update tablewriter to v1.1.2 (#512 )

Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com>
fix for file:// dependency chart path resolutions (#510 )
2026-02-16 02:50:08 +00:00 · 2026-02-14 11:55:54 -05:00 · 2026-02-14 11:43:30 -05:00 · 2026-02-12 22:07:53 -05:00 · 2026-01-27 09:55:45 -05:00 · 2026-01-22 16:18:01 -05:00
152 changed files with 10695 additions and 5038 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,31 +1,51 @@
 ---
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: ''
+name: Bug Report
+about: Submit a bug report to help us improve!
+title: '[BUG]'
+labels: 'bug'
 assignees: ''
-
 ---

-<!-- Thanks for helping us to improve Hauler! We welcome all bug reports. Please fill out each area of the template so we can better help you. Comments like this will be hidden when you post but you can delete them if you wish. -->
+<!-- Thank you for helping us to improve Hauler! We welcome all bug reports. Please fill out each area of the template so we can better assist you. Comments like this will be hidden when you submit, but you can delete them if you wish. -->

-**Environmental Info:**  
+**Environmental Info:**
+
+<!-- Provide the output of "uname -a" -->
+
+-

 **Hauler Version:**

-**System CPU architecture, OS, and Version:**
-<!-- Provide the output from "uname -a" on the system where Hauler is installed -->
+<!-- Provide the output of "hauler version" -->

-**Describe the bug:**
-<!-- A clear and concise description of what the bug is. -->
+-

-**Steps To Reproduce:**
+**Describe the Bug:**

-**Expected behavior:**
-<!-- A clear and concise description of what you expected to happen. -->
+<!-- Provide a clear and concise description of the bug -->

-**Actual behavior:**
-<!-- A clear and concise description of what actually happened. -->
+-

-**Additional context / logs:**
-<!-- Add any other context and/or logs about the problem here. -->
+**Steps to Reproduce:**
+
+<!-- Provide a clear and concise way to reproduce the bug -->
+
+-
+
+**Expected Behavior:**
+
+<!-- Provide a clear and concise description of what you expected to happen -->
+
+-
+
+**Actual Behavior:**
+
+<!-- Provide a clear and concise description of what actually happens -->
+
+-
+
+**Additional Context:**
+
+<!-- Provide any other context and/or logs about the bug -->
+
+-
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,33 @@
+---
+name: Feature Request
+about: Submit a feature request for us to improve!
+title: '[feature]'
+labels: 'enhancement'
+assignees: ''
+---
+
+<!-- Thank you for helping us to improve Hauler! We welcome all requests for enhancements (RFEs). Please fill out each area of the template so we can better assist you. Comments like this will be hidden when you submit, but you can delete them if you wish. -->
+
+**Is this Feature/Enhancement related to an Existing Problem? If so, please describe:**
+
+<!-- Provide a clear and concise description of the problem -->
+
+-
+
+**Describe Proposed Solution(s):**
+
+<!-- Provide a clear and concise description of what you want to happen -->
+
+-
+
+**Describe Possible Alternatives:**
+
+<!-- Provide a clear and concise description of any alternative solutions or features you've considered -->
+
+-
+
+**Additional Context:**
+
+<!-- Provide a clear and concise description of the problem -->
+
+-
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,23 +1,36 @@
-* **Please check if the PR fulfills these requirements**
- [ ] The commit message follows our guidelines
- [ ] Tests for the changes have been added (for bug fixes / features)
- [ ] Docs have been added / updated (for bug fixes / features)
+**Please check below, if the PR fulfills these requirements:**
+- [ ] Commit(s) and code follow the repositories guidelines.
+- [ ] Test(s) have been added or updated to support these change(s).
+- [ ] Doc(s) have been added or updated to support these change(s).

+<!-- Comments like this will be hidden when you submit, but you can delete them if you wish. -->

-* **What kind of change does this PR introduce?** (Bug fix, feature, docs update, ...)
+**Associated Links:**

+<!-- Provide any associated or linked related to these change(s) -->

+-

-* **What is the current behavior?** (You can also link to an open issue here)
+**Types of Changes:**

+<!-- What is the type of change? Bugfix, Feature, Breaking Change, etc... -->

+-

-* **What is the new behavior (if this is a feature change)?**
+**Proposed Changes:**

+<!-- Provide the high level and low level description of your change(s) so we can better understand these change(s) -->

+-

-* **Does this PR introduce a breaking change?** (What changes might users need to make in their application due to this PR?)
+**Verification/Testing of Changes:**

+<!-- How can the changes be verified? Provide the steps necessary to reproduce and verify the proposed change(s) -->

+-

-* **Other information**:
+**Additional Context:**
+
+<!-- Provide any additional information, such as if this is a small or large or complex change. Feel free to kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc... -->
+
+-
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,32 +0,0 @@
-name: CI
-
-on:
-  workflow_dispatch:
-  push:
-    tags: 
-      - '*'
-
-jobs:
-  goreleaser:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.17.x
-      -
-        name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          distribution: goreleaser
-          version: latest
-          args: release --rm-dist
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
--- a/.github/workflows/pages.yaml
+++ b/.github/workflows/pages.yaml
@@ -0,0 +1,51 @@
+name: Pages Workflow
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  deploy-pages:
+    name: Deploy GitHub Pages
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
+    steps:
+      - name: Clean Up Actions Tools Cache
+        run: rm -rf /opt/hostedtoolcache
+
+      - name: Checkout
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+
+      - name: Upload Pages Artifacts
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: './static'
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,64 @@
+name: Release Workflow
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  goreleaser:
+    name: GoReleaser Job
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    steps:
+      - name: Clean Up Actions Tools Cache
+        run: rm -rf /opt/hostedtoolcache
+
+      - name: Checkout
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Set Up Go
+        uses: actions/setup-go@v6.1.0
+        with:
+          go-version-file: go.mod
+          check-latest: true
+
+      - name: Set Up QEMU
+        uses: docker/setup-qemu-action@v3.7.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.11.1
+
+      - name: Authenticate to GitHub Container Registry
+        uses: docker/login-action@v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Authenticate to DockerHub Container Registry
+        uses: docker/login-action@v3.6.0
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6.4.0
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: "release --clean --timeout 60m"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          DOCKER_CLI_EXPERIMENTAL: "enabled"
--- a/.github/workflows/testdata.yaml
+++ b/.github/workflows/testdata.yaml
@@ -0,0 +1,41 @@
+name: Refresh Hauler Testdata
+
+on:
+  workflow_dispatch:
+
+jobs:
+  refresh-testdata:
+    name: Refresh Hauler Testdata
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Clean Up Actions Tools Cache
+        run: rm -rf /opt/hostedtoolcache
+
+      - name: Checkout Repository
+        uses: actions/checkout@v6.0.1
+
+      - name: Fetch Hauler Binary
+        run: curl -sfL https://get.hauler.dev | bash
+
+      - name: Login to GitHub Container Registry and Docker Hub Container Registry
+        run: |
+          hauler login ghcr.io --username ${{ github.repository_owner }} --password ${{ secrets.GITHUB_TOKEN }}
+          hauler login docker.io --username ${{ secrets.DOCKERHUB_USERNAME }} --password ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Process Images for Tests
+        run: |
+          hauler store add image nginx:1.25-alpine
+          hauler store add image nginx:1.26-alpine
+          hauler store add image busybox
+          hauler store add image busybox:stable
+          hauler store add image gcr.io/distroless/base
+          hauler store add image gcr.io/distroless/base@sha256:7fa7445dfbebae4f4b7ab0e6ef99276e96075ae42584af6286ba080750d6dfe5
+
+      - name: Push Store Contents to Hauler-Dev GitHub Container Registry
+        run: |
+          hauler store copy registry://ghcr.io/${{ github.repository_owner }}
+
+      - name: Verify Hauler Store Contents
+        run: hauler store info
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -0,0 +1,480 @@
+name: Tests Workflow
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  unit-tests:
+    name: Unit Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Clean Up Actions Tools Cache
+        run: rm -rf /opt/hostedtoolcache
+
+      - name: Checkout
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Set Up Go
+        uses: actions/setup-go@v6.1.0
+        with:
+          go-version-file: go.mod
+          check-latest: true
+
+      - name: Install Go Releaser
+        uses: goreleaser/goreleaser-action@v6.4.0
+        with:
+          install-only: true
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y make
+          sudo apt-get install -y build-essential
+
+      - name: Run Makefile Targets
+        run: |
+          make build-all
+
+      - name: Upload Hauler Binaries
+        uses: actions/upload-artifact@v4.6.2
+        with:
+          name: hauler-binaries
+          path: dist/*
+
+      - name: Upload Coverage Report
+        uses: actions/upload-artifact@v4.6.2
+        with:
+          name: coverage-report
+          path: coverage.out
+
+  integration-tests:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    needs: [unit-tests]
+    timeout-minutes: 30
+
+    steps:
+      - name: Clean Up Actions Tools Cache
+        run: rm -rf /opt/hostedtoolcache
+
+      - name: Checkout
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y unzip
+          sudo apt-get install -y tree
+
+      - name: Download Artifacts
+        uses: actions/download-artifact@v6.0.0
+        with:
+          name: hauler-binaries
+          path: dist
+
+      - name: Prepare Hauler for Tests
+        run: |
+          pwd
+          ls -la
+          ls -la dist/
+          chmod -R 755 dist/ testdata/certificate-script.sh
+          sudo mv dist/hauler_linux_amd64_v1/hauler /usr/local/bin/hauler
+          ./testdata/certificate-script.sh && sudo chown -R $(whoami) testdata/certs/
+
+      - name: Verify - hauler version
+        run: |
+          hauler version
+
+      - name: Verify - hauler completion
+        run: |
+          hauler completion
+          hauler completion bash
+          hauler completion fish
+          hauler completion powershell
+          hauler completion zsh
+
+      - name: Verify - hauler help
+        run: |
+          hauler help
+
+      - name: Verify - hauler login
+        run: |
+          hauler login --help
+          hauler login docker.io --username ${{ secrets.DOCKERHUB_USERNAME }} --password ${{ secrets.DOCKERHUB_TOKEN }}
+          echo ${{ secrets.GITHUB_TOKEN }} | hauler login ghcr.io --username ${{ github.repository_owner }} --password-stdin
+
+      - name: Verify - hauler store
+        run: |
+          hauler store --help
+
+      - name: Verify - hauler store add
+        run: |
+          hauler store add --help
+
+      - name: Verify - hauler store add chart
+        run: |
+          hauler store add chart --help
+          # verify via helm repository
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable --version 2.8.4
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable --version 2.8.3 --verify
+          # verify via oci helm repository
+          hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev
+          hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev --version 1.0.6
+          hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev --version 1.0.4 --verify
+          # verify via local helm repository
+          curl -sfOL https://github.com/rancherfederal/rancher-cluster-templates/releases/download/rancher-cluster-templates-0.5.2/rancher-cluster-templates-0.5.2.tgz
+          hauler store add chart rancher-cluster-templates-0.5.2.tgz --repo .
+          curl -sfOL https://github.com/rancherfederal/rancher-cluster-templates/releases/download/rancher-cluster-templates-0.5.1/rancher-cluster-templates-0.5.1.tgz
+          hauler store add chart rancher-cluster-templates-0.5.1.tgz --repo . --version 0.5.1
+          curl -sfOL https://github.com/rancherfederal/rancher-cluster-templates/releases/download/rancher-cluster-templates-0.5.0/rancher-cluster-templates-0.5.0.tgz
+          hauler store add chart rancher-cluster-templates-0.5.0.tgz --repo . --version 0.5.0 --verify
+          # verify via the hauler store contents
+          hauler store info
+
+      - name: Verify - hauler store add chart --rewrite
+        run: |
+          # add chart with rewrite flag
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable --version 2.8.4 --rewrite custom-path/rancher:2.8.4
+          # verify new ref in store
+          hauler store info | grep 'custom-path/rancher:2.8.4'
+          # confrim leading slash trimmed from rewrite
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable --version 2.8.4 --rewrite /custom-path/rancher:2.8.4
+          # verify no leading slash
+          ! hauler store info | grep '/custom-path/rancher:2.8.4'
+          # confirm old tag used if not specified
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable --version 2.8.4 --rewrite /custom-path/rancher
+          # confirm tag
+          hauler store info | grep '2.8.4'
+
+      - name: Verify - hauler store add file
+        run: |
+          hauler store add file --help
+          # verify via remote file
+          hauler store add file https://get.rke2.io/install.sh
+          hauler store add file https://get.rke2.io/install.sh --name rke2-install.sh
+          # verify via local file
+          hauler store add file testdata/hauler-manifest.yaml
+          hauler store add file testdata/hauler-manifest.yaml --name hauler-manifest-local.yaml
+          # verify via the hauler store contents
+          hauler store info
+
+      - name: Verify - hauler store add image
+        run: |
+          hauler store add image --help
+          # verify via image reference
+          hauler store add image ghcr.io/hauler-dev/library/busybox
+          # verify via image reference with version and platform
+          hauler store add image ghcr.io/hauler-dev/library/busybox:stable --platform linux/amd64
+          # verify via image reference with full reference
+          hauler store add image ghcr.io/hauler-dev/distroless/base@sha256:7fa7445dfbebae4f4b7ab0e6ef99276e96075ae42584af6286ba080750d6dfe5
+          # verify via the hauler store contents
+          hauler store info
+
+      - name: Verify - hauler store add image --rewrite
+        run: |
+          # add image with rewrite flag
+          hauler store add image ghcr.io/hauler-dev/library/busybox --rewrite custom-registry.io/custom-path/busybox:latest
+          # verify new ref in store
+          hauler store info | grep 'custom-registry.io/custom-path/busybox:latest'
+          # confrim leading slash trimmed from rewrite
+          hauler store add image ghcr.io/hauler-dev/library/busybox --rewrite /custom-path/busybox:latest
+          # verify no leading slash
+          ! hauler store info | grep '/custom-path/busybox:latest'
+          # confirm old tag used if not specified
+          hauler store add image ghcr.io/hauler-dev/library/busybox:stable --rewrite /custom-path/busybox
+          # confirm tag
+          hauler store info | grep ':stable'
+
+      - name: Verify - hauler store copy
+        run: |
+          hauler store copy --help
+          # need more tests here
+
+      - name: Verify - hauler store extract
+        run: |
+          hauler store extract --help
+          # verify via extracting hauler store content
+          hauler store extract hauler/hauler-manifest-local.yaml:latest
+          # view extracted content from store
+          cat hauler-manifest-local.yaml
+
+      - name: Verify - hauler store info
+        run: |
+          hauler store info --help
+          # verify via table output
+          hauler store info --output table
+          # verify via json output
+          hauler store info --output json
+          # verify via filtered output (chart)
+          hauler store info --type chart
+          # verify via filtered output (file)
+          hauler store info --type file
+          # verify via filtered output (image)
+          hauler store info --type image
+          # verify store directory structure
+          tree -hC store
+
+      - name: Verify - hauler store save
+        run: |
+          hauler store save --help
+          # verify via save
+          hauler store save
+          # verify via save with filename
+          hauler store save --filename store.tar.zst
+          # verify via save with filename and platform (amd64)
+          hauler store save --filename store-amd64.tar.zst --platform linux/amd64
+
+      - name: Remove Hauler Store Contents
+        run: |
+          rm -rf store
+          hauler store info
+
+      - name: Verify - hauler store load
+        run: |
+          hauler store load --help
+          # verify via load
+          hauler store load
+          # verify via load with multiple files
+          hauler store load --filename haul.tar.zst --filename store.tar.zst
+          # confirm store contents
+          tar -xOf store.tar.zst index.json
+          # verify via load with filename and temp directory
+          hauler store load --filename store.tar.zst --tempdir /opt
+          # verify via load with filename and platform (amd64)
+          hauler store load --filename store-amd64.tar.zst
+
+      - name: Verify Hauler Store Contents
+        run: |
+          # verify store
+          hauler store info
+          # verify store directory structure
+          tree -hC store
+
+      - name: Verify - docker load
+        run: |
+          docker load --help
+          # verify via load
+          docker load --input store-amd64.tar.zst
+
+      - name: Verify Docker Images Contents
+        run: |
+          docker images --help
+          # verify images
+          docker images --all
+
+      - name: Remove Hauler Store Contents
+        run: |
+          rm -rf store haul.tar.zst store.tar.zst store-amd64.tar.zst
+          hauler store info
+
+      - name: Verify - hauler store sync
+        run: |
+          hauler store sync --help
+          # verify via sync
+          hauler store sync --filename testdata/hauler-manifest-pipeline.yaml
+          # verify via sync with multiple files
+          hauler store sync --filename testdata/hauler-manifest-pipeline.yaml --filename testdata/hauler-manifest.yaml
+          # need more tests here
+
+      - name: Verify - hauler store serve
+        run: |
+          hauler store serve --help
+
+      - name: Verify - hauler store serve registry
+        run: |
+          hauler store serve registry --help
+          # verify via registry
+          hauler store serve registry &
+          until curl -sf http://localhost:5000/v2/_catalog; do : ; done
+          pkill -f "hauler store serve registry"
+          # verify via registry with different port
+          hauler store serve registry --port 5001 &
+          until curl -sf http://localhost:5001/v2/_catalog; do : ; done
+          pkill -f "hauler store serve registry --port 5001"
+          # verify via registry with different port and readonly
+          hauler store serve registry --port 5001 --readonly &
+          until curl -sf http://localhost:5001/v2/_catalog; do : ; done
+          pkill -f "hauler store serve registry --port 5001 --readonly"
+          # verify via registry with different port with readonly with tls
+          # hauler store serve registry --port 5001 --readonly --tls-cert testdata/certs/server-cert.crt --tls-key testdata/certs/server-cert.key &
+          # until curl -sf --cacert testdata/certs/cacerts.pem https://localhost:5001/v2/_catalog; do : ; done
+          # pkill -f "hauler store serve registry --port 5001 --readonly --tls-cert testdata/certs/server-cert.crt --tls-key testdata/certs/server-cert.key"
+
+      - name: Verify - hauler store serve fileserver
+        run: |
+          hauler store serve fileserver --help
+          # verify via fileserver
+          hauler store serve fileserver &
+          until curl -sf http://localhost:8080; do : ; done
+          pkill -f "hauler store serve fileserver"
+          # verify via fileserver with different port
+          hauler store serve fileserver --port 8000 &
+          until curl -sf http://localhost:8000; do : ; done
+          pkill -f "hauler store serve fileserver --port 8000"
+          # verify via fileserver with different port and timeout
+          hauler store serve fileserver --port 8000 --timeout 120 &
+          until curl -sf http://localhost:8000; do : ; done
+          pkill -f "hauler store serve fileserver --port 8000 --timeout 120"
+          # verify via fileserver with different port with timeout and tls
+          # hauler store serve fileserver --port 8000 --timeout 120 --tls-cert testdata/certs/server-cert.crt --tls-key testdata/certs/server-cert.key &
+          # until curl -sf --cacert testdata/certs/cacerts.pem https://localhost:8000; do : ; done
+          # pkill -f "hauler store serve fileserver --port 8000 --timeout 120 --tls-cert testdata/certs/server-cert.crt --tls-key testdata/certs/server-cert.key"
+
+      - name: Verify Hauler Store Contents
+        run: |
+          # verify store
+          hauler store info
+          # verify store directory structure
+          tree -hC store
+          # verify registry directory structure
+          tree -hC registry
+          # verify fileserver directory structure
+          tree -hC fileserver
+
+      - name: Verify - hauler store remove (image)
+        run: |
+          hauler store remove --help
+          # add test images
+          hauler store add image ghcr.io/hauler-dev/library/nginx:1.25-alpine
+          hauler store add image ghcr.io/hauler-dev/library/nginx:1.26-alpine
+          # confirm artifacts
+          hauler store info | grep 'nginx:1.25'
+          hauler store info | grep 'nginx:1.26'
+          # count blobs before delete
+          BLOBS_BEFORE=$(find store/blobs/sha256 -type f | wc -l | xargs)
+          echo "blobs before deletion: $BLOBS_BEFORE"
+          # delete one artifact
+          hauler store remove nginx:1.25 --force
+          # verify artifact removed
+          ! hauler store info | grep -q "nginx:1.25"
+          # non-deleted artifact exists
+          hauler store info | grep -q "nginx:1.26"
+          # count blobs after delete
+          BLOBS_AFTER=$(find store/blobs/sha256 -type f | wc -l | xargs)
+          echo "blobs after deletion: $BLOBS_AFTER"
+          # verify only unreferenced blobs removed
+          if [ "$BLOBS_AFTER" -ge "$BLOBS_BEFORE" ]; then
+            echo "ERROR: No blobs were cleaned up"
+            exit 1
+          fi
+          if [ "$BLOBS_AFTER" -eq 0 ]; then
+            echo "ERROR: All blobs deleted (shared layers removed)"
+            exit 1
+          fi
+          # verify remaining image not missing layers
+          hauler store extract ghcr.io/hauler-dev/library/nginx:1.26-alpine
+
+      - name: Verify - hauler store remove (chart)
+        run: |
+          hauler store remove --help
+          # add test images
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable --version 2.8.4
+          hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable --version 2.8.5
+          # confirm artifacts
+          hauler store info | grep '2.8.4'
+          hauler store info | grep '2.8.5'
+          # count blobs before delete
+          BLOBS_BEFORE=$(find store/blobs/sha256 -type f | wc -l | xargs)
+          echo "blobs before deletion: $BLOBS_BEFORE"
+          # delete one artifact
+          hauler store remove 2.8.4 --force
+          # verify artifact removed
+          ! hauler store info | grep -q "2.8.4"
+          # non-deleted artifact exists
+          hauler store info | grep -q "2.8.5"
+          # count blobs after delete
+          BLOBS_AFTER=$(find store/blobs/sha256 -type f | wc -l | xargs)
+          echo "blobs after deletion: $BLOBS_AFTER"
+          # verify only unreferenced blobs removed
+          if [ "$BLOBS_AFTER" -ge "$BLOBS_BEFORE" ]; then
+            echo "ERROR: No blobs were cleaned up"
+            exit 1
+          fi
+          if [ "$BLOBS_AFTER" -eq 0 ]; then
+            echo "ERROR: All blobs deleted (shared layers removed)"
+            exit 1
+          fi
+          # verify remaining image not missing layers
+          hauler store extract hauler/rancher:2.8.5
+
+      - name: Verify - hauler store remove (file)
+        run: |
+          hauler store remove --help
+          # add test images
+          hauler store add file https://get.hauler.dev
+          hauler store add file https://get.rke2.io/install.sh
+          # confirm artifacts
+          hauler store info | grep 'get.hauler.dev'
+          hauler store info | grep 'install.sh'
+          # count blobs before delete
+          BLOBS_BEFORE=$(find store/blobs/sha256 -type f | wc -l | xargs)
+          echo "blobs before deletion: $BLOBS_BEFORE"
+          # delete one artifact
+          hauler store remove get.hauler.dev --force
+          # verify artifact removed
+          ! hauler store info | grep -q "get.hauler.dev"
+          # non-deleted artifact exists
+          hauler store info | grep -q "install.sh"
+          # count blobs after delete
+          BLOBS_AFTER=$(find store/blobs/sha256 -type f | wc -l | xargs)
+          echo "blobs after deletion: $BLOBS_AFTER"
+          # verify only unreferenced blobs removed
+          if [ "$BLOBS_AFTER" -ge "$BLOBS_BEFORE" ]; then
+            echo "ERROR: No blobs were cleaned up"
+            exit 1
+          fi
+          if [ "$BLOBS_AFTER" -eq 0 ]; then
+            echo "ERROR: All blobs deleted (shared layers removed)"
+            exit 1
+          fi
+          # verify remaining image not missing layers
+          hauler store extract hauler/install.sh:latest
+
+      - name: Create Hauler Report
+        run: |
+          hauler version >> hauler-report.txt
+          hauler store info --output table >> hauler-report.txt
+
+      - name: Remove Hauler Store Contents
+        run: |
+          rm -rf store registry fileserver
+          hauler store info
+
+      - name: Upload Hauler Report
+        uses: actions/upload-artifact@v4.6.2
+        with:
+          name: hauler-report
+          path: hauler-report.txt
+
+      - name: Verify - hauler logout
+        run: |
+          hauler logout --help
+          hauler logout docker.io
+          hauler logout ghcr.io
+
+      - name: Remove Hauler Store Credentials
+        run: |
+          rm -rf ~/.docker/config.json
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,4 @@
-.DS_Store
-
-# Vagrant
-.vagrant
-
-# Editor directories and files
+**/.DS_Store
 .idea
 .vscode
 *.suo
@@ -12,19 +7,12 @@
 *.sln
 *.sw?
 *.dir-locals.el
-
-# old, ad-hoc ignores
-artifacts
-local-artifacts
-airgap-scp.sh
-
-# test artifacts
-*.tar*
-
-# generated
 dist/
-./bundle/
 tmp/
 bin/
-pkg.yaml
-haul/
+/store/
+registry/
+fileserver/
+cmd/hauler/binaries
+testdata/certs/
+coverage.out
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,14 +1,24 @@
+version: 2
+
 project_name: hauler
 before:
  hooks:
    - go mod tidy
    - go mod download
+    - go fmt ./...
+    - go vet ./...
+    - go test ./... -cover -race -covermode=atomic -coverprofile=coverage.out
+
+release:
+  prerelease: auto
+  make_latest: false

 env:
-  - vpkg=github.com/rancherfederal/hauler/pkg/version
+  - vpkg=hauler.dev/go/hauler/internal/version
+  - cosign_version=v2.2.3+carbide.3

 builds:
-  - main: cmd/hauler/main.go
+  - dir: ./cmd/hauler/.
    goos:
      - linux
      - darwin
@@ -17,22 +27,65 @@ builds:
      - amd64
      - arm64
    ldflags:
-      - -s -w -X {{ .Env.vpkg }}.GitVersion={{ .Version }} -X {{ .Env.vpkg }}.commit={{ .ShortCommit }} -X {{ .Env.vpkg }}.buildDate={{ .Date }}
+      - -s -w -X {{ .Env.vpkg }}.gitVersion={{ .Version }} -X {{ .Env.vpkg }}.gitCommit={{ .ShortCommit }} -X {{ .Env.vpkg }}.gitTreeState={{if .IsGitDirty}}dirty{{else}}clean{{end}} -X {{ .Env.vpkg }}.buildDate={{ .Date }}
    env:
      - CGO_ENABLED=0
+      - GOEXPERIMENT=boringcrypto

 universal_binaries:
-  - replace: true
+  - replace: false

 changelog:
-  skip: false
+  disable: false
  use: git

-brews:
+homebrew_casks:
  - name: hauler
-    tap:
-      owner: rancherfederal
+    repository:
+      owner: hauler-dev
      name: homebrew-tap
      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
-    folder: Formula
-    description: "Hauler CLI"
+    description: "Hauler: Airgap Swiss Army Knife"
+
+dockers_v2:
+  - id: hauler
+    dockerfile: Dockerfile
+    flags:
+      - "--target=release"
+    images:
+      - docker.io/hauler/hauler
+      - ghcr.io/hauler-dev/hauler
+    tags:
+      - "{{ .Version }}"
+    platforms:
+      - linux/amd64
+      - linux/arm64
+    labels:
+      "classification": "UNCLASSIFIED"
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.description": "Hauler: Airgap Swiss Army Knife"
+      "org.opencontainers.image.name": "{{.ProjectName}}-debug"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.source": "{{.GitURL}}"
+      "org.opencontainers.image.version": "{{.Version}}"
+
+  - id: hauler-debug
+    dockerfile: Dockerfile
+    flags:
+      - "--target=debug"
+    images:
+      - docker.io/hauler/hauler-debug
+      - ghcr.io/hauler-dev/hauler-debug
+    tags:
+      - "{{ .Version }}"
+    platforms:
+      - linux/amd64
+      - linux/arm64
+    labels:
+      "classification": "UNCLASSIFIED"
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.description": "Hauler: Airgap Swiss Army Knife"
+      "org.opencontainers.image.name": "{{.ProjectName}}-debug"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.source": "{{.GitURL}}"
+      "org.opencontainers.image.version": "{{.Version}}"
--- a/43
+++ b/43
@@ -0,0 +1,43 @@
+# builder stage
+FROM registry.suse.com/bci/bci-base:15.7 AS builder
+ARG TARGETPLATFORM
+
+# fetched from goreleaser build process
+COPY $TARGETPLATFORM/hauler /hauler
+
+RUN echo "hauler:x:1001:1001::/home/hauler:" > /etc/passwd \
+&& echo "hauler:x:1001:hauler" > /etc/group \
+&& mkdir /home/hauler \
+&& mkdir /store \
+&& mkdir /fileserver \
+&& mkdir /registry
+
+# release stage
+FROM scratch AS release
+
+COPY --from=builder /var/lib/ca-certificates/ca-bundle.pem /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+COPY --from=builder --chown=hauler:hauler /home/hauler/. /home/hauler
+COPY --from=builder --chown=hauler:hauler /tmp/. /tmp
+COPY --from=builder --chown=hauler:hauler /store/. /store
+COPY --from=builder --chown=hauler:hauler /registry/. /registry
+COPY --from=builder --chown=hauler:hauler /fileserver/. /fileserver
+COPY --from=builder --chown=hauler:hauler /hauler /hauler
+
+USER hauler
+ENTRYPOINT [ "/hauler" ]
+
+# debug stage
+FROM alpine AS debug
+
+COPY --from=builder /var/lib/ca-certificates/ca-bundle.pem /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder /etc/group /etc/group
+COPY --from=builder --chown=hauler:hauler /home/hauler/. /home/hauler
+COPY --from=builder --chown=hauler:hauler /hauler /usr/local/bin/hauler
+
+RUN apk --no-cache add curl
+
+USER hauler
+WORKDIR /home/hauler
--- a/177
+++ b/177
@@ -0,0 +1,177 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
--- a/56
+++ b/56
@@ -1,35 +1,49 @@
-SHELL:=/bin/bash
-GO_BUILD_ENV=GOOS=linux GOARCH=amd64 
-GO_FILES=$(shell go list ./... | grep -v /vendor/)
+# Makefile for hauler

-BUILD_VERSION=$(shell cat VERSION)
-BUILD_TAG=$(BUILD_VERSION)
+# set shell
+SHELL=/bin/bash

-.SILENT:
+# set go variables
+GO_FILES=./...
+GO_COVERPROFILE=coverage.out

-all: fmt vet install test
+# set build variables
+BIN_DIRECTORY=bin
+DIST_DIRECTORY=dist

+# local build of hauler for current platform
+# references/configuration from .goreleaser.yaml
 build:
-	mkdir bin;\
-	$(GO_BUILD_ENV) go build -o bin ./cmd/...;\
+	goreleaser build --clean --snapshot --timeout 60m --single-target

-build-all: fmt vet
-	goreleaser build --rm-dist --snapshot
-	
+# local build of hauler for all platforms
+# references/configuration from .goreleaser.yaml
+build-all:
+	goreleaser build --clean --snapshot --timeout 60m
+
+# local release of hauler for all platforms
+# references/configuration from .goreleaser.yaml
+release:
+	goreleaser release --clean --snapshot --timeout 60m
+
+# install depedencies
 install:
-	$(GO_BUILD_ENV) go install
-
-vet:
-	go vet $(GO_FILES)
+	go mod tidy
+	go mod download
+	CGO_ENABLED=0 go install ./cmd/...

+# format go code
 fmt:
 	go fmt $(GO_FILES)

+# vet go code
+vet:
+	go vet $(GO_FILES)
+
+# test go code
 test:
-	go test $(GO_FILES) -cover
-
-integration_test:
-	go test -tags=integration $(GO_FILES)
+	go test $(GO_FILES) -cover -race -covermode=atomic -coverprofile=$(GO_COVERPROFILE)

+# cleanup artifacts
 clean:
-	rm -rf bin 2> /dev/null
+	rm -rf $(BIN_DIRECTORY) $(DIST_DIRECTORY) $(GO_COVERPROFILE)
--- a/README.md
+++ b/README.md
@@ -1,28 +1,70 @@
-# Hauler: Airgap Assistant
+# Rancher Government Hauler

-> ⚠️ This project is still in active development and _not_ GA.  While a lot of the core features are ready, we're still adding a _ton_, and we may make breaking api and feature changes version to version.
+![rancher-government-hauler-logo](/static/rgs-hauler-logo.png)

-`hauler` simplifies the airgap experience without forcing you to adopt a specific workflow for your infrastructure or application.  
+## Airgap Swiss Army Knife

-To accomplish this, it focuses strictly on two of the biggest airgap pain points:
+`Rancher Government Hauler` simplifies the airgap experience without requiring operators to adopt a specific workflow. **Hauler** simplifies the airgapping process, by representing assets (images, charts, files, etc...) as content and collections to allow operators to easily fetch, store, package, and distribute these assets with declarative manifests or through the command line.

-* content collection
-* content distribution
+`Hauler` does this by storing contents and collections as OCI Artifacts and allows operators to serve contents and collections with an embedded registry and fileserver. Additionally, `Hauler` has the ability to store and inspect various non-image OCI Artifacts.

-As OCI registries have become ubiquitous nowadays for storing and distributing containers.  Their success and widespread adoption has led many projects to expand beyond containers.
+For more information, please review the **[Hauler Documentation](https://hauler.dev)!**

-`hauler` capitalizes on this, and leverages the [`oci`](https://github.com/opencontainers) spec to be a simple, zero dependency tool to collect, transport, and distribute your artifacts.
+## Recent Changes

-## Getting started
+### In Hauler v1.4.0...

-See the [quickstart](docs/walkthrough.md#Quickstart) for a quick way to get started with some of `haulers` capabilities.
+- Added a notice to `hauler store sync --products/--product-registry` to warn users the default registry will be updated in a future release.
+  - Users will see logging notices when using the `--products/--product-registry` such as...
+  - `!!! WARNING !!! [--products] will be updating its default registry in a future release...`
+  - `!!! WARNING !!! [--product-registry] will be updating its default registry in a future release...`

-For a guided example of all of `haulers` capabilities, check out the [guided example](docs/walkthrough.md#guided-examples).
+### In Hauler v1.2.0...
+
+- Upgraded the `apiVersion` to `v1` from `v1alpha1`
+  - Users are able to use `v1` and `v1alpha1`, but `v1alpha1` is now deprecated and will be removed in a future release. We will update the community when we fully deprecate and remove the functionality of `v1alpha1`
+  - Users will see logging notices when using the old `apiVersion` such as...
+  - `!!! DEPRECATION WARNING !!! apiVersion [v1alpha1] will be removed in a future release...`
+---
+- Updated the behavior of `hauler store load` to default to loading a `haul` with the name of `haul.tar.zst` and requires the flag of `--filename/-f` to load a `haul` with a different name
+- Users can load multiple `hauls` by specifying multiple flags of `--filename/-f`
+  - updated command usage: `hauler store load --filename hauling-hauls.tar.zst`
+  - previous command usage (do not use): `hauler store load hauling-hauls.tar.zst`
+---
+- Updated the behavior of `hauler store sync` to default to syncing a `manifest` with the name of `hauler-manifest.yaml` and requires the flag of `--filename/-f` to sync a `manifest` with a different name
+- Users can sync multiple `manifests` by specifying multiple flags of `--filename/-f`
+  - updated command usage: `hauler store sync --filename hauling-hauls-manifest.yaml`
+  - previous command usage (do not use): `hauler store sync --files hauling-hauls-manifest.yaml`
+---
+Please review the documentation for any additional [Known Limits, Issues, and Notices](https://docs.hauler.dev/docs/known-limits)!
+
+## Installation
+
+### Linux/Darwin
+
+```bash
+# installs latest release
+curl -sfL https://get.hauler.dev | bash
+```
+
+### Homebrew
+
+```bash
+# installs latest release
+brew tap hauler-dev/homebrew-tap
+brew install hauler
+```
+
+### Windows
+
+```bash
+# coming soon
+```

 ## Acknowledgements

-`hauler` wouldn't be possible without the open source community, but there are a few dependent projects that stand out:
+`Hauler` wouldn't be possible without the open-source community, but there are a few projects that stand out:

-* [go-containerregistry](https://github.com/google/go-containerregistry)
-* [oras](https://github.com/oras-project/oras)
-* [cosign](https://github.com/sigstore/cosign)
+- [oras cli](https://github.com/oras-project/oras)
+- [cosign](https://github.com/sigstore/cosign)
+- [go-containerregistry](https://github.com/google/go-containerregistry)
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,49 +0,0 @@
-# Hauler Roadmap
-
-## \> v0.2.0
-
- Leverage `referrers` api to robustly link content/collection
- Support signing for all `artifact.OCI` contents
- Support encryption for `artifact.OCI` layers
- Safely embed container runtime for user created `collections` creation and transformation
- Better defaults/configuration/security around for long-lived embedded registry
- Better support multi-platform content
- Better leverage `oras` (`>=0.5.0`) for content relocation
- Store git repos as CAS in OCI format
-
-## v0.2.0 - MVP 2
-
- Re-focus on cli and framework for oci content fetching and delivery
- Focus on initial key contents
-  - Files (local/remote)
-  - Charts (local/remote)
-  - Images
- Establish framework for `content` and `collections`
- Define initial `content` types (`file`, `chart`, `image`)
- Define initial `collection` types (`thickchart`, `k3s`)
- Define framework for manipulating OCI content (`artifact.OCI`, `artifact.Collection`)
-
-## v0.1.0 - MVP 1
-
- Install single-node k3s cluster
-  - Support tarball and rpm installation methods
-  - Target narrow set of known Operating Systems to have OS-specific code if needed
- Serve container images
-  - Collect images from image list file
-  - Collect images from image archives
-  - Deploy docker registry
-  - Populate registry with all images
- Serve git repositories 
-  - Collect repos
-  - Deploy git server (Caddy? NGINX?)
-  - Populate git server with repos
- Serve files
-  - Collect files from directory, including subdirectories
-  - Deploy caddy file server
-  - Populate file server with directory contents
-  - NOTE: "generic" option - most other use cases can be satisfied by a specially crafted file
-    server directory
-
-## v0.0.x
-
- Install single-node k3s cluster into an Ubuntu machine using the tarball installation method
--- a/VAGRANT.md
+++ b/VAGRANT.md
@@ -1,49 +0,0 @@
-## Hauler Vagrant machine
-
-A Vagrantfile is provided to allow easy provisioning of a local air-gapped CentOS environment. Some artifacts need to be collected from the internet; below are the steps required for successfully provisioning this machine, downloading all dependencies, and installing k3s (without hauler) into this machine.
-
-### First-time setup
-
-1. Install vagrant, if needed: <https://www.vagrantup.com/downloads>
-2. Install `vagrant-vbguest` plugin, as noted in the Vagrantfile:
-   ```shell
-   vagrant plugin install vagrant-vbguest
-   ```
-3. Deploy Vagrant machine, disabling SELinux:
-   ```shell
-   SELINUX=Disabled vagrant up
-   ```
-4. Access the Vagrant machine via SSH:
-   ```shell
-   vagrant ssh
-   ```
-5. Run all prep scripts inside of the Vagrant machine:
-    > This script temporarily enables internet access from within the VM to allow downloading all dependencies. Even so, the air-gapped network configuration IS restored before completion.
-   ```shell
-   sudo /opt/hauler/vagrant-scripts/prep-all.sh
-   ```
-
-All dependencies for all `vagrant-scripts/*-install.sh` scripts are now downloaded to the local
-repository under `local-artifacts`.
-
-### Installing k3s manually
-
-1. Access the Vagrant machine via SSH:
-  ```bash
-  vagrant ssh
-  ```
-2. Run the k3s install script inside of the Vagrant machine:
-  ```shell
-  sudo /opt/hauler/vagrant-scripts/k3s-install.sh
-  ```
-
-### Installing RKE2 manually
-
-1. Access the Vagrant machine via SSH:
-  ```shell
-  vagrant ssh
-  ```
-2. Run the RKE2 install script inside of the Vagrant machine:
-  ```shell
-  sudo /opt/hauler/vagrant-scripts/rke2-install.sh
-  ```
--- a/65
+++ b/65
@@ -1,65 +0,0 @@
-##################################
-# The vagrant-vbguest plugin is required for CentOS 7.
-# Run the following command to install/update this plugin:
-# vagrant plugin install vagrant-vbguest
-##################################
-
-Vagrant.configure("2") do |config|
-  config.vm.box = "centos/8"
-  config.vm.hostname = "airgap"
-  config.vm.network "private_network", type: "dhcp"
-
-  config.vm.synced_folder ".", "/vagrant"
-
-  config.vm.provider "virtualbox" do |vb|
-    vb.memory = "2048"
-    vb.cpus = "2"
-  
-  config.vm.provision "airgap", type: "shell", run: "always",
-    inline: "/vagrant/vagrant-scripts/airgap.sh airgap"
-  end
-
-  # SELinux is Enforcing by default.
-  # To set SELinux as Disabled on a VM that has already been provisioned:
-  #   SELINUX=Disabled vagrant up --provision-with=selinux
-  # To set SELinux as Permissive on a VM that has already been provsioned
-  #   SELINUX=Permissive vagrant up --provision-with=selinux
-  config.vm.provision "selinux", type: "shell", run: "once" do |sh|
-    sh.upload_path = "/tmp/vagrant-selinux"
-    sh.env = {
-        'SELINUX': ENV['SELINUX'] || "Enforcing"
-    }
-    sh.inline = <<~SHELL
-        #!/usr/bin/env bash
-        set -eux -o pipefail
-
-        if ! type -p getenforce setenforce &>/dev/null; then
-          echo SELinux is Disabled
-          exit 0
-        fi
-
-        case "${SELINUX}" in
-          Disabled)
-            if mountpoint -q /sys/fs/selinux; then
-              setenforce 0
-              umount -v /sys/fs/selinux
-            fi
-            ;;
-          Enforcing)
-            mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
-            setenforce 1
-            ;;
-          Permissive)
-            mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
-            setenforce 0
-            ;;
-          *)
-            echo "SELinux mode not supported: ${SELINUX}" >&2
-            exit 1
-            ;;
-        esac
-
-        echo SELinux is $(getenforce)
-    SHELL
-  end
-end
--- a/cmd/hauler/boringcrypto.go
+++ b/cmd/hauler/boringcrypto.go
@@ -0,0 +1,6 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package main
+
+import _ "crypto/tls/fipsonly"
--- a/cmd/hauler/cli/cli.go
+++ b/cmd/hauler/cli/cli.go
@@ -2,33 +2,24 @@ package cli

 import (
 	"context"
-	"errors"
-	"os"
-	"path/filepath"

+	cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd"
 	"github.com/spf13/cobra"
-
-	"github.com/rancherfederal/hauler/pkg/cache"
-	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/store"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/log"
 )

-type rootOpts struct {
-	logLevel string
-	cacheDir string
-	storeDir string
-}
-
-const defaultStoreLocation = "haul"
-
-var ro = &rootOpts{}
-
-func New() *cobra.Command {
+func New(ctx context.Context, ro *flags.CliRootOpts) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "hauler",
-		Short: "",
+		Use:     "hauler",
+		Short:   "Airgap Swiss Army Knife",
+		Example: "  View the Docs: https://docs.hauler.dev\n  Environment Variables: " + consts.HaulerDir + " | " + consts.HaulerTempDir + " | " + consts.HaulerStoreDir + " | " + consts.HaulerIgnoreErrors + "\n  Warnings: Hauler commands and flags marked with (EXPERIMENTAL) are not yet stable and may change in the future.",
 		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			log.FromContext(cmd.Context()).SetLevel(ro.logLevel)
+			l := log.FromContext(ctx)
+			l.SetLevel(ro.LogLevel)
+			l.Debugf("running cli command [%s]", cmd.CommandPath())
+
 			return nil
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -36,76 +27,13 @@ func New() *cobra.Command {
 		},
 	}

-	pf := cmd.PersistentFlags()
-	pf.StringVarP(&ro.logLevel, "log-level", "l", "info", "")
-	pf.StringVar(&ro.cacheDir, "cache", "", "Location of where to store cache data (defaults to $XDG_CACHE_DIR/hauler)")
-	pf.StringVarP(&ro.storeDir, "store", "s", "", "Location to create store at (defaults to $PWD/store)")
+	flags.AddRootFlags(cmd, ro)

-	// Add subcommands
-	addDownload(cmd)
-	addStore(cmd)
-	addVersion(cmd)
+	cmd.AddCommand(cranecmd.NewCmdAuthLogin("hauler"))
+	cmd.AddCommand(cranecmd.NewCmdAuthLogout("hauler"))
+	addStore(cmd, ro)
+	addVersion(cmd, ro)
+	addCompletion(cmd, ro)

 	return cmd
 }
-
-func (o *rootOpts) getStore(ctx context.Context) (*store.Store, error) {
-	lgr := log.FromContext(ctx)
-	dir := o.storeDir
-
-	if dir == "" {
-		lgr.Debugf("no store path specified, defaulting to $PWD/store")
-		pwd, err := os.Getwd()
-		if err != nil {
-			return nil, err
-		}
-
-		dir = filepath.Join(pwd, defaultStoreLocation)
-	}
-
-	abs, err := filepath.Abs(dir)
-	if err != nil {
-		return nil, err
-	}
-
-	lgr.Debugf("using store at %s", abs)
-	if _, err := os.Stat(abs); errors.Is(err, os.ErrNotExist) {
-		err := os.Mkdir(abs, os.ModePerm)
-		if err != nil {
-			return nil, err
-		}
-	} else if err != nil {
-		return nil, err
-	}
-
-	// TODO: Do we want this to be configurable?
-	c, err := o.getCache(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	s := store.NewStore(ctx, abs, store.WithCache(c))
-	return s, nil
-}
-
-func (o *rootOpts) getCache(ctx context.Context) (cache.Cache, error) {
-	dir := o.cacheDir
-
-	if dir == "" {
-		// Default to $XDG_CACHE_DIR
-		cachedir, err := os.UserCacheDir()
-		if err != nil {
-			return nil, err
-		}
-
-		abs, _ := filepath.Abs(filepath.Join(cachedir, "hauler"))
-		if err := os.MkdirAll(abs, os.ModePerm); err != nil {
-			return nil, err
-		}
-
-		dir = abs
-	}
-
-	c := cache.NewFilesystem(dir)
-	return c, nil
-}
--- a/cmd/hauler/cli/completion.go
+++ b/cmd/hauler/cli/completion.go
@@ -0,0 +1,116 @@
+package cli
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"hauler.dev/go/hauler/internal/flags"
+)
+
+func addCompletion(parent *cobra.Command, ro *flags.CliRootOpts) {
+	cmd := &cobra.Command{
+		Use:   "completion",
+		Short: "Generate auto-completion scripts for various shells",
+	}
+
+	cmd.AddCommand(
+		addCompletionZsh(ro),
+		addCompletionBash(ro),
+		addCompletionFish(ro),
+		addCompletionPowershell(ro),
+	)
+
+	parent.AddCommand(cmd)
+}
+
+func addCompletionZsh(ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "zsh",
+		Short: "Generates auto-completion scripts for zsh",
+		Example: `To load completion run
+
+	. <(hauler completion zsh)
+
+	To configure your zsh shell to load completions for each session add to your zshrc
+
+	# ~/.zshrc or ~/.profile
+	command -v hauler >/dev/null && . <(hauler completion zsh)
+
+	or write a cached file in one of the completion directories in your ${fpath}:
+
+	echo "${fpath// /\n}" | grep -i completion
+	hauler completion zsh > _hauler
+
+	mv _hauler ~/.oh-my-zsh/completions  # oh-my-zsh
+	mv _hauler ~/.zprezto/modules/completion/external/src/  # zprezto`,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Root().GenZshCompletion(os.Stdout)
+			// Cobra doesn't source zsh completion file, explicitly doing it here
+			fmt.Println("compdef _hauler hauler")
+		},
+	}
+	return cmd
+}
+
+func addCompletionBash(ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "bash",
+		Short: "Generates auto-completion scripts for bash",
+		Example: `To load completion run
+
+	. <(hauler completion bash)
+
+	To configure your bash shell to load completions for each session add to your bashrc
+
+	# ~/.bashrc or ~/.profile
+	command -v hauler >/dev/null && . <(hauler completion bash)`,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Root().GenBashCompletion(os.Stdout)
+		},
+	}
+	return cmd
+}
+
+func addCompletionFish(ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "fish",
+		Short: "Generates auto-completion scripts for fish",
+		Example: `To configure your fish shell to load completions for each session write this script to your completions dir:
+
+	hauler completion fish > ~/.config/fish/completions/hauler.fish
+
+	See http://fishshell.com/docs/current/index.html#completion-own for more details`,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Root().GenFishCompletion(os.Stdout, true)
+		},
+	}
+	return cmd
+}
+
+func addCompletionPowershell(ro *flags.CliRootOpts) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "powershell",
+		Short: "Generates auto-completion scripts for powershell",
+		Example: `To load completion run
+
+	. <(hauler completion powershell)
+
+	To configure your powershell shell to load completions for each session add to your powershell profile
+
+	Windows:
+
+	cd "$env:USERPROFILE\Documents\WindowsPowerShell\Modules"
+	hauler completion powershell >> hauler-completion.ps1
+
+	Linux:
+
+	cd "${XDG_CONFIG_HOME:-"$HOME/.config/"}/powershell/modules"
+	hauler completion powershell >> hauler-completions.ps1`,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Root().GenPowerShellCompletion(os.Stdout)
+		},
+	}
+	return cmd
+}
--- a/cmd/hauler/cli/download.go
+++ b/cmd/hauler/cli/download.go
@@ -1,42 +0,0 @@
-package cli
-
-import (
-	"github.com/spf13/cobra"
-
-	"github.com/rancherfederal/hauler/cmd/hauler/cli/download"
-)
-
-func addDownload(parent *cobra.Command) {
-	o := &download.Opts{}
-
-	cmd := &cobra.Command{
-		Use:   "download",
-		Short: "Download OCI content from a registry and populate it on disk",
-		Long: `Locate OCI content based on it's reference in a compatible registry and download the contents to disk.
-
-Note that the content type determines it's format on disk.  Hauler's built in content types act as follows:
-
-	- File: as a file named after the pushed contents source name (ex: my-file.yaml:latest --> my-file.yaml)
-	- Image: as a .tar named after the image (ex: alpine:latest --> alpine:latest.tar)
-	- Chart: as a .tar.gz named after the chart (ex: loki:2.0.2 --> loki-2.0.2.tar.gz)`,
-		Example: `
-# Download a file
-hauler dl my-file.yaml:latest
-
-# Download an image
-hauler dl rancher/k3s:v1.22.2-k3s2
-
-# Download a chart
-hauler dl longhorn:1.2.0`,
-		Aliases: []string{"dl"},
-		Args:    cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, arg []string) error {
-			ctx := cmd.Context()
-
-			return download.Cmd(ctx, o, arg[0])
-		},
-	}
-	o.AddArgs(cmd)
-
-	parent.AddCommand(cmd)
-}
--- a/cmd/hauler/cli/download/download.go
+++ b/cmd/hauler/cli/download/download.go
@@ -1,141 +0,0 @@
-package download
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"path"
-
-	"github.com/containerd/containerd/remotes/docker"
-	"github.com/google/go-containerregistry/pkg/authn"
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/google/go-containerregistry/pkg/v1/tarball"
-	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/spf13/cobra"
-	"oras.land/oras-go/pkg/content"
-	"oras.land/oras-go/pkg/oras"
-
-	"github.com/rancherfederal/hauler/pkg/artifact/types"
-	"github.com/rancherfederal/hauler/pkg/log"
-)
-
-type Opts struct {
-	DestinationDir string
-	OutputFile     string
-}
-
-func (o *Opts) AddArgs(cmd *cobra.Command) {
-	f := cmd.Flags()
-
-	f.StringVar(&o.DestinationDir, "dir", "", "Directory to save contents to (defaults to current directory)")
-	f.StringVarP(&o.OutputFile, "output", "o", "", "(Optional) Override name of file to save.")
-}
-
-func Cmd(ctx context.Context, o *Opts, reference string) error {
-	lgr := log.FromContext(ctx)
-	lgr.Debugf("running command `hauler download`")
-
-	cs := content.NewFileStore(o.DestinationDir)
-	defer cs.Close()
-
-	ref, err := name.ParseReference(reference)
-	if err != nil {
-		return err
-	}
-
-	// resolver := docker.NewResolver(docker.ResolverOptions{})
-
-	desc, err := remote.Get(ref)
-	if err != nil {
-		return err
-	}
-
-	manifestData, err := desc.RawManifest()
-	if err != nil {
-		return err
-	}
-
-	var manifest ocispec.Manifest
-	if err := json.Unmarshal(manifestData, &manifest); err != nil {
-		return err
-	}
-
-	// TODO: These need to be factored out into each of the contents own logic
-	switch manifest.Config.MediaType {
-	case types.DockerConfigJSON, types.OCIManifestSchema1:
-		lgr.Infof("identified [image] (%s) content", manifest.Config.MediaType)
-		img, err := remote.Image(ref, remote.WithAuthFromKeychain(authn.DefaultKeychain))
-		if err != nil {
-			return err
-		}
-
-		outputFile := o.OutputFile
-		if outputFile == "" {
-			outputFile = fmt.Sprintf("%s:%s.tar", path.Base(ref.Context().RepositoryStr()), ref.Identifier())
-		}
-
-		if err := tarball.WriteToFile(outputFile, ref, img); err != nil {
-			return err
-		}
-
-		d, err := img.Digest()
-		if err != nil {
-			return err
-		}
-
-		lgr.Infof("downloaded image [%s] to [%s] with digest [%s]", ref.Name(), outputFile, d.String())
-
-	case types.FileConfigMediaType:
-		lgr.Infof("identified [file] (%s) content", manifest.Config.MediaType)
-
-		fs := content.NewFileStore(o.DestinationDir)
-
-		resolver := docker.NewResolver(docker.ResolverOptions{})
-		mdesc, descs, err := oras.Pull(ctx, resolver, ref.Name(), fs)
-		if err != nil {
-			return err
-		}
-
-		lgr.Infof("downloaded [%d] file(s) with digest [%s]", len(descs), mdesc)
-
-	case types.ChartLayerMediaType, types.ChartConfigMediaType:
-		lgr.Infof("identified [chart] (%s) content", manifest.Config.MediaType)
-
-		fs := content.NewFileStore(o.DestinationDir)
-
-		resolver := docker.NewResolver(docker.ResolverOptions{})
-		mdesc, descs, err := oras.Pull(ctx, resolver, ref.Name(), fs)
-		if err != nil {
-			return err
-		}
-
-		cn := path.Base(ref.Name())
-		for _, d := range descs {
-			if n, ok := d.Annotations[ocispec.AnnotationTitle]; ok {
-				cn = n
-			}
-		}
-
-		lgr.Infof("downloaded chart [%s] to [%s] with digest [%s]", ref.String(), cn, mdesc.Digest.String())
-
-	default:
-		return fmt.Errorf("unrecognized content type: %s", manifest.Config.MediaType)
-	}
-
-	return nil
-}
-
-func getManifest(ctx context.Context, ref string) (*remote.Descriptor, error) {
-	r, err := name.ParseReference(ref)
-	if err != nil {
-		return nil, fmt.Errorf("parsing reference %q: %v", ref, err)
-	}
-
-	desc, err := remote.Get(r, remote.WithContext(ctx))
-	if err != nil {
-		return nil, err
-	}
-
-	return desc, nil
-}
--- a/cmd/hauler/cli/download/download_test.go
+++ b/cmd/hauler/cli/download/download_test.go
@@ -1,38 +0,0 @@
-package download
-
-import (
-	"context"
-	"testing"
-)
-
-func TestCmd(t *testing.T) {
-	ctx := context.Background()
-
-	type args struct {
-		ctx       context.Context
-		o         *Opts
-		reference string
-	}
-	tests := []struct {
-		name    string
-		args    args
-		wantErr bool
-	}{
-		{
-			name: "should work",
-			args: args{
-				ctx:       ctx,
-				o:         &Opts{DestinationDir: ""},
-				reference: "localhost:3000/hauler/file.txt:latest",
-			},
-			wantErr: false,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := Cmd(tt.args.ctx, tt.args.o, tt.args.reference); (err != nil) != tt.wantErr {
-				t.Errorf("Cmd() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}
--- a/cmd/hauler/cli/store.go
+++ b/cmd/hauler/cli/store.go
@@ -1,49 +1,56 @@
 package cli

 import (
-	"github.com/spf13/cobra"
+	"fmt"

-	"github.com/rancherfederal/hauler/cmd/hauler/cli/store"
+	"github.com/spf13/cobra"
+	"helm.sh/helm/v3/pkg/action"
+
+	"hauler.dev/go/hauler/cmd/hauler/cli/store"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/log"
 )

-func addStore(parent *cobra.Command) {
+func addStore(parent *cobra.Command, ro *flags.CliRootOpts) {
+	rso := &flags.StoreRootOpts{}
+
 	cmd := &cobra.Command{
 		Use:     "store",
 		Aliases: []string{"s"},
-		Short:   "Interact with hauler's embedded content store",
+		Short:   "Interact with the content store",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cmd.Help()
 		},
 	}
+	rso.AddFlags(cmd)

 	cmd.AddCommand(
-		addStoreSync(),
-		addStoreExtract(),
-		addStoreLoad(),
-		addStoreSave(),
-		addStoreServe(),
-		addStoreList(),
-		addStoreCopy(),
-
-		// TODO: Remove this in favor of sync?
-		addStoreAdd(),
+		addStoreSync(rso, ro),
+		addStoreExtract(rso, ro),
+		addStoreLoad(rso, ro),
+		addStoreSave(rso, ro),
+		addStoreServe(rso, ro),
+		addStoreInfo(rso, ro),
+		addStoreCopy(rso, ro),
+		addStoreAdd(rso, ro),
+		addStoreRemove(rso, ro),
 	)

 	parent.AddCommand(cmd)
 }

-func addStoreExtract() *cobra.Command {
-	o := &store.ExtractOpts{}
+func addStoreExtract(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.ExtractOpts{StoreRootOpts: rso}

 	cmd := &cobra.Command{
 		Use:     "extract",
-		Short:   "Extract content from the store to disk",
+		Short:   "Extract artifacts from the content store to disk",
 		Aliases: []string{"x"},
 		Args:    cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := cmd.Context()

-			s, err := ro.getStore(ctx)
+			s, err := o.Store(ctx)
 			if err != nil {
 				return err
 			}
@@ -51,26 +58,44 @@ func addStoreExtract() *cobra.Command {
 			return store.ExtractCmd(ctx, o, s, args[0])
 		},
 	}
-	o.AddArgs(cmd)
+	o.AddFlags(cmd)

 	return cmd
 }

-func addStoreSync() *cobra.Command {
-	o := &store.SyncOpts{}
+func addStoreSync(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.SyncOpts{StoreRootOpts: rso}

 	cmd := &cobra.Command{
 		Use:   "sync",
-		Short: "Sync content to the embedded content store",
+		Short: "Sync content to the content store",
+		Args:  cobra.ExactArgs(0),
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			// warn if products or product-registry flag is used by the user
+			if cmd.Flags().Changed("products") {
+				log.FromContext(cmd.Context()).Warnf("!!! WARNING !!! [--products] will be updating its default registry in a future release.")
+			}
+			if cmd.Flags().Changed("product-registry") {
+				log.FromContext(cmd.Context()).Warnf("!!! WARNING !!! [--product-registry] will be updating its default registry in a future release.")
+			}
+			// check if the products flag was passed
+			if len(o.Products) > 0 {
+				// only clear the default if the user did not explicitly set it
+				if !cmd.Flags().Changed("filename") {
+					o.FileName = []string{}
+				}
+			}
+			return nil
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := cmd.Context()

-			s, err := ro.getStore(ctx)
+			s, err := o.Store(ctx)
 			if err != nil {
 				return err
 			}

-			return store.SyncCmd(ctx, o, s)
+			return store.SyncCmd(ctx, o, s, rso, ro)
 		},
 	}
 	o.AddFlags(cmd)
@@ -78,22 +103,23 @@ func addStoreSync() *cobra.Command {
 	return cmd
 }

-func addStoreLoad() *cobra.Command {
-	o := &store.LoadOpts{}
+func addStoreLoad(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.LoadOpts{StoreRootOpts: rso}

 	cmd := &cobra.Command{
 		Use:   "load",
 		Short: "Load a content store from a store archive",
-		Args:  cobra.MinimumNArgs(1),
+		Args:  cobra.ExactArgs(0),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := cmd.Context()

-			s, err := ro.getStore(ctx)
+			s, err := o.Store(ctx)
 			if err != nil {
 				return err
 			}
+			_ = s

-			return store.LoadCmd(ctx, o, s.DataDir, args...)
+			return store.LoadCmd(ctx, o, rso, ro)
 		},
 	}
 	o.AddFlags(cmd)
@@ -101,30 +127,70 @@ func addStoreLoad() *cobra.Command {
 	return cmd
 }

-func addStoreServe() *cobra.Command {
-	o := &store.ServeOpts{}
-
+func addStoreServe(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "serve",
-		Short: "Expose the content of a local store through an OCI compliant server",
+		Short: "Serve the content store via an OCI Compliant Registry or Fileserver",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+	cmd.AddCommand(
+		addStoreServeRegistry(rso, ro),
+		addStoreServeFiles(rso, ro),
+	)
+
+	return cmd
+}
+
+func addStoreServeRegistry(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.ServeRegistryOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "registry",
+		Short: "Serve the OCI Compliant Registry",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := cmd.Context()

-			s, err := ro.getStore(ctx)
+			s, err := o.Store(ctx)
 			if err != nil {
 				return err
 			}

-			return store.ServeCmd(ctx, o, s)
+			return store.ServeRegistryCmd(ctx, o, s, rso, ro)
 		},
 	}
+
 	o.AddFlags(cmd)

 	return cmd
 }

-func addStoreSave() *cobra.Command {
-	o := &store.SaveOpts{}
+func addStoreServeFiles(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.ServeFilesOpts{StoreRootOpts: rso}
+
+	cmd := &cobra.Command{
+		Use:   "fileserver",
+		Short: "Serve the Fileserver",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.ServeFilesCmd(ctx, o, s, ro)
+		},
+	}
+
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreSave(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.SaveOpts{StoreRootOpts: rso}

 	cmd := &cobra.Command{
 		Use:   "save",
@@ -133,36 +199,13 @@ func addStoreSave() *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := cmd.Context()

-			s, err := ro.getStore(ctx)
+			s, err := o.Store(ctx)
 			if err != nil {
 				return err
 			}
+			_ = s

-			return store.SaveCmd(ctx, o, o.FileName, s.DataDir)
-		},
-	}
-	o.AddArgs(cmd)
-
-	return cmd
-}
-
-func addStoreList() *cobra.Command {
-	o := &store.ListOpts{}
-
-	cmd := &cobra.Command{
-		Use:     "list",
-		Short:   "List all content references in a store",
-		Args:    cobra.ExactArgs(0),
-		Aliases: []string{"ls"},
-		RunE: func(cmd *cobra.Command, args []string) error {
-			ctx := cmd.Context()
-
-			s, err := ro.getStore(ctx)
-			if err != nil {
-				return err
-			}
-
-			return store.ListCmd(ctx, o, s)
+			return store.SaveCmd(ctx, o, rso, ro)
 		},
 	}
 	o.AddFlags(cmd)
@@ -170,22 +213,53 @@ func addStoreList() *cobra.Command {
 	return cmd
 }

-func addStoreCopy() *cobra.Command {
-	o := &store.CopyOpts{}
+func addStoreInfo(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.InfoOpts{StoreRootOpts: rso}
+
+	var allowedValues = []string{"image", "chart", "file", "sigs", "atts", "sbom", "all"}
+
+	cmd := &cobra.Command{
+		Use:     "info",
+		Short:   "Print out information about the store",
+		Args:    cobra.ExactArgs(0),
+		Aliases: []string{"i", "list", "ls"},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			for _, allowed := range allowedValues {
+				if o.TypeFilter == allowed {
+					return store.InfoCmd(ctx, o, s)
+				}
+			}
+			return fmt.Errorf("type must be one of %v", allowedValues)
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreCopy(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.CopyOpts{StoreRootOpts: rso}

 	cmd := &cobra.Command{
 		Use:   "copy",
-		Short: "Copy all store contents to another OCI registry",
+		Short: "Copy all store content to another location",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := cmd.Context()

-			s, err := ro.getStore(ctx)
+			s, err := o.Store(ctx)
 			if err != nil {
 				return err
 			}

-			return store.CopyCmd(ctx, o, s, args[0])
+			return store.CopyCmd(ctx, o, s, args[0], ro)
 		},
 	}
 	o.AddFlags(cmd)
@@ -193,35 +267,43 @@ func addStoreCopy() *cobra.Command {
 	return cmd
 }

-func addStoreAdd() *cobra.Command {
+func addStoreAdd(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "add",
-		Short: "Add content to store",
+		Short: "Add content to the store",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cmd.Help()
 		},
 	}

 	cmd.AddCommand(
-		addStoreAddFile(),
-		addStoreAddImage(),
-		addStoreAddChart(),
+		addStoreAddFile(rso, ro),
+		addStoreAddImage(rso, ro),
+		addStoreAddChart(rso, ro),
 	)

 	return cmd
 }

-func addStoreAddFile() *cobra.Command {
-	o := &store.AddFileOpts{}
+func addStoreAddFile(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.AddFileOpts{StoreRootOpts: rso}

 	cmd := &cobra.Command{
 		Use:   "file",
-		Short: "Add a file to the content store",
-		Args:  cobra.ExactArgs(1),
+		Short: "Add a file to the store",
+		Example: `# fetch local file
+hauler store add file file.txt
+
+# fetch remote file
+hauler store add file https://get.rke2.io/install.sh
+
+# fetch remote file and assign new name
+hauler store add file https://get.hauler.dev --name hauler-install.sh`,
+		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := cmd.Context()

-			s, err := ro.getStore(ctx)
+			s, err := o.Store(ctx)
 			if err != nil {
 				return err
 			}
@@ -234,52 +316,125 @@ func addStoreAddFile() *cobra.Command {
 	return cmd
 }

-func addStoreAddImage() *cobra.Command {
-	o := &store.AddImageOpts{}
+func addStoreAddImage(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.AddImageOpts{StoreRootOpts: rso}

 	cmd := &cobra.Command{
 		Use:   "image",
-		Short: "Add an image to the content store",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			ctx := cmd.Context()
+		Short: "Add a image to the store",
+		Example: `# fetch image
+hauler store add image busybox

-			s, err := ro.getStore(ctx)
-			if err != nil {
-				return err
-			}
+# fetch image with repository and tag
+hauler store add image library/busybox:stable

-			return store.AddImageCmd(ctx, o, s, args[0])
-		},
-	}
-	o.AddFlags(cmd)
+# fetch image with full image reference and specific platform
+hauler store add image ghcr.io/hauler-dev/hauler-debug:v1.2.0 --platform linux/amd64

-	return cmd
-}
+# fetch image with full image reference via digest
+hauler store add image gcr.io/distroless/base@sha256:7fa7445dfbebae4f4b7ab0e6ef99276e96075ae42584af6286ba080750d6dfe5

-func addStoreAddChart() *cobra.Command {
-	o := &store.AddChartOpts{}
+# fetch image with full image reference, specific platform, and signature verification
+curl -sfOL https://raw.githubusercontent.com/rancherfederal/carbide-releases/main/carbide-key.pub
+hauler store add image rgcrprod.azurecr.us/rancher/rke2-runtime:v1.31.5-rke2r1 --platform linux/amd64 --key carbide-key.pub

-	cmd := &cobra.Command{
-		Use:   "chart",
-		Short: "Add a chart to the content store",
-		Example: `
-# add a chart
-hauler store add chart longhorn --repo "https://charts.longhorn.io"
-
-# add a specific version of a chart
-hauler store add chart rancher --repo "https://releases.rancher.com/server-charts/latest" --version "2.6.2"
-`,
+# fetch image and rewrite path
+hauler store add image busybox --rewrite custom-path/busybox:latest`,
 		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			ctx := cmd.Context()

-			s, err := ro.getStore(ctx)
+			s, err := o.Store(ctx)
 			if err != nil {
 				return err
 			}

-			return store.AddChartCmd(ctx, o, s, args[0])
+			return store.AddImageCmd(ctx, o, s, args[0], rso, ro)
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreAddChart(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.AddChartOpts{StoreRootOpts: rso, ChartOpts: &action.ChartPathOptions{}}
+
+	cmd := &cobra.Command{
+		Use:   "chart",
+		Short: "Add a helm chart to the store",
+		Example: `# fetch local helm chart
+hauler store add chart path/to/chart/directory --repo .
+
+# fetch local compressed helm chart
+hauler store add chart path/to/chart.tar.gz --repo .
+
+# fetch remote oci helm chart
+hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev
+
+# fetch remote oci helm chart with version
+hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev --version 1.2.0
+
+# fetch remote helm chart
+hauler store add chart rancher --repo https://releases.rancher.com/server-charts/stable
+
+# fetch remote helm chart with specific version
+hauler store add chart rancher --repo https://releases.rancher.com/server-charts/latest --version 2.10.1
+
+# fetch remote helm chart and rewrite path
+hauler store add chart hauler-helm --repo oci://ghcr.io/hauler-dev --rewrite custom-path/hauler-chart:latest`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := o.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.AddChartCmd(ctx, o, s, args[0], rso, ro)
+		},
+	}
+	o.AddFlags(cmd)
+
+	return cmd
+}
+
+func addStoreRemove(rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *cobra.Command {
+	o := &flags.RemoveOpts{}
+	cmd := &cobra.Command{
+		Use:   "remove <artifact-ref>",
+		Short: "(EXPERIMENTAL) Remove an artifact from the content store",
+		Example: `# remove an image using full store reference
+hauler store info
+hauler store remove index.docker.io/library/busybox:stable
+
+# remove a chart using full store reference
+hauler store info
+hauler store remove hauler/rancher:2.8.4
+
+# remove a file using full store reference
+hauler store info
+hauler store remove hauler/rke2-install.sh
+
+# remove any artifact with the latest tag
+hauler store remove :latest
+
+# remove any artifact with 'busybox' in the reference
+hauler store remove busybox
+
+# force remove without verification
+hauler store remove busybox:latest --force`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			s, err := rso.Store(ctx)
+			if err != nil {
+				return err
+			}
+
+			return store.RemoveCmd(ctx, o, s, args[0])
 		},
 	}
 	o.AddFlags(cmd)
--- a/cmd/hauler/cli/store/add.go
+++ b/cmd/hauler/cli/store/add.go
@@ -2,178 +2,601 @@ package store

 import (
 	"context"
+	"fmt"
+	"os"
 	"path/filepath"
+	"regexp"
+	"slices"
+	"strings"

 	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/spf13/cobra"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	helmchart "helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/engine"
+	"k8s.io/apimachinery/pkg/util/yaml"

-	"github.com/rancherfederal/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
-	"github.com/rancherfederal/hauler/pkg/content/chart"
-	"github.com/rancherfederal/hauler/pkg/content/file"
-	"github.com/rancherfederal/hauler/pkg/content/image"
-	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/store"
+	"hauler.dev/go/hauler/internal/flags"
+	v1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
+	"hauler.dev/go/hauler/pkg/artifacts/file"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/content/chart"
+	"hauler.dev/go/hauler/pkg/cosign"
+	"hauler.dev/go/hauler/pkg/getter"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/reference"
+	"hauler.dev/go/hauler/pkg/store"
 )

-type AddFileOpts struct {
-	Name string
-}
-
-func (o *AddFileOpts) AddFlags(cmd *cobra.Command) {
-	f := cmd.Flags()
-	f.StringVarP(&o.Name, "name", "n", "", "(Optional) Name to assign to file in store")
-}
-
-func AddFileCmd(ctx context.Context, o *AddFileOpts, s *store.Store, reference string) error {
-	lgr := log.FromContext(ctx)
-	lgr.Debugf("running cli command `hauler store add`")
-
-	s.Open()
-	defer s.Close()
-
-	cfg := v1alpha1.File{
-		Ref:  reference,
-		Name: o.Name,
+func AddFileCmd(ctx context.Context, o *flags.AddFileOpts, s *store.Layout, reference string) error {
+	cfg := v1.File{
+		Path: reference,
+	}
+	if len(o.Name) > 0 {
+		cfg.Name = o.Name
 	}
-
 	return storeFile(ctx, s, cfg)
 }

-func storeFile(ctx context.Context, s *store.Store, fi v1alpha1.File) error {
-	lgr := log.FromContext(ctx)
+func storeFile(ctx context.Context, s *store.Layout, fi v1.File) error {
+	l := log.FromContext(ctx)

-	if fi.Name == "" {
-		base := filepath.Base(fi.Ref)
-		fi.Name = filepath.Base(fi.Ref)
-		lgr.Warnf("no name specified for file reference [%s], using base filepath: [%s]", fi.Ref, base)
+	copts := getter.ClientOptions{
+		NameOverride: fi.Name,
 	}

-	oci, err := file.NewFile(fi.Ref, fi.Name)
+	f := file.NewFile(fi.Path, file.WithClient(getter.NewClient(copts)))
+	ref, err := reference.NewTagged(f.Name(fi.Path), consts.DefaultTag)
 	if err != nil {
 		return err
 	}

-	ref, err := name.ParseReference(fi.Name, name.WithDefaultRegistry(""))
+	l.Infof("adding file [%s] to the store as [%s]", fi.Path, ref.Name())
+	_, err = s.AddOCI(ctx, f, ref.Name())
 	if err != nil {
 		return err
 	}

-	desc, err := s.AddArtifact(ctx, oci, ref)
-	if err != nil {
-		return err
-	}
+	l.Infof("successfully added file [%s]", ref.Name())

-	lgr.Infof("added file [%s] to store at [%s] with manifest digest [%s]", fi.Ref, ref.Name(), desc.Digest.String())
 	return nil
 }

-type AddImageOpts struct {
-	Name string
+func AddImageCmd(ctx context.Context, o *flags.AddImageOpts, s *store.Layout, reference string, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+
+	cfg := v1.Image{
+		Name:    reference,
+		Rewrite: o.Rewrite,
+	}
+
+	// Check if the user provided a key.
+	if o.Key != "" {
+		// verify signature using the provided key.
+		err := cosign.VerifySignature(ctx, s, o.Key, o.Tlog, cfg.Name, rso, ro)
+		if err != nil {
+			return err
+		}
+		l.Infof("signature verified for image [%s]", cfg.Name)
+	} else if o.CertIdentityRegexp != "" || o.CertIdentity != "" {
+		// verify signature using keyless details
+		l.Infof("verifying keyless signature for [%s]", cfg.Name)
+		err := cosign.VerifyKeylessSignature(ctx, s, o.CertIdentity, o.CertIdentityRegexp, o.CertOidcIssuer, o.CertOidcIssuerRegexp, o.CertGithubWorkflowRepository, o.Tlog, cfg.Name, rso, ro)
+		if err != nil {
+			return err
+		}
+		l.Infof("keyless signature verified for image [%s]", cfg.Name)
+	}
+
+	return storeImage(ctx, s, cfg, o.Platform, rso, ro, o.Rewrite)
 }

-func (o *AddImageOpts) AddFlags(cmd *cobra.Command) {
-	f := cmd.Flags()
-	_ = f
-}
+func storeImage(ctx context.Context, s *store.Layout, i v1.Image, platform string, rso *flags.StoreRootOpts, ro *flags.CliRootOpts, rewrite string) error {
+	l := log.FromContext(ctx)

-func AddImageCmd(ctx context.Context, o *AddImageOpts, s *store.Store, reference string) error {
-	lgr := log.FromContext(ctx)
-	lgr.Debugf("running cli command `hauler store add image`")
-
-	s.Open()
-	defer s.Close()
-
-	cfg := v1alpha1.Image{
-		Ref: reference,
+	if !ro.IgnoreErrors {
+		envVar := os.Getenv(consts.HaulerIgnoreErrors)
+		if envVar == "true" {
+			ro.IgnoreErrors = true
+		}
 	}

-	return storeImage(ctx, s, cfg)
-}
+	l.Infof("adding image [%s] to the store", i.Name)

-func storeImage(ctx context.Context, s *store.Store, i v1alpha1.Image) error {
-	lgr := log.FromContext(ctx)
-
-	oci, err := image.NewImage(i.Ref)
+	r, err := name.ParseReference(i.Name)
 	if err != nil {
-		return err
+		if ro.IgnoreErrors {
+			l.Warnf("unable to parse image [%s]: %v... skipping...", i.Name, err)
+			return nil
+		} else {
+			l.Errorf("unable to parse image [%s]: %v", i.Name, err)
+			return err
+		}
 	}

-	ref, err := name.ParseReference(i.Ref)
+	// copy and sig verification
+	err = cosign.SaveImage(ctx, s, r.Name(), platform, rso, ro)
 	if err != nil {
-		return err
+		if ro.IgnoreErrors {
+			l.Warnf("unable to add image [%s] to store: %v... skipping...", r.Name(), err)
+			return nil
+		} else {
+			l.Errorf("unable to add image [%s] to store: %v", r.Name(), err)
+			return err
+		}
 	}

-	desc, err := s.AddArtifact(ctx, oci, ref)
-	if err != nil {
-		return err
+	if rewrite != "" {
+		rewrite = strings.TrimPrefix(rewrite, "/")
+		if !strings.Contains(rewrite, ":") {
+			rewrite = strings.Join([]string{rewrite, r.(name.Tag).TagStr()}, ":")
+		}
+		// rename image name in store
+		newRef, err := name.ParseReference(rewrite)
+		if err != nil {
+			l.Errorf("unable to parse rewrite name: %w", err)
+		}
+		rewriteReference(ctx, s, r, newRef)
 	}

-	lgr.Infof("added image [%s] to store at [%s] with manifest digest [%s]", i.Ref, ref.Context().RepositoryStr(), desc.Digest.String())
+	l.Infof("successfully added image [%s]", r.Name())
 	return nil
 }

-type AddChartOpts struct {
-	Version string
-	RepoURL string
+func rewriteReference(ctx context.Context, s *store.Layout, oldRef name.Reference, newRef name.Reference) error {
+	l := log.FromContext(ctx)
+
+	l.Infof("rewriting [%s] to [%s]", oldRef.Name(), newRef.Name())
+
+	s.OCI.LoadIndex()
+
+	//TODO: improve string manipulation
+	oldRefContext := oldRef.Context()
+	newRefContext := newRef.Context()
+
+	oldRepo := oldRefContext.RepositoryStr()
+	newRepo := newRefContext.RepositoryStr()
+	oldTag := oldRef.(name.Tag).TagStr()
+	newTag := newRef.(name.Tag).TagStr()
+	oldRegistry := strings.TrimPrefix(oldRefContext.RegistryStr(), "index.")
+	newRegistry := strings.TrimPrefix(newRefContext.RegistryStr(), "index.")
+
+	oldTotal := oldRepo + ":" + oldTag
+	newTotal := newRepo + ":" + newTag
+	oldTotalReg := oldRegistry + "/" + oldTotal
+	newTotalReg := newRegistry + "/" + newTotal
+
+	//find and update reference
+	found := false
+	if err := s.OCI.Walk(func(k string, d ocispec.Descriptor) error {
+		if d.Annotations[ocispec.AnnotationRefName] == oldTotal && d.Annotations[consts.ContainerdImageNameKey] == oldTotalReg {
+			d.Annotations[ocispec.AnnotationRefName] = newTotal
+			d.Annotations[consts.ContainerdImageNameKey] = newTotalReg
+			found = true
+		}
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if !found {
+		return fmt.Errorf("could not find image [%s] in store", oldRef.Name())
+	}
+
+	return s.OCI.SaveIndex()

-	// TODO: Support helm auth
-	Username              string
-	Password              string
-	PassCredentialsAll    bool
-	CertFile              string
-	KeyFile               string
-	CaFile                string
-	InsecureSkipTLSverify bool
-	RepositoryConfig      string
-	RepositoryCache       string
 }

-func (o *AddChartOpts) AddFlags(cmd *cobra.Command) {
-	f := cmd.Flags()
-
-	f.StringVarP(&o.RepoURL, "repo", "r", "", "Chart repository URL")
-	f.StringVar(&o.Version, "version", "", "(Optional) Version of the chart to download, defaults to latest if not specified")
-}
-
-func AddChartCmd(ctx context.Context, o *AddChartOpts, s *store.Store, chartName string) error {
-	lgr := log.FromContext(ctx)
-	lgr.Debugf("running cli command `hauler store add chart`")
-
-	s.Open()
-	defer s.Close()
-
-	cfg := v1alpha1.Chart{
+func AddChartCmd(ctx context.Context, o *flags.AddChartOpts, s *store.Layout, chartName string, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	cfg := v1.Chart{
 		Name:    chartName,
-		RepoURL: o.RepoURL,
-		Version: o.Version,
+		RepoURL: o.ChartOpts.RepoURL,
+		Version: o.ChartOpts.Version,
 	}

-	return storeChart(ctx, s, cfg)
+	rewrite := ""
+	if o.Rewrite != "" {
+		rewrite = o.Rewrite
+	}
+	return storeChart(ctx, s, cfg, o, rso, ro, rewrite)
 }

-func storeChart(ctx context.Context, s *store.Store, ch v1alpha1.Chart) error {
-	lgr := log.FromContext(ctx)
+// unexported type for the context key to avoid collisions
+type isSubchartKey struct{}

-	oci, err := chart.NewChart(ch.Name, ch.RepoURL, ch.Version)
+// imageregex parses image references starting with "image:" and with optional spaces or optional quotes
+var imageRegex = regexp.MustCompile(`(?m)^[ \t]*image:[ \t]*['"]?([^\s'"#]+)`)
+
+// helmAnnotatedImage parses images references from helm chart annotations
+type helmAnnotatedImage struct {
+	Image string `yaml:"image"`
+	Name  string `yaml:"name,omitempty"`
+}
+
+// imagesFromChartAnnotations parses image references from helm chart annotations
+func imagesFromChartAnnotations(c *helmchart.Chart) ([]string, error) {
+	if c == nil || c.Metadata == nil || c.Metadata.Annotations == nil {
+		return nil, nil
+	}
+
+	// support multiple annotations
+	keys := []string{
+		"helm.sh/images",
+		"images",
+	}
+
+	var out []string
+	for _, k := range keys {
+		raw, ok := c.Metadata.Annotations[k]
+		if !ok || strings.TrimSpace(raw) == "" {
+			continue
+		}
+
+		var items []helmAnnotatedImage
+		if err := yaml.Unmarshal([]byte(raw), &items); err != nil {
+			return nil, fmt.Errorf("failed to parse helm chart annotation %q: %w", k, err)
+		}
+
+		for _, it := range items {
+			img := strings.TrimSpace(it.Image)
+			if img == "" {
+				continue
+			}
+			img = strings.TrimPrefix(img, "/")
+			out = append(out, img)
+		}
+	}
+
+	slices.Sort(out)
+	out = slices.Compact(out)
+
+	return out, nil
+}
+
+// imagesFromImagesLock parses image references from images lock files in the chart directory
+func imagesFromImagesLock(chartDir string) ([]string, error) {
+	var out []string
+
+	for _, name := range []string{
+		"images.lock",
+		"images-lock.yaml",
+		"images.lock.yaml",
+		".images.lock.yaml",
+	} {
+		p := filepath.Join(chartDir, name)
+		b, err := os.ReadFile(p)
+		if err != nil {
+			continue
+		}
+
+		matches := imageRegex.FindAllSubmatch(b, -1)
+		for _, m := range matches {
+			if len(m) > 1 {
+				out = append(out, string(m[1]))
+			}
+		}
+	}
+
+	if len(out) == 0 {
+		return nil, nil
+	}
+
+	for i := range out {
+		out[i] = strings.TrimPrefix(out[i], "/")
+	}
+	slices.Sort(out)
+	out = slices.Compact(out)
+	return out, nil
+}
+
+func applyDefaultRegistry(img string, defaultRegistry string) (string, error) {
+	img = strings.TrimSpace(strings.TrimPrefix(img, "/"))
+	if img == "" || defaultRegistry == "" {
+		return img, nil
+	}
+
+	ref, err := reference.Parse(img)
+	if err != nil {
+		return "", err
+	}
+
+	if ref.Context().RegistryStr() != "" {
+		return img, nil
+	}
+
+	newRef, err := reference.Relocate(img, defaultRegistry)
+	if err != nil {
+		return "", err
+	}
+
+	return newRef.Name(), nil
+}
+
+func storeChart(ctx context.Context, s *store.Layout, cfg v1.Chart, opts *flags.AddChartOpts, rso *flags.StoreRootOpts, ro *flags.CliRootOpts, rewrite string) error {
+	l := log.FromContext(ctx)
+
+	// subchart logging prefix
+	isSubchart := ctx.Value(isSubchartKey{}) == true
+	prefix := ""
+	if isSubchart {
+		prefix = "  ↳ "
+	}
+
+	// normalize chart name for logging
+	displayName := cfg.Name
+	if strings.Contains(cfg.Name, string(os.PathSeparator)) {
+		displayName = filepath.Base(cfg.Name)
+	}
+	l.Infof("%sadding chart [%s] to the store", prefix, displayName)
+
+	opts.ChartOpts.RepoURL = cfg.RepoURL
+	opts.ChartOpts.Version = cfg.Version
+
+	chrt, err := chart.NewChart(cfg.Name, opts.ChartOpts)
 	if err != nil {
 		return err
 	}

-	tag := ch.Version
-	if tag == "" {
-		tag = name.DefaultTag
-	}
-
-	ref, err := name.ParseReference(ch.Name, name.WithDefaultRegistry(""), name.WithDefaultTag(tag))
+	c, err := chrt.Load()
 	if err != nil {
 		return err
 	}

-	desc, err := s.AddArtifact(ctx, oci, ref)
+	ref, err := reference.NewTagged(c.Name(), c.Metadata.Version)
 	if err != nil {
 		return err
 	}

-	lgr.Infof("added chart [%s] to store at [%s:%s] with manifest digest [%s]", ch.Name, ref.Context().RepositoryStr(), ref.Identifier(), desc.Digest.String())
+	if _, err := s.AddOCI(ctx, chrt, ref.Name()); err != nil {
+		return err
+	}
+	if err := s.OCI.SaveIndex(); err != nil {
+		return err
+	}
+
+	l.Infof("%ssuccessfully added chart [%s:%s]", prefix, c.Name(), c.Metadata.Version)
+
+	tempOverride := rso.TempOverride
+	if tempOverride == "" {
+		tempOverride = os.Getenv(consts.HaulerTempDir)
+	}
+	tempDir, err := os.MkdirTemp(tempOverride, consts.DefaultHaulerTempDirName)
+	if err != nil {
+		return fmt.Errorf("failed to create temp dir: %w", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	chartPath := chrt.Path()
+	if strings.HasSuffix(chartPath, ".tgz") {
+		l.Debugf("%sextracting chart archive [%s]", prefix, filepath.Base(chartPath))
+		if err := chartutil.ExpandFile(tempDir, chartPath); err != nil {
+			return fmt.Errorf("failed to extract chart: %w", err)
+		}
+
+		// expanded chart should be in a directory matching the chart name
+		expectedChartDir := filepath.Join(tempDir, c.Name())
+		if _, err := os.Stat(expectedChartDir); err != nil {
+			return fmt.Errorf("chart archive did not expand into expected directory '%s': %w", c.Name(), err)
+		}
+		chartPath = expectedChartDir
+	}
+
+	// add-images
+	if opts.AddImages {
+		userValues := chartutil.Values{}
+		if opts.HelmValues != "" {
+			userValues, err = chartutil.ReadValuesFile(opts.HelmValues)
+			if err != nil {
+				return fmt.Errorf("failed to read helm values file [%s]: %w", opts.HelmValues, err)
+			}
+		}
+
+		// set helm default capabilities
+		caps := chartutil.DefaultCapabilities.Copy()
+
+		// only parse and override if provided kube version
+		if opts.KubeVersion != "" {
+			kubeVersion, err := chartutil.ParseKubeVersion(opts.KubeVersion)
+			if err != nil {
+				l.Warnf("%sinvalid kube-version [%s], using default kubernetes version", prefix, opts.KubeVersion)
+			} else {
+				caps.KubeVersion = *kubeVersion
+			}
+		}
+
+		values, err := chartutil.ToRenderValues(c, userValues, chartutil.ReleaseOptions{Namespace: "hauler"}, caps)
+		if err != nil {
+			return err
+		}
+
+		// helper for normalization and deduping slices
+		normalizeUniq := func(in []string) []string {
+			if len(in) == 0 {
+				return nil
+			}
+			for i := range in {
+				in[i] = strings.TrimPrefix(in[i], "/")
+			}
+			slices.Sort(in)
+			return slices.Compact(in)
+		}
+
+		// Collect images by method so we can debug counts
+		var (
+			templateImages   []string
+			annotationImages []string
+			lockImages       []string
+		)
+
+		// parse helm chart templates and values for images
+		rendered, err := engine.Render(c, values)
+		if err != nil {
+			// charts may fail due to values so still try helm chart annotations and lock
+			l.Warnf("%sfailed to render chart [%s]: %v", prefix, c.Name(), err)
+			rendered = map[string]string{}
+		}
+
+		for _, manifest := range rendered {
+			matches := imageRegex.FindAllStringSubmatch(manifest, -1)
+			for _, match := range matches {
+				if len(match) > 1 {
+					templateImages = append(templateImages, match[1])
+				}
+			}
+		}
+
+		// parse helm chart annotations for images
+		annotationImages, err = imagesFromChartAnnotations(c)
+		if err != nil {
+			l.Warnf("%sfailed to parse helm chart annotation for [%s:%s]: %v", prefix, c.Name(), c.Metadata.Version, err)
+			annotationImages = nil
+		}
+
+		// parse images lock files for images
+		lockImages, err = imagesFromImagesLock(chartPath)
+		if err != nil {
+			l.Warnf("%sfailed to parse images lock: %v", prefix, err)
+			lockImages = nil
+		}
+
+		// normalization and deduping the slices
+		templateImages = normalizeUniq(templateImages)
+		annotationImages = normalizeUniq(annotationImages)
+		lockImages = normalizeUniq(lockImages)
+
+		// merge all sources then final dedupe
+		images := append(append(templateImages, annotationImages...), lockImages...)
+		images = normalizeUniq(images)
+
+		l.Debugf("%simage references identified for helm template: [%d] image(s)", prefix, len(templateImages))
+
+		l.Debugf("%simage references identified for helm chart annotations: [%d] image(s)", prefix, len(annotationImages))
+
+		l.Debugf("%simage references identified for helm image lock file: [%d] image(s)", prefix, len(lockImages))
+		l.Debugf("%ssuccessfully parsed and deduped image references: [%d] image(s)", prefix, len(images))
+
+		l.Debugf("%ssuccessfully parsed image references %v", prefix, images)
+
+		if len(images) > 0 {
+			l.Infof("%s  ↳ identified [%d] image(s) in [%s:%s]", prefix, len(images), c.Name(), c.Metadata.Version)
+		}
+
+		for _, image := range images {
+			image, err := applyDefaultRegistry(image, opts.Registry)
+			if err != nil {
+				if ro.IgnoreErrors {
+					l.Warnf("%s  ↳ unable to apply registry to image [%s]: %v... skipping...", prefix, image, err)
+					continue
+				}
+				return fmt.Errorf("unable to apply registry to image [%s]: %w", image, err)
+			}
+
+			imgCfg := v1.Image{Name: image}
+			if err := storeImage(ctx, s, imgCfg, opts.Platform, rso, ro, ""); err != nil {
+				if ro.IgnoreErrors {
+					l.Warnf("%s  ↳ failed to store image [%s]: %v... skipping...", prefix, image, err)
+					continue
+				}
+				return fmt.Errorf("failed to store image [%s]: %w", image, err)
+			}
+			s.OCI.LoadIndex()
+			if err := s.OCI.SaveIndex(); err != nil {
+				return err
+			}
+		}
+	}
+
+	// add-dependencies
+	if opts.AddDependencies && len(c.Metadata.Dependencies) > 0 {
+		for _, dep := range c.Metadata.Dependencies {
+			l.Infof("%sadding dependent chart [%s:%s]", prefix, dep.Name, dep.Version)
+
+			depOpts := *opts
+			depOpts.AddDependencies = true
+			depOpts.AddImages = true
+			subCtx := context.WithValue(ctx, isSubchartKey{}, true)
+
+			var depCfg v1.Chart
+			var err error
+
+			if strings.HasPrefix(dep.Repository, "file://") {
+				subchartPath := filepath.Join(chartPath, "charts", dep.Name)
+
+				depCfg = v1.Chart{Name: subchartPath, RepoURL: "", Version: ""}
+				depOpts.ChartOpts.RepoURL = ""
+				depOpts.ChartOpts.Version = ""
+
+				err = storeChart(subCtx, s, depCfg, &depOpts, rso, ro, "")
+			} else {
+				depCfg = v1.Chart{Name: dep.Name, RepoURL: dep.Repository, Version: dep.Version}
+				depOpts.ChartOpts.RepoURL = dep.Repository
+				depOpts.ChartOpts.Version = dep.Version
+
+				err = storeChart(subCtx, s, depCfg, &depOpts, rso, ro, "")
+			}
+
+			if err != nil {
+				if ro.IgnoreErrors {
+					l.Warnf("%s  ↳ failed to add dependent chart [%s]: %v... skipping...", prefix, dep.Name, err)
+				} else {
+					l.Errorf("%s  ↳ failed to add dependent chart [%s]: %v", prefix, dep.Name, err)
+					return err
+				}
+			}
+		}
+	}
+
+	// chart rewrite functionality
+	if rewrite != "" {
+		rewrite = strings.TrimPrefix(rewrite, "/")
+		newRef, err := name.ParseReference(rewrite)
+		if err != nil {
+			// error... don't continue with a bad reference
+			return fmt.Errorf("unable to parse rewrite name [%s]: %w", rewrite, err)
+		}
+
+		// if rewrite omits a tag... keep the existing tag
+		oldTag := ref.(name.Tag).TagStr()
+		if !strings.Contains(rewrite, ":") {
+			rewrite = strings.Join([]string{rewrite, oldTag}, ":")
+			newRef, err = name.ParseReference(rewrite)
+			if err != nil {
+				return fmt.Errorf("unable to parse rewrite name [%s]: %w", rewrite, err)
+			}
+		}
+
+		// rename chart name in store
+		s.OCI.LoadIndex()
+
+		oldRefContext := ref.Context()
+		newRefContext := newRef.Context()
+
+		oldRepo := oldRefContext.RepositoryStr()
+		newRepo := newRefContext.RepositoryStr()
+		newTag := newRef.(name.Tag).TagStr()
+
+		oldTotal := oldRepo + ":" + oldTag
+		newTotal := newRepo + ":" + newTag
+
+		found := false
+		if err := s.OCI.Walk(func(k string, d ocispec.Descriptor) error {
+			if d.Annotations[ocispec.AnnotationRefName] == oldTotal {
+				d.Annotations[ocispec.AnnotationRefName] = newTotal
+				found = true
+			}
+			return nil
+		}); err != nil {
+			return err
+		}
+
+		if !found {
+			return fmt.Errorf("could not find chart [%s] in store", ref.Name())
+		}
+
+		if err := s.OCI.SaveIndex(); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
--- a/cmd/hauler/cli/store/copy.go
+++ b/cmd/hauler/cli/store/copy.go
@@ -2,57 +2,52 @@ package store

 import (
 	"context"
+	"fmt"
+	"strings"

-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/spf13/cobra"
+	"oras.land/oras-go/pkg/content"

-	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/store"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/cosign"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/store"
 )

-type CopyOpts struct{}
+func CopyCmd(ctx context.Context, o *flags.CopyOpts, s *store.Layout, targetRef string, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)

-func (o *CopyOpts) AddFlags(cmd *cobra.Command) {
-	f := cmd.Flags()
-	_ = f
-
-	// TODO: Regex matching
-}
-
-func CopyCmd(ctx context.Context, o *CopyOpts, s *store.Store, registry string) error {
-	lgr := log.FromContext(ctx)
-	lgr.Debugf("running cli command `hauler store copy`")
-
-	s.Open()
-	defer s.Close()
-
-	refs, err := s.List(ctx)
-	if err != nil {
-		return err
+	if o.Username != "" || o.Password != "" {
+		return fmt.Errorf("--username/--password have been deprecated, please use 'hauler login'")
 	}

-	for _, r := range refs {
-		ref, err := name.ParseReference(r, name.WithDefaultRegistry(s.Registry()))
+	components := strings.SplitN(targetRef, "://", 2)
+	switch components[0] {
+	case "dir":
+		l.Debugf("identified directory target reference of [%s]", components[1])
+		fs := content.NewFile(components[1])
+		defer fs.Close()
+
+		_, err := s.CopyAll(ctx, fs, nil)
 		if err != nil {
 			return err
 		}

-		o, err := remote.Image(ref)
+	case "registry":
+		l.Debugf("identified registry target reference of [%s]", components[1])
+		ropts := content.RegistryOptions{
+			Insecure:  o.Insecure,
+			PlainHTTP: o.PlainHTTP,
+		}
+
+		err := cosign.LoadImages(ctx, s, components[1], o.Only, ropts, ro)
 		if err != nil {
 			return err
 		}

-		rref, err := name.ParseReference(r, name.WithDefaultRegistry(registry))
-		if err != nil {
-			return err
-		}
-
-		lgr.Infof("relocating [%s] -> [%s]", ref.Name(), rref.Name())
-		if err := remote.Write(rref, o); err != nil {
-			return err
-		}
+	default:
+		return fmt.Errorf("detecting protocol from [%s]", targetRef)
 	}

+	l.Infof("copied artifacts to [%s]", components[1])
 	return nil
 }
--- a/cmd/hauler/cli/store/extract.go
+++ b/cmd/hauler/cli/store/extract.go
@@ -2,40 +2,68 @@ package store

 import (
 	"context"
+	"encoding/json"
+	"fmt"
+	"strings"

-	"github.com/spf13/cobra"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

-	"github.com/rancherfederal/hauler/cmd/hauler/cli/download"
-	"github.com/rancherfederal/hauler/pkg/layout"
-	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/store"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/internal/mapper"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/reference"
+	"hauler.dev/go/hauler/pkg/store"
 )

-type ExtractOpts struct {
-	DestinationDir string
-}
-
-func (o *ExtractOpts) AddArgs(cmd *cobra.Command) {
-	f := cmd.Flags()
-
-	f.StringVar(&o.DestinationDir, "dir", "", "Directory to save contents to (defaults to current directory)")
-}
-
-func ExtractCmd(ctx context.Context, o *ExtractOpts, s *store.Store, reference string) error {
+func ExtractCmd(ctx context.Context, o *flags.ExtractOpts, s *store.Layout, ref string) error {
 	l := log.FromContext(ctx)
-	l.Debugf("running command `hauler store extract`")

-	s.Open()
-	defer s.Close()
-
-	eref, err := layout.RelocateReference(reference, s.Registry())
+	r, err := reference.Parse(ref)
 	if err != nil {
 		return err
 	}

-	gopts := &download.Opts{
-		DestinationDir: o.DestinationDir,
+	// use the repository from the context and the identifier from the reference
+	repo := r.Context().RepositoryStr() + ":" + r.Identifier()
+
+	found := false
+	if err := s.Walk(func(reference string, desc ocispec.Descriptor) error {
+		if !strings.Contains(reference, repo) {
+			return nil
+		}
+		found = true
+
+		rc, err := s.Fetch(ctx, desc)
+		if err != nil {
+			return err
+		}
+		defer rc.Close()
+
+		var m ocispec.Manifest
+		if err := json.NewDecoder(rc).Decode(&m); err != nil {
+			return err
+		}
+
+		mapperStore, err := mapper.FromManifest(m, o.DestinationDir)
+		if err != nil {
+			return err
+		}
+
+		pushedDesc, err := s.Copy(ctx, reference, mapperStore, "")
+		if err != nil {
+			return err
+		}
+
+		l.Infof("extracted [%s] from store with digest [%s]", pushedDesc.MediaType, pushedDesc.Digest.String())
+
+		return nil
+	}); err != nil {
+		return err
 	}

-	return download.Cmd(ctx, gopts, eref.Name())
+	if !found {
+		return fmt.Errorf("reference [%s] not found in store (hint: use `hauler store info` to list store contents)", ref)
+	}
+
+	return nil
 }
--- a/cmd/hauler/cli/store/info.go
+++ b/cmd/hauler/cli/store/info.go
@@ -0,0 +1,347 @@
+package store
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/olekukonko/tablewriter"
+	"github.com/olekukonko/tablewriter/tw"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/reference"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+func InfoCmd(ctx context.Context, o *flags.InfoOpts, s *store.Layout) error {
+	var items []item
+	if err := s.Walk(func(ref string, desc ocispec.Descriptor) error {
+		if _, ok := desc.Annotations[ocispec.AnnotationRefName]; !ok {
+			return nil
+		}
+		rc, err := s.Fetch(ctx, desc)
+		if err != nil {
+			return err
+		}
+		defer rc.Close()
+
+		// handle multi-arch images
+		if desc.MediaType == consts.OCIImageIndexSchema || desc.MediaType == consts.DockerManifestListSchema2 {
+			var idx ocispec.Index
+			if err := json.NewDecoder(rc).Decode(&idx); err != nil {
+				return err
+			}
+
+			for _, internalDesc := range idx.Manifests {
+				rc, err := s.Fetch(ctx, internalDesc)
+				if err != nil {
+					return err
+				}
+				defer rc.Close()
+
+				var internalManifest ocispec.Manifest
+				if err := json.NewDecoder(rc).Decode(&internalManifest); err != nil {
+					return err
+				}
+
+				i := newItemWithDigest(
+					s,
+					internalDesc.Digest.String(),
+					desc,
+					internalManifest,
+					fmt.Sprintf("%s/%s", internalDesc.Platform.OS, internalDesc.Platform.Architecture),
+					o,
+				)
+				var emptyItem item
+				if i != emptyItem {
+					items = append(items, i)
+				}
+			}
+
+			// handle "non" multi-arch images
+		} else if desc.MediaType == consts.DockerManifestSchema2 || desc.MediaType == consts.OCIManifestSchema1 {
+			var m ocispec.Manifest
+			if err := json.NewDecoder(rc).Decode(&m); err != nil {
+				return err
+			}
+
+			rc, err := s.FetchManifest(ctx, m)
+			if err != nil {
+				return err
+			}
+			defer rc.Close()
+
+			// unmarshal the oci image content
+			var internalManifest ocispec.Image
+			if err := json.NewDecoder(rc).Decode(&internalManifest); err != nil {
+				return err
+			}
+
+			if internalManifest.Architecture != "" {
+				i := newItem(s, desc, m,
+					fmt.Sprintf("%s/%s", internalManifest.OS, internalManifest.Architecture), o)
+				var emptyItem item
+				if i != emptyItem {
+					items = append(items, i)
+				}
+			} else {
+				i := newItem(s, desc, m, "-", o)
+				var emptyItem item
+				if i != emptyItem {
+					items = append(items, i)
+				}
+			}
+
+			// handle everything else (charts, files, sigs, etc.)
+		} else {
+			var m ocispec.Manifest
+			if err := json.NewDecoder(rc).Decode(&m); err != nil {
+				return err
+			}
+
+			i := newItem(s, desc, m, "-", o)
+			var emptyItem item
+			if i != emptyItem {
+				items = append(items, i)
+			}
+		}
+
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if o.ListRepos {
+		buildListRepos(items...)
+		return nil
+	}
+
+	// sort items by ref and arch
+	sort.Sort(byReferenceAndArch(items))
+
+	var msg string
+	switch o.OutputFormat {
+	case "json":
+		msg = buildJson(items...)
+		fmt.Println(msg)
+	default:
+		if err := buildTable(o.ShowDigests, items...); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func buildListRepos(items ...item) {
+	// create map to track unique repository names
+	repos := make(map[string]bool)
+
+	for _, i := range items {
+		repoName := ""
+		for j := 0; j < len(i.Reference); j++ {
+			if i.Reference[j] == '/' {
+				repoName = i.Reference[:j]
+				break
+			}
+		}
+		if repoName == "" {
+			repoName = i.Reference
+		}
+		repos[repoName] = true
+	}
+
+	// collect and print unique repository names
+	for repoName := range repos {
+		fmt.Println(repoName)
+	}
+}
+
+func buildTable(showDigests bool, items ...item) error {
+	table := tablewriter.NewTable(os.Stdout)
+	table.Configure(func(cfg *tablewriter.Config) {
+		cfg.Header.Alignment.Global = tw.AlignLeft
+		cfg.Row.Merging.Mode = tw.MergeVertical
+		cfg.Row.Merging.ByColumnIndex = tw.NewBoolMapper(0)
+	})
+
+	if showDigests {
+		table.Header("Reference", "Type", "Platform", "Digest", "# Layers", "Size")
+	} else {
+		table.Header("Reference", "Type", "Platform", "# Layers", "Size")
+	}
+
+	totalSize := int64(0)
+
+	for _, i := range items {
+		if i.Type == "" {
+			continue
+		}
+
+		ref := truncateReference(i.Reference)
+		var row []string
+
+		if showDigests {
+			digest := i.Digest
+			if digest == "" {
+				digest = "-"
+			}
+			row = []string{
+				ref,
+				i.Type,
+				i.Platform,
+				digest,
+				fmt.Sprintf("%d", i.Layers),
+				byteCountSI(i.Size),
+			}
+		} else {
+			row = []string{
+				ref,
+				i.Type,
+				i.Platform,
+				fmt.Sprintf("%d", i.Layers),
+				byteCountSI(i.Size),
+			}
+		}
+
+		totalSize += i.Size
+		if err := table.Append(row); err != nil {
+			return err
+		}
+	}
+
+	// align total column based on digest visibility
+	if showDigests {
+		table.Footer("", "", "", "", "Total", byteCountSI(totalSize))
+	} else {
+		table.Footer("", "", "", "Total", byteCountSI(totalSize))
+	}
+
+	return table.Render()
+}
+
+// truncateReference shortens the digest of a reference
+func truncateReference(ref string) string {
+	const prefix = "@sha256:"
+	idx := strings.Index(ref, prefix)
+	if idx == -1 {
+		return ref
+	}
+	if len(ref) > idx+len(prefix)+12 {
+		return ref[:idx+len(prefix)+12] + "…"
+	}
+	return ref
+}
+
+func buildJson(item ...item) string {
+	data, err := json.MarshalIndent(item, "", "  ")
+	if err != nil {
+		return ""
+	}
+	return string(data)
+}
+
+type item struct {
+	Reference string
+	Type      string
+	Platform  string
+	Digest    string
+	Layers    int
+	Size      int64
+}
+
+type byReferenceAndArch []item
+
+func (a byReferenceAndArch) Len() int      { return len(a) }
+func (a byReferenceAndArch) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+func (a byReferenceAndArch) Less(i, j int) bool {
+	if a[i].Reference == a[j].Reference {
+		if a[i].Type == "image" && a[j].Type == "image" {
+			return a[i].Platform < a[j].Platform
+		}
+		if a[i].Type == "image" {
+			return true
+		}
+		if a[j].Type == "image" {
+			return false
+		}
+		return a[i].Type < a[j].Type
+	}
+	return a[i].Reference < a[j].Reference
+}
+
+// overrides the digest with a specific per platform digest
+func newItemWithDigest(s *store.Layout, digestStr string, desc ocispec.Descriptor, m ocispec.Manifest, plat string, o *flags.InfoOpts) item {
+	item := newItem(s, desc, m, plat, o)
+	item.Digest = digestStr
+	return item
+}
+
+func newItem(s *store.Layout, desc ocispec.Descriptor, m ocispec.Manifest, plat string, o *flags.InfoOpts) item {
+	var size int64 = 0
+	for _, l := range m.Layers {
+		size += l.Size
+	}
+
+	// Generate a human-readable content type
+	var ctype string
+	switch m.Config.MediaType {
+	case consts.DockerConfigJSON:
+		ctype = "image"
+	case consts.ChartConfigMediaType:
+		ctype = "chart"
+	case consts.FileLocalConfigMediaType, consts.FileHttpConfigMediaType:
+		ctype = "file"
+	default:
+		ctype = "image"
+	}
+
+	switch desc.Annotations["kind"] {
+	case "dev.cosignproject.cosign/sigs":
+		ctype = "sigs"
+	case "dev.cosignproject.cosign/atts":
+		ctype = "atts"
+	case "dev.cosignproject.cosign/sboms":
+		ctype = "sbom"
+	}
+
+	refName := desc.Annotations["io.containerd.image.name"]
+	if refName == "" {
+		refName = desc.Annotations[ocispec.AnnotationRefName]
+	}
+	ref, err := reference.Parse(refName)
+	if err != nil {
+		return item{}
+	}
+
+	if o.TypeFilter != "all" && ctype != o.TypeFilter {
+		return item{}
+	}
+
+	return item{
+		Reference: ref.Name(),
+		Type:      ctype,
+		Platform:  plat,
+		Digest:    desc.Digest.String(),
+		Layers:    len(m.Layers),
+		Size:      size,
+	}
+}
+
+func byteCountSI(b int64) string {
+	const unit = 1000
+	if b < unit {
+		return fmt.Sprintf("%d B", b)
+	}
+	div, exp := int64(unit), 0
+	for n := b / unit; n >= unit; n /= unit {
+		div *= unit
+		exp++
+	}
+	return fmt.Sprintf("%.1f %cB",
+		float64(b)/float64(div), "kMGTPE"[exp])
+}
--- a/cmd/hauler/cli/store/list.go
+++ b/cmd/hauler/cli/store/list.go
@@ -1,52 +0,0 @@
-package store
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"text/tabwriter"
-
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/spf13/cobra"
-
-	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/store"
-)
-
-type ListOpts struct{}
-
-func (o *ListOpts) AddFlags(cmd *cobra.Command) {
-	f := cmd.Flags()
-	_ = f
-
-	// TODO: Regex matching
-}
-
-func ListCmd(ctx context.Context, o *ListOpts, s *store.Store) error {
-	lgr := log.FromContext(ctx)
-	lgr.Debugf("running cli command `hauler store list`")
-
-	s.Open()
-	defer s.Close()
-
-	refs, err := s.List(ctx)
-	if err != nil {
-		return err
-	}
-
-	// TODO: Just use a tabler library
-	tw := tabwriter.NewWriter(os.Stdout, 8, 12, 4, '\t', 0)
-	defer tw.Flush()
-
-	fmt.Fprintf(tw, "#\tReference\tIdentifier\n")
-	for i, r := range refs {
-		ref, err := name.ParseReference(r, name.WithDefaultRegistry(""))
-		if err != nil {
-			return err
-		}
-
-		fmt.Fprintf(tw, "%d\t%s\t%s\n", i, ref.Context().String(), ref.Identifier())
-	}
-
-	return nil
-}
--- a/cmd/hauler/cli/store/load.go
+++ b/cmd/hauler/cli/store/load.go
@@ -2,41 +2,151 @@ package store

 import (
 	"context"
+	"encoding/json"
+	"io"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"

-	"github.com/mholt/archiver/v3"
-	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/archives"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/content"
+	"hauler.dev/go/hauler/pkg/getter"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/store"

-	"github.com/rancherfederal/hauler/pkg/log"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )

-type LoadOpts struct {
-	OutputDir string
-}
-
-func (o *LoadOpts) AddFlags(cmd *cobra.Command) {
-	f := cmd.Flags()
-
-	f.StringVarP(&o.OutputDir, "output", "o", "", "Directory to unload archived contents to (defaults to $PWD/haul)")
-}
-
-// LoadCmd
-// TODO: Just use mholt/archiver for now, even though we don't need most of it
-func LoadCmd(ctx context.Context, o *LoadOpts, dir string, archiveRefs ...string) error {
+// extracts the contents of an archived oci layout to an existing oci layout
+func LoadCmd(ctx context.Context, o *flags.LoadOpts, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
 	l := log.FromContext(ctx)
-	l.Debugf("running command `hauler store load`")

-	// TODO: Support more formats?
-	a := archiver.NewTarZstd()
-	a.OverwriteExisting = true
+	tempOverride := rso.TempOverride

-	odir := dir
-	if o.OutputDir != "" {
-		odir = o.OutputDir
+	if tempOverride == "" {
+		tempOverride = os.Getenv(consts.HaulerTempDir)
 	}

-	for _, archiveRef := range archiveRefs {
-		l.Infof("loading content from [%s] to [%s]", archiveRef, odir)
-		err := a.Unarchive(archiveRef, odir)
+	tempDir, err := os.MkdirTemp(tempOverride, consts.DefaultHaulerTempDirName)
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tempDir)
+
+	l.Debugf("using temporary directory at [%s]", tempDir)
+
+	for _, fileName := range o.FileName {
+		l.Infof("loading haul [%s] to [%s]", fileName, o.StoreDir)
+		err := unarchiveLayoutTo(ctx, fileName, o.StoreDir, tempDir)
+		if err != nil {
+			return err
+		}
+		clearDir(tempDir)
+	}
+
+	return nil
+}
+
+// accepts an archived OCI layout, extracts the contents to an existing OCI layout, and preserves the index
+func unarchiveLayoutTo(ctx context.Context, haulPath string, dest string, tempDir string) error {
+	l := log.FromContext(ctx)
+
+	if strings.HasPrefix(haulPath, "http://") || strings.HasPrefix(haulPath, "https://") {
+		l.Debugf("detected remote archive... starting download... [%s]", haulPath)
+
+		h := getter.NewHttp()
+		parsedURL, err := url.Parse(haulPath)
+		if err != nil {
+			return err
+		}
+		rc, err := h.Open(ctx, parsedURL)
+		if err != nil {
+			return err
+		}
+		defer rc.Close()
+
+		fileName := h.Name(parsedURL)
+		if fileName == "" {
+			fileName = filepath.Base(parsedURL.Path)
+		}
+		haulPath = filepath.Join(tempDir, fileName)
+
+		out, err := os.Create(haulPath)
+		if err != nil {
+			return err
+		}
+		defer out.Close()
+
+		if _, err = io.Copy(out, rc); err != nil {
+			return err
+		}
+	}
+
+	if err := archives.Unarchive(ctx, haulPath, tempDir); err != nil {
+		return err
+	}
+
+	// ensure the incoming index.json has the correct annotations.
+	data, err := os.ReadFile(tempDir + "/index.json")
+	if err != nil {
+		return (err)
+	}
+
+	var idx ocispec.Index
+	if err := json.Unmarshal(data, &idx); err != nil {
+		return (err)
+	}
+
+	for i := range idx.Manifests {
+		if idx.Manifests[i].Annotations == nil {
+			idx.Manifests[i].Annotations = make(map[string]string)
+		}
+		if _, exists := idx.Manifests[i].Annotations[consts.KindAnnotationName]; !exists {
+			idx.Manifests[i].Annotations[consts.KindAnnotationName] = consts.KindAnnotationImage
+		}
+		if ref, ok := idx.Manifests[i].Annotations[consts.ContainerdImageNameKey]; ok {
+			if slash := strings.Index(ref, "/"); slash != -1 {
+				ref = ref[slash+1:]
+			}
+			if idx.Manifests[i].Annotations[consts.ImageRefKey] != ref {
+				idx.Manifests[i].Annotations[consts.ImageRefKey] = ref
+			}
+		}
+	}
+
+	out, err := json.MarshalIndent(idx, "", "  ")
+	if err != nil {
+		return err
+	}
+	if err := os.WriteFile(tempDir+"/index.json", out, 0644); err != nil {
+		return err
+	}
+
+	s, err := store.NewLayout(tempDir)
+	if err != nil {
+		return err
+	}
+
+	ts, err := content.NewOCI(dest)
+	if err != nil {
+		return err
+	}
+
+	_, err = s.CopyAll(ctx, ts, nil)
+	return err
+}
+
+func clearDir(path string) error {
+	entries, err := os.ReadDir(path)
+	if err != nil {
+		return err
+	}
+
+	for _, entry := range entries {
+		err = os.RemoveAll(filepath.Join(path, entry.Name()))
 		if err != nil {
 			return err
 		}
--- a/cmd/hauler/cli/store/remove.go
+++ b/cmd/hauler/cli/store/remove.go
@@ -0,0 +1,122 @@
+package store
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+func formatReference(ref string) string {
+	tagIdx := strings.LastIndex(ref, ":")
+	if tagIdx == -1 {
+		return ref
+	}
+
+	dashIdx := strings.Index(ref[tagIdx+1:], "-")
+	if dashIdx == -1 {
+		return ref
+	}
+
+	dashIdx = tagIdx + 1 + dashIdx
+
+	base := ref[:dashIdx]
+	suffix := ref[dashIdx+1:]
+
+	if base == "" || suffix == "" {
+		return ref
+	}
+
+	return fmt.Sprintf("%s [%s]", base, suffix)
+}
+
+func RemoveCmd(ctx context.Context, o *flags.RemoveOpts, s *store.Layout, ref string) error {
+	l := log.FromContext(ctx)
+
+	// collect matching artifacts
+	type match struct {
+		reference string
+		desc      ocispec.Descriptor
+	}
+	var matches []match
+
+	if err := s.Walk(func(reference string, desc ocispec.Descriptor) error {
+		if !strings.Contains(reference, ref) {
+			return nil
+		}
+
+		matches = append(matches, match{
+			reference: reference,
+			desc:      desc,
+		})
+
+		return nil // continue walking
+	}); err != nil {
+		return err
+	}
+
+	if len(matches) == 0 {
+		return fmt.Errorf("reference [%s] not found in store (use `hauler store info` to list store contents)", ref)
+	}
+
+	if len(matches) >= 1 {
+		l.Infof("found %d matching references:", len(matches))
+		for _, m := range matches {
+			l.Infof("  - [%s]", formatReference(m.reference))
+		}
+	}
+
+	if !o.Force {
+		fmt.Printf("  ↳ are you sure you want to remove [%d] artifact(s) from the store? (yes/no) ", len(matches))
+
+		reader := bufio.NewReader(os.Stdin)
+
+		line, err := reader.ReadString('\n')
+		if err != nil && !errors.Is(err, io.EOF) {
+			return fmt.Errorf("failed to read response: [%w]... please answer 'yes' or 'no'", err)
+		}
+
+		response := strings.ToLower(strings.TrimSpace(line))
+
+		switch response {
+		case "yes", "y":
+			l.Infof("starting to remove artifacts from store...")
+		case "no", "n":
+			l.Infof("successfully cancelled removal of artifacts from store")
+			return nil
+		case "":
+			return fmt.Errorf("failed to read response... please answer 'yes' or 'no'")
+		default:
+			return fmt.Errorf("invalid response [%s]... please answer 'yes' or 'no'", response)
+		}
+	}
+
+	// remove artifact(s)
+	for _, m := range matches {
+		if err := s.RemoveArtifact(ctx, m.reference, m.desc); err != nil {
+			return fmt.Errorf("failed to remove artifact [%s]: %w", formatReference(m.reference), err)
+		}
+
+		l.Infof("successfully removed [%s] of type [%s] with digest [%s]", formatReference(m.reference), m.desc.MediaType, m.desc.Digest.String())
+	}
+
+	// clean up unreferenced blobs
+	l.Infof("cleaning up all unreferenced blobs...")
+	removedCount, removedSize, err := s.CleanUp(ctx)
+	if err != nil {
+		l.Warnf("garbage collection failed: [%v]", err)
+	} else if removedCount > 0 {
+		l.Infof("successfully removed [%d] unreferenced blobs [freed %d bytes]", removedCount, removedSize)
+	}
+
+	return nil
+}
--- a/cmd/hauler/cli/store/save.go
+++ b/cmd/hauler/cli/store/save.go
@@ -1,37 +1,41 @@
 package store

 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"os"
+	"path"
 	"path/filepath"
+	"slices"

-	"github.com/mholt/archiver/v3"
-	"github.com/spf13/cobra"
+	referencev3 "github.com/distribution/distribution/v3/reference"
+	"github.com/google/go-containerregistry/pkg/name"
+	libv1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/google/go-containerregistry/pkg/v1/tarball"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

-	"github.com/rancherfederal/hauler/pkg/log"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/archives"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/log"
 )

-type SaveOpts struct {
-	FileName string
-}
-
-func (o *SaveOpts) AddArgs(cmd *cobra.Command) {
-	f := cmd.Flags()
-
-	f.StringVarP(&o.FileName, "filename", "f", "pkg.tar.zst", "Name of archive")
-}
-
-// SaveCmd
-// TODO: Just use mholt/archiver for now, even though we don't need most of it
-func SaveCmd(ctx context.Context, o *SaveOpts, outputFile string, dir string) error {
+// saves a content store to store archives
+func SaveCmd(ctx context.Context, o *flags.SaveOpts, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
 	l := log.FromContext(ctx)
-	l.Debugf("running command `hauler store save`")

-	// TODO: Support more formats?
-	a := archiver.NewTarZstd()
-	a.OverwriteExisting = true
+	// maps to handle compression and archival types
+	compressionMap := archives.CompressionMap
+	archivalMap := archives.ArchivalMap

-	absOutputfile, err := filepath.Abs(outputFile)
+	// select the compression and archival type based parsed filename extension
+	compression := compressionMap["zst"]
+	archival := archivalMap["tar"]
+
+	absOutputfile, err := filepath.Abs(o.FileName)
 	if err != nil {
 		return err
 	}
@@ -41,15 +45,211 @@ func SaveCmd(ctx context.Context, o *SaveOpts, outputFile string, dir string) er
 		return err
 	}
 	defer os.Chdir(cwd)
-	if err := os.Chdir(dir); err != nil {
+	if err := os.Chdir(o.StoreDir); err != nil {
 		return err
 	}

-	err = a.Archive([]string{"."}, absOutputfile)
+	// create the manifest.json file
+	if err := writeExportsManifest(ctx, ".", o.Platform); err != nil {
+		return err
+	}
+
+	// strip out the oci-layout file from the haul
+	// required for containerd to be able to interpret the haul correctly for all mediatypes and artifactypes
+	if o.ContainerdCompatibility {
+		if err := os.Remove(filepath.Join(".", ocispec.ImageLayoutFile)); err != nil {
+			if !os.IsNotExist(err) {
+				return err
+			}
+		} else {
+			l.Warnf("compatibility warning... containerd... removing 'oci-layout' file to support containerd importing of images")
+		}
+	}
+
+	// create the archive
+	err = archives.Archive(ctx, ".", absOutputfile, compression, archival)
 	if err != nil {
 		return err
 	}

-	l.Infof("saved haul [%s] -> [%s]", dir, absOutputfile)
+	l.Infof("saving store [%s] to archive [%s]", o.StoreDir, o.FileName)
+	return nil
+}
+
+type exports struct {
+	digests []string
+	records map[string]tarball.Descriptor
+}
+
+func writeExportsManifest(ctx context.Context, dir string, platformStr string) error {
+	l := log.FromContext(ctx)
+
+	// validate platform format
+	platform, err := libv1.ParsePlatform(platformStr)
+	if err != nil {
+		return err
+	}
+
+	oci, err := layout.FromPath(dir)
+	if err != nil {
+		return err
+	}
+
+	idx, err := oci.ImageIndex()
+	if err != nil {
+		return err
+	}
+
+	imx, err := idx.IndexManifest()
+	if err != nil {
+		return err
+	}
+
+	x := &exports{
+		digests: []string{},
+		records: map[string]tarball.Descriptor{},
+	}
+
+	for _, desc := range imx.Manifests {
+		l.Debugf("descriptor [%s] = [%s]", desc.Digest.String(), desc.MediaType)
+		if artifactType := types.MediaType(desc.ArtifactType); artifactType != "" && !artifactType.IsImage() && !artifactType.IsIndex() {
+			l.Debugf("descriptor [%s] <<< SKIPPING ARTIFACT [%q]", desc.Digest.String(), desc.ArtifactType)
+			continue
+		}
+		if desc.Annotations != nil {
+			// we only care about images that cosign has added to the layout index
+			if kind, hasKind := desc.Annotations[consts.KindAnnotationName]; hasKind {
+				if refName, hasRefName := desc.Annotations["io.containerd.image.name"]; hasRefName {
+					// branch on image (aka image manifest) or image index
+					switch kind {
+					case consts.KindAnnotationImage:
+						if err := x.record(ctx, idx, desc, refName); err != nil {
+							return err
+						}
+					case consts.KindAnnotationIndex:
+						l.Debugf("index [%s]: digest=[%s]... type=[%s]... size=[%d]", refName, desc.Digest.String(), desc.MediaType, desc.Size)
+
+						// when no platform is inputted... warn the user of potential mismatch on import for docker
+						// required for docker to be able to interpret and load the image correctly
+						if platform.String() == "" {
+							l.Warnf("compatibility warning... docker... specify platform to prevent potential mismatch on import of index [%s]", refName)
+						}
+
+						iix, err := idx.ImageIndex(desc.Digest)
+						if err != nil {
+							return err
+						}
+						ixm, err := iix.IndexManifest()
+						if err != nil {
+							return err
+						}
+						for _, ixd := range ixm.Manifests {
+							if ixd.MediaType.IsImage() {
+								if platform.String() != "" {
+									if ixd.Platform.Architecture != platform.Architecture || ixd.Platform.OS != platform.OS {
+										l.Debugf("index [%s]: digest=[%s], platform=[%s/%s]: does not match the supplied platform... skipping...", refName, desc.Digest.String(), ixd.Platform.OS, ixd.Platform.Architecture)
+										continue
+									}
+								}
+
+								// skip any platforms of 'unknown/unknown'... docker hates
+								// required for docker to be able to interpret and load the image correctly
+								if ixd.Platform.Architecture == "unknown" && ixd.Platform.OS == "unknown" {
+									l.Debugf("index [%s]: digest=[%s], platform=[%s/%s]: matches unknown platform... skipping...", refName, desc.Digest.String(), ixd.Platform.OS, ixd.Platform.Architecture)
+									continue
+								}
+
+								if err := x.record(ctx, iix, ixd, refName); err != nil {
+									return err
+								}
+							}
+						}
+					default:
+						l.Debugf("descriptor [%s] <<< SKIPPING KIND [%q]", desc.Digest.String(), kind)
+					}
+				}
+			}
+		}
+	}
+
+	buf := bytes.Buffer{}
+	mnf := x.describe()
+	err = json.NewEncoder(&buf).Encode(mnf)
+	if err != nil {
+		return err
+	}
+
+	return oci.WriteFile(consts.ImageManifestFile, buf.Bytes(), 0666)
+}
+
+func (x *exports) describe() tarball.Manifest {
+	m := make(tarball.Manifest, len(x.digests))
+	for i, d := range x.digests {
+		m[i] = x.records[d]
+	}
+	return m
+}
+
+func (x *exports) record(ctx context.Context, index libv1.ImageIndex, desc libv1.Descriptor, refname string) error {
+	l := log.FromContext(ctx)
+
+	digest := desc.Digest.String()
+	image, err := index.Image(desc.Digest)
+	if err != nil {
+		return err
+	}
+
+	config, err := image.ConfigName()
+	if err != nil {
+		return err
+	}
+
+	xd, recorded := x.records[digest]
+	if !recorded {
+		// record one export record per digest
+		x.digests = append(x.digests, digest)
+		xd = tarball.Descriptor{
+			Config:   path.Join(ocispec.ImageBlobsDir, config.Algorithm, config.Hex),
+			RepoTags: []string{},
+			Layers:   []string{},
+		}
+
+		layers, err := image.Layers()
+		if err != nil {
+			return err
+		}
+		for _, layer := range layers {
+			xl, err := layer.Digest()
+			if err != nil {
+				return err
+			}
+			xd.Layers = append(xd.Layers[:], path.Join(ocispec.ImageBlobsDir, xl.Algorithm, xl.Hex))
+		}
+	}
+
+	ref, err := name.ParseReference(refname)
+	if err != nil {
+		return err
+	}
+
+	// record tags for the digest, eliminating dupes
+	switch tag := ref.(type) {
+	case name.Tag:
+		named, err := referencev3.ParseNormalizedNamed(refname)
+		if err != nil {
+			return err
+		}
+		named = referencev3.TagNameOnly(named)
+		repotag := referencev3.FamiliarString(named)
+		xd.RepoTags = append(xd.RepoTags[:], repotag)
+		slices.Sort(xd.RepoTags)
+		xd.RepoTags = slices.Compact(xd.RepoTags)
+		ref = tag.Digest(digest)
+	}
+
+	l.Debugf("image [%s]: type=%s, size=%d", ref.Name(), desc.MediaType, desc.Size)
+	// record export descriptor for the digest
+	x.records[digest] = xd
+
 	return nil
 }
--- a/cmd/hauler/cli/store/serve.go
+++ b/cmd/hauler/cli/store/serve.go
@@ -2,57 +2,48 @@ package store

 import (
 	"context"
+	"errors"
 	"fmt"
+	"io/fs"
 	"net/http"
 	"os"
+	"path/filepath"
+	"strings"

 	"github.com/distribution/distribution/v3/configuration"
-	"github.com/distribution/distribution/v3/registry"
-	"github.com/spf13/cobra"
+	dcontext "github.com/distribution/distribution/v3/context"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/base"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/filesystem"
+	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
+	"github.com/distribution/distribution/v3/version"
+	"gopkg.in/yaml.v3"

-	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/store"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/internal/server"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/store"
 )

-type ServeOpts struct {
-	Port       int
-	ConfigFile string
+func validateStoreExists(s *store.Layout) error {
+	indexPath := filepath.Join(s.Root, "index.json")

-	storedir string
-}
-
-func (o *ServeOpts) AddFlags(cmd *cobra.Command) {
-	f := cmd.Flags()
-
-	f.IntVarP(&o.Port, "port", "p", 5000, "Port to listen on")
-	f.StringVarP(&o.ConfigFile, "config", "c", "", "Path to a config file, will override all other configs")
-}
-
-// ServeCmd does
-func ServeCmd(ctx context.Context, o *ServeOpts, s *store.Store) error {
-	l := log.FromContext(ctx)
-	l.Debugf("running command `hauler store serve`")
-
-	cfg := o.defaultConfig(s)
-	if o.ConfigFile != "" {
-		ucfg, err := loadConfig(o.ConfigFile)
-		if err != nil {
-			return err
-		}
-		cfg = ucfg
+	_, err := os.Stat(indexPath)
+	if err == nil {
+		return nil
 	}

-	r, err := registry.NewRegistry(ctx, cfg)
-	if err != nil {
-		return err
+	if errors.Is(err, fs.ErrNotExist) {
+		return fmt.Errorf(
+			"no store found at [%s]\n  ↳ does the hauler store exist? (verify with `hauler store info`)",
+			s.Root,
+		)
 	}

-	l.Infof("Starting registry listening on :%d", o.Port)
-	if err = r.ListenAndServe(); err != nil {
-		return err
-	}
-
-	return nil
+	return fmt.Errorf(
+		"unable to access store at [%s]: %w",
+		s.Root,
+		err,
+	)
 }

 func loadConfig(filename string) (*configuration.Configuration, error) {
@@ -64,22 +55,115 @@ func loadConfig(filename string) (*configuration.Configuration, error) {
 	return configuration.Parse(f)
 }

-func (o *ServeOpts) defaultConfig(s *store.Store) *configuration.Configuration {
+func DefaultRegistryConfig(o *flags.ServeRegistryOpts, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) *configuration.Configuration {
 	cfg := &configuration.Configuration{
 		Version: "0.1",
 		Storage: configuration.Storage{
 			"cache":      configuration.Parameters{"blobdescriptor": "inmemory"},
-			"filesystem": configuration.Parameters{"rootdirectory": s.DataDir},
-
-			// TODO: Ensure this is toggleable via cli arg if necessary
-			"maintenance": configuration.Parameters{"readonly.enabled": true},
+			"filesystem": configuration.Parameters{"rootdirectory": o.RootDir},
+			"maintenance": configuration.Parameters{
+				"readonly": map[any]any{"enabled": o.ReadOnly},
+			},
 		},
 	}
-	cfg.Log.Level = "info"
+
+	if o.TLSCert != "" && o.TLSKey != "" {
+		cfg.HTTP.TLS.Certificate = o.TLSCert
+		cfg.HTTP.TLS.Key = o.TLSKey
+	}
+
 	cfg.HTTP.Addr = fmt.Sprintf(":%d", o.Port)
 	cfg.HTTP.Headers = http.Header{
 		"X-Content-Type-Options": []string{"nosniff"},
 	}

+	cfg.Log.Level = configuration.Loglevel(ro.LogLevel)
+	cfg.Validation.Manifests.URLs.Allow = []string{".+"}
+
 	return cfg
 }
+
+func ServeRegistryCmd(ctx context.Context, o *flags.ServeRegistryOpts, s *store.Layout, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+	ctx = dcontext.WithVersion(ctx, version.Version)
+
+	if err := validateStoreExists(s); err != nil {
+		return err
+	}
+
+	tr := server.NewTempRegistry(ctx, o.RootDir)
+	if err := tr.Start(); err != nil {
+		return err
+	}
+
+	opts := &flags.CopyOpts{}
+	if err := CopyCmd(ctx, opts, s, "registry://"+tr.Registry(), ro); err != nil {
+		return err
+	}
+
+	tr.Close()
+
+	cfg := DefaultRegistryConfig(o, rso, ro)
+	if o.ConfigFile != "" {
+		ucfg, err := loadConfig(o.ConfigFile)
+		if err != nil {
+			return err
+		}
+		cfg = ucfg
+	}
+
+	l.Infof("starting registry on port [%d]", o.Port)
+
+	yamlConfig, err := yaml.Marshal(cfg)
+	if err != nil {
+		l.Errorf("failed to validate/output registry configuration: %v", err)
+	} else {
+		l.Infof("using registry configuration... \n%s", strings.TrimSpace(string(yamlConfig)))
+	}
+
+	l.Debugf("detailed registry configuration: %+v", cfg)
+
+	r, err := server.NewRegistry(ctx, cfg)
+	if err != nil {
+		return err
+	}
+
+	if err = r.ListenAndServe(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func ServeFilesCmd(ctx context.Context, o *flags.ServeFilesOpts, s *store.Layout, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+	ctx = dcontext.WithVersion(ctx, version.Version)
+
+	if err := validateStoreExists(s); err != nil {
+		return err
+	}
+
+	opts := &flags.CopyOpts{}
+	if err := CopyCmd(ctx, opts, s, "dir://"+o.RootDir, ro); err != nil {
+		return err
+	}
+
+	f, err := server.NewFile(ctx, *o)
+	if err != nil {
+		return err
+	}
+
+	if o.TLSCert != "" && o.TLSKey != "" {
+		l.Infof("starting file server with tls on port [%d]", o.Port)
+		if err := f.ListenAndServeTLS(o.TLSCert, o.TLSKey); err != nil {
+			return err
+		}
+	} else {
+		l.Infof("starting file server on port [%d]", o.Port)
+		if err := f.ListenAndServe(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/cmd/hauler/cli/store/sync.go
+++ b/cmd/hauler/cli/store/sync.go
@@ -5,150 +5,657 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net/url"
 	"os"
+	"path/filepath"
+	"strings"

-	"github.com/spf13/cobra"
+	"github.com/mitchellh/go-homedir"
+	"helm.sh/helm/v3/pkg/action"
 	"k8s.io/apimachinery/pkg/util/yaml"

-	"github.com/rancherfederal/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
-	"github.com/rancherfederal/hauler/pkg/collection/chart"
-	"github.com/rancherfederal/hauler/pkg/collection/k3s"
-	"github.com/rancherfederal/hauler/pkg/content"
-	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/store"
+	"hauler.dev/go/hauler/internal/flags"
+	convert "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/convert"
+	v1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
+	v1alpha1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
+	tchart "hauler.dev/go/hauler/pkg/collection/chart"
+	"hauler.dev/go/hauler/pkg/collection/imagetxt"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/content"
+	"hauler.dev/go/hauler/pkg/cosign"
+	"hauler.dev/go/hauler/pkg/getter"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/reference"
+	"hauler.dev/go/hauler/pkg/store"
 )

-type SyncOpts struct {
-	ContentFiles []string
-}
-
-func (o *SyncOpts) AddFlags(cmd *cobra.Command) {
-	f := cmd.Flags()
-
-	f.StringSliceVarP(&o.ContentFiles, "files", "f", []string{}, "Path to content files")
-}
-
-func SyncCmd(ctx context.Context, o *SyncOpts, s *store.Store) error {
+func SyncCmd(ctx context.Context, o *flags.SyncOpts, s *store.Layout, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
 	l := log.FromContext(ctx)
-	l.Debugf("running cli command `hauler store sync`")

-	// Start from an empty store (contents are cached elsewhere)
-	l.Debugf("flushing any existing content in store: %s", s.DataDir)
-	if err := s.Flush(ctx); err != nil {
-		return err
+	tempOverride := rso.TempOverride
+
+	if tempOverride == "" {
+		tempOverride = os.Getenv(consts.HaulerTempDir)
 	}

-	s.Open()
-	defer s.Close()
+	tempDir, err := os.MkdirTemp(tempOverride, consts.DefaultHaulerTempDirName)
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tempDir)

-	for _, filename := range o.ContentFiles {
-		l.Debugf("processing content file: '%s'", filename)
-		fi, err := os.Open(filename)
+	l.Debugf("using temporary directory at [%s]", tempDir)
+
+	// if passed products, check for a remote manifest to retrieve and use
+	for _, productName := range o.Products {
+		l.Infof("processing product manifest for [%s] to store [%s]", productName, o.StoreDir)
+		parts := strings.Split(productName, "=")
+		tag := strings.ReplaceAll(parts[1], "+", "-")
+
+		ProductRegistry := o.ProductRegistry // cli flag
+		// if no cli flag use CarbideRegistry.
+		if o.ProductRegistry == "" {
+			ProductRegistry = consts.CarbideRegistry
+		}
+
+		manifestLoc := fmt.Sprintf("%s/hauler/%s-manifest.yaml:%s", ProductRegistry, parts[0], tag)
+		l.Infof("fetching product manifest from [%s]", manifestLoc)
+		img := v1.Image{
+			Name: manifestLoc,
+		}
+		err := storeImage(ctx, s, img, o.Platform, rso, ro, "")
+		if err != nil {
+			return err
+		}
+		err = ExtractCmd(ctx, &flags.ExtractOpts{StoreRootOpts: o.StoreRootOpts}, s, fmt.Sprintf("hauler/%s-manifest.yaml:%s", parts[0], tag))
+		if err != nil {
+			return err
+		}
+		fileName := fmt.Sprintf("%s-manifest.yaml", parts[0])
+
+		fi, err := os.Open(fileName)
+		if err != nil {
+			return err
+		}
+		err = processContent(ctx, fi, o, s, rso, ro)
+		if err != nil {
+			return err
+		}
+		l.Infof("processing completed successfully")
+	}
+
+	// If passed a local manifest, process it
+	for _, fileName := range o.FileName {
+		l.Infof("processing manifest [%s] to store [%s]", fileName, o.StoreDir)
+
+		haulPath := fileName
+		if strings.HasPrefix(haulPath, "http://") || strings.HasPrefix(haulPath, "https://") {
+			l.Debugf("detected remote manifest... starting download... [%s]", haulPath)
+
+			h := getter.NewHttp()
+			parsedURL, err := url.Parse(haulPath)
+			if err != nil {
+				return err
+			}
+			rc, err := h.Open(ctx, parsedURL)
+			if err != nil {
+				return err
+			}
+			defer rc.Close()
+
+			fileName := h.Name(parsedURL)
+			if fileName == "" {
+				fileName = filepath.Base(parsedURL.Path)
+			}
+			haulPath = filepath.Join(tempDir, fileName)
+
+			out, err := os.Create(haulPath)
+			if err != nil {
+				return err
+			}
+			defer out.Close()
+
+			if _, err = io.Copy(out, rc); err != nil {
+				return err
+			}
+		}
+
+		fi, err := os.Open(haulPath)
+		if err != nil {
+			return err
+		}
+		defer fi.Close()
+
+		err = processContent(ctx, fi, o, s, rso, ro)
 		if err != nil {
 			return err
 		}

-		reader := yaml.NewYAMLReader(bufio.NewReader(fi))
+		l.Infof("processing completed successfully")
+	}

-		var docs [][]byte
-		for {
-			raw, err := reader.Read()
-			if err == io.EOF {
-				break
-			}
-			if err != nil {
-				return err
-			}
+	return nil
+}

-			docs = append(docs, raw)
+func processContent(ctx context.Context, fi *os.File, o *flags.SyncOpts, s *store.Layout, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+
+	reader := yaml.NewYAMLReader(bufio.NewReader(fi))
+
+	var docs [][]byte
+	for {
+		raw, err := reader.Read()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+		docs = append(docs, raw)
+	}
+
+	for _, doc := range docs {
+		obj, err := content.Load(doc)
+		if err != nil {
+			l.Warnf("skipping syncing due to %v", err)
+			continue
 		}

-		for _, doc := range docs {
-			obj, err := content.Load(doc)
-			if err != nil {
-				return err
-			}
+		gvk := obj.GroupVersionKind()
+		l.Infof("syncing content [%s] with [kind=%s] to store [%s]", gvk.GroupVersion(), gvk.Kind, o.StoreDir)

-			l.Infof("syncing [%s] to [%s]", obj.GroupVersionKind().String(), s.DataDir)
+		switch gvk.Kind {

-			// TODO: Should type switch instead...
-			switch obj.GroupVersionKind().Kind {
-			case v1alpha1.FilesContentKind:
-				var cfg v1alpha1.Files
+		case consts.FilesContentKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release...", gvk.Version)
+
+				var alphaCfg v1alpha1.Files
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.Files
+				if err := convert.ConvertFiles(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+				for _, f := range v1Cfg.Spec.Files {
+					if err := storeFile(ctx, s, f); err != nil {
+						return err
+					}
+				}
+
+			case "v1":
+				var cfg v1.Files
 				if err := yaml.Unmarshal(doc, &cfg); err != nil {
 					return err
 				}
-
 				for _, f := range cfg.Spec.Files {
-					err := storeFile(ctx, s, f)
-					if err != nil {
-						return err
-					}
-				}
-
-			case v1alpha1.ImagesContentKind:
-				var cfg v1alpha1.Images
-				if err := yaml.Unmarshal(doc, &cfg); err != nil {
-					return err
-				}
-
-				for _, i := range cfg.Spec.Images {
-					err := storeImage(ctx, s, i)
-					if err != nil {
-						return err
-					}
-				}
-
-			case v1alpha1.ChartsContentKind:
-				var cfg v1alpha1.Charts
-				if err := yaml.Unmarshal(doc, &cfg); err != nil {
-					return err
-				}
-
-				for _, ch := range cfg.Spec.Charts {
-					err := storeChart(ctx, s, ch)
-					if err != nil {
-						return err
-					}
-				}
-
-			case v1alpha1.K3sCollectionKind:
-				var cfg v1alpha1.K3s
-				if err := yaml.Unmarshal(doc, &cfg); err != nil {
-					return err
-				}
-
-				k, err := k3s.NewK3s(cfg.Spec.Version)
-				if err != nil {
-					return err
-				}
-
-				if _, err := s.AddCollection(ctx, k); err != nil {
-					return err
-				}
-
-			case v1alpha1.ChartsCollectionKind:
-				var cfg v1alpha1.ThickCharts
-				if err := yaml.Unmarshal(doc, &cfg); err != nil {
-					return err
-				}
-
-				for _, cfg := range cfg.Spec.Charts {
-					tc, err := chart.NewChart(cfg.Name, cfg.RepoURL, cfg.Version)
-					if err != nil {
-						return err
-					}
-
-					if _, err := s.AddCollection(ctx, tc); err != nil {
+					if err := storeFile(ctx, s, f); err != nil {
 						return err
 					}
 				}

 			default:
-				return fmt.Errorf("unrecognized content/collection type: %s", obj.GroupVersionKind().String())
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
 			}
+
+		case consts.ImagesContentKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release...", gvk.Version)
+
+				var alphaCfg v1alpha1.Images
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.Images
+				if err := convert.ConvertImages(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+
+				a := v1Cfg.GetAnnotations()
+				for _, i := range v1Cfg.Spec.Images {
+
+					if a[consts.ImageAnnotationRegistry] != "" || o.Registry != "" {
+						newRef, _ := reference.Parse(i.Name)
+						newReg := o.Registry
+						if o.Registry == "" && a[consts.ImageAnnotationRegistry] != "" {
+							newReg = a[consts.ImageAnnotationRegistry]
+						}
+						if newRef.Context().RegistryStr() == "" {
+							newRef, err = reference.Relocate(i.Name, newReg)
+							if err != nil {
+								return err
+							}
+						}
+						i.Name = newRef.Name()
+					}
+
+					hasAnnotationIdentityOptions := a[consts.ImageAnnotationCertIdentityRegexp] != "" || a[consts.ImageAnnotationCertIdentity] != ""
+					hasCliIdentityOptions := o.CertIdentityRegexp != "" || o.CertIdentity != ""
+					hasImageIdentityOptions := i.CertIdentityRegexp != "" || i.CertIdentity != ""
+
+					needsKeylessVerificaton := hasAnnotationIdentityOptions || hasCliIdentityOptions || hasImageIdentityOptions
+					needsPubKeyVerification := a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != ""
+					if needsPubKeyVerification {
+						key := o.Key
+						if o.Key == "" && a[consts.ImageAnnotationKey] != "" {
+							key, err = homedir.Expand(a[consts.ImageAnnotationKey])
+							if err != nil {
+								return err
+							}
+						}
+						if i.Key != "" {
+							key, err = homedir.Expand(i.Key)
+							if err != nil {
+								return err
+							}
+						}
+						l.Debugf("key for image [%s]", key)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifySignature(ctx, s, key, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("signature verified for image [%s]", i.Name)
+					} else if needsKeylessVerificaton { //Keyless signature verification
+						certIdentityRegexp := o.CertIdentityRegexp
+						if o.CertIdentityRegexp == "" && a[consts.ImageAnnotationCertIdentityRegexp] != "" {
+							certIdentityRegexp = a[consts.ImageAnnotationCertIdentityRegexp]
+						}
+						if i.CertIdentityRegexp != "" {
+							certIdentityRegexp = i.CertIdentityRegexp
+						}
+						l.Debugf("certIdentityRegexp for image [%s]", certIdentityRegexp)
+
+						certIdentity := o.CertIdentity
+						if o.CertIdentity == "" && a[consts.ImageAnnotationCertIdentity] != "" {
+							certIdentity = a[consts.ImageAnnotationCertIdentity]
+						}
+						if i.CertIdentity != "" {
+							certIdentity = i.CertIdentity
+						}
+						l.Debugf("certIdentity for image [%s]", certIdentity)
+
+						certOidcIssuer := o.CertOidcIssuer
+						if o.CertOidcIssuer == "" && a[consts.ImageAnnotationCertOidcIssuer] != "" {
+							certOidcIssuer = a[consts.ImageAnnotationCertOidcIssuer]
+						}
+						if i.CertOidcIssuer != "" {
+							certOidcIssuer = i.CertOidcIssuer
+						}
+						l.Debugf("certOidcIssuer for image [%s]", certOidcIssuer)
+
+						certOidcIssuerRegexp := o.CertOidcIssuerRegexp
+						if o.CertOidcIssuerRegexp == "" && a[consts.ImageAnnotationCertOidcIssuerRegexp] != "" {
+							certOidcIssuerRegexp = a[consts.ImageAnnotationCertOidcIssuerRegexp]
+						}
+						if i.CertOidcIssuerRegexp != "" {
+							certOidcIssuerRegexp = i.CertOidcIssuerRegexp
+						}
+						l.Debugf("certOidcIssuerRegexp for image [%s]", certOidcIssuerRegexp)
+
+						certGithubWorkflowRepository := o.CertGithubWorkflowRepository
+						if o.CertGithubWorkflowRepository == "" && a[consts.ImageAnnotationCertGithubWorkflowRepository] != "" {
+							certGithubWorkflowRepository = a[consts.ImageAnnotationCertGithubWorkflowRepository]
+						}
+						if i.CertGithubWorkflowRepository != "" {
+							certGithubWorkflowRepository = i.CertGithubWorkflowRepository
+						}
+						l.Debugf("certGithubWorkflowRepository for image [%s]", certGithubWorkflowRepository)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifyKeylessSignature(ctx, s, certIdentity, certIdentityRegexp, certOidcIssuer, certOidcIssuerRegexp, certGithubWorkflowRepository, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("keyless signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("keyless signature verified for image [%s]", i.Name)
+					}
+
+					platform := o.Platform
+					if o.Platform == "" && a[consts.ImageAnnotationPlatform] != "" {
+						platform = a[consts.ImageAnnotationPlatform]
+					}
+					if i.Platform != "" {
+						platform = i.Platform
+					}
+
+					rewrite := ""
+					if i.Rewrite != "" {
+						rewrite = i.Rewrite
+					}
+
+					if err := storeImage(ctx, s, i, platform, rso, ro, rewrite); err != nil {
+						return err
+					}
+				}
+				s.CopyAll(ctx, s.OCI, nil)
+
+			case "v1":
+				var cfg v1.Images
+				if err := yaml.Unmarshal(doc, &cfg); err != nil {
+					return err
+				}
+
+				a := cfg.GetAnnotations()
+				for _, i := range cfg.Spec.Images {
+
+					if a[consts.ImageAnnotationRegistry] != "" || o.Registry != "" {
+						newRef, _ := reference.Parse(i.Name)
+						newReg := o.Registry
+						if o.Registry == "" && a[consts.ImageAnnotationRegistry] != "" {
+							newReg = a[consts.ImageAnnotationRegistry]
+						}
+						if newRef.Context().RegistryStr() == "" {
+							newRef, err = reference.Relocate(i.Name, newReg)
+							if err != nil {
+								return err
+							}
+						}
+						i.Name = newRef.Name()
+					}
+
+					hasAnnotationIdentityOptions := a[consts.ImageAnnotationCertIdentityRegexp] != "" || a[consts.ImageAnnotationCertIdentity] != ""
+					hasCliIdentityOptions := o.CertIdentityRegexp != "" || o.CertIdentity != ""
+					hasImageIdentityOptions := i.CertIdentityRegexp != "" || i.CertIdentity != ""
+
+					needsKeylessVerificaton := hasAnnotationIdentityOptions || hasCliIdentityOptions || hasImageIdentityOptions
+					needsPubKeyVerification := a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != ""
+					if needsPubKeyVerification {
+						key := o.Key
+						if o.Key == "" && a[consts.ImageAnnotationKey] != "" {
+							key, err = homedir.Expand(a[consts.ImageAnnotationKey])
+							if err != nil {
+								return err
+							}
+						}
+						if i.Key != "" {
+							key, err = homedir.Expand(i.Key)
+							if err != nil {
+								return err
+							}
+						}
+						l.Debugf("key for image [%s]", key)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifySignature(ctx, s, key, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("signature verified for image [%s]", i.Name)
+					} else if needsKeylessVerificaton { //Keyless signature verification
+						certIdentityRegexp := o.CertIdentityRegexp
+						if o.CertIdentityRegexp == "" && a[consts.ImageAnnotationCertIdentityRegexp] != "" {
+							certIdentityRegexp = a[consts.ImageAnnotationCertIdentityRegexp]
+						}
+						if i.CertIdentityRegexp != "" {
+							certIdentityRegexp = i.CertIdentityRegexp
+						}
+						l.Debugf("certIdentityRegexp for image [%s]", certIdentityRegexp)
+
+						certIdentity := o.CertIdentity
+						if o.CertIdentity == "" && a[consts.ImageAnnotationCertIdentity] != "" {
+							certIdentity = a[consts.ImageAnnotationCertIdentity]
+						}
+						if i.CertIdentity != "" {
+							certIdentity = i.CertIdentity
+						}
+						l.Debugf("certIdentity for image [%s]", certIdentity)
+
+						certOidcIssuer := o.CertOidcIssuer
+						if o.CertOidcIssuer == "" && a[consts.ImageAnnotationCertOidcIssuer] != "" {
+							certOidcIssuer = a[consts.ImageAnnotationCertOidcIssuer]
+						}
+						if i.CertOidcIssuer != "" {
+							certOidcIssuer = i.CertOidcIssuer
+						}
+						l.Debugf("certOidcIssuer for image [%s]", certOidcIssuer)
+
+						certOidcIssuerRegexp := o.CertOidcIssuerRegexp
+						if o.CertOidcIssuerRegexp == "" && a[consts.ImageAnnotationCertOidcIssuerRegexp] != "" {
+							certOidcIssuerRegexp = a[consts.ImageAnnotationCertOidcIssuerRegexp]
+						}
+						if i.CertOidcIssuerRegexp != "" {
+							certOidcIssuerRegexp = i.CertOidcIssuerRegexp
+						}
+						l.Debugf("certOidcIssuerRegexp for image [%s]", certOidcIssuerRegexp)
+
+						certGithubWorkflowRepository := o.CertGithubWorkflowRepository
+						if o.CertGithubWorkflowRepository == "" && a[consts.ImageAnnotationCertGithubWorkflowRepository] != "" {
+							certGithubWorkflowRepository = a[consts.ImageAnnotationCertGithubWorkflowRepository]
+						}
+						if i.CertGithubWorkflowRepository != "" {
+							certGithubWorkflowRepository = i.CertGithubWorkflowRepository
+						}
+						l.Debugf("certGithubWorkflowRepository for image [%s]", certGithubWorkflowRepository)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifyKeylessSignature(ctx, s, certIdentity, certIdentityRegexp, certOidcIssuer, certOidcIssuerRegexp, certGithubWorkflowRepository, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("keyless signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("keyless signature verified for image [%s]", i.Name)
+					}
+					platform := o.Platform
+					if o.Platform == "" && a[consts.ImageAnnotationPlatform] != "" {
+						platform = a[consts.ImageAnnotationPlatform]
+					}
+					if i.Platform != "" {
+						platform = i.Platform
+					}
+
+					rewrite := ""
+					if i.Rewrite != "" {
+						rewrite = i.Rewrite
+					}
+
+					if err := storeImage(ctx, s, i, platform, rso, ro, rewrite); err != nil {
+						return err
+					}
+				}
+				s.CopyAll(ctx, s.OCI, nil)
+
+			default:
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
+			}
+
+		case consts.ChartsContentKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release...", gvk.Version)
+
+				var alphaCfg v1alpha1.Charts
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.Charts
+				if err := convert.ConvertCharts(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+				for _, ch := range v1Cfg.Spec.Charts {
+					if err := storeChart(ctx, s, ch,
+						&flags.AddChartOpts{
+							ChartOpts: &action.ChartPathOptions{
+								RepoURL: ch.RepoURL,
+								Version: ch.Version,
+							},
+						},
+						rso, ro,
+						"",
+					); err != nil {
+						return err
+					}
+				}
+
+			case "v1":
+				var cfg v1.Charts
+				if err := yaml.Unmarshal(doc, &cfg); err != nil {
+					return err
+				}
+				registry := o.Registry
+				if registry == "" {
+					annotation := cfg.GetAnnotations()
+					if annotation != nil {
+						registry = annotation[consts.ImageAnnotationRegistry]
+					}
+				}
+
+				for i, ch := range cfg.Spec.Charts {
+					if err := storeChart(ctx, s, ch,
+						&flags.AddChartOpts{
+							ChartOpts: &action.ChartPathOptions{
+								RepoURL: ch.RepoURL,
+								Version: ch.Version,
+							},
+							AddImages:       ch.AddImages,
+							AddDependencies: ch.AddDependencies,
+							Registry:        registry,
+							Platform:        o.Platform,
+						},
+						rso, ro,
+						cfg.Spec.Charts[i].Rewrite,
+					); err != nil {
+						return err
+					}
+				}
+
+			default:
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
+			}
+
+		case consts.ChartsCollectionKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release...", gvk.Version)
+
+				var alphaCfg v1alpha1.ThickCharts
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.ThickCharts
+				if err := convert.ConvertThickCharts(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+				for _, chObj := range v1Cfg.Spec.Charts {
+					tc, err := tchart.NewThickChart(chObj, &action.ChartPathOptions{
+						RepoURL: chObj.RepoURL,
+						Version: chObj.Version,
+					})
+					if err != nil {
+						return err
+					}
+					if _, err := s.AddOCICollection(ctx, tc); err != nil {
+						return err
+					}
+				}
+
+			case "v1":
+				var cfg v1.ThickCharts
+				if err := yaml.Unmarshal(doc, &cfg); err != nil {
+					return err
+				}
+				for _, chObj := range cfg.Spec.Charts {
+					tc, err := tchart.NewThickChart(chObj, &action.ChartPathOptions{
+						RepoURL: chObj.RepoURL,
+						Version: chObj.Version,
+					})
+					if err != nil {
+						return err
+					}
+					if _, err := s.AddOCICollection(ctx, tc); err != nil {
+						return err
+					}
+				}
+
+			default:
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
+			}
+
+		case consts.ImageTxtsContentKind:
+			switch gvk.Version {
+			case "v1alpha1":
+				l.Warnf("!!! DEPRECATION WARNING !!! apiVersion [%s] will be removed in a future release...", gvk.Version)
+
+				var alphaCfg v1alpha1.ImageTxts
+				if err := yaml.Unmarshal(doc, &alphaCfg); err != nil {
+					return err
+				}
+				var v1Cfg v1.ImageTxts
+				if err := convert.ConvertImageTxts(&alphaCfg, &v1Cfg); err != nil {
+					return err
+				}
+				for _, cfgIt := range v1Cfg.Spec.ImageTxts {
+					it, err := imagetxt.New(cfgIt.Ref,
+						imagetxt.WithIncludeSources(cfgIt.Sources.Include...),
+						imagetxt.WithExcludeSources(cfgIt.Sources.Exclude...),
+					)
+					if err != nil {
+						return fmt.Errorf("convert ImageTxt %s: %v", v1Cfg.Name, err)
+					}
+					if _, err := s.AddOCICollection(ctx, it); err != nil {
+						return fmt.Errorf("add ImageTxt %s to store: %v", v1Cfg.Name, err)
+					}
+				}
+
+			case "v1":
+				var cfg v1.ImageTxts
+				if err := yaml.Unmarshal(doc, &cfg); err != nil {
+					return err
+				}
+				for _, cfgIt := range cfg.Spec.ImageTxts {
+					it, err := imagetxt.New(cfgIt.Ref,
+						imagetxt.WithIncludeSources(cfgIt.Sources.Include...),
+						imagetxt.WithExcludeSources(cfgIt.Sources.Exclude...),
+					)
+					if err != nil {
+						return fmt.Errorf("convert ImageTxt %s: %v", cfg.Name, err)
+					}
+					if _, err := s.AddOCICollection(ctx, it); err != nil {
+						return fmt.Errorf("add ImageTxt %s to store: %v", cfg.Name, err)
+					}
+				}
+
+			default:
+				return fmt.Errorf("unsupported version [%s] for kind [%s]... valid versions are [v1 and v1alpha1]", gvk.Version, gvk.Kind)
+			}
+
+		default:
+			return fmt.Errorf("unsupported kind [%s]... valid kinds are [Files, Images, Charts, ThickCharts, ImageTxts]", gvk.Kind)
 		}
 	}
-
 	return nil
 }
--- a/cmd/hauler/cli/version.go
+++ b/cmd/hauler/cli/version.go
@@ -5,33 +5,37 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/rancherfederal/hauler/pkg/version"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/internal/version"
 )

-func addVersion(parent *cobra.Command) {
-	var json bool
+func addVersion(parent *cobra.Command, ro *flags.CliRootOpts) {
+	o := &flags.VersionOpts{}

 	cmd := &cobra.Command{
 		Use:     "version",
-		Short:   "Print current hauler version",
-		Long:    "Print current hauler version",
+		Short:   "Print the current version",
 		Aliases: []string{"v"},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			v := version.GetVersionInfo()
-			response := v.String()
-			if json {
-				data, err := v.JSONString()
+			v.Name = cmd.Root().Name()
+			v.Description = cmd.Root().Short
+			v.FontName = "starwars"
+			cmd.SetOut(cmd.OutOrStdout())
+
+			if o.JSON {
+				out, err := v.JSONString()
 				if err != nil {
-					return err
+					return fmt.Errorf("unable to generate JSON from version info: %w", err)
 				}
-				response = data
+				cmd.Println(out)
+			} else {
+				cmd.Println(v.String())
 			}
-			fmt.Print(response)
 			return nil
 		},
 	}
-
-	cmd.Flags().BoolVar(&json, "json", false, "toggle output in JSON")
+	o.AddFlags(cmd)

 	parent.AddCommand(cmd)
 }
--- a/cmd/hauler/main.go
+++ b/cmd/hauler/main.go
@@ -4,8 +4,9 @@ import (
 	"context"
 	"os"

-	"github.com/rancherfederal/hauler/cmd/hauler/cli"
-	"github.com/rancherfederal/hauler/pkg/log"
+	"hauler.dev/go/hauler/cmd/hauler/cli"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/log"
 )

 func main() {
@@ -15,7 +16,9 @@ func main() {
 	logger := log.NewLogger(os.Stdout)
 	ctx = logger.WithContext(ctx)

-	if err := cli.New().ExecuteContext(ctx); err != nil {
+	if err := cli.New(ctx, &flags.CliRootOpts{}).ExecuteContext(ctx); err != nil {
 		logger.Errorf("%v", err)
+		cancel()
+		os.Exit(1)
 	}
 }
--- a/docs/walkthrough.md
+++ b/docs/walkthrough.md
@@ -1,177 +0,0 @@
-# Walkthrough
-
-## Installation
-
-The latest version of `hauler` is available as statically compiled binaries for most combinations of operating systems and architectures on the GitHub [releases](https://github.com/rancherfederal/hauler/releases) page.
-
-## Quickstart
-
-The tl;dr for how to use `hauler` to fetch, transport, and distribute `content`:
-
-```bash
-# fetch some content
-hauler store add file "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-hauler store add chart longhorn --repo "https://charts.longhorn.io"
-hauler store add image "rancher/cowsay"
-
-# transport the content
-hauler store save
-
-# <-airgap the haul.tar.zst file generated->
-
-# load the content
-hauler store load
-
-# serve the content
-hauler store serve
-```
-
-While the example above fits into a quickstart, it falls short of demonstrating all the capabilities `hauler` has to offer, including taking advantage of its fully declarative nature.  Keep reading the [Guided Examples](#Guided-Examples) below for a more thorough walkthrough of `haulers` full capabilities.
-
-## Guided Examples
-
-Since `hauler`'s primary objective is to simplify the content collection/distribution airgap process, a lot of the design revolves around the typical airgap workflow:
-
-```bash
-fetch -> save - | <airgap> | -> validate/load -> distribute
-```
-
-This is accomplished as follows:
-
-```bash
-# fetch content
-hauler store add ...
-
-# compress and archive content
-hauler store save
-
-# <airgap>
-
-# validate/load content
-hauler store load ...
-
-# distribute content
-hauler store serve
-```
-
-At this point you're probably wondering: what is `content`? In `hauler` land, there are a few important terms given to important resources:
-
-* `artifact`: anything that can be represented as an [`oci artifact`](https://github.com/opencontainers/artifacts)
-* `content`: built in "primitive" types of `artifacts` that `hauler` understands
-
-### Built in content
-
-As of today, `hauler` understands three types of `content`, one with a strong legacy of community support and consensus ([`image-spec`]()), one with a finalized spec and experimental support ([`chart-spec`]()), and one generic type created just for `hauler`.  These `content` types are outlined below:
-
-__`files`__:
-
-Generic content that can be represented as a file, either sourced locally or remotely.
-
-```bash
-# local file
-hauler store add file path/to/local/file.txt
-
-# remote file
-hauler store add file https://get.k3s.io
-```
-
-__`images`__:
-
-Any OCI compatible image can be fetched remotely.
-
-```bash
-# "shorthand"  image references
-hauler store add image rancher/k3s:v1.22.2-k3s1
-
-# fully qualified image references
-hauler store add image ghcr.io/fluxcd/flux-cli@sha256:02aa820c3a9c57d67208afcfc4bce9661658c17d15940aea369da259d2b976dd
-```
-
-__`charts`__:
-
-Helm charts represented as OCI content.
-
-```bash
-# add a helm chart (defaults to latest version)
-hauler store add chart loki --repo "https://grafana.github.io/helm-charts"
-
-# add a specific version of a helm chart
-hauler store add chart loki --repo "https://grafana.github.io/helm-charts" --version 2.8.1
-
-# install directly from the oci content
-HELM_EXPERIMENTAL_OCI=1 helm install loki oci://localhost:3000/library/loki --version 2.8.1
-```
-
-> Note: `hauler` supports the currently experimental format of helm as OCI content, but can also be represented as the usual tarball if necessary
-
-### Content API
-
-While imperatively adding `content` to `hauler` is a simple way to get started, the recommended long term approach is to use the provided api that each `content` has, in conjunction with the `sync` command.
-
-```bash
-# create a haul from declaratively defined content
-hauler store sync -f testdata/contents.yaml
-```
-
-> For a commented view of the `contents` api, take a look at the `testdata` folder in the root of the project.
-
-The API for each type of built-in `content` allows you to easily and declaratively define all the `content` that exist within a `haul`, and ensures a more gitops compatible workflow for managing the lifecycle of your `hauls`.
-
-### Collections
-
-Earlier we referred to `content` as "primitives".  While the quotes justify the loose definition of that term, we call it that because they can be used to build groups of `content`, which we call `collections`.
-
-`collections` are groups of 1 or more `contents` that collectively represent something desirable.  Just like `content`, there are a handful that are built in to `hauler`.
-
-Since `collections` usually contain more purposefully crafted `contents`, we restrict their use to the declarative commands (`sync`):
-
-```bash
-# sync a collection
-hauler store sync -f my-collection.yaml
-
-# sync sets of content/collection
-hauler store sync -f collection.yaml -f content.yaml
-```
-
-__`thickcharts`__:
-
-Thick Charts represent the combination of `charts` and `images`.  When storing a thick chart, the chart _and_ the charts dependent images will be fetched and stored by `hauler`.  
-
-```yaml
-# thick-chart.yaml
-apiVersion: collection.hauler.cattle.io/v1alpha1
-kind: ThickCharts
-metadata:
-  name: loki
-spec:
-  charts:
-    - name: loki
-      repoURL: https://grafana.github.io/helm-charts
-```
-
-When syncing the collection above, `hauler` will identify the images the chart depends on and store those too
-
-> The method for identifying images is constantly changing, as of today, the chart is rendered and a configurable set of container defining json path's are processed.  The most common paths are recognized by hauler, but this can be configured for the more niche CRDs out there.
-
-__`k3s`__:
-
-Combining `files` and `images`, full clusters can also be captured by `hauler` for further simplifying the already simple nature of `k3s`.
-
-```yaml
-# k3s.yaml
---
-apiVersion: collection.hauler.cattle.io/v1alpha1
-kind: K3s
-metadata:
-  name: k3s
-spec:
-  version: stable
-```
-
-Using the collection above, the dependent files (`k3s` executable and `https://get.k3s.io` script) will be fetched, as well as all the dependent images.
-
-> We know not everyone uses the get.k3s.io script to provision k3s, in the future this may change, but until then you're welcome to mix and match the `collection` with any of your own additional `content` 
-
-#### User defined `collections`
-
-Although `content` and `collections` can only be used when they are baked in to `hauler`, the goal is to allow these to be securely user-defined, allowing you to define your own desirable `collection` types, and leave the heavy lifting to `hauler`.  Check out our [roadmap](../ROADMAP.md) and [milestones]() for more info on that.
--- a/go.mod
+++ b/go.mod
@@ -1,162 +1,362 @@
-module github.com/rancherfederal/hauler
+module hauler.dev/go/hauler

-go 1.17
+go 1.25.5
+
+replace github.com/sigstore/cosign/v3 => github.com/hauler-dev/cosign/v3 v3.0.5-0.20260212234448-00b85d677dfc
+
+replace github.com/distribution/distribution/v3 => github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2
+
+replace github.com/docker/cli => github.com/docker/cli v28.5.1+incompatible // needed to keep oras v1.2.7 working, which depends on docker/cli v28.5.1+incompatible

 require (
-	github.com/containerd/containerd v1.5.7
-	github.com/distribution/distribution/v3 v3.0.0-20210926092439-1563384b69df
-	github.com/google/go-containerregistry v0.6.0
-	github.com/mholt/archiver/v3 v3.5.0
+	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be
+	github.com/containerd/containerd v1.7.29
+	github.com/distribution/distribution/v3 v3.0.0
+	github.com/google/go-containerregistry v0.20.7
+	github.com/gorilla/handlers v1.5.2
+	github.com/gorilla/mux v1.8.1
+	github.com/mholt/archives v0.1.5
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/olekukonko/tablewriter v1.1.2
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.1
-	github.com/rancher/wrangler v0.8.4
-	github.com/rs/zerolog v1.26.0
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.2.1
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	helm.sh/helm/v3 v3.7.1
-	k8s.io/apimachinery v0.22.2
-	k8s.io/client-go v0.22.2
-	oras.land/oras-go v0.4.0
-	sigs.k8s.io/controller-runtime v0.10.3
+	github.com/opencontainers/image-spec v1.1.1
+	github.com/pkg/errors v0.9.1
+	github.com/rs/zerolog v1.34.0
+	github.com/sigstore/cosign/v3 v3.0.2
+	github.com/sirupsen/logrus v1.9.4
+	github.com/spf13/afero v1.15.0
+	github.com/spf13/cobra v1.10.2
+	golang.org/x/sync v0.19.0
+	gopkg.in/yaml.v3 v3.0.1
+	helm.sh/helm/v3 v3.19.0
+	k8s.io/apimachinery v0.35.0
+	k8s.io/client-go v0.35.0
+	oras.land/oras-go v1.2.7
 )

 require (
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/BurntSushi/toml v0.3.1 // indirect
-	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
+	cloud.google.com/go/auth v0.18.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 // indirect
+	cuelang.org/go v0.15.3 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
-	github.com/Masterminds/squirrel v1.5.0 // indirect
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/STARRY-S/zip v0.2.3 // indirect
 	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
-	github.com/andybalholm/brotli v1.0.0 // indirect
-	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 // indirect
+	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
+	github.com/agnivade/levenshtein v1.2.1 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
+	github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
+	github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
+	github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
+	github.com/alibabacloud-go/debug v1.0.0 // indirect
+	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
+	github.com/alibabacloud-go/tea v1.2.1 // indirect
+	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
+	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
+	github.com/aliyun/credentials-go v1.3.2 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.41.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.32.5 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.5 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.51.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.38.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
+	github.com/aws/smithy-go v1.24.0 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.11.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/bodgit/plumbing v1.3.0 // indirect
+	github.com/bodgit/sevenzip v1.6.1 // indirect
+	github.com/bodgit/windows v1.0.1 // indirect
 	github.com/bshuster-repo/logrus-logstash-hook v1.0.0 // indirect
 	github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd // indirect
 	github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect
 	github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 // indirect
-	github.com/cespare/xxhash/v2 v2.1.1 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.7.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.2 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v20.10.7+incompatible // indirect
-	github.com/docker/distribution v2.7.1+incompatible // indirect
-	github.com/docker/docker v20.10.7+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.3 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/buildkite/agent/v3 v3.115.2 // indirect
+	github.com/buildkite/go-pipeline v0.16.0 // indirect
+	github.com/buildkite/interpolate v0.1.5 // indirect
+	github.com/buildkite/roko v1.4.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/chai2010/gettext-go v1.0.2 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
+	github.com/chzyer/readline v1.5.1 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/clipperhouse/displaywidth v0.6.0 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
+	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v1.0.0-rc.2 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
+	github.com/coreos/go-oidc/v3 v3.17.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/cli v29.0.3+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v28.5.2+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.4 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
 	github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 // indirect
-	github.com/dsnet/compress v0.0.1 // indirect
-	github.com/evanphx/json-patch v4.11.0+incompatible // indirect
-	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
-	github.com/fatih/color v1.7.0 // indirect
-	github.com/felixge/httpsnoop v1.0.1 // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
-	github.com/go-errors/errors v1.0.1 // indirect
-	github.com/go-logr/logr v0.4.0 // indirect
-	github.com/go-openapi/jsonpointer v0.19.5 // indirect
-	github.com/go-openapi/jsonreference v0.19.5 // indirect
-	github.com/go-openapi/swag v0.19.14 // indirect
+	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
+	github.com/emicklei/proto v1.14.2 // indirect
+	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-chi/chi/v5 v5.2.4 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/analysis v0.24.1 // indirect
+	github.com/go-openapi/errors v0.22.6 // indirect
+	github.com/go-openapi/jsonpointer v0.22.4 // indirect
+	github.com/go-openapi/jsonreference v0.21.4 // indirect
+	github.com/go-openapi/loads v0.23.2 // indirect
+	github.com/go-openapi/runtime v0.29.2 // indirect
+	github.com/go-openapi/spec v0.22.3 // indirect
+	github.com/go-openapi/strfmt v0.25.0 // indirect
+	github.com/go-openapi/swag v0.25.4 // indirect
+	github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
+	github.com/go-openapi/swag/conv v0.25.4 // indirect
+	github.com/go-openapi/swag/fileutils v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.4 // indirect
+	github.com/go-openapi/swag/loading v0.25.4 // indirect
+	github.com/go-openapi/swag/mangling v0.25.4 // indirect
+	github.com/go-openapi/swag/netutils v0.25.4 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.4 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
+	github.com/go-openapi/validate v0.25.1 // indirect
+	github.com/go-piv/piv-go/v2 v2.4.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/golang/snappy v0.0.3 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
 	github.com/gomodule/redigo v1.8.2 // indirect
-	github.com/google/btree v1.0.1 // indirect
-	github.com/google/go-cmp v0.5.6 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
-	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.2.0 // indirect
-	github.com/googleapis/gnostic v0.5.5 // indirect
-	github.com/gorilla/handlers v1.5.1 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/certificate-transparency-go v1.3.2 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-github/v73 v73.0.0 // indirect
+	github.com/google/go-querystring v1.2.0 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.9 // indirect
+	github.com/googleapis/gax-go/v2 v2.16.0 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
-	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
-	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/jmoiron/sqlx v1.3.1 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
-	github.com/json-iterator/go v1.1.11 // indirect
-	github.com/klauspost/compress v1.13.0 // indirect
-	github.com/klauspost/pgzip v1.2.4 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
+	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/in-toto/attestation v1.1.2 // indirect
+	github.com/in-toto/in-toto-golang v0.9.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/lib/pq v1.10.0 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/dsig v1.0.0 // indirect
+	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect
+	github.com/lestrrat-go/jwx/v3 v3.0.12 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
+	github.com/letsencrypt/boulder v0.20251110.0 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
-	github.com/mattn/go-colorable v0.0.9 // indirect
-	github.com/mattn/go-isatty v0.0.4 // indirect
-	github.com/mattn/go-runewidth v0.0.9 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/mitchellh/copystructure v1.1.1 // indirect
-	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
-	github.com/mitchellh/reflectwalk v1.0.1 // indirect
+	github.com/manifoldco/promptui v0.9.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mikelolasagasti/xz v1.0.1 // indirect
+	github.com/minio/minlz v1.0.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/nwaples/rardecode v1.1.0 // indirect
+	github.com/mozillazg/docker-credential-acr-helper v0.4.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
+	github.com/nwaples/rardecode/v2 v2.2.1 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/oleiade/reflections v1.1.0 // indirect
+	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
+	github.com/olekukonko/errors v1.1.0 // indirect
+	github.com/olekukonko/ll v0.1.3 // indirect
+	github.com/open-policy-agent/opa v1.12.1 // indirect
+	github.com/pborman/uuid v1.2.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
-	github.com/pierrec/lz4/v4 v4.0.3 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.11.0 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.26.0 // indirect
-	github.com/prometheus/procfs v0.6.0 // indirect
-	github.com/rancher/lasso v0.0.0-20210616224652-fc3ebd901c08 // indirect
-	github.com/rubenv/sql-migrate v0.0.0-20210614095031-55d5740dbbcc // indirect
-	github.com/russross/blackfriday v1.5.2 // indirect
-	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.7.0 // indirect
-	github.com/ulikunitz/xz v0.5.7 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/rubenv/sql-migrate v1.8.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.11.0 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.10.0 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sigstore/fulcio v1.8.5 // indirect
+	github.com/sigstore/protobuf-specs v0.5.0 // indirect
+	github.com/sigstore/rekor v1.5.0 // indirect
+	github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect
+	github.com/sigstore/sigstore v1.10.4 // indirect
+	github.com/sigstore/sigstore-go v1.1.4 // indirect
+	github.com/sigstore/timestamp-authority/v2 v2.0.4 // indirect
+	github.com/sorairolake/lzip-go v0.3.8 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/viper v1.21.0 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
+	github.com/tchap/go-patricia/v2 v2.3.3 // indirect
+	github.com/thales-e-security/pool v0.0.2 // indirect
+	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.3.1 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
+	github.com/valyala/fastjson v1.6.4 // indirect
+	github.com/vbatts/tar-split v0.12.2 // indirect
+	github.com/vektah/gqlparser/v2 v2.5.31 // indirect
+	github.com/withfig/autocomplete-tools/integrations/cobra v1.2.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
-	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect
 	github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 // indirect
 	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect
-	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
-	golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d // indirect
-	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
-	golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 // indirect
-	golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect
-	golang.org/x/text v0.3.6 // indirect
-	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
-	google.golang.org/grpc v1.38.0 // indirect
-	google.golang.org/protobuf v1.26.0 // indirect
-	gopkg.in/gorp.v1 v1.7.2 // indirect
+	gitlab.com/gitlab-org/api/client-go v1.11.0 // indirect
+	go.mongodb.org/mongo-driver v1.17.6 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
+	go.opentelemetry.io/otel v1.39.0 // indirect
+	go.opentelemetry.io/otel/metric v1.39.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.39.0 // indirect
+	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.1 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
+	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	google.golang.org/api v0.260.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251222181119-0a764e51fe1b // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
+	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.67.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
-	k8s.io/api v0.22.2 // indirect
-	k8s.io/apiextensions-apiserver v0.22.2 // indirect
-	k8s.io/apiserver v0.22.2 // indirect
-	k8s.io/cli-runtime v0.22.1 // indirect
-	k8s.io/component-base v0.22.2 // indirect
-	k8s.io/klog/v2 v2.9.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
-	k8s.io/kubectl v0.22.1 // indirect
-	k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect
-	sigs.k8s.io/kustomize/api v0.8.11 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.11.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
-	sigs.k8s.io/yaml v1.2.0 // indirect
+	k8s.io/api v0.35.0 // indirect
+	k8s.io/apiextensions-apiserver v0.34.0 // indirect
+	k8s.io/apiserver v0.34.0 // indirect
+	k8s.io/cli-runtime v0.34.0 // indirect
+	k8s.io/component-base v0.34.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	k8s.io/kubectl v0.34.0 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
+	oras.land/oras-go/v2 v2.6.0 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/kustomize/api v0.20.1 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/release-utils v0.12.3 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,223 @@
+#!/bin/bash
+
+# Usage:
+#   - curl -sfL... | ENV_VAR=... bash
+#   - ENV_VAR=... ./install.sh
+#
+# Install Usage:
+#   Install Latest Release
+#     - curl -sfL https://get.hauler.dev | bash
+#     - ./install.sh
+#
+#   Install Specific Release
+#     - curl -sfL https://get.hauler.dev | HAULER_VERSION=1.0.0 bash
+#     - HAULER_VERSION=1.0.0 ./install.sh
+#
+#   Set Install Directory
+#     - curl -sfL https://get.hauler.dev | HAULER_INSTALL_DIR=/usr/local/bin bash
+#     - HAULER_INSTALL_DIR=/usr/local/bin ./install.sh
+#
+#   Set Hauler Directory
+#     - curl -sfL https://get.hauler.dev | HAULER_DIR=$HOME/.hauler bash
+#     - HAULER_DIR=$HOME/.hauler ./install.sh
+#
+# Debug Usage:
+#   - curl -sfL https://get.hauler.dev | HAULER_DEBUG=true bash
+#   - HAULER_DEBUG=true ./install.sh
+#
+# Uninstall Usage:
+#   - curl -sfL https://get.hauler.dev | HAULER_UNINSTALL=true bash
+#   - HAULER_UNINSTALL=true ./install.sh
+#
+# Documentation:
+#   - https://hauler.dev
+#   - https://github.com/hauler-dev/hauler
+
+# set functions for logging
+function verbose {
+    echo "$1"
+}
+
+function info {
+    echo && echo "[INFO] Hauler: $1"
+}
+
+function warn {
+    echo && echo "[WARN] Hauler: $1"
+}
+
+function fatal {
+    echo && echo "[ERROR] Hauler: $1"
+    exit 1
+}
+
+# debug hauler from argument or environment variable
+if [ "${HAULER_DEBUG}" = "true" ]; then
+    set -x
+fi
+
+# start hauler preflight checks
+info "Starting Preflight Checks..."
+
+# check for required packages and dependencies
+for cmd in echo curl grep sed rm mkdir awk openssl tar install source; do
+    if ! command -v "$cmd" &> /dev/null; then
+        fatal "$cmd is required to install Hauler"
+    fi
+done
+
+# set install directory from argument or environment variable
+HAULER_INSTALL_DIR=${HAULER_INSTALL_DIR:-/usr/local/bin}
+
+# ensure install directory exists and/or create it
+if [ ! -d "${HAULER_INSTALL_DIR}" ]; then
+    mkdir -p "${HAULER_INSTALL_DIR}" || fatal "Failed to Create Install Directory: ${HAULER_INSTALL_DIR}"
+fi
+
+# ensure install directory is writable (by user or root privileges)
+if [ ! -w "${HAULER_INSTALL_DIR}" ]; then
+    if [ "$(id -u)" -ne 0 ]; then
+        fatal "Root privileges are required to install Hauler to Directory: ${HAULER_INSTALL_DIR}"
+    fi
+fi
+
+# uninstall hauler from argument or environment variable
+if [ "${HAULER_UNINSTALL}" = "true" ]; then
+    # remove the hauler binary
+    rm -rf "${HAULER_INSTALL_DIR}/hauler" || fatal "Failed to Remove Hauler from ${HAULER_INSTALL_DIR}"
+
+    # remove the hauler directory
+    rm -rf "${HAULER_DIR}" || fatal "Failed to Remove Hauler Directory: ${HAULER_DIR}"
+
+    info "Successfully Uninstalled Hauler" && echo
+    exit 0
+fi
+
+# set version environment variable
+if [ -z "${HAULER_VERSION}" ]; then
+    # attempt to retrieve the latest version from GitHub
+    HAULER_VERSION=$(curl -sI https://github.com/hauler-dev/hauler/releases/latest | grep -i location | sed -e 's#.*tag/v##' -e 's/^[[:space:]]*//g' -e 's/[[:space:]]*$//g')
+
+    # exit if the version could not be detected
+    if [ -z "${HAULER_VERSION}" ]; then
+        fatal "HAULER_VERSION is unable to be detected and/or retrieved from GitHub. Please set: HAULER_VERSION"
+    fi
+fi
+
+# detect the operating system
+PLATFORM=$(uname -s | tr '[:upper:]' '[:lower:]')
+case $PLATFORM in
+    linux)
+        PLATFORM="linux"
+        ;;
+    darwin)
+        PLATFORM="darwin"
+        ;;
+    *)
+        fatal "Unsupported Platform: ${PLATFORM}"
+        ;;
+esac
+
+# detect the architecture
+ARCH=$(uname -m)
+case $ARCH in
+    x86_64 | x86-32 | x64 | x32 | amd64)
+        ARCH="amd64"
+        ;;
+    aarch64 | arm64)
+        ARCH="arm64"
+        ;;
+    *)
+        fatal "Unsupported Architecture: ${ARCH}"
+        ;;
+esac
+
+# set hauler directory from argument or environment variable
+HAULER_DIR=${HAULER_DIR:-$HOME/.hauler}
+
+# start hauler installation
+info "Starting Installation..."
+
+# display the version, platform, and architecture
+verbose "- Version: v${HAULER_VERSION}"
+verbose "- Platform: ${PLATFORM}"
+verbose "- Architecture: ${ARCH}"
+verbose "- Install Directory: ${HAULER_INSTALL_DIR}"
+verbose "- Hauler Directory: ${HAULER_DIR}"
+
+# ensure hauler directory exists and/or create it
+if [ ! -d "${HAULER_DIR}" ]; then
+    mkdir -p "${HAULER_DIR}" || fatal "Failed to Create Hauler Directory: ${HAULER_DIR}"
+fi
+
+# ensure hauler directory is writable (by user or root privileges)
+chmod -R 777 "${HAULER_DIR}" || fatal "Failed to Update Permissions of Hauler Directory: ${HAULER_DIR}"
+
+# change to hauler directory
+cd "${HAULER_DIR}" || fatal "Failed to Change Directory to Hauler Directory: ${HAULER_DIR}"
+
+# start hauler artifacts download
+info "Starting Download..."
+
+# download the checksum file
+if ! curl -sfOL "https://github.com/hauler-dev/hauler/releases/download/v${HAULER_VERSION}/hauler_${HAULER_VERSION}_checksums.txt"; then
+    fatal "Failed to Download: hauler_${HAULER_VERSION}_checksums.txt"
+fi
+
+# download the archive file
+if ! curl -sfOL "https://github.com/hauler-dev/hauler/releases/download/v${HAULER_VERSION}/hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"; then
+    fatal "Failed to Download: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+fi
+
+# start hauler checksum verification
+info "Starting Checksum Verification..."
+
+# verify the Hauler checksum
+EXPECTED_CHECKSUM=$(awk -v HAULER_VERSION="${HAULER_VERSION}" -v PLATFORM="${PLATFORM}" -v ARCH="${ARCH}" '$2 == "hauler_"HAULER_VERSION"_"PLATFORM"_"ARCH".tar.gz" {print $1}' "hauler_${HAULER_VERSION}_checksums.txt")
+DETERMINED_CHECKSUM=$(openssl dgst -sha256 "hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz" | awk '{print $2}')
+
+if [ -z "${EXPECTED_CHECKSUM}" ]; then
+    fatal "Failed to Locate Checksum: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+elif [ "${DETERMINED_CHECKSUM}" = "${EXPECTED_CHECKSUM}" ]; then
+    verbose "- Expected Checksum: ${EXPECTED_CHECKSUM}"
+    verbose "- Determined Checksum: ${DETERMINED_CHECKSUM}"
+    verbose "- Successfully Verified Checksum: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+else
+    verbose "- Expected: ${EXPECTED_CHECKSUM}"
+    verbose "- Determined: ${DETERMINED_CHECKSUM}"
+    fatal "Failed Checksum Verification: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+fi
+
+# uncompress the hauler archive
+tar -xzf "hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz" || fatal "Failed to Extract: hauler_${HAULER_VERSION}_${PLATFORM}_${ARCH}.tar.gz"
+
+# install the hauler binary
+install -m 755 hauler "${HAULER_INSTALL_DIR}" || fatal "Failed to Install Hauler: ${HAULER_INSTALL_DIR}"
+
+# add hauler to the path
+if [[ ":$PATH:" != *":${HAULER_INSTALL_DIR}:"* ]]; then
+    if [ -f "$HOME/.bashrc" ]; then
+        echo "export PATH=\$PATH:${HAULER_INSTALL_DIR}" >> "$HOME/.bashrc"
+        source "$HOME/.bashrc"
+    elif [ -f "$HOME/.bash_profile" ]; then
+        echo "export PATH=\$PATH:${HAULER_INSTALL_DIR}" >> "$HOME/.bash_profile"
+        source "$HOME/.bash_profile"
+    elif [ -f "$HOME/.zshrc" ]; then
+        echo "export PATH=\$PATH:${HAULER_INSTALL_DIR}" >> "$HOME/.zshrc"
+        source "$HOME/.zshrc"
+    elif [ -f "$HOME/.profile" ]; then
+        echo "export PATH=\$PATH:${HAULER_INSTALL_DIR}" >> "$HOME/.profile"
+        source "$HOME/.profile"
+    else
+        warn "Failed to add ${HAULER_INSTALL_DIR} to PATH: Unsupported Shell"
+    fi
+fi
+
+# display success message
+info "Successfully Installed Hauler at ${HAULER_INSTALL_DIR}/hauler"
+
+# display availability message
+info "Hauler v${HAULER_VERSION} is now available for use!"
+
+# display hauler docs message
+verbose "- Documentation: https://hauler.dev" && echo
--- a/internal/flags/add.go
+++ b/internal/flags/add.go
@@ -0,0 +1,81 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"helm.sh/helm/v3/pkg/action"
+)
+
+type AddImageOpts struct {
+	*StoreRootOpts
+	Name                         string
+	Key                          string
+	CertOidcIssuer               string
+	CertOidcIssuerRegexp         string
+	CertIdentity                 string
+	CertIdentityRegexp           string
+	CertGithubWorkflowRepository string
+	Tlog                         bool
+	Platform                     string
+	Rewrite                      string
+}
+
+func (o *AddImageOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Location of public key to use for signature verification")
+	f.StringVar(&o.CertIdentity, "certificate-identity", "", "(Optional) Cosign certificate-identity (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertIdentityRegexp, "certificate-identity-regexp", "", "(Optional) Cosign certificate-identity-regexp (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "", "(Optional) Cosign option to validate oidc issuer")
+	f.StringVar(&o.CertOidcIssuerRegexp, "certificate-oidc-issuer-regexp", "", "(Optional) Cosign option to validate oidc issuer with regex")
+	f.StringVar(&o.CertGithubWorkflowRepository, "certificate-github-workflow-repository", "", "(Optional) Cosign certificate-github-workflow-repository option")
+	f.BoolVar(&o.Tlog, "use-tlog-verify", false, "(Optional) Allow transparency log verification (defaults to false)")
+	f.StringVarP(&o.Platform, "platform", "p", "", "(Optional) Specify the platform of the image... i.e. linux/amd64 (defaults to all)")
+	f.StringVar(&o.Rewrite, "rewrite", "", "(EXPERIMENTAL & Optional) Rewrite artifact path to specified string")
+}
+
+type AddFileOpts struct {
+	*StoreRootOpts
+	Name string
+}
+
+func (o *AddFileOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+	f.StringVarP(&o.Name, "name", "n", "", "(Optional) Rewrite the name of the file")
+}
+
+type AddChartOpts struct {
+	*StoreRootOpts
+
+	ChartOpts       *action.ChartPathOptions
+	Rewrite         string
+	AddDependencies bool
+	AddImages       bool
+	HelmValues      string
+	Platform        string
+	Registry        string
+	KubeVersion     string
+}
+
+func (o *AddChartOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVar(&o.ChartOpts.RepoURL, "repo", "", "Location of the chart (https:// | http:// | oci://)")
+	f.StringVar(&o.ChartOpts.Version, "version", "", "(Optional) Specify the version of the chart (v1.0.0 | 2.0.0 | ^2.0.0)")
+	f.BoolVar(&o.ChartOpts.Verify, "verify", false, "(Optional) Verify the chart before fetching it")
+	f.StringVar(&o.ChartOpts.Username, "username", "", "(Optional) Username to use for authentication")
+	f.StringVar(&o.ChartOpts.Password, "password", "", "(Optional) Password to use for authentication")
+	f.StringVar(&o.ChartOpts.CertFile, "cert-file", "", "(Optional) Location of the TLS Certificate to use for client authentication")
+	f.StringVar(&o.ChartOpts.KeyFile, "key-file", "", "(Optional) Location of the TLS Key to use for client authentication")
+	f.BoolVar(&o.ChartOpts.InsecureSkipTLSverify, "insecure-skip-tls-verify", false, "(Optional) Skip TLS certificate verification")
+	f.StringVar(&o.ChartOpts.CaFile, "ca-file", "", "(Optional) Location of CA Bundle to enable certification verification")
+	f.StringVar(&o.Rewrite, "rewrite", "", "(EXPERIMENTAL & Optional) Rewrite artifact path to specified string")
+
+	cmd.MarkFlagsRequiredTogether("username", "password")
+	cmd.MarkFlagsRequiredTogether("cert-file", "key-file", "ca-file")
+
+	cmd.Flags().BoolVar(&o.AddDependencies, "add-dependencies", false, "(EXPERIMENTAL & Optional) Fetch dependent helm charts")
+	f.BoolVar(&o.AddImages, "add-images", false, "(EXPERIMENTAL & Optional) Fetch images referenced in helm charts")
+	f.StringVar(&o.HelmValues, "values", "", "(EXPERIMENTAL & Optional) Specify helm chart values when fetching images")
+	f.StringVarP(&o.Platform, "platform", "p", "", "(Optional) Specify the platform of the image, e.g. linux/amd64")
+	f.StringVarP(&o.Registry, "registry", "g", "", "(Optional) Specify the registry of the image for images that do not alredy define one")
+	f.StringVar(&o.KubeVersion, "kube-version", "v1.34.1", "(EXPERIMENTAL & Optional) Override the kubernetes version for helm template rendering")
+}
--- a/internal/flags/cli.go
+++ b/internal/flags/cli.go
@@ -0,0 +1,17 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type CliRootOpts struct {
+	LogLevel     string
+	HaulerDir    string
+	IgnoreErrors bool
+}
+
+func AddRootFlags(cmd *cobra.Command, ro *CliRootOpts) {
+	pf := cmd.PersistentFlags()
+
+	pf.StringVarP(&ro.LogLevel, "log-level", "l", "info", "Set the logging level (i.e. info, debug, warn)")
+	pf.StringVarP(&ro.HaulerDir, "haulerdir", "d", "", "Set the location of the hauler directory (default $HOME/.hauler)")
+	pf.BoolVar(&ro.IgnoreErrors, "ignore-errors", false, "Ignore/Bypass errors (i.e. warn on error) (defaults false)")
+}
--- a/internal/flags/copy.go
+++ b/internal/flags/copy.go
@@ -0,0 +1,38 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type CopyOpts struct {
+	*StoreRootOpts
+
+	Username  string
+	Password  string
+	Insecure  bool
+	PlainHTTP bool
+	Only      string
+}
+
+func (o *CopyOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVarP(&o.Username, "username", "u", "", "(Deprecated) Please use 'hauler login'")
+	f.StringVarP(&o.Password, "password", "p", "", "(Deprecated) Please use 'hauler login'")
+	f.BoolVar(&o.Insecure, "insecure", false, "(Optional) Allow insecure connections")
+	f.BoolVar(&o.PlainHTTP, "plain-http", false, "(Optional) Allow plain HTTP connections")
+	f.StringVarP(&o.Only, "only", "o", "", "(Optional) Custom string array to only copy specific 'image' items")
+
+	cmd.MarkFlagsRequiredTogether("username", "password")
+
+	if err := f.MarkDeprecated("username", "please use 'hauler login'"); err != nil {
+		panic(err)
+	}
+	if err := f.MarkDeprecated("password", "please use 'hauler login'"); err != nil {
+		panic(err)
+	}
+	if err := f.MarkHidden("username"); err != nil {
+		panic(err)
+	}
+	if err := f.MarkHidden("password"); err != nil {
+		panic(err)
+	}
+}
--- a/internal/flags/extract.go
+++ b/internal/flags/extract.go
@@ -0,0 +1,14 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type ExtractOpts struct {
+	*StoreRootOpts
+	DestinationDir string
+}
+
+func (o *ExtractOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVarP(&o.DestinationDir, "output", "o", "", "(Optional) Set the directory to output (defaults to current directory)")
+}
--- a/internal/flags/info.go
+++ b/internal/flags/info.go
@@ -0,0 +1,22 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type InfoOpts struct {
+	*StoreRootOpts
+
+	OutputFormat string
+	TypeFilter   string
+	SizeUnit     string
+	ListRepos    bool
+	ShowDigests  bool
+}
+
+func (o *InfoOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVarP(&o.OutputFormat, "output", "o", "table", "(Optional) Specify the output format (table | json)")
+	f.StringVar(&o.TypeFilter, "type", "all", "(Optional) Filter on content type (image | chart | file | sigs | atts | sbom)")
+	f.BoolVar(&o.ListRepos, "list-repos", false, "(Optional) List all repository names")
+	f.BoolVar(&o.ShowDigests, "digests", false, "(Optional) Show digests of each artifact in the output table")
+}
--- a/internal/flags/load.go
+++ b/internal/flags/load.go
@@ -0,0 +1,17 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type LoadOpts struct {
+	*StoreRootOpts
+	FileName []string
+}
+
+func (o *LoadOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringSliceVarP(&o.FileName, "filename", "f", []string{consts.DefaultHaulerArchiveName}, "(Optional) Specify the name of inputted haul(s)")
+}
--- a/internal/flags/remove.go
+++ b/internal/flags/remove.go
@@ -0,0 +1,11 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type RemoveOpts struct {
+	Force bool // skip remove confirmation
+}
+
+func (o *RemoveOpts) AddFlags(cmd *cobra.Command) {
+	cmd.Flags().BoolVarP(&o.Force, "force", "f", false, "(Optional) Remove artifact(s) without confirmation")
+}
--- a/internal/flags/save.go
+++ b/internal/flags/save.go
@@ -0,0 +1,22 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type SaveOpts struct {
+	*StoreRootOpts
+	FileName                string
+	Platform                string
+	ContainerdCompatibility bool
+}
+
+func (o *SaveOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringVarP(&o.FileName, "filename", "f", consts.DefaultHaulerArchiveName, "(Optional) Specify the name of outputted haul")
+	f.StringVarP(&o.Platform, "platform", "p", "", "(Optional) Specify the platform for runtime imports... i.e. linux/amd64 (unspecified implies all)")
+	f.BoolVar(&o.ContainerdCompatibility, "containerd", false, "(Optional) Enable import compatibility with containerd... removes oci-layout from the haul")
+
+}
--- a/internal/flags/serve.go
+++ b/internal/flags/serve.go
@@ -0,0 +1,56 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type ServeRegistryOpts struct {
+	*StoreRootOpts
+
+	Port       int
+	RootDir    string
+	ConfigFile string
+	ReadOnly   bool
+
+	TLSCert string
+	TLSKey  string
+}
+
+func (o *ServeRegistryOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.IntVarP(&o.Port, "port", "p", consts.DefaultRegistryPort, "(Optional) Set the port to use for incoming connections")
+	f.StringVar(&o.RootDir, "directory", consts.DefaultRegistryRootDir, "(Optional) Directory to use for backend. Defaults to $PWD/registry")
+	f.StringVarP(&o.ConfigFile, "config", "c", "", "(Optional) Location of config file (overrides all flags)")
+	f.BoolVar(&o.ReadOnly, "readonly", true, "(Optional) Run the registry as readonly")
+
+	f.StringVar(&o.TLSCert, "tls-cert", "", "(Optional) Location of the TLS Certificate to use for server authenication")
+	f.StringVar(&o.TLSKey, "tls-key", "", "(Optional) Location of the TLS Key to use for server authenication")
+
+	cmd.MarkFlagsRequiredTogether("tls-cert", "tls-key")
+}
+
+type ServeFilesOpts struct {
+	*StoreRootOpts
+
+	Port    int
+	Timeout int
+	RootDir string
+
+	TLSCert string
+	TLSKey  string
+}
+
+func (o *ServeFilesOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.IntVarP(&o.Port, "port", "p", consts.DefaultFileserverPort, "(Optional) Set the port to use for incoming connections")
+	f.IntVar(&o.Timeout, "timeout", consts.DefaultFileserverTimeout, "(Optional) Timeout duration for HTTP Requests in seconds for both reads/writes")
+	f.StringVar(&o.RootDir, "directory", consts.DefaultFileserverRootDir, "(Optional) Directory to use for backend. Defaults to $PWD/fileserver")
+
+	f.StringVar(&o.TLSCert, "tls-cert", "", "(Optional) Location of the TLS Certificate to use for server authenication")
+	f.StringVar(&o.TLSKey, "tls-key", "", "(Optional) Location of the TLS Key to use for server authenication")
+
+	cmd.MarkFlagsRequiredTogether("tls-cert", "tls-key")
+}
--- a/internal/flags/store.go
+++ b/internal/flags/store.go
@@ -0,0 +1,63 @@
+package flags
+
+import (
+	"context"
+	"errors"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/log"
+	"hauler.dev/go/hauler/pkg/store"
+)
+
+type StoreRootOpts struct {
+	StoreDir     string
+	Retries      int
+	TempOverride string
+}
+
+func (o *StoreRootOpts) AddFlags(cmd *cobra.Command) {
+	pf := cmd.PersistentFlags()
+	pf.StringVarP(&o.StoreDir, "store", "s", "", "Set the directory to use for the content store")
+	pf.IntVarP(&o.Retries, "retries", "r", consts.DefaultRetries, "Set the number of retries for operations")
+	pf.StringVarP(&o.TempOverride, "tempdir", "t", "", "(Optional) Override the default temporary directory determined by the OS")
+}
+
+func (o *StoreRootOpts) Store(ctx context.Context) (*store.Layout, error) {
+	l := log.FromContext(ctx)
+
+	storeDir := o.StoreDir
+
+	if storeDir == "" {
+		storeDir = os.Getenv(consts.HaulerStoreDir)
+	}
+
+	if storeDir == "" {
+		storeDir = consts.DefaultStoreName
+	}
+
+	abs, err := filepath.Abs(storeDir)
+	if err != nil {
+		return nil, err
+	}
+
+	o.StoreDir = abs
+
+	l.Debugf("using store at [%s]", abs)
+
+	if _, err := os.Stat(abs); errors.Is(err, os.ErrNotExist) {
+		if err := os.MkdirAll(abs, os.ModePerm); err != nil {
+			return nil, err
+		}
+	} else if err != nil {
+		return nil, err
+	}
+
+	s, err := store.NewLayout(abs)
+	if err != nil {
+		return nil, err
+	}
+	return s, nil
+}
--- a/internal/flags/sync.go
+++ b/internal/flags/sync.go
@@ -0,0 +1,41 @@
+package flags
+
+import (
+	"github.com/spf13/cobra"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type SyncOpts struct {
+	*StoreRootOpts
+	FileName                     []string
+	Key                          string
+	CertOidcIssuer               string
+	CertOidcIssuerRegexp         string
+	CertIdentity                 string
+	CertIdentityRegexp           string
+	CertGithubWorkflowRepository string
+	Products                     []string
+	Platform                     string
+	Registry                     string
+	ProductRegistry              string
+	Tlog                         bool
+	Rewrite                      string
+}
+
+func (o *SyncOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+
+	f.StringSliceVarP(&o.FileName, "filename", "f", []string{consts.DefaultHaulerManifestName}, "Specify the name of manifest(s) to sync")
+	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Location of public key to use for signature verification")
+	f.StringVar(&o.CertIdentity, "certificate-identity", "", "(Optional) Cosign certificate-identity (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertIdentityRegexp, "certificate-identity-regexp", "", "(Optional) Cosign certificate-identity-regexp (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "", "(Optional) Cosign option to validate oidc issuer")
+	f.StringVar(&o.CertOidcIssuerRegexp, "certificate-oidc-issuer-regexp", "", "(Optional) Cosign option to validate oidc issuer with regex")
+	f.StringVar(&o.CertGithubWorkflowRepository, "certificate-github-workflow-repository", "", "(Optional) Cosign certificate-github-workflow-repository option")
+	f.StringSliceVar(&o.Products, "products", []string{}, "(Optional) Specify the product name to fetch collections from the product registry i.e. rancher=v2.10.1,rke2=v1.31.5+rke2r1")
+	f.StringVarP(&o.Platform, "platform", "p", "", "(Optional) Specify the platform of the image... i.e linux/amd64 (defaults to all)")
+	f.StringVarP(&o.Registry, "registry", "g", "", "(Optional) Specify the registry of the image for images that do not alredy define one")
+	f.StringVarP(&o.ProductRegistry, "product-registry", "c", "", "(Optional) Specify the product registry. Defaults to RGS Carbide Registry (rgcrprod.azurecr.us)")
+	f.BoolVar(&o.Tlog, "use-tlog-verify", false, "(Optional) Allow transparency log verification (defaults to false)")
+	f.StringVar(&o.Rewrite, "rewrite", "", "(EXPERIMENTAL & Optional) Rewrite artifact path to specified string")
+}
--- a/internal/flags/version.go
+++ b/internal/flags/version.go
@@ -0,0 +1,12 @@
+package flags
+
+import "github.com/spf13/cobra"
+
+type VersionOpts struct {
+	JSON bool
+}
+
+func (o *VersionOpts) AddFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+	f.BoolVar(&o.JSON, "json", false, "Set the output format to JSON")
+}
--- a/internal/mapper/filestore.go
+++ b/internal/mapper/filestore.go
@@ -0,0 +1,86 @@
+package mapper
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	ccontent "github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/remotes"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"oras.land/oras-go/pkg/content"
+)
+
+// NewMapperFileStore creates a new file store that uses mapper functions for each detected descriptor.
+//
+//	This extends content.File, and differs in that it allows much more functionality into how each descriptor is written.
+func NewMapperFileStore(root string, mapper map[string]Fn) *store {
+	fs := content.NewFile(root)
+	return &store{
+		File:   fs,
+		mapper: mapper,
+	}
+}
+
+func (s *store) Pusher(ctx context.Context, ref string) (remotes.Pusher, error) {
+	var tag, hash string
+	parts := strings.SplitN(ref, "@", 2)
+	if len(parts) > 0 {
+		tag = parts[0]
+	}
+	if len(parts) > 1 {
+		hash = parts[1]
+	}
+	return &pusher{
+		store:  s.File,
+		tag:    tag,
+		ref:    hash,
+		mapper: s.mapper,
+	}, nil
+}
+
+type store struct {
+	*content.File
+	mapper map[string]Fn
+}
+
+func (s *pusher) Push(ctx context.Context, desc ocispec.Descriptor) (ccontent.Writer, error) {
+	// TODO: This is suuuuuper ugly... redo this when oras v2 is out
+	if _, ok := content.ResolveName(desc); ok {
+		p, err := s.store.Pusher(ctx, s.ref)
+		if err != nil {
+			return nil, err
+		}
+		return p.Push(ctx, desc)
+	}
+
+	// If no custom mapper found, fall back to content.File mapper
+	if _, ok := s.mapper[desc.MediaType]; !ok {
+		return content.NewIoContentWriter(io.Discard, content.WithOutputHash(desc.Digest)), nil
+	}
+
+	filename, err := s.mapper[desc.MediaType](desc)
+	if err != nil {
+		return nil, err
+	}
+
+	fullFileName := filepath.Join(s.store.ResolvePath(""), filename)
+	// TODO: Don't rewrite everytime, we can check the digest
+	f, err := os.OpenFile(fullFileName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return nil, errors.Wrap(err, "pushing file")
+	}
+
+	w := content.NewIoContentWriter(f, content.WithInputHash(desc.Digest), content.WithOutputHash(desc.Digest))
+	return w, nil
+}
+
+type pusher struct {
+	store  *content.File
+	tag    string
+	ref    string
+	mapper map[string]Fn
+}
--- a/internal/mapper/mappers.go
+++ b/internal/mapper/mappers.go
@@ -0,0 +1,83 @@
+package mapper
+
+import (
+	"fmt"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"oras.land/oras-go/pkg/target"
+
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+type Fn func(desc ocispec.Descriptor) (string, error)
+
+// FromManifest will return the appropriate content store given a reference and source type adequate for storing the results on disk
+func FromManifest(manifest ocispec.Manifest, root string) (target.Target, error) {
+	// TODO: Don't rely solely on config mediatype
+	switch manifest.Config.MediaType {
+	case consts.DockerConfigJSON, consts.OCIManifestSchema1:
+		s := NewMapperFileStore(root, Images())
+		defer s.Close()
+		return s, nil
+
+	case consts.ChartLayerMediaType, consts.ChartConfigMediaType:
+		s := NewMapperFileStore(root, Chart())
+		defer s.Close()
+		return s, nil
+
+	default:
+		s := NewMapperFileStore(root, nil)
+		defer s.Close()
+		return s, nil
+	}
+}
+
+func Images() map[string]Fn {
+	m := make(map[string]Fn)
+
+	manifestMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		return consts.ImageManifestFile, nil
+	})
+
+	for _, l := range []string{consts.DockerManifestSchema2, consts.DockerManifestListSchema2, consts.OCIManifestSchema1} {
+		m[l] = manifestMapperFn
+	}
+
+	layerMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		return fmt.Sprintf("%s.tar.gz", desc.Digest.String()), nil
+	})
+
+	for _, l := range []string{consts.OCILayer, consts.DockerLayer} {
+		m[l] = layerMapperFn
+	}
+
+	configMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		return consts.ImageConfigFile, nil
+	})
+
+	for _, l := range []string{consts.DockerConfigJSON} {
+		m[l] = configMapperFn
+	}
+
+	return m
+}
+
+func Chart() map[string]Fn {
+	m := make(map[string]Fn)
+
+	chartMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		f := "chart.tar.gz"
+		if _, ok := desc.Annotations[ocispec.AnnotationTitle]; ok {
+			f = desc.Annotations[ocispec.AnnotationTitle]
+		}
+		return f, nil
+	})
+
+	provMapperFn := Fn(func(desc ocispec.Descriptor) (string, error) {
+		return "prov.json", nil
+	})
+
+	m[consts.ChartLayerMediaType] = chartMapperFn
+	m[consts.ProvLayerMediaType] = provMapperFn
+	return m
+}
--- a/internal/server/file.go
+++ b/internal/server/file.go
@@ -0,0 +1,41 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/gorilla/handlers"
+	"github.com/gorilla/mux"
+	"hauler.dev/go/hauler/internal/flags"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+// NewFile returns a fileserver
+// TODO: Better configs
+func NewFile(ctx context.Context, cfg flags.ServeFilesOpts) (Server, error) {
+	r := mux.NewRouter()
+	r.PathPrefix("/").Handler(handlers.LoggingHandler(os.Stdout, http.StripPrefix("/", http.FileServer(http.Dir(cfg.RootDir)))))
+	if cfg.RootDir == "" {
+		cfg.RootDir = "."
+	}
+
+	if cfg.Port == 0 {
+		cfg.Port = consts.DefaultFileserverPort
+	}
+
+	if cfg.Timeout == 0 {
+		cfg.Timeout = consts.DefaultFileserverTimeout
+	}
+
+	srv := &http.Server{
+		Handler:      r,
+		Addr:         fmt.Sprintf(":%d", cfg.Port),
+		WriteTimeout: time.Duration(cfg.Timeout) * time.Second,
+		ReadTimeout:  time.Duration(cfg.Timeout) * time.Second,
+	}
+
+	return srv, nil
+}
--- a/internal/server/registry.go
+++ b/internal/server/registry.go
@@ -0,0 +1,113 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"time"
+
+	"github.com/distribution/distribution/v3/configuration"
+	"github.com/distribution/distribution/v3/registry"
+	"github.com/distribution/distribution/v3/registry/handlers"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+func NewRegistry(ctx context.Context, cfg *configuration.Configuration) (*registry.Registry, error) {
+	r, err := registry.NewRegistry(ctx, cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	return r, nil
+}
+
+type tmpRegistryServer struct {
+	*httptest.Server
+}
+
+func NewTempRegistry(ctx context.Context, root string) *tmpRegistryServer {
+	cfg := &configuration.Configuration{
+		Version: "0.1",
+		Storage: configuration.Storage{
+			"cache":      configuration.Parameters{"blobdescriptor": "inmemory"},
+			"filesystem": configuration.Parameters{"rootdirectory": root},
+		},
+	}
+
+	cfg.Validation.Manifests.URLs.Allow = []string{".+"}
+
+	cfg.Log.Level = "error"
+	cfg.HTTP.Headers = http.Header{
+		"X-Content-Type-Options": []string{"nosniff"},
+	}
+
+	l, err := logrus.ParseLevel("panic")
+	if err != nil {
+		l = logrus.ErrorLevel
+	}
+	logrus.SetLevel(l)
+
+	app := handlers.NewApp(ctx, cfg)
+	app.RegisterHealthChecks()
+	handler := alive("/", app)
+
+	s := httptest.NewUnstartedServer(handler)
+	return &tmpRegistryServer{
+		Server: s,
+	}
+}
+
+// Registry returns the URL of the server without the protocol, suitable for content references
+func (t *tmpRegistryServer) Registry() string {
+	return strings.Replace(t.Server.URL, "http://", "", 1)
+}
+
+func (t *tmpRegistryServer) Start() error {
+	t.Server.Start()
+
+	err := retry(5, 1*time.Second, func() (err error) {
+		resp, err := http.Get(t.Server.URL + "/v2")
+		if err != nil {
+			return err
+		}
+		resp.Body.Close()
+		if resp.StatusCode == http.StatusOK {
+			return nil
+		}
+		return errors.New("to start temporary registry")
+
+	})
+	return err
+}
+
+func (t *tmpRegistryServer) Stop() {
+	t.Server.Close()
+}
+
+func alive(path string, handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == path {
+			w.Header().Set("Cache-Control", "no-cache")
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+		handler.ServeHTTP(w, r)
+	})
+}
+
+func retry(attempts int, sleep time.Duration, f func() error) (err error) {
+	for i := 0; i < attempts; i++ {
+		if i > 0 {
+			time.Sleep(sleep)
+			sleep *= 2
+		}
+		err = f()
+		if err == nil {
+			return nil
+		}
+	}
+	return fmt.Errorf("after %d attempts, last error: %s", attempts, err)
+}
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -0,0 +1,6 @@
+package server
+
+type Server interface {
+	ListenAndServe() error
+	ListenAndServeTLS(string, string) error
+}
--- a/internal/version/version.go
+++ b/internal/version/version.go
@@ -0,0 +1,228 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package version
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"runtime"
+	"runtime/debug"
+	"strings"
+	"sync"
+	"text/tabwriter"
+	"time"
+
+	"github.com/common-nighthawk/go-figure"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+// Base version information.
+//
+// This is the fallback data used when version information from git is not
+// provided via go ldflags.
+var (
+	// Output of "git describe". The prerequisite is that the
+	// branch should be tagged using the correct versioning strategy.
+	gitVersion = "devel"
+	// SHA1 from git, output of $(git rev-parse HEAD)
+	gitCommit = consts.Unknown
+	// State of git tree, either "clean" or "dirty"
+	gitTreeState = consts.Unknown
+	// Build date in ISO8601 format, output of $(date -u +'%Y-%m-%dT%H:%M:%SZ')
+	buildDate = consts.Unknown
+	// flag to print the ascii name banner
+	asciiName = "true"
+	// goVersion is the used golang version.
+	goVersion = consts.Unknown
+	// compiler is the used golang compiler.
+	compiler = consts.Unknown
+	// platform is the used os/arch identifier.
+	platform = consts.Unknown
+
+	once sync.Once
+	info = Info{}
+)
+
+type Info struct {
+	GitVersion   string `json:"gitVersion"`
+	GitCommit    string `json:"gitCommit"`
+	GitTreeState string `json:"gitTreeState"`
+	BuildDate    string `json:"buildDate"`
+	GoVersion    string `json:"goVersion"`
+	Compiler     string `json:"compiler"`
+	Platform     string `json:"platform"`
+
+	ASCIIName   string `json:"-"`
+	FontName    string `json:"-"`
+	Name        string `json:"-"`
+	Description string `json:"-"`
+}
+
+func getBuildInfo() *debug.BuildInfo {
+	bi, ok := debug.ReadBuildInfo()
+	if !ok {
+		return nil
+	}
+	return bi
+}
+
+func getGitVersion(bi *debug.BuildInfo) string {
+	if bi == nil {
+		return consts.Unknown
+	}
+
+	// TODO: remove this when the issue https://github.com/golang/go/issues/29228 is fixed
+	if bi.Main.Version == "(devel)" || bi.Main.Version == "" {
+		return gitVersion
+	}
+
+	return bi.Main.Version
+}
+
+func getCommit(bi *debug.BuildInfo) string {
+	return getKey(bi, "vcs.revision")
+}
+
+func getDirty(bi *debug.BuildInfo) string {
+	modified := getKey(bi, "vcs.modified")
+	if modified == "true" {
+		return "dirty"
+	}
+	if modified == "false" {
+		return "clean"
+	}
+	return consts.Unknown
+}
+
+func getBuildDate(bi *debug.BuildInfo) string {
+	buildTime := getKey(bi, "vcs.time")
+	t, err := time.Parse("2006-01-02T15:04:05Z", buildTime)
+	if err != nil {
+		return consts.Unknown
+	}
+	return t.Format("2006-01-02T15:04:05")
+}
+
+func getKey(bi *debug.BuildInfo, key string) string {
+	if bi == nil {
+		return consts.Unknown
+	}
+	for _, iter := range bi.Settings {
+		if iter.Key == key {
+			return iter.Value
+		}
+	}
+	return consts.Unknown
+}
+
+// GetVersionInfo represents known information on how this binary was built.
+func GetVersionInfo() Info {
+	once.Do(func() {
+		buildInfo := getBuildInfo()
+		gitVersion = getGitVersion(buildInfo)
+		if gitCommit == consts.Unknown {
+			gitCommit = getCommit(buildInfo)
+		}
+
+		if gitTreeState == consts.Unknown {
+			gitTreeState = getDirty(buildInfo)
+		}
+
+		if buildDate == consts.Unknown {
+			buildDate = getBuildDate(buildInfo)
+		}
+
+		if goVersion == consts.Unknown {
+			goVersion = runtime.Version()
+		}
+
+		if compiler == consts.Unknown {
+			compiler = runtime.Compiler
+		}
+
+		if platform == consts.Unknown {
+			platform = fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH)
+		}
+
+		info = Info{
+			ASCIIName:    asciiName,
+			GitVersion:   gitVersion,
+			GitCommit:    gitCommit,
+			GitTreeState: gitTreeState,
+			BuildDate:    buildDate,
+			GoVersion:    goVersion,
+			Compiler:     compiler,
+			Platform:     platform,
+		}
+	})
+
+	return info
+}
+
+// String returns the string representation of the version info
+func (i *Info) String() string {
+	b := strings.Builder{}
+	w := tabwriter.NewWriter(&b, 0, 0, 2, ' ', 0)
+
+	// name and description are optional.
+	if i.Name != "" {
+		if i.ASCIIName == "true" {
+			f := figure.NewFigure(strings.ToUpper(i.Name), i.FontName, true)
+			_, _ = fmt.Fprint(w, f.String())
+		}
+		_, _ = fmt.Fprint(w, i.Name)
+		if i.Description != "" {
+			_, _ = fmt.Fprintf(w, ": %s", i.Description)
+		}
+		_, _ = fmt.Fprint(w, "\n\n")
+	}
+
+	_, _ = fmt.Fprintf(w, "GitVersion:\t%s\n", i.GitVersion)
+	_, _ = fmt.Fprintf(w, "GitCommit:\t%s\n", i.GitCommit)
+	_, _ = fmt.Fprintf(w, "GitTreeState:\t%s\n", i.GitTreeState)
+	_, _ = fmt.Fprintf(w, "BuildDate:\t%s\n", i.BuildDate)
+	_, _ = fmt.Fprintf(w, "GoVersion:\t%s\n", i.GoVersion)
+	_, _ = fmt.Fprintf(w, "Compiler:\t%s\n", i.Compiler)
+	_, _ = fmt.Fprintf(w, "Platform:\t%s\n", i.Platform)
+
+	_ = w.Flush()
+	return b.String()
+}
+
+// JSONString returns the JSON representation of the version info
+func (i *Info) JSONString() (string, error) {
+	b, err := json.MarshalIndent(i, "", "  ")
+	if err != nil {
+		return "", err
+	}
+
+	return string(b), nil
+}
+
+func (i *Info) CheckFontName(fontName string) bool {
+	assetNames := figure.AssetNames()
+
+	for _, font := range assetNames {
+		if strings.Contains(font, fontName) {
+			return true
+		}
+	}
+
+	fmt.Fprintln(os.Stderr, "font not valid, using default")
+	return false
+}
--- a/pkg/apis/hauler.cattle.io/convert/convert.go
+++ b/pkg/apis/hauler.cattle.io/convert/convert.go
@@ -0,0 +1,121 @@
+package v1alpha1
+
+import (
+	"fmt"
+
+	v1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
+	v1alpha1 "hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
+)
+
+// converts v1alpha1.Files -> v1.Files
+func ConvertFiles(in *v1alpha1.Files, out *v1.Files) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.Files = make([]v1.File, len(in.Spec.Files))
+	for i := range in.Spec.Files {
+		out.Spec.Files[i].Name = in.Spec.Files[i].Name
+		out.Spec.Files[i].Path = in.Spec.Files[i].Path
+	}
+	return nil
+}
+
+// converts v1alpha1.Images -> v1.Images
+func ConvertImages(in *v1alpha1.Images, out *v1.Images) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.Images = make([]v1.Image, len(in.Spec.Images))
+	for i := range in.Spec.Images {
+		out.Spec.Images[i].Name = in.Spec.Images[i].Name
+		out.Spec.Images[i].Platform = in.Spec.Images[i].Platform
+		out.Spec.Images[i].Key = in.Spec.Images[i].Key
+	}
+	return nil
+}
+
+// converts v1alpha1.Charts -> v1.Charts
+func ConvertCharts(in *v1alpha1.Charts, out *v1.Charts) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.Charts = make([]v1.Chart, len(in.Spec.Charts))
+	for i := range in.Spec.Charts {
+		out.Spec.Charts[i].Name = in.Spec.Charts[i].Name
+		out.Spec.Charts[i].RepoURL = in.Spec.Charts[i].RepoURL
+		out.Spec.Charts[i].Version = in.Spec.Charts[i].Version
+	}
+	return nil
+}
+
+// converts v1alpha1.ThickCharts -> v1.ThickCharts
+func ConvertThickCharts(in *v1alpha1.ThickCharts, out *v1.ThickCharts) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.Charts = make([]v1.ThickChart, len(in.Spec.Charts))
+	for i := range in.Spec.Charts {
+		out.Spec.Charts[i].Chart.Name = in.Spec.Charts[i].Chart.Name
+		out.Spec.Charts[i].Chart.RepoURL = in.Spec.Charts[i].Chart.RepoURL
+		out.Spec.Charts[i].Chart.Version = in.Spec.Charts[i].Chart.Version
+	}
+	return nil
+}
+
+// converts v1alpha1.ImageTxts -> v1.ImageTxts
+func ConvertImageTxts(in *v1alpha1.ImageTxts, out *v1.ImageTxts) error {
+	out.TypeMeta = in.TypeMeta
+	out.ObjectMeta = in.ObjectMeta
+	out.Spec.ImageTxts = make([]v1.ImageTxt, len(in.Spec.ImageTxts))
+	for i := range in.Spec.ImageTxts {
+		out.Spec.ImageTxts[i].Ref = in.Spec.ImageTxts[i].Ref
+		out.Spec.ImageTxts[i].Sources.Include = append(
+			out.Spec.ImageTxts[i].Sources.Include,
+			in.Spec.ImageTxts[i].Sources.Include...,
+		)
+		out.Spec.ImageTxts[i].Sources.Exclude = append(
+			out.Spec.ImageTxts[i].Sources.Exclude,
+			in.Spec.ImageTxts[i].Sources.Exclude...,
+		)
+	}
+	return nil
+}
+
+// convert v1alpha1 object to v1 object
+func ConvertObject(in interface{}) (interface{}, error) {
+	switch src := in.(type) {
+
+	case *v1alpha1.Files:
+		dst := &v1.Files{}
+		if err := ConvertFiles(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+
+	case *v1alpha1.Images:
+		dst := &v1.Images{}
+		if err := ConvertImages(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+
+	case *v1alpha1.Charts:
+		dst := &v1.Charts{}
+		if err := ConvertCharts(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+
+	case *v1alpha1.ThickCharts:
+		dst := &v1.ThickCharts{}
+		if err := ConvertThickCharts(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+
+	case *v1alpha1.ImageTxts:
+		dst := &v1.ImageTxts{}
+		if err := ConvertImageTxts(src, dst); err != nil {
+			return nil, err
+		}
+		return dst, nil
+	}
+
+	return nil, fmt.Errorf("unsupported object type [%T]", in)
+}
--- a/pkg/apis/hauler.cattle.io/v1/chart.go
+++ b/pkg/apis/hauler.cattle.io/v1/chart.go
@@ -0,0 +1,46 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Charts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ChartSpec `json:"spec,omitempty"`
+}
+
+type ChartSpec struct {
+	Charts []Chart `json:"charts,omitempty"`
+}
+
+type Chart struct {
+	Name    string `json:"name,omitempty"`
+	RepoURL string `json:"repoURL,omitempty"`
+	Version string `json:"version,omitempty"`
+	Rewrite string `json:"rewrite,omitempty"`
+
+	AddImages       bool `json:"add-images,omitempty"`
+	AddDependencies bool `json:"add-dependencies,omitempty"`
+}
+
+type ThickCharts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ThickChartSpec `json:"spec,omitempty"`
+}
+
+type ThickChartSpec struct {
+	Charts []ThickChart `json:"charts,omitempty"`
+}
+
+type ThickChart struct {
+	Chart       `json:",inline,omitempty"`
+	ExtraImages []ChartImage `json:"extraImages,omitempty"`
+}
+
+type ChartImage struct {
+	Reference string `json:"ref"`
+}
--- a/pkg/apis/hauler.cattle.io/v1/driver.go
+++ b/pkg/apis/hauler.cattle.io/v1/driver.go
@@ -0,0 +1,17 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Driver struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec DriverSpec `json:"spec"`
+}
+
+type DriverSpec struct {
+	Type    string `json:"type"`
+	Version string `json:"version"`
+}
--- a/pkg/apis/hauler.cattle.io/v1/file.go
+++ b/pkg/apis/hauler.cattle.io/v1/file.go
@@ -0,0 +1,25 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Files struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec FileSpec `json:"spec,omitempty"`
+}
+
+type FileSpec struct {
+	Files []File `json:"files,omitempty"`
+}
+
+type File struct {
+	// Path is the path to the file contents, can be a local or remote path
+	Path string `json:"path"`
+
+	// Name is an optional field specifying the name of the file when specified,
+	// 	it will override any dynamic name discovery from Path
+	Name string `json:"name,omitempty"`
+}
--- a/pkg/apis/hauler.cattle.io/v1/groupversion_info.go
+++ b/pkg/apis/hauler.cattle.io/v1/groupversion_info.go
@@ -0,0 +1,12 @@
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+var (
+	ContentGroupVersion    = schema.GroupVersion{Group: consts.ContentGroup, Version: "v1"}
+	CollectionGroupVersion = schema.GroupVersion{Group: consts.CollectionGroup, Version: "v1"}
+)
--- a/pkg/apis/hauler.cattle.io/v1/image.go
+++ b/pkg/apis/hauler.cattle.io/v1/image.go
@@ -0,0 +1,41 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Images struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ImageSpec `json:"spec,omitempty"`
+}
+
+type ImageSpec struct {
+	Images []Image `json:"images,omitempty"`
+}
+
+type Image struct {
+	// Name is the full location for the image, can be referenced by tags or digests
+	Name string `json:"name"`
+
+	// Path is the path to the cosign public key used for verifying image signatures
+	//Key string `json:"key,omitempty"`
+	Key string `json:"key"`
+
+	// Path is the path to the cosign public key used for verifying image signatures
+	//Tlog string `json:"use-tlog-verify,omitempty"`
+	Tlog bool `json:"use-tlog-verify"`
+
+	// cosign keyless validation options
+	CertIdentity                 string `json:"certificate-identity"`
+	CertIdentityRegexp           string `json:"certificate-identity-regexp"`
+	CertOidcIssuer               string `json:"certificate-oidc-issuer"`
+	CertOidcIssuerRegexp         string `json:"certificate-oidc-issuer-regexp"`
+	CertGithubWorkflowRepository string `json:"certificate-github-workflow-repository"`
+
+	// Platform of the image to be pulled.  If not specified, all platforms will be pulled.
+	//Platform string `json:"key,omitempty"`
+	Platform string `json:"platform"`
+	Rewrite  string `json:"rewrite"`
+}
--- a/pkg/apis/hauler.cattle.io/v1/imagetxt.go
+++ b/pkg/apis/hauler.cattle.io/v1/imagetxt.go
@@ -0,0 +1,26 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type ImageTxts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ImageTxtsSpec `json:"spec,omitempty"`
+}
+
+type ImageTxtsSpec struct {
+	ImageTxts []ImageTxt `json:"imageTxts,omitempty"`
+}
+
+type ImageTxt struct {
+	Ref     string          `json:"ref,omitempty"`
+	Sources ImageTxtSources `json:"sources,omitempty"`
+}
+
+type ImageTxtSources struct {
+	Include []string `json:"include,omitempty"`
+	Exclude []string `json:"exclude,omitempty"`
+}
--- a/pkg/apis/hauler.cattle.io/v1alpha1/chart.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/chart.go
@@ -4,11 +4,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-const (
-	ChartsContentKind    = "Charts"
-	ChartsCollectionKind = "ThickCharts"
-)
-
 type Charts struct {
 	*metav1.TypeMeta  `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -21,24 +16,27 @@ type ChartSpec struct {
 }

 type Chart struct {
-	Name    string `json:"name"`
-	RepoURL string `json:"repoURL"`
-	Version string `json:"version"`
+	Name    string `json:"name,omitempty"`
+	RepoURL string `json:"repoURL,omitempty"`
+	Version string `json:"version,omitempty"`
 }

 type ThickCharts struct {
 	*metav1.TypeMeta  `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

-	Spec ChartSpec `json:"spec,omitempty"`
+	Spec ThickChartSpec `json:"spec,omitempty"`
 }

 type ThickChartSpec struct {
-	ThickCharts []ThickChart `json:"charts,omitempty"`
+	Charts []ThickChart `json:"charts,omitempty"`
 }

 type ThickChart struct {
-	Name    string `json:"name"`
-	RepoURL string `json:"repoURL"`
-	Version string `json:"version"`
+	Chart       `json:",inline,omitempty"`
+	ExtraImages []ChartImage `json:"extraImages,omitempty"`
+}
+
+type ChartImage struct {
+	Reference string `json:"ref"`
 }
--- a/pkg/apis/hauler.cattle.io/v1alpha1/driver.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/driver.go
@@ -4,10 +4,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-const (
-	DriverContentKind = "Driver"
-)
-
 type Driver struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
--- a/pkg/apis/hauler.cattle.io/v1alpha1/file.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/file.go
@@ -4,8 +4,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-const FilesContentKind = "Files"
-
 type Files struct {
 	*metav1.TypeMeta  `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -18,6 +16,10 @@ type FileSpec struct {
 }

 type File struct {
-	Ref  string `json:"ref"`
+	// Path is the path to the file contents, can be a local or remote path
+	Path string `json:"path"`
+
+	// Name is an optional field specifying the name of the file when specified,
+	// 	it will override any dynamic name discovery from Path
 	Name string `json:"name,omitempty"`
 }
--- a/pkg/apis/hauler.cattle.io/v1alpha1/groupversion_info.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/groupversion_info.go
@@ -2,18 +2,11 @@ package v1alpha1

 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"sigs.k8s.io/controller-runtime/pkg/scheme"
-)

-const (
-	Version         = "v1alpha1"
-	ContentGroup    = "content.hauler.cattle.io"
-	CollectionGroup = "collection.hauler.cattle.io"
+	"hauler.dev/go/hauler/pkg/consts"
 )

 var (
-	ContentGroupVersion = schema.GroupVersion{Group: ContentGroup, Version: Version}
-	SchemeBuilder       = &scheme.Builder{GroupVersion: ContentGroupVersion}
-
-	CollectionGroupVersion = schema.GroupVersion{Group: CollectionGroup, Version: Version}
+	ContentGroupVersion    = schema.GroupVersion{Group: consts.ContentGroup, Version: "v1alpha1"}
+	CollectionGroupVersion = schema.GroupVersion{Group: consts.CollectionGroup, Version: "v1alpha1"}
 )
--- a/pkg/apis/hauler.cattle.io/v1alpha1/image.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/image.go
@@ -4,8 +4,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-const ImagesContentKind = "Images"
-
 type Images struct {
 	*metav1.TypeMeta  `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -18,5 +16,26 @@ type ImageSpec struct {
 }

 type Image struct {
-	Ref string `json:"ref"`
+	// Name is the full location for the image, can be referenced by tags or digests
+	Name string `json:"name"`
+
+	// Path is the path to the cosign public key used for verifying image signatures
+	//Key string `json:"key,omitempty"`
+	Key string `json:"key"`
+
+	// Path is the path to the cosign public key used for verifying image signatures
+	//Tlog string `json:"use-tlog-verify,omitempty"`
+	Tlog bool `json:"use-tlog-verify"`
+
+	// cosign keyless validation options
+	CertIdentity                 string `json:"certificate-identity"`
+	CertIdentityRegexp           string `json:"certificate-identity-regexp"`
+	CertOidcIssuer               string `json:"certificate-oidc-issuer"`
+	CertOidcIssuerRegexp         string `json:"certificate-oidc-issuer-regexp"`
+	CertGithubWorkflowRepository string `json:"certificate-github-workflow-repository"`
+
+	// Platform of the image to be pulled.  If not specified, all platforms will be pulled.
+	//Platform string `json:"key,omitempty"`
+	Platform string `json:"platform"`
+	Rewrite  string `json:"rewrite"`
 }
--- a/pkg/apis/hauler.cattle.io/v1alpha1/imagetxt.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/imagetxt.go
@@ -0,0 +1,26 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type ImageTxts struct {
+	*metav1.TypeMeta  `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ImageTxtsSpec `json:"spec,omitempty"`
+}
+
+type ImageTxtsSpec struct {
+	ImageTxts []ImageTxt `json:"imageTxts,omitempty"`
+}
+
+type ImageTxt struct {
+	Ref     string          `json:"ref,omitempty"`
+	Sources ImageTxtSources `json:"sources,omitempty"`
+}
+
+type ImageTxtSources struct {
+	Include []string `json:"include,omitempty"`
+	Exclude []string `json:"exclude,omitempty"`
+}
--- a/pkg/apis/hauler.cattle.io/v1alpha1/k3s.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/k3s.go
@@ -1,17 +0,0 @@
-package v1alpha1
-
-import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-const K3sCollectionKind = "K3s"
-
-type K3s struct {
-	*metav1.TypeMeta  `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec K3sSpec `json:"spec,omitempty"`
-}
-
-type K3sSpec struct {
-	Version string `json:"version"`
-	Arch    string `json:"arch"`
-}
--- a/pkg/archives/archiver.go
+++ b/pkg/archives/archiver.go
@@ -0,0 +1,104 @@
+package archives
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/mholt/archives"
+	"hauler.dev/go/hauler/pkg/log"
+)
+
+// maps to handle compression types
+var CompressionMap = map[string]archives.Compression{
+	"gz":  archives.Gz{},
+	"bz2": archives.Bz2{},
+	"xz":  archives.Xz{},
+	"zst": archives.Zstd{},
+	"lz4": archives.Lz4{},
+	"br":  archives.Brotli{},
+}
+
+// maps to handle archival types
+var ArchivalMap = map[string]archives.Archival{
+	"tar": archives.Tar{},
+	"zip": archives.Zip{},
+}
+
+// check if a path exists
+func isExist(path string) bool {
+	_, statErr := os.Stat(path)
+	return !os.IsNotExist(statErr)
+}
+
+// archives the files in a directory
+// dir: the directory to Archive
+// outfile: the output file
+// compression: the compression to use (gzip, bzip2, etc.)
+// archival: the archival to use (tar, zip, etc.)
+func Archive(ctx context.Context, dir, outfile string, compression archives.Compression, archival archives.Archival) error {
+	l := log.FromContext(ctx)
+	l.Debugf("starting the archival process for [%s]", dir)
+
+	// remove outfile
+	l.Debugf("removing existing output file: [%s]", outfile)
+	if err := os.RemoveAll(outfile); err != nil {
+		errMsg := fmt.Errorf("failed to remove existing output file [%s]: %w", outfile, err)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+
+	if !isExist(dir) {
+		errMsg := fmt.Errorf("directory [%s] does not exist, cannot proceed with archival", dir)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+
+	// map files on disk to their paths in the archive
+	l.Debugf("mapping files in directory [%s]", dir)
+	archiveDirName := filepath.Base(filepath.Clean(dir))
+	if dir == "." {
+		archiveDirName = ""
+	}
+	files, err := archives.FilesFromDisk(context.Background(), nil, map[string]string{
+		dir: archiveDirName,
+	})
+	if err != nil {
+		errMsg := fmt.Errorf("error mapping files from directory [%s]: %w", dir, err)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+	l.Debugf("successfully mapped files for directory [%s]", dir)
+
+	// create the output file we'll write to
+	l.Debugf("creating output file [%s]", outfile)
+	outf, err := os.Create(outfile)
+	if err != nil {
+		errMsg := fmt.Errorf("error creating output file [%s]: %w", outfile, err)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+	defer func() {
+		l.Debugf("closing output file [%s]", outfile)
+		outf.Close()
+	}()
+
+	// define the archive format
+	l.Debugf("defining the archive format: [%T]/[%T]", archival, compression)
+	format := archives.CompressedArchive{
+		Compression: compression,
+		Archival:    archival,
+	}
+
+	// create the archive
+	l.Debugf("starting archive for [%s]", outfile)
+	err = format.Archive(context.Background(), outf, files)
+	if err != nil {
+		errMsg := fmt.Errorf("error during archive creation for output file [%s]: %w", outfile, err)
+		l.Debugf(errMsg.Error())
+		return errMsg
+	}
+	l.Debugf("archive created successfully [%s]", outfile)
+	return nil
+}
--- a/pkg/archives/unarchiver.go
+++ b/pkg/archives/unarchiver.go
@@ -0,0 +1,158 @@
+package archives
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/mholt/archives"
+	"hauler.dev/go/hauler/pkg/log"
+)
+
+const (
+	dirPermissions  = 0o700 // default directory permissions
+	filePermissions = 0o600 // default file permissions
+)
+
+// ensures the path is safely relative to the target directory
+func securePath(basePath, relativePath string) (string, error) {
+	relativePath = filepath.Clean("/" + relativePath)
+	relativePath = strings.TrimPrefix(relativePath, string(os.PathSeparator))
+
+	dstPath := filepath.Join(basePath, relativePath)
+
+	if !strings.HasPrefix(filepath.Clean(dstPath)+string(os.PathSeparator), filepath.Clean(basePath)+string(os.PathSeparator)) {
+		return "", fmt.Errorf("illegal file path: %s", dstPath)
+	}
+	return dstPath, nil
+}
+
+// creates a directory with specified permissions
+func createDirWithPermissions(ctx context.Context, path string, mode os.FileMode) error {
+	l := log.FromContext(ctx)
+	l.Debugf("creating directory [%s]", path)
+	if err := os.MkdirAll(path, mode); err != nil {
+		return fmt.Errorf("failed to mkdir: %w", err)
+	}
+	return nil
+}
+
+// sets permissions to a file or directory
+func setPermissions(path string, mode os.FileMode) error {
+	if err := os.Chmod(path, mode); err != nil {
+		return fmt.Errorf("failed to chmod: %w", err)
+	}
+	return nil
+}
+
+// handles the extraction of a file from the archive.
+func handleFile(ctx context.Context, f archives.FileInfo, dst string) error {
+	l := log.FromContext(ctx)
+	l.Debugf("handling file [%s]", f.NameInArchive)
+
+	// validate and construct the destination path
+	dstPath, pathErr := securePath(dst, f.NameInArchive)
+	if pathErr != nil {
+		return pathErr
+	}
+
+	// ensure the parent directory exists
+	parentDir := filepath.Dir(dstPath)
+	if dirErr := createDirWithPermissions(ctx, parentDir, dirPermissions); dirErr != nil {
+		return dirErr
+	}
+
+	// handle directories
+	if f.IsDir() {
+		// create the directory with permissions from the archive
+		if dirErr := createDirWithPermissions(ctx, dstPath, f.Mode()); dirErr != nil {
+			return fmt.Errorf("failed to create directory: %w", dirErr)
+		}
+		l.Debugf("successfully created directory [%s]", dstPath)
+		return nil
+	}
+
+	// ignore symlinks (or hardlinks)
+	if f.LinkTarget != "" {
+		l.Debugf("skipping symlink [%s] to [%s]", dstPath, f.LinkTarget)
+		return nil
+	}
+
+	// check and handle parent directory permissions
+	originalMode, statErr := os.Stat(parentDir)
+	if statErr != nil {
+		return fmt.Errorf("failed to stat parent directory: %w", statErr)
+	}
+
+	// if parent directory is read only, temporarily make it writable
+	if originalMode.Mode().Perm()&0o200 == 0 {
+		l.Debugf("parent directory is read only... temporarily making it writable [%s]", parentDir)
+		if chmodErr := os.Chmod(parentDir, originalMode.Mode()|0o200); chmodErr != nil {
+			return fmt.Errorf("failed to chmod parent directory: %w", chmodErr)
+		}
+		defer func() {
+			// restore the original permissions after writing
+			if chmodErr := os.Chmod(parentDir, originalMode.Mode()); chmodErr != nil {
+				l.Debugf("failed to restore original permissions for [%s]: %v", parentDir, chmodErr)
+			}
+		}()
+	}
+
+	// handle regular files
+	reader, openErr := f.Open()
+	if openErr != nil {
+		return fmt.Errorf("failed to open file: %w", openErr)
+	}
+	defer reader.Close()
+
+	dstFile, createErr := os.OpenFile(dstPath, os.O_CREATE|os.O_WRONLY, f.Mode())
+	if createErr != nil {
+		return fmt.Errorf("failed to create file: %w", createErr)
+	}
+	defer dstFile.Close()
+
+	if _, copyErr := io.Copy(dstFile, reader); copyErr != nil {
+		return fmt.Errorf("failed to copy: %w", copyErr)
+	}
+	l.Debugf("successfully extracted file [%s]", dstPath)
+	return nil
+}
+
+// unarchives a tarball to a directory, symlinks, and hardlinks are ignored
+func Unarchive(ctx context.Context, tarball, dst string) error {
+	l := log.FromContext(ctx)
+	l.Debugf("unarchiving temporary archive [%s] to temporary store [%s]", tarball, dst)
+	archiveFile, openErr := os.Open(tarball)
+	if openErr != nil {
+		return fmt.Errorf("failed to open tarball %s: %w", tarball, openErr)
+	}
+	defer archiveFile.Close()
+
+	format, input, identifyErr := archives.Identify(context.Background(), tarball, archiveFile)
+	if identifyErr != nil {
+		return fmt.Errorf("failed to identify format: %w", identifyErr)
+	}
+
+	extractor, ok := format.(archives.Extractor)
+	if !ok {
+		return fmt.Errorf("unsupported format for extraction")
+	}
+
+	if dirErr := createDirWithPermissions(ctx, dst, dirPermissions); dirErr != nil {
+		return fmt.Errorf("failed to create destination directory: %w", dirErr)
+	}
+
+	handler := func(ctx context.Context, f archives.FileInfo) error {
+		return handleFile(ctx, f, dst)
+	}
+
+	if extractErr := extractor.Extract(context.Background(), input, handler); extractErr != nil {
+		return fmt.Errorf("failed to extract: %w", extractErr)
+	}
+
+	l.Infof("unarchiving completed successfully")
+	return nil
+}
--- a/pkg/artifact/config.go
+++ b/pkg/artifact/config.go
@@ -1,10 +0,0 @@
-package artifact
-
-import v1 "github.com/google/go-containerregistry/pkg/v1"
-
-type Config interface {
-	// Raw returns the config bytes
-	Raw() ([]byte, error)
-
-	Descriptor() (v1.Descriptor, error)
-}
--- a/pkg/artifact/oci.go
+++ b/pkg/artifact/oci.go
@@ -1,24 +0,0 @@
-package artifact
-
-import (
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/google/go-containerregistry/pkg/v1"
-)
-
-// OCI is the bare minimum we need to represent an artifact in an oci layout
-//  At a high level, it is not constrained by an Image's config, manifests, and layer ordinality
-//  This specific implementation fully encapsulates v1.Layer's within a more generic form
-type OCI interface {
-	MediaType() string
-
-	Manifest() (*v1.Manifest, error)
-
-	RawConfig() ([]byte, error)
-
-	Layers() ([]v1.Layer, error)
-}
-
-type Collection interface {
-	// Contents returns the list of contents in the collection
-	Contents() (map[name.Reference]OCI, error)
-}
--- a/pkg/artifact/types/types.go
+++ b/pkg/artifact/types/types.go
@@ -1,37 +0,0 @@
-package types
-
-const (
-	OCIManifestSchema1    = "application/vnd.oci.image.manifest.v1+json"
-	DockerManifestSchema2 = "application/vnd.docker.distribution.manifest.v2+json"
-
-	DockerConfigJSON = "application/vnd.docker.container.image.v1+json"
-
-	// ChartConfigMediaType is the reserved media type for the Helm chart manifest config
-	ChartConfigMediaType = "application/vnd.cncf.helm.config.v1+json"
-
-	// ChartLayerMediaType is the reserved media type for Helm chart package content
-	ChartLayerMediaType = "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
-
-	// ProvLayerMediaType is the reserved media type for Helm chart provenance files
-	ProvLayerMediaType = "application/vnd.cncf.helm.chart.provenance.v1.prov"
-
-	// FileLayerMediaType is the reserved media type for File content layers
-	FileLayerMediaType = "application/vnd.content.hauler.file.layer.v1"
-
-	// FileConfigMediaType is the reserved media type for File config
-	FileConfigMediaType = "application/vnd.content.hauler.file.config.v1+json"
-
-	// WasmArtifactLayerMediaType is the reserved media type for WASM artifact layers
-	WasmArtifactLayerMediaType = "application/vnd.wasm.content.layer.v1+wasm"
-
-	// WasmConfigMediaType is the reserved media type for WASM configs
-	WasmConfigMediaType = "application/vnd.wasm.config.v1+json"
-
-	UnknownManifest = "application/vnd.hauler.cattle.io.unknown.v1+json"
-	UnknownLayer    = "application/vnd.content.hauler.unknown.layer"
-
-	OCIVendorPrefix    = "vnd.oci"
-	DockerVendorPrefix = "vnd.docker"
-	HaulerVendorPrefix = "vnd.hauler"
-	OCIImageIndexFile  = "index.json"
-)
--- a/pkg/artifacts/config.go
+++ b/pkg/artifacts/config.go
@@ -0,0 +1,92 @@
+package artifacts
+
+import (
+	"bytes"
+	"encoding/json"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/partial"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+var _ partial.Describable = (*marshallableConfig)(nil)
+
+type Config interface {
+	// Raw returns the config bytes
+	Raw() ([]byte, error)
+
+	Digest() (v1.Hash, error)
+
+	MediaType() (types.MediaType, error)
+
+	Size() (int64, error)
+}
+
+type Marshallable interface{}
+
+type ConfigOption func(*marshallableConfig)
+
+// ToConfig takes anything that is marshallabe and converts it into a Config
+func ToConfig(i Marshallable, opts ...ConfigOption) Config {
+	mc := &marshallableConfig{Marshallable: i}
+	for _, o := range opts {
+		o(mc)
+	}
+	return mc
+}
+
+func WithConfigMediaType(mediaType string) ConfigOption {
+	return func(config *marshallableConfig) {
+		config.mediaType = mediaType
+	}
+}
+
+// marshallableConfig implements Config using helper methods
+type marshallableConfig struct {
+	Marshallable
+
+	mediaType string
+}
+
+func (c *marshallableConfig) MediaType() (types.MediaType, error) {
+	mt := c.mediaType
+	if mt == "" {
+		mt = consts.UnknownManifest
+	}
+	return types.MediaType(mt), nil
+}
+
+func (c *marshallableConfig) Raw() ([]byte, error) {
+	return json.Marshal(c.Marshallable)
+}
+
+func (c *marshallableConfig) Digest() (v1.Hash, error) {
+	return Digest(c)
+}
+
+func (c *marshallableConfig) Size() (int64, error) {
+	return Size(c)
+}
+
+type WithRawConfig interface {
+	Raw() ([]byte, error)
+}
+
+func Digest(c WithRawConfig) (v1.Hash, error) {
+	b, err := c.Raw()
+	if err != nil {
+		return v1.Hash{}, err
+	}
+	digest, _, err := v1.SHA256(bytes.NewReader(b))
+	return digest, err
+}
+
+func Size(c WithRawConfig) (int64, error) {
+	b, err := c.Raw()
+	if err != nil {
+		return -1, err
+	}
+	return int64(len(b)), nil
+}
--- a/pkg/artifacts/file/file.go
+++ b/pkg/artifacts/file/file.go
@@ -0,0 +1,116 @@
+package file
+
+import (
+	"context"
+
+	gv1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/partial"
+	gtypes "github.com/google/go-containerregistry/pkg/v1/types"
+
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/getter"
+)
+
+// interface guard
+var _ artifacts.OCI = (*File)(nil)
+
+// File implements the OCI interface for File API objects. API spec information is
+// stored into the Path field.
+type File struct {
+	Path string
+
+	computed    bool
+	client      *getter.Client
+	config      artifacts.Config
+	blob        gv1.Layer
+	manifest    *gv1.Manifest
+	annotations map[string]string
+}
+
+func NewFile(path string, opts ...Option) *File {
+	client := getter.NewClient(getter.ClientOptions{})
+
+	f := &File{
+		client: client,
+		Path:   path,
+	}
+
+	for _, opt := range opts {
+		opt(f)
+	}
+	return f
+}
+
+// Name is the name of the file's reference
+func (f *File) Name(path string) string {
+	return f.client.Name(path)
+}
+
+func (f *File) MediaType() string {
+	return consts.OCIManifestSchema1
+}
+
+func (f *File) RawConfig() ([]byte, error) {
+	if err := f.compute(); err != nil {
+		return nil, err
+	}
+	return f.config.Raw()
+}
+
+func (f *File) Layers() ([]gv1.Layer, error) {
+	if err := f.compute(); err != nil {
+		return nil, err
+	}
+	var layers []gv1.Layer
+	layers = append(layers, f.blob)
+	return layers, nil
+}
+
+func (f *File) Manifest() (*gv1.Manifest, error) {
+	if err := f.compute(); err != nil {
+		return nil, err
+	}
+	return f.manifest, nil
+}
+
+func (f *File) compute() error {
+	if f.computed {
+		return nil
+	}
+
+	ctx := context.TODO()
+	blob, err := f.client.LayerFrom(ctx, f.Path)
+	if err != nil {
+		return err
+	}
+
+	layer, err := partial.Descriptor(blob)
+	if err != nil {
+		return err
+	}
+
+	cfg := f.client.Config(f.Path)
+	if cfg == nil {
+		cfg = f.client.Config(f.Path)
+	}
+
+	cfgDesc, err := partial.Descriptor(cfg)
+	if err != nil {
+		return err
+	}
+
+	m := &gv1.Manifest{
+		SchemaVersion: 2,
+		MediaType:     gtypes.MediaType(f.MediaType()),
+		Config:        *cfgDesc,
+		Layers:        []gv1.Descriptor{*layer},
+		Annotations:   f.annotations,
+	}
+
+	f.manifest = m
+	f.config = cfg
+	f.blob = blob
+	f.computed = true
+	return nil
+}
--- a/pkg/artifacts/file/file_test.go
+++ b/pkg/artifacts/file/file_test.go
@@ -0,0 +1,166 @@
+package file_test
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/spf13/afero"
+
+	"hauler.dev/go/hauler/pkg/artifacts/file"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/getter"
+)
+
+var (
+	filename = "myfile.yaml"
+	data     = []byte(`data`)
+
+	ts  *httptest.Server
+	tfs afero.Fs
+	mc  *getter.Client
+)
+
+func TestMain(m *testing.M) {
+	teardown := setup()
+	defer teardown()
+	code := m.Run()
+	os.Exit(code)
+}
+
+func Test_file_Config(t *testing.T) {
+	tests := []struct {
+		name    string
+		ref     string
+		want    string
+		wantErr bool
+	}{
+		{
+			name:    "should properly type local file",
+			ref:     filename,
+			want:    consts.FileLocalConfigMediaType,
+			wantErr: false,
+		},
+		{
+			name:    "should properly type remote file",
+			ref:     ts.URL + "/" + filename,
+			want:    consts.FileHttpConfigMediaType,
+			wantErr: false,
+		},
+		// TODO: Add directory test
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			f := file.NewFile(tt.ref, file.WithClient(mc))
+
+			f.MediaType()
+
+			m, err := f.Manifest()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			got := string(m.Config.MediaType)
+			if got != tt.want {
+				t.Errorf("unxpected mediatype; got %s, want %s", got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_file_Layers(t *testing.T) {
+	tests := []struct {
+		name    string
+		ref     string
+		want    []byte
+		wantErr bool
+	}{
+		{
+			name:    "should load a local file and preserve contents",
+			ref:     filename,
+			want:    data,
+			wantErr: false,
+		},
+		{
+			name:    "should load a remote file and preserve contents",
+			ref:     ts.URL + "/" + filename,
+			want:    data,
+			wantErr: false,
+		},
+		// TODO: Add directory test
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(it *testing.T) {
+			f := file.NewFile(tt.ref, file.WithClient(mc))
+
+			layers, err := f.Layers()
+			if (err != nil) != tt.wantErr {
+				it.Fatalf("unexpected Layers() error: got %v, want %v", err, tt.wantErr)
+			}
+
+			rc, err := layers[0].Compressed()
+			if err != nil {
+				it.Fatal(err)
+			}
+
+			got, err := io.ReadAll(rc)
+			if err != nil {
+				it.Fatal(err)
+			}
+
+			if !bytes.Equal(got, tt.want) {
+				it.Fatalf("unexpected Layers(): got %v, want %v", layers, tt.want)
+			}
+		})
+	}
+}
+
+func setup() func() {
+	tfs = afero.NewMemMapFs()
+	afero.WriteFile(tfs, filename, data, 0644)
+
+	mf := &mockFile{File: getter.NewFile(), fs: tfs}
+
+	mockHttp := getter.NewHttp()
+	mhttp := afero.NewHttpFs(tfs)
+	fileserver := http.FileServer(mhttp.Dir("."))
+	http.Handle("/", fileserver)
+	ts = httptest.NewServer(fileserver)
+
+	mc = &getter.Client{
+		Options: getter.ClientOptions{},
+		Getters: map[string]getter.Getter{
+			"file": mf,
+			"http": mockHttp,
+		},
+	}
+
+	teardown := func() {
+		defer ts.Close()
+	}
+
+	return teardown
+}
+
+type mockFile struct {
+	*getter.File
+	fs afero.Fs
+}
+
+func (m mockFile) Open(ctx context.Context, u *url.URL) (io.ReadCloser, error) {
+	return m.fs.Open(filepath.Join(u.Host, u.Path))
+}
+
+func (m mockFile) Detect(u *url.URL) bool {
+	fi, err := m.fs.Stat(filepath.Join(u.Host, u.Path))
+	if err != nil {
+		return false
+	}
+	return !fi.IsDir()
+}
--- a/pkg/artifacts/file/options.go
+++ b/pkg/artifacts/file/options.go
@@ -0,0 +1,26 @@
+package file
+
+import (
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/getter"
+)
+
+type Option func(*File)
+
+func WithClient(c *getter.Client) Option {
+	return func(f *File) {
+		f.client = c
+	}
+}
+
+func WithConfig(obj interface{}, mediaType string) Option {
+	return func(f *File) {
+		f.config = artifacts.ToConfig(obj, artifacts.WithConfigMediaType(mediaType))
+	}
+}
+
+func WithAnnotations(m map[string]string) Option {
+	return func(f *File) {
+		f.annotations = m
+	}
+}
--- a/pkg/artifacts/image/image.go
+++ b/pkg/artifacts/image/image.go
@@ -0,0 +1,80 @@
+package image
+
+import (
+	"fmt"
+	"github.com/google/go-containerregistry/pkg/authn"
+	gname "github.com/google/go-containerregistry/pkg/name"
+	gv1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+
+	"hauler.dev/go/hauler/pkg/artifacts"
+)
+
+var _ artifacts.OCI = (*Image)(nil)
+
+func (i *Image) MediaType() string {
+	mt, err := i.Image.MediaType()
+	if err != nil {
+		return ""
+	}
+	return string(mt)
+}
+
+func (i *Image) RawConfig() ([]byte, error) {
+	return i.RawConfigFile()
+}
+
+// Image implements the OCI interface for Image API objects. API spec information
+// is stored into the Name field.
+type Image struct {
+	Name string
+	gv1.Image
+}
+
+func NewImage(name string, opts ...remote.Option) (*Image, error) {
+	r, err := gname.ParseReference(name)
+	if err != nil {
+		return nil, err
+	}
+
+	defaultOpts := []remote.Option{
+		remote.WithAuthFromKeychain(authn.DefaultKeychain),
+	}
+	opts = append(opts, defaultOpts...)
+
+	img, err := remote.Image(r, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Image{
+		Name:  name,
+		Image: img,
+	}, nil
+}
+
+func IsMultiArchImage(name string, opts ...remote.Option) (bool, error) {
+	ref, err := gname.ParseReference(name)
+	if err != nil {
+		return false, fmt.Errorf("parsing reference %q: %v", name, err)
+	}
+
+	defaultOpts := []remote.Option{
+		remote.WithAuthFromKeychain(authn.DefaultKeychain),
+	}
+	opts = append(opts, defaultOpts...)
+
+	desc, err := remote.Get(ref, opts...)
+	if err != nil {
+		return false, fmt.Errorf("getting image %q: %v", name, err)
+	}
+
+	_, err = desc.ImageIndex()
+	if err != nil {
+		// If the descriptor could not be converted to an image index, it's not a multi-arch image
+		return false, nil
+	}
+
+	// If the descriptor could be converted to an image index, it's a multi-arch image
+	return true, nil
+}
--- a/pkg/artifacts/image/image_test.go
+++ b/pkg/artifacts/image/image_test.go
@@ -0,0 +1 @@
+package image_test
--- a/pkg/artifacts/memory/memory.go
+++ b/pkg/artifacts/memory/memory.go
@@ -0,0 +1,78 @@
+package memory
+
+import (
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/partial"
+	"github.com/google/go-containerregistry/pkg/v1/static"
+	"github.com/google/go-containerregistry/pkg/v1/types"
+
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/consts"
+)
+
+var _ artifacts.OCI = (*Memory)(nil)
+
+// Memory implements the OCI interface for a generic set of bytes stored in memory.
+type Memory struct {
+	blob        v1.Layer
+	annotations map[string]string
+	config      artifacts.Config
+}
+
+type defaultConfig struct {
+	MediaType string `json:"mediaType,omitempty"`
+}
+
+func NewMemory(data []byte, mt string, opts ...Option) *Memory {
+	blob := static.NewLayer(data, types.MediaType(mt))
+
+	cfg := defaultConfig{MediaType: consts.MemoryConfigMediaType}
+	m := &Memory{
+		blob:   blob,
+		config: artifacts.ToConfig(cfg),
+	}
+
+	for _, opt := range opts {
+		opt(m)
+	}
+	return m
+}
+
+func (m *Memory) MediaType() string {
+	return consts.OCIManifestSchema1
+}
+
+func (m *Memory) Manifest() (*v1.Manifest, error) {
+	layer, err := partial.Descriptor(m.blob)
+	if err != nil {
+		return nil, err
+	}
+
+	cfgDesc, err := partial.Descriptor(m.config)
+	if err != nil {
+		return nil, err
+	}
+
+	manifest := &v1.Manifest{
+		SchemaVersion: 2,
+		MediaType:     types.MediaType(m.MediaType()),
+		Config:        *cfgDesc,
+		Layers:        []v1.Descriptor{*layer},
+		Annotations:   m.annotations,
+	}
+
+	return manifest, nil
+}
+
+func (m *Memory) RawConfig() ([]byte, error) {
+	if m.config == nil {
+		return []byte(`{}`), nil
+	}
+	return m.config.Raw()
+}
+
+func (m *Memory) Layers() ([]v1.Layer, error) {
+	var layers []v1.Layer
+	layers = append(layers, m.blob)
+	return layers, nil
+}
--- a/pkg/artifacts/memory/memory_test.go
+++ b/pkg/artifacts/memory/memory_test.go
@@ -0,0 +1,61 @@
+package memory_test
+
+import (
+	"math/rand"
+	"testing"
+
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/opencontainers/go-digest"
+
+	"hauler.dev/go/hauler/pkg/artifacts/memory"
+)
+
+func TestMemory_Layers(t *testing.T) {
+	tests := []struct {
+		name    string
+		want    *v1.Manifest
+		wantErr bool
+	}{
+		{
+			name:    "should preserve content",
+			want:    nil,
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			data, m := setup(t)
+
+			layers, err := m.Layers()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if len(layers) != 1 {
+				t.Fatalf("Expected 1 layer, got %d", len(layers))
+			}
+
+			h, err := layers[0].Digest()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			d := digest.FromBytes(data)
+
+			if d.String() != h.String() {
+				t.Fatalf("bytes do not match, got %s, expected %s", h.String(), d.String())
+			}
+		})
+	}
+}
+
+func setup(t *testing.T) ([]byte, *memory.Memory) {
+	block := make([]byte, 2048)
+	_, err := rand.Read(block)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mem := memory.NewMemory(block, "random")
+	return block, mem
+}
--- a/pkg/artifacts/memory/options.go
+++ b/pkg/artifacts/memory/options.go
@@ -0,0 +1,17 @@
+package memory
+
+import "hauler.dev/go/hauler/pkg/artifacts"
+
+type Option func(*Memory)
+
+func WithConfig(obj interface{}, mediaType string) Option {
+	return func(m *Memory) {
+		m.config = artifacts.ToConfig(obj, artifacts.WithConfigMediaType(mediaType))
+	}
+}
+
+func WithAnnotations(annotations map[string]string) Option {
+	return func(m *Memory) {
+		m.annotations = annotations
+	}
+}
--- a/pkg/artifacts/ocis.go
+++ b/pkg/artifacts/ocis.go
@@ -0,0 +1,22 @@
+package artifacts
+
+import "github.com/google/go-containerregistry/pkg/v1"
+
+// OCI is the bare minimum we need to represent an artifact in an oci layout
+//
+//	At a high level, it is not constrained by an Image's config, manifests, and layer ordinality
+//	This specific implementation fully encapsulates v1.Layer's within a more generic form
+type OCI interface {
+	MediaType() string
+
+	Manifest() (*v1.Manifest, error)
+
+	RawConfig() ([]byte, error)
+
+	Layers() ([]v1.Layer, error)
+}
+
+type OCICollection interface {
+	// Contents returns the list of contents in the collection
+	Contents() (map[string]OCI, error)
+}
--- a/pkg/cache/doc.go
+++ b/pkg/cache/doc.go
@@ -1,5 +0,0 @@
-package cache
-
-/*
-This package is _heavily_ influenced by go-containerregistry and it's cache implementation: https://github.com/google/go-containerregistry/tree/main/pkg/v1/cache
-*/
--- a/pkg/collection/chart/chart.go
+++ b/pkg/collection/chart/chart.go
@@ -1,36 +1,40 @@
 package chart

 import (
-	gname "github.com/google/go-containerregistry/pkg/name"
+	"helm.sh/helm/v3/pkg/action"

-	"github.com/rancherfederal/hauler/pkg/artifact"
-	"github.com/rancherfederal/hauler/pkg/content/chart"
-	"github.com/rancherfederal/hauler/pkg/content/image"
+	"hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/artifacts/image"
+	"hauler.dev/go/hauler/pkg/content/chart"
+	"hauler.dev/go/hauler/pkg/reference"
 )

-var _ artifact.Collection = (*tchart)(nil)
+var _ artifacts.OCICollection = (*tchart)(nil)

 // tchart is a thick chart that includes all the dependent images as well as the chart itself
 type tchart struct {
-	chart *chart.Chart
+	chart  *chart.Chart
+	config v1.ThickChart

 	computed bool
-	contents map[gname.Reference]artifact.OCI
+	contents map[string]artifacts.OCI
 }

-func NewChart(name, repo, version string) (artifact.Collection, error) {
-	o, err := chart.NewChart(name, repo, version)
+func NewThickChart(cfg v1.ThickChart, opts *action.ChartPathOptions) (artifacts.OCICollection, error) {
+	o, err := chart.NewChart(cfg.Chart.Name, opts)
 	if err != nil {
 		return nil, err
 	}

 	return &tchart{
 		chart:    o,
-		contents: make(map[gname.Reference]artifact.OCI),
+		config:   cfg,
+		contents: make(map[string]artifacts.OCI),
 	}, nil
 }

-func (c *tchart) Contents() (map[gname.Reference]artifact.OCI, error) {
+func (c *tchart) Contents() (map[string]artifacts.OCI, error) {
 	if err := c.compute(); err != nil {
 		return nil, err
 	}
@@ -45,11 +49,31 @@ func (c *tchart) compute() error {
 	if err := c.dependentImages(); err != nil {
 		return err
 	}
+	if err := c.chartContents(); err != nil {
+		return err
+	}
+	if err := c.extraImages(); err != nil {
+		return err
+	}

 	c.computed = true
 	return nil
 }

+func (c *tchart) chartContents() error {
+	ch, err := c.chart.Load()
+	if err != nil {
+		return err
+	}
+
+	ref, err := reference.NewTagged(ch.Name(), ch.Metadata.Version)
+	if err != nil {
+		return err
+	}
+	c.contents[ref.Name()] = c.chart
+	return nil
+}
+
 func (c *tchart) dependentImages() error {
 	ch, err := c.chart.Load()
 	if err != nil {
@@ -62,17 +86,22 @@ func (c *tchart) dependentImages() error {
 	}

 	for _, img := range imgs.Spec.Images {
-		ref, err := gname.ParseReference(img.Ref)
+		i, err := image.NewImage(img.Name)
 		if err != nil {
 			return err
 		}
-
-		i, err := image.NewImage(img.Ref)
-		if err != nil {
-			return err
-		}
-		c.contents[ref] = i
+		c.contents[img.Name] = i
+	}
+	return nil
+}
+
+func (c *tchart) extraImages() error {
+	for _, img := range c.config.ExtraImages {
+		i, err := image.NewImage(img.Reference)
+		if err != nil {
+			return err
+		}
+		c.contents[img.Reference] = i
 	}
-
 	return nil
 }
--- a/pkg/collection/chart/dependents.go
+++ b/pkg/collection/chart/dependents.go
@@ -1,23 +1,21 @@
 package chart

 import (
+	"bufio"
 	"bytes"
-	"encoding/json"
 	"io"
 	"strings"

-	"github.com/rancher/wrangler/pkg/yaml"
 	"helm.sh/helm/v3/pkg/action"
 	helmchart "helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chartutil"
 	"helm.sh/helm/v3/pkg/kube/fake"
 	"helm.sh/helm/v3/pkg/storage"
 	"helm.sh/helm/v3/pkg/storage/driver"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/util/jsonpath"

-	"github.com/rancherfederal/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
+	"hauler.dev/go/hauler/pkg/apis/hauler.cattle.io/v1"
 )

 var defaultKnownImagePaths = []string{
@@ -31,51 +29,38 @@ var defaultKnownImagePaths = []string{
 }

 // ImagesInChart will render a chart and identify all dependent images from it
-func ImagesInChart(c *helmchart.Chart) (v1alpha1.Images, error) {
-	objs, err := template(c)
+func ImagesInChart(c *helmchart.Chart) (v1.Images, error) {
+	docs, err := template(c)
 	if err != nil {
-		return v1alpha1.Images{}, err
+		return v1.Images{}, err
 	}

-	var imageRefs []string
-	for _, o := range objs {
-		d, err := o.(*unstructured.Unstructured).MarshalJSON()
+	var images []v1.Image
+	reader := yaml.NewYAMLReader(bufio.NewReader(strings.NewReader(docs)))
+	for {
+		raw, err := reader.Read()
+		if err == io.EOF {
+			break
+		}
 		if err != nil {
-			// TODO: Should we actually capture these errors?
-			continue
+			return v1.Images{}, err
 		}

-		var obj interface{}
-		if err := json.Unmarshal(d, &obj); err != nil {
-			continue
-		}
-
-		j := jsonpath.New("")
-		j.AllowMissingKeys(true)
-
-		for _, p := range defaultKnownImagePaths {
-			r, err := parseJSONPath(obj, j, p)
-			if err != nil {
-				continue
-			}
-
-			imageRefs = append(imageRefs, r...)
+		found := find(raw, defaultKnownImagePaths...)
+		for _, f := range found {
+			images = append(images, v1.Image{Name: f})
 		}
 	}

-	ims := v1alpha1.Images{
-		Spec: v1alpha1.ImageSpec{
-			Images: []v1alpha1.Image{},
+	ims := v1.Images{
+		Spec: v1.ImageSpec{
+			Images: images,
 		},
 	}
-
-	for _, ref := range imageRefs {
-		ims.Spec.Images = append(ims.Spec.Images, v1alpha1.Image{Ref: ref})
-	}
 	return ims, nil
 }

-func template(c *helmchart.Chart) ([]runtime.Object, error) {
+func template(c *helmchart.Chart) (string, error) {
 	s := storage.Init(driver.NewMemory())

 	templateCfg := &action.Configuration{
@@ -99,10 +84,33 @@ func template(c *helmchart.Chart) ([]runtime.Object, error) {

 	release, err := client.Run(c, vals)
 	if err != nil {
-		return nil, err
+		return "", err
 	}

-	return yaml.ToObjects(bytes.NewBufferString(release.Manifest))
+	return release.Manifest, nil
+}
+
+func find(data []byte, paths ...string) []string {
+	var (
+		pathMatches []string
+		obj         interface{}
+	)
+
+	if err := yaml.Unmarshal(data, &obj); err != nil {
+		return nil
+	}
+	j := jsonpath.New("")
+	j.AllowMissingKeys(true)
+
+	for _, p := range paths {
+		r, err := parseJSONPath(obj, j, p)
+		if err != nil {
+			continue
+		}
+
+		pathMatches = append(pathMatches, r...)
+	}
+	return pathMatches
 }

 func parseJSONPath(data interface{}, parser *jsonpath.JSONPath, template string) ([]string, error) {
--- a/pkg/collection/imagetxt/imagetxt.go
+++ b/pkg/collection/imagetxt/imagetxt.go
@@ -0,0 +1,232 @@
+package imagetxt
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/google/go-containerregistry/pkg/name"
+
+	artifact "hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/artifacts/image"
+	"hauler.dev/go/hauler/pkg/getter"
+	"hauler.dev/go/hauler/pkg/log"
+)
+
+type ImageTxt struct {
+	Ref            string
+	IncludeSources map[string]bool
+	ExcludeSources map[string]bool
+
+	lock     *sync.Mutex
+	client   *getter.Client
+	computed bool
+	contents map[string]artifact.OCI
+}
+
+var _ artifact.OCICollection = (*ImageTxt)(nil)
+
+type Option interface {
+	Apply(*ImageTxt) error
+}
+
+type withIncludeSources []string
+
+func (o withIncludeSources) Apply(it *ImageTxt) error {
+	if it.IncludeSources == nil {
+		it.IncludeSources = make(map[string]bool)
+	}
+	for _, s := range o {
+		it.IncludeSources[s] = true
+	}
+	return nil
+}
+
+func WithIncludeSources(include ...string) Option {
+	return withIncludeSources(include)
+}
+
+type withExcludeSources []string
+
+func (o withExcludeSources) Apply(it *ImageTxt) error {
+	if it.ExcludeSources == nil {
+		it.ExcludeSources = make(map[string]bool)
+	}
+	for _, s := range o {
+		it.ExcludeSources[s] = true
+	}
+	return nil
+}
+
+func WithExcludeSources(exclude ...string) Option {
+	return withExcludeSources(exclude)
+}
+
+func New(ref string, opts ...Option) (*ImageTxt, error) {
+	it := &ImageTxt{
+		Ref: ref,
+
+		client: getter.NewClient(getter.ClientOptions{}),
+		lock:   &sync.Mutex{},
+	}
+
+	for i, o := range opts {
+		if err := o.Apply(it); err != nil {
+			return nil, fmt.Errorf("invalid option %d: %v", i, err)
+		}
+	}
+
+	return it, nil
+}
+
+func (it *ImageTxt) Contents() (map[string]artifact.OCI, error) {
+	it.lock.Lock()
+	defer it.lock.Unlock()
+	if !it.computed {
+		if err := it.compute(); err != nil {
+			return nil, fmt.Errorf("compute OCI layout: %v", err)
+		}
+		it.computed = true
+	}
+	return it.contents, nil
+}
+
+func (it *ImageTxt) compute() error {
+	// TODO - pass in logger from context
+	l := log.NewLogger(os.Stdout)
+
+	it.contents = make(map[string]artifact.OCI)
+
+	ctx := context.TODO()
+
+	rc, err := it.client.ContentFrom(ctx, it.Ref)
+	if err != nil {
+		return fmt.Errorf("fetch image.txt ref %s: %w", it.Ref, err)
+	}
+	defer rc.Close()
+
+	entries, err := splitImagesTxt(rc)
+	if err != nil {
+		return fmt.Errorf("parse image.txt ref %s: %v", it.Ref, err)
+	}
+
+	foundSources := make(map[string]bool)
+	for _, e := range entries {
+		for s := range e.Sources {
+			foundSources[s] = true
+		}
+	}
+
+	var pullAll bool
+	targetSources := make(map[string]bool)
+
+	if len(foundSources) == 0 || (len(it.IncludeSources) == 0 && len(it.ExcludeSources) == 0) {
+		// pull all found images
+		pullAll = true
+
+		if len(foundSources) == 0 {
+			l.Infof("image txt file appears to have no sources; pulling all found images")
+			if len(it.IncludeSources) != 0 || len(it.ExcludeSources) != 0 {
+				l.Warnf("ImageTxt provided include or exclude sources; ignoring")
+			}
+		} else if len(it.IncludeSources) == 0 && len(it.ExcludeSources) == 0 {
+			l.Infof("image-sources txt file not filtered; pulling all found images")
+		}
+	} else {
+		// determine sources to pull
+		if len(it.IncludeSources) != 0 && len(it.ExcludeSources) != 0 {
+			l.Warnf("ImageTxt provided include and exclude sources; using only include sources")
+		}
+
+		if len(it.IncludeSources) != 0 {
+			targetSources = it.IncludeSources
+		} else {
+			for s := range foundSources {
+				targetSources[s] = true
+			}
+			for s := range it.ExcludeSources {
+				delete(targetSources, s)
+			}
+		}
+		var targetSourcesArr []string
+		for s := range targetSources {
+			targetSourcesArr = append(targetSourcesArr, s)
+		}
+		l.Infof("pulling images covering sources %s", strings.Join(targetSourcesArr, ", "))
+	}
+
+	for _, e := range entries {
+		var matchesSourceFilter bool
+		if pullAll {
+			l.Infof("pulling image %s", e.Reference)
+		} else {
+			for s := range e.Sources {
+				if targetSources[s] {
+					matchesSourceFilter = true
+					l.Infof("pulling image %s (matched source %s)", e.Reference, s)
+					break
+				}
+			}
+		}
+
+		if pullAll || matchesSourceFilter {
+			curImage, err := image.NewImage(e.Reference.String())
+			if err != nil {
+				return fmt.Errorf("pull image %s: %v", e.Reference, err)
+			}
+			it.contents[e.Reference.String()] = curImage
+		}
+	}
+
+	return nil
+}
+
+type imageTxtEntry struct {
+	Reference name.Reference
+	Sources   map[string]bool
+}
+
+func splitImagesTxt(r io.Reader) ([]imageTxtEntry, error) {
+	var entries []imageTxtEntry
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		curEntry := imageTxtEntry{
+			Sources: make(map[string]bool),
+		}
+
+		lineContent := scanner.Text()
+		if lineContent == "" || strings.HasPrefix(lineContent, "#") {
+			// skip past empty and commented lines
+			continue
+		}
+		splitContent := strings.Split(lineContent, " ")
+		if len(splitContent) > 2 {
+			return nil, fmt.Errorf(
+				"invalid image.txt format: must contain only an image reference and sources separated by space; invalid line: %q",
+				lineContent)
+		}
+
+		curRef, err := name.ParseReference(splitContent[0])
+		if err != nil {
+			return nil, fmt.Errorf("invalid reference %s: %v", splitContent[0], err)
+		}
+		curEntry.Reference = curRef
+
+		if len(splitContent) == 2 {
+			for _, source := range strings.Split(splitContent[1], ",") {
+				curEntry.Sources[source] = true
+			}
+		}
+
+		entries = append(entries, curEntry)
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, fmt.Errorf("scan contents: %v", err)
+	}
+
+	return entries, nil
+}
--- a/pkg/collection/imagetxt/imagetxt_test.go
+++ b/pkg/collection/imagetxt/imagetxt_test.go
@@ -0,0 +1,209 @@
+package imagetxt
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/artifacts/image"
+)
+
+var (
+	ErrRefNotFound    = errors.New("ref not found")
+	ErrRefNotImage    = errors.New("ref is not image")
+	ErrExtraRefsFound = errors.New("extra refs found in contents")
+)
+
+var (
+	testServer *httptest.Server
+)
+
+func TestMain(m *testing.M) {
+	setup()
+	code := m.Run()
+	teardown()
+	os.Exit(code)
+}
+
+func setup() {
+	dir := http.Dir("./testdata/http/")
+	h := http.FileServer(dir)
+	testServer = httptest.NewServer(h)
+}
+
+func teardown() {
+	if testServer != nil {
+		testServer.Close()
+	}
+}
+
+type failKind string
+
+const (
+	failKindNew      = failKind("New")
+	failKindContents = failKind("Contents")
+)
+
+func checkError(checkedFailKind failKind) func(*testing.T, error, bool, failKind) {
+	return func(cet *testing.T, err error, testShouldFail bool, testFailKind failKind) {
+		if err != nil {
+			// if error should not have happened at all OR error should have happened
+			// at a different point, test failed
+			if !testShouldFail || testFailKind != checkedFailKind {
+				cet.Fatalf("unexpected error at %s: %v", checkedFailKind, err)
+			}
+			// test should fail at this point, test passed
+			return
+		}
+		// if no error occurred but error should have happened at this point, test
+		// failed
+		if testShouldFail && testFailKind == checkedFailKind {
+			cet.Fatalf("unexpected nil error at %s", checkedFailKind)
+		}
+	}
+}
+
+func TestImageTxtCollection(t *testing.T) {
+	type testEntry struct {
+		Name           string
+		Ref            string
+		IncludeSources []string
+		ExcludeSources []string
+		ExpectedImages []string
+		ShouldFail     bool
+		FailKind       failKind
+	}
+	tt := []testEntry{
+		{
+			Name: "http ref basic",
+			Ref:  fmt.Sprintf("%s/images-http.txt", testServer.URL),
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+		{
+			Name: "http ref sources format pull all",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+		{
+			Name: "http ref sources format include sources A",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			IncludeSources: []string{
+				"core", "rke",
+			},
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+			},
+		},
+		{
+			Name: "http ref sources format include sources B",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			IncludeSources: []string{
+				"nginx", "rancher", "cert-manager",
+			},
+			ExpectedImages: []string{
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+		{
+			Name: "http ref sources format exclude sources A",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			ExcludeSources: []string{
+				"cert-manager",
+			},
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+			},
+		},
+		{
+			Name: "http ref sources format exclude sources B",
+			Ref:  fmt.Sprintf("%s/images-src-http.txt", testServer.URL),
+			ExcludeSources: []string{
+				"core",
+			},
+			ExpectedImages: []string{
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+		{
+			Name: "local file ref",
+			Ref:  "./testdata/images-file.txt",
+			ExpectedImages: []string{
+				"busybox",
+				"nginx:1.19",
+				"rancher/hyperkube:v1.21.7-rancher1",
+				"docker.io/rancher/klipper-lb:v0.3.4",
+				"quay.io/jetstack/cert-manager-controller:v1.6.1",
+			},
+		},
+	}
+
+	checkErrorNew := checkError(failKindNew)
+	checkErrorContents := checkError(failKindContents)
+
+	for _, curTest := range tt {
+		t.Run(curTest.Name, func(innerT *testing.T) {
+			curImageTxt, err := New(curTest.Ref,
+				WithIncludeSources(curTest.IncludeSources...),
+				WithExcludeSources(curTest.ExcludeSources...),
+			)
+			checkErrorNew(innerT, err, curTest.ShouldFail, curTest.FailKind)
+
+			ociContents, err := curImageTxt.Contents()
+			checkErrorContents(innerT, err, curTest.ShouldFail, curTest.FailKind)
+
+			if err := checkImages(ociContents, curTest.ExpectedImages); err != nil {
+				innerT.Fatal(err)
+			}
+		})
+	}
+}
+
+func checkImages(content map[string]artifacts.OCI, refs []string) error {
+	contentCopy := make(map[string]artifacts.OCI, len(content))
+	for k, v := range content {
+		contentCopy[k] = v
+	}
+	for _, ref := range refs {
+		target, ok := content[ref]
+		if !ok {
+			return fmt.Errorf("ref %s: %w", ref, ErrRefNotFound)
+		}
+		if _, ok := target.(*image.Image); !ok {
+			return fmt.Errorf("got underlying type %T: %w", target, ErrRefNotImage)
+		}
+		delete(contentCopy, ref)
+	}
+
+	if len(contentCopy) != 0 {
+		return ErrExtraRefsFound
+	}
+
+	return nil
+}
--- a/pkg/collection/imagetxt/testdata/http/images-http.txt
+++ b/pkg/collection/imagetxt/testdata/http/images-http.txt
@@ -0,0 +1,5 @@
+busybox
+nginx:1.19
+rancher/hyperkube:v1.21.7-rancher1
+docker.io/rancher/klipper-lb:v0.3.4
+quay.io/jetstack/cert-manager-controller:v1.6.1
--- a/pkg/collection/imagetxt/testdata/http/images-src-http.txt
+++ b/pkg/collection/imagetxt/testdata/http/images-src-http.txt
@@ -0,0 +1,5 @@
+busybox core
+nginx:1.19 core,nginx
+rancher/hyperkube:v1.21.7-rancher1 rancher,rke
+docker.io/rancher/klipper-lb:v0.3.4 rancher,k3s
+quay.io/jetstack/cert-manager-controller:v1.6.1 cert-manager
--- a/pkg/collection/imagetxt/testdata/images-file.txt
+++ b/pkg/collection/imagetxt/testdata/images-file.txt
@@ -0,0 +1,5 @@
+busybox
+nginx:1.19
+rancher/hyperkube:v1.21.7-rancher1
+docker.io/rancher/klipper-lb:v0.3.4
+quay.io/jetstack/cert-manager-controller:v1.6.1
--- a/pkg/collection/k3s/k3s.go
+++ b/pkg/collection/k3s/k3s.go
@@ -1,191 +0,0 @@
-package k3s
-
-import (
-	"bufio"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/url"
-	"path"
-	"strings"
-
-	"github.com/google/go-containerregistry/pkg/name"
-
-	"github.com/rancherfederal/hauler/pkg/artifact"
-	"github.com/rancherfederal/hauler/pkg/content/file"
-	"github.com/rancherfederal/hauler/pkg/content/image"
-)
-
-var _ artifact.Collection = (*k3s)(nil)
-
-const (
-	releaseUrl   = "https://github.com/k3s-io/k3s/releases/download"
-	channelUrl   = "https://update.k3s.io/v1-release/channels"
-	bootstrapUrl = "https://get.k3s.io"
-)
-
-var (
-	ErrImagesNotFound     = errors.New("k3s dependent images not found")
-	ErrFetchingImages     = errors.New("failed to fetch k3s dependent images")
-	ErrExecutableNotfound = errors.New("k3s executable not found")
-	ErrChannelNotFound    = errors.New("desired k3s channel not found")
-)
-
-type k3s struct {
-	version string
-	arch    string
-
-	computed bool
-	contents map[name.Reference]artifact.OCI
-	channels map[string]string
-}
-
-func NewK3s(version string) (artifact.Collection, error) {
-	return &k3s{
-		version:  version,
-		contents: make(map[name.Reference]artifact.OCI),
-	}, nil
-}
-
-func (k *k3s) Contents() (map[name.Reference]artifact.OCI, error) {
-	if err := k.compute(); err != nil {
-		return nil, err
-	}
-	return k.contents, nil
-}
-
-func (k *k3s) compute() error {
-	if k.computed {
-		return nil
-	}
-
-	if err := k.fetchChannels(); err == nil {
-		if version, ok := k.channels[k.version]; ok {
-			k.version = version
-		}
-	}
-
-	if err := k.images(); err != nil {
-		return err
-	}
-
-	if err := k.executable(); err != nil {
-		return err
-	}
-
-	if err := k.bootstrap(); err != nil {
-		return err
-	}
-
-	k.computed = true
-	return nil
-}
-
-func (k *k3s) executable() error {
-	n := "k3s"
-	if k.arch != "" && k.arch != "amd64" {
-		n = fmt.Sprintf("name-%s", k.arch)
-	}
-	fref := k.releaseUrl(n)
-
-	resp, err := http.Head(fref)
-	if resp.StatusCode != http.StatusOK || err != nil {
-		return ErrExecutableNotfound
-	}
-
-	f, err := file.NewFile(fref, "k3s")
-	if err != nil {
-		return err
-	}
-
-	ref, err := name.ParseReference("hauler/k3s", name.WithDefaultTag(k.dnsCompliantVersion()), name.WithDefaultRegistry(""))
-	if err != nil {
-		return err
-	}
-
-	k.contents[ref] = f
-	return nil
-}
-
-func (k *k3s) bootstrap() error {
-	f, err := file.NewFile(bootstrapUrl, "get-k3s.io")
-	if err != nil {
-		return err
-	}
-
-	ref, err := name.ParseReference("hauler/get-k3s.io", name.WithDefaultRegistry(""), name.WithDefaultTag("latest"))
-	if err != nil {
-		return err
-	}
-
-	k.contents[ref] = f
-	return nil
-}
-
-func (k *k3s) images() error {
-	resp, err := http.Get(k.releaseUrl("k3s-images.txt"))
-	if resp.StatusCode != http.StatusOK {
-		return ErrFetchingImages
-	} else if err != nil {
-		return ErrImagesNotFound
-	}
-	defer resp.Body.Close()
-
-	scanner := bufio.NewScanner(resp.Body)
-	for scanner.Scan() {
-		reference := scanner.Text()
-		ref, err := name.ParseReference(reference)
-		if err != nil {
-			return err
-		}
-		o, err := image.NewImage(reference)
-		if err != nil {
-			return err
-		}
-
-		k.contents[ref] = o
-	}
-	return nil
-}
-
-func (k *k3s) releaseUrl(artifact string) string {
-	u, _ := url.Parse(releaseUrl)
-	complete := []string{u.Path}
-	u.Path = path.Join(append(complete, []string{k.version, artifact}...)...)
-	return u.String()
-}
-
-func (k *k3s) dnsCompliantVersion() string {
-	return strings.ReplaceAll(k.version, "+", "-")
-}
-
-func (k *k3s) fetchChannels() error {
-	resp, err := http.Get(channelUrl)
-	if err != nil {
-		return err
-	}
-
-	var c channel
-	if err := json.NewDecoder(resp.Body).Decode(&c); err != nil {
-		return err
-	}
-
-	channels := make(map[string]string)
-	for _, ch := range c.Data {
-		channels[ch.Name] = ch.Latest
-	}
-
-	k.channels = channels
-	return nil
-}
-
-type channel struct {
-	Data []channelData `json:"data"`
-}
-
-type channelData struct {
-	ID     string `json:"id"`
-	Name   string `json:"name"`
-	Latest string `json:"latest"`
-}
--- a/pkg/collection/k3s/k3s_test.go
+++ b/pkg/collection/k3s/k3s_test.go
@@ -1,71 +0,0 @@
-package k3s
-
-import (
-	"context"
-	"os"
-	"testing"
-
-	"github.com/rancherfederal/hauler/pkg/artifact"
-	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/store"
-)
-
-// TODO: This is not at all a good test, we really just need to test the added collections functionality (like image scanning)
-func TestNewK3s(t *testing.T) {
-	ctx := context.Background()
-	l := log.NewLogger(os.Stdout)
-	ctx = l.WithContext(ctx)
-
-	tmpdir, err := os.MkdirTemp("", "hauler")
-	if err != nil {
-		t.Error(err)
-	}
-	defer os.Remove(tmpdir)
-
-	s := store.NewStore(ctx, tmpdir)
-	s.Open()
-	defer s.Close()
-
-	type args struct {
-		version string
-	}
-	tests := []struct {
-		name    string
-		args    args
-		want    artifact.Collection
-		wantErr bool
-	}{
-		{
-			name: "should work",
-			args: args{
-				version: "v1.22.2+k3s2",
-			},
-			want:    nil,
-			wantErr: false,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := NewK3s(tt.args.version)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("NewK3s() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-
-			c, err := got.Contents()
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			for r, o := range c {
-				if _, err := s.AddArtifact(ctx, o, r); err != nil {
-					t.Fatal(err)
-				}
-			}
-
-			// if !reflect.DeepEqual(got, tt.want) {
-			// 	t.Errorf("NewK3s() got = %v, want %v", got, tt.want)
-			// }
-		})
-	}
-}
--- a/pkg/consts/consts.go
+++ b/pkg/consts/consts.go
@@ -0,0 +1,102 @@
+package consts
+
+const (
+	// container media types
+	OCIManifestSchema1        = "application/vnd.oci.image.manifest.v1+json"
+	DockerManifestSchema2     = "application/vnd.docker.distribution.manifest.v2+json"
+	DockerManifestListSchema2 = "application/vnd.docker.distribution.manifest.list.v2+json"
+	OCIImageIndexSchema       = "application/vnd.oci.image.index.v1+json"
+	DockerConfigJSON          = "application/vnd.docker.container.image.v1+json"
+	DockerLayer               = "application/vnd.docker.image.rootfs.diff.tar.gzip"
+	DockerForeignLayer        = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"
+	DockerUncompressedLayer   = "application/vnd.docker.image.rootfs.diff.tar"
+	OCILayer                  = "application/vnd.oci.image.layer.v1.tar+gzip"
+	OCIArtifact               = "application/vnd.oci.empty.v1+json"
+
+	// helm chart media types
+	ChartConfigMediaType = "application/vnd.cncf.helm.config.v1+json"
+	ChartLayerMediaType  = "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
+	ProvLayerMediaType   = "application/vnd.cncf.helm.chart.provenance.v1.prov"
+
+	// file media types
+	FileLayerMediaType           = "application/vnd.content.hauler.file.layer.v1"
+	FileLocalConfigMediaType     = "application/vnd.content.hauler.file.local.config.v1+json"
+	FileDirectoryConfigMediaType = "application/vnd.content.hauler.file.directory.config.v1+json"
+	FileHttpConfigMediaType      = "application/vnd.content.hauler.file.http.config.v1+json"
+
+	// memory media types
+	MemoryConfigMediaType = "application/vnd.content.hauler.memory.config.v1+json"
+
+	// wasm media types
+	WasmArtifactLayerMediaType = "application/vnd.wasm.content.layer.v1+wasm"
+	WasmConfigMediaType        = "application/vnd.wasm.config.v1+json"
+
+	// unknown media types
+	UnknownManifest = "application/vnd.hauler.cattle.io.unknown.v1+json"
+	UnknownLayer    = "application/vnd.content.hauler.unknown.layer"
+	Unknown         = "unknown"
+
+	// vendor prefixes
+	OCIVendorPrefix    = "vnd.oci"
+	DockerVendorPrefix = "vnd.docker"
+	HaulerVendorPrefix = "vnd.hauler"
+
+	// annotation keys
+	ContainerdImageNameKey  = "io.containerd.image.name"
+	KindAnnotationName      = "kind"
+	KindAnnotationImage     = "dev.cosignproject.cosign/image"
+	KindAnnotationIndex     = "dev.cosignproject.cosign/imageIndex"
+	ImageAnnotationKey      = "hauler.dev/key"
+	ImageAnnotationPlatform = "hauler.dev/platform"
+	ImageAnnotationRegistry = "hauler.dev/registry"
+	ImageAnnotationTlog     = "hauler.dev/use-tlog-verify"
+	ImageAnnotationRewrite  = "hauler.dev/rewrite"
+	ImageRefKey             = "org.opencontainers.image.ref.name"
+
+	// cosign keyless validation options
+	ImageAnnotationCertIdentity                 = "hauler.dev/certificate-identity"
+	ImageAnnotationCertIdentityRegexp           = "hauler.dev/certificate-identity-regexp"
+	ImageAnnotationCertOidcIssuer               = "hauler.dev/certificate-oidc-issuer"
+	ImageAnnotationCertOidcIssuerRegexp         = "hauler.dev/certificate-oidc-issuer-regexp"
+	ImageAnnotationCertGithubWorkflowRepository = "hauler.dev/certificate-github-workflow-repository"
+
+	// content kinds
+	ImagesContentKind    = "Images"
+	ChartsContentKind    = "Charts"
+	FilesContentKind     = "Files"
+	DriverContentKind    = "Driver"
+	ImageTxtsContentKind = "ImageTxts"
+	ChartsCollectionKind = "ThickCharts"
+
+	// content groups
+	ContentGroup    = "content.hauler.cattle.io"
+	CollectionGroup = "collection.hauler.cattle.io"
+
+	// environment variables
+	HaulerDir          = "HAULER_DIR"
+	HaulerTempDir      = "HAULER_TEMP_DIR"
+	HaulerStoreDir     = "HAULER_STORE_DIR"
+	HaulerIgnoreErrors = "HAULER_IGNORE_ERRORS"
+
+	// container files and directories
+	ImageManifestFile = "manifest.json"
+	ImageConfigFile   = "config.json"
+
+	// other constraints
+	CarbideRegistry           = "rgcrprod.azurecr.us"
+	DefaultNamespace          = "hauler"
+	DefaultTag                = "latest"
+	DefaultStoreName          = "store"
+	DefaultHaulerDirName      = ".hauler"
+	DefaultHaulerTempDirName  = "hauler"
+	DefaultRegistryRootDir    = "registry"
+	DefaultRegistryPort       = 5000
+	DefaultFileserverRootDir  = "fileserver"
+	DefaultFileserverPort     = 8080
+	DefaultFileserverTimeout  = 60
+	DefaultHaulerArchiveName  = "haul.tar.zst"
+	DefaultHaulerManifestName = "hauler-manifest.yaml"
+	DefaultRetries            = 3
+	RetriesInterval           = 5
+	CustomTimeFormat          = "2006-01-02 15:04:05"
+)
--- a/pkg/content/chart/chart.go
+++ b/pkg/content/chart/chart.go
@@ -1,9 +1,14 @@
 package chart

 import (
+	"archive/tar"
 	"bytes"
+	"compress/gzip"
 	"encoding/json"
+	"fmt"
 	"io"
+	"io/fs"
+	"net/url"
 	"os"
 	"path/filepath"

@@ -11,42 +16,85 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/partial"
 	gtypes "github.com/google/go-containerregistry/pkg/v1/types"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"hauler.dev/go/hauler/pkg/artifacts"
+	"hauler.dev/go/hauler/pkg/log"
 	"helm.sh/helm/v3/pkg/action"
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chart/loader"
 	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/registry"

-	"github.com/rancherfederal/hauler/pkg/artifact"
-	"github.com/rancherfederal/hauler/pkg/artifact/local"
-	"github.com/rancherfederal/hauler/pkg/artifact/types"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/layer"
 )

-var _ artifact.OCI = (*Chart)(nil)
+var (
+	_        artifacts.OCI = (*Chart)(nil)
+	settings               = cli.New()
+)

+// chart implements the oci interface for chart api objects... api spec values are stored into the name, repo, and version fields
 type Chart struct {
-	path string
-
+	path        string
 	annotations map[string]string
 }

-func NewChart(name, repo, version string) (*Chart, error) {
-	cpo := action.ChartPathOptions{
-		RepoURL: repo,
-		Version: version,
+// newchart is a helper method that returns newlocalchart or newremotechart depending on chart contents
+func NewChart(name string, opts *action.ChartPathOptions) (*Chart, error) {
+	chartRef := name
+	actionConfig := new(action.Configuration)
+	if err := actionConfig.Init(settings.RESTClientGetter(), settings.Namespace(), os.Getenv("HELM_DRIVER"), log.NewLogger(os.Stdout).Debugf); err != nil {
+		return nil, err
 	}

-	cp, err := cpo.LocateChart(name, cli.New())
+	client := action.NewInstall(actionConfig)
+	client.ChartPathOptions.Version = opts.Version
+
+	registryClient, err := newRegistryClient(client.CertFile, client.KeyFile, client.CaFile,
+		client.InsecureSkipTLSverify, client.PlainHTTP)
+	if err != nil {
+		return nil, fmt.Errorf("missing registry client: %w", err)
+	}
+
+	client.SetRegistryClient(registryClient)
+	if registry.IsOCI(opts.RepoURL) {
+		chartRef = opts.RepoURL + "/" + name
+	} else if isUrl(opts.RepoURL) { // oci protocol registers as a valid url
+		client.ChartPathOptions.RepoURL = opts.RepoURL
+	} else { // handles cases like grafana and loki
+		chartRef = opts.RepoURL + "/" + name
+	}
+
+	// suppress helm downloader oci logs (stdout/stderr)
+	oldStdout := os.Stdout
+	oldStderr := os.Stderr
+	rOut, wOut, _ := os.Pipe()
+	rErr, wErr, _ := os.Pipe()
+	os.Stdout = wOut
+	os.Stderr = wErr
+
+	chartPath, err := client.ChartPathOptions.LocateChart(chartRef, settings)
+
+	wOut.Close()
+	wErr.Close()
+	os.Stdout = oldStdout
+	os.Stderr = oldStderr
+	_, _ = io.Copy(io.Discard, rOut)
+	_, _ = io.Copy(io.Discard, rErr)
+	rOut.Close()
+	rErr.Close()
+
 	if err != nil {
 		return nil, err
 	}

 	return &Chart{
-		path: cp,
-	}, nil
+		path: chartPath,
+	}, err
 }

 func (h *Chart) MediaType() string {
-	return types.OCIManifestSchema1
+	return consts.OCIManifestSchema1
 }

 func (h *Chart) Manifest() (*gv1.Manifest, error) {
@@ -94,23 +142,18 @@ func (h *Chart) configDescriptor() (gv1.Descriptor, error) {
 	}

 	return gv1.Descriptor{
-		MediaType: types.ChartConfigMediaType,
+		MediaType: consts.ChartConfigMediaType,
 		Size:      size,
 		Digest:    hash,
 	}, nil
 }

 func (h *Chart) Load() (*chart.Chart, error) {
-	rc, err := chartOpener(h.path)()
-	if err != nil {
-		return nil, err
-	}
-	defer rc.Close()
-	return loader.LoadArchive(rc)
+	return loader.Load(h.path)
 }

 func (h *Chart) Layers() ([]gv1.Layer, error) {
-	chartDataLayer, err := h.chartDataLayer()
+	chartDataLayer, err := h.chartData()
 	if err != nil {
 		return nil, err
 	}
@@ -125,17 +168,141 @@ func (h *Chart) RawChartData() ([]byte, error) {
 	return os.ReadFile(h.path)
 }

-func (h *Chart) chartDataLayer() (gv1.Layer, error) {
+// chartdata loads the chart contents into memory and returns a NopCloser for the contents
+// normally we avoid loading into memory, but charts sizes are strictly capped at ~1MB
+func (h *Chart) chartData() (gv1.Layer, error) {
+	info, err := os.Stat(h.path)
+	if err != nil {
+		return nil, err
+	}
+
+	var chartdata []byte
+	if info.IsDir() {
+		buf := &bytes.Buffer{}
+		gw := gzip.NewWriter(buf)
+		tw := tar.NewWriter(gw)
+
+		if err := filepath.WalkDir(h.path, func(path string, d fs.DirEntry, err error) error {
+			fi, err := d.Info()
+			if err != nil {
+				return err
+			}
+
+			header, err := tar.FileInfoHeader(fi, fi.Name())
+			if err != nil {
+				return err
+			}
+
+			rel, err := filepath.Rel(filepath.Dir(h.path), path)
+			if err != nil {
+				return err
+			}
+			header.Name = rel
+
+			if err := tw.WriteHeader(header); err != nil {
+				return err
+			}
+
+			if !d.IsDir() {
+				data, err := os.Open(path)
+				if err != nil {
+					return err
+				}
+				if _, err := io.Copy(tw, data); err != nil {
+					return err
+				}
+			}
+
+			return nil
+		}); err != nil {
+			return nil, err
+		}
+
+		if err := tw.Close(); err != nil {
+			return nil, err
+		}
+		if err := gw.Close(); err != nil {
+			return nil, err
+		}
+		chartdata = buf.Bytes()
+
+	} else {
+		data, err := os.ReadFile(h.path)
+		if err != nil {
+			return nil, err
+		}
+		chartdata = data
+	}
+
 	annotations := make(map[string]string)
 	annotations[ocispec.AnnotationTitle] = filepath.Base(h.path)

-	return local.LayerFromOpener(chartOpener(h.path),
-		local.WithMediaType(types.ChartLayerMediaType),
-		local.WithAnnotations(annotations))
+	opener := func() layer.Opener {
+		return func() (io.ReadCloser, error) {
+			return io.NopCloser(bytes.NewBuffer(chartdata)), nil
+		}
+	}
+	chartDataLayer, err := layer.FromOpener(opener(),
+		layer.WithMediaType(consts.ChartLayerMediaType),
+		layer.WithAnnotations(annotations))
+
+	return chartDataLayer, err
+}
+func isUrl(name string) bool {
+	_, err := url.ParseRequestURI(name)
+	return err == nil
 }

-func chartOpener(path string) local.Opener {
-	return func() (io.ReadCloser, error) {
-		return os.Open(path)
+func newRegistryClient(certFile, keyFile, caFile string, insecureSkipTLSverify, plainHTTP bool) (*registry.Client, error) {
+	if certFile != "" && keyFile != "" || caFile != "" || insecureSkipTLSverify {
+		registryClient, err := newRegistryClientWithTLS(certFile, keyFile, caFile, insecureSkipTLSverify)
+		if err != nil {
+			return nil, err
+		}
+		return registryClient, nil
 	}
+	registryClient, err := newDefaultRegistryClient(plainHTTP)
+	if err != nil {
+		return nil, err
+	}
+	return registryClient, nil
+}
+
+func newDefaultRegistryClient(plainHTTP bool) (*registry.Client, error) {
+	opts := []registry.ClientOption{
+		registry.ClientOptDebug(settings.Debug),
+		registry.ClientOptEnableCache(true),
+		registry.ClientOptWriter(io.Discard),
+		registry.ClientOptCredentialsFile(settings.RegistryConfig),
+	}
+	if plainHTTP {
+		opts = append(opts, registry.ClientOptPlainHTTP())
+	}
+
+	// create a new registry client
+	registryClient, err := registry.NewClient(opts...)
+	if err != nil {
+		return nil, err
+	}
+	return registryClient, nil
+}
+
+func newRegistryClientWithTLS(certFile, keyFile, caFile string, insecureSkipTLSverify bool) (*registry.Client, error) {
+	// create a new registry client
+	registryClient, err := registry.NewRegistryClientWithTLS(
+		io.Discard,
+		certFile, keyFile, caFile,
+		insecureSkipTLSverify,
+		settings.RegistryConfig,
+		settings.Debug,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return registryClient, nil
+}
+
+// path returns the local filesystem path to the chart archive or directory
+func (h *Chart) Path() string {
+	return h.path
 }
--- a/pkg/content/chart/chart_test.go
+++ b/pkg/content/chart/chart_test.go
@@ -1,72 +1,107 @@
 package chart_test

 import (
-	"context"
 	"os"
-	"path"
+	"reflect"
 	"testing"

-	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"helm.sh/helm/v3/pkg/action"

-	"github.com/rancherfederal/hauler/pkg/apis/hauler.cattle.io/v1alpha1"
-	"github.com/rancherfederal/hauler/pkg/content/chart"
-	"github.com/rancherfederal/hauler/pkg/log"
-	"github.com/rancherfederal/hauler/pkg/store"
+	"hauler.dev/go/hauler/pkg/consts"
+	"hauler.dev/go/hauler/pkg/content/chart"
 )

-func TestChart_Copy(t *testing.T) {
-	ctx := context.Background()
-	l := log.NewLogger(os.Stdout)
-	ctx = l.WithContext(ctx)
-
-	tmpdir, err := os.MkdirTemp("", "hauler")
+func TestNewChart(t *testing.T) {
+	tempDir, err := os.MkdirTemp("", "hauler")
 	if err != nil {
-		t.Error(err)
+		t.Fatal(err)
 	}
-	defer os.Remove(tmpdir)
-
-	s := store.NewStore(ctx, tmpdir)
-	s.Open()
-	defer s.Close()
+	defer os.RemoveAll(tempDir)

 	type args struct {
-		ctx      context.Context
-		registry string
+		name string
+		opts *action.ChartPathOptions
 	}
 	tests := []struct {
 		name    string
-		cfg     v1alpha1.Chart
 		args    args
+		want    v1.Descriptor
 		wantErr bool
 	}{
-		// TODO: This test isn't self-contained
 		{
-			name: "should work with unversioned chart",
-			cfg: v1alpha1.Chart{
-				Name:    "loki",
-				RepoURL: "https://grafana.github.io/helm-charts",
-			},
+			name: "should create from a chart archive",
 			args: args{
-				ctx:      ctx,
-				registry: s.Registry(),
+				name: "rancher-cluster-templates-0.5.2.tgz",
+				opts: &action.ChartPathOptions{RepoURL: "../../../testdata"},
+			},
+			want: v1.Descriptor{
+				MediaType: consts.ChartLayerMediaType,
+				Size:      14970,
+				Digest: v1.Hash{
+					Algorithm: "sha256",
+					Hex:       "0905de044a6e57cf3cd27bfc8482753049920050b10347ae2315599bd982a0e3",
+				},
+				Annotations: map[string]string{
+					ocispec.AnnotationTitle: "rancher-cluster-templates-0.5.2.tgz",
+				},
+			},
+			wantErr: false,
+		},
+		// TODO: This isn't matching digests b/c of file timestamps not being respected
+		// {
+		// 	name:    "should create from a chart directory",
+		// 	args:    args{
+		// 		path: filepath.Join(tempDir, "podinfo"),
+		// 	},
+		// 	want:    want,
+		// 	wantErr: false,
+		// },
+		{
+			// TODO: Use a mock helm server
+			name: "should fetch a remote chart",
+			args: args{
+				name: "cert-manager",
+				opts: &action.ChartPathOptions{RepoURL: "https://charts.jetstack.io", Version: "1.15.3"},
+			},
+			want: v1.Descriptor{
+				MediaType: consts.ChartLayerMediaType,
+				Size:      94751,
+				Digest: v1.Hash{
+					Algorithm: "sha256",
+					Hex:       "016e68d9f7083d2c4fd302f951ee6490dbf4cb1ef44cfc06914c39cbfb01d858",
+				},
+				Annotations: map[string]string{
+					ocispec.AnnotationTitle: "cert-manager-v1.15.3.tgz",
+				},
 			},
 			wantErr: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			c, err := chart.NewChart(tt.cfg.Name, tt.cfg.RepoURL, tt.cfg.Version)
-			if err != nil {
-				t.Fatal(err)
-			}
-			ref, err := name.ParseReference(path.Join("hauler", tt.cfg.Name))
-			if err != nil {
-				t.Fatal(err)
+			got, err := chart.NewChart(tt.args.name, tt.args.opts)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NewLocalChart() error = %v, wantErr %v", err, tt.wantErr)
+				return
 			}

-			if _, err := s.AddArtifact(ctx, c, ref); (err != nil) != tt.wantErr {
+			m, err := got.Manifest()
+			if err != nil {
 				t.Error(err)
 			}
+
+			// TODO: This changes when we support provenance files
+			if len(m.Layers) > 1 {
+				t.Errorf("Expected 1 layer for chart, got %d", len(m.Layers))
+			}
+			desc := m.Layers[0]
+
+			if !reflect.DeepEqual(desc, tt.want) {
+				t.Errorf("got: %v\nwant: %v", desc, tt.want)
+				return
+			}
 		})
 	}
 }
--- a/Show More
+++ b/Show More