v1.204.1-rc.1

feat: Add experimental feature transparency and controls @osterman (#1940)

## what

• Introduce <Experimental /> badge component for marking features as experimental
• Introduce <FirstReleased /> badge component for version tracking
• Create "Experimental Features" policy page explaining maturity levels
• Mark experimental features across documentation with transparency badges
• Add configurable experimental feature handling (silence, disable, warn, error)
• Add ATMOS_EXPERIMENTAL environment variable and settings.experimental config
• Mark terraform backend, terraform workdir, and toolchain commands as experimental
• Fix stacks documentation sidebar sorting (alphabetical)
• Fix toolchain sidebar label capitalization
• Improve Experimental badge with react-icons and button behavior
• Update flag-handler agent with experimental feature documentation

why

Provide users with clear visibility into feature maturity to set expectations.
Experimental features may change APIs, need community feedback, or lack stability
guarantees. This change aligns with the project's commitment to transparency.

Users can now control how experimental features behave:

• silence - Run without notification
• warn - Show notification, continue (default)
• error - Show notification, exit with error
• disable - Block experimental commands entirely

references

• /experimental - Experimental features policy
• /cli/configuration/settings/experimental - Configuration docs

Summary by CodeRabbit

• New Features

  • Experimental features system with four handling modes (silence, warn, disable, error) and CLI visibility badges
  • Unreleased docs tracking and an "Unreleased" page/list with celebratory UI when all docs are released
  • New UI badges: Experimental and First released indicators; Experimental features listing in roadmap/docs

• Documentation

  • New docs for experimental feature controls and unreleased content; experimental indicators added across CLI/docs

• Configuration

  • settings.experimental option with environment override (ATMOS_EXPERIMENTAL)

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add Devcontainers to hero section typing animation @osterman (#1975)

## Summary - Adds "Devcontainers" to the animated typing list in the website's hero section - Updates accessibility text for screen readers

Test plan

• Website builds successfully (npm run build)
• Verify "Devcontainers" appears in the typing animation cycle on the landing page

🤖 Generated with Claude Code

v1.204.1-rc.0

feat: Add file-browser plugin for examples directory @osterman (#1969)

## what

• Add Docusaurus plugin to scan /examples/ directory and generate crawlable routes for all files
• Create React components for GitHub-style file browser with sidebar navigation
• Support syntax highlighting for code files and markdown rendering for documentation
• Generate "View on GitHub" links for each file
• Fix duplicate breadcrumbs, table border radius clipping, and content width inconsistencies

why

Provides users a way to explore example projects directly on the site with full-text search via Algolia. Makes examples more discoverable and improves the documentation experience by showing code examples alongside guides.

references

Implements the file browser for the /examples/ directory as a reusable Docusaurus plugin that can be used for other documentation browsing needs.

Summary by CodeRabbit

• New Features

  • Added a GitHub-style file browser to the docs with breadcrumb navigation, sidebar tree, file viewer, and "View on GitHub" links.
  • Added an "Examples" item to the site navbar.

• Documentation

  • Added comprehensive README guides for many example projects (Atlantis, Component Versions, Context, Helmfile, Schemas, Stacks, Vendoring, Workflows, Quick Start).

• Style

  • Improved syntax highlighting and YAML code styling site-wide.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

v1.204.0

feat: Improve source provisioner UX with spinners and interactive delete @osterman (#1965)

what

• Added spinner feedback during auto-provisioning in vendorToTarget()
• Introduced PromptForConfirmation() to pkg/flags/interactive.go for reusable destructive action confirmation prompts
• Updated delete command to prompt interactively instead of requiring --force flag
• Delete operation now shows spinner during deletion with consistent visual feedback
• Added blog post and roadmap milestone documenting the enhancement

why

These changes improve UX consistency across the CLI by providing:

• Better visual feedback during vendoring operations with spinners matching other long-running operations
• Interactive confirmation prompts for destructive actions that gracefully degrade in non-TTY environments
• A reusable pattern for other commands that need confirmation prompts

references

Related to source provisioner improvements for better developer experience with JIT vendoring.

Summary by CodeRabbit

• New Features

  • Interactive confirmation for destructive actions (requires TTY unless --force).
  • Interactive component/stack selection added to pull, delete, describe, and list; positional args now optional.
  • Shell completion for component and stack names.
  • Progress spinners for vendoring, provisioning and deletion flows; clearer interactive/error messaging.

• Tests

  • Expanded coverage for prompts, confirmations, non‑TTY flows, provisioning detection, and completion helpers.

• Documentation

  • UX docs updated with TTY vs non‑TTY guidance and force behavior.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

fix: announcement bar responsive wrapping @osterman (#1966)

what

• Override Docusaurus default fixed 30px height on the announcement bar at desktop widths
• Allow the announcement bar to wrap gracefully to multiple lines at mid-range viewport widths instead of clipping text

why

• At viewport widths between 997px and ~1400px, the announcement bar was clipping the text to a single 30px line
• Very wide screens displayed correctly (text fit on one line), and mobile displayed correctly (height: auto)
• The fix enables responsive text wrapping at mid-range widths where the message needs multiple lines

references

• Docusaurus AnnouncementBar default styles: website/node_modules/@docusaurus/theme-classic/src/theme/AnnouncementBar/styles.module.css

Summary by CodeRabbit

• Style
  • Improved announcement bar layout and text wrapping on desktop viewports (997px and above) for better content visibility and presentation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

docs: nest role_arn under assume_role @kyledecot (#1963)

what

Fixes minor error w/ docs so that role_arn is properly nested under assume_role.

why

Docs incorrectly had role_arn at the top-level of s3 backend configuration.

references

https://developer.hashicorp.com/terraform/language/backend/s3

Summary by CodeRabbit

Release Notes

• Documentation
  • Updated Terraform S3 backend configuration examples to reflect the new nested assume_role structure for specifying IAM role access.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add source provisioning example @osterman (#1962)

what

• Added examples/source-provisioning/ demonstrating the source provisioner feature for Just-in-Time component vendoring
• Includes separate dev and prod stacks using different module versions
• Demonstrates workdir isolation for terraform execution
• Simple, focused example showing one feature without catalog complexity

why

• Provides a working reference for users learning source provisioning
• Complements existing test fixtures and documentation with a clean runnable example
• Enables quick validation that source provisioning works end-to-end

references

• Source Provisioner PRD
• Provisioner System

Summary by CodeRabbit

• Documentation
  • Added source provisioning example with comprehensive README documentation and configuration samples demonstrating just-in-time component vendoring across development and production environments.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

docs: refactor terraform usage page @osterman (#1952)

what

• Refactored terraform usage.mdx from 871 to 149 lines into a focused overview page
• Added Multi-Component Operations sections to terraform-plan, terraform-apply, terraform-deploy, and terraform-destroy command pages
• Moved 300+ lines of multi-component examples and flag documentation to individual command pages
• Eliminated 765 lines of duplicate content across documentation

why

The terraform usage page served as both a landing page and comprehensive reference, resulting in massive duplication. Multi-component operations documentation now lives in individual command pages where it's directly relevant, improving maintainability and following the pattern used by other command groups like describe.

references

Issue: Terraform usage page was not refactored after subcommands were broken out into separate pages.

Summary by CodeRabbit

• Documentation
  • Added comprehensive multi-component operations documentation for terraform apply, deploy, and plan commands, covering filtering flags and deployment modes including affected components and query-based selection.
  • Reorganized terraform usage documentation with a new Command Modes section, streamlined examples, and improved navigation for single and multi-component workflows.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add data-driven roadmap slide deck with pagination @osterman (#1953)

what

• Created a new data-driven slide deck at /slides/roadmap that visualizes the Atmos product roadmap
• Featured initiatives appear first, followed by other initiatives with progress bars
• Paginated milestone viewer with clickable dots and Shift+Left/Right keyboard navigation
• Styled milestones with status icons, badges for releases/docs, inline code formatting
• Progress bar visualization for initiative completion percentages

why

• Provides a modern, interactive way to present the Atmos roadmap to stakeholders and the community
• Data-driven from roadmapConfig ensures the slides stay in sync with product planning
• Paginated milestones allow initiatives to showcase multiple achievements without cluttering slides
• Keyboard navigation provides power-user experience alongside mouse interaction

references

• Roadmap data source: website/src/data/roadmap.js
• Slide deck system: website/src/components/SlideDeck/

Summary by CodeRabbit

• New Features

  • Added "Atmos Roadmap 2025-2026" interactive slide deck with paginated milestone lists, status badges, progress bars, links, and presenter notes.
  • Milestone pagination supports Shift+ArrowLeft/Right; holding Shift while paging no longer advances slides.

• Style

  • Extensive visual and responsive styling for slides: badges, icons, progress bars, pagination dots, typography, and layout refinements.

• Other

  • Updated roadmap theme title to "Reducing Tool Fatigue".

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: stack name identity with zero-config filename fallback @osterman (#1934)

what

• Enforce single stack name identity - each stack now has exactly ONE valid identifier
• Add filename-based identity - stacks work with just filenames when no naming config exists (zero-config for newcomers)
• Improve error messages - when using an invalid stack name, error now says "invalid stack" and provides hints suggesting the correct name and how to list available stacks
• Fix ProcessStacks to recognize the stack manifest name field when matching stacks
• Add JSON schema documentation for the name field
• Add PRD documenting the stack name identity rules
• Add CLI smoke tests with golden snapshots

why

Issue 1: Manifest name not recognized

When a stack manifest has name: "my-explicit-stack", users expect to use that name in commands:

atmos tf plan vpc -s my-explicit-stack

Previously this failed with "Could not find the component vpc in the stack".

##...

v1.204.0-rc.5

feat: Improve source provisioner UX with spinners and interactive delete @osterman (#1965)

## what

• Added spinner feedback during auto-provisioning in vendorToTarget()
• Introduced PromptForConfirmation() to pkg/flags/interactive.go for reusable destructive action confirmation prompts
• Updated delete command to prompt interactively instead of requiring --force flag
• Delete operation now shows spinner during deletion with consistent visual feedback
• Added blog post and roadmap milestone documenting the enhancement

why

These changes improve UX consistency across the CLI by providing:

• Better visual feedback during vendoring operations with spinners matching other long-running operations
• Interactive confirmation prompts for destructive actions that gracefully degrade in non-TTY environments
• A reusable pattern for other commands that need confirmation prompts

references

Related to source provisioner improvements for better developer experience with JIT vendoring.

Summary by CodeRabbit

• New Features

  • Interactive confirmation for destructive actions (requires TTY unless --force).
  • Interactive component/stack selection added to pull, delete, describe, and list; positional args now optional.
  • Shell completion for component and stack names.
  • Progress spinners for vendoring, provisioning and deletion flows; clearer interactive/error messaging.

• Tests

  • Expanded coverage for prompts, confirmations, non‑TTY flows, provisioning detection, and completion helpers.

• Documentation

  • UX docs updated with TTY vs non‑TTY guidance and force behavior.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

fix: announcement bar responsive wrapping @osterman (#1966)

## what

• Override Docusaurus default fixed 30px height on the announcement bar at desktop widths
• Allow the announcement bar to wrap gracefully to multiple lines at mid-range viewport widths instead of clipping text

why

• At viewport widths between 997px and ~1400px, the announcement bar was clipping the text to a single 30px line
• Very wide screens displayed correctly (text fit on one line), and mobile displayed correctly (height: auto)
• The fix enables responsive text wrapping at mid-range widths where the message needs multiple lines

references

• Docusaurus AnnouncementBar default styles: website/node_modules/@docusaurus/theme-classic/src/theme/AnnouncementBar/styles.module.css

Summary by CodeRabbit

• Style
  • Improved announcement bar layout and text wrapping on desktop viewports (997px and above) for better content visibility and presentation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

docs: nest role_arn under assume_role @kyledecot (#1963)

## what

Fixes minor error w/ docs so that role_arn is properly nested under assume_role.

why

Docs incorrectly had role_arn at the top-level of s3 backend configuration.

references

https://developer.hashicorp.com/terraform/language/backend/s3

Summary by CodeRabbit

Release Notes

• Documentation
  • Updated Terraform S3 backend configuration examples to reflect the new nested assume_role structure for specifying IAM role access.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add source provisioning example @osterman (#1962)

## what

• Added examples/source-provisioning/ demonstrating the source provisioner feature for Just-in-Time component vendoring
• Includes separate dev and prod stacks using different module versions
• Demonstrates workdir isolation for terraform execution
• Simple, focused example showing one feature without catalog complexity

why

• Provides a working reference for users learning source provisioning
• Complements existing test fixtures and documentation with a clean runnable example
• Enables quick validation that source provisioning works end-to-end

references

• Source Provisioner PRD
• Provisioner System

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Added source provisioning example with comprehensive README documentation and configuration samples demonstrating just-in-time component vendoring across development and production environments.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

🚀 Enhancements

feat: Automatic toolchain integration for custom commands and workflows @osterman (#1958)

## what

New Feature: Automatic Toolchain Integration

• Custom commands and workflows now automatically load tools from .tool-versions file
• Workflow-specific dependencies can be declared in the workflow definition and override .tool-versions
• Command-specific dependencies can be declared in the command definition
• Tools are automatically installed and PATH is updated before execution
• Component-level tool dependencies - Terraform/Helmfile/Packer components can declare tool dependencies that are resolved and installed before execution

Bug Fixes (Toolchain Bootstrap)

• Fix atmos bootstrap failures for AWS CLI, jq, gum, and replicated by removing unconditional version prefix
• Follow Aqua's actual behavior where version_prefix defaults to empty string, not "v"
• Include ErrHTTP404 in 404 errors to enable version fallback mechanism
• Fix template expansion in files.src for tools like Helm that use {{.OS}}-{{.Arch}} paths
• Preserve all fields in resolveVersionOverrides for version-specific configs
• Add darwin_all pattern support for universal macOS binaries

Bug Fixes (Workflows)

• Fix workflow conditional stack processing - Workflows no longer require stacks configuration when --stack flag is not provided. Previously, running atmos workflow <name> would fail with "stack base path must be provided" even for simple shell workflows that don't use stacks. Now stacks are only validated when --stack is explicitly passed.

Bug Fixes (Batch Install UX)

• Prevent .tool-versions duplication - Add SkipToolVersionsUpdate option to prevent duplicate entries when both InstallSingleTool and updateToolVersionsFile are called
• Enable spinner during batch installs - Spinner now animates during downloads, not just after each tool completes
• Reduce batch install message noise - Add ShowInstallDetails option to show only simple "Installed X" messages in batch mode, while single-tool mode retains verbose output (path, size, registered)
• Add showProgressBar parameter - RunInstall now accepts showProgressBar to control spinner visibility for custom command installs

Bug Fixes (Error Handling)

• Guard against nil error in ErrorBuilder.WithCause - Prevent panic when b.err is nil by using cause directly as the stored error
• Preserve error hints through error chain propagation - Hints from cause errors are now properly preserved via GetAllHints()
• Add alias configuration hint - When tool not found in registry, suggest adding an alias in atmos.yaml
• Suppress PATH hint for dependency installs - Only show PATH export hint when running toolchain install directly

Documentation & Examples

• Add documentation for toolchain integration in custom commands and workflows
• Add examples/toolchain/ with working examples showing:
  • .tool-versions file with tool dependencies
  • Custom command with dependencies declaration
  • Workflow with dependencies declaration
  • Component-level tool dependencies - Mock component with opentofu: "^1.10.0" constraint
  • Inline registry with custom tool definitions (jq, yq)
  • SemVer constraint examples (^1.7.0, ~> 4.40.0)

Test Coverage

• Add DependencyProvider interface for testability
• Add 9 new tests for ensureToolchainDependencies() covering all code paths
• Add tests for extraction edge cases (gzip, tar.gz, MIME type dispatch)
• Add test for .tool-versions directory error path
• Add workflow conditional stack processing tests:
  • TestWorkflowWithoutStacksConfig - workflows succeed without stacks config
  • TestWorkflowWithStackFlagRequiresStacksConfig - workflows fail when --stack passed but stacks not configured
  • TestWorkflowWithStackFlagAndStacksConfigured - workflows succeed when both are present
• Coverage improvements: executor ~19% → 100%, extract functions to 100%

why

Toolchain Integration

Users managing infrastructure often need specific tool versions (terraform, kubectl, helm). The .tool-versions file is a standard way to declare these dependencies (used by asdf, mise). This PR enables Atmos to:

1. Read .tool-versions and automatically install required tools
2. Allow workflows to override versions for specific requirements
3. Update PATH so commands execute with the correct tool versions
4. Support component-level dependencies so different components can require different tool versions

Bootstrap Fixes

...

v1.204.0-rc.4

docs: refactor terraform usage page @osterman (#1952)

## what

• Refactored terraform usage.mdx from 871 to 149 lines into a focused overview page
• Added Multi-Component Operations sections to terraform-plan, terraform-apply, terraform-deploy, and terraform-destroy command pages
• Moved 300+ lines of multi-component examples and flag documentation to individual command pages
• Eliminated 765 lines of duplicate content across documentation

why

The terraform usage page served as both a landing page and comprehensive reference, resulting in massive duplication. Multi-component operations documentation now lives in individual command pages where it's directly relevant, improving maintainability and following the pattern used by other command groups like describe.

references

Issue: Terraform usage page was not refactored after subcommands were broken out into separate pages.

Summary by CodeRabbit

• Documentation
  • Added comprehensive multi-component operations documentation for terraform apply, deploy, and plan commands, covering filtering flags and deployment modes including affected components and query-based selection.
  • Reorganized terraform usage documentation with a new Command Modes section, streamlined examples, and improved navigation for single and multi-component workflows.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add data-driven roadmap slide deck with pagination @osterman (#1953)

## what

• Created a new data-driven slide deck at /slides/roadmap that visualizes the Atmos product roadmap
• Featured initiatives appear first, followed by other initiatives with progress bars
• Paginated milestone viewer with clickable dots and Shift+Left/Right keyboard navigation
• Styled milestones with status icons, badges for releases/docs, inline code formatting
• Progress bar visualization for initiative completion percentages

why

• Provides a modern, interactive way to present the Atmos roadmap to stakeholders and the community
• Data-driven from roadmapConfig ensures the slides stay in sync with product planning
• Paginated milestones allow initiatives to showcase multiple achievements without cluttering slides
• Keyboard navigation provides power-user experience alongside mouse interaction

references

• Roadmap data source: website/src/data/roadmap.js
• Slide deck system: website/src/components/SlideDeck/

Summary by CodeRabbit

• New Features

  • Added "Atmos Roadmap 2025-2026" interactive slide deck with paginated milestone lists, status badges, progress bars, links, and presenter notes.
  • Milestone pagination supports Shift+ArrowLeft/Right; holding Shift while paging no longer advances slides.

• Style

  • Extensive visual and responsive styling for slides: badges, icons, progress bars, pagination dots, typography, and layout refinements.

• Other

  • Updated roadmap theme title to "Reducing Tool Fatigue".

_{✏️ Tip: You can customize this high-level summary in your review settings.}

🚀 Enhancements

fix: Fix Aqua registry factory and add darwin_all pattern support @osterman (#1948)

## what

• Fix nil registry factory by injecting real Aqua registry factory
• Load configured registries from atmos.yaml in NewInstaller()
• Add Asset field to AquaPackage for github_release types
• Support platform-specific asset patterns (e.g., darwin_all)
• Add test for replicated darwin_all override pattern
• Move test fixtures to proper testdata directories
• Refactor FindTool to reduce complexity and improve logging

why

The installer subpackage refactoring broke registry lookups because defaultRegistryFactory.NewAquaRegistry() was returning nil. Additionally, NewInstaller() wasn't loading configured registries from atmos.yaml, preventing custom registry support. This fix properly injects a working registry factory and loads configuration during initialization.

references

Fixes toolchain registry factory issues from the installer subpackage refactoring work.

---

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Configurable toolchain registries with platform-specific overrides, OS/arch replacements, multi-file extraction and macOS .pkg handling
  • Enhanced CLI help and explicit telemetry notice across toolchain commands

• Documentation

  • Added Aqua package manager README and expanded CLI docs with AWS CLI install example and templating/override guidance

• Tests

  • Large expansion of fixtures, snapshots and unit/integration tests covering registries, install/info/download/extract flows, and overrides

• Style

  • Minor workflow comment update (non-functional)

_{✏️ Tip: You can customize this high-level summary in your review settings.}

fix(provenance): add regression tests and fix flag inheritance @osterman (#1949)

## what

• Add comprehensive regression tests for line-level provenance tracking
• Fix flag inheritance regression where custom commands could not define flags that already exist on parent commands
• Custom commands can now declare --stack, --verbose, or other existing flags when the type matches
• Type mismatches still produce clear error messages (e.g., defining --stack as bool when parent has it as string)

why

• Provenance output format needs regression tests to prevent accidental breakage of import chains, depth tracking, and source attribution
• PR #1947 introduced overly strict flag conflict checking that rejected valid use cases
• Custom commands legitimately need to use flags like --stack and --verbose that are defined elsewhere
• The fix allows flag inheritance when types match (skip re-registration) while still catching actual conflicts (type mismatch)

references

• Fixes flag regression introduced in #1947
• Adds test fixtures: tests/fixtures/scenarios/provenance-advanced/ and tests/fixtures/scenarios/flag-inheritance/
• Test cases: tests/test-cases/provenance-snapshots.yaml and tests/test-cases/flag-inheritance.yaml

Summary by CodeRabbit

• New Features

  • Custom commands now support flag inheritance with type-safety validation and conflict detection
  • Custom commands can define their own --version flags independent of the global version flag
  • Configuration provenance tracking now displays where each setting originates in the stack hierarchy
  • Enhanced atmos list components command shows unique components with stack counts

• Configuration

  • Updated list command configuration structure in atmos.yaml under new list.components, list.instances, and list.stacks paths

_{✏️ Tip: You can customize this high-level summary in your review settings.}

fix: Resolve file-scoped locals in stack configurations @aknysh (#1939)

## what

• Fixed file-scoped locals feature that was documented but not functional (GitHub issue #1933)
• Templates using {{ .locals.* }} now correctly resolve to their defined values
• Added proper integration of locals extraction into the stack processing pipeline
• Section-specific locals (terraform:, helmfile:, packer:) correctly override global locals
• Component-level locals with inheritance support via metadata.inherits
• Added atmos describe locals command to inspect and debug locals configurations
  • --stack flag is required - locals are file-scoped, so a specific stack must be specified
  • Component-level output: shows merged locals available to a specific component
  • Supports both logical stack names (e.g., prod-us-east-1) and file paths (e.g., deploy/prod)
  • Output follows Atmos schema format (direct stack manifest format, can be used as valid YAML)

Example Output

Stack Locals (by file path or logical name)

# Using file path
atmos describe locals --stack deploy/dev

# Using logical stack name (derived from atmos.yaml name_template)
atmos describe locals --stack dev-us-east-1

locals:
  environment: dev
  namespace: acme
  name_prefix: acme-dev
  full_name: acme-dev-us-east-1
  tags:
    Environment: dev
    Namespace: acme
terraform:
  locals:
    backend_bucket: acme-dev-tfstate
    tf_specific: terraform-only

The output is in direct stack manifest format - it can be redirected to a file and used as a valid stack manifest:

atmos describe locals -s dev --file locals.yaml

Component Locals

When a component is specified, the output shows the merged locals available to that component (global + section-specific + component-level + inherited from base components):

atmos describe locals vpc -s prod-us-east-1

components:
  terraform:
    vpc:
      locals:
        backend_bucket: acme-prod-tfstate
        environment: prod
        namespace: acme
        name_prefix: acme-prod
        vpc_type: production
        cidr_prefix: "10.0"

Query Specific Values

# Query the namespace from locals
atmos describe locals -s deploy/dev --query '.locals.namespace'
# Output: acme

# Output as JSON
atmos describe locals -s dev --format json

Component-Level Locals with Inheritance

Components can define their ow...

v1.204.0-rc.3

feat: stack name identity with zero-config filename fallback @osterman (#1934)

## what

• Enforce single stack name identity - each stack now has exactly ONE valid identifier
• Add filename-based identity - stacks work with just filenames when no naming config exists (zero-config for newcomers)
• Improve error messages - when using an invalid stack name, error now says "invalid stack" and provides hints suggesting the correct name and how to list available stacks
• Fix ProcessStacks to recognize the stack manifest name field when matching stacks
• Add JSON schema documentation for the name field
• Add PRD documenting the stack name identity rules
• Add CLI smoke tests with golden snapshots

why

Issue 1: Manifest name not recognized

When a stack manifest has name: "my-explicit-stack", users expect to use that name in commands:

atmos tf plan vpc -s my-explicit-stack

Previously this failed with "Could not find the component vpc in the stack".

Issue 2: Multiple names worked (incorrect)

After the initial fix, ALL of these worked for the same stack:

atmos tf plan vpc -s my-explicit-stack  # explicit name
atmos tf plan vpc -s prod-ue1           # generated from name_template
atmos tf plan vpc -s legacy-prod        # filename

This is incorrect - a stack should have exactly ONE valid identifier.

Issue 3: Misleading error message

When using an invalid stack name (e.g., filename when explicit name exists), the error said "invalid component" instead of "invalid stack":

**Error:** invalid component

Could not find the component vpc in the stack legacy-prod.

New: Zero-config for newcomers

When no name, name_template, or name_pattern is configured, stacks are now identified by their filename. This lets newcomers get started without any naming configuration:

# stacks/prod.yaml - no naming config needed
components:
  terraform:
    vpc:
      vars:
        cidr: "10.0.0.0/16"

# Just works!
atmos terraform plan vpc -s prod

Stack Name Identity Rule

Each stack has exactly ONE valid identifier based on precedence:

Priority	Source	When Valid
1	name field in manifest	If set, ONLY this name works
2	name_template result	If set (and no explicit name), ONLY this works
3	name_pattern result	If set (and no template/name), ONLY this works
4	Filename	Only if nothing else is configured

Evidence

atmos list stacks - shows canonical names

my-legacy-prod-stack
no-name-prod

Note: my-legacy-prod-stack is shown (explicit name), not legacy-prod (filename).

atmos describe component vpc -s no-name-prod - filename works when no naming config

{
  "atmos_component": "vpc",
  "atmos_stack": "no-name-prod",
  "atmos_stack_file": "no-name-prod",
  "stack": "no-name-prod",
  "workspace": "no-name-prod"
}

atmos describe component vpc -s my-legacy-prod-stack - explicit name works

{
  "atmos_component": "vpc",
  "atmos_stack": "my-legacy-prod-stack",
  "atmos_stack_file": "legacy-prod",
  "atmos_manifest": "legacy-prod",
  "stack": "my-legacy-prod-stack",
  "workspace": "my-legacy-prod-stack"
}

Note: atmos_stack is my-legacy-prod-stack (explicit name), while atmos_stack_file shows legacy-prod (the actual filename).

atmos describe component vpc -s legacy-prod - FAILS with helpful suggestions

# Error

**Error:** invalid stack

## Explanation

Stack legacy-prod not found.

## Hints

💡 Did you mean my-legacy-prod-stack?

💡 Run atmos list stacks to see all available stacks.

This is correct - legacy-prod.yaml has name: my-legacy-prod-stack, so only that identifier is valid. The error now correctly identifies this as an invalid stack (not component) and provides hints suggesting the correct name and how to list available stacks.

atmos terraform plan vpc -s legacy-prod - FAILS with helpful suggestions

# Error

**Error:** invalid stack

## Explanation

Stack legacy-prod not found.

## Hints

💡 Did you mean my-legacy-prod-stack?

💡 Run atmos list stacks to see all available stacks.

Changes

• errors/errors.go: Add ErrInvalidStack sentinel error
• internal/exec/utils.go: Enforce single-identity matching in findComponentInStacks; return helpful error with suggestion when filename is used for stack with explicit name; enable filename fallback in processStackContextPrefix
• internal/exec/stack_manifest_name_test.go: Add tests for identity enforcement, filename fallback, and improved error messages
• tests/test-cases/stack-manifest-name.yaml: Add CLI smoke tests with golden snapshots for stack name identity
• pkg/datafetcher/schema/atmos/manifest/1.0.json: Add schema documentation for name field
• docs/prd/stack-name-identity.md: PRD documenting the specification (status: Implemented)
• website/blog/2026-01-06-stack-name-identity.mdx: Blog post documenting the changes
• website/src/data/roadmap.js: Add "Filename-based stack identity" to DX roadmap

References

• Closes #1932

Summary by CodeRabbit

• New Features

  • Single canonical stack identity with precedence (name → name_template → name_pattern → filename), zero‑config filename naming, and clearer "Did you mean…?" suggestions for invalid stacks.

• Documentation

  • Added product requirements and a blog post explaining identity rules, examples, migration guidance, and UX notes.

• Tests

  • Expanded test suites and updated snapshots to validate naming precedence, listing/describe behavior, and suggestion messages.

• Chores

  • Roadmap updated and CLI telemetry notice added to outputs.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

chore: Upgrade Docusaurus from 3.6.3 to 3.9.2 @osterman (#1926)

## what

• Upgrades all Docusaurus packages to version 3.9.2 (latest stable)
• Updates package.json and pnpm-lock.yaml dependencies

why

The upgrade includes support for DocSearch v4 with AI-powered search features, improved i18n configuration options for multi-domain deployments, React 19 compatibility fixes, and new build APIs.

references

• Docusaurus 3.9 Release Notes

Summary by CodeRabbit

• New Features

  • Ask AI conversational search now integrated into documentation, powered by DocSearch v4 and ChatGPT for natural language queries and contextual answers.

• Documentation

  • Added Algolia search indexing setup guide and Ask AI feature announcement blog post.

• Chores

  • Updated documentation framework dependencies and roadmap entries.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add robots.txt for search engine indexing @osterman (#1943)

## what

• Adds robots.txt to website/static/ for search engine indexing
• Includes Algolia crawler verification token
• Explicitly allows all crawlers with User-agent: * and Allow: /
• References sitemap for efficient crawler discovery

why

• Improves search engine discoverability of the Atmos documentation
• Enables Algolia crawler verification for site search functionality
• Maximizes indexing potential by explicitly allowing all crawlers

references

• Algolia crawler verification: 10F61B92D9EB1214

Summary by CodeRabbit

• Chores
  • Added web crawler configuration to improve site indexing and point crawlers to the sitemap.
  • Updated deployment configuration to make the site base URL configurable via an environment variable, enabling PR-specific preview hosts during builds.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

🚀 Enhancements

fix(auth): normalize ATMOS_IDENTITY=false (issue #1931) @osterman (#1935)

## what

• Fix ATMOS_IDENTITY=false not being recognized in the legacy ProcessCommandLineArgs() code path
• Create shared NormalizeIdentityValue() function in pkg/config/identity.go to centralize normalization logic
• Add comprehensive tests for ATMOS_IDENTITY=false, 0, no, off in cli_utils_test.go
• Refactor three duplicate normalizeIdentityValue() functions to use shared implementation

why

PR #1900 fixed ATMOS_IDENTITY=false normalization for the flag parsing path (pkg/flags/global_registry.go), but missed a separate code path in internal/exec/cli_utils.go that reads ATMOS_IDENTITY directly via os.Getenv().

Two independent code paths exist:

1. Flag path (pkg/flags/global_registry.go): Used by Cobra commands with proper global flag inheritance - ✅ Fixed in PR #1900
2. Legacy path (internal/exec/cli_utils.go:ProcessCommandLineArgs()): Used by terraform commands - ❌ Not fixed until this PR

The legacy path was added in PR #1720 (Oct 2025) without normalization. When PR #1900 fixed the flag path (Dec 2025), this code path was missed, causing the regression reported in issue #1931.

Verified with user's reproduction case:

# From issue #1931's auth_bug.tar.gz
ATMOS_IDENTITY=false atmos terraform plan myapp -s dev
# Before: "Error: identity not found" (treats "false" as identity name)
# After: Ter...

v1.204.0-rc.2

🚀 Enhancements

fix: Resolve assume role issues and improve error handling @aknysh (#1938)

## what

• Fix panic when using !terraform.output with authentication enabled
• Fix silent/confusing errors when referenced component is missing in template functions
• Add comprehensive documentation for env template function behavior
• Document base_path behavior change as a breaking change in changelog

why

Issue #1921: Panic in !terraform.output with Authentication

When using !terraform.output with AWS SSO authentication, Atmos panicked with:

panic: authContextWrapper.GetChain should not be called

Root Cause: The authContextWrapper.GetChain() method was implemented as a panic stub, but the auth system evolution now calls this method during nested component resolution.

Fix: Changed GetChain() to return an empty slice instead of panicking. An empty chain means no inherited identity from the wrapper, so nested components use their own defaults.

Issue #1030: Missing Component Results in Silent Failure

When using template functions like atmos.Component() or !terraform.output to reference components that are removed from configuration, Atmos produced confusing errors or silent failures.

Root Cause: The ErrInvalidComponent error chain was preserved when wrapping errors from DescribeComponent. This caused the component type fallback logic (detectComponentType()) to incorrectly trigger, producing misleading "component not found as Helmfile/Packer" errors instead of clear "referenced component missing" errors.

Fix: Added WrapComponentDescribeError() helper in errors/error_funcs.go that breaks the ErrInvalidComponent chain using %v instead of %w formatting, ensuring errors about referenced components are returned immediately with clear messages.

Env Template Function Analysis (Not a Bug)

Investigated user report that env template function returns empty strings while .vars.* works correctly. Analysis confirmed this is expected behavior:

• The env function is from Sprig and calls os.Getenv()

• When an env var is NOT set, it returns empty string (standard Go behavior)

• .vars.* works because it comes from stack YAML config passed to template

• User needs to ensure env vars are set before running atmos commands

• Generated files (backend.tf.json) looking correct is from cached runs when vars WERE set

• Closes #1909

Document base_path Behavior Change

A recent Atmos CLI change (v1.202.0) altered how base_path is interpreted in atmos.yaml. Previously, base_path: "" was implicitly treated as the current directory. Now it triggers git root discovery.

Impact: Users with multiple Atmos projects in a single repo, or where the Atmos project root differs from the git root, must update their configuration:

# Before (no longer works as expected)
base_path: ""

# After (explicit current directory)
base_path: "."

Fix: Added breaking change blog post to the changelog documenting:

• The behavior change and affected versions
• Who is affected (multi-project repos, non-git-root configs)
• Migration steps with examples
• Path resolution semantics table

references

closes #1030
closes #1921

Testing

1. Unit tests: All new functionality covered with tests
2. Error chain verification: Tests use assert.NotErrorIs() to verify chain is broken
3. Regression test: TestAuthContextWrapper_GetChain_NoLongerPanics prevents future panics
4. Env function tests: Document expected behavior when env vars are/aren't set

Summary by CodeRabbit

• Bug Fixes

  • Prevented incorrect error propagation when describing missing components and eliminated panics during authenticated Terraform output handling, improving error stability and clarity.

• Tests

  • Added regression tests for component error wrapping, auth-chain behavior, and template env-var rendering (populated and unset scenarios).

• Documentation

  • Added a troubleshooting guide for Terraform output issues and a blog post explaining base_path behavior changes and migration guidance.

• Diagnostics

  • Added debug logging for YAML/template function errors.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

v1.204.0-rc.1

Add generate section inheritance and auto-generation support @osterman (#1878)

## what

• Add generate section to stack config inheritance pipeline with full support for base components, component-level overrides, and component overrides
• Implement atmos terraform generate files command with --all, --dry-run, and --clean flags for generating auxiliary configuration files
• Add auto_generate_files: true configuration option to automatically generate files during terraform operations
• Extension-aware serialization: .json, .yaml, .yml files serialize in their respective formats, .tf and .hcl files generate valid HCL
• Go template support: String values in generate sections are processed as Go templates with full access to component context
• Update all integration test snapshots to reflect new auto_generate_files configuration field

why

Teams often need to generate auxiliary configuration files alongside Terraform components—files like .tool-versions, terragrunt.hcl shims for gradual migration, or environment-specific locals. This feature brings file generation directly into Atmos's declarative configuration model, maintaining the principle that infrastructure configuration should be fully described in YAML and reproducible from stack manifests. The inheritance support ensures teams can define common generate patterns in base components while allowing component-specific customization.

references

• Implements declarative file generation PRD
• Feature branch: osterman/generate-section-prd

Summary by CodeRabbit

• New Features

  • Added declarative file generation for Terraform components via new generate sections in stack configurations.
  • New atmos terraform generate files command to automatically create auxiliary configuration files.
  • Support for extension-aware serialization (JSON, YAML, HCL, Terraform).
  • Go template processing for dynamic content in generated files.
  • Dry-run mode to preview generated files without writing.
  • Multi-level configuration inheritance for generated files.
  • Auto-generation toggle via auto_generate_files configuration.

• Documentation

  • Added comprehensive guides for declarative file generation and CLI usage.

• Tests

  • Added extensive test coverage for file generation and cleanup workflows.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat(auth): add PRD for native Okta authentication identity @RoseSecurity (#1924)

## what

[!NOTE]
This is my first PRD, so any feedback is appreciated!

Add PRD for native Okta authentication as a first-class identity provider in Atmos. Unlike the existing SAML-based integration, this introduces dedicated okta/* providers enabling:

• OAuth 2.0 Device Authorization Grant for CLI authentication
• Direct Okta API access with automatic token refresh
• AWS/Azure/GCP federation via OIDC (AssumeRoleWithWebIdentity)
• XDG-compliant credential storage (~/.config/atmos/okta/)

why

• Provides implementation reference following established auth patterns (AWS, Azure PRDs)
• Addresses user requests for native Okta support without browser-based SAML

Test plan

• PRD follows universal file isolation pattern
• Code samples reviewed for Atmos conventions
• Implementation checklist is complete and actionable

references

• #1884

Summary by CodeRabbit

• Documentation
  • Added a comprehensive Okta PRD defining goals, use cases (AWS OIDC federation, API access, multi-cloud), technical specification, token/file isolation and storage guidance, phased implementation roadmap, testing and security considerations, example policies, and an implementation checklist.
• Chores
  • Added a roadmap milestone for Native Okta Authentication (Device Code Flow).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Implement unified import adapter registry @osterman (#1897)

## what

• Added extensible ImportAdapter interface for pluggable import sources
• Implemented ImportAdapterRegistry with lazy initialization and thread-safe registration
• Created GoGetterAdapter handling http, https, git, s3, oci, and other remote schemes
• Created LocalAdapter as default fallback for filesystem paths
• Created MockAdapter for testing with mock:// scheme
• Unified import handling via registry pattern instead of if/else chains
• Removed obsolete functions (isRemoteImport, processRemoteImport, processLocalImport, downloadRemoteConfig)
• Added comprehensive adapter tests with 90%+ coverage

why

• Extensible design: New import sources (terragrunt://, etc) can be added without modifying core logic
• Clear separation of concerns: Each adapter handles its own scheme
• Testability: Mock adapter enables unit testing without external dependencies
• Thread-safe: Lazy initialization with sync.Once prevents import cycles and race conditions
• Reduced complexity: Unified registry replaces scattered conditional logic
• Better error handling: Adapters can implement their own error strategies

references

• Implements design from docs/prd/import-adapter-registry.md
• Resolves circular dependency issues with lazy adapter initialization
• Provides foundation for future adapters (terragrunt, etc)

Summary by CodeRabbit

• New Features

  • Unified, extensible import adapter system enabling custom schemes, adapter-first routing, and improved handling of nested imports.

• Tests

  • Expanded adapter-focused tests covering routing, error handling, nested imports, mock scenarios, and registry behavior.

• Documentation

  • Added a detailed PRD for the Import Adapter Registry with architecture, examples, and phased rollout.

• Chores

  • Bumped Atmos version in build/config and added a roadmap milestone for the adapter registry.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

v1.204.0-rc.0

feat: Add multiple terraform output formats for CI integration @osterman (#1885)

## Summary - Moved all terraform output execution logic from `internal/exec/` to new `pkg/terraform/output/` package - Implemented dependency injection pattern using `ComponentDescriber` interface to eliminate circular dependency - Created backward-compatible wrappers to maintain API compatibility - Added 39 comprehensive unit tests with 89 total passing tests

What Changed

• Architecture: Package-based dependency injection removes circular dependency
• Logic: No behavioral changes, same functionality with improved organization
• Testing: Comprehensive unit test coverage with mocks for testability
• Performance: Identical behavior, slight code organization improvements

Verification

• ✅ make build passes
• ✅ make lint passes (0 issues)
• ✅ All 89 tests pass
• ✅ No circular dependencies

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • terraform output: new --format (json,yaml,hcl,env,dotenv,bash,csv,tsv), --output-file, --uppercase and --flatten; supports single-output or all-outputs and write-to-file.
  • Automatic generation of Terraform backend and provider override files; improved workspace handling and a TTY-aware spinner for CLI feedback.

• Tests

  • Extensive unit and integration tests covering formatting, executor, backend, environment and workspace behaviors.

• Documentation

  • CLI docs and blog post for output formatting and examples.
  • Added “Concurrent Sessions (MANDATORY)” guidance.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add native Terraform provider caching with XDG support @osterman (#1882)

## what

Atmos now automatically caches Terraform providers across all components using the TF_PLUGIN_CACHE_DIR environment variable with XDG-compliant default paths (~/.cache/atmos/terraform/plugins). This feature is enabled by default with zero configuration required, dramatically reducing terraform init times and network bandwidth.

why

In large Atmos projects with many components, each terraform init downloads the same providers repeatedly. For the AWS provider alone, this can mean downloading 300+ MB per component. With provider caching, Atmos downloads each provider version once and reuses it across all components - achieving 10-50x faster init times in testing.

references

This implements automatic provider caching with validation for invalid TF_PLUGIN_CACHE_DIR values (empty string or root path) and respects user overrides via environment variables or atmos.yaml configuration.

Summary by CodeRabbit

• New Features

  • Zero‑config Terraform provider caching enabled by default with optional custom cache directory and new terraform clean --cache flag (supports --force, dry‑run, interactive and non‑TTY flows). Exposes ATMOS_COMPONENTS_TERRAFORM_PLUGIN_CACHE and ATMOS_COMPONENTS_TERRAFORM_PLUGIN_CACHE_DIR plus TF_PLUGIN_CACHE_DIR behavior.

• Documentation

  • Added blog and CLI docs with examples, flags, and env var references.

• Tests

  • Extensive unit and end‑to‑end tests for configuration, cache path resolution, init/reuse, and cleaning.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Create pkg/runner with unified task execution @osterman (#1901)

## what

• Introduced pkg/runner package with unified Task type and CommandRunner interface
• Tasks support flexible YAML parsing for both simple strings and structured syntax with timeout, retry, and identity config
• Timeout enforcement via context.WithTimeout
• Proper shell argument parsing using mvdan.cc/sh for quote handling
• Updated custom commands to use the new Tasks type, enabling backward compatibility while supporting new syntax

why

Provides a shared execution layer for both custom commands and workflows, enabling code reuse and consistent task execution patterns across Atmos. Fixes DEV-3005.

references

Closes #DEV-3005

Summary by CodeRabbit

• New Features

  • Unified task runner with structured per-step entries (timeout, retry, working_directory, stack) and support for shell and atmos task types.

• Breaking Change

  • Command step format changed from simple string lists to structured Tasks — update custom command definitions accordingly.

• Tests

  • Expanded tests and new mocks/helpers covering runner behavior, YAML decoding, task parsing, timeouts, overrides, and sequential execution.

• Chores

  • Config decoding updated to handle the new task formats.

• Documentation

  • Blog post documenting the unified task runner and Task formats.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

🚀 Enhancements

fix: Terraform state path for disabled workspaces @aknysh (#1929)

## what

• Fixed !terraform.state YAML function to use correct state file paths when Terraform workspaces are disabled (workspaces_enabled: false)
• For S3 backend: state is now correctly read from <key> instead of <workspace_key_prefix>/default/<key>
• For Local backend: state is now correctly read from terraform.tfstate instead of terraform.tfstate.d/default/terraform.tfstate
• Added comprehensive unit tests for both S3 and local backend default workspace handling
• Added integration tests with a new test fixture for workspaces-disabled scenario

why

• When workspaces_enabled: false is set in atmos.yaml, Atmos sets the workspace to "default" but Terraform stores state at different paths for the default workspace vs named workspaces:
  • S3 backend: Default workspace stores state at <key>, not <workspace_key_prefix>/default/<key>
  • Local backend: Default workspace stores state at terraform.tfstate, not terraform.tfstate.d/default/terraform.tfstate
• The !terraform.state YAML function was looking in the wrong locations, causing it to fail to find state files when workspaces are disabled
• This aligns with Terraform's documented behavior for backend state storage

references

• closes #1920

Summary by CodeRabbit

• Bug Fixes

  • Fixed Terraform state lookup so default/disabled workspaces read state from the root terraform.tfstate location across backends (local, S3, Azure).

• Tests

  • Added unit and end-to-end tests covering state reads and path resolution for default, empty, and named workspaces.

• Documentation

  • Added fixtures and a blog post explaining behavior and upgrade notes when workspaces are disabled.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

v1.203.0

fix: Correct Azure auth provider configuration in docs @osterman (#1928)

what

• Correct Azure authentication provider YAML configuration structure in tutorial documentation
• Move tenant_id, subscription_id, location, and other provider-specific fields under a spec block for all Azure providers (device-code, oidc, service-principal)
• Update 8 Azure provider configuration examples throughout the tutorial

why

Azure authentication providers require configuration to be nested under a spec block according to the schema and provider implementation. The documentation was showing an incorrect structure that would fail when users attempted to use it. This fix aligns the documentation with the actual implementation.

references

User report: Azure authentication tutorial showed incorrect YAML configuration structure with provider-specific fields at the top level instead of nested under spec

Summary by CodeRabbit

• Documentation
  • Updated Azure authentication configuration examples to reflect a restructured format where authentication provider parameters (tenant_id, subscription_id, location, etc.) are now organized under a nested spec object across all Azure authentication methods.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Add version metadata to shipped roadmap milestones @osterman (#1927)

what

Added an optional version field to all 93 shipped milestones in the roadmap, indicating which release each feature was shipped in. Versions are sourced from blog post release: fields and git history research using git tags.

why

Version metadata enables better tracking of feature releases, supports release notes generation, and provides users with a clear version reference for each shipped feature on the roadmap.

references

• Versions derived from blog post frontmatter (release: field)
• Git history research using git describe --tags for features without blog post references
• Version range: v1.100.0 (Changelog introduction) to v1.203.0 (RC features)

Summary by CodeRabbit

• Chores
  • Roadmap milestones now include optional version identifiers so items map directly to releases across multiple quarters.
• New Features
  • Roadmap UI displays a release link when a milestone has a version, enabling quick access to the corresponding release.
• Style
  • Added a compact version badge/visual treatment in roadmap drawers for clearer discoverability.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add ECR authentication @Benbentwo (#1859)

what

Implements ECR authentication integration for Atmos, allowing automatic Docker login to AWS ECR registries using Atmos-managed identities.

New auth.integrations Section

Integrations specify which identity they use via via.identity, and can auto-trigger on identity login via spec.auto_provision:

auth:
  identities:
    dev-admin:
      kind: aws/permission-set
      via:
        provider: company-sso
      principal:
        name: AdministratorAccess
        account: dev

  # Integrations reference identities - not the other way around
  integrations:
    dev/ecr/primary:
      kind: aws/ecr
      via:
        identity: dev-admin           # Which identity provides AWS creds
      spec:
        auto_provision: true          # Auto-trigger on identity login
        registry:
          account_id: "123456789012"
          region: us-east-2

    dev/ecr/secondary:
      kind: aws/ecr
      via:
        identity: dev-admin
      spec:
        auto_provision: true
        registry:
          account_id: "987654321098"
          region: us-west-2

Design: One Registry Per Integration

Each integration defines a single registry rather than a list. This approach:

1. Better Deep Merging: Works with Atmos stack inheritance and merging
2. Clearer Naming: Integration name reflects its purpose (e.g., dev/ecr/main)
3. Consistent Pattern: Matches how identities and providers are defined
4. Easier Override: Individual registries can be overridden in stack configs

New atmos auth ecr-login Command

# Using a named integration
atmos auth ecr-login dev/ecr/primary

# Using an identity (triggers all integrations referencing that identity)
atmos auth ecr-login --identity dev-admin

# Explicit registries (ad-hoc)
atmos auth ecr-login --registry 123456789012.dkr.ecr.us-east-1.amazonaws.com

Auto-Provision on Identity Login

When you login with an identity, all integrations with auto_provision: true that reference that identity are triggered:

$ atmos auth login dev-admin
✓ Authenticated as arn:aws:sts::123456789012:assumed-role/DevRole/user
✓ ECR login: 123456789012.dkr.ecr.us-east-2.amazonaws.com (expires in 12h)
✓ ECR login: 987654321098.dkr.ecr.us-west-2.amazonaws.com (expires in 12h)

Implementation

Component	File	Description
Schema	pkg/schema/schema_auth.go	Integration, IntegrationVia, IntegrationSpec, ECRRegistry structs
Integration System	pkg/auth/integrations/	Type system, registry pattern, factory functions
ECR Integration	pkg/auth/integrations/aws/ecr.go	aws/ecr kind implementation
ECR Token Fetcher	pkg/auth/cloud/aws/ecr.go	AWS SDK GetAuthorizationToken wrapper
Docker Config	pkg/auth/cloud/docker/config.go	XDG-based config manager with file locking
Manager	pkg/auth/manager.go	findIntegrationsForIdentity(), triggerIntegrations(), ExecuteIntegration()
CLI Command	cmd/auth_ecr_login.go	Standalone ECR login command
Errors	errors/errors.go	Sentinel errors for ECR/integration failures

why

• Eliminates manual ECR authentication - No more aws ecr get-login-password | docker login incantations
• Configuration as code - ECR registries defined in atmos.yaml alongside identities
• Automatic login - Integrations with auto_provision: true trigger on identity login
• Multi-registry support - Multiple integrations can reference the same identity
• Isolated credentials - Docker config at ~/.config/atmos/docker/config.json (XDG)
• Non-blocking failures - Integration errors during atmos auth login don't block authentication
• Deep merge friendly - Single registry per integration works with stack inheritance

Design Decisions

Why integrations not identities?

ECR login and EKS kubeconfig are client-only credential materializations, not identities:

Concept	IAM User	ECR Login	EKS kubeconfig
Stored identity object	✅	❌	❌
Policy attachment	✅	❌	❌
Server-side lifecycle	✅	❌	❌
Client-only materialization	❌	✅	✅

Integrations use an identity to derive credentials for specific services.

Why integrations reference identities (not vice versa)?

Integrations specify their required identity via via.identity instead of identities listing their integrations. This:

1. Keeps identities focused on "who you are"
2. Allows multiple integrations to reference the same identity
3. Enables stack-level integration overrides without touching identity config
4. Follows the same pattern as via.provider on identities

references

• PRD: docs/prd/ecr-authentication.md
• Blog post: website/blog/2025-12-15-ecr-authentication-integration.mdx
• Future: EKS integration (aws/eks kind) follows same pattern

Summary by CodeRabbit

• New Features

  • atmos auth ecr-login: explicit registry, named-integration, and identity-driven modes; automatic, non-blocking AWS ECR Docker login with multi‑registry support and managed Docker config.

• Integrations

  • New integration framework and registry for auth plugins (ECR, EKS); per-identity auto-triggering with explicit retry/standalone command; schema and manifest support for integrations/identities.

• Documentation

  • PRD, tutorial, CLI docs, and blog post with examples, CI/CD guidance, rollout and security notes.

• Tests

  • Extensive unit tests covering ECR, Docker config manager, integrations and CLI behavior.

• Chores

  • Dependency and license/version updates; roadmap milestone marked shipped.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Improve slide deck mobile responsiveness and speaker notes customization @osterman (#1925)

what

Mobile Responsiveness

• Auto-enters fullscreen mode on mobile and tablet devices
• Fullscreen respects current light/dark theme instead of forcing dark mode
• Content scales responsively on mobile using viewport units (vw) and clamp()
• Maintains 2-column split layouts on mobile with proportionally scaled content
• Adds responsive breakpoints for tablet (996px) and mobile (768px)
• Fixes navbar overlap by increasing z-index to 99999

Speaker Notes Customization

• Position toggle: Move notes panel to right (default) or bottom (Google Slides style)
• Display mode toggle: Overlay on slides (default) or shrink slides t...