos.platform.v1alpha1.PlatformMutation update = 2;
+   */
+  update?: PlatformMutation;
+
+  /**
+   * FieldMask represents the mutation operations to perform.  Marked optional
+   * for the nil guard check.  Required.
+   *
+   * @generated from field: optional google.protobuf.FieldMask update_mask = 3;
+   */
+  updateMask?: FieldMask;
+
+  constructor(data?: PartialMessage<UpdatePlatformRequest>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "holos.platform.v1alpha1.UpdatePlatformRequest";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "platform_id", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 2, name: "update", kind: "message", T: PlatformMutation },
+    { no: 3, name: "update_mask", kind: "message", T: FieldMask, opt: true },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): UpdatePlatformRequest {
+    return new UpdatePlatformRequest().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): UpdatePlatformRequest {
+    return new UpdatePlatformRequest().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): UpdatePlatformRequest {
+    return new UpdatePlatformRequest().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: UpdatePlatformRequest | PlainMessage<UpdatePlatformRequest> | undefined, b: UpdatePlatformRequest | PlainMessage<UpdatePlatformRequest> | undefined): boolean {
+    return proto3.util.equals(UpdatePlatformRequest, a, b);
+  }
+}
+
 /**
  * @generated from message holos.platform.v1alpha1.UpdatePlatformResponse
  */
@@ -200,51 +265,6 @@ export class UpdatePlatformResponse extends Message<UpdatePlatformResponse> {
   }
 }
 
-/**
- * @generated from message holos.platform.v1alpha1.UpdatePlatformRequest
- */
-export class UpdatePlatformRequest extends Message<UpdatePlatformRequest> {
-  /**
-   * @generated from field: holos.platform.v1alpha1.Platform platform = 1;
-   */
-  platform?: Platform;
-
-  /**
-   * FieldMask represents the request Platform fields to update.
-   *
-   * @generated from field: google.protobuf.FieldMask field_mask = 2;
-   */
-  fieldMask?: FieldMask;
-
-  constructor(data?: PartialMessage<UpdatePlatformRequest>) {
-    super();
-    proto3.util.initPartial(data, this);
-  }
-
-  static readonly runtime: typeof proto3 = proto3;
-  static readonly typeName = "holos.platform.v1alpha1.UpdatePlatformRequest";
-  static readonly fields: FieldList = proto3.util.newFieldList(() => [
-    { no: 1, name: "platform", kind: "message", T: Platform },
-    { no: 2, name: "field_mask", kind: "message", T: FieldMask },
-  ]);
-
-  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): UpdatePlatformRequest {
-    return new UpdatePlatformRequest().fromBinary(bytes, options);
-  }
-
-  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): UpdatePlatformRequest {
-    return new UpdatePlatformRequest().fromJson(jsonValue, options);
-  }
-
-  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): UpdatePlatformRequest {
-    return new UpdatePlatformRequest().fromJsonString(jsonString, options);
-  }
-
-  static equals(a: UpdatePlatformRequest | PlainMessage<UpdatePlatformRequest> | undefined, b: UpdatePlatformRequest | PlainMessage<UpdatePlatformRequest> | undefined): boolean {
-    return proto3.util.equals(UpdatePlatformRequest, a, b);
-  }
-}
-
 /**
  * @generated from message holos.platform.v1alpha1.ListPlatformsRequest
  */
@@ -327,3 +347,68 @@ export class ListPlatformsResponse extends Message<ListPlatformsResponse> {
   }
 }
 
+/**
+ * PlatformMutation represents the fields to create or update.
+ *
+ * @generated from message holos.platform.v1alpha1.PlatformMutation
+ */
+export class PlatformMutation extends Message<PlatformMutation> {
+  /**
+   * Update the platform name.
+   *
+   * @generated from field: optional string name = 2;
+   */
+  name?: string;
+
+  /**
+   * Update the platform display name.
+   *
+   * @generated from field: optional string display_name = 3;
+   */
+  displayName?: string;
+
+  /**
+   * Replace the form model.
+   *
+   * @generated from field: optional google.protobuf.Struct model = 4;
+   */
+  model?: Struct;
+
+  /**
+   * Replace the form.
+   *
+   * @generated from field: optional holos.object.v1alpha1.Form form = 5;
+   */
+  form?: Form;
+
+  constructor(data?: PartialMessage<PlatformMutation>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "holos.platform.v1alpha1.PlatformMutation";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 2, name: "name", kind: "scalar", T: 9 /* ScalarType.STRING */, opt: true },
+    { no: 3, name: "display_name", kind: "scalar", T: 9 /* ScalarType.STRING */, opt: true },
+    { no: 4, name: "model", kind: "message", T: Struct, opt: true },
+    { no: 5, name: "form", kind: "message", T: Form, opt: true },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): PlatformMutation {
+    return new PlatformMutation().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): PlatformMutation {
+    return new PlatformMutation().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): PlatformMutation {
+    return new PlatformMutation().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: PlatformMutation | PlainMessage<PlatformMutation> | undefined, b: PlatformMutation | PlainMessage<PlatformMutation> | undefined): boolean {
+    return proto3.util.equals(PlatformMutation, a, b);
+  }
+}
+

internal/frontend/holos/src/app/gen/holos/storage/v1alpha1/storage_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/storage/v1alpha1/storage.proto (package holos.storage.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck
@@ -57,9 +57,9 @@ export class Form extends Message<Form> {
    * fields represents FormlyFieldConfig[] encoded as an array of JSON objects
    * organized by section.
    *
-   * @generated from field: repeated google.protobuf.Struct fields = 1;
+   * @generated from field: repeated google.protobuf.Struct field_configs = 1;
    */
-  fields: Struct[] = [];
+  fieldConfigs: Struct[] = [];
 
   constructor(data?: PartialMessage<Form>) {
     super();
@@ -69,7 +69,7 @@ export class Form extends Message<Form> {
   static readonly runtime: typeof proto3 = proto3;
   static readonly typeName = "holos.storage.v1alpha1.Form";
   static readonly fields: FieldList = proto3.util.newFieldList(() => [
-    { no: 1, name: "fields", kind: "message", T: Struct, repeated: true },
+    { no: 1, name: "field_configs", kind: "message", T: Struct, repeated: true },
   ]);
 
   static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): Form {

internal/frontend/holos/src/app/gen/holos/system/v1alpha1/system_pb.ts

@@ -0,0 +1,81 @@
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
+// @generated from file holos/system/v1alpha1/system.proto (package holos.system.v1alpha1, syntax proto3)
+/* eslint-disable */
+// @ts-nocheck
+
+import type { BinaryReadOptions, FieldList, JsonReadOptions, JsonValue, PartialMessage, PlainMessage } from "@bufbuild/protobuf";
+import { Message, proto3 } from "@bufbuild/protobuf";
+
+/**
+ * @generated from message holos.system.v1alpha1.Version
+ */
+export class Version extends Message<Version> {
+  /**
+   * @generated from field: string version = 1;
+   */
+  version = "";
+
+  /**
+   * @generated from field: string git_commit = 2;
+   */
+  gitCommit = "";
+
+  /**
+   * @generated from field: string git_tree_state = 3;
+   */
+  gitTreeState = "";
+
+  /**
+   * @generated from field: string go_version = 4;
+   */
+  goVersion = "";
+
+  /**
+   * @generated from field: string build_date = 5;
+   */
+  buildDate = "";
+
+  /**
+   * @generated from field: string os = 6;
+   */
+  os = "";
+
+  /**
+   * @generated from field: string arch = 7;
+   */
+  arch = "";
+
+  constructor(data?: PartialMessage<Version>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "holos.system.v1alpha1.Version";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "version", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 2, name: "git_commit", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 3, name: "git_tree_state", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 4, name: "go_version", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 5, name: "build_date", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 6, name: "os", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 7, name: "arch", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): Version {
+    return new Version().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): Version {
+    return new Version().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): Version {
+    return new Version().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: Version | PlainMessage<Version> | undefined, b: Version | PlainMessage<Version> | undefined): boolean {
+    return proto3.util.equals(Version, a, b);
+  }
+}
+

internal/frontend/holos/src/app/gen/holos/system/v1alpha1/system_service_connect.ts

@@ -3,7 +3,7 @@
 /* eslint-disable */
 // @ts-nocheck
 
-import { DropTablesRequest, DropTablesResponse, SeedDatabaseRequest, SeedDatabaseResponse } from "./system_service_pb.js";
+import { DropTablesRequest, DropTablesResponse, GetVersionRequest, GetVersionResponse, SeedDatabaseRequest, SeedDatabaseResponse } from "./system_service_pb.js";
 import { MethodKind } from "@bufbuild/protobuf";
 
 /**
@@ -13,12 +13,12 @@ export const SystemService = {
   typeName: "holos.system.v1alpha1.SystemService",
   methods: {
     /**
-     * @generated from rpc holos.system.v1alpha1.SystemService.SeedDatabase
+     * @generated from rpc holos.system.v1alpha1.SystemService.GetVersion
      */
-    seedDatabase: {
-      name: "SeedDatabase",
-      I: SeedDatabaseRequest,
-      O: SeedDatabaseResponse,
+    getVersion: {
+      name: "GetVersion",
+      I: GetVersionRequest,
+      O: GetVersionResponse,
       kind: MethodKind.Unary,
     },
     /**
@@ -30,6 +30,15 @@ export const SystemService = {
       O: DropTablesResponse,
       kind: MethodKind.Unary,
     },
+    /**
+     * @generated from rpc holos.system.v1alpha1.SystemService.SeedDatabase
+     */
+    seedDatabase: {
+      name: "SeedDatabase",
+      I: SeedDatabaseRequest,
+      O: SeedDatabaseResponse,
+      kind: MethodKind.Unary,
+    },
   }
 } as const;
 

internal/frontend/holos/src/app/gen/holos/system/v1alpha1/system_service_pb.ts

@@ -1,10 +1,87 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/system/v1alpha1/system_service.proto (package holos.system.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck
 
 import type { BinaryReadOptions, FieldList, JsonReadOptions, JsonValue, PartialMessage, PlainMessage } from "@bufbuild/protobuf";
-import { Message, proto3 } from "@bufbuild/protobuf";
+import { FieldMask, Message, proto3 } from "@bufbuild/protobuf";
+import { Version } from "./system_pb.js";
+
+/**
+ * @generated from message holos.system.v1alpha1.GetVersionRequest
+ */
+export class GetVersionRequest extends Message<GetVersionRequest> {
+  /**
+   * FieldMask represents the fields to include in the response.
+   *
+   * @generated from field: google.protobuf.FieldMask field_mask = 1;
+   */
+  fieldMask?: FieldMask;
+
+  constructor(data?: PartialMessage<GetVersionRequest>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "holos.system.v1alpha1.GetVersionRequest";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "field_mask", kind: "message", T: FieldMask },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): GetVersionRequest {
+    return new GetVersionRequest().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): GetVersionRequest {
+    return new GetVersionRequest().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): GetVersionRequest {
+    return new GetVersionRequest().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: GetVersionRequest | PlainMessage<GetVersionRequest> | undefined, b: GetVersionRequest | PlainMessage<GetVersionRequest> | undefined): boolean {
+    return proto3.util.equals(GetVersionRequest, a, b);
+  }
+}
+
+/**
+ * @generated from message holos.system.v1alpha1.GetVersionResponse
+ */
+export class GetVersionResponse extends Message<GetVersionResponse> {
+  /**
+   * @generated from field: holos.system.v1alpha1.Version version = 1;
+   */
+  version?: Version;
+
+  constructor(data?: PartialMessage<GetVersionResponse>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "holos.system.v1alpha1.GetVersionResponse";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "version", kind: "message", T: Version },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): GetVersionResponse {
+    return new GetVersionResponse().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): GetVersionResponse {
+    return new GetVersionResponse().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): GetVersionResponse {
+    return new GetVersionResponse().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: GetVersionResponse | PlainMessage<GetVersionResponse> | undefined, b: GetVersionResponse | PlainMessage<GetVersionResponse> | undefined): boolean {
+    return proto3.util.equals(GetVersionResponse, a, b);
+  }
+}
 
 /**
  * @generated from message holos.system.v1alpha1.SeedDatabaseRequest

internal/frontend/holos/src/app/gen/holos/user/v1alpha1/user_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/user/v1alpha1/user.proto (package holos.user.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/user/v1alpha1/user_service_connect.ts

@@ -3,7 +3,7 @@
 /* eslint-disable */
 // @ts-nocheck
 
-import { CreateUserRequest, CreateUserResponse, GetUserRequest, GetUserResponse } from "./user_service_pb.js";
+import { CreateUserRequest, CreateUserResponse, GetUserRequest, GetUserResponse, RegisterUserRequest, RegisterUserResponse } from "./user_service_pb.js";
 import { MethodKind } from "@bufbuild/protobuf";
 
 /**
@@ -36,6 +36,17 @@ export const UserService = {
       O: GetUserResponse,
       kind: MethodKind.Unary,
     },
+    /**
+     * Register an user and initialize an organization, bare platform, and reference platform.
+     *
+     * @generated from rpc holos.user.v1alpha1.UserService.RegisterUser
+     */
+    registerUser: {
+      name: "RegisterUser",
+      I: RegisterUserRequest,
+      O: RegisterUserResponse,
+      kind: MethodKind.Unary,
+    },
   }
 } as const;
 

internal/frontend/holos/src/app/gen/holos/user/v1alpha1/user_service_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/user/v1alpha1/user_service.proto (package holos.user.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck
@@ -7,6 +7,7 @@ import type { BinaryReadOptions, FieldList, JsonReadOptions, JsonValue, PartialM
 import { FieldMask, Message, proto3 } from "@bufbuild/protobuf";
 import { User } from "./user_pb.js";
 import { UserRef } from "../../object/v1alpha1/object_pb.js";
+import { Organization } from "../../organization/v1alpha1/organization_pb.js";
 
 /**
  * Create a User from the oidc id token claims or the provided user.  Each one
@@ -172,3 +173,118 @@ export class GetUserResponse extends Message<GetUserResponse> {
   }
 }
 
+/**
+ * Register a User from the oidc id token claims or the provided user.  Each one
+ * of subject, email, and user id must be globally unique.
+ *
+ * @generated from message holos.user.v1alpha1.RegisterUserRequest
+ */
+export class RegisterUserRequest extends Message<RegisterUserRequest> {
+  /**
+   * User resource to create.  If absent, the server populates User fields with
+   * the oidc id token claims of the authenticated request.
+   * NOTE: The server may ignore this request field and register the user solely
+   * from authenticated identity claims.
+   *
+   * @generated from field: optional holos.user.v1alpha1.User user = 1;
+   */
+  user?: User;
+
+  /**
+   * Mask of the user fields to include in the response.
+   *
+   * @generated from field: optional google.protobuf.FieldMask user_mask = 2;
+   */
+  userMask?: FieldMask;
+
+  /**
+   * Organization resource to create.  If absent, the server generates an
+   * organization based on the user fields.
+   * NOTE: The server may ignore this request field and register the
+   * organization solely from authenticated identity claims.
+   *
+   * @generated from field: optional holos.organization.v1alpha1.Organization organization = 3;
+   */
+  organization?: Organization;
+
+  /**
+   * Mask of the organization fields to include in the response.
+   *
+   * @generated from field: optional google.protobuf.FieldMask organization_mask = 4;
+   */
+  organizationMask?: FieldMask;
+
+  constructor(data?: PartialMessage<RegisterUserRequest>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "holos.user.v1alpha1.RegisterUserRequest";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "user", kind: "message", T: User, opt: true },
+    { no: 2, name: "user_mask", kind: "message", T: FieldMask, opt: true },
+    { no: 3, name: "organization", kind: "message", T: Organization, opt: true },
+    { no: 4, name: "organization_mask", kind: "message", T: FieldMask, opt: true },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): RegisterUserRequest {
+    return new RegisterUserRequest().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): RegisterUserRequest {
+    return new RegisterUserRequest().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): RegisterUserRequest {
+    return new RegisterUserRequest().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: RegisterUserRequest | PlainMessage<RegisterUserRequest> | undefined, b: RegisterUserRequest | PlainMessage<RegisterUserRequest> | undefined): boolean {
+    return proto3.util.equals(RegisterUserRequest, a, b);
+  }
+}
+
+/**
+ * @generated from message holos.user.v1alpha1.RegisterUserResponse
+ */
+export class RegisterUserResponse extends Message<RegisterUserResponse> {
+  /**
+   * @generated from field: holos.user.v1alpha1.User user = 1;
+   */
+  user?: User;
+
+  /**
+   * @generated from field: holos.organization.v1alpha1.Organization organization = 2;
+   */
+  organization?: Organization;
+
+  constructor(data?: PartialMessage<RegisterUserResponse>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "holos.user.v1alpha1.RegisterUserResponse";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "user", kind: "message", T: User },
+    { no: 2, name: "organization", kind: "message", T: Organization },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): RegisterUserResponse {
+    return new RegisterUserResponse().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): RegisterUserResponse {
+    return new RegisterUserResponse().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): RegisterUserResponse {
+    return new RegisterUserResponse().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: RegisterUserResponse | PlainMessage<RegisterUserResponse> | undefined, b: RegisterUserResponse | PlainMessage<RegisterUserResponse> | undefined): boolean {
+    return proto3.util.equals(RegisterUserResponse, a, b);
+  }
+}
+

internal/frontend/holos/src/app/nav/nav.component.html

@@ -31,6 +31,7 @@
           </button>
         }
       </span>
+      <app-version-button></app-version-button>
       <app-profile-button [user$]="user$"></app-profile-button>
     </mat-toolbar>
     <main class="main-content">

internal/frontend/holos/src/app/nav/nav.component.ts

@@ -1,20 +1,21 @@
-import { Component, OnInit, inject } from '@angular/core';
 import { BreakpointObserver, Breakpoints } from '@angular/cdk/layout';
 import { AsyncPipe, NgIf } from '@angular/common';
-import { MatToolbarModule } from '@angular/material/toolbar';
+import { Component, OnDestroy, OnInit, inject } from '@angular/core';
 import { MatButtonModule } from '@angular/material/button';
-import { MatSidenavModule } from '@angular/material/sidenav';
-import { MatListModule } from '@angular/material/list';
-import { MatIconModule } from '@angular/material/icon';
-import { Observable } from 'rxjs';
-import { map, shareReplay } from 'rxjs/operators';
-import { RouterLink, RouterLinkActive, RouterOutlet } from '@angular/router';
 import { MatCardModule } from '@angular/material/card';
-import { ProfileButtonComponent } from '../profile-button/profile-button.component';
-import { User } from '../gen/holos/user/v1alpha1/user_pb';
-import { UserService } from '../services/user.service';
+import { MatIconModule } from '@angular/material/icon';
+import { MatListModule } from '@angular/material/list';
+import { MatSidenavModule } from '@angular/material/sidenav';
+import { MatToolbarModule } from '@angular/material/toolbar';
+import { RouterLink, RouterLinkActive, RouterOutlet } from '@angular/router';
+import { Observable, Subject } from 'rxjs';
+import { map, shareReplay, takeUntil } from 'rxjs/operators';
 import { Organization } from '../gen/holos/organization/v1alpha1/organization_pb';
+import { User } from '../gen/holos/user/v1alpha1/user_pb';
+import { ProfileButtonComponent } from '../profile-button/profile-button.component';
 import { OrganizationService } from '../services/organization.service';
+import { UserService } from '../services/user.service';
+import { VersionButtonComponent } from '../version-button/version-button.component';
 
 @Component({
   selector: 'app-nav',
@@ -34,28 +35,35 @@ import { OrganizationService } from '../services/organization.service';
     RouterOutlet,
     MatCardModule,
     ProfileButtonComponent,
+    VersionButtonComponent,
   ]
 })
-export class NavComponent implements OnInit {
+export class NavComponent implements OnInit, OnDestroy {
   private breakpointObserver = inject(BreakpointObserver);
   private userService = inject(UserService);
   private orgService = inject(OrganizationService);
+  private destroy$: Subject<boolean> = new Subject<boolean>();
 
   user$!: Observable<User | null>;
   org$!: Observable<Organization | undefined>;
 
-  refreshOrg(): void {
-    this.orgService.refreshOrganizations()
-  }
-
   isHandset$: Observable<boolean> = this.breakpointObserver.observe(Breakpoints.Handset)
     .pipe(
       map(result => result.matches),
       shareReplay()
     );
 
+  refreshOrg(): void {
+    this.orgService.refreshOrganizations()
+  }
+
   ngOnInit(): void {
-    this.user$ = this.userService.getUser();
-    this.org$ = this.orgService.activeOrg();
+    this.user$ = this.userService.getUser().pipe(takeUntil(this.destroy$));
+    this.org$ = this.orgService.activeOrg().pipe(takeUntil(this.destroy$));
+  }
+
+  public ngOnDestroy(): void {
+    this.destroy$.next(true);
+    this.destroy$.complete();
   }
 }

internal/frontend/holos/src/app/services/platform.service.ts

@@ -1,10 +1,11 @@
 import { Inject, Injectable } from '@angular/core';
+import { FieldMask, JsonValue, Struct } from '@bufbuild/protobuf';
 import { Observable, of, switchMap } from 'rxjs';
 import { ObservableClient } from '../../connect/observable-client';
 import { Organization } from '../gen/holos/organization/v1alpha1/organization_pb';
-import { PlatformService as ConnectPlatformService } from '../gen/holos/platform/v1alpha1/platform_service_connect';
 import { Platform } from '../gen/holos/platform/v1alpha1/platform_pb';
-import { GetPlatformRequest, ListPlatformsRequest } from '../gen/holos/platform/v1alpha1/platform_service_pb';
+import { PlatformService as ConnectPlatformService } from '../gen/holos/platform/v1alpha1/platform_service_connect';
+import { GetPlatformRequest, ListPlatformsRequest, PlatformMutation, UpdatePlatformRequest } from '../gen/holos/platform/v1alpha1/platform_service_pb';
 
 @Injectable({
   providedIn: 'root'
@@ -24,6 +25,15 @@ export class PlatformService {
     )
   }
 
+  updateModel(platformId: string, model: JsonValue): Observable<Platform | undefined> {
+    const update = new PlatformMutation({ model: Struct.fromJson(model) })
+    const updateMask = new FieldMask({ paths: ["model"] })
+    const req = new UpdatePlatformRequest({ platformId: platformId, update: update, updateMask: updateMask })
+    return this.client.updatePlatform(req).pipe(
+      switchMap(resp => { return of(resp.platform) })
+    )
+  }
+
   getPlatform(platformId: string): Observable<Platform | undefined> {
     const req = new GetPlatformRequest({ platformId: platformId })
     return this.client.getPlatform(req).pipe(

internal/frontend/holos/src/app/services/system.service.spec.ts

@@ -0,0 +1,16 @@
+import { TestBed } from '@angular/core/testing';
+
+import { SystemService } from './system.service';
+
+describe('SystemService', () => {
+  let service: SystemService;
+
+  beforeEach(() => {
+    TestBed.configureTestingModule({});
+    service = TestBed.inject(SystemService);
+  });
+
+  it('should be created', () => {
+    expect(service).toBeTruthy();
+  });
+});

internal/frontend/holos/src/app/services/system.service.ts

@@ -0,0 +1,22 @@
+import { Inject, Injectable } from '@angular/core';
+import { Observable, of, switchMap } from 'rxjs';
+import { ObservableClient } from '../../connect/observable-client';
+import { Version } from '../gen/holos/system/v1alpha1/system_pb';
+import { SystemService as ConnectSystemService } from '../gen/holos/system/v1alpha1/system_service_connect';
+import { GetVersionRequest } from '../gen/holos/system/v1alpha1/system_service_pb';
+import { FieldMask } from '@bufbuild/protobuf';
+
+@Injectable({
+  providedIn: 'root'
+})
+export class SystemService {
+  getVersion(): Observable<Version | undefined> {
+    const fieldMask = new FieldMask({ paths: ["version", "git_commit", "go_version", "os", "arch"] })
+    const req = new GetVersionRequest({ fieldMask: fieldMask })
+    return this.client.getVersion(req).pipe(
+      switchMap(resp => { return of(resp.version) })
+    )
+  }
+
+  constructor(@Inject(ConnectSystemService) private client: ObservableClient<typeof ConnectSystemService>) { }
+}

internal/frontend/holos/src/app/truncate.pipe.spec.ts

@@ -0,0 +1,8 @@
+import { TruncatePipe } from './truncate.pipe';
+
+describe('TruncatePipe', () => {
+  it('create an instance', () => {
+    const pipe = new TruncatePipe();
+    expect(pipe).toBeTruthy();
+  });
+});

internal/frontend/holos/src/app/truncate.pipe.ts

@@ -0,0 +1,13 @@
+import { Pipe, PipeTransform } from '@angular/core';
+
+@Pipe({
+  name: 'truncate',
+  standalone: true
+})
+export class TruncatePipe implements PipeTransform {
+
+  transform(value: string, limit: number = 8): string {
+    if (!value) return '';
+    return value.length > limit ? value.substring(0, limit) : value;
+  }
+}

internal/frontend/holos/src/app/version-button/version-button.component.html

@@ -0,0 +1,23 @@
+@if (version$ | async; as version) {
+  <button mat-button [matMenuTriggerFor]="menu">
+    {{ version.version }}
+  </button>
+
+  <mat-menu class="version-menu" #menu="matMenu">
+    <mat-card class="version-card">
+      <mat-card-header>
+        <mat-card-title>{{ version.version }}</mat-card-title>
+        <mat-card-subtitle>Server version info</mat-card-subtitle>
+      </mat-card-header>
+      <mat-card-content>
+        <pre>Git: {{ version.gitCommit | truncate }}</pre>
+        <pre>Go: {{ version.goVersion | truncate }}</pre>
+        <pre>OS: {{ version.os | truncate }}</pre>
+        <pre>Arch: {{ version.arch | truncate }}</pre>
+      </mat-card-content>
+      <mat-card-actions>
+        <button mat-button (click)="refreshVersion()" [disabled]="isLoading">Refresh</button>
+      </mat-card-actions>
+    </mat-card>
+  </mat-menu>
+}

internal/frontend/holos/src/app/version-button/version-button.component.spec.ts

@@ -0,0 +1,23 @@
+import { ComponentFixture, TestBed } from '@angular/core/testing';
+
+import { VersionButtonComponent } from './version-button.component';
+
+describe('VersionButtonComponent', () => {
+  let component: VersionButtonComponent;
+  let fixture: ComponentFixture<VersionButtonComponent>;
+
+  beforeEach(async () => {
+    await TestBed.configureTestingModule({
+      imports: [VersionButtonComponent]
+    })
+    .compileComponents();
+    
+    fixture = TestBed.createComponent(VersionButtonComponent);
+    component = fixture.componentInstance;
+    fixture.detectChanges();
+  });
+
+  it('should create', () => {
+    expect(component).toBeTruthy();
+  });
+});

internal/frontend/holos/src/app/version-button/version-button.component.ts

@@ -0,0 +1,58 @@
+import { AsyncPipe, NgIf, NgStyle } from '@angular/common';
+import { Component, OnDestroy, OnInit, inject } from '@angular/core';
+import { MatButtonModule } from '@angular/material/button';
+import { MatCardModule } from '@angular/material/card';
+import { MatIconModule } from '@angular/material/icon';
+import { MatMenuModule } from '@angular/material/menu';
+import { Observable, Subject, of, startWith, switchMap, takeUntil } from 'rxjs';
+import { Version } from '../gen/holos/system/v1alpha1/system_pb';
+import { SystemService } from '../services/system.service';
+import { TruncatePipe } from '../truncate.pipe';
+import { MatDivider } from '@angular/material/divider';
+
+@Component({
+  selector: 'app-version-button',
+  standalone: true,
+  imports: [
+    AsyncPipe,
+    MatButtonModule,
+    MatCardModule,
+    MatDivider,
+    MatIconModule,
+    MatMenuModule,
+    NgIf,
+    NgStyle,
+    TruncatePipe,
+  ],
+  templateUrl: './version-button.component.html',
+  styleUrl: './version-button.component.scss'
+})
+export class VersionButtonComponent implements OnInit, OnDestroy {
+  private destroy$: Subject<boolean> = new Subject<boolean>();
+  private refreshVersion$ = new Subject<boolean>();
+  private systemService = inject(SystemService);
+  version$!: Observable<Version | undefined>;
+  isLoading = false;
+
+  refreshVersion(): void {
+    this.refreshVersion$.next(true);
+  }
+
+  ngOnInit(): void {
+    this.version$ = this.refreshVersion$.pipe(
+      takeUntil(this.destroy$),
+      startWith(true),
+      switchMap(() => {
+        this.isLoading = true;
+        return this.systemService.getVersion().pipe(
+          switchMap((version) => { this.isLoading = false; return of(version); })
+        );
+      }),
+    )
+  }
+
+  public ngOnDestroy(): void {
+    this.destroy$.next(true);
+    this.destroy$.complete();
+  }
+}

internal/frontend/holos/src/app/views/platform-detail/platform-detail.component.html

@@ -4,7 +4,7 @@
       <div class="grid-container">
         <form [formGroup]="form" (ngSubmit)="onSubmit(model)">
           <formly-form [model]="model" [fields]="fields" [options]="options" [form]="form"></formly-form>
-          <button type="submit" mat-flat-button color="primary" [disabled]="!form.valid">Submit</button>
+          <button type="submit" mat-flat-button color="primary" [disabled]="!form.valid || isLoading">Submit</button>
         </form>
       </div>
     </mat-tab>

internal/frontend/holos/src/app/views/platform-detail/platform-detail.component.ts

@@ -3,11 +3,13 @@ import { Component, Input, OnDestroy, inject } from '@angular/core';
 import { FormGroup, ReactiveFormsModule } from '@angular/forms';
 import { MatButton } from '@angular/material/button';
 import { MatDivider } from '@angular/material/divider';
+import { MatSnackBar } from '@angular/material/snack-bar';
 import { MatTab, MatTabGroup } from '@angular/material/tabs';
 import { JsonValue } from '@bufbuild/protobuf';
 import { FormlyFieldConfig, FormlyFormOptions, FormlyModule } from '@ngx-formly/core';
 import { FormlyMaterialModule } from '@ngx-formly/material';
 import { Subject, takeUntil } from 'rxjs';
+import { Platform } from '../../gen/holos/platform/v1alpha1/platform_pb';
 import { PlatformService } from '../../services/platform.service';
 
 @Component({
@@ -29,7 +31,10 @@ import { PlatformService } from '../../services/platform.service';
 })
 export class PlatformDetailComponent implements OnDestroy {
   private platformService = inject(PlatformService);
+  private _snackBar: MatSnackBar = inject(MatSnackBar);
   private platformId: string = "";
+  private platform: Platform = new Platform();
+  isLoading = false;
 
   private destroy$: Subject<boolean> = new Subject<boolean>();
   form = new FormGroup({});
@@ -52,8 +57,17 @@ export class PlatformDetailComponent implements OnDestroy {
 
   onSubmit(model: JsonValue) {
     if (this.form.valid) {
-      console.log(model)
-      window.alert("call UpdatePlatform")
+      this.isLoading = true;
+      this.platformService
+        .updateModel(this.platform.id, model)
+        .pipe(takeUntil(this.destroy$))
+        .subscribe(platform => {
+          this._snackBar.open('Saved ' + platform?.displayName, 'OK', {
+            duration: 5000,
+          }).afterDismissed().subscribe(() => {
+            this.isLoading = false;
+          })
+        })
     }
   }
 
@@ -64,6 +78,9 @@ export class PlatformDetailComponent implements OnDestroy {
       .getPlatform(platformId)
       .pipe(takeUntil(this.destroy$))
       .subscribe(platform => {
+        if (platform !== undefined) {
+          this.platform = platform
+        }
         if (platform?.spec?.model !== undefined) {
           this.setModel(platform.spec.model.toJson())
         }
@@ -71,7 +88,7 @@ export class PlatformDetailComponent implements OnDestroy {
           // NOTE: We could mix functions into the json data via mapped fields,
           // but consider carefully before doing so.  Refer to
           // https://formly.dev/docs/examples/other/json-powered
-          this.fields = platform.spec.form.fields.map(field => field.toJson() as FormlyFieldConfig)
+          this.fields = platform.spec.form.fieldConfigs.map(fieldConfig => fieldConfig.toJson() as FormlyFieldConfig)
         }
       })
   }

internal/generate/component.go

@@ -0,0 +1,149 @@
+package generate
+
+import (
+	"bytes"
+	"context"
+	"embed"
+	"encoding/json"
+	"flag"
+	"io/fs"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"text/template"
+
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+)
+
+//go:embed all:components
+var components embed.FS
+
+// componentsRoot is the root path to copy component cue code from.
+const componentsRoot = "components"
+
+func NewSchematic(root string, name string) (*Schematic, error) {
+	data, err := components.ReadFile(filepath.Join(root, name, "schematic.json"))
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	schematic := Schematic{Name: name}
+	if err := json.Unmarshal(data, &schematic); err != nil {
+		return nil, errors.Wrap(err)
+	}
+	return &schematic, nil
+}
+
+// Schematic represents the flags and command metadata stored in the
+// schematic.yaml file along side each schematic.
+type Schematic struct {
+	// Name represents the name of the resource the schematic generates.
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+
+	Short string `json:"short,omitempty" yaml:"short,omitempty"`
+	Long  string `json:"long,omitempty" yaml:"long,omitempty"`
+
+	Chart     *string `json:"chart,omitempty" yaml:"chart,omitempty"`
+	Version   *string `json:"version,omitempty" yaml:"version,omitempty"`
+	Namespace *string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+
+	RepoName *string `json:"reponame,omitempty" yaml:"reponame,omitempty"`
+	RepoURL  *string `json:"repourl,omitempty" yaml:"repourl,omitempty"`
+
+	flagSet *flag.FlagSet
+}
+
+func (s *Schematic) FlagSet() *flag.FlagSet {
+	if s == nil {
+		return nil
+	}
+	if s.flagSet != nil {
+		return s.flagSet
+	}
+	fs := flag.NewFlagSet("", flag.ContinueOnError)
+	fs.StringVar(&s.Name, "name", s.Name, "component name")
+	if s.Chart != nil {
+		fs.StringVar(s.Chart, "chart", *s.Chart, "chart name")
+	}
+	if s.Version != nil {
+		fs.StringVar(s.Version, "component-version", *s.Version, "component version")
+	}
+	if s.Namespace != nil {
+		fs.StringVar(s.Namespace, "namespace", *s.Namespace, "namespace")
+	}
+	if s.RepoName != nil {
+		fs.StringVar(s.RepoName, "repo-name", *s.RepoName, "chart repository name")
+	}
+	if s.RepoURL != nil {
+		fs.StringVar(s.RepoURL, "repo-url", *s.RepoURL, "chart repository url")
+	}
+	s.flagSet = fs
+	return fs
+}
+
+// CueComponents returns a slice of embedded component schematics or nil if there are none.
+func CueComponents() []string {
+	entries, err := fs.ReadDir(components, filepath.Join(componentsRoot, "cue"))
+	if err != nil {
+		return nil
+	}
+	dirs := make([]string, 0, len(entries))
+	for _, entry := range entries {
+		dirs = append(dirs, entry.Name())
+	}
+	return dirs
+}
+
+// HelmComponents returns a slice of embedded component schematics or nil if there are none.
+func HelmComponents() []string {
+	entries, err := fs.ReadDir(components, filepath.Join(componentsRoot, "helm"))
+	if err != nil {
+		return nil
+	}
+	dirs := make([]string, 0, len(entries))
+	for _, entry := range entries {
+		dirs = append(dirs, entry.Name())
+	}
+	return dirs
+}
+
+// makeRenderFunc makes a template rendering function for embedded files.
+func makeRenderFunc[T any](log *slog.Logger, path string, cfg T) func([]byte) *bytes.Buffer {
+	return func(content []byte) *bytes.Buffer {
+		tmpl, err := template.New(filepath.Base(path)).Parse(string(content))
+		if err != nil {
+			log.Error("could not load template", "err", err)
+			return bytes.NewBuffer(content)
+		}
+
+		var rendered bytes.Buffer
+		if err := tmpl.Execute(&rendered, cfg); err != nil {
+			log.Error("could not execute template", "err", err)
+			return bytes.NewBuffer(content)
+		}
+
+		return &rendered
+	}
+}
+
+// GenerateComponent writes the cue code for a component to the local working
+// directory.
+func GenerateComponent(ctx context.Context, kind string, name string, cfg *Schematic) error {
+	// use name from args to build the source path
+	path := filepath.Join(componentsRoot, kind, name)
+	// use cfg.Name from flags to build the destination path
+	dstPath := filepath.Join(getCwd(ctx), cfg.Name)
+	log := logger.FromContext(ctx).With("name", cfg.Name, "path", dstPath)
+	log.DebugContext(ctx, "mkdir")
+	if err := os.MkdirAll(dstPath, os.ModePerm); err != nil {
+		return errors.Wrap(err)
+	}
+
+	mapper := makeRenderFunc(log, path, cfg)
+	if err := copyEmbedFS(ctx, components, path, dstPath, mapper); err != nil {
+		return errors.Wrap(err)
+	}
+
+	log.InfoContext(ctx, "generated component")
+	return nil
+}

internal/generate/components/cue/argocd/argocd.cue

@@ -0,0 +1,4 @@
+package holos
+
+// Produce a kubectl kustomize build plan.
+(#Kustomize & {Name: "{{ .Name }}"}).Output

internal/generate/components/cue/argocd/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: "{{ .Namespace }}"
+resources:
+  - "https://raw.githubusercontent.com/argoproj/argo-cd/v{{ .Version }}/manifests/install.yaml"

internal/generate/components/cue/argocd/schematic.json

@@ -0,0 +1,7 @@
+{
+  "name": "argocd",
+  "namespace": "argocd",
+  "short": "argocd kustomize",
+  "long": "Manage argocd using a kustomization.yaml build plan.",
+  "version": "2.11.2"
+}

internal/generate/components/cue/configmap/configmap.cue

@@ -0,0 +1,21 @@
+package holos
+
+import "encoding/yaml"
+
+let Objects = {
+	Name:      "{{ .Name }}"
+	Namespace: "{{ .Namespace }}"
+
+	Resources: {
+		ConfigMap: {
+			example: {
+				metadata: namespace: "{{ .Namespace }}"
+				// _Platform.Model represents the web form model
+				data: platform: yaml.Marshal({model: _Platform.Model})
+			}
+		}
+	}
+}
+
+// Produce a kubernetes objects build plan.
+(#Kubernetes & Objects).Output

internal/generate/components/cue/configmap/schematic.json

@@ -0,0 +1,6 @@
+{
+  "name": "configmap",
+  "namespace": "default",
+  "short": "simple configmap example",
+  "long": "End-to-end demonstration of data flowing from the web ui to a cluster resource"
+}

internal/generate/components/cue/namespaces/namespaces.cue

@@ -0,0 +1,11 @@
+package holos
+
+let Objects = {
+	Name:      "{{ .Name }}"
+	Namespace: "{{ .Namespace }}"
+
+	Resources: Namespace: _Namespaces
+}
+
+// Produce a kubernetes objects build plan.
+(#Kubernetes & Objects).Output

internal/generate/components/cue/namespaces/schematic.json

@@ -0,0 +1,6 @@
+{
+  "name": "namespaces",
+  "namespace": "default",
+  "short": "manage namespaces on multiple clusters",
+  "long": "Manage namespaces across all clusters in the platform following sig-multicluster namespace sameness position."
+}

internal/generate/components/helm/cert-manager/cert-manager.cue

@@ -0,0 +1,20 @@
+package holos
+
+let Chart = {
+	Name:      "{{ .Name }}"
+	Version:   "{{ .Version }}"
+	Namespace: "{{ .Namespace }}"
+
+	Repo: name: "{{ .RepoName }}"
+	Repo: url:  "{{ .RepoURL }}"
+
+	Values: {
+		installCRDs: true
+		startupapicheck: enabled: false
+		// Must not use kube-system on gke autopilot.  GKE Warden blocks access.
+		global: leaderElection: namespace: Namespace
+	}
+}
+
+// Produce a helm chart build plan.
+(#Helm & Chart).Output

internal/generate/components/helm/cert-manager/schematic.json

@@ -0,0 +1,10 @@
+{
+  "name": "cert-manager",
+  "short": "cloud native certificate management",
+  "long": "Automatically provision and manage TLS certificates in Kubernetes",
+  "chart": "cert-manager",
+  "version": "1.14.5",
+  "namespace": "cert-manager",
+  "reponame": "jetstack",
+  "repourl": "https://charts.jetstack.io"
+}

internal/generate/components/helm/podinfo-oci/podinfo.cue

@@ -0,0 +1,15 @@
+package holos
+
+let Chart = {
+	Name:      "{{ .Name }}"
+	Version:   "{{ .Version }}"
+	Namespace: "{{ .Namespace }}"
+
+	// OCI helm charts use the image url as the chart name
+	Chart: chart: name: "{{ .Chart }}"
+
+	Values: {}
+}
+
+// Produce a helm chart build plan.
+(#Helm & Chart).Output

internal/generate/components/helm/podinfo-oci/schematic.json

@@ -0,0 +1,8 @@
+{
+  "name": "podinfo-oci",
+  "short": "oci helm chart example",
+  "long": "Podinfo is a tiny web application made with Go that showcases best practices of running microservices in Kubernetes.",
+  "chart": "oci://ghcr.io/stefanprodan/charts/podinfo",
+  "version": "6.6.2",
+  "namespace": "default"
+}

internal/generate/components/helm/podinfo/podinfo.cue

@@ -0,0 +1,15 @@
+package holos
+
+let Chart = {
+	Name:      "{{ .Name }}"
+	Version:   "{{ .Version }}"
+	Namespace: "{{ .Namespace }}"
+
+	Repo: name: "{{ .RepoName }}"
+	Repo: url:  "{{ .RepoURL }}"
+
+	Values: {}
+}
+
+// Produce a helm chart build plan.
+(#Helm & Chart).Output

internal/generate/components/helm/podinfo/schematic.json

@@ -0,0 +1,10 @@
+{
+  "name": "podinfo",
+  "short": "simple helm chart example",
+  "long": "Podinfo is a tiny web application made with Go that showcases best practices of running microservices in Kubernetes.",
+  "chart": "podinfo",
+  "reponame": "podinfo",
+  "repourl": "https://stefanprodan.github.io/podinfo",
+  "version": "6.6.2",
+  "namespace": "default"
+}

internal/generate/generate.go

@@ -0,0 +1,79 @@
+package generate
+
+import (
+	"bytes"
+	"context"
+	"embed"
+	"io/fs"
+	"os"
+	"path/filepath"
+
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/server/middleware/logger"
+)
+
+func dirExists(srcFS embed.FS, path string) bool {
+	entries, err := fs.ReadDir(srcFS, path)
+	if err != nil {
+		return false
+	}
+	return len(entries) > 0
+}
+
+// copyEmbedFS copies embedded files from srcPath to dstPath passing the
+// contents through mapFunc.
+func copyEmbedFS(ctx context.Context, srcFS embed.FS, srcPath, dstPath string, mapFunc func([]byte) *bytes.Buffer) error {
+	log := logger.FromContext(ctx)
+	return fs.WalkDir(srcFS, srcPath, func(path string, d fs.DirEntry, err error) error {
+		if err != nil {
+			return errors.Wrap(err)
+		}
+
+		relPath, err := filepath.Rel(srcPath, path)
+		if err != nil {
+			return errors.Wrap(err)
+		}
+
+		dstFullPath := filepath.Join(dstPath, relPath)
+
+		if d.IsDir() {
+			if err := os.MkdirAll(dstFullPath, os.ModePerm); err != nil {
+				return errors.Wrap(err)
+			}
+			log.DebugContext(ctx, "created", "directory", dstFullPath)
+			return nil
+		}
+
+		if filepath.Base(path) == "schematic.json" {
+			log.DebugContext(ctx, "skipped", "file", dstFullPath)
+			return nil
+		}
+
+		data, err := srcFS.ReadFile(path)
+		if err != nil {
+			return errors.Wrap(err)
+		}
+
+		buf := mapFunc(data)
+		if err := os.WriteFile(dstFullPath, buf.Bytes(), 0666); err != nil {
+			return errors.Wrap(err)
+		}
+
+		log.DebugContext(ctx, "wrote", "file", dstFullPath)
+		return nil
+	})
+}
+
+func getCwd(ctx context.Context) string {
+	cwd, err := os.Getwd()
+	if err != nil {
+		logger.FromContext(ctx).WarnContext(ctx, "could not get working directory", "err", err)
+		return "."
+	}
+	abs, err := filepath.Abs(cwd)
+	if err != nil {
+		logger.FromContext(ctx).WarnContext(ctx, "could not get absolute path", "err", err)
+		return cwd
+	}
+	return abs
+}

internal/generate/platform.go

@@ -0,0 +1,94 @@
+package generate
+
+import (
+	"bytes"
+	"context"
+	"embed"
+	"encoding/json"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+
+	"github.com/holos-run/holos/internal/client"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+	platform "github.com/holos-run/holos/service/gen/holos/platform/v1alpha1"
+)
+
+//go:embed all:platforms
+var platforms embed.FS
+
+// platformsRoot is the root path to copy platform cue code from.
+const platformsRoot = "platforms"
+
+// Platforms returns a slice of embedded platforms or nil if there are none.
+func Platforms() []string {
+	entries, err := fs.ReadDir(platforms, platformsRoot)
+	if err != nil {
+		return nil
+	}
+	dirs := make([]string, 0, len(entries))
+	for _, entry := range entries {
+		if entry.IsDir() && entry.Name() != "cue.mod" {
+			dirs = append(dirs, entry.Name())
+		}
+	}
+	return dirs
+}
+
+// GeneratePlatform writes the cue code for a platform to the local working
+// directory.
+func GeneratePlatform(ctx context.Context, rpc *client.Client, orgID string, name string) error {
+	log := logger.FromContext(ctx)
+	// Check for a valid platform
+	platformPath := filepath.Join(platformsRoot, name)
+	if !dirExists(platforms, platformPath) {
+		return errors.Wrap(fmt.Errorf("cannot generate: have: [%s] want: %+v", name, Platforms()))
+	}
+
+	// Link the local platform the SaaS platform ID.
+	rpcPlatforms, err := rpc.Platforms(ctx, orgID)
+	if err != nil {
+		return errors.Wrap(err)
+	}
+
+	var rpcPlatform *platform.Platform
+	for _, p := range rpcPlatforms {
+		if p.GetName() == name {
+			rpcPlatform = p
+			break
+		}
+	}
+	if rpcPlatform == nil {
+		return errors.Wrap(errors.New("cannot generate: platform not found in the holos server"))
+	}
+
+	// Write the platform data.
+	data, err := json.MarshalIndent(rpcPlatform, "", "  ")
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	if len(data) > 0 {
+		data = append(data, '\n')
+	}
+	log = log.With("platform_id", rpcPlatform.GetId())
+	if err := os.WriteFile(client.PlatformMetadataFile, data, 0644); err != nil {
+		return errors.Wrap(fmt.Errorf("could not write platform metadata: %w", err))
+	}
+	log.InfoContext(ctx, "wrote "+client.PlatformMetadataFile, "path", filepath.Join(getCwd(ctx), client.PlatformMetadataFile))
+
+	// Copy the cue.mod directory
+	if err := copyEmbedFS(ctx, platforms, filepath.Join(platformsRoot, "cue.mod"), "cue.mod", bytes.NewBuffer); err != nil {
+		return errors.Wrap(err)
+	}
+
+	// Copy the named platform
+	if err := copyEmbedFS(ctx, platforms, platformPath, ".", bytes.NewBuffer); err != nil {
+		return errors.Wrap(err)
+	}
+
+	log.InfoContext(ctx, "generated platform "+name, "path", getCwd(ctx))
+
+	return nil
+}

internal/generate/platforms/bare/buildplan.cue

@@ -0,0 +1,33 @@
+package holos
+
+import "encoding/yaml"
+import v1 "github.com/holos-run/holos/api/v1alpha1"
+
+// #Helm represents a holos build plan composed of one or more helm charts.
+#Helm: {
+  Name: string
+  Version: string
+  Namespace: string
+
+  Repo: {
+    name: string | *""
+    url: string | *""
+  }
+
+  Values: {...}
+
+  Chart: v1.#HelmChart & {
+    metadata: name: string | *Name
+    namespace: string | *Namespace
+    chart: name: string | *Name
+    chart: version: string | *Version
+    chart: repository: Repo
+    // Render the values to yaml for holos to provide to helm.
+    valuesContent: yaml.Marshal(Values)
+  }
+
+  // output represents the build plan provided to the holos cli.
+	Output: v1.#BuildPlan & {
+    spec: components: helmChartList: [Chart]
+  }
+}

internal/generate/platforms/bare/components/configmap/configmap.cue

@@ -0,0 +1,30 @@
+package holos
+
+import "encoding/yaml"
+
+import v1 "github.com/holos-run/holos/api/v1alpha1"
+
+// Provide a BuildPlan to the holos cli to render k8s api objects.
+v1.#BuildPlan & {
+	spec: components: resources: platformConfigmap: {
+		metadata: name: "platform-configmap"
+		apiObjectMap: OBJECTS.apiObjectMap
+	}
+}
+
+// OBJECTS represents the kubernetes api objects to manage.
+let OBJECTS = v1.#APIObjects & {
+	apiObjects: ConfigMap: platform: {
+		metadata: {
+			name:      "platform"
+			namespace: "default"
+		}
+		// Output the platform model which is derived from the web app form the
+		// platform engineer provides and the form values the end user provides.
+		data: platform: yaml.Marshal(PLATFORM)
+	}
+}
+
+let PLATFORM = {
+	spec: model: _Platform.spec.model
+}

internal/generate/platforms/bare/forms/platform/platform-form.cue

@@ -0,0 +1,314 @@
+package forms
+
+import v1 "github.com/holos-run/holos/api/v1alpha1"
+
+// Provides a concrete v1.#Form
+FormBuilder.Output
+
+let FormBuilder = v1.#FormBuilder & {
+	Sections: org: {
+		displayName: "Organization"
+		description: "Organization config values are used to derive more specific configuration values throughout the platform."
+
+		fieldConfigs: {
+			// platform.spec.config.user.sections.org.fields.name
+			name: {
+				type: "input"
+				props: {
+					label: "Name"
+					// placeholder: "example" placeholder cannot be used with validation?
+					description: "DNS label, e.g. 'example'"
+					pattern:     "^[a-z]([0-9a-z]|-){1,28}[0-9a-z]$"
+					minLength:   3
+					maxLength:   30
+					required:    true
+				}
+				validation: messages: {
+					pattern:   "It must be \(props.minLength) to \(props.maxLength) lowercase letters, digits, or hyphens. It must start with a letter. Trailing hyphens are prohibited."
+					minLength: "Must be at least \(props.minLength) characters"
+					maxLength: "Must be at most \(props.maxLength) characters"
+				}
+			}
+
+			// platform.spec.config.user.sections.org.fields.displayName
+			displayName: {
+				type: "input"
+				props: {
+					label:       "Display Name"
+					placeholder: "Example Organization"
+					description: "Display name, e.g. 'Example Organization'"
+					maxLength:   100
+					required:    true
+				}
+			}
+		}
+	}
+
+	Sections: cloud: {
+		displayName: "Cloud Providers"
+		description: "Select the services that provide resources for the platform."
+
+		fieldConfigs: {
+			providers: {
+				// https://formly.dev/docs/api/ui/material/select/
+				type: "select"
+				props: {
+					label:           "Select Providers"
+					description:     "Select the cloud providers the platform builds upon."
+					multiple:        true
+					selectAllOption: "Select All"
+					options: [
+						{value: "aws", label:        "Amazon Web Services"},
+						{value: "gcp", label:        "Google Cloud Platform"},
+						{value: "azure", label:      "Microsoft Azure"},
+						{value: "cloudflare", label: "Cloudflare"},
+						{value: "github", label:     "GitHub"},
+						{value: "ois", label:        "Open Infrastructure Services"},
+						{value: "onprem", label:     "On Premises", disabled: true},
+					]
+				}
+			}
+		}
+	}
+
+	Sections: aws: {
+		displayName: "Amazon Web Services"
+		description: "Provide the information necessary for Holos to manage AWS resources to provide the platform."
+
+		expressions: hide: "!\(AWSSelected)"
+
+		fieldConfigs: {
+			primaryRoleARN: {
+				// https://formly.dev/docs/api/ui/material/input
+				type: "input"
+				props: {
+					label:       "Holos Admin Role ARN"
+					description: "Enter the AWS Role ARN Holos will use to bootstrap resources.  For example, arn:aws:iam::123456789012:role/HolosAdminAccess"
+					pattern:     "^arn:.*"
+					minLength:   4
+					required:    true
+				}
+				validation: messages: {
+					pattern: "Must be a valid ARN.  Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html"
+				}
+			}
+
+			regions: {
+				// https://formly.dev/docs/api/ui/material/select/
+				type: "select"
+				props: {
+					label:           "Select Regions"
+					description:     "Select the AWS regions this platform operates in."
+					multiple:        true
+					required:        true
+					selectAllOption: "Select All"
+					options:         AWSRegions
+				}
+			}
+		}
+	}
+
+	Sections: gcp: {
+		displayName: "Google Cloud Platform"
+		description: "Use this form to configure platform level GCP settings."
+
+		expressions: hide: "!\(GCPSelected)"
+
+		fieldConfigs: {
+			regions: {
+				// https://formly.dev/docs/api/ui/material/select/
+				type: "select"
+				props: {
+					label:           "Select Regions"
+					description:     "Select the GCP regions this platform operates in."
+					multiple:        true
+					selectAllOption: "Select All"
+					// gcloud compute regions list --format=json | jq '.[] | {value: .name, label: .description}' regions.json | jq -s | cue export --out cue
+					options: GCPRegions
+				}
+			}
+
+			gcpProjectID: {
+				// https://formly.dev/docs/api/ui/material/input
+				type: "input"
+				props: {
+					label:       "Project ID"
+					description: "Enter the project id where the provisioner cluster resides."
+					pattern:     "^[a-z]([0-9a-z]|-){1,28}[0-9a-z]$"
+					minLength:   6
+					maxLength:   30
+					required:    true
+				}
+				validation: messages: {
+					pattern:   "It must be \(props.minLength) to \(props.maxLength) lowercase letters, digits, or hyphens. It must start with a letter. Trailing hyphens are prohibited."
+					minLength: "Must be at least \(props.minLength) characters."
+					maxLength: "Must be at most \(props.maxLength) characters."
+				}
+			}
+
+			gcpProjectNumber: {
+				// https://formly.dev/docs/api/ui/material/input
+				type: "input"
+				props: {
+					label: "Project Number"
+					// note type number here
+					type:        "number"
+					description: "Enter the project number where the provisioner cluster resides."
+					pattern:     "^[0-9]+$"
+					required:    true
+				}
+				validation: messages: {
+					pattern: "Must be a valid project number."
+				}
+			}
+
+			provisionerCABundle: {
+				type: "input"
+				props: {
+					label:       "Provisioner CA Bundle"
+					description: "Enter the provisioner cluster ca bundle.  kubectl config view --minify --flatten -ojsonpath='{.clusters[0].cluster.certificate-authority-data}'"
+					pattern:     "^[0-9a-zA-Z]+=*$"
+					required:    true
+				}
+				validation: messages: {
+					pattern: "Must be a base64 encoded pem encoded certificate bundle."
+				}
+			}
+
+			provisionerURL: {
+				type: "input"
+				props: {
+					label:       "Provisioner URL"
+					description: "Enter the URL of the provisioner cluster API endpoint.  kubectl config view --minify --flatten -ojsonpath='{.clusters[0].cluster.server}'"
+					pattern:     "^https://.*$"
+					required:    true
+				}
+				validation: messages: {
+					pattern: "Must be a https:// URL."
+				}
+			}
+		}
+	}
+
+	Sections: cloudflare: {
+		displayName: "Cloudflare"
+		description: "Cloudflare is primarily used for DNS automation."
+
+		expressions: hide: "!" + CloudflareSelected
+
+		fieldConfigs: {
+			email: {
+				// https://formly.dev/docs/api/ui/material/input
+				type: "input"
+				props: {
+					label:       "Account Email"
+					description: "Enter the Cloudflare email address to manage DNS"
+					minLength:   3
+					required:    true
+				}
+			}
+		}
+	}
+
+	Sections: github: {
+		displayName: "GitHub"
+		description: "GitHub is primarily used to host Git repositories and execute Actions workflows."
+
+		expressions: hide: "!\(GitHubSelected)"
+
+		fieldConfigs: {
+			primaryOrg: {
+				// https://formly.dev/docs/api/ui/material/input
+				type: "input"
+				props: {
+					label:       "Organization"
+					description: "Enter the primary GitHub organization associed with the platform."
+					pattern:     "^(?!-)(?!.*--)([a-zA-Z0-9]|-){1,39}$"
+					minLength:   1
+					maxLength:   39
+					required:    true
+				}
+				validation: messages: {
+					pattern: "All characters must be either a hyphen or alphanumeric.  Cannot start with a hyphen.  Cannot include consecutive hyphens."
+				}
+			}
+		}
+	}
+}
+
+let GCPRegions = [
+	{value: "africa-south1", label:           "africa-south1"},
+	{value: "asia-east1", label:              "asia-east1"},
+	{value: "asia-east2", label:              "asia-east2"},
+	{value: "asia-northeast1", label:         "asia-northeast1"},
+	{value: "asia-northeast2", label:         "asia-northeast2"},
+	{value: "asia-northeast3", label:         "asia-northeast3"},
+	{value: "asia-south1", label:             "asia-south1"},
+	{value: "asia-south2", label:             "asia-south2"},
+	{value: "asia-southeast1", label:         "asia-southeast1"},
+	{value: "asia-southeast2", label:         "asia-southeast2"},
+	{value: "australia-southeast1", label:    "australia-southeast1"},
+	{value: "australia-southeast2", label:    "australia-southeast2"},
+	{value: "europe-central2", label:         "europe-central2"},
+	{value: "europe-north1", label:           "europe-north1"},
+	{value: "europe-southwest1", label:       "europe-southwest1"},
+	{value: "europe-west1", label:            "europe-west1"},
+	{value: "europe-west10", label:           "europe-west10"},
+	{value: "europe-west12", label:           "europe-west12"},
+	{value: "europe-west2", label:            "europe-west2"},
+	{value: "europe-west3", label:            "europe-west3"},
+	{value: "europe-west4", label:            "europe-west4"},
+	{value: "europe-west6", label:            "europe-west6"},
+	{value: "europe-west8", label:            "europe-west8"},
+	{value: "europe-west9", label:            "europe-west9"},
+	{value: "me-central1", label:             "me-central1"},
+	{value: "me-central2", label:             "me-central2"},
+	{value: "me-west1", label:                "me-west1"},
+	{value: "northamerica-northeast1", label: "northamerica-northeast1"},
+	{value: "northamerica-northeast2", label: "northamerica-northeast2"},
+	{value: "southamerica-east1", label:      "southamerica-east1"},
+	{value: "southamerica-west1", label:      "southamerica-west1"},
+	{value: "us-central1", label:             "us-central1"},
+	{value: "us-east1", label:                "us-east1"},
+	{value: "us-east4", label:                "us-east4"},
+	{value: "us-east5", label:                "us-east5"},
+	{value: "us-south1", label:               "us-south1"},
+	{value: "us-west1", label:                "us-west1"},
+	{value: "us-west2", label:                "us-west2"},
+	{value: "us-west3", label:                "us-west3"},
+	{value: "us-west4", label:                "us-west4"},
+]
+
+let AWSRegions = [
+	{value: "us-east-1", label:      "N. Virginia (us-east-1)"},
+	{value: "us-east-2", label:      "Ohio (us-east-2)"},
+	{value: "us-west-1", label:      "N. California (us-west-1)"},
+	{value: "us-west-2", label:      "Oregon (us-west-2)"},
+	{value: "us-gov-west1", label:   "US GovCloud West (us-gov-west1)"},
+	{value: "us-gov-east1", label:   "US GovCloud East (us-gov-east1)"},
+	{value: "ca-central-1", label:   "Canada (ca-central-1)"},
+	{value: "eu-north-1", label:     "Stockholm (eu-north-1)"},
+	{value: "eu-west-1", label:      "Ireland (eu-west-1)"},
+	{value: "eu-west-2", label:      "London (eu-west-2)"},
+	{value: "eu-west-3", label:      "Paris (eu-west-3)"},
+	{value: "eu-central-1", label:   "Frankfurt (eu-central-1)"},
+	{value: "eu-south-1", label:     "Milan (eu-south-1)"},
+	{value: "af-south-1", label:     "Cape Town (af-south-1)"},
+	{value: "ap-northeast-1", label: "Tokyo (ap-northeast-1)"},
+	{value: "ap-northeast-2", label: "Seoul (ap-northeast-2)"},
+	{value: "ap-northeast-3", label: "Osaka (ap-northeast-3)"},
+	{value: "ap-southeast-1", label: "Singapore (ap-southeast-1)"},
+	{value: "ap-southeast-2", label: "Sydney (ap-southeast-2)"},
+	{value: "ap-east-1", label:      "Hong Kong (ap-east-1)"},
+	{value: "ap-south-1", label:     "Mumbai (ap-south-1)"},
+	{value: "me-south-1", label:     "Bahrain (me-south-1)"},
+	{value: "sa-east-1", label:      "São Paulo (sa-east-1)"},
+	{value: "cn-north-1", label:     "Bejing (cn-north-1)"},
+	{value: "cn-northwest-1", label: "Ningxia (cn-northwest-1)"},
+	{value: "ap-southeast-3", label: "Jakarta (ap-southeast-3)"},
+]
+
+let AWSSelected = "formState.model.cloud?.providers?.includes(\"aws\")"
+let GCPSelected = "formState.model.cloud?.providers?.includes(\"gcp\")"
+let GitHubSelected = "formState.model.cloud?.providers?.includes(\"github\")"
+let CloudflareSelected = "formState.model.cloud?.providers?.includes(\"cloudflare\")"

internal/generate/platforms/bare/forms/projects/greeter/greeter-form.cue

@@ -0,0 +1 @@
+

internal/generate/platforms/bare/platform.cue

@@ -0,0 +1,47 @@
+package holos
+
+import "encoding/json"
+
+import v1 "github.com/holos-run/holos/api/v1alpha1"
+
+import dto "github.com/holos-run/holos/service/gen/holos/object/v1alpha1:object"
+
+// _PlatformConfig represents all of the data passed from holos to cue.
+// Intended to carry the platform model and project models.
+_PlatformConfig:     dto.#PlatformConfig & json.Unmarshal(_PlatformConfigJSON)
+_PlatformConfigJSON: string | *"{}" @tag(platform_config, type=string)
+
+// _Platform provides a platform resource to the holos cli for rendering.  The
+// field is hidden because most components need to refer to platform data,
+// specifically the platform model and the project models.  The platform
+// resource itself is output once when rendering the entire platform, see the
+// platform/ subdirectory.
+_Platform: v1.#Platform & {
+	metadata: {
+		name: string | *"bare" @tag(platform_name, type=string)
+	}
+
+	// spec is the platform specification
+	spec: {
+		// model represents the web form values provided by the user.
+		model: _PlatformConfig.platform_model
+		components: [for c in _components {c}]
+
+		_components: [string]: v1.#PlatformSpecComponent
+		_components: {
+			for WorkloadCluster in _Clusters.Workload {
+				"\(WorkloadCluster)-configmap": {
+					path:    "components/configmap"
+					cluster: WorkloadCluster
+				}
+			}
+		}
+	}
+}
+
+// _Clusters represents the clusters in the platform.  The default values are
+// intended to be provided by the user in a file which is not written over by
+// `holos generate`.
+_Clusters: {
+	Workload: [...string] | *["mycluster"]
+}

internal/generate/platforms/bare/platform/platform.cue

@@ -0,0 +1,4 @@
+package holos
+
+// Output the Platform resource for holos to render the entire platform.
+{} & _Platform