core: define generic command core type for all kinds of tasks

Previously the Command core type was only useful for Validators and was a bit hacky in that Holos appends the directory to the end of the argument vector. This patch changes the Command type to represent a generic command for use as a Generator, Transformer, or Validator. The type is extended to support the semantics of reading output from a file, directory, or standard output pipe. Go templates are used to fill in Holos managed data values, for example the temporary directory associated with the pipeline task. The TaskData structu represents these values passed into the template engine.
docs: make generate for docs preview
2026-03-03 21:50:13 +00:00 · 2025-03-03 17:07:56 -08:00 · 2025-02-27 15:47:20 -08:00 · 2025-02-27 15:29:27 -08:00 · 2025-02-27 14:37:44 -08:00 · 2025-02-27 12:56:01 -08:00
999 changed files with 71230 additions and 190298 deletions
--- a/.cspell.json
+++ b/.cspell.json
@@ -5,10 +5,13 @@
    "mdx"
  ],
  "words": [
+    "acmesolver",
+    "acraccesstoken",
    "acraccesstokens",
    "admissionregistration",
    "alertmanager",
    "alertmanagers",
+    "anchore",
    "anthos",
    "apiextensions",
    "apimachinery",
@@ -26,19 +29,25 @@
    "authpolicy",
    "authproxy",
    "authroutes",
+    "autoload",
    "automount",
    "automounting",
    "autoscaler",
    "balancereader",
    "blackbox",
    "buildplan",
+    "buildplans",
+    "Buildx",
    "builtinpluginloadingoptions",
+    "cachedir",
    "cadvisor",
    "cainjector",
    "CAROOT",
    "certificaterequest",
    "certificaterequests",
    "certificatesigningrequests",
+    "chartmuseum",
+    "clientset",
    "clsx",
    "clusterexternalsecret",
    "clusterexternalsecrets",
@@ -49,8 +58,12 @@
    "clustersecretstore",
    "clustersecretstores",
    "clusterwide",
+    "Cmds",
    "CNCF",
    "CODEOWNERS",
+    "compinit",
+    "componentconfig",
+    "configdir",
    "configmap",
    "configmapargs",
    "connectrpc",
@@ -62,6 +75,7 @@
    "creds",
    "crossplane",
    "crunchydata",
+    "ctxt",
    "cuecontext",
    "cuelang",
    "customresourcedefinition",
@@ -69,9 +83,12 @@
    "deploymentruntimeconfig",
    "destinationrule",
    "destinationrules",
+    "devel",
    "devicecode",
+    "distroless",
    "dnsmasq",
    "dscacheutil",
+    "ecrauthorizationtoken",
    "ecrauthorizationtokens",
    "edns",
    "endpointslices",
@@ -87,9 +104,11 @@
    "fieldmaskpb",
    "fieldspec",
    "flushcache",
+    "fluxcd",
    "fullname",
    "gatewayclass",
    "gatewayclasses",
+    "gcraccesstoken",
    "gcraccesstokens",
    "gendoc",
    "generationbehavior",
@@ -98,8 +117,10 @@
    "genproto",
    "ggnpl",
    "ghaction",
+    "githubaccesstoken",
    "githubaccesstokens",
    "gitops",
+    "GOBIN",
    "godoc",
    "golangci",
    "gomarkdoc",
@@ -127,6 +148,7 @@
    "httproute",
    "httproutes",
    "iampolicygenerator",
+    "incpatch",
    "Infima",
    "intstr",
    "isatty",
@@ -136,6 +158,7 @@
    "jetstack",
    "jiralert",
    "Jsonnet",
+    "Kargo",
    "kfbh",
    "killall",
    "kubeadm",
@@ -143,6 +166,7 @@
    "kubelet",
    "kubelogin",
    "kubernetesobjects",
+    "kubeversion",
    "Kustomization",
    "Kustomizations",
    "kustomize",
@@ -159,6 +183,7 @@
    "loadbalancer",
    "loadrestrictions",
    "logfmt",
+    "lxnl",
    "mattn",
    "mccutchen",
    "metav",
@@ -169,7 +194,9 @@
    "Multicluster",
    "mutatingwebhookconfiguration",
    "mutatingwebhookconfigurations",
+    "mvdan",
    "mxcl",
+    "mychart",
    "myhostname",
    "myRegistrKeySecretName",
    "mysecret",
@@ -183,9 +210,11 @@
    "oauthproxy",
    "objectmap",
    "objectmeta",
+    "omitempty",
    "organizationconnect",
    "orgid",
    "otelconnect",
+    "outfile",
    "overriden",
    "Parentspanid",
    "patchstrategicmerge",
@@ -207,6 +236,7 @@
    "poddisruptionbudget",
    "poddisruptionbudgets",
    "podinfo",
+    "podmonitor",
    "portmapping",
    "postgrescluster",
    "privs",
@@ -236,9 +266,11 @@
    "requestauthentications",
    "resourcequotas",
    "retryable",
+    "rogpeppe",
    "rolebinding",
    "rootfs",
    "ropc",
+    "sboms",
    "seccomp",
    "secretargs",
    "SECRETKEY",
@@ -251,6 +283,7 @@
    "serviceentries",
    "serviceentry",
    "servicemonitor",
+    "sigstore",
    "somevalue",
    "SOMEVAR",
    "sortoptions",
@@ -272,6 +305,7 @@
    "systemconnect",
    "tablewriter",
    "templatable",
+    "testscript",
    "thanos",
    "Tiltfile",
    "timestamppb",
@@ -280,13 +314,17 @@
    "tokencache",
    "Tokener",
    "tolerations",
+    "TOPLEVEL",
    "Traceid",
    "traefik",
    "transactionhistory",
    "tsdb",
+    "txtar",
    "typemeta",
    "udev",
    "uibutton",
+    "Unmarshal",
+    "unshallow",
    "unstage",
    "untar",
    "upbound",
@@ -298,12 +336,14 @@
    "userservice",
    "validatingwebhookconfiguration",
    "validatingwebhookconfigurations",
+    "vaultdynamicsecret",
    "vaultdynamicsecrets",
    "virtualservice",
    "virtualservices",
    "volumeattachments",
    "wasmplugin",
    "wasmplugins",
+    "workdir",
    "workloadentries",
    "workloadentry",
    "workloadgroup",
--- a/.github/ISSUE_TEMPLATE/bug-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-report.md
@@ -0,0 +1,131 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: NeedsInvestigation, Triage
+assignees: ''
+---
+
+<!--
+Please answer these questions before submitting your issue. Thanks!
+To ask questions, see https://github.com/holos-run/holos/discussions
+-->
+
+### What version of holos are you using (`holos --version`)?
+
+```
+0.0.0
+```
+
+### Does this issue reproduce with the latest release?
+
+<!--
+Get the latest release with:
+
+    brew install holos-run/tap/holos
+
+Or see https://holos.run/docs/v1alpha5/tutorial/setup/
+-->
+
+### What did you do?
+
+<!--
+Please provide a testscript that should pass, but does not because of the bug.
+See the below example.
+
+You can create a txtar from a directory with:
+
+  holos txtar ./path/to/dir
+
+Refer to: https://github.com/rogpeppe/go-internal/tree/master/cmd/testscript
+-->
+
+Steps to reproduce:
+
+```shell
+testscript -v -continue <<EOF
+```
+
+```txtar
+# Have: an error related to the imported Kustomize schemas.
+# Want: holos show buildplans to work.
+exec holos --version
+exec holos init platform v1alpha5 --force
+# remove the fix to trigger the bug
+rm cue.mod/pkg/sigs.k8s.io/kustomize/api/types/var.cue
+# want a BuildPlan shown
+exec holos show buildplans
+cmp stdout buildplan.yaml
+# want this error to go away
+! stderr 'cannot convert non-concrete value string'
+-- buildplan.yaml --
+kind: BuildPlan
+-- platform/example.cue --
+package holos
+
+Platform: Components: example: {
+	name: "example"
+	path: "components/example"
+}
+-- components/example/example.cue --
+package holos
+
+import "encoding/yaml"
+
+holos: Component.BuildPlan
+
+Component: #Kustomize & {
+	KustomizeConfig: Kustomization: patches: [
+		{
+			target: kind: "CustomResourceDefinition"
+			patch: yaml.Marshal([{
+				op:    "add"
+				path:  "/metadata/annotations/example"
+				value: "example-value"
+			}])
+		},
+	]
+}
+```
+```shell
+EOF
+```
+
+### What did you expect to see?
+
+The testscript should pass.
+
+### What did you see instead?
+
+The testscript fails because of the bug.
+
+```txt
+# Have: an error related to the imported Kustomize schemas.
+# Want: holos show buildplans to work. (0.168s)
+> exec holos --version
+[stdout]
+0.100.1-2-g9b10e23-dirty
+> exec holos init platform v1alpha5 --force
+# remove the fix to trigger the bug (0.000s)
+> rm cue.mod/pkg/sigs.k8s.io/kustomize/api/types/var.cue
+# want a BuildPlan shown (0.091s)
+> exec holos show buildplans
+[stderr]
+could not run: holos.spec.artifacts.0.transformers.0.kustomize.kustomization.patches.0.target.name: cannot convert non-concrete value string at builder/v1alpha5/builder.go:218
+holos.spec.artifacts.0.transformers.0.kustomize.kustomization.patches.0.target.name: cannot convert non-concrete value string:
+    $WORK/cue.mod/gen/sigs.k8s.io/kustomize/api/types/var_go_gen.cue:33:2
+[exit status 1]
+FAIL: <stdin>:8: unexpected command failure
+> cmp stdout buildplan.yaml
+diff stdout buildplan.yaml
+--- stdout
+++ buildplan.yaml
+@@ -0,0 +1,1 @@
+kind: BuildPlan
+
+FAIL: <stdin>:9: stdout and buildplan.yaml differ
+# want this error to go away (0.000s)
+> ! stderr 'cannot convert non-concrete value string'
+FAIL: <stdin>:11: unexpected match for `cannot convert non-concrete value string` found in stderr: cannot convert non-concrete value string
+failed run
+```
--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@@ -0,0 +1,143 @@
+name: Container
+
+# Only allow actors with write permission to the repository to trigger this
+# workflow.
+permissions:
+  contents: write
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      git_ref:
+        description: 'Git ref to build (e.g., refs/tags/v1.2.3, refs/heads/main)'
+        required: true
+        type: string
+
+jobs:
+  buildx:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Set tag from trigger event
+        id: opts
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "ref=${{ inputs.git_ref }}" >> $GITHUB_OUTPUT
+          else
+            echo "ref=${GITHUB_REF}" >> $GITHUB_OUTPUT
+          fi
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.opts.outputs.ref }}
+      - name: SHA
+        id: sha
+        run: echo "sha=$(/usr/bin/git log -1 --format='%H')" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Fetch tags
+        run: git fetch --prune --unshallow --tags
+      - name: Set Tags
+        id: tags
+        run: |
+          echo "detail=$(/usr/bin/git describe --tags HEAD)" >> $GITHUB_OUTPUT
+          echo "suffix=$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
+          echo "tag=$(/usr/bin/git describe --tags HEAD)$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push container images
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+            ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Setup Cosign to sign container images
+        uses: sigstore/cosign-installer@v3.7.0
+      - name: Sign with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+      - name: Update holos-run/holos-action
+        env:
+          IMAGE: ghcr.io/holos-run/holos:v0.102.1
+          VERSION: ${{ steps.tags.outputs.tag }}
+          USER_ID: ${{ steps.get-user-id.outputs.user-id }}
+          TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -euo pipefail
+          git clone "https://github.com/holos-run/holos-action"
+          cd holos-action
+          git remote set-url origin https://${USER_ID}:${TOKEN}@github.com/holos-run/holos-action
+          docker pull --quiet "${IMAGE}"
+          docker run -v $(pwd):/app --workdir /app --rm "${IMAGE}"  \
+            holos cue export --out yaml action.cue -t "version=${VERSION}" > action.yml
+          git add action.yml
+          git commit -m "ci: update holos to ${VERSION} - https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" || (echo "No changes to commit"; exit 0)
+          git push origin HEAD:main HEAD:v0 HEAD:v1
+
+      - name: Login to quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_TOKEN }}
+      - name: Push to quay.io
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          # docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+          docker push quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Sign quay.io image
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          cosign sign --yes quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
+    outputs:
+      tag: ${{ steps.tags.outputs.tag }}
+      detail: ${{ steps.tags.outputs.detail }}
--- a/.github/workflows/dev-deploy.yaml
+++ b/.github/workflows/dev-deploy.yaml
@@ -2,7 +2,7 @@ name: Dev Deploy

 on:
  push:
-    branches: ['main', 'dev-deploy']
+    branches: ['dev-deploy']

 jobs:
  deploy:
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -27,4 +27,4 @@ jobs:
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
-          version: v1.60
+          version: v1.64.5
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,6 +1,5 @@
 ---
-# https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
-name: Lint
+name: Spelling
 "on":
  push:
    branches:
@@ -8,35 +7,11 @@ name: Lint
      - test
  pull_request:
    types: [opened, synchronize]
-
 permissions:
  contents: read
-
 jobs:
-  lint:
-    name: lint
+  cspell:
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: stable
-
-      ## Not needed on ubuntu-latest
-      # - name: Install Packages
-      #   run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
-
-      - name: Install Tools
-        run: make tools
-
-      - name: Lint
-        # golangci-lint runs in a separate workflow.
-        run: make lint -o golangci-lint
+      - uses: actions/checkout@v4
+      - run: ./hack/cspell
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -35,6 +35,9 @@ jobs:
        with:
          go-version: stable

+      - name: Setup Syft
+        uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
+
      # Necessary to run these outside of goreleaser, otherwise
      # /home/runner/_work/holos/holos/internal/frontend/node_modules/.bin/protoc-gen-connect-query is not in PATH
      - name: Install Tools
@@ -54,11 +57,19 @@ jobs:
      - name: Git diff
        run: git diff

+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v5
        with:
          distribution: goreleaser
-          version: latest
+          version: '~> v2'
          args: release --clean
        env:
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows.disabed/test.yaml
+++ b/.github/workflows.disabed/test.yaml
@@ -13,7 +13,7 @@ permissions:

 jobs:
  test:
-    runs-on: gha-rs
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -28,19 +28,11 @@ jobs:
        with:
          go-version: stable

-      - name: Install Packages
-        run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
-
      - name: Set up Helm
        uses: azure/setup-helm@v4

      - name: Set up Kubectl
-        uses: azure/setup-kubectl@v3
-
-      - name: Install Tools
-        run: |
-          set -x
-          make tools
+        uses: azure/setup-kubectl@v4

      - name: Test
        run: ./scripts/test
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ tmp/
 /holos-k3d/
 /holos-infra/
 node_modules/
+.tmp/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -6,7 +6,7 @@
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
 # vim: set ts=2 sw=2 tw=0 fo=cnqoj

-version: 1
+version: 2

 before:
  hooks:
@@ -50,3 +50,39 @@ changelog:
    exclude:
      - "^docs:"
      - "^test:"
+
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}_source_code'
+
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+brews:
+  - name: holos
+    repository:
+      owner: holos-run
+      name: homebrew-tap
+      branch: main
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    directory: Formula
+    homepage: "https://holos.run"
+    description: "Holos CLI"
+    dependencies:
+      - name: helm
+        type: optional
+      - name: kubectl
+        type: optional
+    install: |
+      bin.install "holos"
+      bash_output = Utils.safe_popen_read(bin/"holos", "completion", "bash")
+      (bash_completion/"holos").write bash_output
+      zsh_output = Utils.safe_popen_read(bin/"holos", "completion", "zsh")
+      (zsh_completion/"_holos").write zsh_output
+      fish_output = Utils.safe_popen_read(bin/"holos", "completion", "fish")
+      (fish_completion/"holos.fish").write fish_output
+    test: |
+      system "#{bin}/holos --version"
--- a/39
+++ b/39
@@ -1,8 +1,31 @@
-FROM quay.io/holos-run/debian:bullseye AS final
-USER root
-WORKDIR /app
-ADD bin bin
-RUN chown -R app: /app
-# Kubernetes requires the user to be numeric
-USER 8192
-ENTRYPOINT bin/holos server
+FROM registry.k8s.io/kubectl:v1.31.0 AS kubectl
+# https://github.com/GoogleContainerTools/distroless
+FROM golang:1.23 AS build
+
+WORKDIR /go/src/app
+COPY . .
+
+RUN CGO_ENABLED=0 make install
+RUN CGO_ENABLED=0 go install sigs.k8s.io/kustomize/kustomize/v5
+
+# Install helm to /usr/local/bin/helm
+# https://helm.sh/docs/intro/install/#from-script
+# https://holos.run/docs/v1alpha5/tutorial/setup/#dependencies
+RUN curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 \
+  && chmod 700 get_helm.sh \
+  && DESIRED_VERSION=v3.16.2 ./get_helm.sh \
+  && rm -f get_helm.sh
+
+COPY --from=kubectl /bin/kubectl /usr/local/bin/
+
+# distroless
+FROM gcr.io/distroless/static-debian12 AS final
+COPY --from=build \
+     /go/bin/holos \
+     /go/bin/kustomize \
+     /usr/local/bin/kubectl \
+     /usr/local/bin/helm \
+     /bin/
+
+# Usage: docker run -v $(pwd):/app --workdir /app --rm -it quay.io/holos-run/holos holos render platform
+CMD ["/bin/holos"]
--- a/17
+++ b/17
@@ -32,17 +32,20 @@ bump: bumppatch
 .PHONY: bumppatch
 bumppatch: ## Bump the patch version.
 	scripts/bump patch
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test

 .PHONY: bumpminor
 bumpminor: ## Bump the minor version.
 	scripts/bump minor
 	scripts/bump patch 0
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test

 .PHONY: bumpmajor
 bumpmajor: ## Bump the major version.
 	scripts/bump major
 	scripts/bump minor 0
 	scripts/bump patch 0
+	HOLOS_UPDATE_SCRIPTS=1 scripts/test

 .PHONY: show-version
 show-version: ## Print the full version.
@@ -75,6 +78,12 @@ build: ## Build holos executable.
 	@echo "GOPATH=${GOPATH}"
 	go build -trimpath -o bin/$(BIN_NAME) -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)

+.PHONY: debug
+debug: ## Build debug executable.
+	@echo "building ${BIN_NAME}-debug ${VERSION}"
+	@echo "GOPATH=${GOPATH}"
+	go build -o bin/$(BIN_NAME)-debug $(REPO_PATH)/cmd/$(BIN_NAME)
+
 linux: ## Build holos executable for tilt.
 	@echo "building ${BIN_NAME}.linux ${VERSION}"
 	@echo "GOPATH=${GOPATH}"
@@ -150,6 +159,14 @@ dev-deploy: install image  ## deploy to dev
 website: ## Build website
 	./hack/build-website

+.PHONY: unity
+unity: ## https://cuelabs.dev/unity/
+	./scripts/unity
+
+.PHONY: update-docs
+update-docs: ## Update doc examples
+	HOLOS_UPDATE_SCRIPTS=1 go test -v ./doc/md/...
+
 .PHONY: help
 help:  ## Display this help menu.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
--- a/README.md
+++ b/README.md
@@ -1,35 +1,130 @@
-## Holos - A Holistic Development Platform
+# Holos

 <img width="50%"
 align="right"
 style="display: block; margin: 40px auto;"
 src="https://openinfrastructure.co/blog/2016/02/27/logo/logorectangle.png">

-Building and maintaining a software development platform is a complex and time
-consuming endeavour.  Organizations often dedicate a team of 3-4 who need 6-12
-months to build the platform.
+[Holos] is a configuration management tool for Kubernetes implementing the
+[rendered manifests pattern]. It handles configurations ranging from single
+resources to multi-cluster platforms across regions.

-Holos is a tool and a reference platform to reduce the complexity and speed up
-the process of building a modern, cloud native software development platform.
+Key components:
+- Platform schemas defining component integration
+- Building blocks unifying Helm, Kustomize and Kubernetes configs with CUE
+- BuildPlan pipeline for generating, transforming and validating manifests

- **Accelerate new projects** - Reduce time to market and operational complexity by starting your new project on top of the Holos reference platform.
- **Modernize existing projects** - Incrementally incorporate your existing platform services into Holos for simpler integration.
- **Unified configuration model** - Increase safety and reduce the risk of config changes with CUE.
- **First class Helm and Kustomize support** - Leverage and reuse your existing investment in existing configuration tools such as Helm and Kustomize.
- **Modern Authentication and Authorization** - Holos seamlessly integrates platform identity and access management with zero-trust beyond corp style authorization policy.
+```mermaid
+---
+title: Rendering Overview
+---
+graph LR
+    Platform[<a href="https://holos.run/docs/v1alpha5/api/author/#Platform">Platform</a>]
+    Component[<a href="https://holos.run/docs/v1alpha5/api/author/#ComponentConfig">Components</a>]

-## Quick Installation
+    Helm[<a href="https://holos.run/docs/v1alpha5/api/author/#Helm">Helm</a>]
+    Kustomize[<a href="https://holos.run/docs/v1alpha5/api/author/#Kustomize">Kustomize</a>]
+    Kubernetes[<a href="https://holos.run/docs/v1alpha5/api/author/#Kubernetes">Kubernetes</a>]

-```console
-go install github.com/holos-run/holos/cmd/holos@latest
+    BuildPlan[<a href="https://holos.run/docs/v1alpha5/api/core/#BuildPlan">BuildPlan</a>]
+
+    ResourcesArtifact[<a href="https://holos.run/docs/v1alpha5/api/core/#Artifact">Resources<br/>Artifact</a>]
+    GitOpsArtifact[<a href="https://holos.run/docs/v1alpha5/api/core/#Artifact">GitOps<br/>Artifact</a>]
+
+    Generators[<a href="https://holos.run/docs/v1alpha5/api/core/#Generator">Generators</a>]
+    Transformers[<a href="https://holos.run/docs/v1alpha5/api/core/#Transformer">Transformers</a>]
+    Validators[<a href="https://holos.run/docs/v1alpha5/api/core/#Validator">Validators</a>]
+    Files[Manifest<br/>Files]
+
+    Platform --> Component
+    Component --> Helm --> BuildPlan
+    Component --> Kubernetes --> BuildPlan
+    Component --> Kustomize --> BuildPlan
+
+    BuildPlan --> ResourcesArtifact --> Generators
+    BuildPlan --> GitOpsArtifact --> Generators
+
+    Generators --> Transformers --> Validators --> Files
 ```

-## Docs and Support
+## Setup

-The documentation for developing and using Holos is available at: https://holos.run
+```shell
+brew install holos-run/tap/holos
+```

-For discussion and support, [open a discussion](https://github.com/orgs/holos-run/discussions/new/choose).
+Refer to [setup] for other installation methods and dependencies.
+
+## Example
+
+See our [tutorial] for a complete hello world example.
+
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+	Values: ui: {
+		message: string | *"Hello World" @tag(message, type=string)
+	}
+}
+```
+
+## Organizational Role
+
+Platform engineers use Holos to generate Kubernetes manifests, both locally and
+in CI pipelines. The manifests are committed to version control and deployed via
+GitOps tools like ArgoCD or Flux.
+
+Holos integrates seamlessly with existing Helm charts, Kustomize bases, and
+other version-controlled configurations.
+
+## Advantages of Holos
+
+### Safe
+
+Holos leverages [CUE] for strong typing and validation of configuration data,
+ensuring consistent output from Helm and other tools.
+
+### Consistent
+
+A unified pipeline processes all configurations - whether from CUE, Helm, or
+Kustomize - through the same well-defined stages.
+
+### Flexible
+
+Composable building blocks for generation, transformation, validation and
+integration let teams assemble workflows that match their needs.
+
+The core is intentionally unopinionated about platform configuration patterns.
+Common needs like environments and clusters are provided as customizable
+[topics] recipes rather than enforced structures.
+
+## Getting Help
+
+Get support through our [Discord] channel or [GitHub discussions]. Configuration
+challenges arise at all experience levels - we welcome your questions and are
+here to help.

 ## License

 Holos is licensed under Apache 2.0 as found in the [LICENSE file](LICENSE).
+
+[Holos]: https://holos.run/docs/overview/
+[rendered manifests pattern]: https://akuity.io/blog/the-rendered-manifests-pattern
+[CUE]: https://cuelang.org/
+[Discord]: https://discord.gg/JgDVbNpye7
+[GitHub discussions]: https://github.com/holos-run/holos/discussions
+[Why CUE for Configuration]: https://holos.run/blog/why-cue-for-configuration/
+[tutorial]: https://holos.run/docs/overview/
+[setup]: https://holos.run/docs/setup/
+[topics]: https://holos.run/docs/topics/
--- a/api/author/v1alpha5/definitions.go
+++ b/api/author/v1alpha5/definitions.go
@@ -0,0 +1,155 @@
+// Package author contains a standard set of schemas for component authors to
+// generate common [core] BuildPlans.
+//
+// Holos values stability, flexibility, and composition.  This package
+// intentionally defines only the minimal necessary set of structures.
+// Component authors are encouraged to define their own structures building on
+// our example [topics].
+//
+// The Holos Maintainers may add definitions to this package if the community
+// identifies nearly all users must define the exact same structure.  Otherwise,
+// definitions should be added as a customizable example in [topics].
+//
+// For example, structures representing a cluster and environment almost always
+// need to be defined.  Their definition varies from one organization to the
+// next.  Therefore, customizable definitions for a cluster and environment are
+// best maintained in [topics], not standardized in this package.
+//
+// [core]: https://holos.run/docs/api/core/
+// [topics]: https://holos.run/docs/topics/
+package author
+
+import core "github.com/holos-run/holos/api/core/v1alpha5"
+
+//go:generate ../../../hack/gendoc
+
+// Platform assembles a core Platform in the Resource field for the holos render
+// platform command.  Use the Components field to register components with the
+// platform.
+type Platform struct {
+	Name       string
+	Components map[NameLabel]core.Component
+	Resource   core.Platform
+}
+
+// ComponentConfig represents the configuration common to all kinds of
+// components for use with the holos render component command.  All component
+// kinds may be transformed with [kustomize] configured with the
+// [KustomizeConfig] field.
+//
+//   - [Helm] charts.
+//   - [Kubernetes] resources generated from CUE.
+//   - [Kustomize] bases.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type ComponentConfig struct {
+	// Name represents the BuildPlan metadata.name field.  Used to construct the
+	// fully rendered manifest file path.
+	Name string
+	// Labels represent the BuildPlan metadata.labels field.
+	Labels map[string]string
+	// Annotations represent the BuildPlan metadata.annotations field.
+	Annotations map[string]string
+
+	// Path represents the path to the component producing the BuildPlan.
+	Path string
+	// Parameters are useful to reuse a component with various parameters.
+	// Injected as CUE @tag variables.  Parameters with a "holos_" prefix are
+	// reserved for use by the Holos Authors.
+	Parameters map[string]string
+	// OutputBaseDir represents the output base directory used when assembling
+	// artifacts.  Useful to organize components by clusters or other parameters.
+	// For example, holos writes resource manifests to
+	// {WriteTo}/{OutputBaseDir}/components/{Name}/{Name}.gen.yaml
+	OutputBaseDir string `cue:"string | *\"\""`
+
+	// Resources represents kubernetes resources mixed into the rendered manifest.
+	Resources core.Resources
+	// KustomizeConfig represents the kustomize configuration.
+	KustomizeConfig KustomizeConfig
+	// Validators represent checks that must pass for output to be written.
+	Validators map[NameLabel]core.Validator
+	// Artifacts represents additional artifacts to mix in.  Useful for adding
+	// GitOps resources.  Each Artifact is unified without modification into the
+	// BuildPlan.
+	Artifacts map[NameLabel]core.Artifact
+}
+
+// Helm assembles a BuildPlan rendering a helm chart.  Useful to mix in
+// additional resources from CUE and transform the helm output with kustomize.
+type Helm struct {
+	ComponentConfig `json:",inline"`
+
+	// Chart represents a Helm chart.
+	Chart core.Chart
+	// Values represents data to marshal into a values.yaml for helm.
+	Values core.Values
+	// ValueFiles represents value files for migration from helm value
+	// hierarchies.  Use Values instead.
+	ValueFiles []core.ValueFile `json:",omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `cue:"true | *false"`
+	// Namespace sets the helm chart namespace flag if provided.
+	Namespace string `json:",omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:",omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:",omitempty"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kubernetes assembles a BuildPlan containing inline resources exported from
+// CUE.
+type Kubernetes struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// Kustomize assembles a BuildPlan rendering manifests from a [kustomize]
+// kustomization.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type Kustomize struct {
+	ComponentConfig `json:",inline"`
+
+	// BuildPlan represents the derived BuildPlan produced for the holos render
+	// component command.
+	BuildPlan core.BuildPlan
+}
+
+// KustomizeConfig represents the configuration for [kustomize] post processing.
+// Use the Files field to mix in plain manifest files located in the component
+// directory.  Use the Resources field to mix in manifests from network urls.
+//
+// [kustomize]: https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
+type KustomizeConfig struct {
+	// Kustomization represents the kustomization used to transform resources.
+	// Note the resources field is internally managed from the Files and Resources fields.
+	Kustomization map[string]any `json:",omitempty"`
+	// Files represents files to copy from the component directory for kustomization.
+	Files map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// Resources represents additional entries to included in the resources list.
+	Resources map[string]struct{ Source string } `cue:"{[NAME=_]: Source: NAME}"`
+	// CommonLabels represents common labels added without including selectors.
+	CommonLabels map[string]string
+}
+
+// NameLabel represents the common use case of converting a struct to a list
+// where the name field of each value unifies with the field name of the outer
+// struct.
+//
+// For example:
+//
+//	S: [NameLabel=string]: name: NameLabel
+//	S: jeff: _
+//	S: gary: _
+//	S: nate: _
+//	L: [for x in S {x}]
+//	// L is [{name: "jeff"}, {name: "gary"}, {name: "nate"}]
+type NameLabel string
--- a/api/author/v1alpha5/header.yaml
+++ b/api/author/v1alpha5/header.yaml
@@ -0,0 +1,5 @@
+---
+title: Author Schemas
+description: Standardized schemas for component authors.
+sidebar_position: 200
+---
--- a/api/core/v1alpha4/header.yaml
+++ b/api/core/v1alpha4/header.yaml
@@ -1,4 +1,4 @@
 ---
-description: Core v1alpha2 schema for advanced use cases.
-sidebar_position: 996
+description: Core schema for holos to render a component BuildPlan.
+sidebar_position: 100
 ---
--- a/api/core/v1alpha5/header.yaml
+++ b/api/core/v1alpha5/header.yaml
@@ -0,0 +1,5 @@
+---
+title: Core Schemas
+description: BuildPlan defines the holos rendering pipeline.
+sidebar_position: 100
+---
--- a/api/core/v1alpha5/types.go
+++ b/api/core/v1alpha5/types.go
@@ -0,0 +1,400 @@
+// Package core contains schemas for a [Platform] and [BuildPlan].  Holos takes
+// a [Platform] as input, then iterates over each [Component] to produce a
+// [BuildPlan].  Holos processes the [BuildPlan] to produce fully rendered
+// manifests, each an [Artifact].
+package core
+
+//go:generate ../../../hack/gendoc
+
+// BuildPlan represents an implementation of the [rendered manifest pattern].
+// Holos processes a BuildPlan to produce one or more [Artifact] output files.
+// BuildPlan artifact files usually contain Kubernetes manifests, but they may
+// have any content.
+//
+// A BuildPlan usually produces two artifacts.  One artifact contains a manifest
+// of resources.  A second artifact contains a GitOps resource to manage the
+// first, usually an ArgoCD Application resource.
+//
+// Holos uses CUE to construct a BuildPlan.  A future enhancement will support
+// user defined executables providing a BuildPlan to Holos in the style of an
+// [external credential provider].
+//
+// [rendered manifest pattern]: https://akuity.io/blog/the-rendered-manifests-pattern
+// [external credential provider]: https://github.com/kubernetes/enhancements/blob/313ad8b59c80819659e1fbf0f165230f633f2b22/keps/sig-auth/541-external-credential-providers/README.md
+type BuildPlan struct {
+	// Kind represents the type of the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"BuildPlan\""`
+	// APIVersion represents the versioned schema of the resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha5\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+	// Spec specifies the desired state of the resource.
+	Spec BuildPlanSpec `json:"spec" yaml:"spec"`
+}
+
+// BuildPlanSpec represents the specification of the [BuildPlan].
+type BuildPlanSpec struct {
+	// Artifacts represents the artifacts for holos to build.
+	Artifacts []Artifact `json:"artifacts" yaml:"artifacts"`
+	// Disabled causes the holos cli to disregard the build plan.
+	Disabled bool `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+}
+
+// Artifact represents one fully rendered manifest produced by a [Transformer]
+// sequence, which transforms a [Generator] collection.  A [BuildPlan] produces
+// an [Artifact] collection.
+//
+// Each Artifact produces one manifest file artifact.  Generator Output values
+// are used as Transformer Inputs.  The Output field of the final [Transformer]
+// should have the same value as the Artifact field.
+//
+// When there is more than one [Generator] there must be at least one
+// [Transformer] to combine outputs into one Artifact.  If there is a single
+// Generator, it may directly produce the Artifact output.
+//
+// An Artifact is processed concurrently with other artifacts in the same
+// [BuildPlan].  An Artifact should not use an output from another Artifact as
+// an input.  Each [Generator] may also run concurrently.  Each [Transformer] is
+// executed sequentially starting after all generators have completed.
+//
+// Output fields are write-once.  It is an error for multiple Generators or
+// Transformers to produce the same Output value within the context of a
+// [BuildPlan].
+type Artifact struct {
+	Artifact     FilePath      `json:"artifact,omitempty" yaml:"artifact,omitempty"`
+	Generators   []Generator   `json:"generators,omitempty" yaml:"generators,omitempty"`
+	Transformers []Transformer `json:"transformers,omitempty" yaml:"transformers,omitempty"`
+	Validators   []Validator   `json:"validators,omitempty" yaml:"validators,omitempty"`
+	Skip         bool          `json:"skip,omitempty" yaml:"skip,omitempty"`
+}
+
+// Generator generates Kubernetes resources.  [Helm] and [Resources] are the
+// most commonly used, often paired together to mix-in resources to an
+// unmodified Helm chart.  A simple [File] generator is also available for use
+// with the [Kustomize] transformer.
+//
+// Each Generator in an [Artifact] must have a distinct Output value for a
+// [Transformer] to reference.
+//
+//  1. [Resources] - Generates resources from CUE code.
+//  2. [Helm] - Generates rendered yaml from a [Chart].
+//  3. [File] - Generates data by reading a file from the component directory.
+type Generator struct {
+	// Kind represents the kind of generator.  Must be Resources, Helm, or File.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Resources\" | \"Helm\" | \"File\""`
+	// Output represents a file for a Transformer or Artifact to consume.
+	Output FilePath `json:"output" yaml:"output"`
+	// Resources generator. Ignored unless kind is Resources.  Resources are
+	// stored as a two level struct.  The top level key is the Kind of resource,
+	// e.g. Namespace or Deployment.  The second level key is an arbitrary
+	// InternalLabel.  The third level is a map[string]any representing the
+	// Resource.
+	Resources Resources `json:"resources,omitempty" yaml:"resources,omitempty"`
+	// Helm generator. Ignored unless kind is Helm.
+	Helm Helm `json:"helm,omitempty" yaml:"helm,omitempty"`
+	// File generator. Ignored unless kind is File.
+	File File `json:"file,omitempty" yaml:"file,omitempty"`
+}
+
+// Resource represents one kubernetes api object.
+type Resource map[string]any
+
+// Resources represents Kubernetes resources.  Most commonly used to mix
+// resources into the [BuildPlan] generated from CUE, but may be generated from
+// elsewhere.
+type Resources map[Kind]map[InternalLabel]Resource
+
+// File represents a simple single file copy [Generator].  Useful with a
+// [Kustomize] [Transformer] to process plain manifest files stored in the
+// component directory.  Multiple File generators may be used to transform
+// multiple resources.
+type File struct {
+	// Source represents a file sub-path relative to the component path.
+	Source FilePath `json:"source" yaml:"source"`
+}
+
+// Helm represents a [Chart] manifest [Generator].
+type Helm struct {
+	// Chart represents a helm chart to manage.
+	Chart Chart `json:"chart" yaml:"chart"`
+	// Values represents values for holos to marshal into values.yaml when
+	// rendering the chart.  Values follow ValueFiles when both are provided.
+	Values Values `json:"values" yaml:"values"`
+	// ValueFiles represents hierarchial value files passed in order to the helm
+	// template -f flag.  Useful for migration from an ApplicationSet.  Use Values
+	// instead.  ValueFiles precede Values when both are provided.
+	ValueFiles []ValueFile `json:"valueFiles,omitempty" yaml:"valueFiles,omitempty"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `json:"enableHooks,omitempty" yaml:"enableHooks,omitempty"`
+	// Namespace represents the helm namespace flag
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"`
+}
+
+// ValueFile represents one Helm value file produced from CUE.
+type ValueFile struct {
+	// Name represents the file name, e.g. "region-values.yaml"
+	Name string `json:"name" yaml:"name"`
+	// Kind is a discriminator.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Values\""`
+	// Values represents values for holos to marshal into the file name specified
+	// by Name when rendering the chart.
+	Values Values `json:"values,omitempty" yaml:"values,omitempty"`
+}
+
+// Values represents [Helm] Chart values generated from CUE.
+type Values map[string]any
+
+// Chart represents a [Helm] Chart.
+type Chart struct {
+	// Name represents the chart name.
+	Name string `json:"name" yaml:"name"`
+	// Version represents the chart version.
+	Version string `json:"version" yaml:"version"`
+	// Release represents the chart release when executing helm template.
+	Release string `json:"release" yaml:"release"`
+	// Repository represents the repository to fetch the chart from.
+	Repository Repository `json:"repository,omitempty" yaml:"repository,omitempty"`
+}
+
+// Repository represents a [Helm] [Chart] repository.
+//
+// The Auth field is useful to configure http basic authentication to the Helm
+// repository.  Holos gets the username and password from the environment
+// variables represented by the Auth field.
+type Repository struct {
+	Name string `json:"name" yaml:"name"`
+	URL  string `json:"url" yaml:"url"`
+	Auth Auth   `json:"auth,omitempty" yaml:"auth,omitempty"`
+}
+
+// Auth represents environment variable names containing auth credentials.
+type Auth struct {
+	Username AuthSource `json:"username" yaml:"username"`
+	Password AuthSource `json:"password" yaml:"password"`
+}
+
+// AuthSource represents a source for the value of an [Auth] field.
+type AuthSource struct {
+	Value   string `json:"value,omitempty" yaml:"value,omitempty"`
+	FromEnv string `json:"fromEnv,omitempty" yaml:"fromEnv,omitempty"`
+}
+
+// Transformer combines multiple inputs from prior [Generator] or [Transformer]
+// outputs into one output.  [Kustomize] is the most commonly used transformer.
+// A simple [Join] is also supported for use with plain manifest files.
+//
+//  1. [Kustomize] - Patch and transform the output from prior generators or
+//     transformers.  See [Introduction to Kustomize].
+//  2. [Join] - Concatenate multiple prior outputs into one output.
+//  3. [Slice] - Slice an artifact into multiple artifacts using [kubectl-slice].
+//
+// [Introduction to Kustomize]: https://kubectl.docs.kubernetes.io/guides/config_management/introduction/
+// [kubectl-slice]: https://github.com/patrickdappollonio/kubectl-slice
+type Transformer struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Kustomize\" | \"Join\" | \"Slice\""`
+	// Inputs represents the files to transform. The Output of prior Generators
+	// and Transformers.
+	Inputs []FilePath `json:"inputs" yaml:"inputs"`
+	// Output represents a file for a subsequent Transformer or Artifact to
+	// consume.
+	Output FilePath `json:"output" yaml:"output"`
+	// Kustomize transformer. Ignored unless kind is Kustomize.
+	Kustomize Kustomize `json:"kustomize,omitempty" yaml:"kustomize,omitempty"`
+	// Join transformer. Ignored unless kind is Join.
+	Join Join `json:"join,omitempty" yaml:"join,omitempty"`
+}
+
+// Join represents a [Transformer] using [bytes.Join] to concatenate multiple
+// inputs into one output with a separator.  Useful for combining output from
+// [Helm] and [Resources] together into one [Artifact] when [Kustomize] is
+// otherwise unnecessary.
+//
+// [bytes.Join]: https://pkg.go.dev/bytes#Join
+type Join struct {
+	Separator string `json:"separator,omitempty" yaml:"separator,omitempty"`
+}
+
+// Kustomize represents a kustomization [Transformer].
+type Kustomize struct {
+	// Kustomization represents the decoded kustomization.yaml file
+	Kustomization Kustomization `json:"kustomization" yaml:"kustomization"`
+	// Files holds file contents for kustomize, e.g. patch files.
+	Files FileContentMap `json:"files,omitempty" yaml:"files,omitempty"`
+}
+
+// Kustomization represents a kustomization.yaml file for use with the
+// [Kustomize] [Transformer].  Untyped to avoid tightly coupling holos to
+// kubectl versions which was a problem for the Flux maintainers.  Type checking
+// is expected to happen in CUE against the kubectl version the user prefers.
+type Kustomization map[string]any
+
+// FileContentMap represents a mapping of file paths to file contents.
+type FileContentMap map[FilePath]FileContent
+
+// FilePath represents a file path.
+type FilePath string
+
+// FileContent represents file contents.
+type FileContent string
+
+// Validator validates files.  Useful to validate an [Artifact] prior to writing
+// it out to the final destination.  Holos may execute validators concurrently.
+// See the [validators] tutorial for an end to end example.
+//
+// [validators]: https://holos.run/docs/v1alpha5/tutorial/validators/
+type Validator struct {
+	// Kind represents the kind of transformer. Must be Kustomize, or Join.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Command\""`
+	// Inputs represents the files to validate.  Usually the final Artifact.
+	Inputs []FilePath `json:"inputs" yaml:"inputs"`
+	// Command represents a validation command.  Ignored unless kind is Command.
+	Command Command `json:"command,omitempty" yaml:"command,omitempty"`
+}
+
+// Command represents a generic command for use as a Generator, Transformer, or
+// Validator.  Holos uses the Go template engine to render the Args field using
+// data provided by the TaskData field.  For example to fill in the fully
+// qualified temporary directory used to provide inputs to the task.
+type Command struct {
+	// DisplayName represents a friendly display name for the command.
+	DisplayName string `json:"displayName,omitempty" yaml:"displayName,omitempty"`
+	// Args represents the complete command argument vector as a go template.
+	Args []string `json:"args,omitempty" yaml:"args,omitempty"`
+	// OutputRef references the source of the output data.
+	OutputRef OutputRef `json:"outputRef,omitempty" yaml:"outputRef,omitempty"`
+	// TaskData populated by Holos for template rendering.
+	TaskData TaskData `json:"taskData,omitempty" yaml:"taskData,omitempty"`
+	// TODO(jjm): add command environment variable support similar to args.
+}
+
+// TaskData represents data values associated with a pipeline task necessary to
+// execute the task.  For example, the randomly generated temporary directory
+// used to read and write artifact files when executing user defined task
+// commands.  Values of this struct are intended for the Go template engine.
+//
+// Holos populates this struct as needed.  Holos may treat user provided values
+// as an error condition.
+type TaskData struct {
+	// TempDir represents the temp directory holos manages for task artifacts.
+	TempDir string `json:"tempDir,omitempty" yaml:"tempDir,omitempty"`
+}
+
+// OutputRef represents a reference to the data source used as the output of a
+// task.  For example, a Generator output may be sourced from standard output or
+// a file path.
+type OutputRef struct {
+	// Kind represents the kind of output produced.
+	Kind string `json:"kind,omitempty" yaml:"kind,omitempty" cue:"string | *\"Pipe\" | \"Path\""`
+	// Pipe represents stdout or stderr.  Ignored unless kind is Pipe.
+	Pipe string `json:"pipe,omitempty" yaml:"pipe,omitempty" cue:"string | *\"stdout\" | \"stderr\""`
+	// Path represents an artifact path relative to the task temp directory.
+	// Ignored unless kind is Path.
+	Path string `json:"path,omitempty" yaml:"path,omitempty"`
+	// TODO(jjm): support jsonpath or cel references to the output data maybe?
+}
+
+// InternalLabel is an arbitrary unique identifier internal to holos itself.
+// The holos cli is expected to never write a InternalLabel value to rendered
+// output files, therefore use a InternalLabel when the identifier must be
+// unique and internal.  Defined as a type for clarity and type checking.
+type InternalLabel string
+
+// Kind is a discriminator. Defined as a type for clarity and type checking.
+type Kind string
+
+// Metadata represents data about the resource such as the Name.
+type Metadata struct {
+	// Name represents the resource name.
+	Name string `json:"name" yaml:"name"`
+	// Labels represents a resource selector.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  For example
+	// holos uses the `app.holos.run/description` annotation to log resources in a
+	// user customized way.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
+// Platform represents a platform to manage.  A Platform specifies a [Component]
+// collection and integrates the components together into a holistic platform.
+// Holos iterates over the [Component] collection producing a [BuildPlan] for
+// each, which holos then executes to render manifests.
+//
+// Inspect a Platform resource holos would process by executing:
+//
+//	cue export --out yaml ./platform
+type Platform struct {
+	// Kind is a string value representing the resource.
+	Kind string `json:"kind" yaml:"kind" cue:"\"Platform\""`
+	// APIVersion represents the versioned schema of this resource.
+	APIVersion string `json:"apiVersion" yaml:"apiVersion" cue:"string | *\"v1alpha5\""`
+	// Metadata represents data about the resource such as the Name.
+	Metadata Metadata `json:"metadata" yaml:"metadata"`
+
+	// Spec represents the platform specification.
+	Spec PlatformSpec `json:"spec" yaml:"spec"`
+}
+
+// PlatformSpec represents the platform specification.
+type PlatformSpec struct {
+	// Components represents a collection of holos components to manage.
+	Components []Component `json:"components" yaml:"components"`
+}
+
+// Component represents the complete context necessary to produce a [BuildPlan]
+// from a path containing parameterized CUE configuration.
+type Component struct {
+	// Name represents the name of the component. Injected as the tag variable
+	// "holos_component_name".
+	Name string `json:"name" yaml:"name"`
+	// Path represents the path of the component relative to the platform root.
+	// Injected as the tag variable "holos_component_path".
+	Path string `json:"path" yaml:"path"`
+	// Instances represents additional cue instance paths to unify with Path.
+	// Useful to unify data files into a component BuildPlan.  Added in holos
+	// 0.101.7.
+	Instances []Instance `json:"instances,omitempty" yaml:"instances,omitempty"`
+	// WriteTo represents the holos render component --write-to flag.  If empty,
+	// the default value for the --write-to flag is used.
+	WriteTo string `json:"writeTo,omitempty" yaml:"writeTo,omitempty"`
+	// Parameters represent user defined input variables to produce various
+	// [BuildPlan] resources from one component path.  Injected as CUE @tag
+	// variables.  Parameters with a "holos_" prefix are reserved for use by the
+	// Holos Authors.  Multiple environments are a prime example of an input
+	// parameter that should always be user defined, never defined by Holos.
+	Parameters map[string]string `json:"parameters,omitempty" yaml:"parameters,omitempty"`
+	// Labels represent selector labels for the component.  Copied to the
+	// resulting BuildPlan.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations represents arbitrary non-identifying metadata.  Use the
+	// `app.holos.run/description` to customize the log message of each BuildPlan.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}
+
+// Instance represents a data instance to unify with the configuration.
+//
+// Useful to unify json and yaml files with cue configuration files for
+// integration with other tools.  For example, executing holos render platform
+// from a pull request workflow after [Kargo] executes the [yaml update] and
+// [git wait for pr] promotion steps.
+//
+// [Kargo]: https://docs.kargo.io/
+// [yaml update]: https://docs.kargo.io/references/promotion-steps#yaml-update
+// [git wait for pr]: https://docs.kargo.io/references/promotion-steps#git-wait-for-pr
+type Instance struct {
+	// Kind is a discriminator.
+	Kind string `json:"kind" yaml:"kind" cue:"\"ExtractYAML\""`
+	// Ignored unless kind is ExtractYAML.
+	ExtractYAML ExtractYAML `json:"extractYAML,omitempty" yaml:"extractYAML,omitempty"`
+}
+
+// ExtractYAML represents a cue data instance encoded as yaml or json. If Path
+// refers to a directory all files in the directory are extracted
+// non-recursively.  Otherwise, path must refer to a file.
+type ExtractYAML struct {
+	Path string `json:"path" yaml:"path"`
+}
--- a/api/v1alpha1/buildplan.go
+++ b/api/v1alpha1/buildplan.go
@@ -1,56 +0,0 @@
-package v1alpha1
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-)
-
-// BuildPlan is the primary interface between CUE and the Holos cli.
-type BuildPlan struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	// Metadata represents the holos component name
-	Metadata ObjectMeta    `json:"metadata,omitempty" yaml:"metadata,omitempty"`
-	Spec     BuildPlanSpec `json:"spec,omitempty" yaml:"spec,omitempty"`
-}
-
-type BuildPlanSpec struct {
-	Disabled   bool                `json:"disabled,omitempty" yaml:"disabled,omitempty"`
-	Components BuildPlanComponents `json:"components,omitempty" yaml:"components,omitempty"`
-	// DeployFiles keys represent file paths relative to the cluster deploy
-	// directory.  Map values represent the string encoded file contents.  Used to
-	// write the argocd Application, but may be used to render any file from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
-}
-
-type BuildPlanComponents struct {
-	HelmChartList         []HelmChart                  `json:"helmChartList,omitempty" yaml:"helmChartList,omitempty"`
-	KubernetesObjectsList []KubernetesObjects          `json:"kubernetesObjectsList,omitempty" yaml:"kubernetesObjectsList,omitempty"`
-	KustomizeBuildList    []KustomizeBuild             `json:"kustomizeBuildList,omitempty" yaml:"kustomizeBuildList,omitempty"`
-	Resources             map[string]KubernetesObjects `json:"resources,omitempty" yaml:"resources,omitempty"`
-}
-
-func (bp *BuildPlan) Validate() error {
-	errs := make([]string, 0, 2)
-	if bp.Kind != BuildPlanKind {
-		errs = append(errs, fmt.Sprintf("kind invalid: want: %s have: %s", BuildPlanKind, bp.Kind))
-	}
-	if bp.APIVersion != APIVersion {
-		errs = append(errs, fmt.Sprintf("apiVersion invalid: want: %s have: %s", APIVersion, bp.APIVersion))
-	}
-	if len(errs) > 0 {
-		return errors.New("invalid BuildPlan: " + strings.Join(errs, ", "))
-	}
-	return nil
-}
-
-func (bp *BuildPlan) ResultCapacity() (count int) {
-	if bp == nil {
-		return 0
-	}
-	count = len(bp.Spec.Components.HelmChartList) +
-		len(bp.Spec.Components.KubernetesObjectsList) +
-		len(bp.Spec.Components.KustomizeBuildList) +
-		len(bp.Spec.Components.Resources)
-	return count
-}
--- a/api/v1alpha1/component.go
+++ b/api/v1alpha1/component.go
@@ -1,30 +0,0 @@
-package v1alpha1
-
-// HolosComponent defines the fields common to all holos component kinds including the Render Result.
-type HolosComponent struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	// Metadata represents the holos component name
-	Metadata ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
-	// APIObjectMap holds the marshalled representation of api objects. Think of
-	// these as resources overlaid at the back of the render pipeline.
-	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty" yaml:"apiObjectMap,omitempty"`
-	// Kustomization holds the marshalled representation of the flux kustomization
-	// which reconciles resources in git with the api server.
-	Kustomization `json:",inline" yaml:",inline"`
-	// Kustomize represents a kubectl kustomize build post-processing step.
-	Kustomize `json:",inline" yaml:",inline"`
-	// Skip causes holos to take no action regarding the component.
-	Skip bool
-}
-
-func (hc *HolosComponent) NewResult() *Result {
-	return &Result{HolosComponent: *hc}
-}
-
-func (hc *HolosComponent) GetAPIVersion() string {
-	return hc.APIVersion
-}
-
-func (hc *HolosComponent) GetKind() string {
-	return hc.Kind
-}
--- a/api/v1alpha1/constants.go
+++ b/api/v1alpha1/constants.go
@@ -1,11 +0,0 @@
-package v1alpha1
-
-const (
-	APIVersion    = "holos.run/v1alpha1"
-	BuildPlanKind = "BuildPlan"
-	HelmChartKind = "HelmChart"
-	// ChartDir is the directory name created in the holos component directory to cache a chart.
-	ChartDir = "vendor"
-	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
-	ResourcesFile = "resources.yaml"
-)
--- a/api/v1alpha1/doc.go
+++ b/api/v1alpha1/doc.go
@@ -1,2 +0,0 @@
-// Package v1alpha1 defines the api boundary between CUE and Holos.
-package v1alpha1
--- a/api/v1alpha1/form.go
+++ b/api/v1alpha1/form.go
@@ -1,13 +0,0 @@
-package v1alpha1
-
-import object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
-
-// Form represents a collection of Formly json powered form.
-type Form struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	Spec     FormSpec `json:"spec" yaml:"spec"`
-}
-
-type FormSpec struct {
-	Form object.Form `json:"form" yaml:"form"`
-}
--- a/api/v1alpha1/helm.go
+++ b/api/v1alpha1/helm.go
@@ -1,184 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"syscall"
-
-	"github.com/holos-run/holos"
-	"github.com/holos-run/holos/internal/errors"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/internal/util"
-)
-
-// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
-type HelmChart struct {
-	HolosComponent `json:",inline" yaml:",inline"`
-	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
-	Namespace     string `json:"namespace"`
-	Chart         Chart  `json:"chart"`
-	ValuesContent string `json:"valuesContent"`
-	EnableHooks   bool   `json:"enableHooks"`
-}
-
-type Chart struct {
-	Name       string     `json:"name"`
-	Version    string     `json:"version"`
-	Release    string     `json:"release"`
-	Repository Repository `json:"repository,omitempty"`
-}
-
-type Repository struct {
-	Name string `json:"name"`
-	URL  string `json:"url"`
-}
-
-func (hc *HelmChart) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
-	result := Result{HolosComponent: hc.HolosComponent}
-	if err := hc.helm(ctx, &result, path); err != nil {
-		return nil, err
-	}
-	result.addObjectMap(ctx, hc.APIObjectMap)
-	if err := result.kustomize(ctx); err != nil {
-		return nil, errors.Wrap(fmt.Errorf("could not kustomize: %w", err))
-	}
-	return &result, nil
-}
-
-// runHelm provides the values produced by CUE to helm template and returns
-// the rendered kubernetes api objects in the result.
-func (hc *HelmChart) helm(ctx context.Context, r *Result, path holos.InstancePath) error {
-	log := logger.FromContext(ctx).With("chart", hc.Chart.Name)
-	if hc.Chart.Name == "" {
-		log.WarnContext(ctx, "skipping helm: no chart name specified, use a different component type")
-		return nil
-	}
-
-	cachedChartPath := filepath.Join(string(path), ChartDir, filepath.Base(hc.Chart.Name))
-	if isNotExist(cachedChartPath) {
-		// Add repositories
-		repo := hc.Chart.Repository
-		if repo.URL != "" {
-			out, err := util.RunCmd(ctx, "helm", "repo", "add", repo.Name, repo.URL)
-			if err != nil {
-				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
-				return errors.Wrap(fmt.Errorf("could not run helm repo add: %w", err))
-			}
-			// Update repository
-			out, err = util.RunCmd(ctx, "helm", "repo", "update", repo.Name)
-			if err != nil {
-				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
-				return errors.Wrap(fmt.Errorf("could not run helm repo update: %w", err))
-			}
-		} else {
-			log.DebugContext(ctx, "no chart repository url proceeding assuming oci chart")
-		}
-
-		// Cache the chart
-		if err := cacheChart(ctx, path, ChartDir, hc.Chart); err != nil {
-			return fmt.Errorf("could not cache chart: %w", err)
-		}
-	}
-
-	// Write values file
-	tempDir, err := os.MkdirTemp("", "holos")
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not make temp dir: %w", err))
-	}
-	defer util.Remove(ctx, tempDir)
-
-	valuesPath := filepath.Join(tempDir, "values.yaml")
-	if err := os.WriteFile(valuesPath, []byte(hc.ValuesContent), 0644); err != nil {
-		return errors.Wrap(fmt.Errorf("could not write values: %w", err))
-	}
-	log.DebugContext(ctx, "helm: wrote values", "path", valuesPath, "bytes", len(hc.ValuesContent))
-
-	// Run charts
-	chart := hc.Chart
-	args := []string{"template"}
-	if !hc.EnableHooks {
-		args = append(args, "--no-hooks")
-	}
-	namespace := hc.Namespace
-	args = append(args, "--include-crds", "--values", valuesPath, "--namespace", namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Release, cachedChartPath)
-	helmOut, err := util.RunCmd(ctx, "helm", args...)
-	if err != nil {
-		stderr := helmOut.Stderr.String()
-		lines := strings.Split(stderr, "\n")
-		for _, line := range lines {
-			if strings.HasPrefix(line, "Error:") {
-				err = fmt.Errorf("%s: %w", line, err)
-			}
-		}
-		return errors.Wrap(fmt.Errorf("could not run helm template: %w", err))
-	}
-
-	r.accumulatedOutput = helmOut.Stdout.String()
-
-	return nil
-}
-
-// cacheChart stores a cached copy of Chart in the chart subdirectory of path.
-//
-// It is assumed that the only method responsible for writing to chartDir is
-// cacheChart itself.
-//
-// This relies on the atomicity of moving temporary directories into place on
-// the same filesystem via os.Rename. If a syscall.EEXIST error occurs during
-// renaming, it indicates that the cached chart already exists, which is an
-// expected scenario when this function is called concurrently.
-func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, chart Chart) error {
-	log := logger.FromContext(ctx)
-
-	cacheTemp, err := os.MkdirTemp(string(path), chartDir)
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not make temp dir: %w", err))
-	}
-	defer util.Remove(ctx, cacheTemp)
-
-	chartName := chart.Name
-	if chart.Repository.Name != "" {
-		chartName = fmt.Sprintf("%s/%s", chart.Repository.Name, chart.Name)
-	}
-	helmOut, err := util.RunCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, chartName)
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not run helm pull: %w", err))
-	}
-	log.Debug("helm pull", "stdout", helmOut.Stdout, "stderr", helmOut.Stderr)
-
-	cachePath := filepath.Join(string(path), chartDir)
-
-	if err := os.MkdirAll(cachePath, 0777); err != nil {
-		return errors.Wrap(fmt.Errorf("could not mkdir: %w", err))
-	}
-
-	items, err := os.ReadDir(cacheTemp)
-	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not read directory: %w", err))
-	}
-
-	for _, item := range items {
-		src := filepath.Join(cacheTemp, item.Name())
-		dst := filepath.Join(cachePath, item.Name())
-		log.DebugContext(ctx, "rename", "src", src, "dst", dst)
-		if err := os.Rename(src, dst); err != nil {
-			var linkErr *os.LinkError
-			if errors.As(err, &linkErr) && errors.Is(linkErr.Err, syscall.EEXIST) {
-				log.DebugContext(ctx, "cache already exists", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
-			} else {
-				return errors.Wrap(fmt.Errorf("could not rename: %w", err))
-			}
-		}
-	}
-
-	log.InfoContext(ctx, "cached", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
-
-	return nil
-}
-func isNotExist(path string) bool {
-	_, err := os.Stat(path)
-	return os.IsNotExist(err)
-}
--- a/api/v1alpha1/kubernetesobjects.go
+++ b/api/v1alpha1/kubernetesobjects.go
@@ -1,21 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-
-	"github.com/holos-run/holos"
-)
-
-const KubernetesObjectsKind = "KubernetesObjects"
-
-// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
-type KubernetesObjects struct {
-	HolosComponent `json:",inline" yaml:",inline"`
-}
-
-// Render produces kubernetes api objects from the APIObjectMap
-func (o *KubernetesObjects) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
-	result := Result{HolosComponent: o.HolosComponent}
-	result.addObjectMap(ctx, o.APIObjectMap)
-	return &result, nil
-}
--- a/api/v1alpha1/kustomization.go
+++ b/api/v1alpha1/kustomization.go
@@ -1,7 +0,0 @@
-package v1alpha1
-
-// Kustomization holds the rendered flux kustomization api object content for git ops.
-type Kustomization struct {
-	// KsContent is the yaml representation of the flux kustomization for gitops.
-	KsContent string `json:"ksContent,omitempty" yaml:"ksContent,omitempty"`
-}
--- a/api/v1alpha1/kustomize.go
+++ b/api/v1alpha1/kustomize.go
@@ -1,47 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-
-	"github.com/holos-run/holos"
-	"github.com/holos-run/holos/internal/errors"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/internal/util"
-)
-
-const KustomizeBuildKind = "KustomizeBuild"
-
-// Kustomize represents resources necessary to execute a kustomize build.
-// Intended for at least two use cases:
-//
-//  1. Process raw yaml file resources in a holos component directory.
-//  2. Post process a HelmChart to inject istio, add custom labels, etc...
-type Kustomize struct {
-	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
-	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty" yaml:"kustomizeFiles,omitempty"`
-	// ResourcesFile is the file name used for api objects in kustomization.yaml
-	ResourcesFile string `json:"resourcesFile,omitempty" yaml:"resourcesFile,omitempty"`
-}
-
-// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
-type KustomizeBuild struct {
-	HolosComponent `json:",inline" yaml:",inline"`
-}
-
-// Render produces a Result by executing kubectl kustomize on the holos
-// component path. Useful for processing raw yaml files.
-func (kb *KustomizeBuild) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
-	log := logger.FromContext(ctx)
-	result := Result{HolosComponent: kb.HolosComponent}
-	// Run kustomize.
-	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", string(path))
-	if err != nil {
-		log.ErrorContext(ctx, kOut.Stderr.String())
-		return nil, errors.Wrap(err)
-	}
-	// Replace the accumulated output
-	result.accumulatedOutput = kOut.Stdout.String()
-	// Add CUE based api objects.
-	result.addObjectMap(ctx, kb.APIObjectMap)
-	return &result, nil
-}
--- a/api/v1alpha1/objectmap.go
+++ b/api/v1alpha1/objectmap.go
@@ -1,14 +0,0 @@
-package v1alpha1
-
-// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
-type Label string
-
-// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
-type Kind string
-
-// APIObjectMap is the shape of marshalled api objects returned from cue to the
-// holos cli. A map is used to improve the clarity of error messages from cue.
-type APIObjectMap map[Kind]map[Label]string
-
-// FileContentMap is a map of file names to file contents.
-type FileContentMap map[string]string
--- a/api/v1alpha1/objectmeta.go
+++ b/api/v1alpha1/objectmeta.go
@@ -1,15 +0,0 @@
-package v1alpha1
-
-// ObjectMeta represents metadata of a holos component object. The fields are a
-// copy of upstream kubernetes api machinery but are by holos objects distinct
-// from kubernetes api objects.
-type ObjectMeta struct {
-	// Name uniquely identifies the holos component instance and must be suitable as a file name.
-	Name string `json:"name,omitempty" yaml:"name,omitempty"`
-	// Namespace confines a holos component to a single namespace via kustomize if set.
-	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
-	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
-	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
-	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
-	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
-}
--- a/api/v1alpha1/platform.go
+++ b/api/v1alpha1/platform.go
@@ -1,32 +0,0 @@
-package v1alpha1
-
-import "google.golang.org/protobuf/types/known/structpb"
-
-// Platform represents a platform to manage.  A Platform resource informs holos
-// which components to build.  The platform resource also acts as a container
-// for the platform model form values provided by the PlatformService.  The
-// primary use case is to collect the cluster names, cluster types, platform
-// model, and holos components to build into one resource.
-type Platform struct {
-	TypeMeta `json:",inline" yaml:",inline"`
-	Metadata ObjectMeta   `json:"metadata" yaml:"metadata"`
-	Spec     PlatformSpec `json:"spec" yaml:"spec"`
-}
-
-// PlatformSpec represents the platform build plan specification.
-type PlatformSpec struct {
-	// Model represents the platform model holos gets from from the
-	// holos.platform.v1alpha1.PlatformService.GetPlatform method and provides to
-	// CUE using a tag.
-	Model      structpb.Struct         `json:"model" yaml:"model"`
-	Components []PlatformSpecComponent `json:"components" yaml:"components"`
-}
-
-// PlatformSpecComponent represents a component to build or render with flags to
-// pass, for example the cluster name.
-type PlatformSpecComponent struct {
-	// Path is the path of the component relative to the platform root.
-	Path string `json:"path" yaml:"path"`
-	// Cluster is the cluster name to use when building the component.
-	Cluster string `json:"cluster" yaml:"cluster"`
-}
--- a/api/v1alpha1/render.go
+++ b/api/v1alpha1/render.go
@@ -1,22 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-
-	"github.com/holos-run/holos"
-)
-
-type Renderer interface {
-	GetKind() string
-	Render(ctx context.Context, path holos.InstancePath) (*Result, error)
-}
-
-// Render produces a Result representing the kubernetes api objects to
-// configure. Each of the various holos component types, e.g. Helm, Kustomize,
-// et al, should implement the Renderer interface. This process is best
-// conceptualized as a data pipeline, for example a component may render a
-// result by first calling helm template, then passing the result through
-// kustomize, then mixing in overlay api objects.
-func Render(ctx context.Context, r Renderer, path holos.InstancePath) (*Result, error) {
-	return r.Render(ctx, path)
-}
--- a/api/v1alpha1/result.go
+++ b/api/v1alpha1/result.go
@@ -1,165 +0,0 @@
-package v1alpha1
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-	"slices"
-
-	"github.com/holos-run/holos/internal/errors"
-	"github.com/holos-run/holos/internal/logger"
-	"github.com/holos-run/holos/internal/util"
-)
-
-// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
-type Result struct {
-	HolosComponent
-	// accumulatedOutput accumulates rendered api objects.
-	accumulatedOutput string
-	// DeployFiles keys represent file paths relative to the cluster deploy
-	// directory.  Map values represent the string encoded file contents.  Used to
-	// write the argocd Application, but may be used to render any file from CUE.
-	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
-}
-
-// Continue returns true if Skip is true indicating the result is to be skipped over.
-func (r *Result) Continue() bool {
-	if r == nil {
-		return false
-	}
-	return r.Skip
-}
-
-func (r *Result) Name() string {
-	return r.Metadata.Name
-}
-
-func (r *Result) Filename(writeTo string, cluster string) string {
-	name := r.Metadata.Name
-	return filepath.Join(writeTo, "clusters", cluster, "components", name, name+".gen.yaml")
-}
-
-func (r *Result) KustomizationFilename(writeTo string, cluster string) string {
-	return filepath.Join(writeTo, "clusters", cluster, "holos", "components", r.Metadata.Name+"-kustomization.gen.yaml")
-}
-
-// AccumulatedOutput returns the accumulated rendered output.
-func (r *Result) AccumulatedOutput() string {
-	return r.accumulatedOutput
-}
-
-// addObjectMap renders the provided APIObjectMap into the accumulated output.
-func (r *Result) addObjectMap(ctx context.Context, objectMap APIObjectMap) {
-	log := logger.FromContext(ctx)
-	b := []byte(r.AccumulatedOutput())
-	kinds := make([]Kind, 0, len(objectMap))
-	// Sort the keys
-	for kind := range objectMap {
-		kinds = append(kinds, kind)
-	}
-	slices.Sort(kinds)
-
-	for _, kind := range kinds {
-		v := objectMap[kind]
-		// Sort the keys
-		names := make([]Label, 0, len(v))
-		for name := range v {
-			names = append(names, name)
-		}
-		slices.Sort(names)
-
-		for _, name := range names {
-			yamlString := v[name]
-			log.Debug(fmt.Sprintf("%s/%s", kind, name), "kind", kind, "name", name)
-			b = util.EnsureNewline(b)
-			header := fmt.Sprintf("---\n# Source: CUE apiObjects.%s.%s\n", kind, name)
-			b = append(b, []byte(header+yamlString)...)
-			b = util.EnsureNewline(b)
-		}
-	}
-	r.accumulatedOutput = string(b)
-}
-
-// kustomize replaces the accumulated output with the output of kustomize build
-func (r *Result) kustomize(ctx context.Context) error {
-	log := logger.FromContext(ctx)
-	if r.ResourcesFile == "" {
-		log.DebugContext(ctx, "skipping kustomize: no resourcesFile")
-		return nil
-	}
-	if len(r.KustomizeFiles) < 1 {
-		log.DebugContext(ctx, "skipping kustomize: no kustomizeFiles")
-		return nil
-	}
-	tempDir, err := os.MkdirTemp("", "holos.kustomize")
-	if err != nil {
-		return errors.Wrap(err)
-	}
-	defer util.Remove(ctx, tempDir)
-
-	// Write the main api object resources file for kustomize.
-	target := filepath.Join(tempDir, r.ResourcesFile)
-	b := []byte(r.AccumulatedOutput())
-	b = util.EnsureNewline(b)
-	if err := os.WriteFile(target, b, 0644); err != nil {
-		return errors.Wrap(fmt.Errorf("could not write resources: %w", err))
-	}
-	log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
-
-	// Write the kustomization tree, kustomization.yaml must be in this map for kustomize to work.
-	for file, content := range r.KustomizeFiles {
-		target := filepath.Join(tempDir, file)
-		if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
-			return errors.Wrap(err)
-		}
-		b := []byte(content)
-		b = util.EnsureNewline(b)
-		if err := os.WriteFile(target, b, 0644); err != nil {
-			return errors.Wrap(fmt.Errorf("could not write: %w", err))
-		}
-		log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
-	}
-
-	// Run kustomize.
-	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", tempDir)
-	if err != nil {
-		log.ErrorContext(ctx, kOut.Stderr.String())
-		return errors.Wrap(err)
-	}
-	// Replace the accumulated output
-	r.accumulatedOutput = kOut.Stdout.String()
-	return nil
-}
-
-func (r *Result) WriteDeployFiles(ctx context.Context, path string) error {
-	log := logger.FromContext(ctx)
-	if len(r.DeployFiles) == 0 {
-		return nil
-	}
-	for k, content := range r.DeployFiles {
-		path := filepath.Join(path, k)
-		if err := r.Save(ctx, path, content); err != nil {
-			return errors.Wrap(err)
-		}
-		log.InfoContext(ctx, "wrote deploy file", "path", path, "bytes", len(content))
-	}
-	return nil
-}
-
-// Save writes the content to the filesystem for git ops.
-func (r *Result) Save(ctx context.Context, path string, content string) error {
-	log := logger.FromContext(ctx)
-	dir := filepath.Dir(path)
-	if err := os.MkdirAll(dir, os.FileMode(0775)); err != nil {
-		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
-		return errors.Wrap(err)
-	}
-	// Write the file content
-	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
-		log.WarnContext(ctx, "could not write", "path", path, "err", err)
-		return errors.Wrap(err)
-	}
-	log.DebugContext(ctx, "out: wrote "+path, "action", "write", "path", path, "status", "ok")
-	return nil
-}
--- a/api/v1alpha1/typemeta.go
+++ b/api/v1alpha1/typemeta.go
@@ -1,20 +0,0 @@
-package v1alpha1
-
-type TypeMeta struct {
-	Kind       string `json:"kind,omitempty" yaml:"kind,omitempty"`
-	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
-}
-
-func (tm *TypeMeta) GetKind() string {
-	return tm.Kind
-}
-
-func (tm *TypeMeta) GetAPIVersion() string {
-	return tm.APIVersion
-}
-
-// Discriminator is an interface to discriminate the kind api object.
-type Discriminator interface {
-	GetKind() string
-	GetAPIVersion() string
-}
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -0,0 +1,63 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"runtime/pprof"
+	"runtime/trace"
+
+	"github.com/holos-run/holos/internal/cli"
+	"github.com/holos-run/holos/internal/holos"
+)
+
+// MakeMain makes a main function for the cli or tests.
+func MakeMain(options ...holos.Option) func() int {
+	return func() (exitCode int) {
+		cfg := holos.New(options...)
+		slog.SetDefault(cfg.Logger())
+		ctx := context.Background()
+
+		if format := os.Getenv("HOLOS_CPU_PROFILE"); format != "" {
+			f, _ := os.Create(fmt.Sprintf(format, os.Getppid(), os.Getpid()))
+			err := pprof.StartCPUProfile(f)
+			defer func() {
+				pprof.StopCPUProfile()
+				f.Close()
+			}()
+			if err != nil {
+				return cli.HandleError(ctx, err, cfg)
+			}
+		}
+		defer memProfile(ctx, cfg)
+
+		if format := os.Getenv("HOLOS_TRACE"); format != "" {
+			f, _ := os.Create(fmt.Sprintf(format, os.Getppid(), os.Getpid()))
+			err := trace.Start(f)
+			defer func() {
+				trace.Stop()
+				f.Close()
+			}()
+			if err != nil {
+				return cli.HandleError(ctx, err, cfg)
+			}
+		}
+
+		feature := &holos.EnvFlagger{}
+		if err := cli.New(cfg, feature).ExecuteContext(ctx); err != nil {
+			return cli.HandleError(ctx, err, cfg)
+		}
+		return 0
+	}
+}
+
+func memProfile(ctx context.Context, cfg *holos.Config) {
+	if format := os.Getenv("HOLOS_MEM_PROFILE"); format != "" {
+		f, _ := os.Create(fmt.Sprintf(format, os.Getppid(), os.Getpid()))
+		defer f.Close()
+		if err := pprof.WriteHeapProfile(f); err != nil {
+			_ = cli.HandleError(ctx, err, cfg)
+		}
+	}
+}
--- a/cmd/holos/main.go
+++ b/cmd/holos/main.go
@@ -3,9 +3,9 @@ package main
 import (
 	"os"

-	"github.com/holos-run/holos/internal/cli"
+	"github.com/holos-run/holos/cmd"
 )

 func main() {
-	os.Exit(cli.MakeMain()())
+	os.Exit(cmd.MakeMain()())
 }
--- a/cmd/holos/main_test.go
+++ b/cmd/holos/main_test.go
@@ -2,20 +2,51 @@ package main

 import (
 	"os"
+	"path/filepath"
 	"testing"

-	"github.com/holos-run/holos/internal/cli"
+	cue "cuelang.org/go/cmd/cue/cmd"
+	"github.com/holos-run/holos/cmd"
 	"github.com/rogpeppe/go-internal/testscript"
 )

 func TestMain(m *testing.M) {
-	os.Exit(testscript.RunMain(m, map[string]func() int{
-		"holos": cli.MakeMain(),
-	}))
-}
-
-func TestGetSecrets(t *testing.T) {
-	testscript.Run(t, testscript.Params{
-		Dir: "testdata",
+	holosMain := cmd.MakeMain()
+	testscript.Main(m, map[string]func(){
+		"holos": func() { os.Exit(holosMain()) },
+		"cue":   func() { os.Exit(cue.Main()) },
 	})
 }
+
+func TestGuides_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "guides")))
+}
+
+func TestSchemas_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "schemas")))
+}
+
+func TestIssues_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "issues")))
+}
+
+func TestCLI(t *testing.T) {
+	testscript.Run(t, params("cli"))
+}
+
+func params(dir string) testscript.Params {
+	return testscript.Params{
+		Dir:                 filepath.Join("tests", dir),
+		RequireExplicitExec: true,
+		RequireUniqueNames:  os.Getenv("HOLOS_WORKDIR_ROOT") == "",
+		WorkdirRoot:         os.Getenv("HOLOS_WORKDIR_ROOT"),
+		UpdateScripts:       os.Getenv("HOLOS_UPDATE_SCRIPTS") != "",
+		Setup: func(env *testscript.Env) error {
+			// Just like cmd/cue/cmd.TestScript, set up separate cache and config dirs per test.
+			env.Setenv("CUE_CACHE_DIR", filepath.Join(env.WorkDir, "tmp/cachedir"))
+			configDir := filepath.Join(env.WorkDir, "tmp/configdir")
+			env.Setenv("CUE_CONFIG_DIR", configDir)
+			return nil
+		},
+	}
+}
--- a/cmd/holos/testdata/constraints.txt
+++ b/cmd/holos/testdata/constraints.txt
@@ -1,34 +0,0 @@
-# Want support for intermediary constraints
-exec holos build ./foo/... --log-level debug
-stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- foo/constraints.cue --
-package holos
-
-metadata: name: "jeff"
-- foo/bar/bar.cue --
-package holos
-
-spec: components: KubernetesObjectsList: [
-  #KubernetesObjects & {
-    apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
-  }
-]
-- schema.cue --
-package holos
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-#KubernetesObjects: {
-	apiVersion: "holos.run/v1alpha1"
-	kind: "KubernetesObjects"
-	apiObjectMap: {...}
-}
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
--- a/cmd/holos/testdata/issue15_cue_errors.txt
+++ b/cmd/holos/testdata/issue15_cue_errors.txt
@@ -1,20 +0,0 @@
-# Want cue errors to show files and lines
-! exec holos build .
-stderr 'apiObjectMap.foo.bar: cannot convert incomplete value'
-stderr '/component.cue:\d+:\d+$'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: KubernetesObjectsList: [{apiObjectMap: foo: bar: _baz}]
-
-_baz: string
--- a/cmd/holos/testdata/issue25_apiobjects_cue.txt
+++ b/cmd/holos/testdata/issue25_apiobjects_cue.txt
@@ -1,61 +0,0 @@
-# Want kube api objects in the apiObjects output.
-exec holos build .
-stdout '^kind: SecretStore$'
-stdout '# Source: CUE apiObjects.SecretStore.default'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: KubernetesObjectsList: [{apiObjectMap: #APIObjects.apiObjectMap}]
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-#SecretStore: {
-    kind: string
-    metadata: name: string
-}
-
-#APIObjects: {
-  apiObjects: {
-    SecretStore: {
-      default: #SecretStore & { metadata: name: "default" }
-    }
-  }
-}
-
-
-- schema.cue --
-package holos
-
-// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
-import "encoding/yaml"
-
-#APIObjects: {
-	// apiObjects holds each the api objects produced by cue.
-	apiObjects: {
-		[Kind=_]: {
-			[Name=_]: {
-				kind: Kind
-				metadata: name: Name
-			}
-		}
-	}
-
-	// apiObjectsContent holds the marshalled representation of apiObjects
-	apiObjectMap: {
-		for kind, v in apiObjects {
-			"\(kind)": {
-				for name, obj in v {
-				  "\(name)": yaml.Marshal(obj)
-			  }
-			}
-		}
-	}
-}
--- a/cmd/holos/testdata/issue25_apiobjects_helm.txt
+++ b/cmd/holos/testdata/issue25_apiobjects_helm.txt
@@ -1,62 +0,0 @@
-# Want kube api objects in the apiObjects output.
-exec holos build .
-stdout '^kind: SecretStore$'
-stdout '# Source: CUE apiObjects.SecretStore.default'
-stderr 'skipping helm: no chart name specified'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: HelmChartList: [{apiObjectMap: #APIObjects.apiObjectMap}]
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-#SecretStore: {
-    kind: string
-    metadata: name: string
-}
-
-#APIObjects: {
-  apiObjects: {
-    SecretStore: {
-      default: #SecretStore & { metadata: name: "default" }
-    }
-  }
-}
-
-
-- schema.cue --
-package holos
-
-// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
-import "encoding/yaml"
-
-#APIObjects: {
-	// apiObjects holds each the api objects produced by cue.
-	apiObjects: {
-		[Kind=_]: {
-			[Name=_]: {
-				kind: Kind
-				metadata: name: Name
-			}
-		}
-	}
-
-	// apiObjectsContent holds the marshalled representation of apiObjects
-	apiObjectMap: {
-		for kind, v in apiObjects {
-			"\(kind)": {
-				for name, obj in v {
-				  "\(name)": yaml.Marshal(obj)
-			  }
-			}
-		}
-	}
-}
--- a/cmd/holos/testdata/issue25_show_object_names.txt
+++ b/cmd/holos/testdata/issue25_show_object_names.txt
@@ -1,25 +0,0 @@
-# Want api object kind and name in errors
-! exec holos build .
-stderr 'apiObjects.secretstore.default.foo: field not allowed'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-apiVersion: "holos.run/v1alpha1"
-kind: "KubernetesObjects"
-cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-#SecretStore: {
-    metadata: name: string
-}
-
-apiObjects: {
-  secretstore: {
-    default: #SecretStore & { foo: "not allowed" }
-  }
-}
--- a/cmd/holos/testdata/issue33_helm_stderr.txt
+++ b/cmd/holos/testdata/issue33_helm_stderr.txt
@@ -1,289 +0,0 @@
-# Want helm errors to show up
-! exec holos build .
-stderr 'Error: execution error at \(zitadel/templates/secret_zitadel-masterkey.yaml:2:4\): Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- zitadel.cue --
-package holos
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: HelmChartList: [_HelmChart]
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-_HelmChart: {
-  apiVersion: "holos.run/v1alpha1"
-  kind: "HelmChart"
-  metadata: name: "zitadel"
-  namespace: "zitadel"
-  chart: {
-    name:    "zitadel"
-    version: "7.9.0"
-    release: name
-    repository: {
-      name: "zitadel"
-      url:  "https://charts.zitadel.com"
-    }
-  }
-}
-
-- vendor/zitadel/templates/secret_zitadel-masterkey.yaml --
-{{- if (or (and .Values.zitadel.masterkey .Values.zitadel.masterkeySecretName) (and (not .Values.zitadel.masterkey) (not .Values.zitadel.masterkeySecretName)) ) }}
-{{- fail "Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName" }}
-{{- end }}
-{{- if .Values.zitadel.masterkey -}}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: zitadel-masterkey
-  {{- with .Values.zitadel.masterkeyAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    {{- include "zitadel.labels" . | nindent 4 }}
-stringData:
-  masterkey: {{ .Values.zitadel.masterkey }}
-{{- end -}}
-- vendor/zitadel/Chart.yaml --
-apiVersion: v2
-appVersion: v2.46.0
-description: A Helm chart for ZITADEL
-icon: https://zitadel.com/zitadel-logo-dark.svg
-kubeVersion: '>= 1.21.0-0'
-maintainers:
- email: support@zitadel.com
-  name: zitadel
-  url: https://zitadel.com
-name: zitadel
-type: application
-version: 7.9.0
-- vendor/zitadel/values.yaml --
-# Default values for zitadel.
-zitadel:
-  # The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
-  # See all defaults here:
-  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
-  configmapConfig:
-    ExternalSecure: true
-    Machine:
-      Identification:
-        Hostname:
-          Enabled: true
-        Webhook:
-          Enabled: false
-
-  # The ZITADEL config under secretConfig is written to a Kubernetes Secret
-  # See all defaults here:
-  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
-  secretConfig:
-
-  # Annotations set on secretConfig secret
-  secretConfigAnnotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "0"
-
-  # Reference the name of a secret that contains ZITADEL configuration.
-  configSecretName:
-  # The key under which the ZITADEL configuration is located in the secret.
-  configSecretKey: config-yaml
-
-  # ZITADEL uses the masterkey for symmetric encryption.
-  # You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
-  masterkey: ""
-  # Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
-  # Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
-  masterkeySecretName: ""
-
-  # Annotations set on masterkey secret
-  masterkeyAnnotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "0"
-
-  # The CA Certificate needed for establishing secure database connections
-  dbSslCaCrt: ""
-
-  # The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
-  dbSslCaCrtSecret: ""
-
-  # The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
-  dbSslAdminCrtSecret: ""
-
-  # The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
-  dbSslUserCrtSecret: ""
-
-  # Generate a self-signed certificate using an init container
-  # This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
-  # E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
-  # By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
-  selfSignedCert:
-    enabled: false
-    additionalDnsName:
-
-replicaCount: 3
-
-image:
-  repository: ghcr.io/zitadel/zitadel
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: ""
-
-chownImage:
-  repository: alpine
-  pullPolicy: IfNotPresent
-  tag: "3.19"
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-# Annotations to add to the deployment
-annotations: {}
-
-# Annotations to add to the configMap
-configMap:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "0"
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "0"
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-podAnnotations: {}
-
-podAdditionalLabels: {}
-
-podSecurityContext:
-  runAsNonRoot: true
-  runAsUser: 1000
-
-securityContext: {}
-
-# Additional environment variables
-env:
-  []
-  # - name: ZITADEL_DATABASE_POSTGRES_HOST
-  #   valueFrom:
-  #     secretKeyRef:
-  #       name: postgres-pguser-postgres
-  #       key: host
-
-service:
-  type: ClusterIP
-  # If service type is "ClusterIP", this can optionally be set to a fixed IP address.
-  clusterIP: ""
-  port: 8080
-  protocol: http2
-  annotations: {}
-  scheme: HTTP
-
-ingress:
-  enabled: false
-  className: ""
-  annotations: {}
-  hosts:
-    - host: localhost
-      paths:
-        - path: /
-          pathType: Prefix
-  tls: []
-
-resources: {}
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-topologySpreadConstraints: []
-
-initJob:
-  # Once ZITADEL is installed, the initJob can be disabled.
-  enabled: true
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "1"
-  resources: {}
-  backoffLimit: 5
-  activeDeadlineSeconds: 300
-  extraContainers: []
-  podAnnotations: {}
-  # Available init commands :
-  # "": initialize ZITADEL instance (without skip anything)
-  # database: initialize only the database
-  # grant: set ALL grant to user
-  # user: initialize only the database user
-  # zitadel: initialize ZITADEL internals (skip "create user" and "create database")
-  command: ""
-
-setupJob:
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: before-hook-creation
-    helm.sh/hook-weight: "2"
-  resources: {}
-  activeDeadlineSeconds: 300
-  extraContainers: []
-  podAnnotations: {}
-  additionalArgs:
-    - "--init-projections=true"
-  machinekeyWriter:
-    image:
-      repository: bitnami/kubectl
-      tag: ""
-    resources: {}
-
-readinessProbe:
-  enabled: true
-  initialDelaySeconds: 0
-  periodSeconds: 5
-  failureThreshold: 3
-
-livenessProbe:
-  enabled: true
-  initialDelaySeconds: 0
-  periodSeconds: 5
-  failureThreshold: 3
-
-startupProbe:
-  enabled: true
-  periodSeconds: 1
-  failureThreshold: 30
-
-metrics:
-  enabled: false
-  serviceMonitor:
-    # If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
-    # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
-    # The Prometheus community Helm chart installs this operator
-    # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
-    enabled: false
-    honorLabels: false
-    honorTimestamps: true
-
-pdb:
-  enabled: false
-  # these values are used for the PDB and are mutally exclusive
-  minAvailable: 1
-  # maxUnavailable: 1
-  annotations: {}
--- a/cmd/holos/testdata/issue42_kustomize_build_kind.txt
+++ b/cmd/holos/testdata/issue42_kustomize_build_kind.txt
@@ -1,39 +0,0 @@
-# Kustomize is a supported holos component kind
-exec holos render component --cluster-name=mycluster . --log-level=debug
-
-# Want generated output
-cmp want.yaml deploy/clusters/mycluster/components/kstest/kstest.gen.yaml
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: KustomizeBuildList: [{metadata: name: "kstest"}]
-
-- kustomization.yaml --
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: mynamespace
-resources:
- serviceaccount.yaml
-
-- serviceaccount.yaml --
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: test
-
-- want.yaml --
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: test
-  namespace: mynamespace
--- a/cmd/holos/testdata/issue72_disallow_unknown_fields.txt
+++ b/cmd/holos/testdata/issue72_disallow_unknown_fields.txt
@@ -1,17 +0,0 @@
-# https://github.com/holos-run/holos/issues/72
-# Want holos to fail on unknown fields to catch typos and aid refactors
-! exec holos build .
-stderr 'unknown field \\"TypoKubernetesObjectsList\\"'
-
-- platform.config.json --
-{}
-- cue.mod --
-package holos
-- component.cue --
-package holos
-_cluster: string @tag(cluster, string)
-_platform_config: string @tag(platform_config, string)
-
-apiVersion: "holos.run/v1alpha1"
-kind: "BuildPlan"
-spec: components: TypoKubernetesObjectsList: []
--- a/cmd/holos/tests/cli/cue-vet.txt
+++ b/cmd/holos/tests/cli/cue-vet.txt
@@ -0,0 +1,12 @@
+# https://github.com/holos-run/holos/issues/358
+# holos cue vet should fail verifications with exit code 1
+! exec holos cue vet ./policy --path strings.ToLower(kind) ./data/secret.yaml
+# holos cue vet should report validation errors to stderr
+stderr 'Forbidden. Use an ExternalSecret instead.'
+
+-- data/secret.yaml --
+kind: Secret
+-- policy/validators.cue --
+package policy
+
+secret: kind: "Forbidden. Use an ExternalSecret instead."
--- a/cmd/holos/tests/cli/first-impression.txt
+++ b/cmd/holos/tests/cli/first-impression.txt
@@ -0,0 +1,2 @@
+# https://github.com/holos-run/holos/issues/334
+exec holos
--- a/cmd/holos/tests/cli/version.txt
+++ b/cmd/holos/tests/cli/version.txt
--- a/cmd/holos/tests/v1alpha5/guides/helm.txt
+++ b/cmd/holos/tests/v1alpha5/guides/helm.txt
--- a/cmd/holos/tests/v1alpha5/issues/holos-show.txt
+++ b/cmd/holos/tests/v1alpha5/issues/holos-show.txt
@@ -0,0 +1,422 @@
+# https://github.com/holos-run/holos/issues/331
+# ensure holos show components --labels selects correctly.
+# ensure BuildPlan includes labels and annotations from the platform component.
+# ensure holos render platform injects the holos_component_labels and
+# holos_component_annotations tags.
+env HOME=$WORK
+
+exec holos init platform v1alpha5 --force
+exec holos show platform
+cmp stdout want/platform.yaml
+
+# all buildplans are selected by default
+exec holos show buildplans
+cmp stdout want/all-buildplans.yaml
+
+# one = works in the selector
+exec holos show buildplans --selector app.holos.run/name=empty1-label
+cmp stdout want/buildplans.1.yaml
+
+# double == works in the selector
+exec holos show buildplans --selector app.holos.run/name==empty2-label
+cmp stdout want/buildplans.2.yaml
+
+# not equal != negates the selection
+exec holos show buildplans --selector app.holos.run/name!=empty3-label
+cmp stdout want/buildplans.3.yaml
+exec holos show buildplans --selector app.holos.run/name!=something-else
+cmp stdout want/buildplans.4.yaml
+
+-- platform/empty.cue --
+package holos
+
+Platform: Components: {
+  empty1: _
+  empty2: _
+  empty3: _
+  empty4: _
+}
+-- platform/metadata.cue --
+package holos
+
+Platform: Components: [NAME=string]: {
+  name: NAME
+  path: "components/empty"
+  labels: "app.holos.run/name": "\(name)-label"
+  annotations: "app.holos.run/description": "\(name)-annotation empty test case"
+}
+-- components/empty/empty.cue --
+package holos
+
+Component: #Kubernetes & {}
+holos: Component.BuildPlan
+-- want/platform.yaml --
+apiVersion: v1alpha5
+kind: Platform
+metadata:
+  name: default
+spec:
+  components:
+    - annotations:
+        app.holos.run/description: empty1-annotation empty test case
+      labels:
+        app.holos.run/name: empty1-label
+      name: empty1
+      path: components/empty
+    - annotations:
+        app.holos.run/description: empty2-annotation empty test case
+      labels:
+        app.holos.run/name: empty2-label
+      name: empty2
+      path: components/empty
+    - annotations:
+        app.holos.run/description: empty3-annotation empty test case
+      labels:
+        app.holos.run/name: empty3-label
+      name: empty3
+      path: components/empty
+    - annotations:
+        app.holos.run/description: empty4-annotation empty test case
+      labels:
+        app.holos.run/name: empty4-label
+      name: empty4
+      path: components/empty
+-- want/empty.yaml --
+-- want/all-buildplans.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty1
+  labels:
+    app.holos.run/name: empty1-label
+  annotations:
+    app.holos.run/description: empty1-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty1/empty1.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty1/empty1.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty2
+  labels:
+    app.holos.run/name: empty2-label
+  annotations:
+    app.holos.run/description: empty2-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty2/empty2.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty2/empty2.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty3
+  labels:
+    app.holos.run/name: empty3-label
+  annotations:
+    app.holos.run/description: empty3-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty3/empty3.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty3/empty3.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty4
+  labels:
+    app.holos.run/name: empty4-label
+  annotations:
+    app.holos.run/description: empty4-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty4/empty4.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty4/empty4.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+-- want/buildplans.1.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty1
+  labels:
+    app.holos.run/name: empty1-label
+  annotations:
+    app.holos.run/description: empty1-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty1/empty1.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty1/empty1.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+-- want/buildplans.2.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty2
+  labels:
+    app.holos.run/name: empty2-label
+  annotations:
+    app.holos.run/description: empty2-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty2/empty2.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty2/empty2.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+-- want/buildplans.3.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty1
+  labels:
+    app.holos.run/name: empty1-label
+  annotations:
+    app.holos.run/description: empty1-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty1/empty1.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty1/empty1.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty2
+  labels:
+    app.holos.run/name: empty2-label
+  annotations:
+    app.holos.run/description: empty2-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty2/empty2.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty2/empty2.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty4
+  labels:
+    app.holos.run/name: empty4-label
+  annotations:
+    app.holos.run/description: empty4-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty4/empty4.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty4/empty4.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+-- want/buildplans.4.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty1
+  labels:
+    app.holos.run/name: empty1-label
+  annotations:
+    app.holos.run/description: empty1-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty1/empty1.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty1/empty1.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty2
+  labels:
+    app.holos.run/name: empty2-label
+  annotations:
+    app.holos.run/description: empty2-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty2/empty2.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty2/empty2.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty3
+  labels:
+    app.holos.run/name: empty3-label
+  annotations:
+    app.holos.run/description: empty3-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty3/empty3.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty3/empty3.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+---
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: empty4
+  labels:
+    app.holos.run/name: empty4-label
+  annotations:
+    app.holos.run/description: empty4-annotation empty test case
+spec:
+  artifacts:
+    - artifact: components/empty4/empty4.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/empty4/empty4.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
--- a/cmd/holos/tests/v1alpha5/issues/issue348-kustomize-patch-name.txt
+++ b/cmd/holos/tests/v1alpha5/issues/issue348-kustomize-patch-name.txt
@@ -0,0 +1,64 @@
+# https://github.com/holos-run/holos/issues/348
+# when the optional kustomize patch name field is omitted
+exec holos init platform v1alpha5 --force
+# want a buildplan shown
+exec holos show buildplans
+cmp stdout buildplan.yaml
+# want this error to go away
+! stderr 'cannot convert non-concrete value string'
+-- platform/example.cue --
+package holos
+
+Platform: Components: example: {
+	name: "example"
+	path: "components/example"
+}
+-- components/example/example.cue --
+package holos
+
+import "encoding/yaml"
+
+holos: Component.BuildPlan
+
+Component: #Kustomize & {
+	KustomizeConfig: Kustomization: patches: [
+		{
+			target: kind: "CustomResourceDefinition"
+			patch: yaml.Marshal([{
+				op:    "add"
+				path:  "/metadata/annotations/example"
+				value: "example-value"
+			}])
+		},
+	]
+}
+-- buildplan.yaml --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: example
+spec:
+  artifacts:
+    - artifact: components/example/example.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/example/example.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              patches:
+                - patch: |
+                    - op: add
+                      path: /metadata/annotations/example
+                      value: example-value
+                  target:
+                    kind: CustomResourceDefinition
+                    name: ""
+              resources:
+                - resources.gen.yaml
--- a/cmd/holos/tests/v1alpha5/issues/issue366-cue-build-tags.txt
+++ b/cmd/holos/tests/v1alpha5/issues/issue366-cue-build-tags.txt
@@ -0,0 +1,50 @@
+# https://github.com/holos-run/holos/issues/366
+# Build tags conditionally include CUE files.
+env HOME=$WORK
+
+exec holos init platform v1alpha5 --force
+exec holos show platform
+cmp stdout want/empty.yaml
+
+exec holos show platform -t foo
+cmp stdout want/foo.yaml
+
+-- platform/empty.cue --
+@if(foo)
+package holos
+
+Platform: Components: foo: _
+-- platform/metadata.cue --
+package holos
+
+Platform: Components: [NAME=string]: {
+  name: NAME
+  path: "components/empty"
+  labels: "app.holos.run/name": NAME
+  annotations: "app.holos.run/description": "\(NAME) empty test case"
+}
+-- components/empty/empty.cue --
+package holos
+
+Component: #Kubernetes & {}
+holos: Component.BuildPlan
+-- want/empty.yaml --
+apiVersion: v1alpha5
+kind: Platform
+metadata:
+  name: default
+spec:
+  components: []
+-- want/foo.yaml --
+apiVersion: v1alpha5
+kind: Platform
+metadata:
+  name: default
+spec:
+  components:
+    - annotations:
+        app.holos.run/description: foo empty test case
+      labels:
+        app.holos.run/name: foo
+      name: foo
+      path: components/empty
--- a/cmd/holos/tests/v1alpha5/schemas/capabilities.txt
+++ b/cmd/holos/tests/v1alpha5/schemas/capabilities.txt
@@ -0,0 +1,146 @@
+# https://github.com/holos-run/holos/issues/330
+exec holos init platform v1alpha5 --force
+# Make sure the helm chart works with plain helm
+exec helm template ./components/capabilities/vendor/0.1.0/capabilities
+stdout 'name: has-foo-v1beta1'
+stdout 'kubeVersion: v'
+exec holos render platform ./platform
+# When no capabilities are specified
+cmp deploy/components/capabilities/capabilities.gen.yaml want/when-no-capabilities-specified.yaml
+# With APIVersions specified
+cmp deploy/components/specified/specified.gen.yaml want/with-capabilities-specified.yaml
+# With KubeVersion specified
+cmp deploy/components/kubeversion1/kubeversion1.gen.yaml want/with-kubeversion-specified.yaml
+# With both APIVersions and KubeVersion specified
+cmp deploy/components/kubeversion2/kubeversion2.gen.yaml want/with-both-specified.yaml
+-- want/with-both-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-kubeversion-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/when-no-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.31.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.31.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- platform/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+Platform: Components: capabilities: {
+        name: "capabilities"
+        path: "components/capabilities"
+}
+Platform: Components: specified: {
+        name: "specified"
+        path: "components/capabilities"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+Platform: Components: kubeversion1: {
+        name: "kubeversion1"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+}
+Platform: Components: kubeversion2: {
+        name: "kubeversion2"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+-- components/capabilities/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+        Name: string @tag(holos_component_name, type=string)
+        Chart: name: "capabilities"
+        Chart: version: "0.1.0"
+        _APIVersions: string | *"[]" @tag(apiVersions, type=string)
+        APIVersions: json.Unmarshal(_APIVersions)
+        KubeVersion: string | *"v1.31.0" @tag(kubeVersion, type=string)
+}
+-- components/capabilities/vendor/0.1.0/capabilities/Chart.yaml --
+apiVersion: v2
+name: capabilities
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+-- components/capabilities/vendor/0.1.0/capabilities/templates/service.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Capabilities.APIVersions.Has "foo/v1" }}
+  name: has-foo-v1
+{{- else }}
+  name: has-foo-v1beta1
+{{- end }}
+  annotations:
+    kubeVersion: {{ .Capabilities.KubeVersion }}
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+-- want/helm-template.yaml --
+---
+# Source: capabilities/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: has-foo-v1beta1
+  annotations:
+    kubeVersion: v1.31.0
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
--- a/cmd/holos/tests/v1alpha5/schemas/kubernetes.txt
+++ b/cmd/holos/tests/v1alpha5/schemas/kubernetes.txt
@@ -0,0 +1,45 @@
+# author.#Kubernetes
+
+# Start in an empty directory.
+cd $WORK
+
+# Generate the directory structure we're going to work in.
+exec holos init platform v1alpha5 --force
+
+# Platforms are empty by default.
+exec holos render platform
+stderr -count=1 '^rendered platform'
+
+# When author.#Kubernetes is empty
+exec holos cue export --expression holos --out=yaml ./components/empty
+cmp stdout want.txt
+
+-- components/empty/empty.cue --
+package holos
+
+Kubernetes: #Kubernetes & {}
+holos: Kubernetes.BuildPlan
+-- want.txt --
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: no-name
+spec:
+  artifacts:
+    - artifact: components/no-name/no-name.gen.yaml
+      generators:
+        - kind: Resources
+          output: resources.gen.yaml
+          resources: {}
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - resources.gen.yaml
+          output: components/no-name/no-name.gen.yaml
+          kustomize:
+            kustomization:
+              apiVersion: kustomize.config.k8s.io/v1beta1
+              kind: Kustomization
+              resources:
+                - resources.gen.yaml
+      validators: []
--- a/cmd/holos/tests/v1alpha5/schemas/validators.txt
+++ b/cmd/holos/tests/v1alpha5/schemas/validators.txt
@@ -0,0 +1,37 @@
+# https://github.com/holos-run/holos/issues/357
+exec holos init platform v1alpha5 --force
+! exec holos render platform
+stderr 'secret.kind: conflicting values "Forbidden. Use an ExternalSecret instead." and "Secret"'
+
+-- validators.cue --
+package holos
+
+import "github.com/holos-run/holos/api/author/v1alpha5:author"
+
+#ComponentConfig: author.#ComponentConfig & {
+	Validators: cue: {
+		kind: "Command"
+		command: args: ["holos", "cue", "vet", "./policy", "--path", "strings.ToLower(kind)"]
+	}
+}
+-- policy/validations.cue --
+package validations
+
+secret: kind: "Forbidden. Use an ExternalSecret instead."
+-- platform/example.cue --
+package holos
+
+Platform: Components: example: {
+	name: "example"
+	path: "components/example"
+}
+-- components/example/secret.cue --
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Kubernetes & {
+	Resources: Secret: test: {
+		metadata: name: "test"
+	}
+}
--- a/doc/md.archive/backstory.md
+++ b/doc/md.archive/backstory.md
--- a/doc/md.archive/cli.md
+++ b/doc/md.archive/cli.md
--- a/doc/md.archive/guides-v1alpha4.md
+++ b/doc/md.archive/guides-v1alpha4.md
--- a/doc/md.archive/guides-v1alpha4/change-a-service.mdx
+++ b/doc/md.archive/guides-v1alpha4/change-a-service.mdx
@@ -80,33 +80,62 @@ The bank front end web service is managed by the
 refers to the organization display name in `schema.gen.cue`.

 <Tabs groupId="F5B546EB-566F-4B83-84C3-C55B40F55555">
-  <TabItem value="schema.gen.cue" label="schema.gen.cue">
+  <TabItem value="schema.cue" label="schema.cue">
 ```cue showLineNumbers
 package holos

-import api "github.com/holos-run/holos/api/author/v1alpha3"
+import api "github.com/holos-run/holos/api/author/v1alpha4"

-// Define the default organization name
-// highlight-next-line
-#Organization: DisplayName: string | *"Bank of Holos"
-#Organization: Name:        string | *"bank-of-holos"
-
-#Organization: api.#OrganizationStrict
-#Platform:     api.#Platform
-#Fleets:       api.#StandardFleets
-
-_ComponentConfig: {
-  Resources:  #Resources
-  ArgoConfig: #ArgoConfig
+// Define the default organization name.
+_Organization: api.#OrganizationStrict & {
+	DisplayName: string | *"Bank of Holos"
+	Name:        string | *"bank-of-holos"
+	Domain:      string | *"holos.localhost"
 }

-#Helm:       api.#Helm & _ComponentConfig
-#Kustomize:  api.#Kustomize & _ComponentConfig
-#Kubernetes: api.#Kubernetes & _ComponentConfig
+// Projects represents a way to organize components into projects with owners.
+// https://holos.run/docs/api/author/v1alpha4/#Projects
+_Projects: api.#Projects

-#ArgoConfig: api.#ArgoConfig & {
-  ClusterName: _ClusterName
+// ArgoConfig represents the configuration of ArgoCD Application resources for
+// each component.
+// https://holos.run/docs/api/author/v1alpha4/#ArgoConfig
+_ArgoConfig: api.#ArgoConfig
+
+#ComponentConfig: api.#ComponentConfig & {
+	Name:      _Tags.name
+	Component: _Tags.component
+	Cluster:   _Tags.cluster
+	ArgoConfig: _ArgoConfig & {
+		if _Tags.project != "no-project" {
+			AppProject: _Tags.project
+		}
+	}
+	Resources: #Resources
+
+	// Mix in project labels if the project is defined by the platform.
+	if _Tags.project != "no-project" {
+		CommonLabels: _Projects[_Tags.project].CommonLabels
+	}
 }
+
+// https://holos.run/docs/api/author/v1alpha4/#Kubernetes
+#Kubernetes: close({
+	#ComponentConfig
+	api.#Kubernetes
+})
+
+// https://holos.run/docs/api/author/v1alpha4/#Kustomize
+#Kustomize: close({
+	#ComponentConfig
+	api.#Kustomize
+})
+
+// https://holos.run/docs/api/author/v1alpha4/#Helm
+#Helm: close({
+	#ComponentConfig
+	api.#Helm
+})
 ```
  </TabItem>
  <TabItem value="projects/bank-of-holos/frontend/components/bank-frontend/bank-frontend.cue" label="projects/bank-of-holos/frontend/components/bank-frontend/bank-frontend.cue">
@@ -117,215 +146,214 @@ package holos
 (#Kubernetes & Objects).BuildPlan

 let Objects = {
-  Name:      "bank-frontend"
-  Namespace: #BankOfHolos.Frontend.Namespace
+	Name:      "bank-frontend"
+	Namespace: _BankOfHolos.Frontend.Namespace

-  // Ensure resources go in the correct namespace
-  Resources: [_]: [_]: metadata: namespace: Namespace
+	// Ensure resources go in the correct namespace
+	Resources: [_]: [_]: metadata: namespace: Namespace

-  // https://github.com/GoogleCloudPlatform/bank-of-anthos/blob/release/v0.6.5/kubernetes-manifests/frontend.yaml
-  Resources: {
-    Service: frontend: {
-      metadata: name: "frontend"
-      metadata: labels: {
-        application: "bank-of-holos"
-        environment: "development"
-        team:        "frontend"
-        tier:        "web"
-      }
-      spec: {
-        selector: {
-          app:         "frontend"
-          application: "bank-of-holos"
-          environment: "development"
-          team:        "frontend"
-          tier:        "web"
-        }
-        _ports: http: {
-          name:       "http"
-          port:       80
-          targetPort: 8080
-          protocol:   "TCP"
-        }
-        ports: [for x in _ports {x}]
-      }
-    }
+	// https://github.com/GoogleCloudPlatform/bank-of-anthos/blob/release/v0.6.5/kubernetes-manifests/frontend.yaml
+	Resources: {
+		Service: frontend: {
+			metadata: name: "frontend"
+			metadata: labels: {
+				application: "bank-of-holos"
+				environment: "development"
+				team:        "frontend"
+				tier:        "web"
+			}
+			spec: {
+				selector: {
+					app:         "frontend"
+					application: "bank-of-holos"
+					environment: "development"
+					team:        "frontend"
+					tier:        "web"
+				}
+				_ports: http: {
+					name:       "http"
+					port:       80
+					targetPort: 8080
+					protocol:   "TCP"
+				}
+				ports: [for x in _ports {x}]
+			}
+		}

-    Deployment: frontend: {
-      metadata: name: "frontend"
-      metadata: labels: {
-        application: "bank-of-holos"
-        environment: "development"
-        team:        "frontend"
-        tier:        "web"
-      }
-      spec: {
-        selector: matchLabels: {
-          app:         "frontend"
-          application: "bank-of-holos"
-          environment: "development"
-          team:        "frontend"
-          tier:        "web"
-        }
-        template: {
-          metadata: labels: {
-            app:         "frontend"
-            application: "bank-of-holos"
-            environment: "development"
-            team:        "frontend"
-            tier:        "web"
-          }
-          spec: {
-            securityContext: {
-              seccompProfile: type: "RuntimeDefault"
-              fsGroup:      1000
-              runAsGroup:   1000
-              runAsNonRoot: true
-              runAsUser:    1000
-            }
-            serviceAccountName:            "bank-of-holos"
-            terminationGracePeriodSeconds: 5
-            containers: [{
-              env: [{
-                name:  "BANK_NAME"
-                // highlight-next-line
-                value: #Organization.DisplayName
-              }, {
-                name:  "ENV_PLATFORM"
-                value: "local"
-              }, {
-                name:  "VERSION"
-                value: "v0.6.5"
-              }, {
-                name:  "PORT"
-                value: "8080"
-              }, {
-                name:  "ENABLE_TRACING"
-                value: "false"
-              }, {
-                name:  "SCHEME"
-                value: "https"
-              }, {
-                name:  "LOG_LEVEL"
-                value: "info"
-              }, {
-                name: "DEFAULT_USERNAME"
-                valueFrom: configMapKeyRef: {
-                  key:  "DEMO_LOGIN_USERNAME"
-                  name: "demo-data-config"
-                }
-              }, {
-                name: "DEFAULT_PASSWORD"
-                valueFrom: configMapKeyRef: {
-                  key:  "DEMO_LOGIN_PASSWORD"
-                  name: "demo-data-config"
-                }
-              }, {
-                name: "REGISTERED_OAUTH_CLIENT_ID"
-                valueFrom: configMapKeyRef: {
-                  key:      "DEMO_OAUTH_CLIENT_ID"
-                  name:     "oauth-config"
-                  optional: true
-                }
-              }, {
-                name: "ALLOWED_OAUTH_REDIRECT_URI"
-                valueFrom: configMapKeyRef: {
-                  key:      "DEMO_OAUTH_REDIRECT_URI"
-                  name:     "oauth-config"
-                  optional: true
-                }
-              }]
-              envFrom: [{
-                configMapRef: name: "environment-config"
-              }, {
-                configMapRef: name: "service-api-config"
-              }]
-              image: "us-central1-docker.pkg.dev/bank-of-anthos-ci/bank-of-anthos/frontend:v0.6.5@sha256:d72050f70d12383e4434ad04d189b681dc625f696087ddf0b5df641645c9dafa"
-              livenessProbe: {
-                httpGet: {
-                  path: "/ready"
-                  port: 8080
-                }
-                initialDelaySeconds: 60
-                periodSeconds:       15
-                timeoutSeconds:      30
-              }
-              name: "front"
-              readinessProbe: {
-                httpGet: {
-                  path: "/ready"
-                  port: 8080
-                }
-                initialDelaySeconds: 10
-                periodSeconds:       5
-                timeoutSeconds:      10
-              }
-              resources: {
-                limits: {
-                  cpu:    "250m"
-                  memory: "128Mi"
-                }
-                requests: {
-                  cpu:    "100m"
-                  memory: "64Mi"
-                }
-              }
-              securityContext: {
-                allowPrivilegeEscalation: false
-                capabilities: drop: ["all"]
-                privileged:             false
-                readOnlyRootFilesystem: true
-              }
-              volumeMounts: [{
-                mountPath: "/tmp"
-                name:      "tmp"
-              }, {
-                mountPath: "/tmp/.ssh"
-                name:      "publickey"
-                readOnly:  true
-              }]
-            }]
-            volumes: [
-              {
-                emptyDir: {}
-                name: "tmp"
-              },
-              {
-                name: "publickey"
-                secret: {
-                  items: [{key: "jwtRS256.key.pub", path: "publickey"}]
-                  secretName: "jwt-key"
-                }
-              },
-            ]
-          }
-        }
-      }
-    }
+		Deployment: frontend: {
+			metadata: name: "frontend"
+			metadata: labels: {
+				application: "bank-of-holos"
+				environment: "development"
+				team:        "frontend"
+				tier:        "web"
+			}
+			spec: {
+				selector: matchLabels: {
+					app:         "frontend"
+					application: "bank-of-holos"
+					environment: "development"
+					team:        "frontend"
+					tier:        "web"
+				}
+				template: {
+					metadata: labels: {
+						app:         "frontend"
+						application: "bank-of-holos"
+						environment: "development"
+						team:        "frontend"
+						tier:        "web"
+					}
+					spec: {
+						securityContext: {
+							seccompProfile: type: "RuntimeDefault"
+							fsGroup:      1000
+							runAsGroup:   1000
+							runAsNonRoot: true
+							runAsUser:    1000
+						}
+						serviceAccountName:            "bank-of-holos"
+						terminationGracePeriodSeconds: 5
+						containers: [{
+							env: [{
+								name:  "BANK_NAME"
+								value: _Organization.DisplayName
+							}, {
+								name:  "ENV_PLATFORM"
+								value: "local"
+							}, {
+								name:  "VERSION"
+								value: "v0.6.5"
+							}, {
+								name:  "PORT"
+								value: "8080"
+							}, {
+								name:  "ENABLE_TRACING"
+								value: "false"
+							}, {
+								name:  "SCHEME"
+								value: "https"
+							}, {
+								name:  "LOG_LEVEL"
+								value: "info"
+							}, {
+								name: "DEFAULT_USERNAME"
+								valueFrom: configMapKeyRef: {
+									key:  "DEMO_LOGIN_USERNAME"
+									name: "demo-data-config"
+								}
+							}, {
+								name: "DEFAULT_PASSWORD"
+								valueFrom: configMapKeyRef: {
+									key:  "DEMO_LOGIN_PASSWORD"
+									name: "demo-data-config"
+								}
+							}, {
+								name: "REGISTERED_OAUTH_CLIENT_ID"
+								valueFrom: configMapKeyRef: {
+									key:      "DEMO_OAUTH_CLIENT_ID"
+									name:     "oauth-config"
+									optional: true
+								}
+							}, {
+								name: "ALLOWED_OAUTH_REDIRECT_URI"
+								valueFrom: configMapKeyRef: {
+									key:      "DEMO_OAUTH_REDIRECT_URI"
+									name:     "oauth-config"
+									optional: true
+								}
+							}]
+							envFrom: [{
+								configMapRef: name: "environment-config"
+							}, {
+								configMapRef: name: "service-api-config"
+							}]
+							image: "us-central1-docker.pkg.dev/bank-of-anthos-ci/bank-of-anthos/frontend:v0.6.5@sha256:d72050f70d12383e4434ad04d189b681dc625f696087ddf0b5df641645c9dafa"
+							livenessProbe: {
+								httpGet: {
+									path: "/ready"
+									port: 8080
+								}
+								initialDelaySeconds: 60
+								periodSeconds:       15
+								timeoutSeconds:      30
+							}
+							name: "front"
+							readinessProbe: {
+								httpGet: {
+									path: "/ready"
+									port: 8080
+								}
+								initialDelaySeconds: 10
+								periodSeconds:       5
+								timeoutSeconds:      10
+							}
+							resources: {
+								limits: {
+									cpu:    "250m"
+									memory: "128Mi"
+								}
+								requests: {
+									cpu:    "100m"
+									memory: "64Mi"
+								}
+							}
+							securityContext: {
+								allowPrivilegeEscalation: false
+								capabilities: drop: ["all"]
+								privileged:             false
+								readOnlyRootFilesystem: true
+							}
+							volumeMounts: [{
+								mountPath: "/tmp"
+								name:      "tmp"
+							}, {
+								mountPath: "/tmp/.ssh"
+								name:      "publickey"
+								readOnly:  true
+							}]
+						}]
+						volumes: [
+							{
+								emptyDir: {}
+								name: "tmp"
+							},
+							{
+								name: "publickey"
+								secret: {
+									items: [{key: "jwtRS256.key.pub", path: "publickey"}]
+									secretName: "jwt-key"
+								}
+							},
+						]
+					}
+				}
+			}
+		}

-    // Allow HTTPRoutes in the ingress gateway namespace to reference Services
-    // in this namespace.
-    ReferenceGrant: grant: #ReferenceGrant & {
-      metadata: namespace: Namespace
-    }
+		// Allow HTTPRoutes in the ingress gateway namespace to reference Services
+		// in this namespace.
+		ReferenceGrant: grant: _ReferenceGrant & {
+			metadata: namespace: Namespace
+		}

-    // Include shared resources
-    #BankOfHolos.Resources
-  }
+		// Include shared resources
+		_BankOfHolos.Resources
+	}
 }
 ```
  </TabItem>
 </Tabs>

-Line 6 of the `schema.gen.cue` file defines the _default_ value for
-`#Organization.DisplayName` by using `string | *"..."`.  In CUE, the `*`
+Line 7 of the `schema.cue` file defines the _default_ value for
+`_Organization.DisplayName` by using `string | *"..."`.  In CUE, the `*`
 asterisk character denotes a [default value].

-Line 78 of the `bank-frontend.cue` file refers to `#Organization.DisplayName` to
+Line 78 of the `bank-frontend.cue` file refers to `_Organization.DisplayName` to
 configure the front end web container.

 Let's change the name of the bank by defining a new value for
-`#Organization.DisplayName` at the root of the configuration.  Create
+`_Organization.DisplayName` at the root of the configuration.  Create
 `projects/organization.cue` with the following content.

 <Tabs groupId="B386181F-EBE7-469D-8CB5-37631067669B">
@@ -333,7 +361,7 @@ Let's change the name of the bank by defining a new value for
 ```cue showLineNumbers
 package holos

-#Organization: DisplayName: "The Holistic-Bank"
+_Organization: DisplayName: "The Holistic-Bank"
 ```
  </TabItem>
 </Tabs>
@@ -348,18 +376,11 @@ holos render platform ./platform
  </TabItem>
  <TabItem value="output" label="Output">
 ```txt
-#Organization.DisplayName: 2 errors in empty disjunction:
-#Organization.DisplayName: conflicting values "Bank of Holos" and "The Holistic-Bank":
-    /bank-of-holos/projects/organization.cue:3:29
-    /bank-of-holos/schema.gen.cue:6:39
-// highlight-next-line
-#Organization.DisplayName: invalid value "The Holistic-Bank" (out of bound =~"^[0-9A-Za-z][0-9A-Za-z ]{2,61}[0-9A-Za-z]$"):
-    /bank-of-holos/cue.mod/gen/github.com/holos-run/holos/api/author/v1alpha3/definitions_go_gen.cue:203:25
-    /bank-of-holos/cue.mod/gen/github.com/holos-run/holos/api/author/v1alpha3/definitions_go_gen.cue:188:15
-    /bank-of-holos/cue.mod/gen/github.com/holos-run/holos/api/author/v1alpha3/definitions_go_gen.cue:203:15
-    /bank-of-holos/projects/organization.cue:3:29
-    /bank-of-holos/schema.gen.cue:6:29
-could not run: could not render component: exit status 1 at internal/render/platform.go:50
+could not run: could not marshal json projects/platform/components/istio/cni: cue: marshal error: _Organization.DisplayName: 2 errors in empty disjunction: (and 2 more errors) at internal/builder/builder.go:63
+_Organization.DisplayName: _Organization.DisplayName: 2 errors in empty disjunction: (and 2 more errors)
+could not run: could not marshal json projects/platform/components/argocd/crds: cue: marshal error: _Organization.DisplayName: 2 errors in empty disjunction: (and 2 more errors) at internal/builder/builder.go:63
+_Organization.DisplayName: _Organization.DisplayName: 2 errors in empty disjunction: (and 2 more errors)
+could not run: could not render component: exit status 1 at builder/v1alpha4/builder.go:95
 ```
  </TabItem>
 </Tabs>
@@ -386,7 +407,7 @@ Let's try again, this time replacing the hyphen with a space.
 ```cue showLineNumbers
 package holos

-#Organization: DisplayName: "The Holistic Bank"
+_Organization: DisplayName: "The Holistic Bank"
 ```
  </TabItem>
 </Tabs>
--- a/doc/md.archive/guides-v1alpha4/deploy-a-service.mdx
+++ b/doc/md.archive/guides-v1alpha4/deploy-a-service.mdx
@@ -130,23 +130,23 @@ package holos

 // Platform wide definitions
 // highlight-next-line
-#Migration: Namespace: "migration"
+_Migration: Namespace: "migration"

 // Register namespaces
 // highlight-next-line
-#Namespaces: (#Migration.Namespace): _
+_Namespaces: (_Migration.Namespace): _

 // Register projects
 // highlight-next-line
-#AppProjects: migration: _
+_AppProjects: migration: _
 ```
  </TabItem>
 </Tabs>

 Each of the highlighted lines has a specific purpose.

- Line 4 defines the `#Migration` CUE struct.  The team that currently owns the
-migration project defines this struct.
+- Line 4 defines the `_Migration` hidden field.  The team owning the migration
+project manages this struct.
 - Line 7 registers the namespace with the `namespaces` component owned by the
 platform team.  The `_` value indicates the value is defined elsewhere in CUE.
 In this case, the platform team defines what a Namespace is.
@@ -208,9 +208,9 @@ Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
 // highlight-next-line
-        modified:   deploy/clusters/workload/components/app-projects/app-projects.gen.yaml
+        modified:   deploy/clusters/local/components/app-projects/app-projects.gen.yaml
 // highlight-next-line
-        modified:   deploy/clusters/workload/components/namespaces/namespaces.gen.yaml
+        modified:   deploy/clusters/local/components/namespaces/namespaces.gen.yaml

 Untracked files:
  (use "git add <file>..." to include in what will be committed)
@@ -230,15 +230,14 @@ git diff deploy
  </TabItem>
  <TabItem value="output" label="Output">
 ```diff
-diff --git a/deploy/clusters/workload/components/app-projects/app-projects.gen.yaml b/deploy/clusters/workload/components/app-projects/app-projects.gen.yaml
+diff --git a/deploy/clusters/local/components/app-projects/app-projects.gen.yaml b/deploy/clusters/local/components/app-projects/app-projects.gen.yaml
 index bdc8371..42cb01a 100644
--- a/deploy/clusters/workload/components/app-projects/app-projects.gen.yaml
-+++ b/deploy/clusters/workload/components/app-projects/app-projects.gen.yaml
+--- a/deploy/clusters/local/components/app-projects/app-projects.gen.yaml
+++ b/deploy/clusters/local/components/app-projects/app-projects.gen.yaml
@@ -50,6 +50,23 @@ spec:
   sourceRepos:
     - '*'
 ---
-+# Source: CUE apiObjects.AppProject.migration
 +apiVersion: argoproj.io/v1alpha1
 +kind: AppProject
 +metadata:
@@ -255,19 +254,17 @@ index bdc8371..42cb01a 100644
 +  sourceRepos:
 +    - '*'
 +---
- # Source: CUE apiObjects.AppProject.platform
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
-diff --git a/deploy/clusters/workload/components/namespaces/namespaces.gen.yaml b/deploy/clusters/workload/components/namespaces/namespaces.gen.yaml
+diff --git a/deploy/clusters/local/components/namespaces/namespaces.gen.yaml b/deploy/clusters/local/components/namespaces/namespaces.gen.yaml
 index de96ab9..7ddd870 100644
--- a/deploy/clusters/workload/components/namespaces/namespaces.gen.yaml
-+++ b/deploy/clusters/workload/components/namespaces/namespaces.gen.yaml
+--- a/deploy/clusters/local/components/namespaces/namespaces.gen.yaml
+++ b/deploy/clusters/local/components/namespaces/namespaces.gen.yaml
@@ -62,3 +62,11 @@ metadata:
     kubernetes.io/metadata.name: istio-system
 kind: Namespace
 apiVersion: v1
 +---
-+# Source: CUE apiObjects.Namespace.migration
 +metadata:
 +  name: migration
 +  labels:
@@ -351,37 +348,33 @@ import ks "sigs.k8s.io/kustomize/api/types"

 // Produce a helm chart build plan.
 // highlight-next-line
-(#Helm & Chart).BuildPlan
+_Helm.BuildPlan

-let Chart = {
-  // highlight-next-line
-  Name:    "podinfo"
-  // highlight-next-line
-  Namespace: #Migration.Namespace
+_Helm: #Helm & {
+	// highlight-next-line
+	Name: "podinfo"
+	// highlight-next-line
+	Namespace: _Migration.Namespace

-  Chart: {
-      version: "6.6.2"
-      repository: {
-        name: "podinfo"
-        url: "https://stefanprodan.github.io/podinfo"
-      }
-  }
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}

-  // Necessary to ensure the resources go to the correct namespace.
-  // highlight-next-line
-  EnableKustomizePostProcessor: true
-  // highlight-next-line
-  KustomizeFiles: "kustomization.yaml": ks.#Kustomization & {
-    namespace: Namespace
-  }
+	KustomizeConfig: Kustomization: ks.#Kustomization & {
+		// highlight-next-line
+		namespace: Namespace
+	}

-  // Allow the platform team to route traffic into our namespace.
-  // highlight-next-line
-  Resources: ReferenceGrant: grant: #ReferenceGrant & {
-    metadata: namespace: Namespace
-  }
+	// Allow the platform team to route traffic into our namespace.
+	Resources: ReferenceGrant: grant: _ReferenceGrant & {
+		// highlight-next-line
+		metadata: namespace: Namespace
+	}
 }
-
 ```
  </TabItem>
 </Tabs>
@@ -403,16 +396,16 @@ component, `podinfo/podinfo.cue`, but `holos` doesn't enforce this convention.
 **Line 10**: We use the same namespace we registered with the `namespaces`
 component as the value we pass to Helm.  This is a good example of Holos
 offering safety and consistency with CUE, if we change the value of
-`#Migration.Namespace`, multiple components stay consistent.
+`_Migration.Namespace`, multiple components stay consistent.

-**Lines 20-21**: Unfortunately, the Helm chart doesn't set the
+**Lines 21**: Unfortunately, the Helm chart doesn't set the
 `metadata.namespace` field for the resources it generates, which creates a
 security problem.  The resources will be created in the wrong namespace.  We
 don't want to modify the upstream chart because it creates a maintenance burden.
 We solve the problem by having Holos post-process the Helm output with
 Kustomize.  This ensures all resources go into the correct namespace.

-**Lines 27**: The migration team grants the platform team permission to route
+**Lines 26**: The migration team grants the platform team permission to route
 traffic into the `migration` Namespace using a [ReferenceGrant].

 :::note
@@ -463,11 +456,12 @@ following content.
 package holos

 // Manage on workload clusters only
-for Cluster in #Fleets.workload.clusters {
-  #Platform: Components: "\(Cluster.name)/podinfo": {
-    path:    "projects/migration/components/podinfo"
-    cluster: Cluster.name
-  }
+for Cluster in _Fleets.workload.clusters {
+	_Platform: Components: "\(Cluster.name)/podinfo": {
+		name:      "podinfo"
+		component: "projects/migration/components/podinfo"
+		cluster:   Cluster.name
+	}
 }
 ```
  </TabItem>
@@ -492,7 +486,7 @@ package holos

 // Assign ArgoCD Applications to the migration AppProject
 // highlight-next-line
-#ArgoConfig: AppProject: #AppProjects.migration.metadata.name
+_ArgoConfig: AppProject: _AppProjects.migration.metadata.name
 ```
  </TabItem>
 </Tabs>
@@ -501,7 +495,7 @@ This file provides consistency and safety in a number of ways:

 1. All components under `projects/migration/` will automatically have their
 ArgoCD Application assigned to the migration `AppProject`.
-2. `holos render platform` errors out if `#AppProjects.migration` is not
+2. `holos render platform` errors out if `_AppProjects.migration` is not
 defined, we defined it in `projects/migration.cue`
 3. The platform team is responsible for managing the `AppProject` resource
 itself, the team doing the migration refers to the `metadata.name` field defined
@@ -561,14 +555,14 @@ git status
  </TabItem>
  <TabItem value="output" label="Output">
 ```txt
-On branch main
+On branch jeff/291-consistent-fields
 Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
-        new file:   deploy/clusters/workload/components/podinfo/podinfo.gen.yaml
-        new file:   deploy/clusters/workload/gitops/podinfo.application.gen.yaml
-        new file:   platform/migration-podinfo.cue
-        new file:   projects/migration/app-project.cue
-        new file:   projects/migration/components/podinfo/podinfo.cue
+	new file:   deploy/clusters/local/components/podinfo/podinfo.gen.yaml
+	new file:   deploy/clusters/local/gitops/podinfo.gen.yaml
+	new file:   platform/migration-podinfo.cue
+	new file:   projects/migration/app-project.cue
+	new file:   projects/migration/components/podinfo/podinfo.cue
 ```
  </TabItem>
 </Tabs>
@@ -578,25 +572,26 @@ in a new manifest for the Helm output along with an ArgoCD Application for
 GitOps.  Here's what they look like:

 <Tabs groupId="0F2B3066-B57F-466E-A27F-A603C1803E11">
-  <TabItem value="deploy/clusters/workload/gitops/podinfo.application.gen.yaml" label="podinfo.application.gen.yaml">
+  <TabItem value="deploy/clusters/local/gitops/podinfo.gen.yaml" label="podinfo.gen.yaml">
 ```yaml showLineNumbers
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
+  labels:
+    holos.run/component.name: podinfo
  name: podinfo
  namespace: argocd
 spec:
  destination:
    server: https://kubernetes.default.svc
-  # highlight-next-line
  project: migration
  source:
-    path: ./deploy/clusters/workload/components/podinfo
+    path: deploy/clusters/local/components/podinfo
    repoURL: https://github.com/holos-run/bank-of-holos
    targetRevision: main
 ```
  </TabItem>
-  <TabItem value="deploy/clusters/workload/components/podinfo/podinfo.gen.yaml" label="podinfo.gen.yaml">
+  <TabItem value="deploy/clusters/local/components/podinfo/podinfo.gen.yaml" label="podinfo.gen.yaml">
 ```yaml showLineNumbers
 apiVersion: v1
 kind: Service
@@ -605,9 +600,10 @@ metadata:
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: podinfo
    app.kubernetes.io/version: 6.6.2
+    argocd.argoproj.io/instance: podinfo
    helm.sh/chart: podinfo-6.6.2
+    holos.run/component.name: podinfo
  name: podinfo
-  # highlight-next-line
  namespace: migration
 spec:
  ports:
@@ -621,6 +617,8 @@ spec:
    targetPort: grpc
  selector:
    app.kubernetes.io/name: podinfo
+    argocd.argoproj.io/instance: podinfo
+    holos.run/component.name: podinfo
  type: ClusterIP
 ---
 apiVersion: apps/v1
@@ -630,15 +628,18 @@ metadata:
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: podinfo
    app.kubernetes.io/version: 6.6.2
+    argocd.argoproj.io/instance: podinfo
    helm.sh/chart: podinfo-6.6.2
+    holos.run/component.name: podinfo
  name: podinfo
-  # highlight-next-line
  namespace: migration
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: podinfo
+      argocd.argoproj.io/instance: podinfo
+      holos.run/component.name: podinfo
  strategy:
    rollingUpdate:
      maxUnavailable: 1
@@ -650,6 +651,8 @@ spec:
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: podinfo
+        argocd.argoproj.io/instance: podinfo
+        holos.run/component.name: podinfo
    spec:
      containers:
      - command:
@@ -714,6 +717,23 @@ spec:
      volumes:
      - emptyDir: {}
        name: data
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  labels:
+    argocd.argoproj.io/instance: podinfo
+    holos.run/component.name: podinfo
+  name: istio-ingress
+  namespace: migration
+spec:
+  from:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    namespace: istio-ingress
+  to:
+  - group: ""
+    kind: Service
 ```
  </TabItem>
 </Tabs>
@@ -730,10 +750,10 @@ git commit -m 'register the migration project podinfo component with the platfor
  </TabItem>
  <TabItem value="output" label="Output">
 ```txt
-[main] register the migration project podinfo component with the platform
- 5 files changed, 167 insertions(+)
- create mode 100644 deploy/clusters/workload/components/podinfo/podinfo.gen.yaml
- create mode 100644 deploy/clusters/workload/gitops/podinfo.application.gen.yaml
+[main 31197e2] register the migration project podinfo component with the platform
+ 5 files changed, 205 insertions(+)
+ create mode 100644 deploy/clusters/local/components/podinfo/podinfo.gen.yaml
+ create mode 100644 deploy/clusters/local/gitops/podinfo.gen.yaml
 create mode 100644 platform/migration-podinfo.cue
 create mode 100644 projects/migration/app-project.cue
 create mode 100644 projects/migration/components/podinfo/podinfo.cue
@@ -777,9 +797,9 @@ platform as a whole.  Bank of Holos uses [HTTPRoute] routes from the new Gateway
 API.  The company the bank acquired uses older Ingress resources from earlier
 Kubernetes versions.

-The platform team at the bank defines a `#HTTPRoutes` struct for other teams at
-the bank to register with. The `#HTTPRoutes` struct is similar to the
-`#Namespaces` and `#AppProjects` structs we've already seen.
+The platform team at the bank defines a `_HTTPRoutes` struct for other teams at
+the bank to register with. The `_HTTPRoutes` struct is similar to the
+`_Namespaces` and `_AppProjects` structs we've already seen.

 As a member of the migration team, we'll add the file
 `projects/migration-routes.cue` to expose the service we're migrating.
@@ -791,17 +811,15 @@ Go ahead and create this file (if it hasn't been created previously) with the fo
 ```cue showLineNumbers
 package holos

-let Podinfo = {
-  podinfo: {
-    port:      9898
-    namespace: #Migration.Namespace
-  }
-}
-
 // Route migration-podinfo.example.com to port 9898 of Service podinfo in the
 // migration namespace.
 // highlight-next-line
-#HTTPRoutes: "migration-podinfo": _backendRefs: Podinfo
+_HTTPRoutes: "migration-podinfo": _backendRefs: {
+	podinfo: {
+		port:      9898
+		namespace: _Migration.Namespace
+	}
+}
 ```
  </TabItem>
  <TabItem value="projects/httproutes.cue" label="projects/httproutes.cue">
@@ -810,44 +828,45 @@ package holos

 import v1 "gateway.networking.k8s.io/httproute/v1"

-// #HTTPRoutes defines managed HTTPRoute resources for the platform.  These
-// resources are managed in the istio-ingress namespace.  Other components
-// define the routes they need close to the root of configuration.
+// Struct containing HTTPRoute configurations. These resources are managed in
+// the istio-ingress namespace.  Other components define the routes they need
+// close to the root of configuration.
+_HTTPRoutes: #HTTPRoutes
+
+// #HTTPRoutes defines the schema of managed HTTPRoute resources for the
+// platform.
 #HTTPRoutes: {
-  // For the guides, we simplify this down to a flat namespace.
-  // highlight-next-line
-  [Name=string]: v1.#HTTPRoute & {
-    let HOST = Name + "." + #Organization.Domain
+	// For the guides, we simplify this down to a flat namespace.
+	[Name=string]: v1.#HTTPRoute & {
+		let HOST = Name + "." + _Organization.Domain

-    // highlight-next-line
-    _backendRefs: [NAME=string]: {
-      name:      NAME
-      namespace: string
-      port:      number | *80
-    }
+		_backendRefs: [NAME=string]: {
+			name:      NAME
+			namespace: string
+			port:      number | *80
+		}

-    metadata: name:      Name
-    metadata: namespace: #Istio.Gateway.Namespace
-    metadata: labels: app: Name
-    spec: hostnames: [HOST]
-    spec: parentRefs: [{
-      name:      "default"
-      namespace: metadata.namespace
-    }]
-    spec: rules: [
-      {
-        matches: [{path: {type: "PathPrefix", value: "/"}}]
-        // highlight-next-line
-        backendRefs: [for x in _backendRefs {x}]
-      },
-    ]
-  }
+		metadata: name:      Name
+		metadata: namespace: _Istio.Gateway.Namespace
+		metadata: labels: app: Name
+		spec: hostnames: [HOST]
+		spec: parentRefs: [{
+			name:      "default"
+			namespace: metadata.namespace
+		}]
+		spec: rules: [
+			{
+				matches: [{path: {type: "PathPrefix", value: "/"}}]
+				backendRefs: [for x in _backendRefs {x}]
+			},
+		]
+	}
 }
 ```
  </TabItem>
 </Tabs>

-In this file we're adding a field to the `#HTTPRoutes` struct the platform team
+In this file we're adding a field to the `_HTTPRoutes` struct the platform team
 defined for us.

 You might be wondering how we knew all of these fields to put into this file.
@@ -861,8 +880,9 @@ The most important things the migration team takes away from this file are:

 1. The platform team requires a `gateway.networking.k8s.io/httproute/v1`
 `HTTPRoute`.
-2. Line 13 uses a [hidden field] so we can provide backend references as a struct instead of a list.
-3. Line 30 uses a [comprehension] to convert the struct to a list.
+2. Line 17 uses a [hidden field] so we can provide backend references as a
+struct instead of a list.
+3. Line 34 uses a [comprehension] to convert the struct to a list.

 We can look up the spec for the fields we need to provide in the Gateway API
 reference documentation for [HTTPRoute].
@@ -928,10 +948,10 @@ git diff
  </TabItem>
  <TabItem value="output" label="Output">
 ```diff
-diff --git a/deploy/clusters/workload/components/httproutes/httproutes.gen.yaml b/deploy/clusters/workload/components/httproutes/httproutes.gen.yaml
+diff --git a/deploy/clusters/local/components/httproutes/httproutes.gen.yaml b/deploy/clusters/local/components/httproutes/httproutes.gen.yaml
 index 06f7c91..349e070 100644
--- a/deploy/clusters/workload/components/httproutes/httproutes.gen.yaml
-+++ b/deploy/clusters/workload/components/httproutes/httproutes.gen.yaml
+--- a/deploy/clusters/local/components/httproutes/httproutes.gen.yaml
+++ b/deploy/clusters/local/components/httproutes/httproutes.gen.yaml
@@ -47,3 +47,28 @@ spec:
     - path:
         type: PathPrefix
@@ -961,7 +981,6 @@ index 06f7c91..349e070 100644
 +    - path:
 +        type: PathPrefix
 +        value: /
-
 ```
  </TabItem>
 </Tabs>
@@ -1044,7 +1063,7 @@ in the `bank-of-holos` repository after resetting your cluster following the
  </TabItem>
  <TabItem value="output" label="Output">
 ```txt
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/namespaces/namespaces.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/namespaces/namespaces.gen.yaml
 namespace/argocd serverside-applied
 namespace/bank-backend serverside-applied
 namespace/bank-frontend serverside-applied
@@ -1054,17 +1073,17 @@ namespace/external-secrets serverside-applied
 namespace/istio-ingress serverside-applied
 namespace/istio-system serverside-applied
 namespace/migration serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/argocd-crds/argocd-crds.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/argocd-crds/argocd-crds.gen.yaml
 customresourcedefinition.apiextensions.k8s.io/applications.argoproj.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/applicationsets.argoproj.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/appprojects.argoproj.io serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/gateway-api/gateway-api.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/gateway-api/gateway-api.gen.yaml
 customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/external-secrets-crds/external-secrets-crds.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/external-secrets-crds/external-secrets-crds.gen.yaml
 customresourcedefinition.apiextensions.k8s.io/acraccesstokens.generators.external-secrets.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/clusterexternalsecrets.external-secrets.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/clustersecretstores.external-secrets.io serverside-applied
@@ -1126,7 +1145,7 @@ customresourcedefinition.apiextensions.k8s.io/wasmplugins.extensions.istio.io co
 customresourcedefinition.apiextensions.k8s.io/webhooks.generators.external-secrets.io condition met
 customresourcedefinition.apiextensions.k8s.io/workloadentries.networking.istio.io condition met
 customresourcedefinition.apiextensions.k8s.io/workloadgroups.networking.istio.io condition met
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/external-secrets/external-secrets.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/external-secrets/external-secrets.gen.yaml
 serviceaccount/external-secrets-cert-controller serverside-applied
 serviceaccount/external-secrets serverside-applied
 serviceaccount/external-secrets-webhook serverside-applied
@@ -1146,7 +1165,7 @@ deployment.apps/external-secrets serverside-applied
 deployment.apps/external-secrets-webhook serverside-applied
 validatingwebhookconfiguration.admissionregistration.k8s.io/secretstore-validate serverside-applied
 validatingwebhookconfiguration.admissionregistration.k8s.io/externalsecret-validate serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/cert-manager/cert-manager.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/cert-manager/cert-manager.gen.yaml
 serviceaccount/cert-manager-cainjector serverside-applied
 serviceaccount/cert-manager serverside-applied
 serviceaccount/cert-manager-webhook serverside-applied
@@ -1192,11 +1211,11 @@ deployment.apps/cert-manager serverside-applied
 deployment.apps/cert-manager-webhook serverside-applied
 mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook serverside-applied
 validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/local-ca/local-ca.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/local-ca/local-ca.gen.yaml
 clusterissuer.cert-manager.io/local-ca serverside-applied
 + kubectl wait --for=condition=Ready clusterissuer/local-ca --timeout=30s
 clusterissuer.cert-manager.io/local-ca condition met
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/argocd/argocd.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/argocd/argocd.gen.yaml
 serviceaccount/argocd-application-controller serverside-applied
 serviceaccount/argocd-applicationset-controller serverside-applied
 serviceaccount/argocd-notifications-controller serverside-applied
@@ -1243,13 +1262,13 @@ deployment.apps/argocd-server serverside-applied
 statefulset.apps/argocd-application-controller serverside-applied
 job.batch/argocd-redis-secret-init serverside-applied
 referencegrant.gateway.networking.k8s.io/istio-ingress serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/app-projects/app-projects.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/app-projects/app-projects.gen.yaml
 appproject.argoproj.io/bank-backend serverside-applied
 appproject.argoproj.io/bank-frontend serverside-applied
 appproject.argoproj.io/bank-security serverside-applied
 appproject.argoproj.io/migration serverside-applied
 appproject.argoproj.io/platform serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/istio-base/istio-base.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/istio-base/istio-base.gen.yaml
 customresourcedefinition.apiextensions.k8s.io/authorizationpolicies.security.istio.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/destinationrules.networking.istio.io serverside-applied
 customresourcedefinition.apiextensions.k8s.io/envoyfilters.networking.istio.io serverside-applied
@@ -1266,7 +1285,7 @@ customresourcedefinition.apiextensions.k8s.io/workloadentries.networking.istio.i
 customresourcedefinition.apiextensions.k8s.io/workloadgroups.networking.istio.io serverside-applied
 serviceaccount/istio-reader-service-account serverside-applied
 validatingwebhookconfiguration.admissionregistration.k8s.io/istiod-default-validator serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/istiod/istiod.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/istiod/istiod.gen.yaml
 serviceaccount/istiod serverside-applied
 role.rbac.authorization.k8s.io/istiod serverside-applied
 clusterrole.rbac.authorization.k8s.io/istio-reader-clusterrole-istio-system serverside-applied
@@ -1284,7 +1303,7 @@ poddisruptionbudget.policy/istiod serverside-applied
 horizontalpodautoscaler.autoscaling/istiod serverside-applied
 mutatingwebhookconfiguration.admissionregistration.k8s.io/istio-sidecar-injector serverside-applied
 validatingwebhookconfiguration.admissionregistration.k8s.io/istio-validator-istio-system serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/istio-cni/istio-cni.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/istio-cni/istio-cni.gen.yaml
 serviceaccount/istio-cni serverside-applied
 configmap/istio-cni-config serverside-applied
 clusterrole.rbac.authorization.k8s.io/istio-cni serverside-applied
@@ -1296,20 +1315,20 @@ clusterrolebinding.rbac.authorization.k8s.io/istio-cni-ambient serverside-applie
 daemonset.apps/istio-cni-node serverside-applied
 + kubectl wait --for=condition=Ready pod -l k8s-app=istio-cni-node --timeout=300s -n istio-system
 pod/istio-cni-node-7kfbh condition met
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/istio-ztunnel/istio-ztunnel.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/istio-ztunnel/istio-ztunnel.gen.yaml
 serviceaccount/ztunnel serverside-applied
 daemonset.apps/ztunnel serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/istio-gateway/istio-gateway.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/istio-gateway/istio-gateway.gen.yaml
 certificate.cert-manager.io/gateway-cert serverside-applied
 gateway.gateway.networking.k8s.io/default serverside-applied
 serviceaccount/default-istio serverside-applied
 + kubectl wait --for=condition=Ready pod -l istio.io/gateway-name=default --timeout=300s -n istio-ingress
 pod/default-istio-54598d985b-69wmr condition met
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/httproutes/httproutes.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/httproutes/httproutes.gen.yaml
 httproute.gateway.networking.k8s.io/argocd serverside-applied
 httproute.gateway.networking.k8s.io/bank serverside-applied
 httproute.gateway.networking.k8s.io/migration-podinfo serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-secrets/bank-secrets.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-secrets/bank-secrets.gen.yaml
 configmap/jwt-key-writer serverside-applied
 job.batch/jwt-key-writer serverside-applied
 role.rbac.authorization.k8s.io/jwt-key-reader serverside-applied
@@ -1319,7 +1338,7 @@ rolebinding.rbac.authorization.k8s.io/jwt-key-writer serverside-applied
 serviceaccount/jwt-key-writer serverside-applied
 + kubectl wait --for=condition=complete job.batch/jwt-key-writer -n bank-security --timeout=300s
 job.batch/jwt-key-writer condition met
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-backend-config/bank-backend-config.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-backend-config/bank-backend-config.gen.yaml
 configmap/demo-data-config serverside-applied
 configmap/environment-config serverside-applied
 configmap/service-api-config serverside-applied
@@ -1327,30 +1346,30 @@ externalsecret.external-secrets.io/jwt-key serverside-applied
 referencegrant.gateway.networking.k8s.io/istio-ingress serverside-applied
 secretstore.external-secrets.io/bank-security serverside-applied
 serviceaccount/bank-of-holos serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-accounts-db/bank-accounts-db.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-accounts-db/bank-accounts-db.gen.yaml
 configmap/accounts-db-config serverside-applied
 service/accounts-db serverside-applied
 statefulset.apps/accounts-db serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-ledger-db/bank-ledger-db.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-ledger-db/bank-ledger-db.gen.yaml
 configmap/ledger-db-config serverside-applied
 service/ledger-db serverside-applied
 statefulset.apps/ledger-db serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-contacts/bank-contacts.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-contacts/bank-contacts.gen.yaml
 deployment.apps/contacts serverside-applied
 service/contacts serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-balance-reader/bank-balance-reader.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-balance-reader/bank-balance-reader.gen.yaml
 deployment.apps/balancereader serverside-applied
 service/balancereader serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-userservice/bank-userservice.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-userservice/bank-userservice.gen.yaml
 deployment.apps/userservice serverside-applied
 service/userservice serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-ledger-writer/bank-ledger-writer.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-ledger-writer/bank-ledger-writer.gen.yaml
 deployment.apps/ledgerwriter serverside-applied
 service/ledgerwriter serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-transaction-history/bank-transaction-history.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-transaction-history/bank-transaction-history.gen.yaml
 deployment.apps/transactionhistory serverside-applied
 service/transactionhistory serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/components/bank-frontend/bank-frontend.gen.yaml
+ kubectl apply --server-side=true -f deploy/clusters/local/components/bank-frontend/bank-frontend.gen.yaml
 configmap/demo-data-config serverside-applied
 configmap/environment-config serverside-applied
 configmap/service-api-config serverside-applied
@@ -1360,7 +1379,7 @@ referencegrant.gateway.networking.k8s.io/istio-ingress serverside-applied
 secretstore.external-secrets.io/bank-security serverside-applied
 service/frontend serverside-applied
 serviceaccount/bank-of-holos serverside-applied
-+ kubectl apply --server-side=true -f deploy/clusters/workload/gitops
+ kubectl apply --server-side=true -f deploy/clusters/local/gitops
 application.argoproj.io/app-projects serverside-applied
 application.argoproj.io/argocd-crds serverside-applied
 application.argoproj.io/argocd serverside-applied
--- a/doc/md.archive/guides-v1alpha4/helm.mdx
+++ b/doc/md.archive/guides-v1alpha4/helm.mdx
@@ -461,8 +461,9 @@ values into both charts to configure them in lock step.

 <Tabs groupId="740ABBEB-7A03-4B53-9CD5-4B8C5680172F">
  <TabItem value="projects/blackbox.schema.cue" label="Blackbox Schema">
-```txt
-projects/blackbox.schema.cue
+```bash
+mkdir -p projects
+touch projects/blackbox.schema.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -498,9 +499,7 @@ Add the CUE configuration to manage the prometheus Helm Chart component.

 ```bash
 mkdir -p projects/platform/components/prometheus
-```
-```txt
-projects/platform/components/prometheus/prometheus.cue
+touch projects/platform/components/prometheus/prometheus.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -527,8 +526,9 @@ the platform directory.

 <Tabs groupId="FF5FF6C6-181D-4071-8BCF-5C8E0663C028">
  <TabItem value="platform/prometheus.cue" label="Platform">
-```txt
-platform/prometheus.cue
+```bash
+mkdir -p platform
+touch platform/prometheus.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -553,8 +553,8 @@ holos render platform ./platform
  <TabItem value="output" label="Output">
 ```txt
 cached prometheus 25.27.0
-rendered prometheus for cluster local in 1.900449291s
-rendered platform in 1.900581125s
+rendered prometheus for cluster local in 1.600449291s
+rendered platform in 1.600581125s
 ```
  </TabItem>
  <TabItem value="deploy/clusters/local/components/prometheus/prometheus.gen.yaml" label="prometheus.gen.yaml">
@@ -2041,9 +2041,7 @@ Add the CUE configuration to manage the blackbox Helm Chart component.

 ```bash
 mkdir -p projects/platform/components/blackbox
-```
-```txt
-projects/platform/components/blackbox/blackbox.cue
+touch projects/platform/components/blackbox/blackbox.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -2070,8 +2068,9 @@ _Helm: #Helm & {
 Register the blackbox chart with the platform by adding the following file to
 the platform directory.

-```txt
-platform/blackbox.cue
+```bash
+mkdir -p platform
+touch platform/blackbox.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -2292,9 +2291,10 @@ First for prometheus.
 <Tabs groupId="5062EB93-F5AA-4038-9CF8-67A5ECA085FD">
  <TabItem value="command" label="Command">
 ```bash
-cue import -p holos -o- -l '_Helm: Values:' \
-  projects/platform/components/prometheus/vendor/25.27.0/prometheus/values.yaml \
-  > projects/platform/components/prometheus/values.cue
+cue import --package holos \
+  --path '_Helm: Values:' \
+  --outfile projects/platform/components/prometheus/values.cue \
+  projects/platform/components/prometheus/vendor/25.27.0/prometheus/values.yaml
 ```
  </TabItem>
  <TabItem value="output" label="values.cue">
@@ -3648,9 +3648,10 @@ Then for blackbox.
 <Tabs groupId="843D706B-5BE0-46FE-978F-EA17BC1AD932">
  <TabItem value="command" label="Command">
 ```bash
-cue import -p holos -o- -l '_Helm: Values:' \
-  projects/platform/components/blackbox/vendor/9.0.1/prometheus-blackbox-exporter/values.yaml \
-  > projects/platform/components/blackbox/values.cue
+cue import --package holos \
+  --path '_Helm: Values:' \
+  --outfile projects/platform/components/blackbox/values.cue
+  projects/platform/components/blackbox/vendor/9.0.1/prometheus-blackbox-exporter/values.yaml
 ```
  </TabItem>
  <TabItem value="output" label="values.cue">
@@ -4168,12 +4169,8 @@ lock step.

 <Tabs groupId="B3A011D0-2D13-4DA8-B963-92115E734085">
  <TabItem value="command" label="Command">
-```bash
-git diff
-```
-  </TabItem>
-  <TabItem value="output" label="Output" default>
 ```diff
+patch -p1 <<EOF
 --- a/projects/platform/components/blackbox/values.cue
 +++ b/projects/platform/components/blackbox/values.cue
@@ -2,6 +2,9 @@ package holos
@@ -4186,15 +4183,15 @@ git diff
 		global: {
 			//# Global image registry to use if it needs to be overriden for some specific use cases (e.g local registries, custom images, ...)
 			//#
-@@ -196,7 +196,7 @@ _Helm: {
-                        annotations: {}
-                        labels: {}
-                        type: "ClusterIP"
-                       port: 9115
-+                       port: _blackbox.port
-                        ipDualStack: {
-                                enabled: false
-                                ipFamilies: ["IPv6", "IPv4"]
+@@ -193,7 +196,7 @@ _Helm: {
+ 			annotations: {}
+ 			labels: {}
+ 			type: "ClusterIP"
+-			port: 9115
+			port: _blackbox.port
+ 			ipDualStack: {
+ 				enabled: false
+ 				ipFamilies: ["IPv6", "IPv4"]
 --- a/projects/platform/components/prometheus/values.cue
 +++ b/projects/platform/components/prometheus/values.cue
@@ -1084,7 +1084,7 @@ _Helm: {
@@ -4206,6 +4203,13 @@ git diff
 					}, {
 						source_labels: ["__param_target"]
 						target_label: "instance"
+EOF
+```
+  </TabItem>
+  <TabItem value="output" label="Output" default>
+```txt
+patching file 'projects/platform/components/blackbox/values.cue'
+patching file 'projects/platform/components/prometheus/values.cue'
 ```
  </TabItem>
 </Tabs>
@@ -4308,11 +4312,10 @@ git diff
         - __address__
         target_label: __param_target
 -      - replacement: blackbox
-+      - replacement: blackbox:6115
+      - replacement: blackbox:9115
         target_label: __address__
       - source_labels:
         - __param_target
-
 ```
  </TabItem>
 </Tabs>
@@ -4498,12 +4501,8 @@ render platform` command fails immediately with a clear validation error.

 <Tabs groupId="BFCF4FCA-33EB-45D8-8D36-CDD80E54C819">
  <TabItem value="command" label="Command">
-```bash
-git diff
-```
-  </TabItem>
-  <TabItem value="output" label="Output">
 ```diff
+patch -p1 <<EOF
 --- a/projects/blackbox.schema.cue
 +++ b/projects/blackbox.schema.cue
@@ -10,6 +10,6 @@ package holos
@@ -4514,7 +4513,12 @@ git diff
 +	host: "this is not valid"
 	port: 6115
 }
-
+EOF
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```txt
+patching file 'projects/blackbox.schema.cue'
 ```
  </TabItem>
 </Tabs>
@@ -4539,6 +4543,13 @@ could not run: could not render component: exit status 1 at builder/v1alpha4/bui

 ![VS Code out of bound error](img/helm-editor-constraints.png)

+Undo the invalid change.
+
+```bash
+git restore projects/blackbox.schema.cue
+rm -f projects/blackbox.schema.cue.orig
+```
+
 ### Httpbin Kustomization

 We need to manage [httpbin] so we can achieve the goal of probing a simple
@@ -4556,10 +4567,7 @@ components.
  <TabItem value="projects/platform/components/httpbin/httpbin.cue" label="Component">
 ```bash
 mkdir -p projects/platform/components/httpbin
-```
-
-```txt
-projects/platform/components/httpbin/httpbin.cue
+touch projects/platform/components/httpbin/httpbin.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -4571,9 +4579,10 @@ _Kustomize.BuildPlan

 // https://github.com/mccutchen/go-httpbin/blob/v2.15.0/kustomize/README.md
 _Kustomize: #Kustomize & {
-	KustomizeConfig: Resources: "github.com/mccutchen/go-httpbin/kustomize": _
+	KustomizeConfig: Files: "resources.yaml": _
 	KustomizeConfig: Kustomization: {
 		commonLabels: "app.kubernetes.io/name": "httpbin"
+		images: [{name: "mccutchen/go-httpbin"}]
 		_patches: probe: {
 			target: kind: "Service"
 			target: name: "httpbin"
@@ -4586,6 +4595,55 @@ _Kustomize: #Kustomize & {
 		patches: [for x in _patches {x}]
 	}
 }
+```
+  </TabItem>
+  <TabItem value="projects/platform/components/httpbin/resources.yaml" label="resources.yaml">
+Add a plain `resources.yaml` file containing resources for kustomize to process.
+:::important
+Holos knows this file is part of the BuildPlan from the `KustomizeConfig:
+Files: "resources.yaml": _` line in the Component.
+:::
+```bash
+mkdir -p projects/platform/components/httpbin
+touch projects/platform/components/httpbin/resources.yaml
+```
+```yaml showLineNumbers
+# https://github.com/mccutchen/go-httpbin/blob/v2.15.0/kustomize/resources.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: httpbin
+spec:
+  template:
+    spec:
+      containers:
+        - name: httpbin
+          image: mccutchen/go-httpbin
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /status/200
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /status/200
+              port: http
+          resources: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: httpbin
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+      appProtocol: http
 ```
  </TabItem>
 </Tabs>
@@ -4595,7 +4653,8 @@ Register the component with the platform.
 <Tabs groupId="CBD42BC2-38C3-46E2-9F4D-B21D8E909BAC">
  <TabItem value="platform/httpbin.cue" label="Platform">
 ```txt
-platform/httpbin.cue
+mkdir -p platform
+touch platform/httpbin.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -4765,6 +4824,7 @@ deployment.apps/httpbin created
 Port forward to the prometheus web interface.

 ```bash
+kubectl wait --for=condition=Available deployment/prometheus-server --timeout=300s
 kubectl -n default port-forward svc/prometheus-server 8081:80
 ```

--- a/doc/md.archive/guides-v1alpha4/img/bank-home.png
+++ b/doc/md.archive/guides-v1alpha4/img/bank-home.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-diff.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-diff.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-in-sync.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-in-sync.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-login-page.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-login-page.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-out-of-sync.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-out-of-sync.png
--- a/doc/md.archive/guides-v1alpha4/img/change-a-service-progressing.png
+++ b/doc/md.archive/guides-v1alpha4/img/change-a-service-progressing.png
--- a/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-deployed.png
+++ b/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-deployed.png
--- a/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-greetings.png
+++ b/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-greetings.png
--- a/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-missing.png
+++ b/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-missing.png
--- a/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-sync.png
+++ b/doc/md.archive/guides-v1alpha4/img/deploy-a-service-podinfo-sync.png
--- a/doc/md.archive/guides-v1alpha4/quickstart.mdx
+++ b/doc/md.archive/guides-v1alpha4/quickstart.mdx
@@ -72,7 +72,7 @@ go install github.com/holos-run/holos/cmd/holos@latest
  </TabItem>
  <TabItem value="output" label="Output">
 ```txt
-go: downloading github.com/holos-run/holos v0.95.1
+go: downloading github.com/holos-run/holos v0.97.2
 ```
  </TabItem>
 </Tabs>
@@ -138,12 +138,10 @@ workflow.
 ```cue showLineNumbers
 package holos

-#ArgoConfig: {
-  Enabled: true
-  // highlight-next-line
-  RepoURL: "https://github.com/holos-run/bank-of-holos"
+_ArgoConfig: {
+	Enabled: true
+	RepoURL: "https://github.com/jeffmccune/bank-of-holos"
 }
-
 ```
  </TabItem>
 </Tabs>
@@ -154,16 +152,17 @@ Change the RepoURL to the URL of your fork.  For example:
  <TabItem value="command" label="projects/argocd-config.cue">
 ```diff showLineNumbers
 diff --git a/projects/argocd-config.cue b/projects/argocd-config.cue
-index 5264f48..0214e99 100644
+index 1291a31..ff3bbfb 100644
 --- a/projects/argocd-config.cue
 +++ b/projects/argocd-config.cue
@@ -2,5 +2,5 @@ package holos
-
- #ArgoConfig: {
-        Enabled: true
-       RepoURL: "https://github.com/holos-run/bank-of-holos"
-+       RepoURL: "https://github.com/jeffmccune/bank-of-holos"
+ 
+ _ArgoConfig: {
+ 	Enabled: true
+-	RepoURL: "https://github.com/holos-run/bank-of-holos"
+	RepoURL: "https://github.com/jeffmccune/bank-of-holos"
 }
+
 ```
  </TabItem>
 </Tabs>
@@ -228,38 +227,36 @@ git status
  </TabItem>
  <TabItem value="output" label="Output">
 ```txt
-On branch main
-Your branch is up to date with 'origin/main'.
-
+On branch jeff/291-consistent-fields
 Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
-        modified:   deploy/clusters/workload/gitops/app-projects.gen.yaml
-        modified:   deploy/clusters/workload/gitops/argocd-crds.gen.yaml
-        modified:   deploy/clusters/workload/gitops/argocd.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-accounts-db.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-backend-config.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-balance-reader.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-contacts.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-frontend.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-ledger-db.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-ledger-writer.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-secrets.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-transaction-history.gen.yaml
-        modified:   deploy/clusters/workload/gitops/bank-userservice.gen.yaml
-        modified:   deploy/clusters/workload/gitops/cert-manager.gen.yaml
-        modified:   deploy/clusters/workload/gitops/external-secrets-crds.gen.yaml
-        modified:   deploy/clusters/workload/gitops/external-secrets.gen.yaml
-        modified:   deploy/clusters/workload/gitops/gateway-api.gen.yaml
-        modified:   deploy/clusters/workload/gitops/httproutes.gen.yaml
-        modified:   deploy/clusters/workload/gitops/istio-base.gen.yaml
-        modified:   deploy/clusters/workload/gitops/istio-cni.gen.yaml
-        modified:   deploy/clusters/workload/gitops/istio-gateway.gen.yaml
-        modified:   deploy/clusters/workload/gitops/istio-ztunnel.gen.yaml
-        modified:   deploy/clusters/workload/gitops/istiod.gen.yaml
-        modified:   deploy/clusters/workload/gitops/local-ca.gen.yaml
-        modified:   deploy/clusters/workload/gitops/namespaces.gen.yaml
-        modified:   projects/argocd-config.cue
+	modified:   deploy/clusters/local/gitops/app-projects.gen.yaml
+	modified:   deploy/clusters/local/gitops/argocd-crds.gen.yaml
+	modified:   deploy/clusters/local/gitops/argocd.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-accounts-db.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-backend-config.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-balance-reader.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-contacts.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-frontend.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-ledger-db.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-ledger-writer.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-secrets.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-transaction-history.gen.yaml
+	modified:   deploy/clusters/local/gitops/bank-userservice.gen.yaml
+	modified:   deploy/clusters/local/gitops/cert-manager.gen.yaml
+	modified:   deploy/clusters/local/gitops/external-secrets-crds.gen.yaml
+	modified:   deploy/clusters/local/gitops/external-secrets.gen.yaml
+	modified:   deploy/clusters/local/gitops/gateway-api.gen.yaml
+	modified:   deploy/clusters/local/gitops/httproutes.gen.yaml
+	modified:   deploy/clusters/local/gitops/istio-base.gen.yaml
+	modified:   deploy/clusters/local/gitops/istio-cni.gen.yaml
+	modified:   deploy/clusters/local/gitops/istio-gateway.gen.yaml
+	modified:   deploy/clusters/local/gitops/istio-ztunnel.gen.yaml
+	modified:   deploy/clusters/local/gitops/istiod.gen.yaml
+	modified:   deploy/clusters/local/gitops/local-ca.gen.yaml
+	modified:   deploy/clusters/local/gitops/namespaces.gen.yaml
+	modified:   projects/argocd-config.cue

 no changes added to commit (use "git add" and/or "git commit -a")
 ```
@@ -272,22 +269,23 @@ the changed `spec.source.repoURL` field.
 <Tabs groupId="665E5402-FB42-4975-B654-3922EE73EE07">
  <TabItem value="command" label="Command">
 ```bash
-git diff deploy/clusters/workload/gitops/bank-frontend.gen.yaml
+git diff deploy/clusters/local/gitops/bank-frontend.gen.yaml
 ```
  </TabItem>
  <TabItem value="output" label="Output">
 ```diff showLineNumbers
-diff --git a/deploy/clusters/workload/gitops/bank-frontend.gen.yaml b/deploy/clusters/workload/gitops/bank-frontend.gen.yaml
-index 3a3dec0..22e21bb 100644
--- a/deploy/clusters/workload/gitops/bank-frontend.gen.yaml
-+++ b/deploy/clusters/workload/gitops/bank-frontend.gen.yaml
+diff --git a/deploy/clusters/local/gitops/bank-frontend.gen.yaml b/deploy/clusters/local/gitops/bank-frontend.gen.yaml
+index e07d5ea..14cc71c 100644
+--- a/deploy/clusters/local/gitops/bank-frontend.gen.yaml
+++ b/deploy/clusters/local/gitops/bank-frontend.gen.yaml
@@ -11,5 +11,5 @@ spec:
-   project: default
+   project: bank-frontend
   source:
-     path: deploy/clusters/workload/components/bank-frontend
+     path: deploy/clusters/local/components/bank-frontend
 -    repoURL: https://github.com/holos-run/bank-of-holos
 +    repoURL: https://github.com/jeffmccune/bank-of-holos
     targetRevision: main
+
 ```
  </TabItem>
 </Tabs>
@@ -328,35 +326,34 @@ like this.

 ```mermaid
 ---
-title: Figure 1 - Render Pipeline
+title: Figure 1 - v1alpha4 Rendered Manifest Pipeline
 ---
 graph LR
-    PS[<a href="/docs/api/author/v1alpha3/#Platform">Platform</a>]
-    HC[<a href="/docs/api/author/v1alpha3/#ComponentFields">Components</a>]
-    BP[<a href="/docs/api/core/v1alpha3#BuildPlan">BuildPlan</a>]
+    Platform[<a href="/docs/api/author/v1alpha4/#Platform">Platform</a>]
+    Component[<a href="/docs/api/author/v1alpha4/#ComponentConfig">Components</a>]

-    H[<a href="/docs/api/author/v1alpha3/#Helm">Helm</a>]
-    K[<a href="/docs/api/author/v1alpha3/#Kustomize">Kustomize</a>]
-    O[<a href="/docs/api/author/v1alpha3/#Kubernetes">Kubernetes</a>]
+    Helm[<a href="/docs/api/author/v1alpha4/#Helm">Helm</a>]
+    Kustomize[<a href="/docs/api/author/v1alpha4/#Kustomize">Kustomize</a>]
+    Kubernetes[<a href="/docs/api/author/v1alpha4/#Kubernetes">Kubernetes</a>]

-    P[<a href="/docs/api/core/v1alpha3#Kustomize">Kustomize</a>]
-    Y[Kubernetes <br/>Resources]
-    G[GitOps <br/>Resource]
-    FS[Local Files]
+    BuildPlan[<a href="/docs/api/core/v1alpha4/#buildplan">BuildPlan</a>]

-    C[Kube API Server]
+    ResourcesArtifact[<a href="/docs/api/core/v1alpha4/#artifact">Resources<br/>Artifact</a>]
+    GitOpsArtifact[<a href="/docs/api/core/v1alpha4/#artifact">GitOps<br/>Artifact</a>]

-    PS --> HC --> BP
-    BP --> H --> P
-    BP --> K --> P
-    BP --> O --> P
+    Generators[<a href="/docs/api/core/v1alpha4/#generators">Generators</a>]
+    Transformers[<a href="/docs/api/core/v1alpha4/#transformer">Transformers</a>]
+    Files[Manifest<br/>Files]

-    P --> Y --> FS
-    P --> G --> FS
+    Platform --> Component
+    Component --> Helm --> BuildPlan
+    Component --> Kubernetes --> BuildPlan
+    Component --> Kustomize --> BuildPlan

-    FS --> ArgoCD --> C
-    FS --> Flux --> C
-    FS --> kubectl --> C
+    BuildPlan --> ResourcesArtifact --> Generators
+    BuildPlan --> GitOpsArtifact --> Generators
+
+    Generators --> Transformers --> Files
 ```

 ### Why do we render the platform? {#why-render-the-platform}
@@ -407,14 +404,14 @@ files for now, they behave the same as these two.
 package holos

 // Manage the Component on every Cluster in the Platform
-for Fleet in #Fleets {
+for Fleet in _Fleets {
 	for Cluster in Fleet.clusters {
-		#Platform: Components: "\(Cluster.name):argocd-crds": {
+		_Platform: Components: "\(Cluster.name):argocd-crds": {
 			name:      "argocd-crds"
 			component: "projects/platform/components/argocd/crds"
 			cluster:   Cluster.name
 		}
-		#Platform: Components: "\(Cluster.name):argocd": {
+		_Platform: Components: "\(Cluster.name):argocd": {
 			name:      "argocd"
 			component: "projects/platform/components/argocd/argocd"
 			cluster:   Cluster.name
@@ -428,14 +425,14 @@ for Fleet in #Fleets {
 package holos

 // Manage the component on every cluster in the platform
-for Fleet in #Fleets {
+for Fleet in _Fleets {
 	for Cluster in Fleet.clusters {
-		#Platform: Components: "\(Cluster.name):external-secrets-crds": {
+		_Platform: Components: "\(Cluster.name):external-secrets-crds": {
 			name:      "external-secrets-crds"
 			component: "projects/platform/components/external-secrets-crds"
 			cluster:   Cluster.name
 		}
-		#Platform: Components: "\(Cluster.name):external-secrets": {
+		_Platform: Components: "\(Cluster.name):external-secrets": {
 			name:      "external-secrets"
 			component: "projects/platform/components/external-secrets"
 			cluster:   Cluster.name
@@ -488,7 +485,7 @@ understand how the rest of the CUE files in the platform directory behave.

 :::tip
 Each CUE file in the platform directory adds components to the
-`#Platform.Components` struct.
+`_Platform.Components` struct.
 :::

 The final file in the directory is responsible for producing the Platform spec.
@@ -501,17 +498,17 @@ package holos

 import api "github.com/holos-run/holos/api/author/v1alpha4"

-#Platform: api.#Platform & {
-	Name: "guide"
+_Platform: api.#Platform & {
+	Name: "default"
 }

 // Render a Platform resource for holos to process
-#Platform.Resource
+_Platform.Resource
 ```
  </TabItem>
 </Tabs>

-This file provides the value of the `#Platform.Resource` field, the platform
+This file provides the value of the `_Platform.Resource` field, the platform
 spec, to `holos`.

 Let's take a look at that Output value:
@@ -527,29 +524,84 @@ cue export --out yaml ./platform
 kind: Platform
 apiVersion: v1alpha4
 metadata:
-  name: guide
+  name: default
 spec:
-  components: # This is a trimmed list for readability.
+  components:
+    - name: httproutes
+      component: projects/platform/components/httproutes
+      cluster: local
+    - name: istio-gateway
+      component: projects/platform/components/istio/gateway
+      cluster: local
+    - name: istio-base
+      component: projects/platform/components/istio/base
+      cluster: local
+    - name: istiod
+      component: projects/platform/components/istio/istiod
+      cluster: local
+    - name: istio-cni
+      component: projects/platform/components/istio/cni
+      cluster: local
+    - name: istio-ztunnel
+      component: projects/platform/components/istio/ztunnel
+      cluster: local
+    - name: app-projects
+      component: projects/platform/components/app-projects
+      cluster: local
+    - name: argocd-crds
+      component: projects/platform/components/argocd/crds
+      cluster: local
+    - name: argocd
+      component: projects/platform/components/argocd/argocd
+      cluster: local
    - name: bank-secrets
      component: projects/bank-of-holos/security/components/bank-secrets
-      cluster: workload
-      model: {}
+      cluster: local
    - name: bank-frontend
      component: projects/bank-of-holos/frontend/components/bank-frontend
-      cluster: workload
-      model: {}
+      cluster: local
    - name: bank-backend-config
      component: projects/bank-of-holos/backend/components/bank-backend-config
-      cluster: workload
-      model: {}
+      cluster: local
    - name: bank-accounts-db
      component: projects/bank-of-holos/backend/components/bank-accounts-db
-      cluster: workload
-      model: {}
+      cluster: local
    - name: bank-userservice
      component: projects/bank-of-holos/backend/components/bank-userservice
-      cluster: workload
-      model: {}
+      cluster: local
+    - name: bank-ledger-db
+      component: projects/bank-of-holos/backend/components/bank-ledger-db
+      cluster: local
+    - name: bank-ledger-writer
+      component: projects/bank-of-holos/backend/components/bank-ledger-writer
+      cluster: local
+    - name: bank-balance-reader
+      component: projects/bank-of-holos/backend/components/bank-balance-reader
+      cluster: local
+    - name: bank-transaction-history
+      component: projects/bank-of-holos/backend/components/bank-transaction-history
+      cluster: local
+    - name: bank-contacts
+      component: projects/bank-of-holos/backend/components/bank-contacts
+      cluster: local
+    - name: cert-manager
+      component: projects/platform/components/cert-manager
+      cluster: local
+    - name: external-secrets-crds
+      component: projects/platform/components/external-secrets-crds
+      cluster: local
+    - name: external-secrets
+      component: projects/platform/components/external-secrets
+      cluster: local
+    - name: gateway-api
+      component: projects/platform/components/gateway-api
+      cluster: local
+    - name: local-ca
+      component: projects/platform/components/local-ca
+      cluster: local
+    - name: namespaces
+      component: projects/platform/components/namespaces
+      cluster: local
 ```
  </TabItem>
 </Tabs>
@@ -600,23 +652,26 @@ start working with the cert-manager component.
 package holos

 // Produce a helm chart build plan.
-(#Helm & Chart).BuildPlan
+_HelmChart.BuildPlan

-let Chart = {
+_HelmChart: #Helm & {
 	Name:      "cert-manager"
-	Namespace: #CertManager.Namespace
+	Namespace: _CertManager.Namespace

 	Chart: {
-		version: #CertManager.Version
+		version: _CertManager.Version
 		repository: {
 			name: "jetstack"
 			url:  "https://charts.jetstack.io"
 		}
 	}
+	EnableHooks: true

-	Values: {
-		installCRDs: true
+	Values: #Values & {
+		crds: enabled:            true
 		startupapicheck: enabled: false
+		// https://github.com/cert-manager/cert-manager/issues/6716
+		global: leaderElection: namespace: Namespace
 	}
 }
 ```
@@ -625,14 +680,19 @@ let Chart = {
 ```cue showLineNumbers
 package holos

-// Platform wide configuration
 #CertManager: {
-	Version:   "1.15.3"
+	Version:   string
+	Namespace: string
+}
+
+// Platform wide configuration
+_CertManager: {
+	Version:   "v1.16.1"
 	Namespace: "cert-manager"
 }

 // Register the namespace
-#Namespaces: (#CertManager.Namespace): _
+_Namespaces: (_CertManager.Namespace): _
 ```
  </TabItem>
 </Tabs>
@@ -640,15 +700,13 @@ package holos
 This file introduces a few new concepts.

 1. Line 4 indicates this component produces a BuildPlan that wraps a Helm Chart.
-2. On line 6 `let` binds a name to an expression for the current scope.  The
-current file in this case.
-3. Notice Chart is referenced on line 4 before it's bound on line 6.  **Order is
-irrelevant in CUE**.  Complex changes are simpler and easier when we don't have
-to think about order.
-4. The chart version and namespace are defined in a different file closer to the
-root, `projects/cert-manager.cue`
-5. We define Helm values in CUE to take advantage of strong type checking and
-manage multiple Helm charts consistently with platform wide values.
+2. Notice `_HelmChart` is referenced on line 4 before it's defined on line 6.
+**Order is irrelevant in CUE**.  Complex changes are simpler and easier when we
+don't have to think about order.
+3. Line 8 and 11: The chart version and namespace are defined in a different
+file closer to the root, `projects/cert-manager.cue`
+4. Line 19: Helm values are defined in CUE to take advantage of strong type
+checking and manage multiple Helm charts consistently with the same values.

 Let's take a look at the BuildPlan that results from the CUE configuration
 described above.
@@ -675,16 +733,280 @@ spec:
          helm:
            chart:
              name: cert-manager
-              version: 1.15.3
+              version: v1.16.1
              release: cert-manager
              repository:
                name: jetstack
                url: https://charts.jetstack.io
            values:
-              installCRDs: true
+              global:
+                imagePullSecrets: []
+                commonLabels: {}
+                priorityClassName: ""
+                rbac:
+                  create: true
+                  aggregateClusterRoles: true
+                podSecurityPolicy:
+                  enabled: false
+                  useAppArmor: true
+                logLevel: 2
+                leaderElection:
+                  namespace: cert-manager
+              installCRDs: false
+              crds:
+                enabled: true
+                keep: true
+              replicaCount: 1
+              strategy: {}
+              podDisruptionBudget:
+                enabled: false
+              featureGates: ""
+              maxConcurrentChallenges: 60
+              image:
+                repository: quay.io/jetstack/cert-manager-controller
+                pullPolicy: IfNotPresent
+              clusterResourceNamespace: ""
+              namespace: ""
+              serviceAccount:
+                create: true
+                automountServiceAccountToken: true
+              enableCertificateOwnerRef: false
+              config: {}
+              dns01RecursiveNameservers: ""
+              dns01RecursiveNameserversOnly: false
+              disableAutoApproval: false
+              approveSignerNames:
+                - issuers.cert-manager.io/*
+                - clusterissuers.cert-manager.io/*
+              extraArgs: []
+              extraEnv: []
+              resources: {}
+              securityContext:
+                runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
+              containerSecurityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+                readOnlyRootFilesystem: true
+              volumes: []
+              volumeMounts: []
+              podLabels: {}
+              hostAliases: []
+              nodeSelector:
+                kubernetes.io/os: linux
+              ingressShim: {}
+              affinity: {}
+              tolerations: []
+              topologySpreadConstraints: []
+              livenessProbe:
+                enabled: true
+                initialDelaySeconds: 10
+                periodSeconds: 10
+                timeoutSeconds: 15
+                successThreshold: 1
+                failureThreshold: 8
+              enableServiceLinks: false
+              prometheus:
+                enabled: true
+                servicemonitor:
+                  enabled: false
+                  prometheusInstance: default
+                  targetPort: 9402
+                  path: /metrics
+                  interval: 60s
+                  scrapeTimeout: 30s
+                  labels: {}
+                  annotations: {}
+                  honorLabels: false
+                  endpointAdditionalProperties: {}
+                podmonitor:
+                  enabled: false
+                  prometheusInstance: default
+                  path: /metrics
+                  interval: 60s
+                  scrapeTimeout: 30s
+                  labels: {}
+                  annotations: {}
+                  honorLabels: false
+                  endpointAdditionalProperties: {}
+              webhook:
+                replicaCount: 1
+                timeoutSeconds: 30
+                config: {}
+                strategy: {}
+                securityContext:
+                  runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
+                containerSecurityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                      - ALL
+                  readOnlyRootFilesystem: true
+                podDisruptionBudget:
+                  enabled: false
+                validatingWebhookConfiguration:
+                  namespaceSelector:
+                    matchExpressions:
+                      - key: cert-manager.io/disable-validation
+                        operator: NotIn
+                        values:
+                          - "true"
+                mutatingWebhookConfiguration:
+                  namespaceSelector: {}
+                extraArgs: []
+                extraEnv: []
+                featureGates: ""
+                resources: {}
+                livenessProbe:
+                  failureThreshold: 3
+                  initialDelaySeconds: 60
+                  periodSeconds: 10
+                  successThreshold: 1
+                  timeoutSeconds: 1
+                readinessProbe:
+                  failureThreshold: 3
+                  initialDelaySeconds: 5
+                  periodSeconds: 5
+                  successThreshold: 1
+                  timeoutSeconds: 1
+                nodeSelector:
+                  kubernetes.io/os: linux
+                affinity: {}
+                tolerations: []
+                topologySpreadConstraints: []
+                podLabels: {}
+                serviceLabels: {}
+                serviceIPFamilyPolicy: ""
+                serviceIPFamilies: []
+                image:
+                  repository: quay.io/jetstack/cert-manager-webhook
+                  pullPolicy: IfNotPresent
+                serviceAccount:
+                  create: true
+                  automountServiceAccountToken: true
+                securePort: 10250
+                hostNetwork: false
+                serviceType: ClusterIP
+                url: {}
+                networkPolicy:
+                  enabled: false
+                  ingress:
+                    - from:
+                        - ipBlock:
+                            cidr: 0.0.0.0/0
+                  egress:
+                    - ports:
+                        - port: 80
+                          protocol: TCP
+                        - port: 443
+                          protocol: TCP
+                        - port: 53
+                          protocol: TCP
+                        - port: 53
+                          protocol: UDP
+                        - port: 6443
+                          protocol: TCP
+                      to:
+                        - ipBlock:
+                            cidr: 0.0.0.0/0
+                volumes: []
+                volumeMounts: []
+                enableServiceLinks: false
+              cainjector:
+                enabled: true
+                replicaCount: 1
+                config: {}
+                strategy: {}
+                securityContext:
+                  runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
+                containerSecurityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                      - ALL
+                  readOnlyRootFilesystem: true
+                podDisruptionBudget:
+                  enabled: false
+                extraArgs: []
+                extraEnv: []
+                featureGates: ""
+                resources: {}
+                nodeSelector:
+                  kubernetes.io/os: linux
+                affinity: {}
+                tolerations: []
+                topologySpreadConstraints: []
+                podLabels: {}
+                serviceLabels: {}
+                image:
+                  repository: quay.io/jetstack/cert-manager-cainjector
+                  pullPolicy: IfNotPresent
+                serviceAccount:
+                  create: true
+                  automountServiceAccountToken: true
+                volumes: []
+                volumeMounts: []
+                enableServiceLinks: false
+              acmesolver:
+                image:
+                  repository: quay.io/jetstack/cert-manager-acmesolver
+                  pullPolicy: IfNotPresent
              startupapicheck:
                enabled: false
-            enableHooks: false
+                securityContext:
+                  runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
+                containerSecurityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                      - ALL
+                  readOnlyRootFilesystem: true
+                timeout: 1m
+                backoffLimit: 4
+                jobAnnotations:
+                  helm.sh/hook: post-install
+                  helm.sh/hook-weight: "1"
+                  helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+                extraArgs:
+                  - -v
+                extraEnv: []
+                resources: {}
+                nodeSelector:
+                  kubernetes.io/os: linux
+                affinity: {}
+                tolerations: []
+                podLabels: {}
+                image:
+                  repository: quay.io/jetstack/cert-manager-startupapicheck
+                  pullPolicy: IfNotPresent
+                rbac:
+                  annotations:
+                    helm.sh/hook: post-install
+                    helm.sh/hook-weight: "-5"
+                    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+                serviceAccount:
+                  create: true
+                  annotations:
+                    helm.sh/hook: post-install
+                    helm.sh/hook-weight: "-5"
+                    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+                  automountServiceAccountToken: true
+                volumes: []
+                volumeMounts: []
+                enableServiceLinks: false
+              extraObjects: []
+              creator: helm
+              enabled: true
+            enableHooks: true
            namespace: cert-manager
        - kind: Resources
          output: resources.gen.yaml
@@ -711,6 +1033,7 @@ spec:
              namespace: cert-manager
              commonLabels:
                holos.run/component.name: cert-manager
+                argocd.argoproj.io/instance: cert-manager
              resources:
                - combined.gen.yaml
    - artifact: clusters/no-cluster/gitops/cert-manager.gen.yaml
@@ -728,7 +1051,7 @@ spec:
                spec:
                  destination:
                    server: https://kubernetes.default.svc
-                  project: default
+                  project: platform
                  source:
                    path: deploy/clusters/no-cluster/components/cert-manager
                    repoURL: https://github.com/jeffmccune/bank-of-holos
--- a/doc/md.archive/guides/2024-09-15-quickstart.mdx
+++ b/doc/md.archive/guides/2024-09-15-quickstart.mdx
--- a/doc/md.archive/guides/2024-09-17-manage-a-project.mdx
+++ b/doc/md.archive/guides/2024-09-17-manage-a-project.mdx
--- a/doc/md.archive/guides/argocd/argocd-apps-2.png
+++ b/doc/md.archive/guides/argocd/argocd-apps-2.png
--- a/doc/md.archive/guides/argocd/argocd-apps.png
+++ b/doc/md.archive/guides/argocd/argocd-apps.png
--- a/doc/md.archive/guides/argocd/argocd-auto-sync-ok.png
+++ b/doc/md.archive/guides/argocd/argocd-auto-sync-ok.png
--- a/doc/md.archive/guides/argocd/argocd-diff.png
+++ b/doc/md.archive/guides/argocd/argocd-diff.png
--- a/doc/md.archive/guides/argocd/argocd-login-signedout.png
+++ b/doc/md.archive/guides/argocd/argocd-login-signedout.png
--- a/doc/md.archive/guides/argocd/argocd-login.png
+++ b/doc/md.archive/guides/argocd/argocd-login.png
--- a/doc/md.archive/guides/argocd/argocd-out-of-sync.png
+++ b/doc/md.archive/guides/argocd/argocd-out-of-sync.png
--- a/doc/md.archive/guides/argocd/argocd-sync-ok.png
+++ b/doc/md.archive/guides/argocd/argocd-sync-ok.png
--- a/doc/md.archive/guides/argocd/argocd-sync.png
+++ b/doc/md.archive/guides/argocd/argocd-sync.png
--- a/doc/md.archive/guides/argocd/index.mdx
+++ b/doc/md.archive/guides/argocd/index.mdx
--- a/doc/md.archive/guides/backstage/index.md
+++ b/doc/md.archive/guides/backstage/index.md
--- a/doc/md.archive/guides/expose-a-service.mdx
+++ b/doc/md.archive/guides/expose-a-service.mdx
--- a/doc/md.archive/guides/observability/index.md
+++ b/doc/md.archive/guides/observability/index.md
--- a/doc/md.archive/guides/overview.md
+++ b/doc/md.archive/guides/overview.md
--- a/doc/md.archive/guides/register.md
+++ b/doc/md.archive/guides/register.md
--- a/doc/md.archive/guides/try-holos/form-pushed.png
+++ b/doc/md.archive/guides/try-holos/form-pushed.png
--- a/doc/md.archive/guides/try-holos/form.png
+++ b/doc/md.archive/guides/try-holos/form.png
--- a/doc/md.archive/guides/try-holos/index.mdx
+++ b/doc/md.archive/guides/try-holos/index.mdx
--- a/doc/md.archive/guides/try-holos/platform-manifests.md
+++ b/doc/md.archive/guides/try-holos/platform-manifests.md
--- a/doc/md.archive/introduction.md
+++ b/doc/md.archive/introduction.md
@@ -1,6 +1,5 @@
 ---
-description: Holos Documentation
-slug: /
+description: Introduction
 ---

 # Introduction
--- a/doc/md.archive/local-development.md
+++ b/doc/md.archive/local-development.md
--- a/doc/md.archive/reference-platform/architecture.md
+++ b/doc/md.archive/reference-platform/architecture.md
--- a/doc/md.archive/runbooks/argocd.md
+++ b/doc/md.archive/runbooks/argocd.md
--- a/doc/md.archive/runbooks/deploy.md
+++ b/doc/md.archive/runbooks/deploy.md
--- a/doc/md.archive/runbooks/login/backups.md
+++ b/doc/md.archive/runbooks/login/backups.md
--- a/doc/md.archive/runbooks/login/failover.md
+++ b/doc/md.archive/runbooks/login/failover.md
--- a/doc/md.archive/runbooks/management/.gitignore
+++ b/doc/md.archive/runbooks/management/.gitignore
--- a/Show More
+++ b/Show More