v1.206.0-rc.1

feat: version-aware JIT source provisioning with TTL-based cleanup @osterman (#2010)

## what

• Implement version-aware JIT source provisioning that automatically re-provisions workdirs when remote source version or URI changes
• Add incremental local sync using per-file checksum comparison (SyncDir) instead of full directory copy
• Support TTL-based cleanup for stale workdirs with --expired, --ttl, and --dry-run flags
• Move workdir metadata from .workdir-metadata.json to .atmos/metadata.json for better organization
• Track source_uri, source_version, and last_accessed timestamps in metadata

Additional Fixes

• Closes #2019 - Fix JIT provisioning gaps in generate commands
  • terraform generate varfile / terraform generate backend - now support JIT-sourced components
  • helmfile generate varfile - now supports JIT-sourced components
  • packer output - now supports JIT-sourced components

why

• Previously, changing a component's source version required manually cleaning the workdir before changes took effect
• Full directory copy was inefficient for local development with frequent small changes
• No mechanism existed to automatically clean up stale workdirs that accumulate over time
• Enhanced metadata enables intelligent provisioning decisions and better observability
• Generate commands failed with JIT-sourced components because they lacked source provisioning (#2019)

references

• New pkg/duration package extracted for reusable duration parsing
• Updated workdir list and workdir show commands display version and access information
• Blog post: website/blog/2025-01-22-version-aware-jit-provisioning.mdx

Summary by CodeRabbit

• New Features
  • JIT source provisioning now takes precedence over local components across all terraform commands when source and workdir are enabled.
  • Automatic component refresh when version or source URI changes.
  • TTL-based cleanup for stale workdirs using --ttl flag (e.g., --ttl=7d).
  • Enhanced workdir information displays source type, version, and last accessed timestamp.
  • Incremental file synchronization—only changed files sync to workdirs.

🚀 Enhancements

fix: Terraform shell command not working from Atmos interactive UI @aknysh (#2055)

## what

• Fix terraform shell command when invoked from the Atmos interactive UI (TUI)
• Route terraform shell directly to ExecuteTerraformShell() from the UI dispatcher, bypassing ExecuteTerraform()
• Add AuthManager propagation to terraform shell for YAML functions like !terraform.state
• Add --identity flag support to terraform shell command
• Extract testable helpers (shellInfoFromOptions, resolveWorkdirPath, shellOptionsForUI) from inline logic
• Add auth orchestration functions (createAndAuthenticateAuthManager, getMergedAuthConfig, storeAutoDetectedIdentity) to utils_auth.go

why

• The Atmos interactive UI dispatches commands through ExecuteTerraform(), which had no handler for the shell subcommand. Since terraform shell is an Atmos-only command (not a native Terraform subcommand), it fell through and attempted to execute terraform shell as a native command, which doesn't exist, resulting in: Terraform has no command named "shell"
• AuthManager was not being passed to ProcessStacks in the shell command, causing !terraform.state and !terraform.output YAML functions to fail with authentication errors
• The --identity flag was missing from terraform shell, preventing users from specifying which AWS identity to use for authentication

references

• Closes #2017

Summary by CodeRabbit

• New Features

  • Added --identity flag (alias -i) to the terraform shell command to specify AWS identity.

• Improvements

  • Shell execution now surfaces identity in dry-run output, uses improved workdir resolution, and routes the UI path through the interactive shell flow.
  • Enhanced authentication handling with merged global/component auth and auto-detected identity fallback.

• Documentation

  • CLI docs updated with --identity flag and examples.

• Tests

  • Extensive unit tests for auth merging, identity handling, shell options mapping, and workdir logic.

v1.206.0-rc.0

• No changes

v1.205.1

fix: add JIT vendoring support to generate varfile and generate backend @aknysh (#2054)

what

• Add JIT (Just-In-Time) vendoring support to atmos terraform generate varfile and atmos terraform generate backend commands
• Fix writeBackendConfigFile() to use constructTerraformComponentWorkingDir() instead of hardcoded path construction, so backend files are written to the correct directory for JIT-vendored components
• Add ensureTerraformComponentExists() helper that resolves the component path, checks existence, and triggers JIT provisioning via AutoProvisionSource when a source is configured
• Replace hardcoded "terraform" strings with cfg.TerraformComponentType constant
• Add comprehensive unit tests for all new helper functions, writeBackendConfigFile workdir support, and path construction with JIT vendored components

why

• generate varfile and generate backend bypassed JIT provisioning because they called ProcessStacks() directly without triggering the provisioning hooks that download component sources
• writeBackendConfigFile hardcoded the component path (BasePath/Components.Terraform.BasePath/prefix/component) instead of using constructTerraformComponentWorkingDir(), which checks for WorkdirPathKey set by JIT provisioning
• This meant both commands failed for any component that relied on source vendoring, as the component directory didn't exist yet and the backend file was written to the wrong path

references

• Closes #2019

Summary by CodeRabbit

• New Features

  • Just-in-time provisioning for Terraform components when missing (5-minute timeout).
  • Terraform component type made configurable for generation commands.

• Bug Fixes

  • Improved working-directory and varfile path resolution, including vendored/JIT component scenarios.
  • Stronger component-existence validation with clearer, contextual errors.

• Tests

  • Extensive new unit/integration tests for varfile/backend generation, JIT provisioning, permission/error cases, and deprecated command behavior.

• Deprecations

  • Legacy generate commands now signal deprecation with explicit errors.

fix: Resolve Atmos Pro template regression with {{ .atmos_component }} in non-.tmpl files @aknysh (#2053)

what

• Fix regression introduced in Atmos 1.205 where {{ .atmos_component }} and {{ .atmos_stack }} templates in non-.tmpl files fail during import with: map has no entry for key "atmos_component"
• Add processTemplatesInSection() helper to resolve {{ .locals.X }} in individual sections (settings, vars, env) without triggering full-file template processing
• Skip .terraform directories in describe-affected test copies to avoid dangling symlink failures
• Add --verify=false to helm plugin install in Dockerfile for Helm 4 compatibility

why

Atmos Pro template regression (Issue #2032)

The locals feature (PR #1994) inadvertently triggered template processing for imported non-.tmpl files. extractAndAddLocalsToContext() populated the template context with settings/vars/env from the file, making len(context) > 0, which triggered the template processing guard. Templates like {{ .atmos_component }} then failed because component context isn't available at import time.

Fix: Track whether context was originally provided externally (originalContextProvided) vs extracted from the file itself. When template processing fails and only file-extracted context is available, gracefully fall back to raw content — preserving templates like {{ .atmos_component }} for later resolution in ProcessStacks when the full component context is available.

Additionally, extractAndAddLocalsToContext() now processes templates in individual sections (settings → vars → env) using a pipeline with resolved locals context. This enables bidirectional references between locals and settings while avoiding premature processing of component-scoped templates.

Dangling .terraform symlinks in describe-affected tests

TestDescribeAffectedWith* tests failed locally due to a dangling symlink in examples/secrets-masking/.terraform/providers/ left by a previous test run. Added .terraform to the copy skip filter alongside the existing node_modules skip.

Helm plugin install in Dockerfile

Helm 4 requires --verify=false because helm-diff does not ship .prov signature files.

references

• Closes #2032

Summary by CodeRabbit

• Bug Fixes

  • Preserve component- and stack-level templates during import and defer evaluation until full context is available to prevent premature resolution and regressions.
  • Persist resolved section values so downstream describe/merge flows see processed results.

• New Features

  • Enhanced template resolution to support cross-references between locals, settings, vars, and env.

• New Tests

  • Large suite of tests covering template processing, cross-references, external-context behavior, and a regression case.

• Chores

  • Adjusted Helm plugin install for Helm 4 compatibility and expanded file exclusion patterns during config processing.

Fix: Vendoring excluded_paths not matching simple filenames @Benbentwo (#2049)

what

• Fixed pattern matching bug where excluded_paths in component.yaml and vendor.yaml weren't matching simple filename patterns like "providers.tf"
• Fixed logic error where combined excluded_paths + included_paths wasn't working correctly
• Added comprehensive unit tests and YAML-based integration tests for the fix

why

• Users could not use simple filename patterns in excluded_paths without the **/ glob prefix
• When both excluded_paths and included_paths were specified, the include filter was never applied
• Patterns were matched against absolute temp paths instead of relative paths, causing simple patterns to always fail

references

• Fixes vendoring with simple filename exclusions like excluded_paths: ["providers.tf"]
• Enables proper filtering when both exclude and include patterns are specified together

Summary by CodeRabbit

• Bug Fixes

  • Improved vendor file exclusion/inclusion logic to apply patterns correctly and consistently.
  • Fixed path matching to work with relative paths, enabling simpler exclusion/inclusion patterns without directory prefixes.
  • Added early exclusion checks for clearer and more efficient filtering behavior.

• Tests

  • Added comprehensive test suite for vendor exclude/include scenarios covering various pattern combinations.

feat: register terraform compound subcommands in Cobra command tree @aknysh (#2044)

what

• Register terraform compound subcommands (state, providers, workspace) as proper Cobra child commands
• Register per-subcommand compat flags for all 15 compound terraform subcommands
• Add dedicated documentation pages for all compound subcommands with detailed "Native Terraform Flags" sections
• Update screengrabs for all CLI commands
• Fix quoted compound terraform subcommands like "providers lock"
• Add compound subcommand argument parsing (parseCompoundSubcommand, processTerraformCompoundSubcommand)
• Add website documentation updates (templates defaults, stores, hooks)

why

Terraform compound subcommands registered in Cobra command tree (#2018)

Previously, compound terraform subcommands (state list, providers lock, workspace select, etc.) were handled entirely by argument parsing in processArgsAndFlags. This had several limitations:

• Tab completion didn't work for subcommands
• Help text didn't show subcommands with [command] suffix
• Quoted forms like "providers lock" weren't supported

Fix (Part 1 — argument parsing): Added modular helper functions (parseCompoundSubcommand, parseQuotedCompoundSubcommand, parseSeparateCompoundSubcommand, processTerraformCompoundSubcommand) with configurable subcommand lists for workspace, state, providers, and write commands. Supports both quoted ("providers lock") and separate (providers lock) forms.

Fix (Part 2 — Cobra command tree registration): Registered compound subcommands as proper Cobra child commands:

• cmd/terraform/state.go — list, mv, pull, push, replace-provider, rm, show as children of stateCmd
• cmd/terraform/providers.go — lock, mirror, schema as children of providersCmd
• cmd/terraform/workspace.go — list, select, new, delete, show as children of workspaceCmd
• cmd/terraform/utils.go — newTerraformPassthroughSubcommand() helper creates Cobra child commands that delegate to the parent command's execution flow

The legacy compound subcommand parsing in processArgsAndFlags is retained as a fallback for the interactive UI path (which bypasses Cobra) and backward compatibility.

Files: internal/exec/cli_utils.go, internal/exec/cli_utils_test.go, cmd/terraform/utils.go, cmd/terraform/state.go, cmd/terraform/providers.go, cmd/terraform/workspace.go, cmd/terraform/subcommands_test.go

Per-subcommand compat flags for compound terraform subcommands

Added per-subcommand compat flag defi...

v1.205.1-rc.2

docs: clarify dependencies section is for tool dependencies only @osterman (#2045)

## what

• Removed misleading component dependency examples that showed unsupported syntax
• Clarified that the dependencies section currently supports tool version requirements only
• Added admonition directing users to settings.depends_on for component execution order
• Updated frontmatter, intro, and use cases to reflect tool-only focus
• Added reference link to settings.depends_on documentation

why

The documentation previously conflated two separate concepts: tool dependencies (currently implemented via /dependencies/tools) and component dependencies (only available via settings.depends_on). The examples showing component dependency syntax were misleading since they're not yet supported in the /dependencies section. This change prevents user confusion and guides them to the correct feature.

references

This fixes documentation confusion around component dependencies vs tool dependencies. The plan is to consolidate these features in a future release, so this admonition acknowledges that intent.

Summary by CodeRabbit

• Documentation
  • Clarified dependencies documentation to emphasize tool version requirements as the primary focus
  • Expanded tool dependency configuration guidance, including configuration scopes, version formats, and inheritance behavior
  • Added information directing users to settings for managing component execution order
  • Updated related documentation references to include component dependencies guidance

_{✏️ Tip: You can customize this high-level summary in your review settings.}

🚀 Enhancements

Fix: Vendoring excluded_paths not matching simple filenames @Benbentwo (#2049)

## what

• Fixed pattern matching bug where excluded_paths in component.yaml and vendor.yaml weren't matching simple filename patterns like "providers.tf"
• Fixed logic error where combined excluded_paths + included_paths wasn't working correctly
• Added comprehensive unit tests and YAML-based integration tests for the fix

why

• Users could not use simple filename patterns in excluded_paths without the **/ glob prefix
• When both excluded_paths and included_paths were specified, the include filter was never applied
• Patterns were matched against absolute temp paths instead of relative paths, causing simple patterns to always fail

references

• Fixes vendoring with simple filename exclusions like excluded_paths: ["providers.tf"]
• Enables proper filtering when both exclude and include patterns are specified together

Summary by CodeRabbit

• Bug Fixes

  • Improved vendor file exclusion/inclusion logic to apply patterns correctly and consistently.
  • Fixed path matching to work with relative paths, enabling simpler exclusion/inclusion patterns without directory prefixes.
  • Added early exclusion checks for clearer and more efficient filtering behavior.

• Tests

  • Added comprehensive test suite for vendor exclude/include scenarios covering various pattern combinations.

v1.205.1-rc.1

refactor: move toolchain from root to pkg/toolchain @osterman (#2041)

## what

• Move toolchain package from repository root to pkg/toolchain to align with project architecture guidelines
• Update 90 import statements across 145 files to reference github.com/cloudposse/atmos/pkg/toolchain
• Regenerate mocks with updated import paths
• Update documentation references in PRD files

why

The toolchain package was incorrectly placed at the repository root in PR #1686. Project architecture guidelines (CLAUDE.md) specify that all business logic packages belong in pkg/. Moving toolchain to pkg/toolchain ensures consistency with other business logic packages like config, stack, component, store, git, and auth.

references

Aligns with project architecture guidelines in CLAUDE.md: All business logic belongs in pkg/ packages, not at the repository root.

Summary by CodeRabbit

• Chores
  • Internal package reorganization for improved code structure and maintainability. No user-facing functionality changes or behavioral impact.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

🚀 Enhancements

feat: register terraform compound subcommands in Cobra command tree @aknysh (#2044)

## what

• Register terraform compound subcommands (state, providers, workspace) as proper Cobra child commands
• Register per-subcommand compat flags for all 15 compound terraform subcommands
• Add dedicated documentation pages for all compound subcommands with detailed "Native Terraform Flags" sections
• Update screengrabs for all CLI commands
• Fix quoted compound terraform subcommands like "providers lock"
• Add compound subcommand argument parsing (parseCompoundSubcommand, processTerraformCompoundSubcommand)
• Add website documentation updates (templates defaults, stores, hooks)

why

Terraform compound subcommands registered in Cobra command tree (#2018)

Previously, compound terraform subcommands (state list, providers lock, workspace select, etc.) were handled entirely by argument parsing in processArgsAndFlags. This had several limitations:

• Tab completion didn't work for subcommands
• Help text didn't show subcommands with [command] suffix
• Quoted forms like "providers lock" weren't supported

Fix (Part 1 — argument parsing): Added modular helper functions (parseCompoundSubcommand, parseQuotedCompoundSubcommand, parseSeparateCompoundSubcommand, processTerraformCompoundSubcommand) with configurable subcommand lists for workspace, state, providers, and write commands. Supports both quoted ("providers lock") and separate (providers lock) forms.

Fix (Part 2 — Cobra command tree registration): Registered compound subcommands as proper Cobra child commands:

• cmd/terraform/state.go — list, mv, pull, push, replace-provider, rm, show as children of stateCmd
• cmd/terraform/providers.go — lock, mirror, schema as children of providersCmd
• cmd/terraform/workspace.go — list, select, new, delete, show as children of workspaceCmd
• cmd/terraform/utils.go — newTerraformPassthroughSubcommand() helper creates Cobra child commands that delegate to the parent command's execution flow

The legacy compound subcommand parsing in processArgsAndFlags is retained as a fallback for the interactive UI path (which bypasses Cobra) and backward compatibility.

Files: internal/exec/cli_utils.go, internal/exec/cli_utils_test.go, cmd/terraform/utils.go, cmd/terraform/state.go, cmd/terraform/providers.go, cmd/terraform/workspace.go, cmd/terraform/subcommands_test.go

Per-subcommand compat flags for compound terraform subcommands

Added per-subcommand compat flag definitions for all 15 compound terraform subcommands, registered them with the command registry, and documented them in the website docs.

Compat flags registered per subcommand:

Subcommand	Native Terraform Flags
state list	-state, -id
state mv	-lock, -lock-timeout, -ignore-remote-version
state pull	(none)
state push	-force, -lock, -lock-timeout, -ignore-remote-version
state replace-provider	-auto-approve, -lock, -lock-timeout, -ignore-remote-version
state rm	-lock, -lock-timeout, -ignore-remote-version
state show	-state
providers lock	-platform, -fs-mirror, -net-mirror, -enable-plugin-cache
providers mirror	-platform
providers schema	-json
workspace list	(none)
workspace select	-or-create
workspace new	-lock, -lock-timeout, -state
workspace delete	-force, -lock, -lock-timeout
workspace show	(none)

Note: Terraform's -dry-run on state mv/state rm is intentionally excluded to avoid conflict with Atmos's --dry-run flag.

Files: cmd/terraform/compat_flags.go, cmd/terraform/state.go, cmd/terraform/providers.go, cmd/terraform/workspace.go, cmd/terraform/subcommands_test.go

Website documentation for compound subcommands

Added dedicated documentation pages for 15 terraform compound subcommands across 3 command families, each with detailed "Native Terraform Flags" sections documenting all supported terraform flags per subcommand:

• providers/ — lock, mirror, schema
• state/ — list, mv, pull, push, replace-provider, rm, show
• workspace/ — list, select, new, delete, show

Each page follows the existing documentation pattern with frontmatter, Intro component, Screengrab, Usage, Examples, Arguments, Flags, Native Terraform Flags, and See Also sections.

Updated screengrabs

Regenerated all CLI command screengrabs to reflect current help text including the new compound subcommand [command] suffixes.

references

• Closes #2018

v1.205.1-rc.0

docs: auth realm isolation PRD @Benbentwo (#2033)

## what

• Added comprehensive PRD for credential namespace isolation feature
• Addresses credential collision issue when same identity names are used across different repositories
• Documents hybrid namespace approach with environment variable, config file, and automatic path hash precedence

why

When engineers work with multiple customer repositories that use identical identity names (e.g., core-root/terraform), AWS credentials collide and cause cross-contamination. This PRD outlines the design for isolating credentials using repository-specific namespaces, preventing accidental use of the wrong customer's credentials.

references

• DEV-3960: Fix caching issue with super user identities between customers

Summary by CodeRabbit

• Documentation
  • Added three PRDs defining credential realm isolation: realm concept, selection precedence (env/config/automatic), naming/validation and sanitization rules.
  • Documented new per-realm credential storage layout and provider-specific Azure path and environment wiring.
  • Added migration guidance (breaking path change, no automatic migration), user-facing messaging, security considerations, testing guidance, and success metrics.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

🚀 Enhancements

Fix Artifactory store and improve store documentation @osterman (#2038)

## what

• Fixed Artifactory store integration by adding Flat=true parameter to JFrog SDK downloads and proper directory path handling
• Corrected store documentation to match actual implementation: fixed field names, store type names, and removed unsupported backends
• Added comprehensive integration tests for Artifactory store with mock HTTP server
• Added blog post announcing the fix

why

Customer reported retrieval issues with Artifactory store. Investigation revealed two problems:

1. Store code was missing JFrog SDK configuration needed for proper file downloads
2. Documentation contained errors that did not match the actual implementation (unsupported backends, incorrect field names)

The Artifactory GetKey method lacked the same configuration that the Get method had, causing downloads to fail. Documentation had outdated examples with unsupported stores (Vault, AWS Secrets Manager) and wrong field names (backend/config instead of type/options).

Customer-reported issue

Customer logs showed the exact problem this PR fixes:

[Info] Downloading "atmos_store/dev/myapp/private_ip" to "/tmp/atmos-artifactory.../dev/myapp/private_ip"
...
Error: failed to read file: open /tmp/atmos-artifactory.../private_ip: no such file or directory

Root cause: Without Flat=true, the JFrog SDK preserves the directory structure when downloading:

• SDK downloads to: /tmp/atmos-artifactory.../dev/myapp/private_ip (nested path)
• Code expects: /tmp/atmos-artifactory.../private_ip (flat path)

The fix: Adding downloadParams.Flat = true tells the SDK to download files directly to the temp directory with just the base filename, matching what the code expects.

The Get method already had this configuration (which is why !store with stack/component/key worked), but GetKey was missing it.

references

• All Artifactory store integration tests now pass
• Documentation is consistent with actual supported backends: aws-ssm-parameter-store, azure-key-vault, google-secret-manager, redis, artifactory
• Mock server properly validates JFrog SDK integration patterns including AQL search, checksum validation, and file path handling

Summary by CodeRabbit

• Bug Fixes

  • Fixed Artifactory retrieval to correctly handle nested paths and ensure consistent download behavior for Get/GetKey.

• Documentation

  • Updated Artifactory store guidance, repository recommendations, store backend identifiers, tutorials, examples, and added a blog post describing the fix and configuration guidance.

• Tests

  • Added comprehensive Artifactory integration tests and a deterministic Artifactory mock server for testing.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

fix: Config isolation for --chdir flag @osterman (#1941)

## what

When using --chdir to change to a directory with its own atmos.yaml, Atmos now correctly uses ONLY that local config. Parent directory and git root searches are now properly treated as fallbacks and are skipped when local config exists.

• Fixed config loading to respect local config isolation when using --chdir
• Updated PRD to clarify parent/git-root searches are fallbacks
• Added comprehensive unit and CLI tests for config isolation behavior
• Updated test framework to properly handle --chdir flag in tests

why

Previously, atmos --chdir path/to/project describe config would unexpectedly include configuration from parent directories and the git root, causing wrong component paths and stack settings to be used in monorepo environments and test scenarios.

This fix ensures --chdir behaves as expected: as if you had run the command directly from that directory, searching parent directories and git root only as fallbacks when no local config exists.

references

Related to the PRD on config discovery behavior (docs/prd/git-root-discovery-default-behavior.md).

Summary by CodeRabbit

• Bug Fixes

  • Local Atmos configs now take precedence, preventing parent/git-root configs from being merged when a local config exists (improves --chdir isolation).

• Documentation

  • New blog post explaining config-loading order with --chdir, examples, and how to explicitly import parent configs.

• Tests

  • Added/expanded tests, fixtures, and snapshots to validate chdir config isolation and expected CLI output (including telemetry notice).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

v1.205.0

Fix documentation URL redirects and link checker configuration @osterman (#2021)

what

• Fixed 9 documentation files with redirecting URLs to canonical forms
• Updated outdated external documentation links (Docker CLI, freedesktop XDG spec, AWS IAM, GitHub branches)
• Updated GitHub PR references from /issues/ to /pull/ for #1447 and #1489
• Added link checker exceptions for expected redirect behaviors (GitHub/CDN/auth redirects)

why

• Link checker fails on redirect chains; updating to canonical URLs resolves checker failures
• Ensures documentation references remain valid as external sites reorganize their docs
• GitHub branch master → main migration in upstream terraform-aws-components
• Properly configures link checker to allow intentional redirects (auth flows, API aliases, CDN paths)

references

• Related to fixing broken documentation links identified by automated link checking

Summary by CodeRabbit

• Documentation

  • Normalized URLs and markdown link formatting across README and docs for consistency and accuracy.
  • Updated several reference links in product requirement docs and added a "Related PRDs" subsection where applicable.

• Chores

  • Expanded link-checker exclusions to ignore additional redirect patterns and external service URLs to reduce false positives.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: export AWS_REGION from atmos auth env when configured @osterman (#1955)

what

• Export AWS_REGION and AWS_DEFAULT_REGION from the Environment() method of all AWS identities
• Region is only exported when explicitly configured, not default fallback values
• Enables external tools (aws cli, direct terraform, etc.) to access region after sourcing atmos auth env

why

When using atmos auth env to export credentials for external tools (aws cli, direct terraform runs), users also need access to the configured region. This completes the credential export for external tool usage.

Note: For atmos commands (atmos terraform plan, etc.), region is automatically injected - no sourcing required.

references

Related to auth environment variable configuration. Blog post and PRD documentation included.

Summary by CodeRabbit

Release Notes

• New Features

  • AWS_REGION and AWS_DEFAULT_REGION environment variables now exported from atmos auth env when region is configured in identity settings
  • Azure Portal console access support added

• Documentation

  • Updated profile structure to directory-based format
  • Enhanced authentication configuration documentation for multiple identity types
  • Clarified provider and identity configuration options

• CLI Changes

  • profile-list command output simplified; removed TYPE column

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Implement custom secrets masking patterns and fix output routing @osterman (#1972)

what

• Added registerCustomMaskPatterns() to load user-defined patterns and literals from atmos.yaml config
• Updated masker to support custom replacement strings from config settings
• Fixed all output paths to route through io layer for automatic secret masking
• Created examples/secrets-masking/ directory demonstrating the feature with test configs and components

why

Secrets matching user-defined patterns are now automatically masked across all CLI output (terraform, logs, auth commands, docs, help text, etc.), preventing accidental exposure while maintaining the ability to customize masking behavior per environment.

references

Implements custom pattern/literal loading for the secrets masking feature that was already configured in the schema but not being loaded or applied.

Summary by CodeRabbit

• New Features

  • Global secrets masking: configurable enable/disable, custom regex patterns, literal values, and configurable replacement text; applied across CLI, logs, docs and tooling.
  • Added an Example Creator agent to generate self-contained demo examples and mocks.

• Documentation

  • Expanded secrets-masking docs, new agent guide, embedded examples, updated examples list, and a blog post announcing custom masking.

• Tests

  • New/updated test cases and snapshots to reflect masking behavior.

• Chores

  • Visible telemetry notice with opt-out instructions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

fix: Skip CODEOWNERS validation when file not modified @osterman (#2016)

what

• Added tj-actions/changed-files step to detect if .github/CODEOWNERS was modified in the PR
• Only run CODEOWNERS validation checks when the file actually changed or on manual workflow_dispatch triggers
• Prevents unnecessary validation overhead for PRs that don't touch the CODEOWNERS file

why

• The CODEOWNERS validation should only run when the file is actually modified
• This reduces CI overhead and prevents friction for unrelated PRs
• Always allow manual validation via workflow_dispatch for verification purposes

references

• Uses tj-actions/changed-files@v45 - a widely-used, well-maintained action for detecting changed files

feat: Atmos bugfixes and enhancements from vhs-demo-videos branch @osterman (#1954)

what

• Add atmos list aliases subcommand for viewing CLI command aliases
• Add query normalization and simplified syntax for atmos list components
• Support installing multiple tools in a single atmos toolchain install command
• Add markdown rendering extensions (admonitions, badges, highlights, linkify, muted)
• Fix inline code spacing in markdown rendering
• Add terraform output format improvements
• Update roadmap component with demo links support
• Various documentation updates across CLI commands

why

• These improvements enhance the CLI user experience with better list filtering and multi-tool installation
• The markdown extensions enable richer terminal output formatting
• Documentation updates ensure consistency across command reference pages
• These changes were developed alongside the vhs-demo-videos feature but are independent core improvements

references

• Extracted from osterman/vhs-demo-videos branch (excluding demo infrastructure: tools/director/, pkg/ffmpeg/, pkg/vhs/, demos/)

Summary by CodeRabbit

• New Features

  • Added atmos list aliases to show built-in + configured aliases.
  • atmos toolchain install accepts multiple tools in one command.
  • List commands can page output when enabled; Terraform output gains a table format.
  • Rich Markdown rendering: admonitions, badges, highlights, muted text.
  • Demo video embeds added across CLI docs.

• Improvements

  • List/vendor tables show Tags; stacks expose extracted vars for templates.
  • Better terminal color/profile and optional force-color handling.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Auto-scroll sidebar to active item on navigation @osterman (#2009)

what

• Added SidebarScrollHandler component to automatically scroll the sidebar to show the active menu item
• Component triggers on route changes and waits for sidebar DOM updates before scrolling
• Uses smooth animation to center the active link in the sidebar viewport

why

When navigating to design patterns or other sections that share sidebars with references, Docusaurus's autoCollapseCategories feature expands/collapses categories. Previously, the active item would end up off-screen. This fix ensures the active menu item is always visible and centered in the sidebar.

references

Fixes the sidebar navigation issue where design pattern pages weren't scrolled into focus when the sidebar changed.

Summary by CodeRabbit

• New Features
  • The sidebar now automatically scrolls to highlight the active navigation link when navigating between pages, improving visibility of your current location in the documentation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add interactive file generation for terraform, helmfile, and packer @osterman (#1971)

Summary

Adds comprehensive support for atmos terraform generate files with auto-generation enabled during component execution for all provisioners (terraform, helmfile, packer).

What Changed

Core Features

• Auto-generate files BEFORE path validation when auto_generate_files is enabled, allowing components to be JIT (Just-In-Time) created from stack configuration
• Interactive prompting for component and stack selection (like terraform backend command)
• Idempotent file generation - compares existing content before writing to avoid unnecessary update...

v1.204.1-rc.6

Fix documentation URL redirects and link checker configuration @osterman (#2021)

## what

• Fixed 9 documentation files with redirecting URLs to canonical forms
• Updated outdated external documentation links (Docker CLI, freedesktop XDG spec, AWS IAM, GitHub branches)
• Updated GitHub PR references from /issues/ to /pull/ for #1447 and #1489
• Added link checker exceptions for expected redirect behaviors (GitHub/CDN/auth redirects)

why

• Link checker fails on redirect chains; updating to canonical URLs resolves checker failures
• Ensures documentation references remain valid as external sites reorganize their docs
• GitHub branch master → main migration in upstream terraform-aws-components
• Properly configures link checker to allow intentional redirects (auth flows, API aliases, CDN paths)

references

• Related to fixing broken documentation links identified by automated link checking

Summary by CodeRabbit

• Documentation

  • Normalized URLs and markdown link formatting across README and docs for consistency and accuracy.
  • Updated several reference links in product requirement docs and added a "Related PRDs" subsection where applicable.

• Chores

  • Expanded link-checker exclusions to ignore additional redirect patterns and external service URLs to reduce false positives.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: export AWS_REGION from atmos auth env when configured @osterman (#1955)

## what

• Export AWS_REGION and AWS_DEFAULT_REGION from the Environment() method of all AWS identities
• Region is only exported when explicitly configured, not default fallback values
• Enables external tools (aws cli, direct terraform, etc.) to access region after sourcing atmos auth env

why

When using atmos auth env to export credentials for external tools (aws cli, direct terraform runs), users also need access to the configured region. This completes the credential export for external tool usage.

Note: For atmos commands (atmos terraform plan, etc.), region is automatically injected - no sourcing required.

references

Related to auth environment variable configuration. Blog post and PRD documentation included.

Summary by CodeRabbit

Release Notes

• New Features

  • AWS_REGION and AWS_DEFAULT_REGION environment variables now exported from atmos auth env when region is configured in identity settings
  • Azure Portal console access support added

• Documentation

  • Updated profile structure to directory-based format
  • Enhanced authentication configuration documentation for multiple identity types
  • Clarified provider and identity configuration options

• CLI Changes

  • profile-list command output simplified; removed TYPE column

_{✏️ Tip: You can customize this high-level summary in your review settings.}

🚀 Enhancements

fix: toolchain error handling, binary naming, and platform detection @aknysh (#2027)

## what

• Glamour warning suppression: Suppress confusing "Warning: unhandled element" messages from glamour markdown renderer by redirecting stdout during rendering with thread-safe mutex protection
• Improved HTTP 404 error messages: User-friendly error messages with platform-specific hints and context instead of nested "HTTP request failed: HTTP request failed:" pattern
• Binary naming fix for 3-segment packages: kubectl correctly named kubectl instead of kubernetes (extracts binary name from last segment of Aqua package name like kubernetes/kubernetes/kubectl) via resolveBinaryName helper
• Pre-flight platform compatibility check: Check supported_envs from Aqua registry before attempting download, providing immediate feedback instead of waiting for HTTP 404
• Arch-only platform matching: Handle Aqua registry supported_envs entries like amd64 which mean "any OS with this architecture" (fixes helm/helm on Windows which uses ["darwin", "linux", "amd64"])
• Platform-specific hints: WSL hints for Windows users, Rosetta 2 hints for macOS arm64 users, Docker suggestions for Linux-only tools on macOS, QEMU hints for Linux arm64 users
• Non-existent tool error handling: Clear "tool not in registry" error when attempting to install tools that don't exist in any configured registry (e.g., replicatedhq/replicated which exists on GitHub but is not in Aqua registry)

why

• Users were confused by glamour warnings that appeared in terminal output during error rendering
• HTTP 404 errors for unsupported platforms were unhelpful and didn't explain why the download failed
• kubectl binary naming issue broke scripts expecting the kubectl binary name
• Users wasted time waiting for downloads to fail when the tool didn't support their platform
• helm/helm failed on Windows because amd64 in supported_envs was treated as an OS name instead of architecture
• Platform-specific workarounds (WSL, Rosetta, Docker) weren't suggested to users
• The distinction between "tool not found" and "platform not supported" wasn't clear

references

• Related to Windows toolchain fixes discovered during cross-platform testing
• Uses Aqua registry supported_envs field for platform detection
• Test fixture: tests/fixtures/scenarios/toolchain-aqua-tools/
• Documentation: docs/fixes/toolchain-error-handling-and-binary-naming.md

Files Changed

Category	Files
Error handling	errors/errors.go, toolchain/installer/download.go
Platform detection	toolchain/installer/platform.go, toolchain/installer/platform_test.go
Registry	toolchain/registry/registry.go, toolchain/registry/aqua/aqua.go
Glamour fix	pkg/ui/markdown/custom_renderer.go
Tests	tests/toolchain_aqua_tools_test.go, toolchain/installer/download_test.go
Test fixture	tests/fixtures/scenarios/toolchain-aqua-tools/

Platform Matching Logic

The isPlatformMatch function handles three Aqua registry supported_envs formats:

Format	Example	Matches
OS only	darwin	Any architecture on that OS
OS/arch	darwin/amd64	Exact OS and architecture
Arch only	amd64	Any OS with that architecture

This correctly handles entries like helm's ["darwin", "linux", "amd64"] where amd64 means "Windows amd64 is supported".

Test Coverage

Test	Platform	Description
TestToolchainAquaTools_KubectlBinaryNaming	All	Verifies kubectl installed as kubectl NOT kubernetes
TestToolchainAquaTools_InstallAllTools	All	Installs cross-platform tools; kots on Linux/macOS only
TestToolchainAquaTools_WindowsKotsPlatformError	Windows	Verifies platform error with WSL hint
TestToolchainAquaTools_NonExistentToolError	All	Verifies "not in registry" error
TestIsPlatformMatch	All	Tests OS-only, OS/arch, and arch-only matching
TestIsKnownArch	All	Tests recognition of Go architecture names
TestBuildPlatformNotSupportedError	All	Tests error building with hints
TestFormatPlatformError	All	Tests user-friendly error formatting

Summary by CodeRabbit

• New Features

  • Pre‑flight platform checks with actionable hints (WSL, Rosetta, Docker, qemu)
  • Improved binary-name resolution for multi‑segment package identifiers

• Bug Fixes

  • Enriched HTTP 404/download errors with OS/arch context and platform guidance
  • Windows: automatic .exe handling for raw binary URLs
  • Suppressed noisy renderer warnings during output

• Tests

  • Expanded unit/integration fixtures covering naming, platform matching, and error scenarios

• Documentation

  • Added guidance for toolchain error handling and binary naming

_{✏️ Tip: You can customize this high-level summary in your review settings.}

docs: update describe stacks --component-types @kyledecot (#2020)

## what

Updates the help menu for atmos describe stacks ... to denote that the --component-types flag supports packer.

why

Looks like this wasn't updated after Packer support was added.

references

N/A

Summary by CodeRabbit

Documentation

• Updated the component-types flag help text to include "packer" as an additional supported component type.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

v1.204.1-rc.5

Implement custom secrets masking patterns and fix output routing @osterman (#1972)

## what

• Added registerCustomMaskPatterns() to load user-defined patterns and literals from atmos.yaml config
• Updated masker to support custom replacement strings from config settings
• Fixed all output paths to route through io layer for automatic secret masking
• Created examples/secrets-masking/ directory demonstrating the feature with test configs and components

why

Secrets matching user-defined patterns are now automatically masked across all CLI output (terraform, logs, auth commands, docs, help text, etc.), preventing accidental exposure while maintaining the ability to customize masking behavior per environment.

references

Implements custom pattern/literal loading for the secrets masking feature that was already configured in the schema but not being loaded or applied.

Summary by CodeRabbit

• New Features

  • Global secrets masking: configurable enable/disable, custom regex patterns, literal values, and configurable replacement text; applied across CLI, logs, docs and tooling.
  • Added an Example Creator agent to generate self-contained demo examples and mocks.

• Documentation

  • Expanded secrets-masking docs, new agent guide, embedded examples, updated examples list, and a blog post announcing custom masking.

• Tests

  • New/updated test cases and snapshots to reflect masking behavior.

• Chores

  • Visible telemetry notice with opt-out instructions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

fix: Skip CODEOWNERS validation when file not modified @osterman (#2016)

## what

• Added tj-actions/changed-files step to detect if .github/CODEOWNERS was modified in the PR
• Only run CODEOWNERS validation checks when the file actually changed or on manual workflow_dispatch triggers
• Prevents unnecessary validation overhead for PRs that don't touch the CODEOWNERS file

why

• The CODEOWNERS validation should only run when the file is actually modified
• This reduces CI overhead and prevents friction for unrelated PRs
• Always allow manual validation via workflow_dispatch for verification purposes

references

• Uses tj-actions/changed-files@v45 - a widely-used, well-maintained action for detecting changed files

🚀 Enhancements

fix: Audit and fix broken links in README @osterman (#2013)

## what

• Fixed 15 broken /core-concepts/* links in README that returned 404 errors
• Added 5 missing redirects to docusaurus.config.js for backward compatibility
• Uncommented workflows redirect with corrected target URL
• Created GitHub Action workflow (.github/workflows/link-check.yml) to automatically check .md files for broken links using lychee

why

GitHub reported 404 errors for several README links pointing to moved documentation pages. Adding redirects provides backward compatibility for external references, and the new link checker prevents future broken link regressions.

references

Related to: https://github.com/cloudposse/atmos/issues (README broken links audit)

Summary by CodeRabbit

• New Features

  • Added automated link validation (CI workflow + local target) to catch broken Markdown links.

• Documentation

  • Reorganized and updated many documentation links to new site structure for consistency.
  • Corrected external references to third-party docs and adjusted cross‑references across guides and examples.
  • Minor content alignments and added a Use Case bullet about service catalogs/landing zones.

• Chores

  • Added link-check configuration and a Makefile target to run the checker locally.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

fix: Use toolchain.GetInstallPath() for PATH construction @osterman (#2015)

## what

• Ensures PATH points to where tools are actually installed (XDG path by default) instead of hardcoded .tools directory
• Fixes issue where custom commands and workflows would use system-installed tools instead of toolchain-managed versions
• Adds test to reproduce and validate the PATH mismatch bug

why

Tools are installed via toolchain.GetInstallPath() (defaults to ~/.local/share/atmos/toolchain), but BuildToolchainPATH() and NewInstaller() were using a hardcoded .tools default. This caused PATH to point to the wrong directory, making system-installed tools (like brew-installed helm) take precedence over the Atmos-managed versions.

references

Resolves issue where users had to work around the bug using atmos toolchain exec helm/helm -- instead of calling helm directly in custom commands.

Summary by CodeRabbit

• Bug Fixes

  • Enhanced tool binary path resolution to consistently use the centralized toolchain installation path instead of hard-coded defaults, while maintaining backward compatibility with custom paths when configured

• Tests

  • Added test coverage to verify PATH construction correctly includes the actual toolchain installation path for tool binaries

_{✏️ Tip: You can customize this high-level summary in your review settings.}

fix: Windows toolchain installation issues @aknysh (#2012)

## what

• Fix Windows toolchain installation failures where binaries were installed without .exe extension
• Fix GitHub release download URLs to include .exe for raw binaries on Windows (following Aqua behavior)
• Fix archive extraction for tools like helm that have .exe binaries inside archives
• Fix hint message to show PowerShell Invoke-Expression syntax instead of Unix eval on Windows
• Improve .atmos.d directory detection to differentiate permission errors from not-found errors
• Extend archive extension detection to include .tar.xz, .tar.bz2, .7z, and other formats
• Add integration tests for Windows toolchain functionality
• Update CLI documentation with PowerShell examples

why

Users reported multiple issues when using atmos toolchain install on Windows:

1. Binary without .exe extension - Installing tools like terraform resulted in binaries without .exe extension, causing terraform --version to hang indefinitely
2. Download URL missing .exe - Tools like jq that have standalone Windows binaries (e.g., jq-windows-amd64.exe) failed to download because the URL was constructed without .exe
3. Archive extraction failures - Tools like helm that ship as archives (.tar.gz, .zip) failed because the extractor looked for windows-amd64/helm instead of windows-amd64/helm.exe
4. Wrong shell hint - The hint message showed Unix eval $(...) syntax instead of PowerShell Invoke-Expression syntax

Architecture

Centralized Windows Extension Handling

Following Aqua's Windows support approach, Windows executables need the .exe extension to be found by os/exec.LookPath. We use a single centralized function:

// EnsureWindowsExeExtension appends .exe to the binary name on Windows if not present.
func EnsureWindowsExeExtension(binaryName string) string {
    if runtime.GOOS == "windows" && \!strings.HasSuffix(strings.ToLower(binaryName), ".exe") {
        return binaryName + ".exe"
    }
    return binaryName
}

Download URL Handling by Tool Type

Tool Type	Download URL .exe Handling
github_release	Automatic: Adds .exe on Windows for raw binaries (assets without archive extensions like .tar.gz, .zip)
http	Manual: The asset template must include .exe in the URL if needed

This matches Aqua's behavior where .exe is added to the download URL upfront during URL construction, not as a fallback after a 404 error.

Archive Extension Detection

Extended to recognize additional formats to avoid incorrectly appending .exe to archive URLs:

var archiveExtensions = []string{
    ".tar.gz", ".tgz", ".zip", ".gz",
    ".tar.xz", ".txz", ".tar.bz2", ".tbz", ".tbz2",
    ".bz2", ".xz", ".7z", ".tar", ".pkg",
}

Archive Extraction

When extracting from archives, the .exe fallback only runs on Windows (not on Unix) to avoid masking wrong-asset errors.

Fixes Applied

File	Fix
toolchain/installer/installer.go	Added EnsureWindowsExeExtension() centralized function
toolchain/installer/asset.go	Adds .exe to GitHub release URLs for raw binaries on Windows; extended archive detection
toolchain/installer/extract.go	Uses centralized function; .exe fallback only on Windows
toolchain/install_helpers.go	Platform-aware hint message for PowerShell
pkg/config/load.go	Differentiate stat errors from not-found for .atmos.d directories

Test Results (Windows)

All integration tests pass on Windows:

--- PASS: TestToolchainCustomCommands_InstallAllTools (14.04s)
--- PASS: TestToolchainCustomCommands_ToolsExecutable (12.33s)
--- PASS: TestToolchainCustomCommands_PathEnvOutput (10.09s)
--- PASS: TestToolchainCustomCommands_WindowsExeExtension (8.91s)
--- PASS: TestToolchainCustomCommands_CustomCommandsLoaded (8.31s)
--- PASS: TestToolchainCustomCommands_ExecuteWithDependencies (14.50s)
PASS

references

• Full documentation: `docs/fixes/windows-atmos-d-and-toolchain-issu...

v1.204.1-rc.4

feat: Atmos bugfixes and enhancements from vhs-demo-videos branch @osterman (#1954)

## what

• Add atmos list aliases subcommand for viewing CLI command aliases
• Add query normalization and simplified syntax for atmos list components
• Support installing multiple tools in a single atmos toolchain install command
• Add markdown rendering extensions (admonitions, badges, highlights, linkify, muted)
• Fix inline code spacing in markdown rendering
• Add terraform output format improvements
• Update roadmap component with demo links support
• Various documentation updates across CLI commands

why

• These improvements enhance the CLI user experience with better list filtering and multi-tool installation
• The markdown extensions enable richer terminal output formatting
• Documentation updates ensure consistency across command reference pages
• These changes were developed alongside the vhs-demo-videos feature but are independent core improvements

references

• Extracted from osterman/vhs-demo-videos branch (excluding demo infrastructure: tools/director/, pkg/ffmpeg/, pkg/vhs/, demos/)

Summary by CodeRabbit

• New Features

  • Added atmos list aliases to show built-in + configured aliases.
  • atmos toolchain install accepts multiple tools in one command.
  • List commands can page output when enabled; Terraform output gains a table format.
  • Rich Markdown rendering: admonitions, badges, highlights, muted text.
  • Demo video embeds added across CLI docs.

• Improvements

  • List/vendor tables show Tags; stacks expose extracted vars for templates.
  • Better terminal color/profile and optional force-color handling.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Auto-scroll sidebar to active item on navigation @osterman (#2009)

## what

• Added SidebarScrollHandler component to automatically scroll the sidebar to show the active menu item
• Component triggers on route changes and waits for sidebar DOM updates before scrolling
• Uses smooth animation to center the active link in the sidebar viewport

why

When navigating to design patterns or other sections that share sidebars with references, Docusaurus's autoCollapseCategories feature expands/collapses categories. Previously, the active item would end up off-screen. This fix ensures the active menu item is always visible and centered in the sidebar.

references

Fixes the sidebar navigation issue where design pattern pages weren't scrolled into focus when the sidebar changed.

Summary by CodeRabbit

• New Features
  • The sidebar now automatically scrolls to highlight the active navigation link when navigating between pages, improving visibility of your current location in the documentation.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Add interactive file generation for terraform, helmfile, and packer @osterman (#1971)

## Summary

Adds comprehensive support for atmos terraform generate files with auto-generation enabled during component execution for all provisioners (terraform, helmfile, packer).

What Changed

Core Features

• Auto-generate files BEFORE path validation when auto_generate_files is enabled, allowing components to be JIT (Just-In-Time) created from stack configuration
• Interactive prompting for component and stack selection (like terraform backend command)
• Idempotent file generation - compares existing content before writing to avoid unnecessary updates
• Deterministic output - uses sorted map keys to ensure reproducible file generation across runs
• Enhanced UI - shows individual files changed plus a summary line with counts

Files Modified

• pkg/terraform/generate/file_generator.go - Core idempotent generation logic with sorted keys and summary output
• pkg/terraform/generate/generate.go - Directory creation before file generation
• cmd/terraform/generate/files.go - Interactive prompting for component/stack selection
• internal/exec/terraform.go - Auto-generation during terraform execution
• internal/exec/helmfile.go - Auto-generation during helmfile execution
• internal/exec/packer.go - Auto-generation during packer execution
• pkg/schema/schema.go - Config support for helmfile and packer auto-generation
• examples/generate-files/ - Complete working example with terraform configurations

Test Plan

1. Test interactive prompting without arguments:

   atmos -C examples/generate-files terraform generate files
   # Should prompt for component, then stack

2. Test with component argument only:

   atmos -C examples/generate-files terraform generate files demo
   # Should prompt for stack only

3. Test with all arguments (no prompting):

   atmos -C examples/generate-files terraform generate files demo -s dev
   # Should generate without prompting

4. Test idempotency (run twice):

   atmos -C examples/generate-files terraform generate files demo -s dev
   atmos -C examples/generate-files terraform generate files demo -s dev
   # Second run should show "unchanged" files

5. Test auto-generation during terraform plan:

   cd examples/generate-files
   atmos terraform plan demo -s dev
   # Should auto-generate files before validation

6. Test helmfile and packer:

   atmos -C examples/generate-files helmfile diff demo -s dev
   atmos -C examples/generate-files packer build demo -s dev
   # Both should auto-generate files if needed

7. Run test suite:

   make testacc

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Interactive prompts (with shell completion) to select component and stack when generating files; JIT auto-generation for Terraform, Helmfile, and Packer before validation; deterministic HCL/.tfvars output and per-file create/update/skip summaries.

• Documentation

  • New blog post, CLI docs, working example, and embedded demos for file-generation workflows.

• Tests

  • Broadly expanded tests covering generation, .tfvars, labeled blocks, formatting, templates, and edge cases.

• Chores

  • Added example project, README, and ignore/config files for the generate-files demo.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

docs: Remove non-existent CLI flags from profiles blog post @osterman (#2004)

## what

Removed non-existent CLI flags (--sentry-enabled, --terminal-width, --markdown-style) from the blog post examples. Fixed incorrect config keys (width → max_width). Now accurately shows the real problem: scattered environment variables across CI/CD systems.

why

The examples were showing CLI flags that don't exist in Atmos, which could mislead users. These settings are configuration-only via atmos.yaml or profiles, not CLI flags. The corrected examples now focus on the actual pain point that Profiles solve.

references

Follows investigation of hallucinated flags in documentation examples.

Summary by CodeRabbit

• Documentation
  • Updated blog post to reflect environment variable-based configuration approach instead of CLI flags.
  • Expanded content on profile benefits including version control and composability.
  • Updated configuration examples and terminology throughout.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

feat: Enhance source list commands with optional filters @osterman (#1996)

## what

• Made --stack flag optional for atmos terraform source list and atmos list sources commands
• Added optional [component] positional argument to filter by component name or folder
• Added dynamic Folder column that appears only when component folder differs from instance name
• Added Type column to atmos list sources for multi-type visibility

why

• Improves UX by allowing users to list sources across all stacks without specifying --stack
• Follows Atmos naming conventions with optional positional arguments for filtering
• Better visibility when dealing with derived components using metadata.component

references

Implements enhancements outlined in the source provisioner PRD for comprehensive source listing capabilities.

Summary by CodeRabbit

• New Features

  • Added unified atmos list sources to list component sources across Terraform, Helmfile, and Packer with optional component/stack filtering and multiple output formats.

• Documentation

  • Expanded docs and examples for the new command and per-type variants; added blog post and roadmap entry.

• Improvements

  • Dynamic output columns and improved user-facing messages; enhanced error context extraction and inline markdown formatting.

• Tests

  • Comprehensive tests added for listing, extraction, filtering, sorting, rendering, and error scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}