bump the go_modules group across 1 directory with 2 updates (#455 )

bumps the go_modules group with 2 updates in the / directory: [github.com/docker/docker](https://github.com/docker/docker) and [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure). updates `github.com/docker/docker` from 28.2.2+incompatible to 28.3.3+incompatible - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v28.2.2...v28.3.3) updates `github.com/go-viper/mapstructure/v2` from 2.3.0 to 2.4.0 - [Release notes](https://github.com/go-viper/mapstructure/releases) - [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md) - [Commits](https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-version: 28.3.3+incompatible dependency-type: indirect dependency-group: go_modules - dependency-name: github.com/go-viper/mapstructure/v2 dependency-version: 2.4.0 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
upgraded versions/dependencies/deprecations (#454 )
2026-02-19 20:40:18 +00:00 · 2025-10-02 16:04:36 -04:00 · 2025-10-02 14:23:22 -04:00 · 2025-10-01 11:56:36 -04:00 · 2025-09-24 21:24:58 -04:00 · 2025-07-11 11:49:01 -04:00
175 changed files with 10660 additions and 7534 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,31 +1,51 @@
 ---
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: ''
+name: Bug Report
+about: Submit a bug report to help us improve!
+title: '[BUG]'
+labels: 'bug'
 assignees: ''
-
 ---

-<!-- Thanks for helping us to improve Hauler! We welcome all bug reports. Please fill out each area of the template so we can better help you. Comments like this will be hidden when you post but you can delete them if you wish. -->
+<!-- Thank you for helping us to improve Hauler! We welcome all bug reports. Please fill out each area of the template so we can better assist you. Comments like this will be hidden when you submit, but you can delete them if you wish. -->

-**Environmental Info:**  
+**Environmental Info:**
+
+<!-- Provide the output of "uname -a" -->
+
+-

 **Hauler Version:**

-**System CPU architecture, OS, and Version:**
-<!-- Provide the output from "uname -a" on the system where Hauler is installed -->
+<!-- Provide the output of "hauler version" -->

-**Describe the bug:**
-<!-- A clear and concise description of what the bug is. -->
+-

-**Steps To Reproduce:**
+**Describe the Bug:**

-**Expected behavior:**
-<!-- A clear and concise description of what you expected to happen. -->
+<!-- Provide a clear and concise description of the bug -->

-**Actual behavior:**
-<!-- A clear and concise description of what actually happened. -->
+-

-**Additional context / logs:**
-<!-- Add any other context and/or logs about the problem here. -->
+**Steps to Reproduce:**
+
+<!-- Provide a clear and concise way to reproduce the bug -->
+
+-
+
+**Expected Behavior:**
+
+<!-- Provide a clear and concise description of what you expected to happen -->
+
+-
+
+**Actual Behavior:**
+
+<!-- Provide a clear and concise description of what actually happens -->
+
+-
+
+**Additional Context:**
+
+<!-- Provide any other context and/or logs about the bug -->
+
+-
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,33 @@
+---
+name: Feature Request
+about: Submit a feature request for us to improve!
+title: '[feature]'
+labels: 'enhancement'
+assignees: ''
+---
+
+<!-- Thank you for helping us to improve Hauler! We welcome all requests for enhancements (RFEs). Please fill out each area of the template so we can better assist you. Comments like this will be hidden when you submit, but you can delete them if you wish. -->
+
+**Is this Feature/Enhancement related to an Existing Problem? If so, please describe:**
+
+<!-- Provide a clear and concise description of the problem -->
+
+-
+
+**Describe Proposed Solution(s):**
+
+<!-- Provide a clear and concise description of what you want to happen -->
+
+-
+
+**Describe Possible Alternatives:**
+
+<!-- Provide a clear and concise description of any alternative solutions or features you've considered -->
+
+-
+
+**Additional Context:**
+
+<!-- Provide a clear and concise description of the problem -->
+
+-
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,23 +1,36 @@
-* **Please check if the PR fulfills these requirements**
- [ ] The commit message follows our guidelines
- [ ] Tests for the changes have been added (for bug fixes / features)
- [ ] Docs have been added / updated (for bug fixes / features)
+**Please check below, if the PR fulfills these requirements:**
+- [ ] Commit(s) and code follow the repositories guidelines.
+- [ ] Test(s) have been added or updated to support these change(s).
+- [ ] Doc(s) have been added or updated to support these change(s).

+<!-- Comments like this will be hidden when you submit, but you can delete them if you wish. -->

-* **What kind of change does this PR introduce?** (Bug fix, feature, docs update, ...)
+**Associated Links:**

+<!-- Provide any associated or linked related to these change(s) -->

+-

-* **What is the current behavior?** (You can also link to an open issue here)
+**Types of Changes:**

+<!-- What is the type of change? Bugfix, Feature, Breaking Change, etc... -->

+-

-* **What is the new behavior (if this is a feature change)?**
+**Proposed Changes:**

+<!-- Provide the high level and low level description of your change(s) so we can better understand these change(s) -->

+-

-* **Does this PR introduce a breaking change?** (What changes might users need to make in their application due to this PR?)
+**Verification/Testing of Changes:**

+<!-- How can the changes be verified? Provide the steps necessary to reproduce and verify the proposed change(s) -->

+-

-* **Other information**:
+**Additional Context:**
+
+<!-- Provide any additional information, such as if this is a small or large or complex change. Feel free to kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc... -->
+
+-
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,67 +0,0 @@
-name: CI
-
-on:
-  workflow_dispatch:
-  push:
-    tags: 
-      - '*'
-
-
-jobs:
-
-  test:
-    strategy:
-      matrix:
-        go-version: [1.16.x]
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-    - name: Install Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: ${{ matrix.go-version }}
-    - name: Checkout code
-      uses: actions/checkout@v2
-    - name: Test
-      run: go test ./...
-    - name: Run lint/vet
-      run: |
-        go get -u golang.org/x/lint/golint
-        go mod tidy
-        golint ./...
-        go vet ./...
-    
-  create-release:
-    needs: test
-    runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/')
-    steps:
-    - name: Download release notes utility
-      env:
-        GH_REL_URL: https://github.com/buchanae/github-release-notes/releases/download/0.2.0/github-release-notes-linux-amd64-0.2.0.tar.gz
-      run: cd /tmp && curl -sSL ${GH_REL_URL} | tar xz && sudo mv github-release-notes /usr/local/bin/
-    - name: Generate release notes
-      run: |
-          echo 'CHANGELOG' > /tmp/release.txt
-          #github-release-notes -org rancherfederal -repo hauler -since-latest-release -include-author >> /tmp/release.txt
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Checkout code
-      uses: actions/checkout@v2
-    - name: Set up Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: 1.16
-    - name: Build and run Hauler package build
-      run: |
-        mkdir bin
-        go build -o bin ./cmd/...
-        ./bin/hauler package build
-    - name: Run GoReleaser
-      id: goreleaser
-      uses: goreleaser/goreleaser-action@v1
-      with:
-        version: latest
-        args: release --release-notes=/tmp/release.txt
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/pages.yaml
+++ b/.github/workflows/pages.yaml
@@ -0,0 +1,47 @@
+name: Pages Workflow
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  deploy-pages:
+    name: Deploy GitHub Pages
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+
+      - name: Upload Pages Artifacts
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: './static'
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,60 @@
+name: Release Workflow
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  goreleaser:
+    name: GoReleaser Job
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Set Up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+
+      - name: Set Up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Authenticate to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Authenticate to DockerHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: "release --clean --timeout 60m"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          DOCKER_CLI_EXPERIMENTAL: "enabled"
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -0,0 +1,337 @@
+name: Tests Workflow
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  unit-tests:
+    name: Unit Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Set Up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+
+      - name: Install Go Releaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          install-only: true
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y make
+          sudo apt-get install -y build-essential
+
+      - name: Run Makefile Targets
+        run: |
+          make build-all
+
+      - name: Upload Hauler Binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: hauler-binaries
+          path: dist/*
+
+      - name: Upload Coverage Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage.out
+
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    needs: [unit-tests]
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y unzip
+          sudo apt-get install -y tree
+
+      - name: Download Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: hauler-binaries
+          path: dist
+
+      - name: Prepare Hauler for Tests
+        run: |
+          pwd
+          ls -la
+          ls -la dist/
+          chmod -R 755 dist/ testdata/certificate-script.sh
+          sudo mv dist/hauler_linux_amd64_v1/hauler /usr/local/bin/hauler
+          ./testdata/certificate-script.sh && sudo chown -R $(whoami) testdata/certs/
+
+      - name: Verify - hauler version
+        run: |
+          hauler version
+
+      - name: Verify - hauler completion
+        run: |
+          hauler completion
+          hauler completion bash
+          hauler completion fish
+          hauler completion powershell
+          hauler completion zsh
+
+      - name: Verify - hauler help
+        run: |
+          hauler help
+
+      - name: Verify - hauler login
+        run: |
+          hauler login --help
+          hauler login docker.io --username ${{ secrets.DOCKERHUB_USERNAME }} --password ${{ secrets.DOCKERHUB_TOKEN }}
+          echo ${{ secrets.GITHUB_TOKEN }} | hauler login ghcr.io -u ${{ github.repository_owner }} --password-stdin
+
+      - name: Remove Hauler Store Credentials
+        run: |
+          rm -rf ~/.docker/config.json
+
+      - name: Verify - hauler store
+        run: |
+          hauler store --help
+
+      - name: Verify - hauler store add
+        run: |
+          hauler store add --help
+
+      - name: Verify - hauler store add chart
+        run: |
+          hauler store add chart --help
+          # verify via helm repository
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable --version 2.8.4
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable --version 2.8.3 --verify
+          # verify via oci helm repository
+          hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev
+          hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev --version 1.0.6
+          hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev --version 1.0.4 --verify
+          # verify via local helm repository
+          curl -sfOL https://github.com/rancherfederal/rancher-cluster-templates/releases/download/rancher-cluster-templates-0.5.2/rancher-cluster-templates-0.5.2.tgz
+          hauler store add chart rancher-cluster-templates-0.5.2.tgz --repo .
+          curl -sfOL https://github.com/rancherfederal/rancher-cluster-templates/releases/download/rancher-cluster-templates-0.5.1/rancher-cluster-templates-0.5.1.tgz
+          hauler store add chart rancher-cluster-templates-0.5.1.tgz --repo . --version 0.5.1
+          curl -sfOL https://github.com/rancherfederal/rancher-cluster-templates/releases/download/rancher-cluster-templates-0.5.0/rancher-cluster-templates-0.5.0.tgz
+          hauler store add chart rancher-cluster-templates-0.5.0.tgz --repo . --version 0.5.0 --verify
+          # verify via the hauler store contents
+          hauler store info
+
+      - name: Verify - hauler store add file
+        run: |
+          hauler store add file --help
+          # verify via remote file
+          hauler store add file https://get.rke2.io/install.sh
+          hauler store add file https://get.rke2.io/install.sh --name rke2-install.sh
+          # verify via local file
+          hauler store add file testdata/hauler-manifest.yaml
+          hauler store add file testdata/hauler-manifest.yaml --name hauler-manifest-local.yaml
+          # verify via the hauler store contents
+          hauler store info
+
+      - name: Verify - hauler store add image
+        run: |
+          hauler store add image --help
+          # verify via image reference
+          hauler store add image busybox
+          # verify via image reference with version and platform
+          hauler store add image busybox:stable --platform linux/amd64
+          # verify via image reference with full reference
+          hauler store add image gcr.io/distroless/base@sha256:7fa7445dfbebae4f4b7ab0e6ef99276e96075ae42584af6286ba080750d6dfe5
+          # verify via the hauler store contents
+          hauler store info
+
+      - name: Verify - hauler store copy
+        run: |
+          hauler store copy --help
+          # need more tests here
+
+      - name: Verify - hauler store extract
+        run: |
+          hauler store extract --help
+          # verify via extracting hauler store content
+          hauler store extract hauler/hauler-manifest-local.yaml:latest
+          # view extracted content from store
+          cat hauler-manifest-local.yaml
+
+      - name: Verify - hauler store info
+        run: |
+          hauler store info --help
+          # verify via table output
+          hauler store info --output table
+          # verify via json output
+          hauler store info --output json
+          # verify via filtered output (chart)
+          hauler store info --type chart
+          # verify via filtered output (file)
+          hauler store info --type file
+          # verify via filtered output (image)
+          hauler store info --type image
+          # verify store directory structure
+          tree -hC store
+
+      - name: Verify - hauler store save
+        run: |
+          hauler store save --help
+          # verify via save
+          hauler store save
+          # verify via save with filename
+          hauler store save --filename store.tar.zst
+          # verify via save with filename and platform (amd64)
+          hauler store save --filename store-amd64.tar.zst --platform linux/amd64
+
+      - name: Remove Hauler Store Contents
+        run: |
+          rm -rf store
+          hauler store info
+
+      - name: Verify - hauler store load
+        run: |
+          hauler store load --help
+          # verify via load
+          hauler store load
+          # verify via load with multiple files
+          hauler store load --filename haul.tar.zst --filename store.tar.zst
+          # verify via load with filename and temp directory
+          hauler store load --filename store.tar.zst --tempdir /opt
+          # verify via load with filename and platform (amd64)
+          hauler store load --filename store-amd64.tar.zst
+
+      - name: Verify Hauler Store Contents
+        run: |
+          # verify store
+          hauler store info
+          # verify store directory structure
+          tree -hC store
+
+      - name: Verify - docker load
+        run: |
+          docker load --help
+          # verify via load
+          docker load --input store-amd64.tar.zst
+
+      - name: Verify Docker Images Contents
+        run: |
+          docker images --help
+          # verify images
+          docker images --all
+
+      - name: Remove Hauler Store Contents
+        run: |
+          rm -rf store haul.tar.zst store.tar.zst store-amd64.tar.zst
+          hauler store info
+
+      - name: Verify - hauler store sync
+        run: |
+          hauler store sync --help
+          # download local helm repository
+          curl -sfOL https://github.com/rancherfederal/rancher-cluster-templates/releases/download/rancher-cluster-templates-0.5.2/rancher-cluster-templates-0.5.2.tgz
+          # verify via sync
+          hauler store sync --filename testdata/hauler-manifest-pipeline.yaml
+          # verify via sync with multiple files
+          hauler store sync --filename testdata/hauler-manifest-pipeline.yaml --filename testdata/hauler-manifest.yaml
+          # need more tests here
+
+      - name: Verify - hauler store serve
+        run: |
+          hauler store serve --help
+
+      - name: Verify - hauler store serve registry
+        run: |
+          hauler store serve registry --help
+          # verify via registry
+          hauler store serve registry &
+          until curl -sf http://localhost:5000/v2/_catalog; do : ; done
+          pkill -f "hauler store serve registry"
+          # verify via registry with different port
+          hauler store serve registry --port 5001 &
+          until curl -sf http://localhost:5001/v2/_catalog; do : ; done
+          pkill -f "hauler store serve registry --port 5001"
+          # verify via registry with different port and readonly
+          hauler store serve registry --port 5001 --readonly &
+          until curl -sf http://localhost:5001/v2/_catalog; do : ; done
+          pkill -f "hauler store serve registry --port 5001 --readonly"
+          # verify via registry with different port with readonly with tls
+          # hauler store serve registry --port 5001 --readonly --tls-cert testdata/certs/server-cert.crt --tls-key testdata/certs/server-cert.key &
+          # until curl -sf --cacert testdata/certs/cacerts.pem https://localhost:5001/v2/_catalog; do : ; done
+          # pkill -f "hauler store serve registry --port 5001 --readonly --tls-cert testdata/certs/server-cert.crt --tls-key testdata/certs/server-cert.key"
+
+      - name: Verify - hauler store serve fileserver
+        run: |
+          hauler store serve fileserver --help
+          # verify via fileserver
+          hauler store serve fileserver &
+          until curl -sf http://localhost:8080; do : ; done
+          pkill -f "hauler store serve fileserver"
+          # verify via fileserver with different port
+          hauler store serve fileserver --port 8000 &
+          until curl -sf http://localhost:8000; do : ; done
+          pkill -f "hauler store serve fileserver --port 8000"
+          # verify via fileserver with different port and timeout
+          hauler store serve fileserver --port 8000 --timeout 120 &
+          until curl -sf http://localhost:8000; do : ; done
+          pkill -f "hauler store serve fileserver --port 8000 --timeout 120"
+          # verify via fileserver with different port with timeout and tls
+          # hauler store serve fileserver --port 8000 --timeout 120 --tls-cert testdata/certs/server-cert.crt --tls-key testdata/certs/server-cert.key &
+          # until curl -sf --cacert testdata/certs/cacerts.pem https://localhost:8000; do : ; done
+          # pkill -f "hauler store serve fileserver --port 8000 --timeout 120 --tls-cert testdata/certs/server-cert.crt --tls-key testdata/certs/server-cert.key"
+
+      - name: Verify Hauler Store Contents
+        run: |
+          # verify store
+          hauler store info
+          # verify store directory structure
+          tree -hC store
+          # verify registry directory structure
+          tree -hC registry
+          # verify fileserver directory structure
+          tree -hC fileserver
+
+      - name: Create Hauler Report
+        run: |
+          hauler version >> hauler-report.txt
+          hauler store info --output table >> hauler-report.txt
+
+      - name: Remove Hauler Store Contents
+        run: |
+          rm -rf store registry fileserver
+          hauler store info
+
+      - name: Upload Hauler Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: hauler-report
+          path: hauler-report.txt
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,4 @@
-
-# Vagrant
-.vagrant
-
-# Editor directories and files
+**/.DS_Store
 .idea
 .vscode
 *.suo
@@ -10,18 +6,13 @@
 *.njsproj
 *.sln
 *.sw?
-
-# old, ad-hoc ignores
-artifacts
-local-artifacts
-airgap-scp.sh
-
-# test artifacts
-*.tar*
-
-# generated
+*.dir-locals.el
 dist/
-./bundle/
 tmp/
 bin/
-pkg.yaml
+/store/
+registry/
+fileserver/
+cmd/hauler/binaries
+testdata/certs/
+coverage.out
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,16 +1,92 @@
+version: 2
+
 project_name: hauler
+before:
+  hooks:
+    - go mod tidy
+    - go mod download
+    - go fmt ./...
+    - go vet ./...
+    - go test ./... -cover -race -covermode=atomic -coverprofile=coverage.out
+
+release:
+  prerelease: auto
+  make_latest: false
+
+env:
+  - vpkg=hauler.dev/go/hauler/internal/version
+  - cosign_version=v2.2.3+carbide.3
+
 builds:
-  - main: cmd/hauler/main.go
+  - dir: ./cmd/hauler/.
    goos:
      - linux
      - darwin
+      - windows
    goarch:
      - amd64
      - arm64
+    ldflags:
+      - -s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }}
    env:
      - CGO_ENABLED=0
+      - GOEXPERIMENT=boringcrypto
+
+universal_binaries:
+  - replace: false
+
+changelog:
+  disable: false
+  use: git
+
+homebrew_casks:
+  - name: hauler
+    repository:
+      owner: hauler-dev
+      name: homebrew-tap
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    directory: Formula
+    description: "Hauler: Airgap Swiss Army Knife"
+
+dockers_v2:
+  - id: hauler
+    dockerfile: Dockerfile
    flags:
-      - -tags=containers_image_openpgp containers_image_ostree
-release:
-  extra_files:
-    - glob: ./pkg.tar.zst
+      - "--target=release"
+    images:
+      - docker.io/hauler/hauler
+      - ghcr.io/hauler-dev/hauler
+    tags:
+      - "{{ .Version }}"
+    platforms:
+      - linux/amd64
+      - linux/arm64
+    labels:
+      "classification": "UNCLASSIFIED"
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.description": "Hauler: Airgap Swiss Army Knife"
+      "org.opencontainers.image.name": "{{.ProjectName}}-debug"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.source": "{{.GitURL}}"
+      "org.opencontainers.image.version": "{{.Version}}"
+
+  - id: hauler-debug
+    dockerfile: Dockerfile
+    flags:
+      - "--target=debug"
+    images:
+      - docker.io/hauler/hauler-debug
+      - ghcr.io/hauler-dev/hauler-debug
+    tags:
+      - "{{ .Version }}"
+    platforms:
+      - linux/amd64
+      - linux/arm64
+    labels:
+      "classification": "UNCLASSIFIED"
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.description": "Hauler: Airgap Swiss Army Knife"
+      "org.opencontainers.image.name": "{{.ProjectName}}-debug"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.source": "{{.GitURL}}"
+      "org.opencontainers.image.version": "{{.Version}}"
--- a/43
+++ b/43
@@ -0,0 +1,43 @@
+# builder stage
+FROM registry.suse.com/bci/bci-base:15.7 AS builder
+ARG TARGETPLATFORM
+
+# fetched from goreleaser build process
+COPY $TARGETPLATFORM/hauler /hauler
+
+RUN echo "hauler:x:1001:1001::/home/hauler:" > /etc/passwd \
+&& echo "hauler:x:1001:hauler" > /etc/group \
+&& mkdir /home/hauler \
+&& mkdir /store \
+&& mkdir /fileserver \
+&& mkdir /registry
+
+# release stage
+FROM scratch AS release
+
+COPY --from=builder /var/lib/ca-certificates/ca-bundle.pem /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+COPY --from=builder --chown=hauler:hauler /home/hauler/. /home/hauler
+COPY --from=builder --chown=hauler:hauler /tmp/. /tmp
+COPY --from=builder --chown=hauler:hauler /store/. /store
+COPY --from=builder --chown=hauler:hauler /registry/. /registry
+COPY --from=builder --chown=hauler:hauler /fileserver/. /fileserver
+COPY --from=builder --chown=hauler:hauler /hauler /hauler
+
+USER hauler
+ENTRYPOINT [ "/hauler" ]
+
+# debug stage
+FROM alpine AS debug
+
+COPY --from=builder /var/lib/ca-certificates/ca-bundle.pem /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+COPY --from=builder --chown=hauler:hauler /home/hauler/. /home/hauler
+COPY --from=builder --chown=hauler:hauler /hauler /usr/local/bin/hauler
+
+RUN apk --no-cache add curl
+
+USER hauler
+WORKDIR /home/hauler
--- a/testdata/docker-registry/LICENSE
+++ b/testdata/docker-registry/LICENSE
@@ -174,29 +174,4 @@
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright The Helm Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
+   END OF TERMS AND CONDITIONS
--- a/55
+++ b/55
@@ -1,32 +1,49 @@
-SHELL:=/bin/bash
-GO_BUILD_ENV=GOOS=linux GOARCH=amd64 
-GO_FILES=$(shell go list ./... | grep -v /vendor/)
+# Makefile for hauler

-BUILD_VERSION=$(shell cat VERSION)
-BUILD_TAG=$(BUILD_VERSION)
+# set shell
+SHELL=/bin/bash

-.SILENT:
+# set go variables
+GO_FILES=./...
+GO_COVERPROFILE=coverage.out

-all: fmt vet install test
+# set build variables
+BIN_DIRECTORY=bin
+DIST_DIRECTORY=dist

+# local build of hauler for current platform
+# references/configuration from .goreleaser.yaml
 build:
-	mkdir bin;\
-	$(GO_BUILD_ENV) go build -o bin ./cmd/...;\
-	
+	goreleaser build --clean --snapshot --timeout 60m --single-target
+
+# local build of hauler for all platforms
+# references/configuration from .goreleaser.yaml
+build-all:
+	goreleaser build --clean --snapshot --timeout 60m
+
+# local release of hauler for all platforms
+# references/configuration from .goreleaser.yaml
+release:
+	goreleaser release --clean --snapshot --timeout 60m
+
+# install depedencies
 install:
-	$(GO_BUILD_ENV) go install
-
-vet:
-	go vet $(GO_FILES)
+	go mod tidy
+	go mod download
+	CGO_ENABLED=0 go install ./cmd/...

+# format go code
 fmt:
 	go fmt $(GO_FILES)

+# vet go code
+vet:
+	go vet $(GO_FILES)
+
+# test go code
 test:
-	go test $(GO_FILES) -cover
-
-integration_test:
-	go test -tags=integration $(GO_FILES)
+	go test $(GO_FILES) -cover -race -covermode=atomic -coverprofile=$(GO_COVERPROFILE)

+# cleanup artifacts
 clean:
-	rm -rf bin 2> /dev/null
+	rm -rf $(BIN_DIRECTORY) $(DIST_DIRECTORY) $(GO_COVERPROFILE)
--- a/README.md
+++ b/README.md
@@ -1,70 +1,63 @@
-# Hauler - Kubernetes Air Gap Migration
+# Rancher Government Hauler

-## WARNING - Work In Progress
+![rancher-government-hauler-logo](/static/rgs-hauler-logo.png)

-Hauler is a tool designed to ease the burden of working with containers and kubernetes in an airgap. Several components of hauler are used in unison to provide airgap utilities.
+## Airgap Swiss Army Knife

-Hauler's utility is split into a few commands intended to solve increasingly complex airgapped use cases.
+`Rancher Government Hauler` simplifies the airgap experience without requiring operators to adopt a specific workflow. **Hauler** simplifies the airgapping process, by representing assets (images, charts, files, etc...) as content and collections to allow operators to easily fetch, store, package, and distribute these assets with declarative manifests or through the command line.

-__Portable self contained clusters__:
+`Hauler` does this by storing contents and collections as OCI Artifacts and allows operators to serve contents and collections with an embedded registry and fileserver. Additionally, `Hauler` has the ability to store and inspect various non-image OCI Artifacts.

-Within the `hauler package` subset of commands, `Packages` (name to be finalized) can be created, updated, and ran.
+For more information, please review the **[Hauler Documentation](https://hauler.dev)!**

-A `Package` is a hauler specific, configurable, self-contained, compressed archive (`*.tar.zst`) that contains all dependencies needed to 1) create a kubernetes cluster, 2) deploy resources into the cluster.
+## Recent Changes

-```bash
-# Build a minimal portable k8s cluster
-hauler package build
+### In Hauler v1.2.0...

-# Build a package that deploys resources when deployed
-hauler package build -p path/to/chart -p path/to/manifests -i extra/image:latest -i busybox:musl
-
-# Build a package that deploys a cluster, oci registry, and sample app on boot
-# Note the aliases introduced
-hauler pkg b -p testdata/docker-registry -p testdata/rawmanifests
-```
-
-Hauler packages at their core stand on the shoulders of other technologies (`k3s`, `rke2`, and `fleet`), and as such, are designed to be extremely flexible.
-
-Common use cases are to build turn key, appliance like clusters designed to boot on disconnected or low powered devices.  Or portable "utility" clusters that can act as a stepping stone for further downstream deployable infrastructure.  Since ever `Package` is built as an entirely self contained archive, disconnected environments are _always_ a first class citizen.
-
-__Image Relocation__:
-
-For disconnected workloads that don't require a cluster to be created first, images can be efficiently packaged and relocated with `hauler relocate`.
-
-Images are stored as a compressed archive of an `oci` layout, ensuring only the required de-duplicated image layers are packaged and transferred.
+- Upgraded the `apiVersion` to `v1` from `v1alpha1`
+  - Users are able to use `v1` and `v1alpha1`, but `v1alpha1` is now deprecated and will be removed in a future release. We will update the community when we fully deprecate and remove the functionality of `v1alpha1`
+  - Users will see logging notices when using the old `apiVersion` such as...
+  - `!!! DEPRECATION WARNING !!! apiVersion [v1alpha1] will be removed in a future release !!! DEPRECATION WARNING !!!`
+---
+- Updated the behavior of `hauler store load` to default to loading a `haul` with the name of `haul.tar.zst` and requires the flag of `--filename/-f` to load a `haul` with a different name
+- Users can load multiple `hauls` by specifying multiple flags of `--filename/-f`
+  - updated command usage: `hauler store load --filename hauling-hauls.tar.zst`
+  - previous command usage (do not use): `hauler store load hauling-hauls.tar.zst`
+---
+- Updated the behavior of `hauler store sync` to default to syncing a `manifest` with the name of `hauler-manifest.yaml` and requires the flag of `--filename/-f` to sync a `manifest` with a different name
+- Users can sync multiple `manifests` by specifying multiple flags of `--filename/-f`
+  - updated command usage: `hauler store sync --filename hauling-hauls-manifest.yaml`
+  - previous command usage (do not use): `hauler store sync --files hauling-hauls-manifest.yaml`
+---
+Please review the documentation for any additional [Known Limits, Issues, and Notices](https://docs.hauler.dev/docs/known-limits)!

 ## Installation

-Hauler is and will always be a statically compiled binary, we strongly believe in a zero dependency tool is key to reducing operational complexity in airgap environments.
-
-Before GA, hauler can be downloaded from the releases page for every tagged release
-
-## Dev
-
-A `Vagrant` file is provided as a testing ground.  The boot scripts at `vagrant-scripts/*.sh` will be ran on boot to ensure the dev environment is airgapped.
+### Linux/Darwin

 ```bash
-vagrant up
-
-vagrant ssh
+# installs latest release
+curl -sfL https://get.hauler.dev | bash
 ```

-More info can be found in the [vagrant docs](VAGRANT.md).
-
-## WIP Warnings
-
-API stability (including as a code library and as a network endpoint) is NOT guaranteed before `v1` API definitions and a 1.0 release. The following recommendations are made regarding usage patterns of hauler:
- `alpha` (`v1alpha1`, `v1alpha2`, ...) API versions: use **_only_** through `haulerctl`
- `beta` (`v1beta1`, `v1beta2`, ...) API versions: use as an **_experimental_** library and/or API endpoint
- `stable` (`v1`, `v2`, ...) API versions: use as stable CLI tool, library, and/or API endpoint
-
-### Build
+### Homebrew

 ```bash
-# Current arch build
-make build
+# installs latest release
+brew tap hauler-dev/homebrew-tap
+brew install hauler
+```

-# Multiarch dev build
-goreleaser build --rm-dist --snapshot
-```
+### Windows
+
+```bash
+# coming soon
+```
+
+## Acknowledgements
+
+`Hauler` wouldn't be possible without the open-source community, but there are a few projects that stand out:
+
+- [oras cli](https://github.com/oras-project/oras)
+- [cosign](https://github.com/sigstore/cosign)
+- [go-containerregistry](https://github.com/google/go-containerregistry)
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,42 +0,0 @@
-# Hauler Roadmap
-
-## v0.0.x
-
- Install single-node k3s cluster into an Ubuntu machine using the tarball installation method
-
-## v0.1.0
-
- Install single-node k3s cluster
-  - Support tarball and rpm installation methods
-  - Target narrow set of known Operating Systems to have OS-specific code if needed
- Serve container images
-  - Collect images from image list file
-  - Collect images from image archives
-  - Deploy docker registry
-  - Populate registry with all images
- Serve git repositories 
-  - Collect repos
-  - Deploy git server (Caddy? NGINX?)
-  - Populate git server with repos
- Serve files
-  - Collect files from directory, including subdirectories
-  - Deploy caddy file server
-  - Populate file server with directory contents
-  - NOTE: "generic" option - most other use cases can be satisfied by a specially crafted file
-    server directory
-
-
-## Potential future features
-
- Helm charts
-  - Pull charts, migrate chart artifacts
-  - Analyze required container images, add to dependency list
- Yum repo
-  - Provide package list, collect all dependencies
-  - Deploy fully configured yum repo into file server
- Deploy Minio for S3 API
-  - MVP: backed by HA storage solution (e.g. AWS S3, Azure Blob Storage)
-  - Stable: backed by local storage, including backups
- Split archives into chunks of chosen size
-  - Enables easier transfer via physical media
-  - Allows smaller network transfers, losing less progress on failed upload (or working around timeouts)
--- a/VAGRANT.md
+++ b/VAGRANT.md
@@ -1,49 +0,0 @@
-## Hauler Vagrant machine
-
-A Vagrantfile is provided to allow easy provisioning of a local air-gapped CentOS environment. Some artifacts need to be collected from the internet; below are the steps required for successfully provisioning this machine, downloading all dependencies, and installing k3s (without hauler) into this machine.
-
-### First-time setup
-
-1. Install vagrant, if needed: <https://www.vagrantup.com/downloads>
-2. Install `vagrant-vbguest` plugin, as noted in the Vagrantfile:
-   ```shell
-   vagrant plugin install vagrant-vbguest
-   ```
-3. Deploy Vagrant machine, disabling SELinux:
-   ```shell
-   SELINUX=Disabled vagrant up
-   ```
-4. Access the Vagrant machine via SSH:
-   ```shell
-   vagrant ssh
-   ```
-5. Run all prep scripts inside of the Vagrant machine:
-    > This script temporarily enables internet access from within the VM to allow downloading all dependencies. Even so, the air-gapped network configuration IS restored before completion.
-   ```shell
-   sudo /opt/hauler/vagrant-scripts/prep-all.sh
-   ```
-
-All dependencies for all `vagrant-scripts/*-install.sh` scripts are now downloaded to the local
-repository under `local-artifacts`.
-
-### Installing k3s manually
-
-1. Access the Vagrant machine via SSH:
-  ```bash
-  vagrant ssh
-  ```
-2. Run the k3s install script inside of the Vagrant machine:
-  ```shell
-  sudo /opt/hauler/vagrant-scripts/k3s-install.sh
-  ```
-
-### Installing RKE2 manually
-
-1. Access the Vagrant machine via SSH:
-  ```shell
-  vagrant ssh
-  ```
-2. Run the RKE2 install script inside of the Vagrant machine:
-  ```shell
-  sudo /opt/hauler/vagrant-scripts/rke2-install.sh
-  ```
--- a/65
+++ b/65
@@ -1,65 +0,0 @@
-##################################
-# The vagrant-vbguest plugin is required for CentOS 7.
-# Run the following command to install/update this plugin:
-# vagrant plugin install vagrant-vbguest
-##################################
-
-Vagrant.configure("2") do |config|
-  config.vm.box = "centos/8"
-  config.vm.hostname = "airgap"
-  config.vm.network "private_network", type: "dhcp"
-
-  config.vm.synced_folder ".", "/vagrant"
-
-  config.vm.provider "virtualbox" do |vb|
-    vb.memory = "2048"
-    vb.cpus = "2"
-  
-  config.vm.provision "airgap", type: "shell", run: "always",
-    inline: "/vagrant/vagrant-scripts/airgap.sh airgap"
-  end
-
-  # SELinux is Enforcing by default.
-  # To set SELinux as Disabled on a VM that has already been provisioned:
-  #   SELINUX=Disabled vagrant up --provision-with=selinux
-  # To set SELinux as Permissive on a VM that has already been provsioned
-  #   SELINUX=Permissive vagrant up --provision-with=selinux
-  config.vm.provision "selinux", type: "shell", run: "once" do |sh|
-    sh.upload_path = "/tmp/vagrant-selinux"
-    sh.env = {
-        'SELINUX': ENV['SELINUX'] || "Enforcing"
-    }
-    sh.inline = <<~SHELL
-        #!/usr/bin/env bash
-        set -eux -o pipefail
-
-        if ! type -p getenforce setenforce &>/dev/null; then
-          echo SELinux is Disabled
-          exit 0
-        fi
-
-        case "${SELINUX}" in
-          Disabled)
-            if mountpoint -q /sys/fs/selinux; then
-              setenforce 0
-              umount -v /sys/fs/selinux
-            fi
-            ;;
-          Enforcing)
-            mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
-            setenforce 1
-            ;;
-          Permissive)
-            mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
-            setenforce 0
-            ;;
-          *)
-            echo "SELinux mode not supported: ${SELINUX}" >&2
-            exit 1
-            ;;
-        esac
-
-        echo SELinux is $(getenforce)
-    SHELL
-  end
-end
--- a/cmd/hauler/app/copy.go
+++ b/cmd/hauler/app/copy.go
@@ -1,61 +0,0 @@
-package app
-
-import (
-	"context"
-
-	"github.com/rancherfederal/hauler/pkg/oci"
-	"github.com/spf13/cobra"
-)
-
-var (
-	copyLong = `hauler copies artifacts stored on a registry to local disk`
-
-	copyExample = `
-# Run Hauler
-hauler copy locahost:5000/artifacts:latest
-`
-)
-
-type copyOpts struct {
-	*rootOpts
-	dir       string
-	sourceRef string
-}
-
-// NewCopyCommand creates a new sub command under
-// hauler for coping files to local disk
-func NewCopyCommand() *cobra.Command {
-	opts := &copyOpts{
-		rootOpts: &ro,
-	}
-
-	cmd := &cobra.Command{
-		Use:     "copy",
-		Short:   "Download artifacts from OCI registry to local disk",
-		Long:    copyLong,
-		Example: copyExample,
-		Aliases: []string{"c", "cp"},
-		Args:    cobra.MinimumNArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.sourceRef = args[0]
-			return opts.Run(opts.sourceRef)
-		},
-	}
-
-	f := cmd.Flags()
-	f.StringVarP(&opts.dir, "dir", "d", ".", "Target directory for file copy")
-
-	return cmd
-}
-
-// Run performs the operation.
-func (o *copyOpts) Run(src string) error {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	if err := oci.Get(ctx, src, o.dir); err != nil {
-		o.logger.Errorf("error copy artifact %s to local directory %s: %v", src, o.dir, err)
-	}
-
-	return nil
-}
--- a/cmd/hauler/app/oci.go
+++ b/cmd/hauler/app/oci.go
@@ -1,42 +0,0 @@
-package app
-
-import (
-	"github.com/containerd/containerd/remotes"
-	"github.com/containerd/containerd/remotes/docker"
-	"github.com/spf13/cobra"
-)
-
-type ociOpts struct {
-	insecure  bool
-	plainHTTP bool
-}
-
-const (
-	haulerMediaType = "application/vnd.oci.image"
-)
-
-func NewOCICommand() *cobra.Command {
-	opts := ociOpts{}
-
-	cmd := &cobra.Command{
-		Use:   "oci",
-		Short: "oci stuff",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return cmd.Help()
-		},
-	}
-
-	cmd.AddCommand(NewOCIPushCommand())
-	cmd.AddCommand(NewOCIPullCommand())
-
-	f := cmd.Flags()
-	f.BoolVarP(&opts.insecure, "insecure", "", false, "Connect to registry without certs")
-	f.BoolVarP(&opts.plainHTTP, "plain-http", "", false, "Connect to registry over plain http")
-
-	return cmd
-}
-
-func (o *ociOpts) resolver() (remotes.Resolver, error) {
-	resolver := docker.NewResolver(docker.ResolverOptions{PlainHTTP: true})
-	return resolver, nil
-}
--- a/cmd/hauler/app/oci_pull.go
+++ b/cmd/hauler/app/oci_pull.go
@@ -1,67 +0,0 @@
-package app
-
-import (
-	"context"
-	"github.com/deislabs/oras/pkg/content"
-	"github.com/deislabs/oras/pkg/oras"
-	"github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-)
-
-type ociPullOpts struct {
-	ociOpts
-
-	sourceRef string
-	outDir    string
-}
-
-func NewOCIPullCommand() *cobra.Command {
-	opts := ociPullOpts{}
-
-	cmd := &cobra.Command{
-		Use:     "pull",
-		Short:   "oci pull",
-		Aliases: []string{"p"},
-		Args:    cobra.MinimumNArgs(1),
-		PreRunE: func(cmd *cobra.Command, args []string) error {
-			return opts.PreRun()
-		},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.sourceRef = args[0]
-			return opts.Run()
-		},
-	}
-
-	f := cmd.Flags()
-	f.StringVarP(&opts.outDir, "out-dir", "o", ".", "output directory")
-
-	return cmd
-}
-
-func (o *ociPullOpts) PreRun() error {
-
-	return nil
-}
-
-func (o *ociPullOpts) Run() error {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	store := content.NewFileStore(o.outDir)
-	defer store.Close()
-
-	allowedMediaTypes := []string{
-		haulerMediaType,
-	}
-
-	resolver, err := o.resolver()
-	if err != nil {
-		return err
-	}
-
-	desc, _, err := oras.Pull(ctx, resolver, o.sourceRef, store, oras.WithAllowedMediaTypes(allowedMediaTypes))
-
-	logrus.Infof("pulled %s with digest: %s", o.sourceRef, desc.Digest)
-
-	return nil
-}
--- a/cmd/hauler/app/oci_push.go
+++ b/cmd/hauler/app/oci_push.go
@@ -1,74 +0,0 @@
-package app
-
-import (
-	"context"
-	"github.com/deislabs/oras/pkg/content"
-	"github.com/deislabs/oras/pkg/oras"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"os"
-)
-
-type ociPushOpts struct {
-	ociOpts
-
-	targetRef string
-	pathRef   string
-}
-
-func NewOCIPushCommand() *cobra.Command {
-	opts := ociPushOpts{}
-
-	cmd := &cobra.Command{
-		Use:     "push",
-		Short:   "oci push",
-		Aliases: []string{"p"},
-		Args:    cobra.MinimumNArgs(2),
-		PreRunE: func(cmd *cobra.Command, args []string) error {
-			return opts.PreRun()
-		},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.pathRef = args[0]
-			opts.targetRef = args[1]
-			return opts.Run()
-		},
-	}
-
-	return cmd
-}
-
-func (o *ociPushOpts) PreRun() error {
-
-	return nil
-}
-
-func (o *ociPushOpts) Run() error {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	data, err := os.ReadFile(o.pathRef)
-	if err != nil {
-		return err
-	}
-
-	resolver, err := o.resolver()
-	if err != nil {
-		return err
-	}
-
-	store := content.NewMemoryStore()
-
-	contents := []ocispec.Descriptor{
-		store.Add(o.pathRef, haulerMediaType, data),
-	}
-
-	desc, err := oras.Push(ctx, resolver, o.targetRef, store, contents)
-	if err != nil {
-		return err
-	}
-
-	logrus.Infof("pushed %s to %s with digest: %s", o.pathRef, o.targetRef, desc.Digest)
-
-	return nil
-}
--- a/cmd/hauler/app/pkg.go
+++ b/cmd/hauler/app/pkg.go
@@ -1,25 +0,0 @@
-package app
-
-import "github.com/spf13/cobra"
-
-type pkgOpts struct{}
-
-func NewPkgCommand() *cobra.Command {
-	opts := &pkgOpts{}
-	//TODO
-	_ = opts
-
-	cmd := &cobra.Command{
-		Use:     "pkg",
-		Short:   "Interact with packages",
-		Aliases: []string{"p", "package"},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return cmd.Help()
-		},
-	}
-
-	cmd.AddCommand(NewPkgBuildCommand())
-	cmd.AddCommand(NewPkgRunCommand())
-
-	return cmd
-}
--- a/cmd/hauler/app/pkg_build.go
+++ b/cmd/hauler/app/pkg_build.go
@@ -1,202 +0,0 @@
-package app
-
-import (
-	"context"
-	"github.com/rancherfederal/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
-	"github.com/rancherfederal/hauler/pkg/driver"
-	"github.com/rancherfederal/hauler/pkg/packager"
-	"github.com/spf13/cobra"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"os"
-	"sigs.k8s.io/yaml"
-)
-
-type pkgBuildOpts struct {
-	*rootOpts
-
-	cfgFile string
-
-	name          string
-	dir           string
-	driver        string
-	driverVersion string
-
-	fleetVersion string
-
-	images []string
-	paths  []string
-}
-
-func NewPkgBuildCommand() *cobra.Command {
-	opts := pkgBuildOpts{
-		rootOpts: &ro,
-	}
-
-	cmd := &cobra.Command{
-		Use:   "build",
-		Short: "Build a self contained compressed archive of manifests and images",
-		Long: `
-Compressed archives created with this command can be extracted and run anywhere the underlying 'driver' can be run.
-
-Archives are built by collecting all the dependencies (images and manifests) required.
-
-Examples:
-
-	# Build a package containing a helm chart with images autodetected from the generated helm chart
-	hauler package build -p path/to/helm/chart
-
-	# Build a package, sourcing from multiple manifest sources and additional images not autodetected
-	hauler pkg build -p path/to/raw/manifests -p path/to/kustomize -i busybox:latest -i busybox:musl
-
-	# Build a package using a different version of k3s
-	hauler p build -p path/to/chart --driver-version "v1.20.6+k3s1"
-
-	# Build a package from a config file (if ./pkg.yaml does not exist, one will be created)
-	hauler package build -c ./pkg.yaml
-`,
-		Aliases: []string{"b"},
-		PreRunE: func(cmd *cobra.Command, args []string) error {
-			return opts.PreRun()
-		},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return opts.Run()
-		},
-	}
-
-	f := cmd.PersistentFlags()
-	f.StringVarP(&opts.name, "name", "n", "pkg",
-		"name of the pkg to create, will dicate file name")
-	f.StringVarP(&opts.cfgFile, "config", "c", "",
-		"path to config file")
-	f.StringVar(&opts.dir, "directory", "",
-		"Working directory for building package, if empty, an ephemeral temporary directory will be used.  Set this to persist package artifacts between builds.")
-	f.StringVarP(&opts.driver, "driver", "d", "k3s",
-		"")
-	f.StringVar(&opts.driverVersion, "driver-version", "v1.21.1+k3s1",
-		"")
-	f.StringVar(&opts.fleetVersion, "fleet-version", "v0.3.5",
-		"")
-	f.StringSliceVarP(&opts.paths, "path", "p", []string{},
-		"")
-	f.StringSliceVarP(&opts.images, "image", "i", []string{},
-		"")
-
-	return cmd
-}
-
-func (o *pkgBuildOpts) PreRun() error {
-	_, err := os.Stat(o.cfgFile)
-	if os.IsNotExist(err) {
-		if o.cfgFile == "" {
-			return nil
-		}
-
-		o.logger.Warnf("Did not find an existing %s, creating one", o.cfgFile)
-		p := o.toPackage()
-
-		data, err := yaml.Marshal(p)
-		if err != nil {
-			return err
-		}
-
-		if err := os.WriteFile(o.cfgFile, data, 0644); err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (o *pkgBuildOpts) Run() error {
-	o.logger.Infof("Building package")
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	var p v1alpha1.Package
-	if o.cfgFile != "" {
-		o.logger.Infof("Config file '%s' specified, attempting to load existing package config", o.cfgFile)
-		cfgData, err := os.ReadFile(o.cfgFile)
-		if err != nil {
-			return err
-		}
-
-		if err := yaml.Unmarshal(cfgData, &p); err != nil {
-			return err
-		}
-
-	} else {
-		o.logger.Infof("No config file specified, strictly using cli arguments")
-		p = o.toPackage()
-	}
-
-	var wdir string
-	if o.dir != "" {
-		if _, err := os.Stat(o.dir); err != nil {
-			o.logger.Errorf("Failed to use specified working directory: %s\n%v", err)
-			return err
-		}
-
-		wdir = o.dir
-	} else {
-		tmpdir, err := os.MkdirTemp("", "hauler")
-		if err != nil {
-			return err
-		}
-		defer os.RemoveAll(tmpdir)
-		wdir = tmpdir
-	}
-
-	pkgr := packager.NewPackager(wdir, o.logger)
-
-	d := driver.NewDriver(p.Spec.Driver)
-	if _, bErr := pkgr.PackageBundles(ctx, p.Spec.Paths...); bErr != nil {
-		return bErr
-	}
-
-	if iErr := pkgr.PackageImages(ctx, o.images...); iErr != nil {
-		return iErr
-	}
-
-	if dErr := pkgr.PackageDriver(ctx, d); dErr != nil {
-		return dErr
-	}
-
-	if fErr := pkgr.PackageFleet(ctx, p.Spec.Fleet); fErr != nil {
-		return fErr
-	}
-
-	a := packager.NewArchiver()
-	if aErr := pkgr.Archive(a, p, o.name); aErr != nil {
-		return aErr
-	}
-
-	o.logger.Successf("Finished building package")
-	return nil
-}
-
-func (o *pkgBuildOpts) toPackage() v1alpha1.Package {
-	p := v1alpha1.Package{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "",
-			APIVersion: "",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name: o.name,
-		},
-		Spec: v1alpha1.PackageSpec{
-			Fleet: v1alpha1.Fleet{
-				Version: o.fleetVersion,
-			},
-			Driver: v1alpha1.Driver{
-				Type:    o.driver,
-				Version: o.driverVersion,
-			},
-			Paths:  o.paths,
-			Images: o.images,
-		},
-	}
-	return p
-}
--- a/cmd/hauler/app/pkg_build_test.go
+++ b/cmd/hauler/app/pkg_build_test.go
@@ -1,84 +0,0 @@
-package app
-
-import (
-	"os"
-	"testing"
-)
-
-func Test_pkgBuildOpts_Run(t *testing.T) {
-	l, _ := setupCliLogger(os.Stdout, "debug")
-	tro := rootOpts{l}
-
-	type fields struct {
-		rootOpts      *rootOpts
-		cfgFile       string
-		name          string
-		driver        string
-		driverVersion string
-		fleetVersion  string
-		images        []string
-		paths         []string
-	}
-	tests := []struct {
-		name    string
-		fields  fields
-		wantErr bool
-	}{
-		{
-			name: "should package all types of local manifests",
-			fields: fields{
-				rootOpts:      &tro,
-				cfgFile:       "pkg.yaml",
-				name:          "k3s",
-				driver:        "k3s",
-				driverVersion: "v1.21.1+k3s1",
-				fleetVersion:  "v0.3.5",
-				images:        nil,
-				paths: []string{
-					"../../../testdata/docker-registry",
-					"../../../testdata/rawmanifests",
-				},
-			},
-			wantErr: false,
-		},
-		{
-			name: "should package using fleet.yaml",
-			fields: fields{
-				rootOpts:      &tro,
-				cfgFile:       "pkg.yaml",
-				name:          "k3s",
-				driver:        "k3s",
-				driverVersion: "v1.21.1+k3s1",
-				fleetVersion:  "v0.3.5",
-				images:        nil,
-				paths: []string{
-					"../../../testdata/custom",
-				},
-			},
-			wantErr: false,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			o := &pkgBuildOpts{
-				rootOpts:      tt.fields.rootOpts,
-				cfgFile:       tt.fields.cfgFile,
-				name:          tt.fields.name,
-				driver:        tt.fields.driver,
-				driverVersion: tt.fields.driverVersion,
-				fleetVersion:  tt.fields.fleetVersion,
-				images:        tt.fields.images,
-				paths:         tt.fields.paths,
-			}
-
-			if err := o.PreRun(); err != nil {
-				t.Errorf("PreRun() error = %v", err)
-			}
-			defer os.Remove(o.cfgFile)
-
-			if err := o.Run(); (err != nil) != tt.wantErr {
-				t.Errorf("Run() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}
--- a/cmd/hauler/app/pkg_run.go
+++ b/cmd/hauler/app/pkg_run.go
@@ -1,91 +0,0 @@
-package app
-
-import (
-	"context"
-	"github.com/rancherfederal/hauler/pkg/bootstrap"
-	"github.com/rancherfederal/hauler/pkg/driver"
-	"github.com/rancherfederal/hauler/pkg/packager"
-	"github.com/spf13/cobra"
-	"os"
-)
-
-type pkgRunOpts struct {
-	*rootOpts
-
-	cfgFile string
-}
-
-func NewPkgRunCommand() *cobra.Command {
-	opts := pkgRunOpts{
-		rootOpts: &ro,
-	}
-
-	cmd := &cobra.Command{
-		Use:   "run",
-		Short: "Run a compressed archive",
-		Long: `
-Run a compressed archive created from a 'hauler package build'.
-
-Examples:
-
-	# Run a package
-	hauler package run pkg.tar.zst
-`,
-		Aliases: []string{"r"},
-		Args:    cobra.MinimumNArgs(1),
-		PreRunE: func(cmd *cobra.Command, args []string) error {
-			return opts.PreRun()
-		},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return opts.Run(args[0])
-		},
-	}
-
-	return cmd
-}
-
-func (o *pkgRunOpts) PreRun() error {
-	return nil
-}
-
-func (o *pkgRunOpts) Run(pkgPath string) error {
-	o.logger.Infof("Running from '%s'", pkgPath)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	tmpdir, err := os.MkdirTemp("", "hauler")
-	if err != nil {
-		return err
-	}
-	o.logger.Debugf("Using temporary working directory: %s", tmpdir)
-
-	a := packager.NewArchiver()
-
-	if err := packager.Unpackage(a, pkgPath, tmpdir); err != nil {
-		return err
-	}
-	o.logger.Debugf("Unpackaged %s", pkgPath)
-
-	b, err := bootstrap.NewBooter(tmpdir, o.logger)
-	if err != nil {
-		return err
-	}
-
-	d := driver.NewDriver(b.Package.Spec.Driver)
-
-	if preErr := b.PreBoot(ctx, d); preErr != nil {
-		return preErr
-	}
-
-	if bErr := b.Boot(ctx, d); bErr != nil {
-		return bErr
-	}
-
-	if postErr := b.PostBoot(ctx, d); postErr != nil {
-		return postErr
-	}
-
-	o.logger.Successf("Access the cluster with '/opt/hauler/bin/kubectl'")
-	return nil
-}
--- a/cmd/hauler/app/relocate.go
+++ b/cmd/hauler/app/relocate.go
@@ -1,33 +0,0 @@
-package app
-
-import (
-	"github.com/spf13/cobra"
-)
-
-type relocateOpts struct {
-	inputFile string
-	*rootOpts
-}
-
-// NewRelocateCommand creates a new sub command under
-// haulterctl for relocating images and artifacts
-func NewRelocateCommand() *cobra.Command {
-	opts := &relocateOpts{
-		rootOpts: &ro,
-	}
-
-	cmd := &cobra.Command{
-		Use:     "relocate",
-		Short:   "relocate images or artifacts to a registry",
-		Long:    "",
-		Aliases: []string{"r"},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return cmd.Help()
-		},
-	}
-
-	cmd.AddCommand(NewRelocateArtifactsCommand(opts))
-	cmd.AddCommand(NewRelocateImagesCommand(opts))
-
-	return cmd
-}
--- a/cmd/hauler/app/relocate_artifacts.go
+++ b/cmd/hauler/app/relocate_artifacts.go
@@ -1,56 +0,0 @@
-package app
-
-import (
-	"context"
-
-	"github.com/rancherfederal/hauler/pkg/oci"
-	"github.com/spf13/cobra"
-)
-
-type relocateArtifactsOpts struct {
-	*relocateOpts
-	destRef string
-}
-
-var (
-	relocateArtifactsLong = `hauler relocate artifacts process an archive with files to be pushed to a registry`
-
-	relocateArtifactsExample = `
-# Run Hauler
-hauler relocate artifacts artifacts.tar.zst locahost:5000/artifacts:latest
-`
-)
-
-// NewRelocateArtifactsCommand creates a new sub command of relocate for artifacts
-func NewRelocateArtifactsCommand(relocate *relocateOpts) *cobra.Command {
-	opts := &relocateArtifactsOpts{
-		relocateOpts: relocate,
-	}
-
-	cmd := &cobra.Command{
-		Use:     "artifacts",
-		Short:   "Use artifact from bundle artifacts to populate a target file server with the artifact's contents",
-		Long:    relocateArtifactsLong,
-		Example: relocateArtifactsExample,
-		Args:    cobra.MinimumNArgs(2),
-		Aliases: []string{"a", "art", "af"},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.inputFile = args[0]
-			opts.destRef = args[1]
-			return opts.Run(opts.destRef, opts.inputFile)
-		},
-	}
-
-	return cmd
-}
-
-func (o *relocateArtifactsOpts) Run(dst string, input string) error {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	if err := oci.Put(ctx, input, dst); err != nil {
-		o.logger.Errorf("error pushing artifact to registry %s: %v", dst, err)
-	}
-
-	return nil
-}
--- a/cmd/hauler/app/relocate_images.go
+++ b/cmd/hauler/app/relocate_images.go
@@ -1,103 +0,0 @@
-package app
-
-import (
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/google/go-containerregistry/pkg/v1/layout"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/rancherfederal/hauler/pkg/oci"
-	"github.com/rancherfederal/hauler/pkg/packager"
-	"github.com/spf13/cobra"
-)
-
-var (
-	relocateImagesLong = `hauler relocate images processes a bundle provides by hauler package build and copies all of 
-the collected images to a registry`
-
-	relocateImagesExample = `
-# Run Hauler
-hauler relocate images pkg.tar.zst locahost:5000
-`
-)
-
-type relocateImagesOpts struct {
-	*relocateOpts
-	destRef string
-}
-
-// NewRelocateImagesCommand creates a new sub command of relocate for images
-func NewRelocateImagesCommand(relocate *relocateOpts) *cobra.Command {
-	opts := &relocateImagesOpts{
-		relocateOpts: relocate,
-	}
-
-	cmd := &cobra.Command{
-		Use:     "images",
-		Short:   "Use artifact from bundle images to populate a target registry with the artifact's images",
-		Long:    relocateImagesLong,
-		Example: relocateImagesExample,
-		Args:    cobra.MinimumNArgs(2),
-		Aliases: []string{"i", "img", "imgs"},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.inputFile = args[0]
-			opts.destRef = args[1]
-			return opts.Run(opts.destRef, opts.inputFile)
-		},
-	}
-
-	return cmd
-}
-
-func (o *relocateImagesOpts) Run(dst string, input string) error {
-
-	tmpdir, err := os.MkdirTemp("", "hauler")
-	if err != nil {
-		return err
-	}
-	o.logger.Debugf("Using temporary working directory: %s", tmpdir)
-
-	a := packager.NewArchiver()
-
-	if err := packager.Unpackage(a, input, tmpdir); err != nil {
-		o.logger.Errorf("error unpackaging input %s: %v", input, err)
-	}
-	o.logger.Debugf("Unpackaged %s", input)
-
-	path := filepath.Join(tmpdir, "layout")
-
-	ly, err := layout.FromPath(path)
-
-	if err != nil {
-		o.logger.Errorf("error creating OCI layout: %v", err)
-	}
-
-	for nm, hash := range oci.ListImages(ly) {
-
-		n := strings.SplitN(nm, "/", 2)
-
-		img, err := ly.Image(hash)
-
-		o.logger.Infof("Copy %s to %s", n[1], dst)
-
-		if err != nil {
-			o.logger.Errorf("error creating image from layout: %v", err)
-		}
-
-		dstimg := dst + "/" + n[1]
-
-		tag, err := name.ParseReference(dstimg)
-
-		if err != nil {
-			o.logger.Errorf("err parsing destination image %s: %v", dstimg, err)
-		}
-
-		if err := remote.Write(tag, img); err != nil {
-			o.logger.Errorf("error writing image to destination registry %s: %v", dst, err)
-		}
-	}
-
-	return nil
-}
--- a/cmd/hauler/app/root.go
+++ b/cmd/hauler/app/root.go
@@ -1,81 +0,0 @@
-package app
-
-import (
-	"io"
-	"os"
-	"time"
-
-	"github.com/rancherfederal/hauler/pkg/log"
-
-	"github.com/spf13/cobra"
-)
-
-var (
-	loglevel string
-	timeout  time.Duration
-
-	getLong = `hauler provides CLI-based air-gap migration assistance using k3s.
-
-Choose your functionality and new a package when internet access is available,
-then deploy the package into your air-gapped environment.
-`
-
-	getExample = `
-hauler pkg build
-hauler pkg run pkg.tar.zst
-
-hauler relocate artifacts artifacts.tar.zst
-hauler relocate images pkg.tar.zst locahost:5000
-
-hauler copy localhost:5000/artifacts:latest
-`
-)
-
-type rootOpts struct {
-	logger log.Logger
-}
-
-var ro rootOpts
-
-// NewRootCommand defines the root hauler command
-func NewRootCommand() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:          "hauler",
-		Short:        "hauler provides CLI-based air-gap migration assistance",
-		Long:         getLong,
-		Example:      getExample,
-		SilenceUsage: true,
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			l, err := setupCliLogger(os.Stdout, loglevel)
-			if err != nil {
-				return err
-			}
-
-			ro.logger = l
-			return nil
-		},
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return cmd.Help()
-		},
-	}
-
-	cobra.OnInitialize()
-
-	cmd.AddCommand(NewRelocateCommand())
-	cmd.AddCommand(NewCopyCommand())
-	cmd.AddCommand(NewPkgCommand())
-
-	f := cmd.PersistentFlags()
-	f.StringVarP(&loglevel, "loglevel", "l", "debug",
-		"Log level (debug, info, warn, error, fatal, panic)")
-	f.DurationVar(&timeout, "timeout", 1*time.Minute,
-		"TODO: timeout for operations")
-
-	return cmd
-}
-
-func setupCliLogger(out io.Writer, level string) (log.Logger, error) {
-	l := log.NewLogger(out)
-
-	return l, nil
-}
--- a/cmd/hauler/boringcrypto.go
+++ b/cmd/hauler/boringcrypto.go
@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import _ "crypto/tls/fipsonly"
--- a/cmd/hauler/cli/cli.go
+++ b/cmd/hauler/cli/cli.go
@@ -0,0 +1,38 @@
+package cli
+
+import (
+	"context"
+
+	cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd"
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/log"
+)
+
+func New(ctx context.Context, ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "hauler",
+		Short:   "Airgap Swiss Army Knife",
+		Example: "  View the Docs: https://docs.hauler.dev\n  Environment Variables: " + consts.HaulerDir + " | " + consts.HaulerTempDir + " | " + consts.HaulerStoreDir + " | " + consts.HaulerIgnoreErrors,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			l := log.FromContext(ctx)
+			l.SetLevel(ro.LogLevel)
+			l.Debugf("running cli command [%s]", cmd.CommandPath())
+
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+
+	flags.AddRootFlags(cmd, ro)
+
+	cmd.AddCommand(cranecmd.NewCmdAuthLogin("hauler"))
+	addStore(cmd, ro)
+	addVersion(cmd, ro)
+	addCompletion(cmd, ro)
+
+	return cmd
+}
--- a/cmd/hauler/cli/completion.go
+++ b/cmd/hauler/cli/completion.go
@@ -0,0 +1,116 @@
+package cli
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"hauler.dev/go/hauler/internal/flags"
+)
+
+func addCompletion(parent *cobra.Command, ro *flags.CliRootOpts) {
+	cmd := &cobra.Command{
+		Use:   "completion",
+		Short: "Generate auto-completion scripts for various shells",
+	}
+
+	cmd.AddCommand(
+		addCompletionZsh(ro),
+		addCompletionBash(ro),
+		addCompletionFish(ro),
+		addCompletionPowershell(ro),
+	)
+
+	parent.AddCommand(cmd)
+}
+
+func addCompletionZsh(ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "zsh",
+		Short: "Generates auto-completion scripts for zsh",
+		Example: `To load completion run
+
+	. <(hauler completion zsh)
+
+	To configure your zsh shell to load completions for each session add to your zshrc
+
+	# ~/.zshrc or ~/.profile
+	command -v hauler >/dev/null && . <(hauler completion zsh)
+
+	or write a cached file in one of the completion directories in your ${fpath}:
+
+	echo "${fpath// /\n}" | grep -i completion
+	hauler completion zsh > _hauler
+
+	mv _hauler ~/.oh-my-zsh/completions  # oh-my-zsh
+	mv _hauler ~/.zprezto/modules/completion/external/src/  # zprezto`,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Root().GenZshCompletion(os.Stdout)
+			// Cobra doesn't source zsh completion file, explicitly doing it here
+			fmt.Println("compdef _hauler hauler")
+		},
+	}
+	return cmd
+}
+
+func addCompletionBash(ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "bash",
+		Short: "Generates auto-completion scripts for bash",
+		Example: `To load completion run
+
+	. <(hauler completion bash)
+
+	To configure your bash shell to load completions for each session add to your bashrc
+
+	# ~/.bashrc or ~/.profile
+	command -v hauler >/dev/null && . <(hauler completion bash)`,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Root().GenBashCompletion(os.Stdout)
+		},
+	}
+	return cmd
+}
+
+func addCompletionFish(ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "fish",
+		Short: "Generates auto-completion scripts for fish",
+		Example: `To configure your fish shell to load completions for each session write this script to your completions dir:
+
+	hauler completion fish > ~/.config/fish/completions/hauler.fish
+
+	See http://fishshell.com/docs/current/index.html#completion-own for more details`,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Root().GenFishCompletion(os.Stdout, true)
+		},
+	}
+	return cmd
+}
+
+func addCompletionPowershell(ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "powershell",
+		Short: "Generates auto-completion scripts for powershell",
+		Example: `To load completion run
+
+	. <(hauler completion powershell)
+
+	To configure your powershell shell to load completions for each session add to your powershell profile
+
+	Windows:
+
+	cd "$env:USERPROFILE\Documents\WindowsPowerShell\Modules"
+	hauler completion powershell >> hauler-completion.ps1
+
+	Linux:
+
+	cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
+	hauler completion powershell >> hauler-completions.ps1`,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Root().GenPowerShellCompletion(os.Stdout)
+		},
+	}
+	return cmd
+}
--- a/cmd/hauler/cli/store.go
+++ b/cmd/hauler/cli/store.go
@@ -0,0 +1,386 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"helm.sh/helm/v3/pkg/action"
+
+	"hauler.dev/go/hauler/cmd/hauler/cli/store"
+	"hauler.dev/go/hauler/internal/flags"
+)
+
+func addStore(parent *cobra.Command, ro *flags.CliRootOpts) {
+	rso := &flags.StoreRootOpts{}
+
+	cmd := &cobra.Command{
+		Use:     "store",
+		Aliases: []string{"s"},
+		Short:   "Interact with the content store",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+	rso.AddFlags(cmd)
+
+	cmd.AddCommand(
+		addStoreSync(rso, ro),
+		addStoreExtract(rso, ro),
+		addStoreLoad(rso, ro),
+		addStoreSave(rso, ro),
+		addStoreServe(rso, ro),
+		addStoreInfo(rso, ro),
+		addStoreCopy(rso, ro),
+		addStoreAdd(rso, ro),
+	)
+
+	parent.AddCommand(cmd)
+}
+
+func addStoreExtract(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.ExtractOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:     "extract",
+		Short:   "Extract artifacts from the content store to disk",
+		Aliases: []string{"x"},
+		Args:    cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.ExtractCmd(ctx, o, s, args[0])
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreSync(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.SyncOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "sync",
+		Short: "Sync content to the content store",
+		Args:  cobra.ExactArgs(0),
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			// Check if the products flag was passed
+			if len(o.Products) > 0 {
+				// Only clear the default if the user did NOT explicitly set --filename
+				if !cmd.Flags().Changed("filename") {
+					o.FileName = []string{}
+				}
+			}
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.SyncCmd(ctx, o, s, rso, ro)
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreLoad(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.LoadOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "load",
+		Short: "Load a content store from a store archive",
+		Args:  cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+			_ = s
+
+			return store.LoadCmd(ctx, o, rso, ro)
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreServe(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "serve",
+		Short: "Serve the content store via an OCI Compliant Registry or Fileserver",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+	cmd.AddCommand(
+		addStoreServeRegistry(rso, ro),
+		addStoreServeFiles(rso, ro),
+	)
+
+	return cmd
+}
+
+func addStoreServeRegistry(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.ServeRegistryOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "registry",
+		Short: "Serve the OCI Compliant Registry",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.ServeRegistryCmd(ctx, o, s, rso, ro)
+		},
+	}
+
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreServeFiles(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.ServeFilesOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "fileserver",
+		Short: "Serve the Fileserver",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.ServeFilesCmd(ctx, o, s, ro)
+		},
+	}
+
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreSave(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.SaveOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "save",
+		Short: "Save a content store to a store archive",
+		Args:  cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+			_ = s
+
+			return store.SaveCmd(ctx, o, rso, ro)
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreInfo(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.InfoOpts{StoreRootOpts: rso}
+
+	var allowedValues = []string{"image", "chart", "file", "sigs", "atts", "sbom", "all"}
+
+	cmd := &cobra.Command{
+		Use:     "info",
+		Short:   "Print out information about the store",
+		Args:    cobra.ExactArgs(0),
+		Aliases: []string{"i", "list", "ls"},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			for _, allowed := range allowedValues {
+				if o.TypeFilter == allowed {
+					return store.InfoCmd(ctx, o, s)
+				}
+			}
+			return fmt.Errorf("type must be one of %v", allowedValues)
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreCopy(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.CopyOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "copy",
+		Short: "Copy all store content to another location",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.CopyCmd(ctx, o, s, args[0], ro)
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreAdd(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "add",
+		Short: "Add content to the store",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+
+	cmd.AddCommand(
+		addStoreAddFile(rso, ro),
+		addStoreAddImage(rso, ro),
+		addStoreAddChart(rso, ro),
+	)
+
+	return cmd
+}
+
+func addStoreAddFile(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.AddFileOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "file",
+		Short: "Add a file to the store",
+		Example: `# fetch local file
+hauler store add file file.txt
+
+# fetch remote file
+hauler store add file https://get.rke2.io/install.sh
+
+# fetch remote file and assign new name
+hauler store add file https://get.hauler.dev --name hauler-install.sh`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.AddFileCmd(ctx, o, s, args[0])
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreAddImage(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.AddImageOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "image",
+		Short: "Add a image to the store",
+		Example: `# fetch image
+hauler store add image busybox
+
+# fetch image with repository and tag
+hauler store add image library/busybox:stable
+
+# fetch image with full image reference and specific platform
+hauler store add image ghcr.io/hauler-dev/hauler-debug:v1.2.0 --platform linux/amd64
+
+# fetch image with full image reference via digest
+hauler store add image gcr.io/distroless/base@sha256:7fa7445dfbebae4f4b7ab0e6ef99276e96075ae42584af6286ba080750d6dfe5
+
+# fetch image with full image reference, specific platform, and signature verification
+curl -sfOL https://raw.githubusercontent.com/rancherfederal/carbide-releases/main/carbide-key.pub
+hauler store add image rgcrprod.azurecr.us/rancher/rke2-runtime:v1.31.5-rke2r1 --platform linux/amd64 --key carbide-key.pub`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.AddImageCmd(ctx, o, s, args[0], rso, ro)
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreAddChart(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.AddChartOpts{StoreRootOpts: rso, ChartOpts: &action.ChartPathOptions{}}
+
+	cmd := &cobra.Command{
+		Use:   "chart",
+		Short: "Add a helm chart to the store",
+		Example: `# fetch local helm chart
+hauler store add chart path/to/chart/directory --repo .
+
+# fetch local compressed helm chart
+hauler store add chart path/to/chart.tar.gz --repo .
+
+# fetch remote oci helm chart
+hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev
+
+# fetch remote oci helm chart with version
+hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev --version 1.2.0
+
+# fetch remote helm chart
+hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable
+
+# fetch remote helm chart with specific version
+hauler store add chart rancher --repo https://releases.rancher.com/server-charts/latest --version 2.10.1`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.AddChartCmd(ctx, o, s, args[0])
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
--- a/cmd/hauler/cli/store/add.go
+++ b/cmd/hauler/cli/store/add.go
@@ -0,0 +1,162 @@
+package store
+
+import (
+	"context"
+	"os"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"helm.sh/helm/v3/pkg/action"
+
+	"hauler.dev/go/hauler/internal/flags"
+	v1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
+	"hauler.dev/go/hauler/pkg/artifacts/file"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/content/chart"
+	"hauler.dev/go/hauler/pkg/cosign"
+	"hauler.dev/go/hauler/pkg/getter"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/reference"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+func AddFileCmd(ctx context.Context, o *flags.AddFileOpts, s *store.Layout, reference string) error {
+	cfg := v1.File{
+		Path: reference,
+	}
+	if len(o.Name) > 0 {
+		cfg.Name = o.Name
+	}
+	return storeFile(ctx, s, cfg)
+}
+
+func storeFile(ctx context.Context, s *store.Layout, fi v1.File) error {
+	l := log.FromContext(ctx)
+
+	copts := getter.ClientOptions{
+		NameOverride: fi.Name,
+	}
+
+	f := file.NewFile(fi.Path, file.WithClient(getter.NewClient(copts)))
+	ref, err := reference.NewTagged(f.Name(fi.Path), consts.DefaultTag)
+	if err != nil {
+		return err
+	}
+
+	l.Infof("adding file [%s] to the store as [%s]", fi.Path, ref.Name())
+	_, err = s.AddOCI(ctx, f, ref.Name())
+	if err != nil {
+		return err
+	}
+
+	l.Infof("successfully added file [%s]", ref.Name())
+
+	return nil
+}
+
+func AddImageCmd(ctx context.Context, o *flags.AddImageOpts, s *store.Layout, reference string, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+
+	cfg := v1.Image{
+		Name: reference,
+	}
+
+	// Check if the user provided a key.
+	if o.Key != "" {
+		// verify signature using the provided key.
+		err := cosign.VerifySignature(ctx, s, o.Key, o.Tlog, cfg.Name, rso, ro)
+		if err != nil {
+			return err
+		}
+		l.Infof("signature verified for image [%s]", cfg.Name)
+	} else if o.CertIdentityRegexp != "" || o.CertIdentity != "" {
+		// verify signature using the provided keyless details
+		l.Infof("verifying keyless signature for [%s]", cfg.Name)
+		err := cosign.VerifyKeylessSignature(ctx, s, o.CertIdentity, o.CertIdentityRegexp, o.CertOidcIssuer, o.CertOidcIssuerRegexp, o.CertGithubWorkflowRepository, o.Tlog, cfg.Name, rso, ro)
+		if err != nil {
+			return err
+		}
+		l.Infof("keyless signature verified for image [%s]", cfg.Name)
+	}
+
+	return storeImage(ctx, s, cfg, o.Platform, rso, ro)
+}
+
+func storeImage(ctx context.Context, s *store.Layout, i v1.Image, platform string, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+
+	if !ro.IgnoreErrors {
+		envVar := os.Getenv(consts.HaulerIgnoreErrors)
+		if envVar == "true" {
+			ro.IgnoreErrors = true
+		}
+	}
+
+	l.Infof("adding image [%s] to the store", i.Name)
+
+	r, err := name.ParseReference(i.Name)
+	if err != nil {
+		if ro.IgnoreErrors {
+			l.Warnf("unable to parse image [%s]: %v... skipping...", i.Name, err)
+			return nil
+		} else {
+			l.Errorf("unable to parse image [%s]: %v", i.Name, err)
+			return err
+		}
+	}
+
+	err = cosign.SaveImage(ctx, s, r.Name(), platform, rso, ro)
+	if err != nil {
+		if ro.IgnoreErrors {
+			l.Warnf("unable to add image [%s] to store: %v... skipping...", r.Name(), err)
+			return nil
+		} else {
+			l.Errorf("unable to add image [%s] to store: %v", r.Name(), err)
+			return err
+		}
+	}
+
+	l.Infof("successfully added image [%s]", r.Name())
+	return nil
+}
+
+func AddChartCmd(ctx context.Context, o *flags.AddChartOpts, s *store.Layout, chartName string) error {
+	cfg := v1.Chart{
+		Name:    chartName,
+		RepoURL: o.ChartOpts.RepoURL,
+		Version: o.ChartOpts.Version,
+	}
+
+	return storeChart(ctx, s, cfg, o.ChartOpts)
+}
+
+func storeChart(ctx context.Context, s *store.Layout, cfg v1.Chart, opts *action.ChartPathOptions) error {
+	l := log.FromContext(ctx)
+
+	l.Infof("adding chart [%s] to the store", cfg.Name)
+
+	// TODO: This shouldn't be necessary
+	opts.RepoURL = cfg.RepoURL
+	opts.Version = cfg.Version
+
+	chrt, err := chart.NewChart(cfg.Name, opts)
+	if err != nil {
+		return err
+	}
+
+	c, err := chrt.Load()
+	if err != nil {
+		return err
+	}
+
+	ref, err := reference.NewTagged(c.Name(), c.Metadata.Version)
+	if err != nil {
+		return err
+	}
+	_, err = s.AddOCI(ctx, chrt, ref.Name())
+	if err != nil {
+		return err
+	}
+
+	l.Infof("successfully added chart [%s]", ref.Name())
+	return nil
+}
--- a/cmd/hauler/cli/store/copy.go
+++ b/cmd/hauler/cli/store/copy.go
@@ -0,0 +1,53 @@
+package store
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"oras.land/oras-go/pkg/content"
+
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/cosign"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+func CopyCmd(ctx context.Context, o *flags.CopyOpts, s *store.Layout, targetRef string, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+
+	if o.Username != "" || o.Password != "" {
+		return fmt.Errorf("--username/--password have been deprecated, please use 'hauler login'")
+	}
+
+	components := strings.SplitN(targetRef, "://", 2)
+	switch components[0] {
+	case "dir":
+		l.Debugf("identified directory target reference of [%s]", components[1])
+		fs := content.NewFile(components[1])
+		defer fs.Close()
+
+		_, err := s.CopyAll(ctx, fs, nil)
+		if err != nil {
+			return err
+		}
+
+	case "registry":
+		l.Debugf("identified registry target reference of [%s]", components[1])
+		ropts := content.RegistryOptions{
+			Insecure:  o.Insecure,
+			PlainHTTP: o.PlainHTTP,
+		}
+
+		err := cosign.LoadImages(ctx, s, components[1], o.Only, ropts, ro)
+		if err != nil {
+			return err
+		}
+
+	default:
+		return fmt.Errorf("detecting protocol from [%s]", targetRef)
+	}
+
+	l.Infof("copied artifacts to [%s]", components[1])
+	return nil
+}
--- a/cmd/hauler/cli/store/extract.go
+++ b/cmd/hauler/cli/store/extract.go
@@ -0,0 +1,69 @@
+package store
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/internal/mapper"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/reference"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+func ExtractCmd(ctx context.Context, o *flags.ExtractOpts, s *store.Layout, ref string) error {
+	l := log.FromContext(ctx)
+
+	r, err := reference.Parse(ref)
+	if err != nil {
+		return err
+	}
+
+	// use the repository from the context and the identifier from the reference
+	repo := r.Context().RepositoryStr() + ":" + r.Identifier()
+
+	found := false
+	if err := s.Walk(func(reference string, desc ocispec.Descriptor) error {
+		if !strings.Contains(reference, repo) {
+			return nil
+		}
+		found = true
+
+		rc, err := s.Fetch(ctx, desc)
+		if err != nil {
+			return err
+		}
+		defer rc.Close()
+
+		var m ocispec.Manifest
+		if err := json.NewDecoder(rc).Decode(&m); err != nil {
+			return err
+		}
+
+		mapperStore, err := mapper.FromManifest(m, o.DestinationDir)
+		if err != nil {
+			return err
+		}
+
+		pushedDesc, err := s.Copy(ctx, reference, mapperStore, "")
+		if err != nil {
+			return err
+		}
+
+		l.Infof("extracted [%s] from store with digest [%s]", pushedDesc.MediaType, pushedDesc.Digest.String())
+
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if !found {
+		return fmt.Errorf("reference [%s] not found in store (hint: use `hauler store info` to list store contents)", ref)
+	}
+
+	return nil
+}
--- a/cmd/hauler/cli/store/info.go
+++ b/cmd/hauler/cli/store/info.go
@@ -0,0 +1,275 @@
+package store
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"sort"
+
+	"github.com/olekukonko/tablewriter"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/reference"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+func InfoCmd(ctx context.Context, o *flags.InfoOpts, s *store.Layout) error {
+	var items []item
+	if err := s.Walk(func(ref string, desc ocispec.Descriptor) error {
+		if _, ok := desc.Annotations[ocispec.AnnotationRefName]; !ok {
+			return nil
+		}
+		rc, err := s.Fetch(ctx, desc)
+		if err != nil {
+			return err
+		}
+		defer rc.Close()
+
+		// handle multi-arch images
+		if desc.MediaType == consts.OCIImageIndexSchema || desc.MediaType == consts.DockerManifestListSchema2 {
+			var idx ocispec.Index
+			if err := json.NewDecoder(rc).Decode(&idx); err != nil {
+				return err
+			}
+
+			for _, internalDesc := range idx.Manifests {
+				rc, err := s.Fetch(ctx, internalDesc)
+				if err != nil {
+					return err
+				}
+				defer rc.Close()
+
+				var internalManifest ocispec.Manifest
+				if err := json.NewDecoder(rc).Decode(&internalManifest); err != nil {
+					return err
+				}
+
+				i := newItem(s, desc, internalManifest, fmt.Sprintf("%s/%s", internalDesc.Platform.OS, internalDesc.Platform.Architecture), o)
+				var emptyItem item
+				if i != emptyItem {
+					items = append(items, i)
+				}
+			}
+			// handle "non" multi-arch images
+		} else if desc.MediaType == consts.DockerManifestSchema2 || desc.MediaType == consts.OCIManifestSchema1 {
+			var m ocispec.Manifest
+			if err := json.NewDecoder(rc).Decode(&m); err != nil {
+				return err
+			}
+
+			rc, err := s.FetchManifest(ctx, m)
+			if err != nil {
+				return err
+			}
+			defer rc.Close()
+
+			// Unmarshal the OCI image content
+			var internalManifest ocispec.Image
+			if err := json.NewDecoder(rc).Decode(&internalManifest); err != nil {
+				return err
+			}
+
+			if internalManifest.Architecture != "" {
+				i := newItem(s, desc, m, fmt.Sprintf("%s/%s", internalManifest.OS, internalManifest.Architecture), o)
+				var emptyItem item
+				if i != emptyItem {
+					items = append(items, i)
+				}
+			} else {
+				i := newItem(s, desc, m, "-", o)
+				var emptyItem item
+				if i != emptyItem {
+					items = append(items, i)
+				}
+			}
+			// handle the rest
+		} else {
+			var m ocispec.Manifest
+			if err := json.NewDecoder(rc).Decode(&m); err != nil {
+				return err
+			}
+
+			i := newItem(s, desc, m, "-", o)
+			var emptyItem item
+			if i != emptyItem {
+				items = append(items, i)
+			}
+		}
+
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if o.ListRepos {
+		buildListRepos(items...)
+		return nil
+	}
+
+	// sort items by ref and arch
+	sort.Sort(byReferenceAndArch(items))
+
+	var msg string
+	switch o.OutputFormat {
+	case "json":
+		msg = buildJson(items...)
+		fmt.Println(msg)
+	default:
+		buildTable(items...)
+	}
+	return nil
+}
+
+func buildListRepos(items ...item) {
+	// Create map to track unique repository names
+	repos := make(map[string]bool)
+
+	for _, i := range items {
+		repoName := ""
+		for j := 0; j < len(i.Reference); j++ {
+			if i.Reference[j] == '/' {
+				repoName = i.Reference[:j]
+				break
+			}
+		}
+		if repoName == "" {
+			repoName = i.Reference
+		}
+		repos[repoName] = true
+	}
+
+	// Collect and print unique repository names
+	for repoName := range repos {
+		fmt.Println(repoName)
+	}
+}
+
+func buildTable(items ...item) {
+	// Create a table for the results
+	table := tablewriter.NewWriter(os.Stdout)
+	table.SetHeader([]string{"Reference", "Type", "Platform", "# Layers", "Size"})
+	table.SetHeaderAlignment(tablewriter.ALIGN_LEFT)
+	table.SetRowLine(false)
+	table.SetAutoMergeCellsByColumnIndex([]int{0})
+
+	totalSize := int64(0)
+	for _, i := range items {
+		if i.Type != "" {
+			row := []string{
+				i.Reference,
+				i.Type,
+				i.Platform,
+				fmt.Sprintf("%d", i.Layers),
+				byteCountSI(i.Size),
+			}
+			totalSize += i.Size
+			table.Append(row)
+		}
+	}
+	table.SetFooter([]string{"", "", "", "Total", byteCountSI(totalSize)})
+
+	table.Render()
+}
+
+func buildJson(item ...item) string {
+	data, err := json.MarshalIndent(item, "", "  ")
+	if err != nil {
+		return ""
+	}
+	return string(data)
+}
+
+type item struct {
+	Reference string
+	Type      string
+	Platform  string
+	Layers    int
+	Size      int64
+}
+
+type byReferenceAndArch []item
+
+func (a byReferenceAndArch) Len() int      { return len(a) }
+func (a byReferenceAndArch) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+func (a byReferenceAndArch) Less(i, j int) bool {
+	if a[i].Reference == a[j].Reference {
+		if a[i].Type == "image" && a[j].Type == "image" {
+			return a[i].Platform < a[j].Platform
+		}
+		if a[i].Type == "image" {
+			return true
+		}
+		if a[j].Type == "image" {
+			return false
+		}
+		return a[i].Type < a[j].Type
+	}
+	return a[i].Reference < a[j].Reference
+}
+
+func newItem(s *store.Layout, desc ocispec.Descriptor, m ocispec.Manifest, plat string, o *flags.InfoOpts) item {
+	var size int64 = 0
+	for _, l := range m.Layers {
+		size += l.Size
+	}
+
+	// Generate a human-readable content type
+	var ctype string
+	switch m.Config.MediaType {
+	case consts.DockerConfigJSON:
+		ctype = "image"
+	case consts.ChartConfigMediaType:
+		ctype = "chart"
+	case consts.FileLocalConfigMediaType, consts.FileHttpConfigMediaType:
+		ctype = "file"
+	default:
+		ctype = "image"
+	}
+
+	switch desc.Annotations["kind"] {
+	case "dev.cosignproject.cosign/sigs":
+		ctype = "sigs"
+	case "dev.cosignproject.cosign/atts":
+		ctype = "atts"
+	case "dev.cosignproject.cosign/sboms":
+		ctype = "sbom"
+	}
+
+	refName := desc.Annotations["io.containerd.image.name"]
+	if refName == "" {
+		refName = desc.Annotations[ocispec.AnnotationRefName]
+	}
+	ref, err := reference.Parse(refName)
+	if err != nil {
+		return item{}
+	}
+
+	if o.TypeFilter != "all" && ctype != o.TypeFilter {
+		return item{}
+	}
+
+	return item{
+		Reference: ref.Name(),
+		Type:      ctype,
+		Platform:  plat,
+		Layers:    len(m.Layers),
+		Size:      size,
+	}
+}
+
+func byteCountSI(b int64) string {
+	const unit = 1000
+	if b < unit {
+		return fmt.Sprintf("%d B", b)
+	}
+	div, exp := int64(unit), 0
+	for n := b / unit; n >= unit; n /= unit {
+		div *= unit
+		exp++
+	}
+	return fmt.Sprintf("%.1f %cB",
+		float64(b)/float64(div), "kMGTPE"[exp])
+}
--- a/cmd/hauler/cli/store/load.go
+++ b/cmd/hauler/cli/store/load.go
@@ -0,0 +1,139 @@
+package store
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/archives"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/content"
+	"hauler.dev/go/hauler/pkg/getter"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/store"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// extracts the contents of an archived oci layout to an existing oci layout
+func LoadCmd(ctx context.Context, o *flags.LoadOpts, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+
+	tempOverride := o.TempOverride
+
+	if tempOverride == "" {
+		tempOverride = os.Getenv(consts.HaulerTempDir)
+	}
+
+	tempDir, err := os.MkdirTemp(tempOverride, consts.DefaultHaulerTempDirName)
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tempDir)
+
+	l.Debugf("using temporary directory at [%s]", tempDir)
+
+	for _, fileName := range o.FileName {
+		l.Infof("loading haul [%s] to [%s]", fileName, o.StoreDir)
+		err := unarchiveLayoutTo(ctx, fileName, o.StoreDir, tempDir)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// accepts an archived OCI layout, extracts the contents to an existing OCI layout, and preserves the index
+func unarchiveLayoutTo(ctx context.Context, haulPath string, dest string, tempDir string) error {
+	l := log.FromContext(ctx)
+
+	if strings.HasPrefix(haulPath, "http://") || strings.HasPrefix(haulPath, "https://") {
+		l.Debugf("detected remote archive... starting download... [%s]", haulPath)
+
+		h := getter.NewHttp()
+		parsedURL, err := url.Parse(haulPath)
+		if err != nil {
+			return err
+		}
+		rc, err := h.Open(ctx, parsedURL)
+		if err != nil {
+			return err
+		}
+		defer rc.Close()
+
+		fileName := h.Name(parsedURL)
+		if fileName == "" {
+			fileName = filepath.Base(parsedURL.Path)
+		}
+		haulPath = filepath.Join(tempDir, fileName)
+
+		out, err := os.Create(haulPath)
+		if err != nil {
+			return err
+		}
+		defer out.Close()
+
+		if _, err = io.Copy(out, rc); err != nil {
+			return err
+		}
+	}
+
+	if err := archives.Unarchive(ctx, haulPath, tempDir); err != nil {
+		return err
+	}
+
+	// ensure the incoming index.json has the correct annotations.
+	data, err := os.ReadFile(tempDir + "/index.json")
+	if err != nil {
+		return (err)
+	}
+
+	var idx ocispec.Index
+	if err := json.Unmarshal(data, &idx); err != nil {
+		return (err)
+	}
+
+	for i := range idx.Manifests {
+		if idx.Manifests[i].Annotations == nil {
+			idx.Manifests[i].Annotations = make(map[string]string)
+		}
+		if _, exists := idx.Manifests[i].Annotations[consts.KindAnnotationName]; !exists {
+			idx.Manifests[i].Annotations[consts.KindAnnotationName] = consts.KindAnnotationImage
+		}
+		if ref, ok := idx.Manifests[i].Annotations[consts.ContainerdImageNameKey]; ok {
+			if slash := strings.Index(ref, "/"); slash != -1 {
+				ref = ref[slash+1:]
+			}
+			if idx.Manifests[i].Annotations[consts.ImageRefKey] != ref {
+				idx.Manifests[i].Annotations[consts.ImageRefKey] = ref
+			}
+		}
+	}
+
+	out, err := json.MarshalIndent(idx, "", "  ")
+	if err != nil {
+		return err
+	}
+	if err := os.WriteFile(tempDir+"/index.json", out, 0644); err != nil {
+		return err
+	}
+
+	s, err := store.NewLayout(tempDir)
+	if err != nil {
+		return err
+	}
+
+	ts, err := content.NewOCI(dest)
+	if err != nil {
+		return err
+	}
+
+	_, err = s.CopyAll(ctx, ts, nil)
+	return err
+}
--- a/cmd/hauler/cli/store/save.go
+++ b/cmd/hauler/cli/store/save.go
@@ -0,0 +1,243 @@
+package store
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"os"
+	"path"
+	"path/filepath"
+	"slices"
+
+	referencev3 "github.com/distribution/distribution/v3/reference"
+	"github.com/google/go-containerregistry/pkg/name"
+	libv1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/google/go-containerregistry/pkg/v1/tarball"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+	imagev1 "github.com/opencontainers/image-spec/specs-go/v1"
+
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/archives"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/log"
+)
+
+// saves a content store to store archives
+func SaveCmd(ctx context.Context, o *flags.SaveOpts, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+
+	// maps to handle compression and archival types
+	compressionMap := archives.CompressionMap
+	archivalMap := archives.ArchivalMap
+
+	// TODO: Support more formats?
+	// Select the correct compression and archival type based on user input
+	compression := compressionMap["zst"]
+	archival := archivalMap["tar"]
+
+	absOutputfile, err := filepath.Abs(o.FileName)
+	if err != nil {
+		return err
+	}
+
+	cwd, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+	defer os.Chdir(cwd)
+	if err := os.Chdir(o.StoreDir); err != nil {
+		return err
+	}
+
+	// create the manifest.json file
+	if err := writeExportsManifest(ctx, ".", o.Platform); err != nil {
+		return err
+	}
+
+	// create the archive
+	err = archives.Archive(ctx, ".", absOutputfile, compression, archival)
+	if err != nil {
+		return err
+	}
+
+	l.Infof("saving store [%s] to archive [%s]", o.StoreDir, o.FileName)
+	return nil
+}
+
+type exports struct {
+	digests []string
+	records map[string]tarball.Descriptor
+}
+
+func writeExportsManifest(ctx context.Context, dir string, platformStr string) error {
+	l := log.FromContext(ctx)
+
+	// validate platform format
+	platform, err := libv1.ParsePlatform(platformStr)
+	if err != nil {
+		return err
+	}
+
+	oci, err := layout.FromPath(dir)
+	if err != nil {
+		return err
+	}
+
+	idx, err := oci.ImageIndex()
+	if err != nil {
+		return err
+	}
+
+	imx, err := idx.IndexManifest()
+	if err != nil {
+		return err
+	}
+
+	x := &exports{
+		digests: []string{},
+		records: map[string]tarball.Descriptor{},
+	}
+
+	for _, desc := range imx.Manifests {
+		l.Debugf("descriptor [%s] = [%s]", desc.Digest.String(), desc.MediaType)
+		if artifactType := types.MediaType(desc.ArtifactType); artifactType != "" && !artifactType.IsImage() && !artifactType.IsIndex() {
+			l.Debugf("descriptor [%s] <<< SKIPPING ARTIFACT [%q]", desc.Digest.String(), desc.ArtifactType)
+			continue
+		}
+		if desc.Annotations != nil {
+			// we only care about images that cosign has added to the layout index
+			if kind, hasKind := desc.Annotations[consts.KindAnnotationName]; hasKind {
+				if refName, hasRefName := desc.Annotations["io.containerd.image.name"]; hasRefName {
+					// branch on image (aka image manifest) or image index
+					switch kind {
+					case consts.KindAnnotationImage:
+						if err := x.record(ctx, idx, desc, refName); err != nil {
+							return err
+						}
+					case consts.KindAnnotationIndex:
+						l.Debugf("index [%s]: digest=[%s]... type=[%s]... size=[%d]", refName, desc.Digest.String(), desc.MediaType, desc.Size)
+
+						// when no platform is provided, warn the user of potential mismatch on import
+						if platform.String() == "" {
+							l.Warnf("specify an export platform to prevent potential platform mismatch on import of index [%s]", refName)
+						}
+
+						iix, err := idx.ImageIndex(desc.Digest)
+						if err != nil {
+							return err
+						}
+						ixm, err := iix.IndexManifest()
+						if err != nil {
+							return err
+						}
+						for _, ixd := range ixm.Manifests {
+							if ixd.MediaType.IsImage() {
+								// check if platform is provided, if so, skip anything that doesn't match
+								if platform.String() != "" {
+									if ixd.Platform.Architecture != platform.Architecture || ixd.Platform.OS != platform.OS {
+										l.Debugf("index [%s]: digest=[%s], platform=[%s/%s]: does not match the supplied platform... skipping...", refName, desc.Digest.String(), ixd.Platform.OS, ixd.Platform.Architecture)
+										continue
+									}
+								}
+
+								// skip 'unknown' platforms... docker hates
+								if ixd.Platform.Architecture == "unknown" && ixd.Platform.OS == "unknown" {
+									l.Debugf("index [%s]: digest=[%s], platform=[%s/%s]: matches unknown platform... skipping...", refName, desc.Digest.String(), ixd.Platform.OS, ixd.Platform.Architecture)
+									continue
+								}
+
+								if err := x.record(ctx, iix, ixd, refName); err != nil {
+									return err
+								}
+							}
+						}
+					default:
+						l.Debugf("descriptor [%s] <<< SKIPPING KIND [%q]", desc.Digest.String(), kind)
+					}
+				}
+			}
+		}
+	}
+
+	buf := bytes.Buffer{}
+	mnf := x.describe()
+	err = json.NewEncoder(&buf).Encode(mnf)
+	if err != nil {
+		return err
+	}
+
+	return oci.WriteFile(consts.ImageManifestFile, buf.Bytes(), 0666)
+}
+
+func (x *exports) describe() tarball.Manifest {
+	m := make(tarball.Manifest, len(x.digests))
+	for i, d := range x.digests {
+		m[i] = x.records[d]
+	}
+	return m
+}
+
+func (x *exports) record(ctx context.Context, index libv1.ImageIndex, desc libv1.Descriptor, refname string) error {
+	l := log.FromContext(ctx)
+
+	digest := desc.Digest.String()
+	image, err := index.Image(desc.Digest)
+	if err != nil {
+		return err
+	}
+
+	config, err := image.ConfigName()
+	if err != nil {
+		return err
+	}
+
+	xd, recorded := x.records[digest]
+	if !recorded {
+		// record one export record per digest
+		x.digests = append(x.digests, digest)
+		xd = tarball.Descriptor{
+			Config:   path.Join(imagev1.ImageBlobsDir, config.Algorithm, config.Hex),
+			RepoTags: []string{},
+			Layers:   []string{},
+		}
+
+		layers, err := image.Layers()
+		if err != nil {
+			return err
+		}
+		for _, layer := range layers {
+			xl, err := layer.Digest()
+			if err != nil {
+				return err
+			}
+			xd.Layers = append(xd.Layers[:], path.Join(imagev1.ImageBlobsDir, xl.Algorithm, xl.Hex))
+		}
+	}
+
+	ref, err := name.ParseReference(refname)
+	if err != nil {
+		return err
+	}
+
+	// record tags for the digest, eliminating dupes
+	switch tag := ref.(type) {
+	case name.Tag:
+		named, err := referencev3.ParseNormalizedNamed(refname)
+		if err != nil {
+			return err
+		}
+		named = referencev3.TagNameOnly(named)
+		repotag := referencev3.FamiliarString(named)
+		xd.RepoTags = append(xd.RepoTags[:], repotag)
+		slices.Sort(xd.RepoTags)
+		xd.RepoTags = slices.Compact(xd.RepoTags)
+		ref = tag.Digest(digest)
+	}
+
+	l.Debugf("image [%s]: type=%s, size=%d", ref.Name(), desc.MediaType, desc.Size)
+	// record export descriptor for the digest
+	x.records[digest] = xd
+
+	return nil
+}
--- a/cmd/hauler/cli/store/serve.go
+++ b/cmd/hauler/cli/store/serve.go
@@ -0,0 +1,136 @@
+package store
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/distribution/distribution/v3/configuration"
+	dcontext "github.com/distribution/distribution/v3/context"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/base"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/filesystem"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
+	"github.com/distribution/distribution/v3/version"
+	"gopkg.in/yaml.v3"
+
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/internal/server"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+func DefaultRegistryConfig(o *flags.ServeRegistryOpts, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *configuration.Configuration {
+	cfg := &configuration.Configuration{
+		Version: "0.1",
+		Storage: configuration.Storage{
+			"cache":      configuration.Parameters{"blobdescriptor": "inmemory"},
+			"filesystem": configuration.Parameters{"rootdirectory": o.RootDir},
+			"maintenance": configuration.Parameters{
+				"readonly": map[any]any{"enabled": o.ReadOnly},
+			},
+		},
+	}
+
+	if o.TLSCert != "" && o.TLSKey != "" {
+		cfg.HTTP.TLS.Certificate = o.TLSCert
+		cfg.HTTP.TLS.Key = o.TLSKey
+	}
+
+	cfg.HTTP.Addr = fmt.Sprintf(":%d", o.Port)
+	cfg.HTTP.Headers = http.Header{
+		"X-Content-Type-Options": []string{"nosniff"},
+	}
+
+	cfg.Log.Level = configuration.Loglevel(ro.LogLevel)
+	cfg.Validation.Manifests.URLs.Allow = []string{".+"}
+
+	return cfg
+}
+
+func ServeRegistryCmd(ctx context.Context, o *flags.ServeRegistryOpts, s *store.Layout, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+	ctx = dcontext.WithVersion(ctx, version.Version)
+
+	tr := server.NewTempRegistry(ctx, o.RootDir)
+	if err := tr.Start(); err != nil {
+		return err
+	}
+
+	opts := &flags.CopyOpts{}
+	if err := CopyCmd(ctx, opts, s, "registry://"+tr.Registry(), ro); err != nil {
+		return err
+	}
+
+	tr.Close()
+
+	cfg := DefaultRegistryConfig(o, rso, ro)
+	if o.ConfigFile != "" {
+		ucfg, err := loadConfig(o.ConfigFile)
+		if err != nil {
+			return err
+		}
+		cfg = ucfg
+	}
+
+	l.Infof("starting registry on port [%d]", o.Port)
+
+	yamlConfig, err := yaml.Marshal(cfg)
+	if err != nil {
+		l.Errorf("failed to validate/output registry configuration: %v", err)
+	} else {
+		l.Infof("using registry configuration... \n%s", strings.TrimSpace(string(yamlConfig)))
+	}
+
+	l.Debugf("detailed registry configuration: %+v", cfg)
+
+	r, err := server.NewRegistry(ctx, cfg)
+	if err != nil {
+		return err
+	}
+
+	if err = r.ListenAndServe(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func ServeFilesCmd(ctx context.Context, o *flags.ServeFilesOpts, s *store.Layout, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+	ctx = dcontext.WithVersion(ctx, version.Version)
+
+	opts := &flags.CopyOpts{}
+	if err := CopyCmd(ctx, opts, s, "dir://"+o.RootDir, ro); err != nil {
+		return err
+	}
+
+	f, err := server.NewFile(ctx, *o)
+	if err != nil {
+		return err
+	}
+
+	if o.TLSCert != "" && o.TLSKey != "" {
+		l.Infof("starting file server with tls on port [%d]", o.Port)
+		if err := f.ListenAndServeTLS(o.TLSCert, o.TLSKey); err != nil {
+			return err
+		}
+	} else {
+		l.Infof("starting file server on port [%d]", o.Port)
+		if err := f.ListenAndServe(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func loadConfig(filename string) (*configuration.Configuration, error) {
+	f, err := os.Open(filename)
+	if err != nil {
+		return nil, err
+	}
+
+	return configuration.Parse(f)
+}
--- a/cmd/hauler/cli/store/sync.go
+++ b/cmd/hauler/cli/store/sync.go
@@ -0,0 +1,621 @@
+package store
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/mitchellh/go-homedir"
+	"helm.sh/helm/v3/pkg/action"
+	"k8s.io/apimachinery/pkg/util/yaml"
+
+	"hauler.dev/go/hauler/internal/flags"
+	convert "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/convert"
+	v1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
+	v1alpha1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
+	tchart "hauler.dev/go/hauler/pkg/collection/chart"
+	"hauler.dev/go/hauler/pkg/collection/imagetxt"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/content"
+	"hauler.dev/go/hauler/pkg/cosign"
+	"hauler.dev/go/hauler/pkg/getter"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/reference"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+func SyncCmd(ctx context.Context, o *flags.SyncOpts, s *store.Layout, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+
+	tempOverride := o.TempOverride
+
+	if tempOverride == "" {
+		tempOverride = os.Getenv(consts.HaulerTempDir)
+	}
+
+	tempDir, err := os.MkdirTemp(tempOverride, consts.DefaultHaulerTempDirName)
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tempDir)
+
+	l.Debugf("using temporary directory at [%s]", tempDir)
+
+	// if passed products, check for a remote manifest to retrieve and use
+	for _, productName := range o.Products {
+		l.Infof("processing product manifest for [%s] to store [%s]", productName, o.StoreDir)
+		parts := strings.Split(productName, "=")
+		tag := strings.ReplaceAll(parts[1], "+", "-")
+
+		ProductRegistry := o.ProductRegistry // cli flag
+		// if no cli flag use CarbideRegistry.
+		if o.ProductRegistry == "" {
+			ProductRegistry = consts.CarbideRegistry
+		}
+
+		manifestLoc := fmt.Sprintf("%s/hauler/%s-manifest.yaml:%s", ProductRegistry, parts[0], tag)
+		l.Infof("fetching product manifest from [%s]", manifestLoc)
+		img := v1.Image{
+			Name: manifestLoc,
+		}
+		err := storeImage(ctx, s, img, o.Platform, rso, ro)
+		if err != nil {
+			return err
+		}
+		err = ExtractCmd(ctx, &flags.ExtractOpts{StoreRootOpts: o.StoreRootOpts}, s, fmt.Sprintf("hauler/%s-manifest.yaml:%s", parts[0], tag))
+		if err != nil {
+			return err
+		}
+		fileName := fmt.Sprintf("%s-manifest.yaml", parts[0])
+
+		fi, err := os.Open(fileName)
+		if err != nil {
+			return err
+		}
+		err = processContent(ctx, fi, o, s, rso, ro)
+		if err != nil {
+			return err
+		}
+		l.Infof("processing completed successfully")
+	}
+
+	// If passed a local manifest, process it
+	for _, fileName := range o.FileName {
+		l.Infof("processing manifest [%s] to store [%s]", fileName, o.StoreDir)
+
+		haulPath := fileName
+		if strings.HasPrefix(haulPath, "http://") || strings.HasPrefix(haulPath, "https://") {
+			l.Debugf("detected remote manifest... starting download... [%s]", haulPath)
+
+			h := getter.NewHttp()
+			parsedURL, err := url.Parse(haulPath)
+			if err != nil {
+				return err
+			}
+			rc, err := h.Open(ctx, parsedURL)
+			if err != nil {
+				return err
+			}
+			defer rc.Close()
+
+			fileName := h.Name(parsedURL)
+			if fileName == "" {
+				fileName = filepath.Base(parsedURL.Path)
+			}
+			haulPath = filepath.Join(tempDir, fileName)
+
+			out, err := os.Create(haulPath)
+			if err != nil {
+				return err
+			}
+			defer out.Close()
+
+			if _, err = io.Copy(out, rc); err != nil {
+				return err
+			}
+		}
+
+		fi, err := os.Open(haulPath)
+		if err != nil {
+			return err
+		}
+		defer fi.Close()
+
+		err = processContent(ctx, fi, o, s, rso, ro)
+		if err != nil {
+			return err
+		}
+
+		l.Infof("processing completed successfully")
+	}
+
+	return nil
+}
+
+func processContent(ctx context.Context, fi *os.File, o *flags.SyncOpts, s *store.Layout, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+
+	reader := yaml.NewYAMLReader(bufio.NewReader(fi))
+
+	var docs [][]byte
+	for {
+		raw, err := reader.Read()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+		docs = append(docs, raw)
+	}
+
+	for _, doc := range docs {
+		obj, err := content.Load(doc)
+		if err != nil {
+			l.Warnf("skipping syncing due to %v", err)
+			continue
+		}
+
+		gvk := obj.GroupVersionKind()
+		l.Infof("syncing content [%s] with [kind=%s] to store [%s]", gvk.GroupVersion(), gvk.Kind, o.StoreDir)
+
+		switch gvk.Kind {
+
+		case consts.FilesContentKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release !!! DEPRECATION WARNING !!!", gvk.Version)
+
+				var alphaCfg v1alpha1.Files
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.Files
+				if err := convert.ConvertFiles(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+				for _, f := range v1Cfg.Spec.Files {
+					if err := storeFile(ctx, s, f); err != nil {
+						return err
+					}
+				}
+
+			case "v1":
+				var cfg v1.Files
+				if err := yaml.Unmarshal(doc, &cfg); err != nil {
+					return err
+				}
+				for _, f := range cfg.Spec.Files {
+					if err := storeFile(ctx, s, f); err != nil {
+						return err
+					}
+				}
+
+			default:
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
+			}
+
+		case consts.ImagesContentKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release !!! DEPRECATION WARNING !!!", gvk.Version)
+
+				var alphaCfg v1alpha1.Images
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.Images
+				if err := convert.ConvertImages(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+
+				a := v1Cfg.GetAnnotations()
+				for _, i := range v1Cfg.Spec.Images {
+
+					if a[consts.ImageAnnotationRegistry] != "" || o.Registry != "" {
+						newRef, _ := reference.Parse(i.Name)
+						newReg := o.Registry
+						if o.Registry == "" && a[consts.ImageAnnotationRegistry] != "" {
+							newReg = a[consts.ImageAnnotationRegistry]
+						}
+						if newRef.Context().RegistryStr() == "" {
+							newRef, err = reference.Relocate(i.Name, newReg)
+							if err != nil {
+								return err
+							}
+						}
+						i.Name = newRef.Name()
+					}
+
+					hasAnnotationIdentityOptions := a[consts.ImageAnnotationCertIdentityRegexp] != "" || a[consts.ImageAnnotationCertIdentity] != ""
+					hasCliIdentityOptions := o.CertIdentityRegexp != "" || o.CertIdentity != ""
+					hasImageIdentityOptions := i.CertIdentityRegexp != "" || i.CertIdentity != ""
+
+					needsKeylessVerificaton := hasAnnotationIdentityOptions || hasCliIdentityOptions || hasImageIdentityOptions
+					needsPubKeyVerification := a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != ""
+					if needsPubKeyVerification {
+						key := o.Key
+						if o.Key == "" && a[consts.ImageAnnotationKey] != "" {
+							key, err = homedir.Expand(a[consts.ImageAnnotationKey])
+							if err != nil {
+								return err
+							}
+						}
+						if i.Key != "" {
+							key, err = homedir.Expand(i.Key)
+							if err != nil {
+								return err
+							}
+						}
+						l.Debugf("key for image [%s]", key)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifySignature(ctx, s, key, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("signature verified for image [%s]", i.Name)
+					} else if needsKeylessVerificaton { //Keyless signature verification
+						certIdentityRegexp := o.CertIdentityRegexp
+						if o.CertIdentityRegexp == "" && a[consts.ImageAnnotationCertIdentityRegexp] != "" {
+							certIdentityRegexp = a[consts.ImageAnnotationCertIdentityRegexp]
+						}
+						if i.CertIdentityRegexp != "" {
+							certIdentityRegexp = i.CertIdentityRegexp
+						}
+						l.Debugf("certIdentityRegexp for image [%s]", certIdentityRegexp)
+
+						certIdentity := o.CertIdentity
+						if o.CertIdentity == "" && a[consts.ImageAnnotationCertIdentity] != "" {
+							certIdentity = a[consts.ImageAnnotationCertIdentity]
+						}
+						if i.CertIdentity != "" {
+							certIdentity = i.CertIdentity
+						}
+						l.Debugf("certIdentity for image [%s]", certIdentity)
+
+						certOidcIssuer := o.CertOidcIssuer
+						if o.CertOidcIssuer == "" && a[consts.ImageAnnotationCertOidcIssuer] != "" {
+							certOidcIssuer = a[consts.ImageAnnotationCertOidcIssuer]
+						}
+						if i.CertOidcIssuer != "" {
+							certOidcIssuer = i.CertOidcIssuer
+						}
+						l.Debugf("certOidcIssuer for image [%s]", certOidcIssuer)
+
+						certOidcIssuerRegexp := o.CertOidcIssuerRegexp
+						if o.CertOidcIssuerRegexp == "" && a[consts.ImageAnnotationCertOidcIssuerRegexp] != "" {
+							certOidcIssuerRegexp = a[consts.ImageAnnotationCertOidcIssuerRegexp]
+						}
+						if i.CertOidcIssuerRegexp != "" {
+							certOidcIssuerRegexp = i.CertOidcIssuerRegexp
+						}
+						l.Debugf("certOidcIssuerRegexp for image [%s]", certOidcIssuerRegexp)
+
+						certGithubWorkflowRepository := o.CertGithubWorkflowRepository
+						if o.CertGithubWorkflowRepository == "" && a[consts.ImageAnnotationCertGithubWorkflowRepository] != "" {
+							certGithubWorkflowRepository = a[consts.ImageAnnotationCertGithubWorkflowRepository]
+						}
+						if i.CertGithubWorkflowRepository != "" {
+							certGithubWorkflowRepository = i.CertGithubWorkflowRepository
+						}
+						l.Debugf("certGithubWorkflowRepository for image [%s]", certGithubWorkflowRepository)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifyKeylessSignature(ctx, s, certIdentity, certIdentityRegexp, certOidcIssuer, certOidcIssuerRegexp, certGithubWorkflowRepository, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("keyless signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("keyless signature verified for image [%s]", i.Name)
+					}
+
+					platform := o.Platform
+					if o.Platform == "" && a[consts.ImageAnnotationPlatform] != "" {
+						platform = a[consts.ImageAnnotationPlatform]
+					}
+					if i.Platform != "" {
+						platform = i.Platform
+					}
+
+					if err := storeImage(ctx, s, i, platform, rso, ro); err != nil {
+						return err
+					}
+				}
+				s.CopyAll(ctx, s.OCI, nil)
+
+			case "v1":
+				var cfg v1.Images
+				if err := yaml.Unmarshal(doc, &cfg); err != nil {
+					return err
+				}
+
+				a := cfg.GetAnnotations()
+				for _, i := range cfg.Spec.Images {
+
+					if a[consts.ImageAnnotationRegistry] != "" || o.Registry != "" {
+						newRef, _ := reference.Parse(i.Name)
+						newReg := o.Registry
+						if o.Registry == "" && a[consts.ImageAnnotationRegistry] != "" {
+							newReg = a[consts.ImageAnnotationRegistry]
+						}
+						if newRef.Context().RegistryStr() == "" {
+							newRef, err = reference.Relocate(i.Name, newReg)
+							if err != nil {
+								return err
+							}
+						}
+						i.Name = newRef.Name()
+					}
+
+					hasAnnotationIdentityOptions := a[consts.ImageAnnotationCertIdentityRegexp] != "" || a[consts.ImageAnnotationCertIdentity] != ""
+					hasCliIdentityOptions := o.CertIdentityRegexp != "" || o.CertIdentity != ""
+					hasImageIdentityOptions := i.CertIdentityRegexp != "" || i.CertIdentity != ""
+
+					needsKeylessVerificaton := hasAnnotationIdentityOptions || hasCliIdentityOptions || hasImageIdentityOptions
+					needsPubKeyVerification := a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != ""
+					if needsPubKeyVerification {
+						key := o.Key
+						if o.Key == "" && a[consts.ImageAnnotationKey] != "" {
+							key, err = homedir.Expand(a[consts.ImageAnnotationKey])
+							if err != nil {
+								return err
+							}
+						}
+						if i.Key != "" {
+							key, err = homedir.Expand(i.Key)
+							if err != nil {
+								return err
+							}
+						}
+						l.Debugf("key for image [%s]", key)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifySignature(ctx, s, key, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("signature verified for image [%s]", i.Name)
+					} else if needsKeylessVerificaton { //Keyless signature verification
+						certIdentityRegexp := o.CertIdentityRegexp
+						if o.CertIdentityRegexp == "" && a[consts.ImageAnnotationCertIdentityRegexp] != "" {
+							certIdentityRegexp = a[consts.ImageAnnotationCertIdentityRegexp]
+						}
+						if i.CertIdentityRegexp != "" {
+							certIdentityRegexp = i.CertIdentityRegexp
+						}
+						l.Debugf("certIdentityRegexp for image [%s]", certIdentityRegexp)
+
+						certIdentity := o.CertIdentity
+						if o.CertIdentity == "" && a[consts.ImageAnnotationCertIdentity] != "" {
+							certIdentity = a[consts.ImageAnnotationCertIdentity]
+						}
+						if i.CertIdentity != "" {
+							certIdentity = i.CertIdentity
+						}
+						l.Debugf("certIdentity for image [%s]", certIdentity)
+
+						certOidcIssuer := o.CertOidcIssuer
+						if o.CertOidcIssuer == "" && a[consts.ImageAnnotationCertOidcIssuer] != "" {
+							certOidcIssuer = a[consts.ImageAnnotationCertOidcIssuer]
+						}
+						if i.CertOidcIssuer != "" {
+							certOidcIssuer = i.CertOidcIssuer
+						}
+						l.Debugf("certOidcIssuer for image [%s]", certOidcIssuer)
+
+						certOidcIssuerRegexp := o.CertOidcIssuerRegexp
+						if o.CertOidcIssuerRegexp == "" && a[consts.ImageAnnotationCertOidcIssuerRegexp] != "" {
+							certOidcIssuerRegexp = a[consts.ImageAnnotationCertOidcIssuerRegexp]
+						}
+						if i.CertOidcIssuerRegexp != "" {
+							certOidcIssuerRegexp = i.CertOidcIssuerRegexp
+						}
+						l.Debugf("certOidcIssuerRegexp for image [%s]", certOidcIssuerRegexp)
+
+						certGithubWorkflowRepository := o.CertGithubWorkflowRepository
+						if o.CertGithubWorkflowRepository == "" && a[consts.ImageAnnotationCertGithubWorkflowRepository] != "" {
+							certGithubWorkflowRepository = a[consts.ImageAnnotationCertGithubWorkflowRepository]
+						}
+						if i.CertGithubWorkflowRepository != "" {
+							certGithubWorkflowRepository = i.CertGithubWorkflowRepository
+						}
+						l.Debugf("certGithubWorkflowRepository for image [%s]", certGithubWorkflowRepository)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifyKeylessSignature(ctx, s, certIdentity, certIdentityRegexp, certOidcIssuer, certOidcIssuerRegexp, certGithubWorkflowRepository, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("keyless signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("keyless signature verified for image [%s]", i.Name)
+					}
+					platform := o.Platform
+					if o.Platform == "" && a[consts.ImageAnnotationPlatform] != "" {
+						platform = a[consts.ImageAnnotationPlatform]
+					}
+					if i.Platform != "" {
+						platform = i.Platform
+					}
+
+					if err := storeImage(ctx, s, i, platform, rso, ro); err != nil {
+						return err
+					}
+				}
+				s.CopyAll(ctx, s.OCI, nil)
+
+			default:
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
+			}
+
+		case consts.ChartsContentKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release !!! DEPRECATION WARNING !!!", gvk.Version)
+
+				var alphaCfg v1alpha1.Charts
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.Charts
+				if err := convert.ConvertCharts(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+				for _, ch := range v1Cfg.Spec.Charts {
+					if err := storeChart(ctx, s, ch, &action.ChartPathOptions{}); err != nil {
+						return err
+					}
+				}
+
+			case "v1":
+				var cfg v1.Charts
+				if err := yaml.Unmarshal(doc, &cfg); err != nil {
+					return err
+				}
+				for _, ch := range cfg.Spec.Charts {
+					if err := storeChart(ctx, s, ch, &action.ChartPathOptions{}); err != nil {
+						return err
+					}
+				}
+
+			default:
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
+			}
+
+		case consts.ChartsCollectionKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release !!! DEPRECATION WARNING !!!", gvk.Version)
+
+				var alphaCfg v1alpha1.ThickCharts
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.ThickCharts
+				if err := convert.ConvertThickCharts(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+				for _, chObj := range v1Cfg.Spec.Charts {
+					tc, err := tchart.NewThickChart(chObj, &action.ChartPathOptions{
+						RepoURL: chObj.RepoURL,
+						Version: chObj.Version,
+					})
+					if err != nil {
+						return err
+					}
+					if _, err := s.AddOCICollection(ctx, tc); err != nil {
+						return err
+					}
+				}
+
+			case "v1":
+				var cfg v1.ThickCharts
+				if err := yaml.Unmarshal(doc, &cfg); err != nil {
+					return err
+				}
+				for _, chObj := range cfg.Spec.Charts {
+					tc, err := tchart.NewThickChart(chObj, &action.ChartPathOptions{
+						RepoURL: chObj.RepoURL,
+						Version: chObj.Version,
+					})
+					if err != nil {
+						return err
+					}
+					if _, err := s.AddOCICollection(ctx, tc); err != nil {
+						return err
+					}
+				}
+
+			default:
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
+			}
+
+		case consts.ImageTxtsContentKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release !!! DEPRECATION WARNING !!!", gvk.Version)
+
+				var alphaCfg v1alpha1.ImageTxts
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.ImageTxts
+				if err := convert.ConvertImageTxts(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+				for _, cfgIt := range v1Cfg.Spec.ImageTxts {
+					it, err := imagetxt.New(cfgIt.Ref,
+						imagetxt.WithIncludeSources(cfgIt.Sources.Include...),
+						imagetxt.WithExcludeSources(cfgIt.Sources.Exclude...),
+					)
+					if err != nil {
+						return fmt.Errorf("convert ImageTxt %s: %v", v1Cfg.Name, err)
+					}
+					if _, err := s.AddOCICollection(ctx, it); err != nil {
+						return fmt.Errorf("add ImageTxt %s to store: %v", v1Cfg.Name, err)
+					}
+				}
+
+			case "v1":
+				var cfg v1.ImageTxts
+				if err := yaml.Unmarshal(doc, &cfg); err != nil {
+					return err
+				}
+				for _, cfgIt := range cfg.Spec.ImageTxts {
+					it, err := imagetxt.New(cfgIt.Ref,
+						imagetxt.WithIncludeSources(cfgIt.Sources.Include...),
+						imagetxt.WithExcludeSources(cfgIt.Sources.Exclude...),
+					)
+					if err != nil {
+						return fmt.Errorf("convert ImageTxt %s: %v", cfg.Name, err)
+					}
+					if _, err := s.AddOCICollection(ctx, it); err != nil {
+						return fmt.Errorf("add ImageTxt %s to store: %v", cfg.Name, err)
+					}
+				}
+
+			default:
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
+			}
+
+		default:
+			return fmt.Errorf("unsupported kind [%s]... valid kinds are [Files, Images, Charts, ThickCharts, ImageTxts]", gvk.Kind)
+		}
+	}
+	return nil
+}
--- a/cmd/hauler/cli/version.go
+++ b/cmd/hauler/cli/version.go
@@ -0,0 +1,41 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/internal/version"
+)
+
+func addVersion(parent *cobra.Command, ro *flags.CliRootOpts) {
+	o := &flags.VersionOpts{}
+
+	cmd := &cobra.Command{
+		Use:     "version",
+		Short:   "Print the current version",
+		Aliases: []string{"v"},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			v := version.GetVersionInfo()
+			v.Name = cmd.Root().Name()
+			v.Description = cmd.Root().Short
+			v.FontName = "starwars"
+			cmd.SetOut(cmd.OutOrStdout())
+
+			if o.JSON {
+				out, err := v.JSONString()
+				if err != nil {
+					return fmt.Errorf("unable to generate JSON from version info: %w", err)
+				}
+				cmd.Println(out)
+			} else {
+				cmd.Println(v.String())
+			}
+			return nil
+		},
+	}
+	o.AddFlags(cmd)
+
+	parent.AddCommand(cmd)
+}
--- a/cmd/hauler/main.go
+++ b/cmd/hauler/main.go
@@ -1,15 +1,24 @@
 package main

 import (
-	"log"
+	"context"
+	"os"

-	"github.com/rancherfederal/hauler/cmd/hauler/app"
+	"hauler.dev/go/hauler/cmd/hauler/cli"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/log"
 )

 func main() {
-	root := app.NewRootCommand()
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()

-	if err := root.Execute(); err != nil {
-		log.Fatalln(err)
+	logger := log.NewLogger(os.Stdout)
+	ctx = logger.WithContext(ctx)
+
+	if err := cli.New(ctx, &flags.CliRootOpts{}).ExecuteContext(ctx); err != nil {
+		logger.Errorf("%v", err)
+		cancel()
+		os.Exit(1)
 	}
 }
--- a/go.mod
+++ b/go.mod
@@ -1,70 +1,337 @@
-module github.com/rancherfederal/hauler
+module hauler.dev/go/hauler

-go 1.16
+go 1.25.1
+
+replace github.com/sigstore/cosign/v2 => github.com/hauler-dev/cosign/v2 v2.4.3-0.20250404165522-3a44ef646a65
+
+replace github.com/distribution/distribution/v3 => github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2

 require (
-	cloud.google.com/go/storage v1.8.0 // indirect
-	github.com/Microsoft/go-winio v0.5.0 // indirect
-	github.com/containerd/containerd v1.5.0-beta.4
-	github.com/deislabs/oras v0.11.1
-	github.com/docker/docker v20.10.6+incompatible // indirect
-	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
-	github.com/google/go-containerregistry v0.5.1
-	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/imdario/mergo v0.3.12
-	github.com/klauspost/compress v1.13.0 // indirect
-	github.com/klauspost/pgzip v1.2.5 // indirect
-	github.com/mholt/archiver/v3 v3.5.0
-	github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
-	github.com/otiai10/copy v1.6.0
-	github.com/pterm/pterm v0.12.24
-	github.com/rancher/fleet v0.3.5
-	github.com/rancher/fleet/pkg/apis v0.0.0
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/afero v1.6.0
-	github.com/spf13/cobra v1.1.3
-	github.com/ulikunitz/xz v0.5.10 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b // indirect
-	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
-	golang.org/x/net v0.0.0-20210525063256-abc453219eb5 // indirect
-	golang.org/x/tools v0.1.3 // indirect
-	google.golang.org/genproto v0.0.0-20210524171403-669157292da3 // indirect
-	google.golang.org/grpc v1.38.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	helm.sh/helm/v3 v3.5.1
-	k8s.io/apimachinery v0.21.1
-	k8s.io/cli-runtime v0.20.2
-	k8s.io/client-go v11.0.1-0.20190816222228-6d55c1b1f1ca+incompatible
-	sigs.k8s.io/cli-utils v0.23.1
-	sigs.k8s.io/controller-runtime v0.9.0
-	sigs.k8s.io/yaml v1.2.0
+	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be
+	github.com/containerd/containerd v1.7.28
+	github.com/distribution/distribution/v3 v3.0.0
+	github.com/google/go-containerregistry v0.20.6
+	github.com/gorilla/handlers v1.5.2
+	github.com/gorilla/mux v1.8.1
+	github.com/mholt/archives v0.1.4
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/olekukonko/tablewriter v0.0.5
+	github.com/opencontainers/go-digest v1.0.0
+	github.com/opencontainers/image-spec v1.1.1
+	github.com/pkg/errors v0.9.1
+	github.com/rs/zerolog v1.34.0
+	github.com/sigstore/cosign/v2 v2.4.1
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/afero v1.15.0
+	github.com/spf13/cobra v1.10.1
+	golang.org/x/sync v0.17.0
+	gopkg.in/yaml.v3 v3.0.1
+	helm.sh/helm/v3 v3.19.0
+	k8s.io/apimachinery v0.34.1
+	k8s.io/client-go v0.34.1
+	oras.land/oras-go v1.2.6
 )

-replace (
-	github.com/rancher/fleet/pkg/apis v0.0.0 => github.com/rancher/fleet/pkg/apis v0.0.0-20210604212701-3a76c78716ab
-	helm.sh/helm/v3 => github.com/rancher/helm/v3 v3.3.3-fleet1
-	k8s.io/api => k8s.io/api v0.20.2
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.20.2 // indirect
-	k8s.io/apimachinery => k8s.io/apimachinery v0.20.2 // indirect
-	k8s.io/apiserver => k8s.io/apiserver v0.20.2
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.20.2
-	k8s.io/client-go => github.com/rancher/client-go v0.20.0-fleet1
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.20.2
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.20.2
-	k8s.io/code-generator => k8s.io/code-generator v0.20.2
-	k8s.io/component-base => k8s.io/component-base v0.20.2
-	k8s.io/component-helpers => k8s.io/component-helpers v0.20.2
-	k8s.io/controller-manager => k8s.io/controller-manager v0.20.2
-	k8s.io/cri-api => k8s.io/cri-api v0.20.2
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.20.2
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.20.2
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.20.2
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.20.2
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.20.2
-	k8s.io/kubectl => k8s.io/kubectl v0.20.2
-	k8s.io/kubelet => k8s.io/kubelet v0.20.2
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.20.2
-	k8s.io/metrics => k8s.io/metrics v0.20.2
-	k8s.io/mount-utils => k8s.io/mount-utils v0.20.2
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.20.2
+require (
+	cloud.google.com/go/auth v0.14.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
+	cloud.google.com/go/compute/metadata v0.7.0 // indirect
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20241125120445-2c00c104c6e1 // indirect
+	cuelang.org/go v0.12.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
+	github.com/STARRY-S/zip v0.2.3 // indirect
+	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
+	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
+	github.com/agnivade/levenshtein v1.2.1 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
+	github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
+	github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
+	github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
+	github.com/alibabacloud-go/debug v1.0.0 // indirect
+	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
+	github.com/alibabacloud-go/tea v1.2.1 // indirect
+	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
+	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
+	github.com/aliyun/credentials-go v1.3.2 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.34.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.2 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.55 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.10 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/bodgit/plumbing v1.3.0 // indirect
+	github.com/bodgit/sevenzip v1.6.1 // indirect
+	github.com/bodgit/windows v1.0.1 // indirect
+	github.com/bshuster-repo/logrus-logstash-hook v1.0.0 // indirect
+	github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd // indirect
+	github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect
+	github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 // indirect
+	github.com/buildkite/agent/v3 v3.91.0 // indirect
+	github.com/buildkite/go-pipeline v0.13.3 // indirect
+	github.com/buildkite/interpolate v0.1.5 // indirect
+	github.com/buildkite/roko v1.3.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/chai2010/gettext-go v1.0.2 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
+	github.com/chzyer/readline v1.5.1 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/coreos/go-oidc/v3 v3.12.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/cli v28.2.2+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v28.3.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 // indirect
+	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/emicklei/proto v1.13.4 // indirect
+	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
+	github.com/fatih/color v1.16.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/runtime v0.28.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.23.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/go-piv/piv-go/v2 v2.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/gomodule/redigo v1.8.2 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/certificate-transparency-go v1.3.1 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-github/v55 v55.0.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/gosuri/uitable v0.0.4 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/in-toto/attestation v1.1.0 // indirect
+	github.com/in-toto/in-toto-golang v0.9.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
+	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
+	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
+	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
+	github.com/lib/pq v1.10.9 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/manifoldco/promptui v0.9.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mikelolasagasti/xz v1.0.1 // indirect
+	github.com/minio/minlz v1.0.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/mozillazg/docker-credential-acr-helper v0.4.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
+	github.com/nwaples/rardecode/v2 v2.1.1 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/oleiade/reflections v1.1.0 // indirect
+	github.com/open-policy-agent/opa v1.4.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pborman/uuid v1.2.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rogpeppe/go-internal v1.13.2-0.20241226121412-a5dc8ff20d0a // indirect
+	github.com/rubenv/sql-migrate v1.8.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
+	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sigstore/fulcio v1.6.6 // indirect
+	github.com/sigstore/protobuf-specs v0.4.0 // indirect
+	github.com/sigstore/rekor v1.3.9 // indirect
+	github.com/sigstore/sigstore v1.8.12 // indirect
+	github.com/sigstore/sigstore-go v0.7.0 // indirect
+	github.com/sigstore/timestamp-authority v1.2.4 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/sorairolake/lzip-go v0.3.8 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
+	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
+	github.com/thales-e-security/pool v0.0.2 // indirect
+	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.2 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
+	github.com/vbatts/tar-split v0.12.1 // indirect
+	github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	github.com/yashtewari/glob-intersection v0.2.0 // indirect
+	github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect
+	github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 // indirect
+	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
+	gitlab.com/gitlab-org/api/client-go v0.121.0 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
+	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/term v0.34.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	google.golang.org/api v0.219.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/grpc v1.72.1 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/api v0.34.1 // indirect
+	k8s.io/apiextensions-apiserver v0.34.0 // indirect
+	k8s.io/apiserver v0.34.0 // indirect
+	k8s.io/cli-runtime v0.34.0 // indirect
+	k8s.io/component-base v0.34.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
+	k8s.io/kubectl v0.34.0 // indirect
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
+	oras.land/oras-go/v2 v2.6.0 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/kustomize/api v0.20.1 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/release-utils v0.11.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,223 @@
+#!/bin/bash
+
+# Usage:
+#   - curl -sfL... | ENV_VAR=... bash
+#   - ENV_VAR=... ./install.sh
+#
+# Install Usage:
+#   Install Latest Release
+#     - curl -sfL https://get.hauler.dev | bash
+#     - ./install.sh
+#
+#   Install Specific Release
+#     - curl -sfL https://get.hauler.dev | HAULER_VERSION=1.0.0 bash
+#     - HAULER_VERSION=1.0.0 ./install.sh
+#
+#   Set Install Directory
+#     - curl -sfL https://get.hauler.dev | HAULER_INSTALL_DIR=/usr/local/bin bash
+#     - HAULER_INSTALL_DIR=/usr/local/bin ./install.sh
+#
+#   Set Hauler Directory
+#     - curl -sfL https://get.hauler.dev | HAULER_DIR=$HOME/.hauler bash
+#     - HAULER_DIR=$HOME/.hauler ./install.sh
+#
+# Debug Usage:
+#   - curl -sfL https://get.hauler.dev | HAULER_DEBUG=true bash
+#   - HAULER_DEBUG=true ./install.sh
+#
+# Uninstall Usage:
+#   - curl -sfL https://get.hauler.dev | HAULER_UNINSTALL=true bash
+#   - HAULER_UNINSTALL=true ./install.sh
+#
+# Documentation:
+#   - https://hauler.dev
+#   - https://github.com/hauler-dev/hauler
+
+# set functions for logging
+function verbose {
+    echo "$1"
+}
+
+function info {
+    echo && echo "[INFO] Hauler: $1"
+}
+
+function warn {
+    echo && echo "[WARN] Hauler: $1"
+}
+
+function fatal {
+    echo && echo "[ERROR] Hauler: $1"
+    exit 1
+}
+
+# debug hauler from argument or environment variable
+if [ "${HAULER_DEBUG}" = "true" ]; then
+    set -x
+fi
+
+# start hauler preflight checks
+info "Starting Preflight Checks..."
+
+# check for required packages and dependencies
+for cmd in echo curl grep sed rm mkdir awk openssl tar install source; do
+    if ! command -v "$cmd" &> /dev/null; then
+        fatal "$cmd is required to install Hauler"
+    fi
+done
+
+# set install directory from argument or environment variable
+HAULER_INSTALL_DIR=${HAULER_INSTALL_DIR:-/usr/local/bin}
+
+# ensure install directory exists and/or create it
+if [ ! -d "${HAULER_INSTALL_DIR}" ]; then
+    mkdir -p "${HAULER_INSTALL_DIR}" || fatal "Failed to Create Install Directory: ${HAULER_INSTALL_DIR}"
+fi
+
+# ensure install directory is writable (by user or root privileges)
+if [ ! -w "${HAULER_INSTALL_DIR}" ]; then
+    if [ "$(id -u)" -ne 0 ]; then
+        fatal "Root privileges are required to install Hauler to Directory: ${HAULER_INSTALL_DIR}"
+    fi
+fi
+
+# uninstall hauler from argument or environment variable
+if [ "${HAULER_UNINSTALL}" = "true" ]; then
+    # remove the hauler binary
+    rm -rf "${HAULER_INSTALL_DIR}/hauler" || fatal "Failed to Remove Hauler from ${HAULER_INSTALL_DIR}"
+
+    # remove the hauler directory
+    rm -rf "${HAULER_DIR}" || fatal "Failed to Remove Hauler Directory: ${HAULER_DIR}"
+
+    info "Successfully Uninstalled Hauler" && echo
+    exit 0
+fi
+
+# set version environment variable
+if [ -z "${HAULER_VERSION}" ]; then
+    # attempt to retrieve the latest version from GitHub
+    HAULER_VERSION=$(curl -sI https://github.com/hauler-dev/hauler/releases/latest | grep -i location | sed -e 's#.*tag/v##' -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g')
+
+    # exit if the version could not be detected
+    if [ -z "${HAULER_VERSION}" ]; then
+        fatal "HAULER_VERSION is unable to be detected and/or retrieved from GitHub. Please set: HAULER_VERSION"
+    fi
+fi
+
+# detect the operating system
+PLATFORM=$(uname -s | tr '[:upper:]' '[:lower:]')
+case $PLATFORM in
+    linux)
+        PLATFORM="linux"
+        ;;
+    darwin)
+        PLATFORM="darwin"
+        ;;
+    *)
+        fatal "Unsupported Platform: ${PLATFORM}"
+        ;;
+esac
+
+# detect the architecture
+ARCH=$(uname -m)
+case $ARCH in
+    x86_64 | x86-32 | x64 | x32 | amd64)
+        ARCH="amd64"
+        ;;
+    aarch64 | arm64)
+        ARCH="arm64"
+        ;;
+    *)
+        fatal "Unsupported Architecture: ${ARCH}"
+        ;;
+esac
+
+# set hauler directory from argument or environment variable
+HAULER_DIR=${HAULER_DIR:-$HOME/.hauler}
+
+# start hauler installation
+info "Starting Installation..."
+
+# display the version, platform, and architecture
+verbose "- Version: v${HAULER_VERSION}"
+verbose "- Platform: ${PLATFORM}"
+verbose "- Architecture: ${ARCH}"
+verbose "- Install Directory: ${HAULER_INSTALL_DIR}"
+verbose "- Hauler Directory: ${HAULER_DIR}"
+
+# ensure hauler directory exists and/or create it
+if [ ! -d "${HAULER_DIR}" ]; then
+    mkdir -p "${HAULER_DIR}" || fatal "Failed to Create Hauler Directory: ${HAULER_DIR}"
+fi
+
+# ensure hauler directory is writable (by user or root privileges)
+chmod -R 777 "${HAULER_DIR}" || fatal "Failed to Update Permissions of Hauler Directory: ${HAULER_DIR}"
+
+# change to hauler directory
+cd "${HAULER_DIR}" || fatal "Failed to Change Directory to Hauler Directory: ${HAULER_DIR}"
+
+# start hauler artifacts download
+info "Starting Download..."
+
+# download the checksum file
+if ! curl -sfOL "https://github.com/hauler-dev/hauler/releases/download/v${HAULER_VERSION}/hauler_${HAULER_VERSION}_checksums.txt"; then
+    fatal "Failed to Download: hauler_${HAULER_VERSION}_checksums.txt"
+fi
+
+# download the archive file
+if ! curl -sfOL "https://github.com/hauler-dev/hauler/releases/download/v${HAULER_VERSION}/hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"; then
+    fatal "Failed to Download: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+fi
+
+# start hauler checksum verification
+info "Starting Checksum Verification..."
+
+# verify the Hauler checksum
+EXPECTED_CHECKSUM=$(awk -v HAULER_VERSION="${HAULER_VERSION}" -v PLATFORM="${PLATFORM}" -v ARCH="${ARCH}" '$2 == "hauler_"HAULER_VERSION"_"PLATFORM"_"ARCH".tar.gz" {print $1}' "hauler_${HAULER_VERSION}_checksums.txt")
+DETERMINED_CHECKSUM=$(openssl dgst -sha256 "hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz" | awk '{print $2}')
+
+if [ -z "${EXPECTED_CHECKSUM}" ]; then
+    fatal "Failed to Locate Checksum: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+elif [ "${DETERMINED_CHECKSUM}" = "${EXPECTED_CHECKSUM}" ]; then
+    verbose "- Expected Checksum: ${EXPECTED_CHECKSUM}"
+    verbose "- Determined Checksum: ${DETERMINED_CHECKSUM}"
+    verbose "- Successfully Verified Checksum: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+else
+    verbose "- Expected: ${EXPECTED_CHECKSUM}"
+    verbose "- Determined: ${DETERMINED_CHECKSUM}"
+    fatal "Failed Checksum Verification: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+fi
+
+# uncompress the hauler archive
+tar -xzf "hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz" || fatal "Failed to Extract: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+
+# install the hauler binary
+install -m 755 hauler "${HAULER_INSTALL_DIR}" || fatal "Failed to Install Hauler: ${HAULER_INSTALL_DIR}"
+
+# add hauler to the path
+if [[ ":$PATH:" != *":${HAULER_INSTALL_DIR}:"* ]]; then
+    if [ -f "$HOME/.bashrc" ]; then
+        echo "export PATH=\$PATH:${HAULER_INSTALL_DIR}" >> "$HOME/.bashrc"
+        source "$HOME/.bashrc"
+    elif [ -f "$HOME/.bash_profile" ]; then
+        echo "export PATH=\$PATH:${HAULER_INSTALL_DIR}" >> "$HOME/.bash_profile"
+        source "$HOME/.bash_profile"
+    elif [ -f "$HOME/.zshrc" ]; then
+        echo "export PATH=\$PATH:${HAULER_INSTALL_DIR}" >> "$HOME/.zshrc"
+        source "$HOME/.zshrc"
+    elif [ -f "$HOME/.profile" ]; then
+        echo "export PATH=\$PATH:${HAULER_INSTALL_DIR}" >> "$HOME/.profile"
+        source "$HOME/.profile"
+    else
+        warn "Failed to add ${HAULER_INSTALL_DIR} to PATH: Unsupported Shell"
+    fi
+fi
+
+# display success message
+info "Successfully Installed Hauler at ${HAULER_INSTALL_DIR}/hauler"
+
+# display availability message
+info "Hauler v${HAULER_VERSION} is now available for use!"
+
+# display hauler docs message
+verbose "- Documentation: https://hauler.dev" && echo
--- a/internal/flags/add.go
+++ b/internal/flags/add.go
@@ -0,0 +1,61 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"helm.sh/helm/v3/pkg/action"
+)
+
+type AddImageOpts struct {
+	*StoreRootOpts
+	Name                         string
+	Key                          string
+	CertOidcIssuer               string
+	CertOidcIssuerRegexp         string
+	CertIdentity                 string
+	CertIdentityRegexp           string
+	CertGithubWorkflowRepository string
+	Tlog                         bool
+	Platform                     string
+}
+
+func (o *AddImageOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Location of public key to use for signature verification")
+	f.StringVar(&o.CertIdentity, "certificate-identity", "", "(Optional) Cosign certificate-identity (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertIdentityRegexp, "certificate-identity-regexp", "", "(Optional) Cosign certificate-identity-regexp (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "", "(Optional) Cosign option to validate oidc issuer")
+	f.StringVar(&o.CertOidcIssuerRegexp, "certificate-oidc-issuer-regexp", "", "(Optional) Cosign option to validate oidc issuer with regex")
+	f.StringVar(&o.CertGithubWorkflowRepository, "certificate-github-workflow-repository", "", "(Optional) Cosign certificate-github-workflow-repository option")
+	f.BoolVarP(&o.Tlog, "use-tlog-verify", "v", false, "(Optional) Allow transparency log verification. (defaults to false)")
+	f.StringVarP(&o.Platform, "platform", "p", "", "(Optional) Specifiy the platform of the image... i.e. linux/amd64 (defaults to all)")
+}
+
+type AddFileOpts struct {
+	*StoreRootOpts
+	Name string
+}
+
+func (o *AddFileOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+	f.StringVarP(&o.Name, "name", "n", "", "(Optional) Rewrite the name of the file")
+}
+
+type AddChartOpts struct {
+	*StoreRootOpts
+
+	ChartOpts *action.ChartPathOptions
+}
+
+func (o *AddChartOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVar(&o.ChartOpts.RepoURL, "repo", "", "Location of the chart (https:// | http:// | oci://)")
+	f.StringVar(&o.ChartOpts.Version, "version", "", "(Optional) Specifiy the version of the chart (v1.0.0 | 2.0.0 | ^2.0.0)")
+	f.BoolVar(&o.ChartOpts.Verify, "verify", false, "(Optional) Verify the chart before fetching it")
+	f.StringVar(&o.ChartOpts.Username, "username", "", "(Optional) Username to use for authentication")
+	f.StringVar(&o.ChartOpts.Password, "password", "", "(Optional) Password to use for authentication")
+	f.StringVar(&o.ChartOpts.CertFile, "cert-file", "", "(Optional) Location of the TLS Certificate to use for client authenication")
+	f.StringVar(&o.ChartOpts.KeyFile, "key-file", "", "(Optional) Location of the TLS Key to use for client authenication")
+	f.BoolVar(&o.ChartOpts.InsecureSkipTLSverify, "insecure-skip-tls-verify", false, "(Optional) Skip TLS certificate verification")
+	f.StringVar(&o.ChartOpts.CaFile, "ca-file", "", "(Optional) Location of CA Bundle to enable certification verification")
+}
--- a/internal/flags/cli.go
+++ b/internal/flags/cli.go
@@ -0,0 +1,17 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type CliRootOpts struct {
+	LogLevel     string
+	HaulerDir    string
+	IgnoreErrors bool
+}
+
+func AddRootFlags(cmd *cobra.Command, ro *CliRootOpts) {
+	pf := cmd.PersistentFlags()
+
+	pf.StringVarP(&ro.LogLevel, "log-level", "l", "info", "Set the logging level (i.e. info, debug, warn)")
+	pf.StringVarP(&ro.HaulerDir, "haulerdir", "d", "", "Set the location of the hauler directory (default $HOME/.hauler)")
+	pf.BoolVar(&ro.IgnoreErrors, "ignore-errors", false, "Ignore/Bypass errors (i.e. warn on error) (defaults false)")
+}
--- a/internal/flags/copy.go
+++ b/internal/flags/copy.go
@@ -0,0 +1,36 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type CopyOpts struct {
+	*StoreRootOpts
+
+	Username  string
+	Password  string
+	Insecure  bool
+	PlainHTTP bool
+	Only      string
+}
+
+func (o *CopyOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVarP(&o.Username, "username", "u", "", "(Deprecated) Please use 'hauler login'")
+	f.StringVarP(&o.Password, "password", "p", "", "(Deprecated) Please use 'hauler login'")
+	f.BoolVar(&o.Insecure, "insecure", false, "(Optional) Allow insecure connections")
+	f.BoolVar(&o.PlainHTTP, "plain-http", false, "(Optional) Allow plain HTTP connections")
+	f.StringVarP(&o.Only, "only", "o", "", "(Optional) Custom string array to only copy specific 'image' items")
+
+	if err := f.MarkDeprecated("username", "please use 'hauler login'"); err != nil {
+		panic(err)
+	}
+	if err := f.MarkDeprecated("password", "please use 'hauler login'"); err != nil {
+		panic(err)
+	}
+	if err := f.MarkHidden("username"); err != nil {
+		panic(err)
+	}
+	if err := f.MarkHidden("password"); err != nil {
+		panic(err)
+	}
+}
--- a/internal/flags/extract.go
+++ b/internal/flags/extract.go
@@ -0,0 +1,14 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type ExtractOpts struct {
+	*StoreRootOpts
+	DestinationDir string
+}
+
+func (o *ExtractOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVarP(&o.DestinationDir, "output", "o", "", "(Optional) Set the directory to output (defaults to current directory)")
+}
--- a/internal/flags/info.go
+++ b/internal/flags/info.go
@@ -0,0 +1,20 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type InfoOpts struct {
+	*StoreRootOpts
+
+	OutputFormat string
+	TypeFilter   string
+	SizeUnit     string
+	ListRepos    bool
+}
+
+func (o *InfoOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVarP(&o.OutputFormat, "output", "o", "table", "(Optional) Specify the output format (table | json)")
+	f.StringVarP(&o.TypeFilter, "type", "t", "all", "(Optional) Filter on content type (image | chart | file | sigs | atts | sbom)")
+	f.BoolVar(&o.ListRepos, "list-repos", false, "(Optional) List all repository names")
+}
--- a/internal/flags/load.go
+++ b/internal/flags/load.go
@@ -0,0 +1,21 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type LoadOpts struct {
+	*StoreRootOpts
+	FileName     []string
+	TempOverride string
+}
+
+func (o *LoadOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	// On Unix systems, the default is $TMPDIR if non-empty, else /tmp
+	// On Windows, the default is GetTempPath, returning the first value from %TMP%, %TEMP%, %USERPROFILE%, or Windows directory
+	f.StringSliceVarP(&o.FileName, "filename", "f", []string{consts.DefaultHaulerArchiveName}, "(Optional) Specify the name of inputted haul(s)")
+	f.StringVarP(&o.TempOverride, "tempdir", "t", "", "(Optional) Override the default temporary directiory determined by the OS")
+}
--- a/internal/flags/save.go
+++ b/internal/flags/save.go
@@ -0,0 +1,19 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type SaveOpts struct {
+	*StoreRootOpts
+	FileName string
+	Platform string
+}
+
+func (o *SaveOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVarP(&o.FileName, "filename", "f", consts.DefaultHaulerArchiveName, "(Optional) Specify the name of outputted haul")
+	f.StringVarP(&o.Platform, "platform", "p", "", "(Optional) Specify the platform for runtime imports... i.e. linux/amd64 (unspecified implies all)")
+}
--- a/internal/flags/serve.go
+++ b/internal/flags/serve.go
@@ -0,0 +1,56 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type ServeRegistryOpts struct {
+	*StoreRootOpts
+
+	Port       int
+	RootDir    string
+	ConfigFile string
+	ReadOnly   bool
+
+	TLSCert string
+	TLSKey  string
+}
+
+func (o *ServeRegistryOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.IntVarP(&o.Port, "port", "p", consts.DefaultRegistryPort, "(Optional) Set the port to use for incoming connections")
+	f.StringVar(&o.RootDir, "directory", consts.DefaultRegistryRootDir, "(Optional) Directory to use for backend. Defaults to $PWD/registry")
+	f.StringVarP(&o.ConfigFile, "config", "c", "", "(Optional) Location of config file (overrides all flags)")
+	f.BoolVar(&o.ReadOnly, "readonly", true, "(Optional) Run the registry as readonly")
+
+	f.StringVar(&o.TLSCert, "tls-cert", "", "(Optional) Location of the TLS Certificate to use for server authenication")
+	f.StringVar(&o.TLSKey, "tls-key", "", "(Optional) Location of the TLS Key to use for server authenication")
+
+	cmd.MarkFlagsRequiredTogether("tls-cert", "tls-key")
+}
+
+type ServeFilesOpts struct {
+	*StoreRootOpts
+
+	Port    int
+	Timeout int
+	RootDir string
+
+	TLSCert string
+	TLSKey  string
+}
+
+func (o *ServeFilesOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.IntVarP(&o.Port, "port", "p", consts.DefaultFileserverPort, "(Optional) Set the port to use for incoming connections")
+	f.IntVarP(&o.Timeout, "timeout", "t", consts.DefaultFileserverTimeout, "(Optional) Timeout duration for HTTP Requests in seconds for both reads/writes")
+	f.StringVar(&o.RootDir, "directory", consts.DefaultFileserverRootDir, "(Optional) Directory to use for backend. Defaults to $PWD/fileserver")
+
+	f.StringVar(&o.TLSCert, "tls-cert", "", "(Optional) Location of the TLS Certificate to use for server authenication")
+	f.StringVar(&o.TLSKey, "tls-key", "", "(Optional) Location of the TLS Key to use for server authenication")
+
+	cmd.MarkFlagsRequiredTogether("tls-cert", "tls-key")
+}
--- a/internal/flags/store.go
+++ b/internal/flags/store.go
@@ -0,0 +1,61 @@
+package flags
+
+import (
+	"context"
+	"errors"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+type StoreRootOpts struct {
+	StoreDir string
+	Retries  int
+}
+
+func (o *StoreRootOpts) AddFlags(cmd *cobra.Command) {
+	pf := cmd.PersistentFlags()
+	pf.StringVarP(&o.StoreDir, "store", "s", "", "Set the directory to use for the content store")
+	pf.IntVarP(&o.Retries, "retries", "r", consts.DefaultRetries, "Set the number of retries for operations")
+}
+
+func (o *StoreRootOpts) Store(ctx context.Context) (*store.Layout, error) {
+	l := log.FromContext(ctx)
+
+	storeDir := o.StoreDir
+
+	if storeDir == "" {
+		storeDir = os.Getenv(consts.HaulerStoreDir)
+	}
+
+	if storeDir == "" {
+		storeDir = consts.DefaultStoreName
+	}
+
+	abs, err := filepath.Abs(storeDir)
+	if err != nil {
+		return nil, err
+	}
+
+	o.StoreDir = abs
+
+	l.Debugf("using store at [%s]", abs)
+
+	if _, err := os.Stat(abs); errors.Is(err, os.ErrNotExist) {
+		if err := os.MkdirAll(abs, os.ModePerm); err != nil {
+			return nil, err
+		}
+	} else if err != nil {
+		return nil, err
+	}
+
+	s, err := store.NewLayout(abs)
+	if err != nil {
+		return nil, err
+	}
+	return s, nil
+}
--- a/internal/flags/sync.go
+++ b/internal/flags/sync.go
@@ -0,0 +1,41 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type SyncOpts struct {
+	*StoreRootOpts
+	FileName                     []string
+	Key                          string
+	CertOidcIssuer               string
+	CertOidcIssuerRegexp         string
+	CertIdentity                 string
+	CertIdentityRegexp           string
+	CertGithubWorkflowRepository string
+	Products                     []string
+	Platform                     string
+	Registry                     string
+	ProductRegistry              string
+	TempOverride                 string
+	Tlog                         bool
+}
+
+func (o *SyncOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringSliceVarP(&o.FileName, "filename", "f", []string{consts.DefaultHaulerManifestName}, "Specify the name of manifest(s) to sync")
+	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Location of public key to use for signature verification")
+	f.StringVar(&o.CertIdentity, "certificate-identity", "", "(Optional) Cosign certificate-identity (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertIdentityRegexp, "certificate-identity-regexp", "", "(Optional) Cosign certificate-identity-regexp (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "", "(Optional) Cosign option to validate oidc issuer")
+	f.StringVar(&o.CertOidcIssuerRegexp, "certificate-oidc-issuer-regexp", "", "(Optional) Cosign option to validate oidc issuer with regex")
+	f.StringVar(&o.CertGithubWorkflowRepository, "certificate-github-workflow-repository", "", "(Optional) Cosign certificate-github-workflow-repository option")
+	f.StringSliceVar(&o.Products, "products", []string{}, "(Optional) Specify the product name to fetch collections from the product registry i.e. rancher=v2.10.1,rke2=v1.31.5+rke2r1")
+	f.StringVarP(&o.Platform, "platform", "p", "", "(Optional) Specify the platform of the image... i.e linux/amd64 (defaults to all)")
+	f.StringVarP(&o.Registry, "registry", "g", "", "(Optional) Specify the registry of the image for images that do not alredy define one")
+	f.StringVarP(&o.ProductRegistry, "product-registry", "c", "", "(Optional) Specify the product registry. Defaults to RGS Carbide Registry (rgcrprod.azurecr.us)")
+	f.StringVarP(&o.TempOverride, "tempdir", "t", "", "(Optional) Override the default temporary directiory determined by the OS")
+	f.BoolVarP(&o.Tlog, "use-tlog-verify", "v", false, "(Optional) Allow transparency log verification. (defaults to false)")
+}
--- a/internal/flags/version.go
+++ b/internal/flags/version.go
@@ -0,0 +1,12 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type VersionOpts struct {
+	JSON bool
+}
+
+func (o *VersionOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+	f.BoolVar(&o.JSON, "json", false, "Set the output format to JSON")
+}
--- a/internal/mapper/filestore.go
+++ b/internal/mapper/filestore.go
@@ -0,0 +1,86 @@
+package mapper
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	ccontent "github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/remotes"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"oras.land/oras-go/pkg/content"
+)
+
+// NewMapperFileStore creates a new file store that uses mapper functions for each detected descriptor.
+//
+//	This extends content.File, and differs in that it allows much more functionality into how each descriptor is written.
+func NewMapperFileStore(root string, mapper map[string]Fn) *store {
+	fs := content.NewFile(root)
+	return &store{
+		File:   fs,
+		mapper: mapper,
+	}
+}
+
+func (s *store) Pusher(ctx context.Context, ref string) (remotes.Pusher, error) {
+	var tag, hash string
+	parts := strings.SplitN(ref, "@", 2)
+	if len(parts) > 0 {
+		tag = parts[0]
+	}
+	if len(parts) > 1 {
+		hash = parts[1]
+	}
+	return &pusher{
+		store:  s.File,
+		tag:    tag,
+		ref:    hash,
+		mapper: s.mapper,
+	}, nil
+}
+
+type store struct {
+	*content.File
+	mapper map[string]Fn
+}
+
+func (s *pusher) Push(ctx context.Context, desc ocispec.Descriptor) (ccontent.Writer, error) {
+	// TODO: This is suuuuuper ugly... redo this when oras v2 is out
+	if _, ok := content.ResolveName(desc); ok {
+		p, err := s.store.Pusher(ctx, s.ref)
+		if err != nil {
+			return nil, err
+		}
+		return p.Push(ctx, desc)
+	}
+
+	// If no custom mapper found, fall back to content.File mapper
+	if _, ok := s.mapper[desc.MediaType]; !ok {
+		return content.NewIoContentWriter(io.Discard, content.WithOutputHash(desc.Digest)), nil
+	}
+
+	filename, err := s.mapper[desc.MediaType](desc)
+	if err != nil {
+		return nil, err
+	}
+
+	fullFileName := filepath.Join(s.store.ResolvePath(""), filename)
+	// TODO: Don't rewrite everytime, we can check the digest
+	f, err := os.OpenFile(fullFileName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return nil, errors.Wrap(err, "pushing file")
+	}
+
+	w := content.NewIoContentWriter(f, content.WithInputHash(desc.Digest), content.WithOutputHash(desc.Digest))
+	return w, nil
+}
+
+type pusher struct {
+	store  *content.File
+	tag    string
+	ref    string
+	mapper map[string]Fn
+}
--- a/internal/mapper/mappers.go
+++ b/internal/mapper/mappers.go
@@ -0,0 +1,83 @@
+package mapper
+
+import (
+	"fmt"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/pkg/target"
+
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type Fn func(desc ocispec.Descriptor) (string, error)
+
+// FromManifest will return the appropriate content store given a reference and source type adequate for storing the results on disk
+func FromManifest(manifest ocispec.Manifest, root string) (target.Target, error) {
+	// TODO: Don't rely solely on config mediatype
+	switch manifest.Config.MediaType {
+	case consts.DockerConfigJSON, consts.OCIManifestSchema1:
+		s := NewMapperFileStore(root, Images())
+		defer s.Close()
+		return s, nil
+
+	case consts.ChartLayerMediaType, consts.ChartConfigMediaType:
+		s := NewMapperFileStore(root, Chart())
+		defer s.Close()
+		return s, nil
+
+	default:
+		s := NewMapperFileStore(root, nil)
+		defer s.Close()
+		return s, nil
+	}
+}
+
+func Images() map[string]Fn {
+	m := make(map[string]Fn)
+
+	manifestMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		return consts.ImageManifestFile, nil
+	})
+
+	for _, l := range []string{consts.DockerManifestSchema2, consts.DockerManifestListSchema2, consts.OCIManifestSchema1} {
+		m[l] = manifestMapperFn
+	}
+
+	layerMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		return fmt.Sprintf("%s.tar.gz", desc.Digest.String()), nil
+	})
+
+	for _, l := range []string{consts.OCILayer, consts.DockerLayer} {
+		m[l] = layerMapperFn
+	}
+
+	configMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		return consts.ImageConfigFile, nil
+	})
+
+	for _, l := range []string{consts.DockerConfigJSON} {
+		m[l] = configMapperFn
+	}
+
+	return m
+}
+
+func Chart() map[string]Fn {
+	m := make(map[string]Fn)
+
+	chartMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		f := "chart.tar.gz"
+		if _, ok := desc.Annotations[ocispec.AnnotationTitle]; ok {
+			f = desc.Annotations[ocispec.AnnotationTitle]
+		}
+		return f, nil
+	})
+
+	provMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		return "prov.json", nil
+	})
+
+	m[consts.ChartLayerMediaType] = chartMapperFn
+	m[consts.ProvLayerMediaType] = provMapperFn
+	return m
+}
--- a/internal/server/file.go
+++ b/internal/server/file.go
@@ -0,0 +1,41 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/gorilla/handlers"
+	"github.com/gorilla/mux"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+// NewFile returns a fileserver
+// TODO: Better configs
+func NewFile(ctx context.Context, cfg flags.ServeFilesOpts) (Server, error) {
+	r := mux.NewRouter()
+	r.PathPrefix("/").Handler(handlers.LoggingHandler(os.Stdout, http.StripPrefix("/", http.FileServer(http.Dir(cfg.RootDir)))))
+	if cfg.RootDir == "" {
+		cfg.RootDir = "."
+	}
+
+	if cfg.Port == 0 {
+		cfg.Port = consts.DefaultFileserverPort
+	}
+
+	if cfg.Timeout == 0 {
+		cfg.Timeout = consts.DefaultFileserverTimeout
+	}
+
+	srv := &http.Server{
+		Handler:      r,
+		Addr:         fmt.Sprintf(":%d", cfg.Port),
+		WriteTimeout: time.Duration(cfg.Timeout) * time.Second,
+		ReadTimeout:  time.Duration(cfg.Timeout) * time.Second,
+	}
+
+	return srv, nil
+}
--- a/internal/server/registry.go
+++ b/internal/server/registry.go
@@ -0,0 +1,113 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"time"
+
+	"github.com/distribution/distribution/v3/configuration"
+	"github.com/distribution/distribution/v3/registry"
+	"github.com/distribution/distribution/v3/registry/handlers"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+func NewRegistry(ctx context.Context, cfg *configuration.Configuration) (*registry.Registry, error) {
+	r, err := registry.NewRegistry(ctx, cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	return r, nil
+}
+
+type tmpRegistryServer struct {
+	*httptest.Server
+}
+
+func NewTempRegistry(ctx context.Context, root string) *tmpRegistryServer {
+	cfg := &configuration.Configuration{
+		Version: "0.1",
+		Storage: configuration.Storage{
+			"cache":      configuration.Parameters{"blobdescriptor": "inmemory"},
+			"filesystem": configuration.Parameters{"rootdirectory": root},
+		},
+	}
+
+	cfg.Validation.Manifests.URLs.Allow = []string{".+"}
+
+	cfg.Log.Level = "error"
+	cfg.HTTP.Headers = http.Header{
+		"X-Content-Type-Options": []string{"nosniff"},
+	}
+
+	l, err := logrus.ParseLevel("panic")
+	if err != nil {
+		l = logrus.ErrorLevel
+	}
+	logrus.SetLevel(l)
+
+	app := handlers.NewApp(ctx, cfg)
+	app.RegisterHealthChecks()
+	handler := alive("/", app)
+
+	s := httptest.NewUnstartedServer(handler)
+	return &tmpRegistryServer{
+		Server: s,
+	}
+}
+
+// Registry returns the URL of the server without the protocol, suitable for content references
+func (t *tmpRegistryServer) Registry() string {
+	return strings.Replace(t.Server.URL, "http://", "", 1)
+}
+
+func (t *tmpRegistryServer) Start() error {
+	t.Server.Start()
+
+	err := retry(5, 1*time.Second, func() (err error) {
+		resp, err := http.Get(t.Server.URL + "/v2")
+		if err != nil {
+			return err
+		}
+		resp.Body.Close()
+		if resp.StatusCode == http.StatusOK {
+			return nil
+		}
+		return errors.New("to start temporary registry")
+
+	})
+	return err
+}
+
+func (t *tmpRegistryServer) Stop() {
+	t.Server.Close()
+}
+
+func alive(path string, handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == path {
+			w.Header().Set("Cache-Control", "no-cache")
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		handler.ServeHTTP(w, r)
+	})
+}
+
+func retry(attempts int, sleep time.Duration, f func() error) (err error) {
+	for i := 0; i < attempts; i++ {
+		if i > 0 {
+			time.Sleep(sleep)
+			sleep *= 2
+		}
+		err = f()
+		if err == nil {
+			return nil
+		}
+	}
+	return fmt.Errorf("after %d attempts, last error: %s", attempts, err)
+}
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -0,0 +1,6 @@
+package server
+
+type Server interface {
+	ListenAndServe() error
+	ListenAndServeTLS(string, string) error
+}
--- a/internal/version/version.go
+++ b/internal/version/version.go
@@ -0,0 +1,228 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package version
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"runtime"
+	"runtime/debug"
+	"strings"
+	"sync"
+	"text/tabwriter"
+	"time"
+
+	"github.com/common-nighthawk/go-figure"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+// Base version information.
+//
+// This is the fallback data used when version information from git is not
+// provided via go ldflags.
+var (
+	// Output of "git describe". The prerequisite is that the
+	// branch should be tagged using the correct versioning strategy.
+	gitVersion = "devel"
+	// SHA1 from git, output of $(git rev-parse HEAD)
+	gitCommit = consts.Unknown
+	// State of git tree, either "clean" or "dirty"
+	gitTreeState = consts.Unknown
+	// Build date in ISO8601 format, output of $(date -u +'%Y-%m-%dT%H:%M:%SZ')
+	buildDate = consts.Unknown
+	// flag to print the ascii name banner
+	asciiName = "true"
+	// goVersion is the used golang version.
+	goVersion = consts.Unknown
+	// compiler is the used golang compiler.
+	compiler = consts.Unknown
+	// platform is the used os/arch identifier.
+	platform = consts.Unknown
+
+	once sync.Once
+	info = Info{}
+)
+
+type Info struct {
+	GitVersion   string `json:"gitVersion"`
+	GitCommit    string `json:"gitCommit"`
+	GitTreeState string `json:"gitTreeState"`
+	BuildDate    string `json:"buildDate"`
+	GoVersion    string `json:"goVersion"`
+	Compiler     string `json:"compiler"`
+	Platform     string `json:"platform"`
+
+	ASCIIName   string `json:"-"`
+	FontName    string `json:"-"`
+	Name        string `json:"-"`
+	Description string `json:"-"`
+}
+
+func getBuildInfo() *debug.BuildInfo {
+	bi, ok := debug.ReadBuildInfo()
+	if !ok {
+		return nil
+	}
+	return bi
+}
+
+func getGitVersion(bi *debug.BuildInfo) string {
+	if bi == nil {
+		return consts.Unknown
+	}
+
+	// TODO: remove this when the issue https://github.com/golang/go/issues/29228 is fixed
+	if bi.Main.Version == "(devel)" || bi.Main.Version == "" {
+		return gitVersion
+	}
+
+	return bi.Main.Version
+}
+
+func getCommit(bi *debug.BuildInfo) string {
+	return getKey(bi, "vcs.revision")
+}
+
+func getDirty(bi *debug.BuildInfo) string {
+	modified := getKey(bi, "vcs.modified")
+	if modified == "true" {
+		return "dirty"
+	}
+	if modified == "false" {
+		return "clean"
+	}
+	return consts.Unknown
+}
+
+func getBuildDate(bi *debug.BuildInfo) string {
+	buildTime := getKey(bi, "vcs.time")
+	t, err := time.Parse("2006-01-02T15:04:05Z", buildTime)
+	if err != nil {
+		return consts.Unknown
+	}
+	return t.Format("2006-01-02T15:04:05")
+}
+
+func getKey(bi *debug.BuildInfo, key string) string {
+	if bi == nil {
+		return consts.Unknown
+	}
+	for _, iter := range bi.Settings {
+		if iter.Key == key {
+			return iter.Value
+		}
+	}
+	return consts.Unknown
+}
+
+// GetVersionInfo represents known information on how this binary was built.
+func GetVersionInfo() Info {
+	once.Do(func() {
+		buildInfo := getBuildInfo()
+		gitVersion = getGitVersion(buildInfo)
+		if gitCommit == consts.Unknown {
+			gitCommit = getCommit(buildInfo)
+		}
+
+		if gitTreeState == consts.Unknown {
+			gitTreeState = getDirty(buildInfo)
+		}
+
+		if buildDate == consts.Unknown {
+			buildDate = getBuildDate(buildInfo)
+		}
+
+		if goVersion == consts.Unknown {
+			goVersion = runtime.Version()
+		}
+
+		if compiler == consts.Unknown {
+			compiler = runtime.Compiler
+		}
+
+		if platform == consts.Unknown {
+			platform = fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH)
+		}
+
+		info = Info{
+			ASCIIName:    asciiName,
+			GitVersion:   gitVersion,
+			GitCommit:    gitCommit,
+			GitTreeState: gitTreeState,
+			BuildDate:    buildDate,
+			GoVersion:    goVersion,
+			Compiler:     compiler,
+			Platform:     platform,
+		}
+	})
+
+	return info
+}
+
+// String returns the string representation of the version info
+func (i *Info) String() string {
+	b := strings.Builder{}
+	w := tabwriter.NewWriter(&b, 0, 0, 2, ' ', 0)
+
+	// name and description are optional.
+	if i.Name != "" {
+		if i.ASCIIName == "true" {
+			f := figure.NewFigure(strings.ToUpper(i.Name), i.FontName, true)
+			_, _ = fmt.Fprint(w, f.String())
+		}
+		_, _ = fmt.Fprint(w, i.Name)
+		if i.Description != "" {
+			_, _ = fmt.Fprintf(w, ": %s", i.Description)
+		}
+		_, _ = fmt.Fprint(w, "\n\n")
+	}
+
+	_, _ = fmt.Fprintf(w, "GitVersion:\t%s\n", i.GitVersion)
+	_, _ = fmt.Fprintf(w, "GitCommit:\t%s\n", i.GitCommit)
+	_, _ = fmt.Fprintf(w, "GitTreeState:\t%s\n", i.GitTreeState)
+	_, _ = fmt.Fprintf(w, "BuildDate:\t%s\n", i.BuildDate)
+	_, _ = fmt.Fprintf(w, "GoVersion:\t%s\n", i.GoVersion)
+	_, _ = fmt.Fprintf(w, "Compiler:\t%s\n", i.Compiler)
+	_, _ = fmt.Fprintf(w, "Platform:\t%s\n", i.Platform)
+
+	_ = w.Flush()
+	return b.String()
+}
+
+// JSONString returns the JSON representation of the version info
+func (i *Info) JSONString() (string, error) {
+	b, err := json.MarshalIndent(i, "", "  ")
+	if err != nil {
+		return "", err
+	}
+
+	return string(b), nil
+}
+
+func (i *Info) CheckFontName(fontName string) bool {
+	assetNames := figure.AssetNames()
+
+	for _, font := range assetNames {
+		if strings.Contains(font, fontName) {
+			return true
+		}
+	}
+
+	fmt.Fprintln(os.Stderr, "font not valid, using default")
+	return false
+}
--- a/pkg/apis/hauler.cattle.io/convert/convert.go
+++ b/pkg/apis/hauler.cattle.io/convert/convert.go
@@ -0,0 +1,121 @@
+package v1alpha1
+
+import (
+	"fmt"
+
+	v1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
+	v1alpha1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
+)
+
+// converts v1alpha1.Files -> v1.Files
+func ConvertFiles(in *v1alpha1.Files, out *v1.Files) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.Files = make([]v1.File, len(in.Spec.Files))
+	for i := range in.Spec.Files {
+		out.Spec.Files[i].Name = in.Spec.Files[i].Name
+		out.Spec.Files[i].Path = in.Spec.Files[i].Path
+	}
+	return nil
+}
+
+// converts v1alpha1.Images -> v1.Images
+func ConvertImages(in *v1alpha1.Images, out *v1.Images) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.Images = make([]v1.Image, len(in.Spec.Images))
+	for i := range in.Spec.Images {
+		out.Spec.Images[i].Name = in.Spec.Images[i].Name
+		out.Spec.Images[i].Platform = in.Spec.Images[i].Platform
+		out.Spec.Images[i].Key = in.Spec.Images[i].Key
+	}
+	return nil
+}
+
+// converts v1alpha1.Charts -> v1.Charts
+func ConvertCharts(in *v1alpha1.Charts, out *v1.Charts) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.Charts = make([]v1.Chart, len(in.Spec.Charts))
+	for i := range in.Spec.Charts {
+		out.Spec.Charts[i].Name = in.Spec.Charts[i].Name
+		out.Spec.Charts[i].RepoURL = in.Spec.Charts[i].RepoURL
+		out.Spec.Charts[i].Version = in.Spec.Charts[i].Version
+	}
+	return nil
+}
+
+// converts v1alpha1.ThickCharts -> v1.ThickCharts
+func ConvertThickCharts(in *v1alpha1.ThickCharts, out *v1.ThickCharts) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.Charts = make([]v1.ThickChart, len(in.Spec.Charts))
+	for i := range in.Spec.Charts {
+		out.Spec.Charts[i].Chart.Name = in.Spec.Charts[i].Chart.Name
+		out.Spec.Charts[i].Chart.RepoURL = in.Spec.Charts[i].Chart.RepoURL
+		out.Spec.Charts[i].Chart.Version = in.Spec.Charts[i].Chart.Version
+	}
+	return nil
+}
+
+// converts v1alpha1.ImageTxts -> v1.ImageTxts
+func ConvertImageTxts(in *v1alpha1.ImageTxts, out *v1.ImageTxts) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.ImageTxts = make([]v1.ImageTxt, len(in.Spec.ImageTxts))
+	for i := range in.Spec.ImageTxts {
+		out.Spec.ImageTxts[i].Ref = in.Spec.ImageTxts[i].Ref
+		out.Spec.ImageTxts[i].Sources.Include = append(
+			out.Spec.ImageTxts[i].Sources.Include,
+			in.Spec.ImageTxts[i].Sources.Include...,
+		)
+		out.Spec.ImageTxts[i].Sources.Exclude = append(
+			out.Spec.ImageTxts[i].Sources.Exclude,
+			in.Spec.ImageTxts[i].Sources.Exclude...,
+		)
+	}
+	return nil
+}
+
+// convert v1alpha1 object to v1 object
+func ConvertObject(in interface{}) (interface{}, error) {
+	switch src := in.(type) {
+
+	case *v1alpha1.Files:
+		dst := &v1.Files{}
+		if err := ConvertFiles(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+
+	case *v1alpha1.Images:
+		dst := &v1.Images{}
+		if err := ConvertImages(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+
+	case *v1alpha1.Charts:
+		dst := &v1.Charts{}
+		if err := ConvertCharts(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+
+	case *v1alpha1.ThickCharts:
+		dst := &v1.ThickCharts{}
+		if err := ConvertThickCharts(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+
+	case *v1alpha1.ImageTxts:
+		dst := &v1.ImageTxts{}
+		if err := ConvertImageTxts(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+	}
+
+	return nil, fmt.Errorf("unsupported object type [%T]", in)
+}
--- a/pkg/apis/hauler.cattle.io/v1/chart.go
+++ b/pkg/apis/hauler.cattle.io/v1/chart.go
@@ -0,0 +1,42 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Charts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ChartSpec `json:"spec,omitempty"`
+}
+
+type ChartSpec struct {
+	Charts []Chart `json:"charts,omitempty"`
+}
+
+type Chart struct {
+	Name    string `json:"name,omitempty"`
+	RepoURL string `json:"repoURL,omitempty"`
+	Version string `json:"version,omitempty"`
+}
+
+type ThickCharts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ThickChartSpec `json:"spec,omitempty"`
+}
+
+type ThickChartSpec struct {
+	Charts []ThickChart `json:"charts,omitempty"`
+}
+
+type ThickChart struct {
+	Chart       `json:",inline,omitempty"`
+	ExtraImages []ChartImage `json:"extraImages,omitempty"`
+}
+
+type ChartImage struct {
+	Reference string `json:"ref"`
+}
--- a/pkg/apis/hauler.cattle.io/v1/driver.go
+++ b/pkg/apis/hauler.cattle.io/v1/driver.go
@@ -0,0 +1,17 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Driver struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec DriverSpec `json:"spec"`
+}
+
+type DriverSpec struct {
+	Type    string `json:"type"`
+	Version string `json:"version"`
+}
--- a/pkg/apis/hauler.cattle.io/v1/file.go
+++ b/pkg/apis/hauler.cattle.io/v1/file.go
@@ -0,0 +1,25 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Files struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec FileSpec `json:"spec,omitempty"`
+}
+
+type FileSpec struct {
+	Files []File `json:"files,omitempty"`
+}
+
+type File struct {
+	// Path is the path to the file contents, can be a local or remote path
+	Path string `json:"path"`
+
+	// Name is an optional field specifying the name of the file when specified,
+	// 	it will override any dynamic name discovery from Path
+	Name string `json:"name,omitempty"`
+}
--- a/pkg/apis/hauler.cattle.io/v1/groupversion_info.go
+++ b/pkg/apis/hauler.cattle.io/v1/groupversion_info.go
@@ -0,0 +1,12 @@
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+var (
+	ContentGroupVersion    = schema.GroupVersion{Group: consts.ContentGroup, Version: "v1"}
+	CollectionGroupVersion = schema.GroupVersion{Group: consts.CollectionGroup, Version: "v1"}
+)
--- a/pkg/apis/hauler.cattle.io/v1/image.go
+++ b/pkg/apis/hauler.cattle.io/v1/image.go
@@ -0,0 +1,40 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Images struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ImageSpec `json:"spec,omitempty"`
+}
+
+type ImageSpec struct {
+	Images []Image `json:"images,omitempty"`
+}
+
+type Image struct {
+	// Name is the full location for the image, can be referenced by tags or digests
+	Name string `json:"name"`
+
+	// Path is the path to the cosign public key used for verifying image signatures
+	//Key string `json:"key,omitempty"`
+	Key string `json:"key"`
+
+	// Path is the path to the cosign public key used for verifying image signatures
+	//Tlog string `json:"use-tlog-verify,omitempty"`
+	Tlog bool `json:"use-tlog-verify"`
+
+	// cosign keyless validation options
+	CertIdentity                 string `json:"certificate-identity"`
+	CertIdentityRegexp           string `json:"certificate-identity-regexp"`
+	CertOidcIssuer               string `json:"certificate-oidc-issuer"`
+	CertOidcIssuerRegexp         string `json:"certificate-oidc-issuer-regexp"`
+	CertGithubWorkflowRepository string `json:"certificate-github-workflow-repository"`
+
+	// Platform of the image to be pulled.  If not specified, all platforms will be pulled.
+	//Platform string `json:"key,omitempty"`
+	Platform string `json:"platform"`
+}
--- a/pkg/apis/hauler.cattle.io/v1/imagetxt.go
+++ b/pkg/apis/hauler.cattle.io/v1/imagetxt.go
@@ -0,0 +1,26 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type ImageTxts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ImageTxtsSpec `json:"spec,omitempty"`
+}
+
+type ImageTxtsSpec struct {
+	ImageTxts []ImageTxt `json:"imageTxts,omitempty"`
+}
+
+type ImageTxt struct {
+	Ref     string          `json:"ref,omitempty"`
+	Sources ImageTxtSources `json:"sources,omitempty"`
+}
+
+type ImageTxtSources struct {
+	Include []string `json:"include,omitempty"`
+	Exclude []string `json:"exclude,omitempty"`
+}
--- a/pkg/apis/hauler.cattle.io/v1alpha1/chart.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/chart.go
@@ -0,0 +1,42 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Charts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ChartSpec `json:"spec,omitempty"`
+}
+
+type ChartSpec struct {
+	Charts []Chart `json:"charts,omitempty"`
+}
+
+type Chart struct {
+	Name    string `json:"name,omitempty"`
+	RepoURL string `json:"repoURL,omitempty"`
+	Version string `json:"version,omitempty"`
+}
+
+type ThickCharts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ThickChartSpec `json:"spec,omitempty"`
+}
+
+type ThickChartSpec struct {
+	Charts []ThickChart `json:"charts,omitempty"`
+}
+
+type ThickChart struct {
+	Chart       `json:",inline,omitempty"`
+	ExtraImages []ChartImage `json:"extraImages,omitempty"`
+}
+
+type ChartImage struct {
+	Reference string `json:"ref"`
+}
--- a/pkg/apis/hauler.cattle.io/v1alpha1/driver.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/driver.go
@@ -1,91 +1,17 @@
 package v1alpha1

 import (
-	"sigs.k8s.io/cli-utils/pkg/object"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-type Drive interface {
-	Images() ([]string, error)
-	BinURL() string
+type Driver struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`

-	LibPath() string
-	EtcPath() string
-	Config() (*map[string]interface{}, error)
-	SystemObjects() (objs []object.ObjMetadata)
+	Spec DriverSpec `json:"spec"`
 }

-//Driver
-type Driver struct {
+type DriverSpec struct {
 	Type    string `json:"type"`
 	Version string `json:"version"`
 }
-
-////TODO: Don't hardcode this
-//func (k k3s) BinURL() string {
-//	return "https://github.com/k3s-io/k3s/releases/download/v1.21.1%2Bk3s1/k3s"
-//}
-//
-//func (k k3s) PackageImages() ([]string, error) {
-//	//TODO: Replace this with a query to images.txt on release page
-//	return []string{
-//		"docker.io/rancher/coredns-coredns:1.8.3",
-//		"docker.io/rancher/klipper-helm:v0.5.0-build20210505",
-//		"docker.io/rancher/klipper-lb:v0.2.0",
-//		"docker.io/rancher/library-busybox:1.32.1",
-//		"docker.io/rancher/library-traefik:2.4.8",
-//		"docker.io/rancher/local-path-provisioner:v0.0.19",
-//		"docker.io/rancher/metrics-server:v0.3.6",
-//		"docker.io/rancher/pause:3.1",
-//	}, nil
-//}
-//
-//func (k k3s) Config() (*map[string]interface{}, error) {
-//	//	TODO: This should be typed
-//	c := make(map[string]interface{})
-//	c["write-kubeconfig-mode"] = "0644"
-//
-//	//TODO: Add uid or something to ensure this works for multi-node setups
-//	c["node-name"] = "hauler"
-//
-//	return &c, nil
-//}
-//
-//func (k k3s) SystemObjects() (objs []object.ObjMetadata) {
-//	//TODO: Make sure this matches up with specified config disables
-//	for _, dep := range []string{"coredns", "local-path-provisioner", "metrics-server"} {
-//		objMeta, _ := object.CreateObjMetadata("kube-system", dep, schema.GroupKind{Kind: "Deployment", Group: "apps"})
-//		objs = append(objs, objMeta)
-//	}
-//	return objs
-//}
-//
-//func (k k3s) LibPath() string { return "/var/lib/rancher/k3s" }
-//func (k k3s) EtcPath() string { return "/etc/rancher/k3s" }
-//
-////TODO: Implement rke2 as a driver
-//type rke2 struct{}
-//
-//func (r rke2) PackageImages() ([]string, error)                  { return []string{}, nil }
-//func (r rke2) BinURL() string                             { return "" }
-//func (r rke2) LibPath() string                            { return "" }
-//func (r rke2) EtcPath() string                            { return "" }
-//func (r rke2) Config() (*map[string]interface{}, error)   { return nil, nil }
-//func (r rke2) SystemObjects() (objs []object.ObjMetadata) { return objs }
-//
-////NewDriver will return the appropriate driver given a kind, defaults to k3s
-//func NewDriver(kind string) Drive {
-//	var d Drive
-//	switch kind {
-//	case "rke2":
-//		//TODO
-//		d = rke2{}
-//
-//	default:
-//		d = k3s{
-//			dataDir: "/var/lib/rancher/k3s",
-//			etcDir:  "/etc/rancher/k3s",
-//		}
-//	}
-//
-//	return d
-//}
--- a/pkg/apis/hauler.cattle.io/v1alpha1/file.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/file.go
@@ -0,0 +1,25 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Files struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec FileSpec `json:"spec,omitempty"`
+}
+
+type FileSpec struct {
+	Files []File `json:"files,omitempty"`
+}
+
+type File struct {
+	// Path is the path to the file contents, can be a local or remote path
+	Path string `json:"path"`
+
+	// Name is an optional field specifying the name of the file when specified,
+	// 	it will override any dynamic name discovery from Path
+	Name string `json:"name,omitempty"`
+}
--- a/pkg/apis/hauler.cattle.io/v1alpha1/fleet.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/fleet.go
@@ -1,32 +0,0 @@
-package v1alpha1
-
-import (
-	"fmt"
-	"strings"
-)
-
-//Fleet is used as the deployment engine for all things Hauler
-type Fleet struct {
-	//Version of fleet to package and use in deployment
-	Version string `json:"version"`
-}
-
-//TODO: These should be identified from the chart version
-func (f Fleet) Images() ([]string, error) {
-	return []string{
-		fmt.Sprintf("rancher/gitjob:v0.1.15"),
-		fmt.Sprintf("rancher/fleet:%s", f.Version),
-		fmt.Sprintf("rancher/fleet-agent:%s", f.Version),
-	}, nil
-}
-
-func (f Fleet) CRDChart() string {
-	return fmt.Sprintf("https://github.com/rancher/fleet/releases/download/%s/fleet-crd-%s.tgz", f.Version, f.VLess())
-}
-func (f Fleet) Chart() string {
-	return fmt.Sprintf("https://github.com/rancher/fleet/releases/download/%s/fleet-%s.tgz", f.Version, f.VLess())
-}
-
-func (f Fleet) VLess() string {
-	return strings.ReplaceAll(f.Version, "v", "")
-}
--- a/pkg/apis/hauler.cattle.io/v1alpha1/groupversion_info.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/groupversion_info.go
@@ -0,0 +1,12 @@
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+var (
+	ContentGroupVersion    = schema.GroupVersion{Group: consts.ContentGroup, Version: "v1alpha1"}
+	CollectionGroupVersion = schema.GroupVersion{Group: consts.CollectionGroup, Version: "v1alpha1"}
+)
--- a/pkg/apis/hauler.cattle.io/v1alpha1/image.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/image.go
@@ -0,0 +1,40 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Images struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ImageSpec `json:"spec,omitempty"`
+}
+
+type ImageSpec struct {
+	Images []Image `json:"images,omitempty"`
+}
+
+type Image struct {
+	// Name is the full location for the image, can be referenced by tags or digests
+	Name string `json:"name"`
+
+	// Path is the path to the cosign public key used for verifying image signatures
+	//Key string `json:"key,omitempty"`
+	Key string `json:"key"`
+
+	// Path is the path to the cosign public key used for verifying image signatures
+	//Tlog string `json:"use-tlog-verify,omitempty"`
+	Tlog bool `json:"use-tlog-verify"`
+
+	// cosign keyless validation options
+	CertIdentity                 string `json:"certificate-identity"`
+	CertIdentityRegexp           string `json:"certificate-identity-regexp"`
+	CertOidcIssuer               string `json:"certificate-oidc-issuer"`
+	CertOidcIssuerRegexp         string `json:"certificate-oidc-issuer-regexp"`
+	CertGithubWorkflowRepository string `json:"certificate-github-workflow-repository"`
+
+	// Platform of the image to be pulled.  If not specified, all platforms will be pulled.
+	//Platform string `json:"key,omitempty"`
+	Platform string `json:"platform"`
+}
--- a/pkg/apis/hauler.cattle.io/v1alpha1/imagetxt.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/imagetxt.go
@@ -0,0 +1,26 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type ImageTxts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ImageTxtsSpec `json:"spec,omitempty"`
+}
+
+type ImageTxtsSpec struct {
+	ImageTxts []ImageTxt `json:"imageTxts,omitempty"`
+}
+
+type ImageTxt struct {
+	Ref     string          `json:"ref,omitempty"`
+	Sources ImageTxtSources `json:"sources,omitempty"`
+}
+
+type ImageTxtSources struct {
+	Include []string `json:"include,omitempty"`
+	Exclude []string `json:"exclude,omitempty"`
+}
--- a/pkg/apis/hauler.cattle.io/v1alpha1/package.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/package.go
@@ -1,53 +0,0 @@
-package v1alpha1
-
-import (
-	"os"
-	"path/filepath"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/yaml"
-)
-
-const (
-	BundlesDir = "bundles"
-	LayoutDir  = "layout"
-	BinDir     = "bin"
-	ChartDir   = "charts"
-
-	PackageFile = "package.json"
-)
-
-type Package struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec PackageSpec `json:"spec"`
-}
-
-type PackageSpec struct {
-	Fleet Fleet `json:"fleet"`
-
-	Driver Driver `json:"driver"`
-
-	// Paths is the list of directories relative to the working directory contains all resources to be bundled.
-	// path globbing is supported, for example [ "charts/*" ] will match all folders as a subdirectory of charts/
-	// If empty, "/" is the default
-	Paths []string `json:"paths,omitempty"`
-
-	Images []string `json:"images,omitempty"`
-}
-
-//LoadPackageFromDir will load an existing package from a directory on disk, it fails if no PackageFile is found in dir
-func LoadPackageFromDir(path string) (Package, error) {
-	data, err := os.ReadFile(filepath.Join(path, PackageFile))
-	if err != nil {
-		return Package{}, err
-	}
-
-	var p Package
-	if err := yaml.Unmarshal(data, &p); err != nil {
-		return Package{}, err
-	}
-
-	return p, nil
-}
--- a/pkg/archives/archiver.go
+++ b/pkg/archives/archiver.go
@@ -0,0 +1,104 @@
+package archives
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/mholt/archives"
+	"hauler.dev/go/hauler/pkg/log"
+)
+
+// maps to handle compression types
+var CompressionMap = map[string]archives.Compression{
+	"gz":  archives.Gz{},
+	"bz2": archives.Bz2{},
+	"xz":  archives.Xz{},
+	"zst": archives.Zstd{},
+	"lz4": archives.Lz4{},
+	"br":  archives.Brotli{},
+}
+
+// maps to handle archival types
+var ArchivalMap = map[string]archives.Archival{
+	"tar": archives.Tar{},
+	"zip": archives.Zip{},
+}
+
+// check if a path exists
+func isExist(path string) bool {
+	_, statErr := os.Stat(path)
+	return !os.IsNotExist(statErr)
+}
+
+// archives the files in a directory
+// dir: the directory to Archive
+// outfile: the output file
+// compression: the compression to use (gzip, bzip2, etc.)
+// archival: the archival to use (tar, zip, etc.)
+func Archive(ctx context.Context, dir, outfile string, compression archives.Compression, archival archives.Archival) error {
+	l := log.FromContext(ctx)
+	l.Debugf("starting the archival process for [%s]", dir)
+
+	// remove outfile
+	l.Debugf("removing existing output file: [%s]", outfile)
+	if err := os.RemoveAll(outfile); err != nil {
+		errMsg := fmt.Errorf("failed to remove existing output file [%s]: %w", outfile, err)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+
+	if !isExist(dir) {
+		errMsg := fmt.Errorf("directory [%s] does not exist, cannot proceed with archival", dir)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+
+	// map files on disk to their paths in the archive
+	l.Debugf("mapping files in directory [%s]", dir)
+	archiveDirName := filepath.Base(filepath.Clean(dir))
+	if dir == "." {
+		archiveDirName = ""
+	}
+	files, err := archives.FilesFromDisk(context.Background(), nil, map[string]string{
+		dir: archiveDirName,
+	})
+	if err != nil {
+		errMsg := fmt.Errorf("error mapping files from directory [%s]: %w", dir, err)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+	l.Debugf("successfully mapped files for directory [%s]", dir)
+
+	// create the output file we'll write to
+	l.Debugf("creating output file [%s]", outfile)
+	outf, err := os.Create(outfile)
+	if err != nil {
+		errMsg := fmt.Errorf("error creating output file [%s]: %w", outfile, err)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+	defer func() {
+		l.Debugf("closing output file [%s]", outfile)
+		outf.Close()
+	}()
+
+	// define the archive format
+	l.Debugf("defining the archive format: [%T]/[%T]", archival, compression)
+	format := archives.CompressedArchive{
+		Compression: compression,
+		Archival:    archival,
+	}
+
+	// create the archive
+	l.Debugf("starting archive for [%s]", outfile)
+	err = format.Archive(context.Background(), outf, files)
+	if err != nil {
+		errMsg := fmt.Errorf("error during archive creation for output file [%s]: %w", outfile, err)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+	l.Debugf("archive created successfully [%s]", outfile)
+	return nil
+}
--- a/pkg/archives/unarchiver.go
+++ b/pkg/archives/unarchiver.go
@@ -0,0 +1,158 @@
+package archives
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/mholt/archives"
+	"hauler.dev/go/hauler/pkg/log"
+)
+
+const (
+	dirPermissions  = 0o700 // default directory permissions
+	filePermissions = 0o600 // default file permissions
+)
+
+// ensures the path is safely relative to the target directory
+func securePath(basePath, relativePath string) (string, error) {
+	relativePath = filepath.Clean("/" + relativePath)
+	relativePath = strings.TrimPrefix(relativePath, string(os.PathSeparator))
+
+	dstPath := filepath.Join(basePath, relativePath)
+
+	if !strings.HasPrefix(filepath.Clean(dstPath)+string(os.PathSeparator), filepath.Clean(basePath)+string(os.PathSeparator)) {
+		return "", fmt.Errorf("illegal file path: %s", dstPath)
+	}
+	return dstPath, nil
+}
+
+// creates a directory with specified permissions
+func createDirWithPermissions(ctx context.Context, path string, mode os.FileMode) error {
+	l := log.FromContext(ctx)
+	l.Debugf("creating directory [%s]", path)
+	if err := os.MkdirAll(path, mode); err != nil {
+		return fmt.Errorf("failed to mkdir: %w", err)
+	}
+	return nil
+}
+
+// sets permissions to a file or directory
+func setPermissions(path string, mode os.FileMode) error {
+	if err := os.Chmod(path, mode); err != nil {
+		return fmt.Errorf("failed to chmod: %w", err)
+	}
+	return nil
+}
+
+// handles the extraction of a file from the archive.
+func handleFile(ctx context.Context, f archives.FileInfo, dst string) error {
+	l := log.FromContext(ctx)
+	l.Debugf("handling file [%s]", f.NameInArchive)
+
+	// validate and construct the destination path
+	dstPath, pathErr := securePath(dst, f.NameInArchive)
+	if pathErr != nil {
+		return pathErr
+	}
+
+	// ensure the parent directory exists
+	parentDir := filepath.Dir(dstPath)
+	if dirErr := createDirWithPermissions(ctx, parentDir, dirPermissions); dirErr != nil {
+		return dirErr
+	}
+
+	// handle directories
+	if f.IsDir() {
+		// create the directory with permissions from the archive
+		if dirErr := createDirWithPermissions(ctx, dstPath, f.Mode()); dirErr != nil {
+			return fmt.Errorf("failed to create directory: %w", dirErr)
+		}
+		l.Debugf("successfully created directory [%s]", dstPath)
+		return nil
+	}
+
+	// ignore symlinks (or hardlinks)
+	if f.LinkTarget != "" {
+		l.Debugf("skipping symlink [%s] to [%s]", dstPath, f.LinkTarget)
+		return nil
+	}
+
+	// check and handle parent directory permissions
+	originalMode, statErr := os.Stat(parentDir)
+	if statErr != nil {
+		return fmt.Errorf("failed to stat parent directory: %w", statErr)
+	}
+
+	// if parent directory is read only, temporarily make it writable
+	if originalMode.Mode().Perm()&0o200 == 0 {
+		l.Debugf("parent directory is read only... temporarily making it writable [%s]", parentDir)
+		if chmodErr := os.Chmod(parentDir, originalMode.Mode()|0o200); chmodErr != nil {
+			return fmt.Errorf("failed to chmod parent directory: %w", chmodErr)
+		}
+		defer func() {
+			// restore the original permissions after writing
+			if chmodErr := os.Chmod(parentDir, originalMode.Mode()); chmodErr != nil {
+				l.Debugf("failed to restore original permissions for [%s]: %v", parentDir, chmodErr)
+			}
+		}()
+	}
+
+	// handle regular files
+	reader, openErr := f.Open()
+	if openErr != nil {
+		return fmt.Errorf("failed to open file: %w", openErr)
+	}
+	defer reader.Close()
+
+	dstFile, createErr := os.OpenFile(dstPath, os.O_CREATE|os.O_WRONLY, f.Mode())
+	if createErr != nil {
+		return fmt.Errorf("failed to create file: %w", createErr)
+	}
+	defer dstFile.Close()
+
+	if _, copyErr := io.Copy(dstFile, reader); copyErr != nil {
+		return fmt.Errorf("failed to copy: %w", copyErr)
+	}
+	l.Debugf("successfully extracted file [%s]", dstPath)
+	return nil
+}
+
+// unarchives a tarball to a directory, symlinks, and hardlinks are ignored
+func Unarchive(ctx context.Context, tarball, dst string) error {
+	l := log.FromContext(ctx)
+	l.Debugf("unarchiving temporary archive [%s] to temporary store [%s]", tarball, dst)
+	archiveFile, openErr := os.Open(tarball)
+	if openErr != nil {
+		return fmt.Errorf("failed to open tarball %s: %w", tarball, openErr)
+	}
+	defer archiveFile.Close()
+
+	format, input, identifyErr := archives.Identify(context.Background(), tarball, archiveFile)
+	if identifyErr != nil {
+		return fmt.Errorf("failed to identify format: %w", identifyErr)
+	}
+
+	extractor, ok := format.(archives.Extractor)
+	if !ok {
+		return fmt.Errorf("unsupported format for extraction")
+	}
+
+	if dirErr := createDirWithPermissions(ctx, dst, dirPermissions); dirErr != nil {
+		return fmt.Errorf("failed to create destination directory: %w", dirErr)
+	}
+
+	handler := func(ctx context.Context, f archives.FileInfo) error {
+		return handleFile(ctx, f, dst)
+	}
+
+	if extractErr := extractor.Extract(context.Background(), input, handler); extractErr != nil {
+		return fmt.Errorf("failed to extract: %w", extractErr)
+	}
+
+	l.Infof("unarchiving completed successfully")
+	return nil
+}
--- a/pkg/artifacts/config.go
+++ b/pkg/artifacts/config.go
@@ -0,0 +1,92 @@
+package artifacts
+
+import (
+	"bytes"
+	"encoding/json"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/partial"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+var _ partial.Describable = (*marshallableConfig)(nil)
+
+type Config interface {
+	// Raw returns the config bytes
+	Raw() ([]byte, error)
+
+	Digest() (v1.Hash, error)
+
+	MediaType() (types.MediaType, error)
+
+	Size() (int64, error)
+}
+
+type Marshallable interface{}
+
+type ConfigOption func(*marshallableConfig)
+
+// ToConfig takes anything that is marshallabe and converts it into a Config
+func ToConfig(i Marshallable, opts ...ConfigOption) Config {
+	mc := &marshallableConfig{Marshallable: i}
+	for _, o := range opts {
+		o(mc)
+	}
+	return mc
+}
+
+func WithConfigMediaType(mediaType string) ConfigOption {
+	return func(config *marshallableConfig) {
+		config.mediaType = mediaType
+	}
+}
+
+// marshallableConfig implements Config using helper methods
+type marshallableConfig struct {
+	Marshallable
+
+	mediaType string
+}
+
+func (c *marshallableConfig) MediaType() (types.MediaType, error) {
+	mt := c.mediaType
+	if mt == "" {
+		mt = consts.UnknownManifest
+	}
+	return types.MediaType(mt), nil
+}
+
+func (c *marshallableConfig) Raw() ([]byte, error) {
+	return json.Marshal(c.Marshallable)
+}
+
+func (c *marshallableConfig) Digest() (v1.Hash, error) {
+	return Digest(c)
+}
+
+func (c *marshallableConfig) Size() (int64, error) {
+	return Size(c)
+}
+
+type WithRawConfig interface {
+	Raw() ([]byte, error)
+}
+
+func Digest(c WithRawConfig) (v1.Hash, error) {
+	b, err := c.Raw()
+	if err != nil {
+		return v1.Hash{}, err
+	}
+	digest, _, err := v1.SHA256(bytes.NewReader(b))
+	return digest, err
+}
+
+func Size(c WithRawConfig) (int64, error) {
+	b, err := c.Raw()
+	if err != nil {
+		return -1, err
+	}
+	return int64(len(b)), nil
+}
--- a/pkg/artifacts/file/file.go
+++ b/pkg/artifacts/file/file.go
@@ -0,0 +1,116 @@
+package file
+
+import (
+	"context"
+
+	gv1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/partial"
+	gtypes "github.com/google/go-containerregistry/pkg/v1/types"
+
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/getter"
+)
+
+// interface guard
+var _ artifacts.OCI = (*File)(nil)
+
+// File implements the OCI interface for File API objects. API spec information is
+// stored into the Path field.
+type File struct {
+	Path string
+
+	computed    bool
+	client      *getter.Client
+	config      artifacts.Config
+	blob        gv1.Layer
+	manifest    *gv1.Manifest
+	annotations map[string]string
+}
+
+func NewFile(path string, opts ...Option) *File {
+	client := getter.NewClient(getter.ClientOptions{})
+
+	f := &File{
+		client: client,
+		Path:   path,
+	}
+
+	for _, opt := range opts {
+		opt(f)
+	}
+	return f
+}
+
+// Name is the name of the file's reference
+func (f *File) Name(path string) string {
+	return f.client.Name(path)
+}
+
+func (f *File) MediaType() string {
+	return consts.OCIManifestSchema1
+}
+
+func (f *File) RawConfig() ([]byte, error) {
+	if err := f.compute(); err != nil {
+		return nil, err
+	}
+	return f.config.Raw()
+}
+
+func (f *File) Layers() ([]gv1.Layer, error) {
+	if err := f.compute(); err != nil {
+		return nil, err
+	}
+	var layers []gv1.Layer
+	layers = append(layers, f.blob)
+	return layers, nil
+}
+
+func (f *File) Manifest() (*gv1.Manifest, error) {
+	if err := f.compute(); err != nil {
+		return nil, err
+	}
+	return f.manifest, nil
+}
+
+func (f *File) compute() error {
+	if f.computed {
+		return nil
+	}
+
+	ctx := context.TODO()
+	blob, err := f.client.LayerFrom(ctx, f.Path)
+	if err != nil {
+		return err
+	}
+
+	layer, err := partial.Descriptor(blob)
+	if err != nil {
+		return err
+	}
+
+	cfg := f.client.Config(f.Path)
+	if cfg == nil {
+		cfg = f.client.Config(f.Path)
+	}
+
+	cfgDesc, err := partial.Descriptor(cfg)
+	if err != nil {
+		return err
+	}
+
+	m := &gv1.Manifest{
+		SchemaVersion: 2,
+		MediaType:     gtypes.MediaType(f.MediaType()),
+		Config:        *cfgDesc,
+		Layers:        []gv1.Descriptor{*layer},
+		Annotations:   f.annotations,
+	}
+
+	f.manifest = m
+	f.config = cfg
+	f.blob = blob
+	f.computed = true
+	return nil
+}
--- a/pkg/artifacts/file/file_test.go
+++ b/pkg/artifacts/file/file_test.go
@@ -0,0 +1,166 @@
+package file_test
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/spf13/afero"
+
+	"hauler.dev/go/hauler/pkg/artifacts/file"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/getter"
+)
+
+var (
+	filename = "myfile.yaml"
+	data     = []byte(`data`)
+
+	ts  *httptest.Server
+	tfs afero.Fs
+	mc  *getter.Client
+)
+
+func TestMain(m *testing.M) {
+	teardown := setup()
+	defer teardown()
+	code := m.Run()
+	os.Exit(code)
+}
+
+func Test_file_Config(t *testing.T) {
+	tests := []struct {
+		name    string
+		ref     string
+		want    string
+		wantErr bool
+	}{
+		{
+			name:    "should properly type local file",
+			ref:     filename,
+			want:    consts.FileLocalConfigMediaType,
+			wantErr: false,
+		},
+		{
+			name:    "should properly type remote file",
+			ref:     ts.URL + "/" + filename,
+			want:    consts.FileHttpConfigMediaType,
+			wantErr: false,
+		},
+		// TODO: Add directory test
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			f := file.NewFile(tt.ref, file.WithClient(mc))
+
+			f.MediaType()
+
+			m, err := f.Manifest()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			got := string(m.Config.MediaType)
+			if got != tt.want {
+				t.Errorf("unxpected mediatype; got %s, want %s", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_file_Layers(t *testing.T) {
+	tests := []struct {
+		name    string
+		ref     string
+		want    []byte
+		wantErr bool
+	}{
+		{
+			name:    "should load a local file and preserve contents",
+			ref:     filename,
+			want:    data,
+			wantErr: false,
+		},
+		{
+			name:    "should load a remote file and preserve contents",
+			ref:     ts.URL + "/" + filename,
+			want:    data,
+			wantErr: false,
+		},
+		// TODO: Add directory test
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(it *testing.T) {
+			f := file.NewFile(tt.ref, file.WithClient(mc))
+
+			layers, err := f.Layers()
+			if (err != nil) != tt.wantErr {
+				it.Fatalf("unexpected Layers() error: got %v, want %v", err, tt.wantErr)
+			}
+
+			rc, err := layers[0].Compressed()
+			if err != nil {
+				it.Fatal(err)
+			}
+
+			got, err := io.ReadAll(rc)
+			if err != nil {
+				it.Fatal(err)
+			}
+
+			if !bytes.Equal(got, tt.want) {
+				it.Fatalf("unexpected Layers(): got %v, want %v", layers, tt.want)
+			}
+		})
+	}
+}
+
+func setup() func() {
+	tfs = afero.NewMemMapFs()
+	afero.WriteFile(tfs, filename, data, 0644)
+
+	mf := &mockFile{File: getter.NewFile(), fs: tfs}
+
+	mockHttp := getter.NewHttp()
+	mhttp := afero.NewHttpFs(tfs)
+	fileserver := http.FileServer(mhttp.Dir("."))
+	http.Handle("/", fileserver)
+	ts = httptest.NewServer(fileserver)
+
+	mc = &getter.Client{
+		Options: getter.ClientOptions{},
+		Getters: map[string]getter.Getter{
+			"file": mf,
+			"http": mockHttp,
+		},
+	}
+
+	teardown := func() {
+		defer ts.Close()
+	}
+
+	return teardown
+}
+
+type mockFile struct {
+	*getter.File
+	fs afero.Fs
+}
+
+func (m mockFile) Open(ctx context.Context, u *url.URL) (io.ReadCloser, error) {
+	return m.fs.Open(filepath.Join(u.Host, u.Path))
+}
+
+func (m mockFile) Detect(u *url.URL) bool {
+	fi, err := m.fs.Stat(filepath.Join(u.Host, u.Path))
+	if err != nil {
+		return false
+	}
+	return !fi.IsDir()
+}
--- a/pkg/artifacts/file/options.go
+++ b/pkg/artifacts/file/options.go
@@ -0,0 +1,26 @@
+package file
+
+import (
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/getter"
+)
+
+type Option func(*File)
+
+func WithClient(c *getter.Client) Option {
+	return func(f *File) {
+		f.client = c
+	}
+}
+
+func WithConfig(obj interface{}, mediaType string) Option {
+	return func(f *File) {
+		f.config = artifacts.ToConfig(obj, artifacts.WithConfigMediaType(mediaType))
+	}
+}
+
+func WithAnnotations(m map[string]string) Option {
+	return func(f *File) {
+		f.annotations = m
+	}
+}
--- a/pkg/artifacts/image/image.go
+++ b/pkg/artifacts/image/image.go
@@ -0,0 +1,80 @@
+package image
+
+import (
+	"fmt"
+	"github.com/google/go-containerregistry/pkg/authn"
+	gname "github.com/google/go-containerregistry/pkg/name"
+	gv1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+
+	"hauler.dev/go/hauler/pkg/artifacts"
+)
+
+var _ artifacts.OCI = (*Image)(nil)
+
+func (i *Image) MediaType() string {
+	mt, err := i.Image.MediaType()
+	if err != nil {
+		return ""
+	}
+	return string(mt)
+}
+
+func (i *Image) RawConfig() ([]byte, error) {
+	return i.RawConfigFile()
+}
+
+// Image implements the OCI interface for Image API objects. API spec information
+// is stored into the Name field.
+type Image struct {
+	Name string
+	gv1.Image
+}
+
+func NewImage(name string, opts ...remote.Option) (*Image, error) {
+	r, err := gname.ParseReference(name)
+	if err != nil {
+		return nil, err
+	}
+
+	defaultOpts := []remote.Option{
+		remote.WithAuthFromKeychain(authn.DefaultKeychain),
+	}
+	opts = append(opts, defaultOpts...)
+
+	img, err := remote.Image(r, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Image{
+		Name:  name,
+		Image: img,
+	}, nil
+}
+
+func IsMultiArchImage(name string, opts ...remote.Option) (bool, error) {
+	ref, err := gname.ParseReference(name)
+	if err != nil {
+		return false, fmt.Errorf("parsing reference %q: %v", name, err)
+	}
+
+	defaultOpts := []remote.Option{
+		remote.WithAuthFromKeychain(authn.DefaultKeychain),
+	}
+	opts = append(opts, defaultOpts...)
+
+	desc, err := remote.Get(ref, opts...)
+	if err != nil {
+		return false, fmt.Errorf("getting image %q: %v", name, err)
+	}
+
+	_, err = desc.ImageIndex()
+	if err != nil {
+		// If the descriptor could not be converted to an image index, it's not a multi-arch image
+		return false, nil
+	}
+
+	// If the descriptor could be converted to an image index, it's a multi-arch image
+	return true, nil
+}
--- a/pkg/artifacts/image/image_test.go
+++ b/pkg/artifacts/image/image_test.go
@@ -0,0 +1 @@
+package image_test
--- a/pkg/artifacts/memory/memory.go
+++ b/pkg/artifacts/memory/memory.go
@@ -0,0 +1,78 @@
+package memory
+
+import (
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/partial"
+	"github.com/google/go-containerregistry/pkg/v1/static"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+var _ artifacts.OCI = (*Memory)(nil)
+
+// Memory implements the OCI interface for a generic set of bytes stored in memory.
+type Memory struct {
+	blob        v1.Layer
+	annotations map[string]string
+	config      artifacts.Config
+}
+
+type defaultConfig struct {
+	MediaType string `json:"mediaType,omitempty"`
+}
+
+func NewMemory(data []byte, mt string, opts ...Option) *Memory {
+	blob := static.NewLayer(data, types.MediaType(mt))
+
+	cfg := defaultConfig{MediaType: consts.MemoryConfigMediaType}
+	m := &Memory{
+		blob:   blob,
+		config: artifacts.ToConfig(cfg),
+	}
+
+	for _, opt := range opts {
+		opt(m)
+	}
+	return m
+}
+
+func (m *Memory) MediaType() string {
+	return consts.OCIManifestSchema1
+}
+
+func (m *Memory) Manifest() (*v1.Manifest, error) {
+	layer, err := partial.Descriptor(m.blob)
+	if err != nil {
+		return nil, err
+	}
+
+	cfgDesc, err := partial.Descriptor(m.config)
+	if err != nil {
+		return nil, err
+	}
+
+	manifest := &v1.Manifest{
+		SchemaVersion: 2,
+		MediaType:     types.MediaType(m.MediaType()),
+		Config:        *cfgDesc,
+		Layers:        []v1.Descriptor{*layer},
+		Annotations:   m.annotations,
+	}
+
+	return manifest, nil
+}
+
+func (m *Memory) RawConfig() ([]byte, error) {
+	if m.config == nil {
+		return []byte(`{}`), nil
+	}
+	return m.config.Raw()
+}
+
+func (m *Memory) Layers() ([]v1.Layer, error) {
+	var layers []v1.Layer
+	layers = append(layers, m.blob)
+	return layers, nil
+}
--- a/pkg/artifacts/memory/memory_test.go
+++ b/pkg/artifacts/memory/memory_test.go
@@ -0,0 +1,61 @@
+package memory_test
+
+import (
+	"math/rand"
+	"testing"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/opencontainers/go-digest"
+
+	"hauler.dev/go/hauler/pkg/artifacts/memory"
+)
+
+func TestMemory_Layers(t *testing.T) {
+	tests := []struct {
+		name    string
+		want    *v1.Manifest
+		wantErr bool
+	}{
+		{
+			name:    "should preserve content",
+			want:    nil,
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			data, m := setup(t)
+
+			layers, err := m.Layers()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if len(layers) != 1 {
+				t.Fatalf("Expected 1 layer, got %d", len(layers))
+			}
+
+			h, err := layers[0].Digest()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			d := digest.FromBytes(data)
+
+			if d.String() != h.String() {
+				t.Fatalf("bytes do not match, got %s, expected %s", h.String(), d.String())
+			}
+		})
+	}
+}
+
+func setup(t *testing.T) ([]byte, *memory.Memory) {
+	block := make([]byte, 2048)
+	_, err := rand.Read(block)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mem := memory.NewMemory(block, "random")
+	return block, mem
+}
--- a/pkg/artifacts/memory/options.go
+++ b/pkg/artifacts/memory/options.go
@@ -0,0 +1,17 @@
+package memory
+
+import "hauler.dev/go/hauler/pkg/artifacts"
+
+type Option func(*Memory)
+
+func WithConfig(obj interface{}, mediaType string) Option {
+	return func(m *Memory) {
+		m.config = artifacts.ToConfig(obj, artifacts.WithConfigMediaType(mediaType))
+	}
+}
+
+func WithAnnotations(annotations map[string]string) Option {
+	return func(m *Memory) {
+		m.annotations = annotations
+	}
+}
--- a/pkg/artifacts/ocis.go
+++ b/pkg/artifacts/ocis.go
@@ -0,0 +1,22 @@
+package artifacts
+
+import "github.com/google/go-containerregistry/pkg/v1"
+
+// OCI is the bare minimum we need to represent an artifact in an oci layout
+//
+//	At a high level, it is not constrained by an Image's config, manifests, and layer ordinality
+//	This specific implementation fully encapsulates v1.Layer's within a more generic form
+type OCI interface {
+	MediaType() string
+
+	Manifest() (*v1.Manifest, error)
+
+	RawConfig() ([]byte, error)
+
+	Layers() ([]v1.Layer, error)
+}
+
+type OCICollection interface {
+	// Contents returns the list of contents in the collection
+	Contents() (map[string]OCI, error)
+}
--- a/pkg/bootstrap/booter.go
+++ b/pkg/bootstrap/booter.go
@@ -1,180 +0,0 @@
-package bootstrap
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"github.com/google/go-containerregistry/pkg/v1/tarball"
-	"github.com/otiai10/copy"
-	"github.com/rancherfederal/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
-	"github.com/rancherfederal/hauler/pkg/driver"
-	"github.com/rancherfederal/hauler/pkg/fs"
-	"github.com/rancherfederal/hauler/pkg/log"
-	"helm.sh/helm/v3/pkg/chart/loader"
-	"io"
-	"os"
-	"path/filepath"
-)
-
-type Booter interface {
-	Init() error
-	PreBoot(context.Context) error
-	Boot(context.Context, driver.Driver) error
-	PostBoot(context.Context, driver.Driver) error
-}
-
-type booter struct {
-	Package v1alpha1.Package
-	fs      fs.PkgFs
-
-	logger log.Logger
-}
-
-//NewBooter will build a new booter given a path to a directory containing a hauler package.json
-func NewBooter(pkgPath string, logger log.Logger) (*booter, error) {
-	pkg, err := v1alpha1.LoadPackageFromDir(pkgPath)
-	if err != nil {
-		return nil, err
-	}
-
-	fsys := fs.NewPkgFS(pkgPath)
-
-	return &booter{
-		Package: pkg,
-		fs:      fsys,
-		logger:  logger,
-	}, nil
-}
-
-func (b booter) PreBoot(ctx context.Context, d driver.Driver) error {
-	b.logger.Infof("Beginning pre boot")
-
-	//TODO: Feel like there's a better way to do all this dir creation
-
-	if err := os.MkdirAll(d.DataPath(), os.ModePerm); err != nil {
-		return err
-	}
-
-	if err := b.moveBin(); err != nil {
-		return err
-	}
-
-	if err := b.moveImages(d); err != nil {
-		return err
-	}
-
-	if err := b.moveBundles(d); err != nil {
-		return err
-	}
-
-	if err := b.moveCharts(d); err != nil {
-		return err
-	}
-
-	b.logger.Debugf("Writing %s config", d.Name())
-	if err := d.WriteConfig(); err != nil {
-		return err
-	}
-
-	b.logger.Successf("Completed pre boot")
-	return nil
-}
-
-func (b booter) Boot(ctx context.Context, d driver.Driver) error {
-	b.logger.Infof("Beginning boot")
-
-	var stdoutBuf, stderrBuf bytes.Buffer
-	out := io.MultiWriter(os.Stdout, &stdoutBuf, &stderrBuf)
-
-	err := d.Start(out)
-	if err != nil {
-		return err
-	}
-
-	b.logger.Infof("Waiting for driver core components to provision...")
-	waitErr := waitForDriver(ctx, d)
-	if waitErr != nil {
-		return err
-	}
-
-	b.logger.Successf("Completed boot")
-	return nil
-}
-
-func (b booter) PostBoot(ctx context.Context, d driver.Driver) error {
-	b.logger.Infof("Beginning post boot")
-
-	cf := NewBootConfig("fleet-system", d.KubeConfigPath())
-
-	fleetCrdChartPath := b.fs.Chart().Path(fmt.Sprintf("fleet-crd-%s.tgz", b.Package.Spec.Fleet.VLess()))
-	fleetCrdChart, err := loader.Load(fleetCrdChartPath)
-	if err != nil {
-		return err
-	}
-
-	b.logger.Infof("Installing fleet crds")
-	fleetCrdRelease, fleetCrdErr := installChart(cf, fleetCrdChart, "fleet-crd", nil, b.logger)
-	if fleetCrdErr != nil {
-		return fleetCrdErr
-	}
-
-	b.logger.Infof("Installed '%s' to namespace '%s'", fleetCrdRelease.Name, fleetCrdRelease.Namespace)
-
-	fleetChartPath := b.fs.Chart().Path(fmt.Sprintf("fleet-%s.tgz", b.Package.Spec.Fleet.VLess()))
-	fleetChart, err := loader.Load(fleetChartPath)
-	if err != nil {
-		return err
-	}
-
-	b.logger.Infof("Installing fleet")
-	fleetRelease, fleetErr := installChart(cf, fleetChart, "fleet", nil, b.logger)
-	if fleetErr != nil {
-		return fleetErr
-	}
-
-	b.logger.Infof("Installed '%s' to namespace '%s'", fleetRelease.Name, fleetRelease.Namespace)
-
-	b.logger.Successf("Completed post boot")
-	return nil
-}
-
-//TODO: Move* will actually just copy. This is more expensive, but is much safer/easier at handling deep merges, should this change?
-func (b booter) moveBin() error {
-	path := filepath.Join("/opt/hauler/bin")
-	if err := os.MkdirAll(path, os.ModePerm); err != nil {
-		return err
-	}
-
-	return copy.Copy(b.fs.Bin().Path(), path)
-}
-
-func (b booter) moveImages(d driver.Driver) error {
-	//NOTE: archives are not recursively searched, this _must_ be at the images dir
-	path := d.DataPath("agent/images")
-	if err := os.MkdirAll(path, 0700); err != nil {
-		return err
-	}
-
-	refs, err := b.fs.MapLayout()
-	if err != nil {
-		return err
-	}
-
-	return tarball.MultiRefWriteToFile(filepath.Join(path, "hauler.tar"), refs)
-}
-
-func (b booter) moveBundles(d driver.Driver) error {
-	path := d.DataPath("server/manifests/hauler")
-	if err := os.MkdirAll(path, 0700); err != nil {
-		return err
-	}
-	return copy.Copy(b.fs.Bundle().Path(), path)
-}
-
-func (b booter) moveCharts(d driver.Driver) error {
-	path := d.DataPath("server/static/charts/hauler")
-	if err := os.MkdirAll(path, 0700); err != nil {
-		return err
-	}
-	return copy.Copy(b.fs.Chart().Path(), path)
-}
--- a/pkg/bootstrap/config.go
+++ b/pkg/bootstrap/config.go
@@ -1,29 +0,0 @@
-package bootstrap
-
-import (
-	"k8s.io/cli-runtime/pkg/genericclioptions"
-)
-
-type BootSettings struct {
-	config     *genericclioptions.ConfigFlags
-	Namespace  string
-	KubeConfig string
-}
-
-func NewBootConfig(ns, kubepath string) *BootSettings {
-	env := &BootSettings{
-		Namespace:  ns,
-		KubeConfig: kubepath,
-	}
-
-	env.config = &genericclioptions.ConfigFlags{
-		Namespace:  &env.Namespace,
-		KubeConfig: &env.KubeConfig,
-	}
-	return env
-}
-
-// RESTClientGetter gets the kubeconfig from BootSettings
-func (s *BootSettings) RESTClientGetter() genericclioptions.RESTClientGetter {
-	return s.config
-}
--- a/pkg/bootstrap/config_test.go
+++ b/pkg/bootstrap/config_test.go
@@ -1,20 +0,0 @@
-package bootstrap
-
-import (
-	"testing"
-)
-
-func TestBootSettings(t *testing.T) {
-
-	ns := "test"
-	kpath := "somepath"
-
-	settings := NewBootConfig(ns, kpath)
-
-	if settings.Namespace != ns {
-		t.Errorf("expected namespace %q, got %q", ns, settings.Namespace)
-	}
-	if settings.KubeConfig != kpath {
-		t.Errorf("expected kube-config %q, got %q", kpath, settings.KubeConfig)
-	}
-}
--- a/pkg/bootstrap/kube.go
+++ b/pkg/bootstrap/kube.go
@@ -1,63 +0,0 @@
-package bootstrap
-
-import (
-	"context"
-	"errors"
-	"github.com/rancherfederal/hauler/pkg/driver"
-	"github.com/rancherfederal/hauler/pkg/kube"
-	"github.com/rancherfederal/hauler/pkg/log"
-	"helm.sh/helm/v3/pkg/action"
-	"helm.sh/helm/v3/pkg/chart"
-	"helm.sh/helm/v3/pkg/release"
-	"os"
-	"time"
-)
-
-func waitForDriver(ctx context.Context, d driver.Driver) error {
-	ctx, cancel := context.WithTimeout(ctx, 2*time.Minute)
-	defer cancel()
-
-	//TODO: This is a janky way of waiting for file to exist
-	for {
-		_, err := os.Stat(d.KubeConfigPath())
-		if err == nil {
-			break
-		}
-
-		if ctx.Err() == context.DeadlineExceeded {
-			return errors.New("timed out waiting for driver to provision")
-		}
-
-		time.Sleep(1 * time.Second)
-	}
-
-	cfg, err := kube.NewKubeConfig()
-	if err != nil {
-		return err
-	}
-
-	sc, err := kube.NewStatusChecker(cfg, 5*time.Second, 5*time.Minute)
-	if err != nil {
-		return err
-	}
-
-	return sc.WaitForCondition(d.SystemObjects()...)
-}
-
-//TODO: This is likely way too fleet specific
-func installChart(cf *BootSettings, chart *chart.Chart, releaseName string, vals map[string]interface{}, logger log.Logger) (*release.Release, error) {
-	actionConfig := new(action.Configuration)
-	if err := actionConfig.Init(cf.RESTClientGetter(), cf.Namespace, os.Getenv("HELM_DRIVER"), logger.Debugf); err != nil {
-		return nil, err
-	}
-
-	client := action.NewInstall(actionConfig)
-	client.ReleaseName = releaseName
-	client.CreateNamespace = true
-	client.Wait = true
-
-	//TODO: Do this better
-	client.Namespace = cf.Namespace
-
-	return client.Run(chart, vals)
-}
--- a/pkg/collection/chart/chart.go
+++ b/pkg/collection/chart/chart.go
@@ -0,0 +1,107 @@
+package chart
+
+import (
+	"helm.sh/helm/v3/pkg/action"
+
+	"hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/artifacts/image"
+	"hauler.dev/go/hauler/pkg/content/chart"
+	"hauler.dev/go/hauler/pkg/reference"
+)
+
+var _ artifacts.OCICollection = (*tchart)(nil)
+
+// tchart is a thick chart that includes all the dependent images as well as the chart itself
+type tchart struct {
+	chart  *chart.Chart
+	config v1.ThickChart
+
+	computed bool
+	contents map[string]artifacts.OCI
+}
+
+func NewThickChart(cfg v1.ThickChart, opts *action.ChartPathOptions) (artifacts.OCICollection, error) {
+	o, err := chart.NewChart(cfg.Chart.Name, opts)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tchart{
+		chart:    o,
+		config:   cfg,
+		contents: make(map[string]artifacts.OCI),
+	}, nil
+}
+
+func (c *tchart) Contents() (map[string]artifacts.OCI, error) {
+	if err := c.compute(); err != nil {
+		return nil, err
+	}
+	return c.contents, nil
+}
+
+func (c *tchart) compute() error {
+	if c.computed {
+		return nil
+	}
+
+	if err := c.dependentImages(); err != nil {
+		return err
+	}
+	if err := c.chartContents(); err != nil {
+		return err
+	}
+	if err := c.extraImages(); err != nil {
+		return err
+	}
+
+	c.computed = true
+	return nil
+}
+
+func (c *tchart) chartContents() error {
+	ch, err := c.chart.Load()
+	if err != nil {
+		return err
+	}
+
+	ref, err := reference.NewTagged(ch.Name(), ch.Metadata.Version)
+	if err != nil {
+		return err
+	}
+	c.contents[ref.Name()] = c.chart
+	return nil
+}
+
+func (c *tchart) dependentImages() error {
+	ch, err := c.chart.Load()
+	if err != nil {
+		return err
+	}
+
+	imgs, err := ImagesInChart(ch)
+	if err != nil {
+		return err
+	}
+
+	for _, img := range imgs.Spec.Images {
+		i, err := image.NewImage(img.Name)
+		if err != nil {
+			return err
+		}
+		c.contents[img.Name] = i
+	}
+	return nil
+}
+
+func (c *tchart) extraImages() error {
+	for _, img := range c.config.ExtraImages {
+		i, err := image.NewImage(img.Reference)
+		if err != nil {
+			return err
+		}
+		c.contents[img.Reference] = i
+	}
+	return nil
+}
--- a/pkg/collection/chart/dependents.go
+++ b/pkg/collection/chart/dependents.go
@@ -0,0 +1,129 @@
+package chart
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"strings"
+
+	"helm.sh/helm/v3/pkg/action"
+	helmchart "helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/kube/fake"
+	"helm.sh/helm/v3/pkg/storage"
+	"helm.sh/helm/v3/pkg/storage/driver"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/client-go/util/jsonpath"
+
+	"hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
+)
+
+var defaultKnownImagePaths = []string{
+	// Deployments & DaemonSets
+	"{.spec.template.spec.initContainers[*].image}",
+	"{.spec.template.spec.containers[*].image}",
+
+	// Pods
+	"{.spec.initContainers[*].image}",
+	"{.spec.containers[*].image}",
+}
+
+// ImagesInChart will render a chart and identify all dependent images from it
+func ImagesInChart(c *helmchart.Chart) (v1.Images, error) {
+	docs, err := template(c)
+	if err != nil {
+		return v1.Images{}, err
+	}
+
+	var images []v1.Image
+	reader := yaml.NewYAMLReader(bufio.NewReader(strings.NewReader(docs)))
+	for {
+		raw, err := reader.Read()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return v1.Images{}, err
+		}
+
+		found := find(raw, defaultKnownImagePaths...)
+		for _, f := range found {
+			images = append(images, v1.Image{Name: f})
+		}
+	}
+
+	ims := v1.Images{
+		Spec: v1.ImageSpec{
+			Images: images,
+		},
+	}
+	return ims, nil
+}
+
+func template(c *helmchart.Chart) (string, error) {
+	s := storage.Init(driver.NewMemory())
+
+	templateCfg := &action.Configuration{
+		RESTClientGetter: nil,
+		Releases:         s,
+		KubeClient:       &fake.PrintingKubeClient{Out: io.Discard},
+		Capabilities:     chartutil.DefaultCapabilities,
+		Log:              func(format string, v ...interface{}) {},
+	}
+
+	// TODO: Do we need values if we're claiming this is best effort image detection?
+	//       Justification being: if users are relying on us to get images from their values, they could just add images to the []ImagesInChart spec of the Store api
+	vals := make(map[string]interface{})
+
+	client := action.NewInstall(templateCfg)
+	client.ReleaseName = "dry"
+	client.DryRun = true
+	client.Replace = true
+	client.ClientOnly = true
+	client.IncludeCRDs = true
+
+	release, err := client.Run(c, vals)
+	if err != nil {
+		return "", err
+	}
+
+	return release.Manifest, nil
+}
+
+func find(data []byte, paths ...string) []string {
+	var (
+		pathMatches []string
+		obj         interface{}
+	)
+
+	if err := yaml.Unmarshal(data, &obj); err != nil {
+		return nil
+	}
+	j := jsonpath.New("")
+	j.AllowMissingKeys(true)
+
+	for _, p := range paths {
+		r, err := parseJSONPath(obj, j, p)
+		if err != nil {
+			continue
+		}
+
+		pathMatches = append(pathMatches, r...)
+	}
+	return pathMatches
+}
+
+func parseJSONPath(data interface{}, parser *jsonpath.JSONPath, template string) ([]string, error) {
+	buf := new(bytes.Buffer)
+	if err := parser.Parse(template); err != nil {
+		return nil, err
+	}
+
+	if err := parser.Execute(buf, data); err != nil {
+		return nil, err
+	}
+
+	f := func(s rune) bool { return s == ' ' }
+	r := strings.FieldsFunc(buf.String(), f)
+	return r, nil
+}
--- a/pkg/collection/imagetxt/imagetxt.go
+++ b/pkg/collection/imagetxt/imagetxt.go
@@ -0,0 +1,232 @@
+package imagetxt
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/google/go-containerregistry/pkg/name"
+
+	artifact "hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/artifacts/image"
+	"hauler.dev/go/hauler/pkg/getter"
+	"hauler.dev/go/hauler/pkg/log"
+)
+
+type ImageTxt struct {
+	Ref            string
+	IncludeSources map[string]bool
+	ExcludeSources map[string]bool
+
+	lock     *sync.Mutex
+	client   *getter.Client
+	computed bool
+	contents map[string]artifact.OCI
+}
+
+var _ artifact.OCICollection = (*ImageTxt)(nil)
+
+type Option interface {
+	Apply(*ImageTxt) error
+}
+
+type withIncludeSources []string
+
+func (o withIncludeSources) Apply(it *ImageTxt) error {
+	if it.IncludeSources == nil {
+		it.IncludeSources = make(map[string]bool)
+	}
+	for _, s := range o {
+		it.IncludeSources[s] = true
+	}
+	return nil
+}
+
+func WithIncludeSources(include ...string) Option {
+	return withIncludeSources(include)
+}
+
+type withExcludeSources []string
+
+func (o withExcludeSources) Apply(it *ImageTxt) error {
+	if it.ExcludeSources == nil {
+		it.ExcludeSources = make(map[string]bool)
+	}
+	for _, s := range o {
+		it.ExcludeSources[s] = true
+	}
+	return nil
+}
+
+func WithExcludeSources(exclude ...string) Option {
+	return withExcludeSources(exclude)
+}
+
+func New(ref string, opts ...Option) (*ImageTxt, error) {
+	it := &ImageTxt{
+		Ref: ref,
+
+		client: getter.NewClient(getter.ClientOptions{}),
+		lock:   &sync.Mutex{},
+	}
+
+	for i, o := range opts {
+		if err := o.Apply(it); err != nil {
+			return nil, fmt.Errorf("invalid option %d: %v", i, err)
+		}
+	}
+
+	return it, nil
+}
+
+func (it *ImageTxt) Contents() (map[string]artifact.OCI, error) {
+	it.lock.Lock()
+	defer it.lock.Unlock()
+	if !it.computed {
+		if err := it.compute(); err != nil {
+			return nil, fmt.Errorf("compute OCI layout: %v", err)
+		}
+		it.computed = true
+	}
+	return it.contents, nil
+}
+
+func (it *ImageTxt) compute() error {
+	// TODO - pass in logger from context
+	l := log.NewLogger(os.Stdout)
+
+	it.contents = make(map[string]artifact.OCI)
+
+	ctx := context.TODO()
+
+	rc, err := it.client.ContentFrom(ctx, it.Ref)
+	if err != nil {
+		return fmt.Errorf("fetch image.txt ref %s: %w", it.Ref, err)
+	}
+	defer rc.Close()
+
+	entries, err := splitImagesTxt(rc)
+	if err != nil {
+		return fmt.Errorf("parse image.txt ref %s: %v", it.Ref, err)
+	}
+
+	foundSources := make(map[string]bool)
+	for _, e := range entries {
+		for s := range e.Sources {
+			foundSources[s] = true
+		}
+	}
+
+	var pullAll bool
+	targetSources := make(map[string]bool)
+
+	if len(foundSources) == 0 || (len(it.IncludeSources) == 0 && len(it.ExcludeSources) == 0) {
+		// pull all found images
+		pullAll = true
+
+		if len(foundSources) == 0 {
+			l.Infof("image txt file appears to have no sources; pulling all found images")
+			if len(it.IncludeSources) != 0 || len(it.ExcludeSources) != 0 {
+				l.Warnf("ImageTxt provided include or exclude sources; ignoring")
+			}
+		} else if len(it.IncludeSources) == 0 && len(it.ExcludeSources) == 0 {
+			l.Infof("image-sources txt file not filtered; pulling all found images")
+		}
+	} else {
+		// determine sources to pull
+		if len(it.IncludeSources) != 0 && len(it.ExcludeSources) != 0 {
+			l.Warnf("ImageTxt provided include and exclude sources; using only include sources")
+		}
+
+		if len(it.IncludeSources) != 0 {
+			targetSources = it.IncludeSources
+		} else {
+			for s := range foundSources {
+				targetSources[s] = true
+			}
+			for s := range it.ExcludeSources {
+				delete(targetSources, s)
+			}
+		}
+		var targetSourcesArr []string
+		for s := range targetSources {
+			targetSourcesArr = append(targetSourcesArr, s)
+		}
+		l.Infof("pulling images covering sources %s", strings.Join(targetSourcesArr, ", "))
+	}
+
+	for _, e := range entries {
+		var matchesSourceFilter bool
+		if pullAll {
+			l.Infof("pulling image %s", e.Reference)
+		} else {
+			for s := range e.Sources {
+				if targetSources[s] {
+					matchesSourceFilter = true
+					l.Infof("pulling image %s (matched source %s)", e.Reference, s)
+					break
+				}
+			}
+		}
+
+		if pullAll || matchesSourceFilter {
+			curImage, err := image.NewImage(e.Reference.String())
+			if err != nil {
+				return fmt.Errorf("pull image %s: %v", e.Reference, err)
+			}
+			it.contents[e.Reference.String()] = curImage
+		}
+	}
+
+	return nil
+}
+
+type imageTxtEntry struct {
+	Reference name.Reference
+	Sources   map[string]bool
+}
+
+func splitImagesTxt(r io.Reader) ([]imageTxtEntry, error) {
+	var entries []imageTxtEntry
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		curEntry := imageTxtEntry{
+			Sources: make(map[string]bool),
+		}
+
+		lineContent := scanner.Text()
+		if lineContent == "" || strings.HasPrefix(lineContent, "#") {
+			// skip past empty and commented lines
+			continue
+		}
+		splitContent := strings.Split(lineContent, " ")
+		if len(splitContent) > 2 {
+			return nil, fmt.Errorf(
+				"invalid image.txt format: must contain only an image reference and sources separated by space; invalid line: %q",
+				lineContent)
+		}
+
+		curRef, err := name.ParseReference(splitContent[0])
+		if err != nil {
+			return nil, fmt.Errorf("invalid reference %s: %v", splitContent[0], err)
+		}
+		curEntry.Reference = curRef
+
+		if len(splitContent) == 2 {
+			for _, source := range strings.Split(splitContent[1], ",") {
+				curEntry.Sources[source] = true
+			}
+		}
+
+		entries = append(entries, curEntry)
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, fmt.Errorf("scan contents: %v", err)
+	}
+
+	return entries, nil
+}
--- a/pkg/collection/imagetxt/imagetxt_test.go
+++ b/pkg/collection/imagetxt/imagetxt_test.go
@@ -0,0 +1,209 @@
+package imagetxt
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/artifacts/image"
+)
+
+var (
+	ErrRefNotFound    = errors.New("ref not found")
+	ErrRefNotImage    = errors.New("ref is not image")
+	ErrExtraRefsFound = errors.New("extra refs found in contents")
+)
+
+var (
+	testServer *httptest.Server
+)
+
+func TestMain(m *testing.M) {
+	setup()
+	code := m.Run()
+	teardown()
+	os.Exit(code)
+}
+
+func setup() {
+	dir := http.Dir("./testdata/http/")
+	h := http.FileServer(dir)
+	testServer = httptest.NewServer(h)
+}
+
+func teardown() {
+	if testServer != nil {
+		testServer.Close()
+	}
+}
+
+type failKind string
+
+const (
+	failKindNew      = failKind("New")
+	failKindContents = failKind("Contents")
+)
+
+func checkError(checkedFailKind failKind) func(*testing.T, error, bool, failKind) {
+	return func(cet *testing.T, err error, testShouldFail bool, testFailKind failKind) {
+		if err != nil {
+			// if error should not have happened at all OR error should have happened
+			// at a different point, test failed
+			if !testShouldFail || testFailKind != checkedFailKind {
+				cet.Fatalf("unexpected error at %s: %v", checkedFailKind, err)
+			}
+			// test should fail at this point, test passed
+			return
+		}
+		// if no error occurred but error should have happened at this point, test
+		// failed
+		if testShouldFail && testFailKind == checkedFailKind {
+			cet.Fatalf("unexpected nil error at %s", checkedFailKind)
+		}
+	}
+}
+
+func TestImageTxtCollection(t *testing.T) {
+	type testEntry struct {
+		Name           string
+		Ref            string
+		IncludeSources []string
+		ExcludeSources []string
+		ExpectedImages []string
+		ShouldFail     bool
+		FailKind       failKind
+	}
+	tt := []testEntry{
+		{
+			Name: "http ref basic",
+			Ref:  fmt.Sprintf("%s/images-http.txt", testServer.URL),
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+		{
+			Name: "http ref sources format pull all",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+		{
+			Name: "http ref sources format include sources A",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			IncludeSources: []string{
+				"core", "rke",
+			},
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+			},
+		},
+		{
+			Name: "http ref sources format include sources B",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			IncludeSources: []string{
+				"nginx", "rancher", "cert-manager",
+			},
+			ExpectedImages: []string{
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+		{
+			Name: "http ref sources format exclude sources A",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			ExcludeSources: []string{
+				"cert-manager",
+			},
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+			},
+		},
+		{
+			Name: "http ref sources format exclude sources B",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			ExcludeSources: []string{
+				"core",
+			},
+			ExpectedImages: []string{
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+		{
+			Name: "local file ref",
+			Ref:  "./testdata/images-file.txt",
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+	}
+
+	checkErrorNew := checkError(failKindNew)
+	checkErrorContents := checkError(failKindContents)
+
+	for _, curTest := range tt {
+		t.Run(curTest.Name, func(innerT *testing.T) {
+			curImageTxt, err := New(curTest.Ref,
+				WithIncludeSources(curTest.IncludeSources...),
+				WithExcludeSources(curTest.ExcludeSources...),
+			)
+			checkErrorNew(innerT, err, curTest.ShouldFail, curTest.FailKind)
+
+			ociContents, err := curImageTxt.Contents()
+			checkErrorContents(innerT, err, curTest.ShouldFail, curTest.FailKind)
+
+			if err := checkImages(ociContents, curTest.ExpectedImages); err != nil {
+				innerT.Fatal(err)
+			}
+		})
+	}
+}
+
+func checkImages(content map[string]artifacts.OCI, refs []string) error {
+	contentCopy := make(map[string]artifacts.OCI, len(content))
+	for k, v := range content {
+		contentCopy[k] = v
+	}
+	for _, ref := range refs {
+		target, ok := content[ref]
+		if !ok {
+			return fmt.Errorf("ref %s: %w", ref, ErrRefNotFound)
+		}
+		if _, ok := target.(*image.Image); !ok {
+			return fmt.Errorf("got underlying type %T: %w", target, ErrRefNotImage)
+		}
+		delete(contentCopy, ref)
+	}
+
+	if len(contentCopy) != 0 {
+		return ErrExtraRefsFound
+	}
+
+	return nil
+}
--- a/pkg/collection/imagetxt/testdata/http/images-http.txt
+++ b/pkg/collection/imagetxt/testdata/http/images-http.txt
@@ -0,0 +1,5 @@
+busybox
+nginx:1.19
+rancher/hyperkube:v1.21.7-rancher1
+docker.io/rancher/klipper-lb:v0.3.4
+quay.io/jetstack/cert-manager-controller:v1.6.1
--- a/pkg/collection/imagetxt/testdata/http/images-src-http.txt
+++ b/pkg/collection/imagetxt/testdata/http/images-src-http.txt
@@ -0,0 +1,5 @@
+busybox core
+nginx:1.19 core,nginx
+rancher/hyperkube:v1.21.7-rancher1 rancher,rke
+docker.io/rancher/klipper-lb:v0.3.4 rancher,k3s
+quay.io/jetstack/cert-manager-controller:v1.6.1 cert-manager
--- a/pkg/collection/imagetxt/testdata/images-file.txt
+++ b/pkg/collection/imagetxt/testdata/images-file.txt
@@ -0,0 +1,5 @@
+busybox
+nginx:1.19
+rancher/hyperkube:v1.21.7-rancher1
+docker.io/rancher/klipper-lb:v0.3.4
+quay.io/jetstack/cert-manager-controller:v1.6.1
--- a/Show More
+++ b/Show More