diff --git a/.ci/create-pkg.sh b/.ci/create-pkg.sh
new file mode 100755
index 00000000..46cd0a48
--- /dev/null
+++ b/.ci/create-pkg.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+export VERSION="${CIRRUS_TAG:-0}"
+
+mkdir -p .ci/pkg/
+cp .build/arm64-apple-macosx/release/tart .ci/pkg/tart
+cp Resources/embedded.provisionprofile .ci/pkg/embedded.provisionprofile
+cp Resources/AppIcon.png .ci/pkg/AppIcon.png
+cp Resources/Info.plist .ci/pkg/Info.plist
+pkgbuild --root .ci/pkg/ --identifier com.github.cirruslabs.tart --version $VERSION \
+ --scripts .ci/pkg/scripts \
+ --install-location "/Library/Application Support/Tart" \
+ --sign "Developer ID Installer: Cirrus Labs, Inc. (9M2P8L4D89)" \
+ "./.ci/Tart-$VERSION.pkg"
+xcrun notarytool submit "./.ci/Tart-$VERSION.pkg" --keychain-profile "notarytool" --wait
+xcrun stapler staple "./.ci/Tart-$VERSION.pkg"
diff --git a/.ci/pkg/scripts/postinstall b/.ci/pkg/scripts/postinstall
new file mode 100755
index 00000000..6c563b8d
--- /dev/null
+++ b/.ci/pkg/scripts/postinstall
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+# fix structure
+mkdir -p "$2/tart.app/Contents/MacOS" "$2/tart.app/Resources"
+mv "$2/tart" "$2/tart.app/Contents/MacOS/tart"
+mv "$2/embedded.provisionprofile" "$2/tart.app/Contents/embedded.provisionprofile"
+mv "$2/AppIcon.png" "$2/tart.app/Resources/AppIcon.png"
+mv "$2/Info.plist" "$2/tart.app/Contents/Info.plist"
+
+echo "#!/bin/sh" > /usr/local/bin/tart
+echo "exec '$2/tart.app/Contents/MacOS/tart' \"\$@\"" >> /usr/local/bin/tart
+
+chmod +x /usr/local/bin/tart
diff --git a/.ci/set-version.sh b/.ci/set-version.sh
new file mode 100755
index 00000000..d886191d
--- /dev/null
+++ b/.ci/set-version.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+TMPFILE=$(mktemp)
+envsubst < Sources/tart/CI/CI.swift > $TMPFILE
+mv $TMPFILE Sources/tart/CI/CI.swift
+
+/usr/libexec/PlistBuddy -c "Add :CFBundleShortVersionString string ${CIRRUS_TAG}" Resources/Info.plist
diff --git a/.cirrus.yml b/.cirrus.yml
index 6a169f3d..bb366c66 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -1,23 +1,161 @@
+use_compute_credits: true
+
task:
- name: Build
- only_if: $CIRRUS_TAG == ''
+ name: Test
+ alias: test
persistent_worker:
labels:
- os: darwin
- arch: arm64
- build_script: swift build
- sign_script: codesign --sign - --entitlements Sources/tart/tart.entitlements --force .build/debug/tart
+ name: dev-mini
+ resources:
+ tart-vms: 1
+ build_script:
+ - swift build
+ test_script:
+ - swift test
+ integration_test_script:
+ - codesign --sign - --entitlements Resources/tart-dev.entitlements --force .build/debug/tart
+ - export PATH=$(pwd)/.build/arm64-apple-macosx/debug:$PATH
+ # Run integration tests
+ - cd integration-tests
+ - python3 -m venv --symlinks venv
+ - source venv/bin/activate
+ - pip install -r requirements.txt
+ - pytest --verbose --junit-xml=pytest-junit.xml
+ pytest_junit_result_artifacts:
+ path: "integration-tests/pytest-junit.xml"
+ format: junit
+
+task:
+ name: Markdown Lint
+ only_if: $CIRRUS_BRANCH != 'gh-pages' && changesInclude('**.md')
+ container:
+ image: node:latest
+ install_script: npm install -g markdownlint-cli
+ lint_script: markdownlint --config=docs/.markdownlint.yml docs/
+
+task:
+ name: Lint
+ alias: lint
+ macos_instance:
+ image: ghcr.io/cirruslabs/macos-runner:sequoia
+ lint_script:
+ - swift package plugin --allow-writing-to-package-directory swiftformat --cache ignore --lint --report swiftformat.json .
+ always:
+ swiftformat_report_artifacts:
+ path: swiftformat.json
+ format: swiftformat
+
+task:
+ only_if: $CIRRUS_TAG == ''
+ env:
+ matrix:
+ BUILD_ARCH: arm64
+ BUILD_ARCH: x86_64
+ name: Build ($BUILD_ARCH)
+ alias: build
+ macos_instance:
+ image: ghcr.io/cirruslabs/macos-runner:sequoia
+ build_script: swift build --arch $BUILD_ARCH --product tart
+ sign_script: codesign --sign - --entitlements Resources/tart-dev.entitlements --force .build/$BUILD_ARCH-apple-macosx/debug/tart
binary_artifacts:
- path: .build/debug/tart
+ path: .build/$BUILD_ARCH-apple-macosx/debug/tart
+
+task:
+ only_if: $CIRRUS_TAG == '' && ($CIRRUS_USER_PERMISSION == 'write' || $CIRRUS_USER_PERMISSION == 'admin')
+ name: Release (Dry Run)
+ depends_on:
+ - lint
+ - build
+ macos_instance:
+ image: ghcr.io/cirruslabs/macos-runner:sequoia
+ env:
+ MACOS_CERTIFICATE: ENCRYPTED[552b9d275d1c2bdbc1bff778b104a8f9a53cbd0d59344d4b7f6d0ca3c811a5cefb97bef9ba0ef31c219cb07bdacdd2c2]
+ AC_PASSWORD: ENCRYPTED[4a761023e7e06fe2eb350c8b6e8e7ca961af193cb9ba47605f25f1d353abc3142606f412e405be48fd897a78787ea8c2]
+ GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!]
+ GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!]
+ setup_script:
+ - cd $HOME
+ - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+ - security create-keychain -p password101 build.keychain
+ - security default-keychain -s build.keychain
+ - security unlock-keychain -p password101 build.keychain
+ - security import certificate.p12 -k build.keychain -P password101 -T /usr/bin/codesign -T /usr/bin/pkgbuild
+ - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password101 build.keychain
+ - xcrun notarytool store-credentials "notarytool" --apple-id "hello@cirruslabs.org" --team-id "9M2P8L4D89" --password $AC_PASSWORD
+ install_script:
+ - brew install go
+ - brew install mitchellh/gon/gon
+ - brew install --cask goreleaser/tap/goreleaser-pro
+ info_script:
+ - security find-identity -v
+ - xcodebuild -version
+ - swift -version
+ goreleaser_script: goreleaser release --skip=publish --snapshot --clean
+ always:
+ dist_artifacts:
+ path: "dist/*"
task:
name: Release
only_if: $CIRRUS_TAG != ''
- persistent_worker:
- labels:
- os: darwin
- arch: arm64
+ depends_on:
+ - lint
+ - test
+ - build
+ macos_instance:
+ image: ghcr.io/cirruslabs/macos-runner:sequoia
env:
+ MACOS_CERTIFICATE: ENCRYPTED[552b9d275d1c2bdbc1bff778b104a8f9a53cbd0d59344d4b7f6d0ca3c811a5cefb97bef9ba0ef31c219cb07bdacdd2c2]
+ AC_PASSWORD: ENCRYPTED[4a761023e7e06fe2eb350c8b6e8e7ca961af193cb9ba47605f25f1d353abc3142606f412e405be48fd897a78787ea8c2]
GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!]
GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!]
+ SENTRY_ORG: cirrus-labs
+ SENTRY_PROJECT: persistent-workers
+ SENTRY_AUTH_TOKEN: ENCRYPTED[!9eaf2875d51b113e2f68598441ff8e6b2e53242e48fcb93633bd75a373fbe2e7caa900d837cc92f0b142b65579731644!]
+ setup_script:
+ - cd $HOME
+ - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+ - security create-keychain -p password101 build.keychain
+ - security default-keychain -s build.keychain
+ - security unlock-keychain -p password101 build.keychain
+ - security import certificate.p12 -k build.keychain -P password101 -T /usr/bin/codesign -T /usr/bin/pkgbuild
+ - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password101 build.keychain
+ - xcrun notarytool store-credentials "notarytool" --apple-id "hello@cirruslabs.org" --team-id "9M2P8L4D89" --password $AC_PASSWORD
+ install_script:
+ - brew install go getsentry/tools/sentry-cli
+ - brew install mitchellh/gon/gon
+ - brew install --cask goreleaser/tap/goreleaser-pro
+ info_script:
+ - security find-identity -v
+ - xcodebuild -version
+ - swift -version
release_script: goreleaser
+ upload_sentry_debug_files_script:
+ - cd .build/arm64-apple-macosx/release/
+ # Generate and upload symbols
+ - dsymutil tart
+ - sentry-cli debug-files upload tart.dSYM/
+ - SENTRY_PROJECT=tart sentry-cli debug-files upload tart.dSYM/
+ # Bundle and upload sources
+ - sentry-cli debug-files bundle-sources tart.dSYM
+ - sentry-cli debug-files upload tart.src.zip
+ - SENTRY_PROJECT=tart sentry-cli debug-files upload tart.src.zip
+ create_sentry_release_script:
+ - export SENTRY_RELEASE="tart@$CIRRUS_TAG"
+ - sentry-cli releases new $SENTRY_RELEASE
+ - sentry-cli releases set-commits $SENTRY_RELEASE --auto
+ - sentry-cli releases finalize $SENTRY_RELEASE
+
+task:
+ name: Deploy Documentation
+ only_if: $CIRRUS_BRANCH == 'main'
+ container:
+ image: ghcr.io/cirruslabs/mkdocs-material-insiders:latest
+ registry_config: ENCRYPTED[!cf1a0f25325aa75bad3ce6ebc890bc53eb0044c02efa70d8cefb83ba9766275a994b4831706c52630a0692b2fa9cfb9e!]
+ env:
+ DEPLOY_TOKEN: ENCRYPTED[!45ed45666558902ed1c2400add734ec063103bec31841847e8c8764802fca229bfa6d85c690e16ad159e047574b48793!]
+ deploy_script:
+ - git config --global user.name "Cirrus CI"
+ - git config --global user.name "hello@cirruslabs.org"
+ - git remote set-url origin https://$DEPLOY_TOKEN@github.com/cirruslabs/tart/
+ - mkdocs --verbose gh-deploy --force --remote-branch gh-pages
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index 24a8e879..00000000
--- a/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-*.png filter=lfs diff=lfs merge=lfs -text
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..7b5fd11c
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @edigaryev @fkorotkov
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 00000000..a1ac82db
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: [cirruslabs]
diff --git a/.gitignore b/.gitignore
index b7d59ace..21d2e7b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,8 +8,17 @@ tart.xcodeproj/
# AppCode
.idea/
+# VS Code
+.vscode/
+
# Swift
.build/
# GoReleaser
dist/
+
+# mkdocs
+.cache
+
+# mkdocs-material
+site
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 842e9a90..2326b63d 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,40 +1,70 @@
+version: 2
+
project_name: tart
+before:
+ hooks:
+ - .ci/set-version.sh
+ - swift build --arch arm64 --configuration release --product tart
+ - swift build --arch x86_64 --configuration release --product tart
+
builds:
- - builder: prebuilt
+ - id: tart
+ builder: prebuilt
+ goamd64: [v1]
goos:
- darwin
goarch:
- arm64
+ - amd64
+ binary: tart.app/Contents/MacOS/tart
prebuilt:
- path: .build/{{ .Arch }}-apple-macosx/release/tart
+ path: '.build/{{- if eq .Arch "arm64" }}arm64{{- else }}x86_64{{ end }}-apple-macosx/release/tart'
-before:
- hooks:
- - swift build -c release --product tart
-
-after:
- hooks:
- - codesign --sign - --entitlements Sources/tart/tart.entitlements --force .build/arm64-apple-macosx/release/tart
+universal_binaries:
+ - name_template: tart.app/Contents/MacOS/tart
+ replace: true
+ hooks:
+ post: gon gon.hcl
archives:
- - id: binary
- format: binary
- name_template: "{{ .ProjectName }}"
- - id: regular
- name_template: "{{ .ProjectName }}"
+ - name_template: "{{ .ProjectName }}"
+ files:
+ - src: Resources/embedded.provisionprofile
+ dst: tart.app/Contents
+ strip_parent: true
+ - src: Resources/Info.plist
+ dst: tart.app/Contents
+ strip_parent: true
+ - src: Resources/AppIcon.png
+ dst: tart.app/Contents/Resources
+ strip_parent: true
+ - LICENSE
release:
prerelease: auto
brews:
- name: tart
- ids:
- - regular
- tap:
+ repository:
owner: cirruslabs
name: homebrew-cli
- caveats: See the Github repository for more information
+ caveats: |
+ Tart has been installed. You might want to reduce the default DHCP lease time
+ from 86,400 to 600 seconds to avoid DHCP shortage when running lots of VMs daily:
+
+ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.InternetSharing.default.plist bootpd -dict DHCPLeaseTimeSecs -int 600
+
+ See https://tart.run/faq/#changing-the-default-dhcp-lease-time for more details.
homepage: https://github.com/cirruslabs/tart
- description: Run macOS VMs on Apple Silicon
+ license: "Fair Source"
+ description: Run macOS and Linux VMs on Apple Hardware
skip_upload: auto
+ dependencies:
+ - "cirruslabs/cli/softnet"
+ install: |
+ libexec.install Dir["*"]
+ bin.write_exec_script "#{libexec}/tart.app/Contents/MacOS/tart"
+ generate_completions_from_executable(libexec/"tart.app/Contents/MacOS/tart", "--generate-completion-script")
+ custom_block: |
+ depends_on :macos => :ventura
diff --git a/.run/sign debug.run.xml b/.run/sign debug.run.xml
deleted file mode 100644
index 03d2bb0b..00000000
--- a/.run/sign debug.run.xml
+++ /dev/null
@@ -1,17 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.run/tart create.run.xml b/.run/tart create.run.xml
deleted file mode 100644
index 8831dfa3..00000000
--- a/.run/tart create.run.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.run/tart run.run.xml b/.run/tart run.run.xml
deleted file mode 100644
index cf7968e3..00000000
--- a/.run/tart run.run.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.swiftformat b/.swiftformat
new file mode 100644
index 00000000..743e500c
--- /dev/null
+++ b/.swiftformat
@@ -0,0 +1,5 @@
+--disable all
+--enable indent
+--indent 2
+--exclude Sources/tart/OCI/Reference/Generated
+--swiftversion 5.7
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 00000000..021b6e0f
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,41 @@
+# Contributing to Tart
+
+Table of Contents
+-----------------
+
+- [How to Build](#how-to-build)
+- [How to Create an Issue/Enhancement](#how-to-create-an-issueenhancement)
+- [Style Guidelines](#style-guidelines)
+- [Pull Requests](#Pull-Requests)
+
+## How to Build
+
+1. Fork the repository to your own GitHub account
+2. Clone the forked repository to your local machine
+3. If using Xcode, use from Xcode 15 or newer
+4. Run ./scripts/run-signed.sh from the root of your repository
+
+```bash
+./scripts/run-signed.sh list
+```
+## How to Create an Issue/Enhancement
+
+1. Go to the [Issue page](https://github.com/cirruslabs/tart/issues) of the repository
+2. Click on the "New Issue" button
+3. Provide a descriptive title and detailed description of the issue or enhancement you're suggesting
+4. Submit the issue
+
+## Style Guidelines
+
+1. Code should follow camel case
+2. Code should follow [SwiftFormat](https://github.com/nicklockwood/SwiftFormat#swift-package-manager-plugin) guidelines. You can auto-format the code by running the following command:
+
+```bash
+swift package plugin --allow-writing-to-package-directory swiftformat --cache ignore .
+```
+
+## Pull Requests
+
+1. Provide a detailed description of the changes you made in the pull request
+2. Wait for pull request to be reviewed
+3. Make adjustments if necessary
diff --git a/LICENSE b/LICENSE
index 0ad25db4..a691b969 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,661 +1,45 @@
- GNU AFFERO GENERAL PUBLIC LICENSE
- Version 3, 19 November 2007
+Fair Source License, version 0.9
- Copyright (C) 2007 Free Software Foundation, Inc.
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
+Copyright (C) 2023 Cirrus Labs, Inc.
- Preamble
+Licensor: Cirrus Labs, Inc.
- The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
+Software: Tart
- The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works. By contrast,
-our General Public Licenses are intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.
+Use Limitation: 100 users. User is defined as a single core of a central processing unit (CPU) used by the product.
+The Use Limitation does not apply to CPUs installed in devices used by a single individual.
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
+License Grant. Licensor hereby grants to each recipient of the
+Software ("you") a non-exclusive, non-transferable, royalty-free and
+fully-paid-up license, under all of the Licensor's copyright and
+patent rights, to use, copy, distribute, prepare derivative works of,
+publicly perform and display the Software, subject to the Use
+Limitation and the conditions set forth below.
- Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
+Use Limitation. The license granted above allows use by up to the
+number of users per entity set forth above (the "Use Limitation"). For
+determining the number of users, "you" includes all affiliates,
+meaning legal entities controlling, controlled by, or under common
+control with you. If you exceed the Use Limitation, your use is
+subject to payment of Licensor's then-current list price for licenses.
- A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate. Many developers of free software are heartened and
-encouraged by the resulting cooperation. However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
-
- The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community. It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server. Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
-
- An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals. This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
+Conditions. Redistribution in source code or other forms must include
+a copy of this license document to be provided in a reasonable
+manner. Any redistribution of the Software is only allowed subject to
this license.
- The precise terms and conditions for copying, distribution and
-modification follow.
-
- TERMS AND CONDITIONS
-
- 0. Definitions.
-
- "This License" refers to version 3 of the GNU Affero General Public License.
-
- "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
- "The Program" refers to any copyrightable work licensed under this
-License. Each licensee is addressed as "you". "Licensees" and
-"recipients" may be individuals or organizations.
-
- To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy. The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
- A "covered work" means either the unmodified Program or a work based
-on the Program.
-
- To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy. Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
- To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies. Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
- An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License. If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
- 1. Source Code.
-
- The "source code" for a work means the preferred form of the work
-for making modifications to it. "Object code" means any non-source
-form of a work.
-
- A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
- The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form. A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
- The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities. However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work. For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
- The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
- The Corresponding Source for a work in source code form is that
-same work.
-
- 2. Basic Permissions.
-
- All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met. This License explicitly affirms your unlimited
-permission to run the unmodified Program. The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work. This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
- You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force. You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright. Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
- Conveying under any other circumstances is permitted solely under
-the conditions stated below. Sublicensing is not allowed; section 10
-makes it unnecessary.
-
- 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
- No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
- When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
- 4. Conveying Verbatim Copies.
-
- You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
- You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
- 5. Conveying Modified Source Versions.
-
- You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
- a) The work must carry prominent notices stating that you modified
- it, and giving a relevant date.
-
- b) The work must carry prominent notices stating that it is
- released under this License and any conditions added under section
- 7. This requirement modifies the requirement in section 4 to
- "keep intact all notices".
-
- c) You must license the entire work, as a whole, under this
- License to anyone who comes into possession of a copy. This
- License will therefore apply, along with any applicable section 7
- additional terms, to the whole of the work, and all its parts,
- regardless of how they are packaged. This License gives no
- permission to license the work in any other way, but it does not
- invalidate such permission if you have separately received it.
-
- d) If the work has interactive user interfaces, each must display
- Appropriate Legal Notices; however, if the Program has interactive
- interfaces that do not display Appropriate Legal Notices, your
- work need not make them do so.
-
- A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit. Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
- 6. Conveying Non-Source Forms.
-
- You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
- a) Convey the object code in, or embodied in, a physical product
- (including a physical distribution medium), accompanied by the
- Corresponding Source fixed on a durable physical medium
- customarily used for software interchange.
-
- b) Convey the object code in, or embodied in, a physical product
- (including a physical distribution medium), accompanied by a
- written offer, valid for at least three years and valid for as
- long as you offer spare parts or customer support for that product
- model, to give anyone who possesses the object code either (1) a
- copy of the Corresponding Source for all the software in the
- product that is covered by this License, on a durable physical
- medium customarily used for software interchange, for a price no
- more than your reasonable cost of physically performing this
- conveying of source, or (2) access to copy the
- Corresponding Source from a network server at no charge.
-
- c) Convey individual copies of the object code with a copy of the
- written offer to provide the Corresponding Source. This
- alternative is allowed only occasionally and noncommercially, and
- only if you received the object code with such an offer, in accord
- with subsection 6b.
-
- d) Convey the object code by offering access from a designated
- place (gratis or for a charge), and offer equivalent access to the
- Corresponding Source in the same way through the same place at no
- further charge. You need not require recipients to copy the
- Corresponding Source along with the object code. If the place to
- copy the object code is a network server, the Corresponding Source
- may be on a different server (operated by you or a third party)
- that supports equivalent copying facilities, provided you maintain
- clear directions next to the object code saying where to find the
- Corresponding Source. Regardless of what server hosts the
- Corresponding Source, you remain obligated to ensure that it is
- available for as long as needed to satisfy these requirements.
-
- e) Convey the object code using peer-to-peer transmission, provided
- you inform other peers where the object code and Corresponding
- Source of the work are being offered to the general public at no
- charge under subsection 6d.
-
- A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
- A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling. In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage. For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product. A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
- "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source. The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
- If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information. But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
- The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed. Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
- Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
- 7. Additional Terms.
-
- "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law. If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
- When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it. (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.) You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
- Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
- a) Disclaiming warranty or limiting liability differently from the
- terms of sections 15 and 16 of this License; or
-
- b) Requiring preservation of specified reasonable legal notices or
- author attributions in that material or in the Appropriate Legal
- Notices displayed by works containing it; or
-
- c) Prohibiting misrepresentation of the origin of that material, or
- requiring that modified versions of such material be marked in
- reasonable ways as different from the original version; or
-
- d) Limiting the use for publicity purposes of names of licensors or
- authors of the material; or
-
- e) Declining to grant rights under trademark law for use of some
- trade names, trademarks, or service marks; or
-
- f) Requiring indemnification of licensors and authors of that
- material by anyone who conveys the material (or modified versions of
- it) with contractual assumptions of liability to the recipient, for
- any liability that these contractual assumptions directly impose on
- those licensors and authors.
-
- All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10. If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term. If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
- If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
- Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
- 8. Termination.
-
- You may not propagate or modify a covered work except as expressly
-provided under this License. Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
- However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
- Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
- Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License. If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
- 9. Acceptance Not Required for Having Copies.
-
- You are not required to accept this License in order to receive or
-run a copy of the Program. Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance. However,
-nothing other than this License grants you permission to propagate or
-modify any covered work. These actions infringe copyright if you do
-not accept this License. Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
- 10. Automatic Licensing of Downstream Recipients.
-
- Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License. You are not responsible
-for enforcing compliance by third parties with this License.
-
- An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations. If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
- You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License. For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
- 11. Patents.
-
- A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based. The
-work thus licensed is called the contributor's "contributor version".
-
- A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version. For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
- Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
- In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement). To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
- If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients. "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
- If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
- A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License. You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
- Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
- 12. No Surrender of Others' Freedom.
-
- If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all. For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
- 13. Remote Network Interaction; Use with the GNU General Public License.
-
- Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software. This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
-
- Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
-combined work, and to convey the resulting work. The terms of this
-License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
-
- 14. Revised Versions of this License.
-
- The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time. Such new versions
-will be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
- Each version is given a distinguishing version number. If the
-Program specifies that a certain numbered version of the GNU Affero General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation. If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
- If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
- Later license versions may give you additional or different
-permissions. However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
- 15. Disclaimer of Warranty.
-
- THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
- 16. Limitation of Liability.
-
- IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
- 17. Interpretation of Sections 15 and 16.
-
- If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-
- Copyright (C)
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU Affero General Public License as published
- by the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU Affero General Public License for more details.
-
- You should have received a copy of the GNU Affero General Public License
- along with this program. If not, see .
-
-Also add information on how to contact you by electronic and paper mail.
-
- If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source. For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code. There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
-
- You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
-.
+Trademarks. This license does not grant you any right in the
+trademarks, service marks, brand names or logos of Licensor.
+
+DISCLAIMER. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OR
+CONDITION, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. LICENSORS HEREBY DISCLAIM ALL LIABILITY, WHETHER IN
+AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE.
+
+Termination. If you violate the terms of this license, your rights
+will terminate automatically and will not be reinstated without the
+prior written consent of Licensor. Any such termination will not
+affect the right of others who may have received copies of the
+Software from you.
diff --git a/PROFILING.md b/PROFILING.md
new file mode 100644
index 00000000..ce8ef9d0
--- /dev/null
+++ b/PROFILING.md
@@ -0,0 +1,64 @@
+# Profiling Tart
+
+## Using `time(1)`
+
+Perhaps, the easiest, but not the most comprehensive way to tell what's going on with Tart is to use the [`time(1)`](https://ss64.com/mac/time.html) command.
+
+In the example below, you will run `tart pull` via `time(1)` to gather generalized CPU, I/O and memory usage metrics:
+
+```shell
+/usr/bin/time -l tart pull ghcr.io/cirruslabs/macos-sequoia-base:latest
+```
+
+**Note:** you need to specify a full path to `time(1)` binary, otherwise the shell's built-in `time` command will be invoked, which doesn't have the `-l` command-line argument.
+
+**Note:** The `-l` command-line argument makes `time(1)` return much more useful information, for example, maximum memory usage.
+
+When running the command above, you'll see the `tart pull` output first as it pulls the image, and then the `time(1)` output, which will be printed once the Tart process finishes:
+
+```
+ 172.17 real 10.29 user 8.36 sys
+ 353796096 maximum resident set size
+ 0 average shared memory size
+ 0 average unshared data size
+ 0 average unshared stack size
+ 23838 page reclaims
+ 35 page faults
+ 0 swaps
+ 0 block input operations
+ 0 block output operations
+ 8 messages sent
+ 8 messages received
+ 0 signals received
+ 146 voluntary context switches
+ 222950 involuntary context switches
+ 39683070975 instructions retired
+ 27562035252 cycles elapsed
+ 170920448 peak memory footprint
+```
+
+From the output above, you can tell that `tart pull` spent nearly 90% of time off-CPU (`real` > `user` + `sys`), which means that Tart was mostly waiting for the I/O (be it a network or disk), instead of decompressing disk layers or doing other useful computations.
+
+## Using `xctrace(1)`
+
+[`xctrace(1)`](https://keith.github.io/xcode-man-pages/xctrace.1.html) is a `.trace` format recorder for the [Instruments](https://en.wikipedia.org/wiki/Instruments_(software)) app, which yields much more powerful insights compared to `time(1)`. For example, it can tell which Tart functions spent the most time on the CPU, thus allowing the Tart developers to further optimize these functions.
+
+To use it, make sure that [Xcode](https://developer.apple.com/xcode/resources/) is installed. If you're installing Xcode for the first time on the machine, you'll need to launch it once and click the blue "Install" button. There's no need to choose any platforms except for the macOS.
+
+Once done, you can create a CPU profile of `tart pull`:
+
+```shell
+xctrace record --template "CPU Profiler" --target-stdout - --launch -- /opt/homebrew/bin/tart pull ghcr.io/cirruslabs/macos-sequoia-base:latest
+```
+
+Now that `xctrace(1)` is running, you'll see the `tart pull`-related output first, and once finished, the following line will appear:
+
+```
+Output file saved as: Launch_[...].trace
+```
+
+To view this trace in the Instruments app, simply find this directory in Finder and double-click it. Instruments app will appear:
+
+
+
+To send this trace, right-click its directory in Finder and choose "Compress [...]". This will result in a similarly named file with a `.zip` at the end, which can now be conveniently sent via email or uploaded.
diff --git a/Package.resolved b/Package.resolved
index 8896f8cf..0b9655da 100644
--- a/Package.resolved
+++ b/Package.resolved
@@ -1,14 +1,267 @@
{
+ "originHash" : "668bad809d4882f75f097e66a12a6dbc8e61ec998f1800a7e09439c854fadda1",
"pins" : [
+ {
+ "identity" : "antlr4",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/antlr/antlr4",
+ "state" : {
+ "revision" : "cc82115a4e7f53d71d9d905caa2c2dfa4da58899",
+ "version" : "4.13.2"
+ }
+ },
+ {
+ "identity" : "cirruslabs_tart-guest-agent_apple_swift",
+ "kind" : "remoteSourceControl",
+ "location" : "https://buf.build/gen/swift/git/1.28.2-00000000000000-17d7dedafb88.1/cirruslabs_tart-guest-agent_apple_swift.git",
+ "state" : {
+ "revision" : "ccfae5de1917cdb0d7c5000008fa5ed0bad032bf",
+ "version" : "1.28.2-00000000000000-17d7dedafb88.1"
+ }
+ },
+ {
+ "identity" : "cirruslabs_tart-guest-agent_grpc_swift",
+ "kind" : "remoteSourceControl",
+ "location" : "https://buf.build/gen/swift/git/1.24.2-00000000000000-17d7dedafb88.1/cirruslabs_tart-guest-agent_grpc_swift.git",
+ "state" : {
+ "branch" : "1.24.2-00000000000000-17d7dedafb88.1",
+ "revision" : "b8421f137325fe8de737ff5b61238f6f2131b2a8"
+ }
+ },
+ {
+ "identity" : "dynamic",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/mhdhejazi/Dynamic",
+ "state" : {
+ "branch" : "master",
+ "revision" : "772883073d044bc754d401cabb6574624eb3778f"
+ }
+ },
+ {
+ "identity" : "grpc-swift",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/grpc/grpc-swift.git",
+ "state" : {
+ "revision" : "8c5e99d0255c373e0330730d191a3423c57373fb",
+ "version" : "1.24.2"
+ }
+ },
+ {
+ "identity" : "semaphore",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/groue/Semaphore",
+ "state" : {
+ "revision" : "2543679282aa6f6c8ecf2138acd613ed20790bc2",
+ "version" : "0.1.0"
+ }
+ },
+ {
+ "identity" : "sentry-cocoa",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/getsentry/sentry-cocoa",
+ "state" : {
+ "revision" : "65b3d2a7608685e8d4a37c68fa2c64f28d0b537e",
+ "version" : "8.51.1"
+ }
+ },
+ {
+ "identity" : "swift-algorithms",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-algorithms",
+ "state" : {
+ "revision" : "f6919dfc309e7f1b56224378b11e28bab5bccc42",
+ "version" : "1.2.0"
+ }
+ },
{
"identity" : "swift-argument-parser",
"kind" : "remoteSourceControl",
"location" : "https://github.com/apple/swift-argument-parser",
"state" : {
- "revision" : "f3c9084a71ef4376f2fabbdf1d3d90a49f1fabdb",
- "version" : "1.1.2"
+ "revision" : "309a47b2b1d9b5e991f36961c983ecec72275be3",
+ "version" : "1.6.1"
+ }
+ },
+ {
+ "identity" : "swift-atomics",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-atomics.git",
+ "state" : {
+ "revision" : "cd142fd2f64be2100422d658e7411e39489da985",
+ "version" : "1.2.0"
+ }
+ },
+ {
+ "identity" : "swift-collections",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-collections.git",
+ "state" : {
+ "revision" : "671108c96644956dddcd89dd59c203dcdb36cec7",
+ "version" : "1.1.4"
+ }
+ },
+ {
+ "identity" : "swift-http-structured-headers",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-http-structured-headers.git",
+ "state" : {
+ "revision" : "db6eea3692638a65e2124990155cd220c2915903",
+ "version" : "1.3.0"
+ }
+ },
+ {
+ "identity" : "swift-http-types",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-http-types.git",
+ "state" : {
+ "revision" : "a0a57e949a8903563aba4615869310c0ebf14c03",
+ "version" : "1.4.0"
+ }
+ },
+ {
+ "identity" : "swift-log",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-log.git",
+ "state" : {
+ "revision" : "9cb486020ebf03bfa5b5df985387a14a98744537",
+ "version" : "1.6.1"
+ }
+ },
+ {
+ "identity" : "swift-nio",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-nio.git",
+ "state" : {
+ "revision" : "34d486b01cd891297ac615e40d5999536a1e138d",
+ "version" : "2.83.0"
+ }
+ },
+ {
+ "identity" : "swift-nio-extras",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-nio-extras.git",
+ "state" : {
+ "revision" : "f1f6f772198bee35d99dd145f1513d8581a54f2c",
+ "version" : "1.26.0"
+ }
+ },
+ {
+ "identity" : "swift-nio-http2",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-nio-http2.git",
+ "state" : {
+ "revision" : "4281466512f63d1bd530e33f4aa6993ee7864be0",
+ "version" : "1.36.0"
+ }
+ },
+ {
+ "identity" : "swift-nio-ssl",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-nio-ssl.git",
+ "state" : {
+ "revision" : "4b38f35946d00d8f6176fe58f96d83aba64b36c7",
+ "version" : "2.31.0"
+ }
+ },
+ {
+ "identity" : "swift-nio-transport-services",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-nio-transport-services.git",
+ "state" : {
+ "revision" : "cd1e89816d345d2523b11c55654570acd5cd4c56",
+ "version" : "1.24.0"
+ }
+ },
+ {
+ "identity" : "swift-numerics",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-numerics",
+ "state" : {
+ "revision" : "0a5bc04095a675662cf24757cc0640aa2204253b",
+ "version" : "1.0.2"
+ }
+ },
+ {
+ "identity" : "swift-protobuf",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-protobuf.git",
+ "state" : {
+ "revision" : "ebc7251dd5b37f627c93698e4374084d98409633",
+ "version" : "1.28.2"
+ }
+ },
+ {
+ "identity" : "swift-retry",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/fumoboy007/swift-retry",
+ "state" : {
+ "revision" : "df9d7b185d2e433147ec0083a73c257e665eea0d",
+ "version" : "0.2.4"
+ }
+ },
+ {
+ "identity" : "swift-sysctl",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/sersoft-gmbh/swift-sysctl.git",
+ "state" : {
+ "revision" : "a91be36de6803ebe48f678699dfd0694c2200d2f",
+ "version" : "1.8.0"
+ }
+ },
+ {
+ "identity" : "swift-system",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-system.git",
+ "state" : {
+ "revision" : "a34201439c74b53f0fd71ef11741af7e7caf01e1",
+ "version" : "1.4.2"
+ }
+ },
+ {
+ "identity" : "swift-xattr",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/jozefizso/swift-xattr",
+ "state" : {
+ "revision" : "f8605af7b3290dbb235fb182ec6e9035d0c8c3ac",
+ "version" : "3.0.0"
+ }
+ },
+ {
+ "identity" : "swiftdate",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/malcommac/SwiftDate",
+ "state" : {
+ "revision" : "5d943224c3bb173e6ecf27295611615eba90c80e",
+ "version" : "7.0.0"
+ }
+ },
+ {
+ "identity" : "swiftformat",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/nicklockwood/SwiftFormat",
+ "state" : {
+ "revision" : "ab6844edb79a7b88dc6320e6cee0a0db7674dac3",
+ "version" : "0.54.5"
+ }
+ },
+ {
+ "identity" : "swiftradix",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/orchetect/SwiftRadix",
+ "state" : {
+ "revision" : "a52c37a4c213403f7377ae77b4c68451bcab8330",
+ "version" : "1.3.1"
+ }
+ },
+ {
+ "identity" : "texttable",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/cfilipov/TextTable",
+ "state" : {
+ "branch" : "master",
+ "revision" : "e03289289155b4e7aa565e32862f9cb42140596a"
}
}
],
- "version" : 2
+ "version" : 3
}
diff --git a/Package.swift b/Package.swift
index b299604a..69ce3cfa 100644
--- a/Package.swift
+++ b/Package.swift
@@ -1,25 +1,57 @@
-// swift-tools-version:5.6
+// swift-tools-version:5.10
import PackageDescription
-
let package = Package(
name: "Tart",
platforms: [
- .macOS(.v12)
+ .macOS(.v13)
],
products: [
.executable(name: "tart", targets: ["tart"])
],
dependencies: [
- .package(url: "https://github.com/apple/swift-argument-parser", from: "1.1.2"),
+ .package(url: "https://github.com/apple/swift-argument-parser", from: "1.6.1"),
+ .package(url: "https://github.com/mhdhejazi/Dynamic", branch: "master"),
+ .package(url: "https://github.com/apple/swift-algorithms", from: "1.2.0"),
+ .package(url: "https://github.com/malcommac/SwiftDate", from: "7.0.0"),
+ .package(url: "https://github.com/antlr/antlr4", exact: "4.13.2"),
+ .package(url: "https://github.com/apple/swift-atomics.git", .upToNextMajor(from: "1.2.0")),
+ .package(url: "https://github.com/nicklockwood/SwiftFormat", from: "0.53.6"),
+ .package(url: "https://github.com/getsentry/sentry-cocoa", from: "8.51.1"),
+ .package(url: "https://github.com/cfilipov/TextTable", branch: "master"),
+ .package(url: "https://github.com/sersoft-gmbh/swift-sysctl.git", from: "1.8.0"),
+ .package(url: "https://github.com/orchetect/SwiftRadix", from: "1.3.1"),
+ .package(url: "https://github.com/groue/Semaphore", from: "0.0.8"),
+ .package(url: "https://github.com/fumoboy007/swift-retry", from: "0.2.3"),
+ .package(url: "https://github.com/jozefizso/swift-xattr", from: "3.0.0"),
+ .package(url: "https://github.com/grpc/grpc-swift.git", .upToNextMajor(from: "1.24.2")),
+ .package(url: "https://buf.build/gen/swift/git/1.24.2-00000000000000-17d7dedafb88.1/cirruslabs_tart-guest-agent_grpc_swift.git", revision: "1.24.2-00000000000000-17d7dedafb88.1"),
],
targets: [
- .executableTarget(name: "tart",
- dependencies: [
- .product(name: "ArgumentParser", package: "swift-argument-parser"),
- ],
- resources: [
- .process("Resources/AppIcon.png")
- ]),
+ .executableTarget(name: "tart", dependencies: [
+ .product(name: "Algorithms", package: "swift-algorithms"),
+ .product(name: "ArgumentParser", package: "swift-argument-parser"),
+ .product(name: "Dynamic", package: "Dynamic"),
+ .product(name: "SwiftDate", package: "SwiftDate"),
+ .product(name: "Antlr4Static", package: "Antlr4"),
+ .product(name: "Atomics", package: "swift-atomics"),
+ .product(name: "Sentry", package: "sentry-cocoa"),
+ .product(name: "TextTable", package: "TextTable"),
+ .product(name: "Sysctl", package: "swift-sysctl"),
+ .product(name: "SwiftRadix", package: "SwiftRadix"),
+ .product(name: "Semaphore", package: "Semaphore"),
+ .product(name: "DMRetry", package: "swift-retry"),
+ .product(name: "XAttr", package: "swift-xattr"),
+ .product(name: "GRPC", package: "grpc-swift"),
+ .product(name: "Cirruslabs_TartGuestAgent_Grpc_Swift", package: "cirruslabs_tart-guest-agent_grpc_swift"),
+ ], exclude: [
+ "OCI/Reference/Makefile",
+ "OCI/Reference/Reference.g4",
+ "OCI/Reference/Generated/Reference.interp",
+ "OCI/Reference/Generated/Reference.tokens",
+ "OCI/Reference/Generated/ReferenceLexer.interp",
+ "OCI/Reference/Generated/ReferenceLexer.tokens",
+ ]),
+ .testTarget(name: "TartTests", dependencies: ["tart"])
]
)
diff --git a/README.md b/README.md
index cc994722..b67af9f1 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,74 @@
-# Tart
+
-macOS VMs on Apple Silicon to use in CI and other automations
+*Tart* is a virtualization toolset to build, run and manage macOS and Linux virtual machines (VMs) on Apple Silicon.
+Built by CI engineers for your automation needs. Here are some highlights of Tart:
+
+* Tart uses Apple's own `Virtualization.Framework` for [near-native performance](https://browser.geekbench.com/v5/cpu/compare/20382844?baseline=20382722).
+* Push/Pull virtual machines from any OCI-compatible container registry.
+* Use Tart Packer Plugin to automate VM creation.
+* Easily integrates with any CI system.
+
+Tart powers [Cirrus Runners](https://cirrus-runners.app/)
+service — a drop-in replacement for the standard GitHub-hosted runners, offering 2-3 times better performance for a fraction of the price.
+
+
+
+**Note:** If your company or project is using Tart please consider [sharing with the community](https://github.com/cirruslabs/tart/discussions/857).
+
+
+
+We are also very pleased by how the community responded to [the license change](2023-02-11-changing-tart-license.md).
+We now have a number of companies running Tart at scale under the new license. Revenue from the licensing allowed us to
+allocate time to continue improving Tart which brings us to the section below.
+
+## Recent updates and what's changing in Tart 2.0.0
+
+In the last 7 months we've had 12 feature releases that brought a lot of features requested by the community. Here are just
+a few of them to highlight:
+
+-[Custom GitLab Runner Executor](../../integrations/gitlab-runner.md).
+-[Cluster Management via Orchard](2023-04-25-orchard-ga.md).
+-Numerous compatibility improvements for all kinds of OCI-registries.
+-Sonoma Support (see details [below](#macos-sonoma-updates)).
+
+But one of the most requested features/complaints was around pulling huge Tart images from remote OCI-compatible registries.
+With an ideal network conditions `tart pull` worked pretty good but in case of any network issues it was required to
+restart the pull from scratch. Additionally, some registries are notably slow streaming a single blob but can stream
+multiple blobs in parallel. Finally, the initial format of storing Tart VMs was very naive: disk image is compressed
+via a single stream which is chunked up into blobs that are serially uploaded to a registry. A single compression stream
+means that Tart can also only decompress blobs serially.
+
+Given these three observations above we came up with an improved format of storing Tart VM disk images. In Tart 2.0.0
+disk images are chunked up first and compressed independently into blobs, when pushed, each blob has attached annotations
+of expected uncompressed size and a checksum. This way when Tart 2.0.0 is pulling an image pushed by Tart 2.0.0 each blob can
+be pulled, uncompressed and written at the right offset independently. Having checksums along expected uncompressed blob size
+also allowed to support resumable pulls. Upon a failure Tart 2.0.0 will compare checksums of chunks and will continue pulling
+only missing blobs.
+
+Overall in our experiments we saw a 10% improvement in compressed size of the images and **4 times faster pulls**.
+
+In order to try the new image format please upgrade Tart and try to pull any of [the Sonoma images](https://github.com/orgs/cirruslabs/packages?tab=packages&q=macos-sonoma):
+
+```bash
+brew upgrade cirruslabs/cli/tart
+tart pull ghcr.io/cirruslabs/macos-sonoma-base:latest
+```
+
+## macOS Sonoma Updates
+
+Tart VMs now can be run in a "suspendable" mode which will enable VM snapshotting instead of the standard shutdown.
+VMs with an existing snapshot will `run` from the same state as they got snapshotted. Please check demo down below:
+
+
+
+
+ Tart 1.8.0 brings macOS Sonoma updates! 🍏 Now you can suspend and resume your virtual machines for even faster startup times. Check out the demo below 👇 pic.twitter.com/RoRFT8Nwst
+
+
+There are two caveats to the "suspendable" mode support:
+
+1. Both host and guest should be running macOS Sonoma.
+2. Snapshots are locally encrypted and can't be shared between physical hosts. Therefore `tart push` won't push the corresponding snapshotted state of the VM.
+
+Try the "suspendable" mode for yourself by passing `--suspendable` flag to a `tart run` command:
+
+```bash
+tart clone ghcr.io/cirruslabs/macos-sonoma-base:latest sonoma-base
+tart run --suspendable sonoma-base
+```
+
+## Conclusion
+
+We are very excited about this major release of Tart. Please give it a try and let us know how it went!
+
+Stay tuned for new updates and announcements! There are a few coming up very shortly...
diff --git a/docs/blog/posts/2023-10-06-tart-on-aws.md b/docs/blog/posts/2023-10-06-tart-on-aws.md
new file mode 100644
index 00000000..1b84dcea
--- /dev/null
+++ b/docs/blog/posts/2023-10-06-tart-on-aws.md
@@ -0,0 +1,71 @@
+---
+draft: false
+date: 2023-10-06
+search:
+ exclude: true
+authors:
+ - fkorotkov
+categories:
+ - announcement
+---
+
+# Tart is now available on AWS Marketplace
+
+Announcing [official AMIs for EC2 Mac Instances](https://aws.amazon.com/marketplace/pp/prodview-qczco34wlkdws)
+with preconfigured Tart installation that is optimized to work within AWS infrastructure.
+
+EC2 Mac Instances is a gem of engineering powered by AWS Nitro devices. Just imagine there is a physical Mac Mini with
+a plugged in Nitro device that can push the physical power button!
+
+
+
+This clever synergy between Apple Hardware and Nitro System allows seamless integration with VPC networking and booting macOS from an EBS volume.
+
+In this blog post we’ll see how a virtualization solution like Tart can compliment and elevate experience with EC2 Mac Instances.
+
+
+
+Let’s start from the basics, what EC2 Mac Instances allow to do compared to physical Mac Minis seating in offices of
+many companies around the world?
+
+First and foremost, EC2 Mac Instances sit inside AWS data centers and can leverage all the goodies of VPC networking
+within your company's existing infrastructure. No need to connect your Macs in the office through a VPN and deal
+with networking and security.
+
+Additionally, EC2 Mac Instances are booting from EBS volumes which means it is possible to always have reproducible instances
+and apply all the best practices of Infrastructure-as-Code. Managing a fleet of physical Macs is a pain and it's very hard
+to make them configured in a reproducible and stable way. With booting from identical EBS volumes your team is always sure
+about the identical initial state of the fleet.
+
+## Compromises of EC2 Mac Instances
+
+The flexibility of EBS volumes for macOS comes with some compromises that virtualization solutions like Tart can help with.
+The initial boot from an EBS volume takes some time and not instant. macOS itself is pretty heavy and a Nitro device needs
+to download tens of gigabytes that macOS requires in order to boot. This means that **resetting a EC2 Mac Instance to a clean state
+is not instant and usually takes a couple of minutes** when you can’t utilize the precious resources for your workloads.
+
+It is much easier to tailor such EBS volumes with tools like Packer but there is still a **friction to test newly created EBS volumes**
+since one needs to start and run a EC2 Mac Instance and it’s not possible to test things locally. Similarly it is even harder
+to test beta versions of macOS that require manual interaction with a running instance.
+
+## Solution
+
+Tart can help with all the compromises! Tart virtual machines (VMs) have nearly native performance thanks to utilizing
+native `Virtualization.Framework` that was developed along the first Apple Silicon chip. **Tart VMs can be copied/disposed
+instantly and booting a fresh Tart VM takes only several seconds**. It is also possible to run two different Tart VMs in parallel
+that can have completely different versions of macOS and packages. For example, it is possible to have the latest stable macOS
+with the release version of Xcode along with the next version of macOS with the latest beta of Xcode.
+
+Creation of Tart VMs can be automated with [a Packer plugin](https://github.com/cirruslabs/packer-plugin-tart) the same way as
+creation of EC2 AMIs with one caveat that **Tart Packer Plugin works locally so you can test the same virtual machine locally
+as you would run it in the cloud**.
+
+Lightweight nature of Tart VMs with a focus on an easy-to-integrate Tart CLI compliments any macOS automation and helps to reduce
+the feedback cycle and improves reproducibility of macOS environments even further.
+
+## Conclusion
+
+We are excited to bring [official AMIs that include Tart installation optimized to work within AWS](https://aws.amazon.com/marketplace/pp/prodview-qczco34wlkdws).
+In the coming weeks when macOS Sonoma will become available on AWS we’ll release another update specifically targeting EC2 Mac Instances.
+This update will simplify access to local SSDs of Mac Instances that are slightly faster than EBS volumes. Stay tuned and don’t hesitate
+to ask any [questions](https://tart.run/licensing/).
diff --git a/docs/blog/posts/2023-11-03-cirrus-runners-dashboard.md b/docs/blog/posts/2023-11-03-cirrus-runners-dashboard.md
new file mode 100644
index 00000000..36dbaced
--- /dev/null
+++ b/docs/blog/posts/2023-11-03-cirrus-runners-dashboard.md
@@ -0,0 +1,59 @@
+---
+draft: false
+date: 2023-11-03
+search:
+ exclude: true
+authors:
+ - fkorotkov
+categories:
+ - announcement
+---
+
+# New dashboard with insights into performance of Cirrus Runners
+
+This month we are celebrating one year since launching Cirrus Runners — managed Apple Silicon infrastructure for your
+GitHub Actions. During the last 12 months we ran millions of workflows for our customers and now ready to share some insights
+into price performance of them for our customers.
+
+One of the key difference with Cirrus Runners is how they are getting billed for. Customers purchase Cirrus Runners via monthly subscription
+that costs $150 per each Cirrus Runner. Each runner can be used 24 hours a day 7 days a week to run GitHub Actions workflows
+for an organization. If there are more outstanding jobs than available runners then they are queued and executed as soon as
+there is a free runner. This is different from how GitHub-managed GitHub Actions are billed for — you pay for each minute of execution time.
+
+The benefit of a fixed price is that you can run as many jobs as you want without worrying about the cost. The downside is that
+you need to make sure that you are using your runners efficiently. This is where the new dashboard comes in handy.
+
+
+
+But first, **let's see theoretically the lowest price per minute** of a Cirrus Runners. If you run 24 hours a day 7 days a week
+then you will get 43,200 minutes of execution time per month. This means that the price per minute is $0.0035 if your runners
+utilization is 100%. But even if your engineering teams is located in a single time zone and works 8 hours a day 5 days a week
+then you will get 9,600 minutes of execution time per month which comes down to $0.015 per-minute. This is still more than 10 times cheaper
+than recently announced Apple Silicon GitHub-manged runners that cost $0.16 per minute.
+
+Now lets take a look at the new Cirrus Runners dashboard of a real customers that run their workflows on Cirrus Runners
+and **practically pushing the price performance pretty close to the theoretical minimum**.
+
+
+
+As you can see above Cirrus Runners Dashboard focuses on 4 core metrics:
+
+1. **Minutes Used** — overall amount of minutes that Cirrus Runners were executing jobs.
+2. **Workflow Runs** — absolute number of workflow runs that were executed on Cirrus Runners.
+3. **Queue Size** — number of jobs that were queued and waiting for a free Cirrus Runner.
+4. **Queue Time** — average time that jobs were waiting in the queue.
+
+In this particular example price performance of Cirrus Runners is $0.006 per minute which is 2 times more than the theoretical minimum
+and **26 times better than GitHub-managed Apple Silicon runners**. But this is a extreme example, looking at queue time and queue size
+we can see that the downside of such great price performance is that jobs are waiting in the queue on average around 5 minutes.
+
+Here is another example of Cirrus Runners Dashboard for a different customer that has a slightly higher price performance of $0.017 per minute
+but at the same time doesn't experience queue time at all. **Note that $0.017 is still 10 times cheaper than GitHub-managed Apple Silicon runners**.
+
+
+
+## Conclusion
+
+Having a fixed price for Cirrus Runners is a great way to save money on your CI/CD infrastructure and just in general have predictable budged.
+But it requires keeping the balance between price per minute and queue time. Cirrus Runners Dashboard helps you to keep an eye on this balance
+and make sure that you are getting the most out of your Cirrus Runners.
diff --git a/docs/blog/posts/2024-06-20-jumping-through-the-hoops.md b/docs/blog/posts/2024-06-20-jumping-through-the-hoops.md
new file mode 100644
index 00000000..15df5b38
--- /dev/null
+++ b/docs/blog/posts/2024-06-20-jumping-through-the-hoops.md
@@ -0,0 +1,62 @@
+---
+draft: false
+date: 2024-06-20
+search:
+ exclude: true
+authors:
+ - edigaryev
+categories:
+ - orchard
+---
+
+# Jumping through the hoops: SSH jump host functionality in Orchard
+
+Almost a year ago, when we started building [Orchard](https://github.com/cirruslabs/orchard), an orchestration system for Tart, we quickly realized that most worker machines will be in a private network, and that VMs will be only reachable from the worker machines themselves. Thus, one of our goals became to simplify accessing the compute resources in a cluster through a centralized controller host.
+
+This effort resulted in commands like `orchard port-forward` and `orchard ssh`, which were later improved to support connecting not just to the VMs, but to the worker machines themselves.
+
+Today, we’re making an even further step in this effort: with a trivial configuration, an Orchard controller can act as an SSH jump host to allow connecting to the VMs using just the `ssh` command like `ssh -J @orchard-controller.example.com `!
+
+
+
+## Implementation
+
+In a typical cluster there’s one controller, to which workers connect by calling various REST API endpoints to synchronize the worker & VMs state. Each worker also maintains a persistent bi-directional gRPC connection with the controller, with the goal of improving the overall reactivity and making the port-forwarding work.
+
+The gRPC service definition that the controller offers is pretty minimalistic:
+
+```protobuf
+service Controller {
+ rpc Watch(google.protobuf.Empty) returns (stream WatchInstruction);
+ rpc PortForward(stream PortForwardData) returns (stream PortForwardData);
+}
+```
+
+Each watch instruction corresponds a single action to be done by the worker, which can either be a request for establishing a port-forwarding stream or a request for VMs re-syncing:
+
+```protobuf
+oneof action {
+ PortForward port_forward_action = 1;
+ SyncVMs sync_vms_action = 2;
+}
+```
+
+Now, when the user invokes `orchard port-forward` or `orchard ssh`, controller effectively becomes a rendezvous point by accepting the WebSocket connection from the user, and then asking the worker associated with the requested VM to establish a port-forwarding stream, and finally proxying the two streams together.
+
+
+
+SSH protocol works the same way, multiplexing multiple channels in a single transport connection, where each channel can be upgraded either to an interactive session (that’s what you get when you `ssh` to the server) or X11 channel (for X11 forwarding using `-X`), direct or forward TCP/IP channels (these are used for local and remote port-forwarding when using `-L` and `-R` options correspondingly) and so on.
+
+In fact, `ssh -J` jump host functionality also uses the direct TCP/IP channel, which is [just a single port-forwarding request](https://datatracker.ietf.org/doc/html/rfc4254#section-7.2) that needs to be implemented. We’ve used [Golang's SSH library](https://pkg.go.dev/golang.org/x/crypto/ssh) as the most mature choice for this task, and it’s been pleasant to work with so far.
+
+The support for `ssh -J` has landed in Orchard version 0.19.0. To configure the SSH jump host, simply add the `--listen-ssh` command-line argument to your `orchard controller run` invocation.
+
+Once running, you can connect to any VM in the cluster using the `ssh -J @orchard-controller.example.com `. The password for the jump host is the corresponding service account’s token.
+
+## Future plans
+
+First of all, we’d like to thank our paid clients, without which this feature wouldn’t be possible. [Become one now](../../licensing.md) and get the benefit of higher Tart VMs and Orchard workers allowances and making sure that the roadmap for Tart and Orchard is aligned with your company's needs.
+
+In the near future we plan to implement a mechanism similar to `authorized_keys` file that will allow attaching public SSH keys to the Orchard controller’s service accounts, and thus avoid the need to type the passwords.
+
+Stay tuned and don’t hesitate to send us your feedback on [GitHub](https://github.com/cirruslabs/orchard) and [Twitter](https://x.com/cirrus_labs)!
diff --git a/docs/blog/posts/2025-06-01-tart-guest-agent.md b/docs/blog/posts/2025-06-01-tart-guest-agent.md
new file mode 100644
index 00000000..152fde27
--- /dev/null
+++ b/docs/blog/posts/2025-06-01-tart-guest-agent.md
@@ -0,0 +1,72 @@
+---
+draft: false
+date: 2025-06-01
+search:
+ exclude: true
+authors:
+ - edigaryev
+categories:
+ - announcement
+---
+
+# Bridging the gaps with the Tart Guest Agent
+
+We're introducing a new improvement for the Tart usability experience: a [Tart Guest Agent](https://github.com/cirruslabs/tart-guest-agent).
+
+This agent provides automatic disk resizing, seamless clipboard sharing for macOS guests (a [long-awaited](https://github.com/cirruslabs/tart/issues/14) feature), and the ability to run commands, without SSH and networking, using the new `tart exec` command.
+
+As of recently, we include this agent in all non-vanilla Cirrus Labs images, so you likely won't need to do anything to benefit from these usability improvements.
+
+Read on to learn why we chose to implement the agent from scratch in Golang, and which features we plan to add next.
+
+
+
+## Existing solutions
+
+Tart uses the Virtualization.Framework, and the latter implemented a SPICE client some time ago, however, one piece was missing: the agent that runs inside the guest.
+
+The original [SPICE `vdagent` implementation](https://gitlab.freedesktop.org/spice/linux/vd_agent) only supports Linux. While [a fork](https://github.com/utmapp/vd_agent) from the UTM project adds macOS support, the long-term viability of maintaining this fork without upstreaming changes is uncertain.
+
+Moreover, if we were to add some extra functionality (as we did), there would be more than one agent binary to ship and install, which complicates maintenance and makes it harder to explain to users why we need a bunch of agent binaries.
+
+In the end, we decided to go with our own solution, one that would easily accomodate future ideas.
+
+## Rolling our own agent
+
+After carefully inspecting the [`vdagent` protocol](https://www.spice-space.org/agent-protocol.html) we've realized that the clipboard sharing is actually a small subset of the whole protocol, making it relatively simple to implement.
+
+Thanks to Golang, we were able to implement the protocol much faster than we could have with a lower-level language like C (with all due respect), which requires manual memory management and complex event loops.
+
+As for the command execution via `tart exec`, we've decided to go with gRPC with a rather simple protocol:
+
+
+
+For each `tart exec` invocation a new gRPC `Exec` bidirectional stream is established with the agent running inside a VM. After the gRPC stream is established, `tart exec` sends a command to execute to the guest and streams the I/O. Once the command terminates, `tart exec` collects the process exit code and quits with exactly that exit code.
+
+Using gRPC simplifies `tart exec` implementation because of code generation and forms a nice bridge between the host and the guest which allows us to easily expand the protocol later down the road when we decide to introduce new features.
+
+Thanks to [gRPC Swift](https://github.com/grpc/grpc-swift), which is built on top of [SwiftNIO](https://github.com/apple/swift-nio), we get [`async/await`](https://docs.swift.org/swift-book/documentation/the-swift-programming-language/concurrency/) support for free, further simplifying the `tart exec` logic.
+
+As for the Tart Guest Agent, the final result is a Golang binary that [can be customized](https://github.com/cirruslabs/tart-guest-agent?tab=readme-ov-file#guest-agent-for-tart-vms) depending on the execution context:
+
+* launchd global daemon — runs as a privileged user (`root`), has no clipboard access
+ * `--resize-disk` — resizes the disk when there's a free space at the end of a disk (assuming that one previously ran `tart set --disk-size`)
+* launchd global agent — runs as a normal user (`admin`), has clipboard access
+ * `--run-vdagent` — clipboard sharing
+ * `--run-rpc` — `tart exec` and new functionality in the future
+
+We’ve also introduced `--run-daemon` (which implies `--resize-disk`) and `--run-agent` (which implies both `--run-vdagent` and `--run-rpc`) to help run the most appropriate functionality based on the given context.
+
+## Future plans
+
+First, we'd like to thank our paid clients, without whom this feature wouldn't have been possible.
+
+[Become one now](../../licensing.md) and enjoy higher allowances for Tart VMs and Orchard workers—while helping ensure that our roadmap aligns with your company's needs.
+
+In the near future we plan to implement:
+
+* Linux support — to provide seamless experience for Linux guests too
+* a new `tart ip` resolver — to provide a more robust IP retrieval facility for Linux guests, which often struggle to populate the host's ARP table with their network activity
+* `tart cp` command — to copy files from/to guest VMs
+
+Stay tuned, and feel free to send us feedback on [GitHub](https://github.com/cirruslabs/tart) and [Twitter](https://x.com/cirrus_labs)!
diff --git a/docs/blog/posts/2025-10-27-press-release-fair-enforcement.md b/docs/blog/posts/2025-10-27-press-release-fair-enforcement.md
new file mode 100644
index 00000000..df253263
--- /dev/null
+++ b/docs/blog/posts/2025-10-27-press-release-fair-enforcement.md
@@ -0,0 +1,44 @@
+---
+draft: false
+date: 2025-10-27
+search:
+ exclude: true
+authors:
+ - fkorotkov
+categories:
+ - announcement
+---
+
+# Press Release: Cirrus Labs Successfully Enforces Its Fair Source License
+
+**New York City, NY – October 27th, 2025 – Cirrus Labs, Inc.**, a leading provider of platforms for digital transformation, today announced that it has reached a settlement agreement regarding a violation of its Fair Source License.
+
+
+
+Cirrus Labs makes its Tart Virtualization Toolset, a leading virtualization toolset to build, run and manage macOS and Linux virtual machines (VMs) on Apple Silicon,
+freely available on GitHub under the Fair Source License, a source-available license. Tart is used by tens of thousands of engineers at no charge within its generous free‑use limits.
+Many large enterprises that need to exceed those limits support continued development through paid licenses. Cirrus Labs also uses Tart to power [Cirrus Runners](https://cirrus-runners.app/)
+— a drop‑in replacement for macOS and Linux runners for GitHub Actions — offered at a fixed monthly price for unlimited usage.
+
+Cirrus Labs discovered that, **despite a prior licensing request that was declined due to a conflict of interest**, another company used Tart in a manner that exceeded the license’s free‑use limits,
+in order to create a competing product.
+
+After several months of negotiations, the matter was settled and a settlement payment to Cirrus Labs was agreed upon.
+
+!!! quote "Comment by Fedor Korotkov, CEO of Cirrus Labs"
+
+ As a company we embrace healthy competition that ultimately benefits the end user. Most of our users have no trouble complying with our license,
+ and even when they need something more than our free use limits, we can almost always grant them a license that fits their needs. **This was an exceptional case.**
+ We are pleased to have reached this settlement, which validates our source-available licensing strategy and reinforces our commitment to protecting our company and serving our community.
+
+Cirrus Labs was represented in this matter by [Jordan Raphael](https://byronraphael.com/attorneys/jordan-raphael/) of Byron Raphael LLP, a boutique intellectual property law firm,
+and [Heather Meeker](https://www.techlawpartners.com/heather), a well-known specialist in open source and source available licensing.
+
+The specific financial terms of the settlement and the identity of the counterparty remain confidential.
+
+**About Cirrus Labs:** Cirrus Labs, Inc. is a bootstrapped developer-infrastructure company founded in 2017. Our offerings among others include Tart and Cirrus Runners,
+and our software is used by teams at category-leading companies including Atlassian, Figma, Zendesk, Sentry and many more.
+
+Learn more at [https://tart.run/](https://tart.run/) and [https://cirrus-runners.app/](https://cirrus-runners.app/).
+
+**Contact:** [hello@cirruslabs.org](mailto:hello@cirruslabs.org)
diff --git a/docs/faq.md b/docs/faq.md
new file mode 100644
index 00000000..74f29129
--- /dev/null
+++ b/docs/faq.md
@@ -0,0 +1,284 @@
+---
+hide:
+ - navigation
+title: Frequently Asked Questions
+description: Advanced configuration and troubleshooting tips for advanced configurations.
+---
+
+## Headless machines
+
+Starting from macOS 15 (Sequoia), there's an undocumented requirement from [Virtualization.Framework](https://developer.apple.com/documentation/virtualization) (which Tart uses) to have an unlocked `login.keychain` available at the times when running a VM.
+
+Without an existing and unlocked `login.keychain`, the VM won't start with errors like:
+
+* `SecKeyCreateRandomKey_ios failed`
+* `Failed to generate keypair`
+* `Interaction is not allowed with the Security Server`
+
+Below you'll find a couple of workarounds for this behavior.
+
+### Log in via GUI at least once
+
+Connect to the headless machine via [Screen Sharing](https://support.apple.com/guide/mac-help/share-the-screen-of-another-mac-mh14066/mac) and log in to a Mac user account. If you haven't done already, you can enable Screen Sharing [via the terminal](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-to-mac-instance.html#mac-instance-vnc).
+
+Logging in graphically will automatically create the `login.keychain`. Afterward, you have two options:
+
+* configure [automatic log in to a Mac user account](https://support.apple.com/en-us/102316)
+ * this will maintain a running user session (GUI) even after the machine reboots
+ * moreover, you can still lock the screen (either manually [or automatically](https://support.apple.com/guide/mac-help/change-lock-screen-settings-on-mac-mh11784/mac)), however, the security benefit of this is questionable
+* use `security unlock-keychain login.keychain` to unlock the login keychain via the terminal
+ * this command also supports the `-p` command-line argument, which allows you to supply a password and unlock non-interactively
+
+### Create and unlock the login keychain via the terminal
+
+Compared to the previous approach, this one is fully automated, but might stop working at some point in the future:
+
+```shell
+security create-keychain -p '' login.keychain
+security unlock-keychain -p '' login.keychain
+security login-keychain -s login.keychain
+```
+
+Note that this will create a `login.keychain` with an empty password. Consider supplying a different value to `-p` or omitting the `-p` to enter the password interactively.
+
+## Troubleshooting crashes
+
+If you experience a crash or encounter another error while using the tart executable, you can collect debug information to assist with troubleshooting. Run the following command in a separate terminal window to gather logs from the Tart process and the macOS Virtualization subsystem:
+
+```shell
+log stream --predicate='process=="tart" OR process CONTAINS "Virtualization"' > tart.log
+```
+
+While the events are being streamed, attempt to reproduce the issue. Once the issue is reproduced, stop the streaming by pressing Ctrl+C. Then, attach the tart.log file to your report.
+
+## VM location on disk
+
+Tart stores all its files in `~/.tart/` directory. Local images that you can run are stored in `~/.tart/vms/`.
+Remote images are pulled into `~/.tart/cache/OCIs/`.
+
+## Nested virtualization support?
+
+Tart is limited by functionality of Apple's `Virtualization.Framework`. At the moment `Virtualization.Framework`
+supports nested virtualization only on M3 or M4 chips running macOS 15 (Sequoia). By default, it is disabled, but can be enabled by passing the `--nested` flag to `tart run`.
+
+## Connecting to a service running on host
+
+To connect from within a virtual machine to a service running on the host machine
+please first make sure that the service is bound to `0.0.0.0`.
+
+Then from within a virtual machine you can access the service using the router's IP address that you can get either from `Preferences -> Network`
+or by running the following command in the Terminal:
+
+```shell
+netstat -nr | awk '/default/{print $2; exit}'
+```
+
+Note: that accessing host is only possible with the default NAT network. If you are running your virtual machines with
+[Softnet](https://github.com/cirruslabs/softnet) (via `tart run --net-softnet )`, then the network isolation
+is stricter and it's not possible to access the host.
+
+## Changing the default NAT subnet
+
+To change the default network to `192.168.77.1`:
+
+```shell
+sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.vmnet.plist Shared_Net_Address -string 192.168.77.1
+```
+
+Note that even through a network would normally be specified as `192.168.77.0`, the [vmnet framework](https://developer.apple.com/documentation/vmnet) seems to treat this as a starting address too and refuses to pick up such network-like values.
+
+The default subnet mask `255.255.255.0` should suffice for most use-cases, however, you can also change it to `255.255.0.0`, for example:
+
+```shell
+sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.vmnet.plist Shared_Net_Mask -string 255.255.0.0
+```
+
+## Changing the default DHCP lease time
+
+By default, the built-in macOS DHCP server allocates IP-addresses to the VMs for the duration of 86,400 seconds (one day), which may easily cause DHCP exhaustion if you run more than ~253 VMs per day, or in other words, more than one VM every ~6 minutes.
+
+This issue is worked around automatically [when using Softnet](http://github.com/cirruslabs/softnet), however, if you don't use or can't use it, the following command will reduce the lease time from the default 86,400 seconds (one day) to 600 seconds (10 minutes):
+
+```shell
+sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.InternetSharing.default.plist bootpd -dict DHCPLeaseTimeSecs -int 600
+```
+
+This tweak persists across reboots, so normally you'll only need to do it once per new host.
+
+If that doesn't help after starting a new VM, it's possible that the `/var/db/dhcpd_leases` file is already overfilled with 86,400-second leases. You can remove it with the following command and try starting a new VM again:
+
+```shell
+sudo rm /var/db/dhcpd_leases
+```
+
+And no worries, this file will be re-created on the next `tart run`.
+
+## Unsupported DHCP client identifiers
+
+Due to the limitations of the macOS built-in DHCP server, `tart ip` is unable to correctly report the IP addresses for VMs using DHCP client identifiers that are not based on VMs link-layer addresses (MAC addresses).
+
+By default, when [no `--resolver=arp` is specified](#resolving-the-vms-ip-when-using-bridged-networking), `tart ip` reads the `/var/db/dhcpd_leases` file and tries to find the freshest entry that matches the VM's MAC address (based on the `hw_address` field).
+
+However, things starts to break when the VM uses a [DUID-EN](https://metebalci.com/blog/a-note-on-dhcpv6-duid-and-prefix-delegation#duid-types) identifier, for example. One of the notorious examples of this being Ubuntu, using this type of identifier by default on latest versions. This results in the `/var/db/dhcpd_leases` entry for Ubuntu appearing as follows:
+
+```ini
+{
+ name=ubuntu
+ ip_address=192.168.64.3
+ hw_address=ff,f1:f5:dd:7f:0:2:0:0:ab:11:cb:fb:30:b0:97:b6:3a:67
+ identifier=ff,f1:f5:dd:7f:0:2:0:0:ab:11:cb:fb:30:b0:97:b6:3a:67
+ lease=0x678e2ce7
+}
+```
+
+Because the macOS built-in DHCP server overwrites the `hw_address` with the `identifier`, it leaves no information about the VM's MAC address to the `tart ip`.
+
+To avoid this issue, make sure that your VM only sends a DHCP client identifier (option 61) with link-layer address (MAC address) or that it doesn't send this option at all.
+
+For the aforementioned Ubuntu, the solution is outlined in the section [How to integrate with Windows DHCP Server](https://netplan.readthedocs.io/en/stable/examples/#how-to-integrate-with-windows-dhcp-server) of Canonical Netplan's documentation:
+
+```yaml
+network:
+ version: 2
+ ethernets:
+ enp3s0:
+ dhcp4: yes
+ dhcp-identifier: mac
+```
+
+## Resolving the VM's IP when using bridged networking
+
+When running `tart run` with `--net-bridged`, you need to invoke `tart ip` differently, because the macOS built-in DHCP server won't have any information about the VM's IP-address:
+
+```shell
+tart ip --resolver=arp
+```
+
+This causes the `tart ip` to consult the host's ARP table instead of the `/var/db/dhcpd_leases` file.
+
+Note that this method of resolving the IP heavily relies on the level of VM's activity on the network, namely, exchanging ARP requests between the guest and the host.
+
+This is normally not an issue for macOS VMs, but on Linux VMs you might need to install Samba, which includes a [NetBIOS name server](https://www.samba.org/samba/docs/current/man-html/nmbd.8.html) and exhibits the same behavior as macOS, resulting in the population of the ARP table of the host OS:
+
+```shell
+sudo apt-get install samba
+```
+
+## Running login/clone/pull/push commands over SSH
+
+When invoking the Tart in an SSH session, you might get error like this:
+
+>Keychain returned unsuccessful status -25308
+
+...or this:
+
+>Keychain failed to update item: User interaction is not allowed.
+
+This is because Tart uses [Keychain](https://en.wikipedia.org/wiki/Keychain_(software)) to store and retrieve OCI registry credentials by default, but Keychain is only automatically/semi-automatically unlocked in GUI sessions.
+
+To unlock the Keychain in an SSH session, run the following command, which will ask for your user's password:
+
+```shell
+security unlock-keychain login.keychain
+```
+
+This command also supports the `-p` command-line argument that allows you to supply a password and unlock non-interactively, which is great for scripts.
+
+Alternatively, you can pass the credentials via the environment variables, see [Registry Authorization](integrations/vm-management.md#registry-authorization) for more details on how to do that.
+
+## How is Tart different from Anka?
+
+Under the hood Tart is using the same technology as Anka 3.0 so there should be no real difference in performance
+or features supported. If there is some feature missing please don't hesitate to [create a feature request](https://github.com/cirruslabs/tart/issues).
+
+Instead of Anka Registry, Tart can work with any OCI-compatible container registry. This provides a much more consistent
+and scalable experience for distributing virtual machines.
+
+Tart does have an analogue of Anka Controller for managing VMs across a cluster of Mac hosts called [Orchard](orchard/quick-start.md).
+
+## Automatic pruning
+
+`tart pull` and `tart clone` commands check the remaining space available on the volume associated with `TART_HOME` directory (defaults to `~/.tart`) before pulling or cloning anything.
+
+In case there's not enough space to fit the newly pulled or cloned VM image, Tart will remove the least recently accessed VMs from OCI cache and `.ipsw` files from IPSW cache until enough free space is available.
+
+The `tart clone` command limits this automatic pruning to 100 GB by default to avoid removing too many cached items. You can change this limit with the `--prune-limit` option (in gigabytes).
+
+To disable this functionality, set the `TART_NO_AUTO_PRUNE` environment variable either globally:
+
+```shell
+export TART_NO_AUTO_PRUNE=
+```
+
+...or per `tart pull` and `tart clone` invocation as follows:
+
+```shell
+TART_NO_AUTO_PRUNE= tart pull ...
+```
+
+## Disk resizing
+
+Disk resizing works on most cloud-ready Linux distributions out-of-the box (e.g. Ubuntu Cloud Images have the `cloud-initramfs-growroot` package installed that runs on boot) and on the rest of the distributions by running the `growpart` or `resize2fs` commands.
+
+For macOS, however, things are a bit more complicated, and you generally have two options: automated and manual resizing.
+
+For the automated option, you can use [Packer](https://www.packer.io/) with the [Packer builder for Tart VMs](https://developer.hashicorp.com/packer/integrations/cirruslabs/tart/latest/components/builder/tart). The latter has two has configuration directives related to the disk resizing behavior:
+
+* [`disk_size_gb`](https://developer.hashicorp.com/packer/integrations/cirruslabs/tart/latest/components/builder/tart#configuration-reference) — controls the target disk size in gigabytes
+* [`recovery_partition`](https://developer.hashicorp.com/packer/integrations/cirruslabs/tart/latest/components/builder/tart#configuration-reference) — controls what to do with the recovery partition when resizing the disk
+ * you can either keep, delete or relocate it to the end of the disk
+
+For the manual approach, you have to remove the recovery partition first, repair the disk and the resize the APFS container.
+
+To do this, first we'll need to identify the primary disk and the APFS containers by running the command below from within a VM:
+
+```shell
+diskutil list physical
+```
+
+For example, the output might look like this:
+
+```plain
+/dev/disk0 (internal, physical):
+ #: TYPE NAME SIZE IDENTIFIER
+ 0: GUID_partition_scheme *100.0 GB disk0
+ 1: Apple_APFS_ISC Container disk1 524.3 MB disk0s1
+ 2: Apple_APFS Container disk3 44.1 GB disk0s2
+ 3: Apple_APFS_Recovery Container disk2 5.4 GB disk0s3
+ (free space) 50.0 GB -
+```
+
+In the output, you'll normally see:
+
+* a single physical disk (`disk0`)
+* APFS container with the system partition which we're going to resize (`disk0s2`)
+* APFS container with the recovery partition which we're going to delete (`disk0s3`)
+* `(free space)` which we'll put to use
+
+To proceed, boot the VM in recovery mode using `tart run --recovery` and choose the "Options" item:
+
+{width="640" .center}
+
+When the recovery OS boots, open the Terminal app:
+
+{width="720" .center}
+
+In Terminal app, invoke the command below to remove the recovery partition:
+
+```shell
+diskutil eraseVolume free free disk0s3
+```
+
+Now, repair the disk:
+
+```shell
+yes | diskutil repairDisk disk0
+```
+
+Finally, resize the system APFS container to take all the remaining space:
+
+```shell
+diskutil apfs resizeContainer disk0s2 0
+```
+
+Now, you can shut down and `tart run` as you'd normally do.
diff --git a/docs/index.md b/docs/index.md
new file mode 100644
index 00000000..58a33f88
--- /dev/null
+++ b/docs/index.md
@@ -0,0 +1,5 @@
+---
+template: overrides/home.html
+title: Toolset to build, run and manage macOS and Linux VMs
+description: Native performance. Remote storage for Virtual Machines. Many integrations including GitHub, GitLab and more.
+---
diff --git a/docs/integrations/buildkite.md b/docs/integrations/buildkite.md
new file mode 100644
index 00000000..285b6116
--- /dev/null
+++ b/docs/integrations/buildkite.md
@@ -0,0 +1,26 @@
+---
+title: Buildkite Integration
+description: Run pipeline steps in isolated ephemeral Tart Virtual Machines.
+---
+
+# Buildkite
+
+It is possible to run [Buildkite](https://buildkite.com/) pipeline steps in isolated ephemeral Tart Virtual Machines with the help of [Tart Buildkite Plugin](https://github.com/cirruslabs/tart-buildkite-plugin):
+
+
+
+## Configuration
+
+The most basic configuration looks like this:
+
+```yaml
+steps:
+- command: uname -a
+ plugins:
+ - cirruslabs/tart#main:
+ image: ghcr.io/cirruslabs/macos-sequoia-base:latest
+```
+
+This will run `uname -r` in a macOS Tart VM cloned from `ghcr.io/cirruslabs/macos-sequoia-base:latest`.
+
+See plugin's [Configuration section](https://github.com/cirruslabs/tart-buildkite-plugin#configuration) for the full list of available options.
diff --git a/docs/integrations/cirrus-cli.md b/docs/integrations/cirrus-cli.md
new file mode 100644
index 00000000..c1dcee8d
--- /dev/null
+++ b/docs/integrations/cirrus-cli.md
@@ -0,0 +1,66 @@
+---
+title: Cirrus CLI
+description: Tool for running isolated tasks reproducibly in any environment with a simple YAML configuration.
+---
+
+# Cirrus CLI
+
+Tart itself is only responsible for managing virtual machines, but we've built Tart support into a tool called Cirrus CLI
+also developed by Cirrus Labs. [Cirrus CLI](https://github.com/cirruslabs/cirrus-cli) is a command line tool with
+one configuration format to execute common CI steps (run a script, cache a folder, etc.) locally or in any CI system.
+We built Cirrus CLI to solve "But it works on my machine!" problem.
+
+Here is an example of a `.cirrus.yml` configuration file which will start a Tart VM, will copy over working directory and
+will run scripts and [other instructions](https://cirrus-ci.org/guide/writing-tasks/#supported-instructions) inside the virtual machine:
+
+```yaml
+task:
+ name: hello
+ macos_instance:
+ # can be a remote or a local virtual machine
+ image: ghcr.io/cirruslabs/macos-sequoia-base:latest
+ hello_script:
+ - echo "Hello from within a Tart VM!"
+ - echo "Here is my CPU info:"
+ - sysctl -n machdep.cpu.brand_string
+ - sleep 15
+```
+
+Put the above `.cirrus.yml` file in the root of your repository and run it with the following command:
+
+```bash
+brew install cirruslabs/cli/cirrus
+cirrus run
+```
+
+
+
+[Cirrus CI](https://cirrus-ci.org/) already leverages Tart to power its macOS cloud infrastructure. The `.cirrus.yml`
+config from above will just work in Cirrus CI and your tasks will be executed inside Tart VMs in our cloud.
+
+**Note:** Cirrus CI only allows [images managed and regularly updated by us](https://github.com/orgs/cirruslabs/packages?tab=packages&q=macos).
+
+## Retrieving artifacts from within Tart VMs
+
+In many cases there is a need to retrieve particular files or a folder from within a Tart virtual machine.
+For example, the below `.cirrus.yml` configuration defines a single task that builds a `tart` binary and
+exposes it via [`artifacts` instruction](https://cirrus-ci.org/guide/writing-tasks/#artifacts-instruction):
+
+```yaml
+task:
+ name: Build
+ macos_instance:
+ image: ghcr.io/cirruslabs/macos-sequoia-xcode:latest
+ build_script: swift build --product tart
+ binary_artifacts:
+ path: .build/debug/tart
+```
+
+Running Cirrus CLI with `--artifacts-dir` will write defined `artifacts` to the provided local directory on the host:
+
+```bash
+cirrus run --artifacts-dir artifacts
+```
+
+Note that all retrieved artifacts will be prefixed with the associated task name and `artifacts` instruction name.
+For the example above, `tart` binary will be saved to `$PWD/artifacts/Build/binary/.build/debug/tart`.
diff --git a/docs/integrations/gitlab-runner.md b/docs/integrations/gitlab-runner.md
new file mode 100644
index 00000000..127cedd8
--- /dev/null
+++ b/docs/integrations/gitlab-runner.md
@@ -0,0 +1,54 @@
+---
+title: GitLab Runner Executor
+description: Run jobs in isolated ephemeral Tart Virtual Machines.
+---
+
+# GitLab Runner Executor
+
+It is possible to run GitLab jobs in isolated ephemeral Tart Virtual Machines via [Tart Executor](https://github.com/cirruslabs/gitlab-tart-executor).
+Tart Executor utilizes [custom executor](https://docs.gitlab.com/runner/executors/custom.html) feature of GitLab Runner.
+
+# Basic Configuration
+
+Configuring Tart Executor for GitLab Runner is as simple as installing `gitlab-tart-executor` binary from Homebrew:
+
+```bash
+brew install cirruslabs/cli/gitlab-tart-executor
+```
+
+And updating configuration of your self-hosted GitLab Runner to use `gitlab-tart-executor` binary:
+
+```toml
+concurrent = 2
+
+[[runners]]
+ # ...
+ executor = "custom"
+ builds_dir = "/Users/admin/builds" # directory inside the VM
+ cache_dir = "/Users/admin/cache"
+ [runners.feature_flags]
+ FF_RESOLVE_FULL_TLS_CHAIN = false
+ [runners.custom]
+ prepare_exec = "gitlab-tart-executor"
+ prepare_args = ["prepare"]
+ run_exec = "gitlab-tart-executor"
+ run_args = ["run"]
+ cleanup_exec = "gitlab-tart-executor"
+ cleanup_args = ["cleanup"]
+```
+
+Now you can use Tart Images in your `.gitlab-ci.yml`:
+
+```yaml
+# You can use any remote Tart Image.
+# Tart Executor will pull it from the registry and use it for creating ephemeral VMs.
+image: ghcr.io/cirruslabs/macos-sequoia-base:latest
+
+test:
+ tags:
+ - tart-installed # in case you tagged runners with Tart Executor installed
+ script:
+ - uname -a
+```
+
+For more advanced configuration please refer to [GitLab Tart Executor repository](https://github.com/cirruslabs/gitlab-tart-executor).
diff --git a/docs/integrations/vm-management.md b/docs/integrations/vm-management.md
new file mode 100644
index 00000000..ab210653
--- /dev/null
+++ b/docs/integrations/vm-management.md
@@ -0,0 +1,143 @@
+---
+title: Managing Virtual Machine
+description: Use Packer to build custom VM images, configure VMs and work with remote OCI registries.
+---
+
+# Managing Virtual Machine
+
+## Creating from scratch
+
+Tart supports macOS and Linux virtual machines. All commands like `run` and `pull` work the same way regardless of the underlying OS a particular VM image has.
+The only difference is how such VM images are created. Please check sections below for [macOS](#creating-a-macos-vm-image-from-scratch) and [Linux](#creating-a-linux-vm-image-from-scratch) instructions.
+
+### Creating a macOS VM image from scratch
+
+Tart can create VMs from `*.ipsw` files. You can download a specific `*.ipsw` file [here](https://ipsw.me/) or you can
+use `latest` instead of a path to `*.ipsw` to download the latest available version:
+
+```bash
+tart create --from-ipsw=latest sequoia-vanilla
+tart run sequoia-vanilla
+```
+
+After the initial booting of the VM, you'll need to manually go through the macOS installation process. As a convention we recommend creating an `admin` user with an `admin` password. After the regular installation please do some additional modifications in the VM:
+
+1. Enable Auto-Login. Users & Groups -> Login Options -> Automatic login -> admin.
+2. Allow SSH. Sharing -> Remote Login
+3. Disable Lock Screen. Preferences -> Lock Screen -> disable "Require Password" after 5.
+4. Disable Screen Saver.
+5. Run `sudo visudo` in Terminal, find `%admin ALL=(ALL) ALL` add `admin ALL=(ALL) NOPASSWD: ALL` to allow sudo without a password.
+
+### Creating a Linux VM image from scratch
+
+Linux VMs are supported on hosts running macOS 13.0 (Ventura) or newer.
+
+```bash
+# Create a bare VM
+tart create --linux ubuntu
+
+# Install Ubuntu
+tart run --disk focal-desktop-arm64.iso ubuntu
+
+# Run VM
+tart run ubuntu
+```
+
+After the initial setup please make sure your VM can be SSH-ed into by running the following commands inside your VM:
+
+```bash
+sudo apt update
+sudo apt install -y openssh-server
+sudo ufw allow ssh
+```
+
+## Configuring a VM
+
+By default, a Tart VM uses 2 CPUs and 4 GB of memory with a `1024x768` display. This can be changed after VM creation with `tart set` command.
+Please refer to `tart set --help` for additional details.
+
+## Building with Packer
+
+Please refer to [Tart Packer Plugin repository](https://github.com/cirruslabs/packer-plugin-tart) for setup instructions.
+Here is an example of a template to build a local image based of a remote image:
+
+```hcl
+packer {
+ required_plugins {
+ tart = {
+ version = ">= 0.5.3"
+ source = "github.com/cirruslabs/tart"
+ }
+ }
+}
+
+source "tart-cli" "tart" {
+ vm_base_name = "ghcr.io/cirruslabs/macos-sequoia-base:latest"
+ vm_name = "my-custom-sequoia"
+ cpu_count = 4
+ memory_gb = 8
+ disk_size_gb = 70
+ ssh_password = "admin"
+ ssh_timeout = "120s"
+ ssh_username = "admin"
+}
+
+build {
+ sources = ["source.tart-cli.tart"]
+
+ provisioner "shell" {
+ inline = ["echo 'Disabling spotlight indexing...'", "sudo mdutil -a -i off"]
+ }
+
+ # more provisioners
+}
+```
+
+Here is a [repository with Packer templates](https://github.com/cirruslabs/macos-image-templates) used to build [all the images managed by us](https://github.com/orgs/cirruslabs/packages?tab=packages&q=macos).
+
+## Working with a Remote OCI Container Registry
+
+Tart supports interacting with Open Container Initiative (OCI) registries, but only runs images created and pushed by Tart. This means images created for container engines, like Docker, can't be pulled. Instead, create a custom image as documented above.
+
+For example, let's say you want to push/pull images to an OCI registry hosted at `https://acme.io/`.
+
+### Registry Authorization
+
+First, you need to login to `acme.io` with the `tart login` command:
+
+```bash
+tart login acme.io
+```
+
+If you login to your registry with OAuth, you may need to create an access token to use as the password.
+Credentials are securely stored in Keychain.
+
+In addition, Tart supports [Docker credential helpers](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers)
+if defined in `~/.docker/config.json`.
+
+Finally, `TART_REGISTRY_USERNAME` and `TART_REGISTRY_PASSWORD` environment variables allow to override authorization
+for all registries which might useful for integrating with your CI's secret management.
+
+### Pushing a Local Image
+
+Once credentials are saved for `acme.io`, run the following command to push a local images remotely with two tags:
+
+```bash
+tart push my-local-vm-name acme.io/remoteorg/name:latest acme.io/remoteorg/name:v1.0.0
+```
+
+### Pulling a Remote Image
+
+You can either pull an image:
+
+```bash
+tart pull acme.io/remoteorg/name:latest
+```
+
+or create a VM from a remote image:
+
+```bash
+tart clone acme.io/remoteorg/name:latest my-local-vm-name
+```
+
+If the specified image is not already present, this invocation calls the `tart pull` implicitly before cloning.
diff --git a/docs/layouts/custom.yml b/docs/layouts/custom.yml
new file mode 100644
index 00000000..62b316e7
--- /dev/null
+++ b/docs/layouts/custom.yml
@@ -0,0 +1,260 @@
+# Copyright (c) 2016-2024 Martin Donath
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+# -----------------------------------------------------------------------------
+# Configuration
+# -----------------------------------------------------------------------------
+
+# Definitions
+definitions:
+
+ # Background image
+ - &background_image >-
+ {{ layout.background_image | x }}
+
+ # Background color (default: indigo)
+ - &background_color >-
+ {%- if layout.background_color -%}
+ {{ layout.background_color }}
+ {%- else -%}
+ {%- set palette = config.theme.palette or {} -%}
+ {%- if not palette is mapping -%}
+ {%- set list = palette | selectattr("accent") | list + palette -%}
+ {%- set palette = list | first -%}
+ {%- endif -%}
+ {%- set accent = palette.get("accent", "indigo") -%}
+ {%- set accent = accent.replace(" ", "-") -%}
+ {{ {
+ "red": "#ff1a47",
+ "pink": "#f50056",
+ "purple": "#df41fb",
+ "deep-purple": "#7c4dff",
+ "indigo": "#526cfe",
+ "blue": "#4287ff",
+ "light-blue": "#0091eb",
+ "cyan": "#00bad6",
+ "teal": "#00bda4",
+ "green": "#00c753",
+ "light-green": "#63de17",
+ "lime": "#b0eb00",
+ "yellow": "#ffd500",
+ "amber": "#ffaa00",
+ "orange": "#ff9100",
+ "deep-orange": "#ff6e42"
+ }[accent] or "#4051b5" }}
+ {%- endif -%}
+
+ # Text color (default: white)
+ - &color >-
+ {%- if layout.color -%}
+ {{ layout.color }}
+ {%- else -%}
+ {%- set palette = config.theme.palette or {} -%}
+ {%- if not palette is mapping -%}
+ {%- set list = palette | selectattr("accent") | list + palette -%}
+ {%- set palette = list | first -%}
+ {%- endif -%}
+ {%- set accent = palette.get("accent", "indigo") -%}
+ {%- set accent = accent.replace(" ", "-") -%}
+ {{ {
+ "red": "#ffffff",
+ "pink": "#ffffff",
+ "purple": "#ffffff",
+ "deep-purple": "#ffffff",
+ "indigo": "#ffffff",
+ "blue": "#ffffff",
+ "light-blue": "#ffffff",
+ "cyan": "#ffffff",
+ "teal": "#ffffff",
+ "green": "#ffffff",
+ "light-green": "#ffffff",
+ "lime": "#000000",
+ "yellow": "#000000",
+ "amber": "#000000",
+ "orange": "#000000",
+ "deep-orange": "#ffffff"
+ }[accent] or "#ffffff" }}
+ {%- endif -%}
+
+ # Font family (default: Roboto)
+ - &font_family >-
+ {%- if layout.font_family -%}
+ {{ layout.font_family }}
+ {%- elif config.theme.font != false -%}
+ {{ config.theme.font.get("text", "Roboto") }}
+ {%- else -%}
+ Roboto
+ {%- endif -%}
+
+ # Font variant
+ - &font_variant >-
+ {%- if layout.font_variant -%}
+ {{ layout.font_variant }}
+ {%- endif -%}
+
+ # Site name
+ - &site_name >-
+ {{ config.site_name }}
+
+ # Page title
+ - &page_title >-
+ {%- if page.meta.no_title_in_card -%}
+ {# do not show anything #}
+ {%- elif layout.title -%}
+ {{ layout.title }}
+ {%- else -%}
+ {{ page.meta.get("title", page.title) }}
+ {%- endif -%}
+
+ # Page title with site name
+ - &page_title_with_site_name >-
+ {%- if not page.is_homepage -%}
+ {{ page.meta.get("title", page.title) }} - {{ config.site_name }}
+ {%- else -%}
+ {{ page.meta.get("title", page.title) }}
+ {%- endif -%}
+
+ # Page description
+ - &page_description >-
+ {%- if layout.description -%}
+ {{ layout.description }}
+ {%- else -%}
+ {{ page.meta.get("description", config.site_description) | x }}
+ {%- endif -%}
+
+ # Page description for social card
+ - &page_description_social_card >-
+ {%- if layout.description -%}
+ {{ layout.description }}
+ {%- else -%}
+ {{ page.meta.get("description", config.site_description_social_card) | x }}
+ {%- endif -%}
+
+ # Logo
+ - &logo >-
+ {%- if layout.logo -%}
+ {{ layout.logo }}
+ {%- elif config.theme.logo -%}
+ {{ config.docs_dir }}/{{ config.theme.logo }}
+ {%- endif -%}
+
+ # Logo (icon)
+ - &logo_icon >-
+ {%- if not layout.logo -%}
+ {{ config.theme.icon.logo | x }}
+ {%- endif -%}
+
+# Meta tags
+tags:
+
+ # Open Graph
+ og:type: website
+ og:title: *page_title_with_site_name
+ og:description: *page_description
+ og:image: "{{ image.url }}"
+ og:image:type: "{{ image.type }}"
+ og:image:width: "{{ image.width }}"
+ og:image:height: "{{ image.height }}"
+ og:url: "{{ page.canonical_url }}"
+
+ # Twitter
+ twitter:card: summary_large_image
+ twitter:title: *page_title_with_site_name
+ twitter:description: *page_description
+ twitter:image: "{{ image.url }}"
+
+# -----------------------------------------------------------------------------
+# Specification
+# -----------------------------------------------------------------------------
+
+# Card size and layers
+size: { width: 1200, height: 630 }
+layers:
+
+ # Background
+ - background:
+ image: *background_image
+ color: *background_color
+
+ # Logo
+ - size: { width: 170, height: 192 }
+ offset: { x: 966, y: 64 }
+ background:
+ image: *logo
+ icon:
+ value: *logo_icon
+ color: *color
+
+ # Site name
+ - size: { width: 832, height: 42 }
+ offset: { x: 64, y: 64 }
+ typography:
+ content: *site_name
+ align: start center
+ color: *color
+ font:
+ family: *font_family
+ variant: *font_variant
+ style: Bold
+
+ # Motto
+ - size: { width: 832, height: 150 }
+ offset: { x: 64, y: 106 }
+ typography:
+ content: "{{ config.motto }}"
+ align: start center
+ color: *color
+ line:
+ amount: 2.5
+ height: 1.25
+ font:
+ family: *font_family
+ variant: *font_variant
+ style: Bold
+
+ # Page title
+ - size: { width: 1072, height: 256 }
+ offset: { x: 64, y: 256 }
+ typography:
+ content: *page_title
+ align: start center
+ color: *color
+ line:
+ amount: 3
+ height: 1.25
+ font:
+ family: *font_family
+ variant: *font_variant
+ style: Bold
+
+ # Page description
+ - size: { width: 832, height: 64 }
+ offset: { x: 64, y: 512 }
+ typography:
+ content: *page_description_social_card
+ align: start center
+ color: *color
+ line:
+ amount: 2
+ height: 1.5
+ font:
+ family: *font_family
+ variant: *font_variant
+ style: Regular
\ No newline at end of file
diff --git a/docs/legal/privacy.md b/docs/legal/privacy.md
new file mode 100644
index 00000000..9f857202
--- /dev/null
+++ b/docs/legal/privacy.md
@@ -0,0 +1,113 @@
+---
+search:
+ exclude: true
+---
+
+
+
+# Privacy Policy
+
+In addition to this Privacy Policy, Cirrus Labs also has a [Terms of Service](terms.md).
+
+### The Gist
+
+Cirrus Labs Inc will collect certain non-personally identify information about you as you use our sites. We may use
+this data to better understand our users. We can also publish this data, but the data will be about a large group of users,
+not individuals.
+
+We will also ask you to provide personal information, but you'll always be able to opt out. If you give us personal
+information, we won't do anything evil with it.
+
+We can also use cookies, but you can choose not to store these.
+
+That's the basic idea, but you must read through the entire Privacy Policy below and agree with all the details
+before you use any of our sites.
+
+### Reuse
+
+This document is based upon the [Automattic Privacy Policy](https://automattic.com/privacy/) and is licensed under
+[Creative Commons Attribution Share-Alike License 2.5](https://creativecommons.org/licenses/by-sa/2.5/). Basically,
+this means you can use it verbatim or edited, but you must release new versions under the same license and
+you have to credit Automattic somewhere (like this!). Automattic is not connected with and does not sponsor or endorse
+Cirrus Labs Inc or its use of the work.
+
+Cirrus Labs Inc ("Cirrus Labs") makes available services include our web sites (https://tart.run/), our blog, our API,
+and any other software, sites, and services offered by Cirrus Labs Inc in connection to any of those (taken together, the "Service").
+It is Cirrus Labs Inc's policy to respect your privacy regarding any information we may collect while operating our websites.
+
+### Questions
+
+If you have question about this Privacy Policy, please contact us at hello@cirruslabs.org
+
+### Visitors
+
+Like most website operators, Cirrus Labs Inc collects non-personally-identifying information of the sort that web browsers and
+servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request.
+Cirrus Labs Inc's purpose in collecting non-personally identifying information is to better understand how Cirrus Labs Inc's
+visitors use its website. From time to time, Cirrus Labs Inc may release non-personally-identifying information in the aggregate,
+e.g., by publishing a report on trends in the usage of its website.
+
+Cirrus Labs Inc also collects potentially personally-identifying information like Internet Protocol (IP) addresses.
+Cirrus Labs Inc does not use such information to identify its visitors, however, and does not disclose such information,
+other than under the same circumstances that it uses and discloses personally-identifying information, as described below.
+We may also collect and use IP addresses to block users who violated our Terms of Service.
+
+### Gathering of Personally-Identifying Information
+
+Certain visitors to Cirrus Labs Inc's websites choose to interact with Cirrus Labs Inc in ways that require
+Cirrus Labs Inc to gather personally-identifying information. The amount and type of information that Cirrus Labs Inc gathers
+depends on the nature of the interaction. Cirrus Labs Inc collects such information only insofar as is necessary or
+appropriate to fulfill the purpose of the visitor's interaction with Cirrus Labs Inc. Cirrus Labs Inc does not disclose
+personally-identifying information other than as described below. And visitors can always refuse to supply personally-identifying information,
+with the caveat that it may prevent them from engaging in certain Service-related activities.
+
+Additionally, some interactions, such as posting a comment, may ask for optional personal information. For instance,
+when posting a comment, may provide a website that will be displayed along with a user's name when the comment is displayed.
+Supplying such personal information is completely optional and is only displayed for the benefit and the convenience of the user.
+
+### Aggregated Statistics
+
+Cirrus Labs Inc may collect statistics about the behavior of visitors to the Service. For instance, Cirrus Labs Inc
+may monitor the most popular parts of the https://tart.run/. Cirrus Labs Inc may display this information publicly or
+provide it to others. However, Cirrus Labs Inc does not disclose personally-identifying information other than as described below.
+
+### Protection of Certain Personally-Identifying Information
+
+Cirrus Labs Inc discloses potentially personally-identifying and personally-identifying information only to those of its employees,
+contractors and affiliated organizations that (i) need to know that information in order to process it on Cirrus Labs Inc's behalf
+or to provide services available at Cirrus Labs Inc's websites, and (ii) that have agreed not to disclose it to others.
+Some of those employees, contractors and affiliated organizations may be located outside of your home country; by using the Service,
+you consent to the transfer of such information to them. Cirrus Labs Inc will not rent or sell potentially personally-identifying and
+personally-identifying information to anyone. Other than to its employees, contractors and affiliated organizations, as described above,
+Cirrus Labs Inc discloses potentially personally-identifying and personally-identifying information only when required to do so by law,
+or when Cirrus Labs Inc believes in good faith that disclosure is reasonably necessary to protect the property or rights of Cirrus Labs Inc,
+third parties or the public at large. If you are a registered user of the Service and have supplied your email address, Cirrus Labs Inc may
+occasionally send you an email to tell you about new features, solicit your feedback, or just keep you up to date with what's going on with
+Cirrus Labs Inc and our products. We primarily use our website and blog to communicate this type of information, so we expect to keep
+this type of email to a minimum. If you send us a request (for example via a support email or via one of our feedback mechanisms),
+we reserve the right to publish it in order to help us clarify or respond to your request or to help us support other users.
+Cirrus Labs Inc takes all measures reasonably necessary to protect against the unauthorized access, use, alteration or
+destruction of potentially personally-identifying and personally-identifying information.
+
+### Browser Cookies
+
+A cookie is a string of information that a website stores on a visitor's computer, and that the visitor's browser provides
+to the Service each time the visitor returns. Cirrus Labs Inc uses cookies to help Cirrus Labs Inc identify and track visitors,
+their usage of Cirrus Labs Inc Service, and their Service access preferences. Cirrus Labs Inc visitors who do not wish to have
+cookies placed on their computers should set their browsers to refuse cookies before using Cirrus Labs Inc's websites, with
+the drawback that certain features of Cirrus Labs Inc's websites may not function properly without the aid of cookies.
+
+### Data Storage
+
+Cirrus Labs Inc uses third party vendors and hosting partners to provide the necessary hardware, software, networking,
+storage, and related technology required to run the Service. You understand that although you retain full rights to your data,
+it may be stored on third party storage and transmitted through third party networks.
+
+### Privacy Policy Changes
+
+Although most changes are likely to be minor, Cirrus Labs Inc may change its Privacy Policy from time to time,
+and in Cirrus Labs Inc's sole discretion. Cirrus Labs Inc encourages visitors to frequently check this page for any changes
+to its Privacy Policy. Your continued use of this site after any change in this Privacy Policy will constitute your
+acceptance of such change.
+
+This page was last updated on 02/20/2023.
diff --git a/docs/legal/terms.md b/docs/legal/terms.md
new file mode 100644
index 00000000..ede46bd7
--- /dev/null
+++ b/docs/legal/terms.md
@@ -0,0 +1,249 @@
+---
+search:
+ exclude: true
+---
+
+
+
+# Terms of Service
+
+This page covers Terms of Service only for Cirrus Runners and Tart Documentation website in addition to the [Privacy Policy](privacy.md).
+
+### The Gist
+
+Cirrus Labs Inc ("Cirrus Labs") operates the [Cirrus Runners service](https://cirrus-runners.app/) which we hope you use.
+If you use it, please use it responsibly. If you don't, we'll have to terminate your subscription.
+
+For paid plans, you'll be charged on a monthly basis. You can cancel anytime, but there are no refunds.
+
+The Terms of Service and our prices can change at any time unless specified in your agreement. We'll warn you 30 days in advance of any price changes.
+We'll try to warn you about major changes to the Terms of Service, but we make no guarantees.
+
+That's the basic idea, but you must read through the entire Terms of Service below and agree with all the details before
+you use any of our websites or services (whether or not you have signed up).
+
+### Reuse
+
+This document is an adaptation of the Code Climate Terms of Service, which is an adaptation of the Heroku Terms of Service,
+which is turn an adaptation of the Google App Engine Terms of Service. The original work has been modified
+with permission under the [Creative Commons Attribution 3.0 License](https://creativecommons.org/licenses/by/3.0/).
+Neither Code Climate, Inc, nor Heroku, Inc. nor Google, Inc. is connected with and they do not sponsor or endorse
+Cirrus Labs or its use of the work.
+
+You're welcome to adapt and use this document for your own needs. If you make an improvement, we'd appreciate it if
+you would let us know, so we can consider improving our own document.
+
+### Your Agreement with Cirrus Labs Inc
+
+Your use of the Cirrus Runners Service is governed by this agreement (the "Terms"). The "Service" means the services Cirrus Labs
+makes available include our websites (https://tart.run/, https://cirrus-runners.app/), our blog, and any other software, sites,
+and services offered by Cirrus Labs in connection to any of those.
+
+"Customer Source Code" means any source code you directly or indirectly submit to Cirrus Runners for the purpose of using the Service.
+"Content" means all content generated by Cirrus Runners on your behalf (including metric data) and does not include Customer Source Code.
+
+In order to use the Service, You (the "Customer", "You", or "Your") must first agree to the Terms. You understand and agree
+that Cirrus Labs will treat Your use of the Service as acceptance of the Terms from that point onwards.
+
+Cirrus Labs may make changes to the Terms from time to time. You may reject the changes by terminating Your subscription.
+You understand and agree that if You use the Service after the date on which the Terms have changed, Cirrus Labs will treat
+Your use as acceptance of the updated Terms.
+
+If you have any question about the Terms, please [contact us](../licensing.md#general-support).
+
+### Use of the Service
+
+* You must provide accurate and complete registration information any time You register to use the Service.
+* You are responsible for the security of Your passwords and for any use of Your user.
+* Your use of the Service must comply with all applicable laws, regulations and ordinances.
+* You agree to not engage in any activity that interferes with or disrupts the Service.
+* Cirrus Labs reserves the right to enforce quotas and usage limits (to any resources, including the API) at its sole discretion,
+with or without notice, which may result in Cirrus Labs disabling or throttling your usage of the Service for any amount of time.
+
+### Service Policies and Privacy
+
+The Service shall be subject to the privacy policy for the Service available at [Privacy Policy](privacy.md), hereby
+expressly into the Terms of Service by reference. You agree to the use of Your data in accordance with Cirrus Labs' privacy policies.
+
+### Fees for Use of the Service
+
+* The Service may be provided to You without charge up with certain limits or for a certain "trial" period of time.
+* All payments for use of the Service will go through Stripe unless specified in the agreement.
+* Cirrus Labs may change its fees and payment policies for the Service by notifying You at least thirty (30) days before the beginning of the billing cycle in which such change will take effect.
+
+### Cancellation and Termination
+
+* You must cancel your subscription via Stripe or my emailing sales@cirruslabs.org.
+* You agree that Cirrus Labs, in its sole discretion and for any or no reason, may terminate or suspend Your subscription. You agree that any termination of Your access to the Service may be without prior notice, and You agree that Cirrus Labs will not be liable to You or any third party for such termination.
+
+### Customer Source Code
+
+* Cirrus Labs claims no ownership or control over any Customer Source Code. You retain copyright and any other rights You
+already hold in the Customer Source Code and You are responsible for protecting those rights, as appropriate.
+* You agree to assume full responsibility for configuring the Service to allow appropriate access to any Customer Source Code provided to the Service.
+* You retain sole responsibility for any collaborators or third-party services that you allow to view Customer Source Code and entrust them at your own risk.
+* Cirrus Labs is not responsible if you fail to configure, or misconfigure, your project and inadvertently allow unauthorized parties to view any Customer Source Code.
+
+### Ideas and Feedback
+
+You may choose to or we may invite You to submit comments or ideas about the Service, including but not limited to ideas
+about improving the Service or our products ("Ideas"). By submitting any Idea, You agree that Your disclosure is unsolicited
+and without restriction and will not place Cirrus Labs under any fiduciary or other obligation, and that we are free to
+use the Idea without any additional compensation to You, and/or to disclose the Idea on a non-confidential basis or otherwise to anyone.
+
+### Modification of the Service
+
+* You acknowledge and agree that the Service may change from time to time without prior notice to You.
+* Changes include, without limitation, changes to fee and payment policies, security patches, added or removed functionality, and other enhancements or restrictions.
+* Cirrus Labs shall not be liable to you or to any third party for any modification, price change, suspension or discontinuance of the Service.
+
+### External Resources
+
+The Service may include hyperlinks to other websites or content or resources or email content. You acknowledge and
+agree that Cirrus Labs is not responsible for the availability of any such external sites or resources, and does not
+endorse any advertising, products or other materials on or available from such web sites or resources.
+
+### License from Cirrus Runners and Restrictions
+
+Subject to and conditioned upon your compliance with these Terms of Service, we grant to you a personal, worldwide,
+royalty-free, non-assignable and non-exclusive license to use the software provided to You by Cirrus Labs as part of
+the Service as provided to You by Cirrus Labs. This license is for the sole purpose of enabling You to use and enjoy
+the benefit of the Service as provided by Cirrus Labs, in the manner permitted by the Terms.
+
+You may not (and You may not permit anyone else to): (a) copy, modify, create a derivative work of, reverse engineer,
+decompile or otherwise attempt to extract the source code of the Service or any part thereof, unless this is expressly
+permitted or required by law, or unless You have been specifically told that You may do so by Cirrus Labs, in writing
+(e.g., through an open source software license); or (b) attempt to disable or circumvent any security mechanisms used by the Service.
+
+Open source software licenses for components of the Service released under an open source license constitute separate written agreements.
+To the limited extent that the open source software licenses expressly supersede these Terms of Service, the open source licenses
+govern Your agreement with Cirrus Labs for the use of the components of the Service released under an open source license.
+
+You may not use the Service in any manner that could damage, disable, overburden or impair our servers or networks, or
+interfere with any other users' use or enjoyment of the Service.
+
+You may not attempt to gain unauthorized access to any of the Service, member accounts, or computer systems or networks,
+through hacking, password mining or any other means.
+
+Without limiting anything else contained herein, you agree that you shall not (and you agree not to allow any third party to):
+
+* remove any notices of copyright, trademark or other proprietary rights contained in/on or accessible through the Service
+or in any content or other material obtained via the Service;
+* use any robot, spider, website search/retrieval application, or other automated device, process or means to access,
+retrieve or index any portion of the Service;
+* reformat or frame any portion of the web pages that are part of the Service;
+* use the Service for commercial purposes not permitted under these Terms;
+* create users by automated means or under false or fraudulent pretenses;
+* attempt to defeat any security or verification measure relating to the Service;
+* provide or use tracking or monitoring functionality in connection with the Service, including, without limitation,
+to identify other users’ actions or activities;
+* impersonate or attempt to impersonate Cirrus Labs or any employee, contractor or associate of Cirrus Labs, or any other
+person or entity; or collect or store personal data about other users in connection with the prohibited activities described in this paragraph.
+
+### Our Copyright Dispute Policy
+
+Cirrus Labs respects the intellectual property of others and requires that our users do the same. It is our policy to
+terminate the membership of repeat infringers. If you believe that material or content residing on or accessible through
+the Service infringes a copyright, please send a notice of copyright infringement containing the following information
+to the Designated Copyright Agent listed below:
+
+* identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works are covered
+by a single notification, a representative list of such works;
+* information reasonably sufficient to permit us to contact you, such as an address, telephone number, and an email address;
+* a statement by you that you have a good faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law;
+* a statement by you, made under penalty of perjury, that the above information in your notification is accurate and that
+you are the copyright owner or are authorized to act on the copyright owner's behalf; and
+* your physical or electronic signature.
+
+Our Designated Copyright Agent for notification of claimed infringement can be reached by email at: hello@cirruslabs.org.
+
+The Service may contain advertisements and/or links to other websites (“Third Party Sites”). Cirrus Labs does not endorse,
+sanction or verify the accuracy or ownership of the information contained in/on any Third Party Site or any products or
+services advertised on Third Party Sites. If you decide to leave the Site and navigate to Third Party Sites, or install
+any software or download content from any such Third Party Sites, you do so at your own risk. Once you access a Third Party Site
+through a link on our Site, you may no longer be protected by these Terms of Service and you may be subject to the terms
+and conditions of such Third Party Site. You should review the applicable policies, including privacy and data gathering practices,
+of any Third Party Site to which you navigate from the Site, or relating to any software you use or install from a Third Party Site.
+Concerns regarding a Third Party Site should be directed to the Third Party Site itself. Cirrus Labs bears no responsibility for
+any action associated with any Third Party Site.
+
+### Disclaimer of Warranties
+
+IF YOU ACCESS THE SERVICE, YOU DO SO AT YOUR OWN RISK. WE PROVIDE THE SERVICE “AS IS”, “WITH ALL FAULTS” AND “AS AVAILABLE.”
+WE MAKE NO EXPRESS OR IMPLIED WARRANTIES OR GUARANTEES ABOUT THE SERVICE. TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE HEREBY
+DISCLAIM ALL SUCH WARRANTIES, INCLUDING ALL STATUTORY WARRANTIES, WITH RESPECT TO THE SERVICE, INCLUDING WITHOUT LIMITATION
+ANY WARRANTIES THAT THE SERVICE IS MERCHANTABLE, OF SATISFACTORY QUALITY, ACCURATE, FIT FOR A PARTICULAR PURPOSE OR NEED,
+OR NON-INFRINGING. WE DO NOT GUARANTEE THAT THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SERVICE WILL BE EFFECTIVE,
+RELIABLE OR ACCURATE OR WILL MEET YOUR REQUIREMENTS. WE DO NOT GUARANTEE THAT YOU WILL BE ABLE TO ACCESS OR USE THE SERVICE
+(EITHER DIRECTLY OR THROUGH THIRD-PARTY NETWORKS) AT TIMES OR LOCATIONS OF YOUR CHOOSING. WE ARE NOT RESPONSIBLE FOR THE ACCURACY,
+RELIABILITY, TIMELINESS OR COMPLETENESS OF INFORMATION PROVIDED BY ANY OTHER USERS OF THE SERVICE OR ANY OTHER DATA OR
+INFORMATION PROVIDED OR RECEIVED THROUGH THE SERVICE. EXCEPT AS EXPRESSLY SET FORTH HEREIN, CIRRUS LABS MAKES NO WARRANTIES
+ABOUT THE INFORMATION SYSTEMS, SOFTWARE AND FUNCTIONS MADE ACCESSIBLE BY OR THROUGH THE SERVICE OR ANY SECURITY ASSOCIATED
+WITH THE TRANSMISSION OF SENSITIVE INFORMATION. CIRRUS LABS DOES NOT WARRANT THAT THE SERVICE WILL OPERATE ERROR-FREE,
+THAT ERRORS IN THE SERVICE WILL BE FIXED, THAT LOSS OF DATA WILL NOT OCCUR, OR THAT THE SERVICE OR SOFTWARE ARE FREE OF
+COMPUTER VIRUSES, CONTAMINANTS OR OTHER HARMFUL ITEMS. UNDER NO CIRCUMSTANCES WILL CIRRUS LABS, ANY OF OUR AFFILIATES,
+DISTRIBUTORS, PARTNERS, LICENSORS, AND/OR ANY OF OUR OR THEIR DIRECTORS, OFFICERS, EMPLOYEES, CONSULTANTS, AGENTS, OR
+OTHER REPRESENTATIVES BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY YOUR RELIANCE ON INFORMATION OBTAINED THROUGH THE SERVICE.
+
+### Limitations on Liability
+
+YOUR SOLE AND EXCLUSIVE REMEDY FOR ANY DISPUTE WITH US IS THE CANCELLATION OF YOUR REGISTRATION. IN NO EVENT SHALL OUR
+TOTAL CUMULATIVE LIABILITY TO YOU FOR ANY AND ALL CLAIMS RELATING TO OR ARISING OUT OF YOUR USE OF THE SERVICE,
+REGARDLESS OF THE FORM OF ACTION, EXCEED THE GREATER OF: (A) THE TOTAL AMOUNT OF FEES, IF ANY, THAT YOU PAID TO UTILIZE
+THE SERVICE OR (B) ONE HUNDRED DOLLARS ($100). IN NO EVENT SHALL WE BE LIABLE TO YOU (OR TO ANY THIRD PARTY CLAIMING
+UNDER OR THROUGH YOU) FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES OR
+ANY BODILY INJURY, EMOTIONAL DISTRESS, DEATH OR ANY OTHER DAMAGES ARISING FROM YOUR USE OF OR INABILITY TO USE THE SERVICE,
+WHETHER ON-LINE OR OFF-LINE, OR OTHERWISE IN CONNECTION WITH THE SERVICE. THESE EXCLUSIONS APPLY TO ANY CLAIMS FOR LOST PROFITS,
+LOST DATA, LOSS OF GOODWILL OR BUSINESS REPUTATION, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, WORK STOPPAGE,
+COMPUTER FAILURE OR MALFUNCTION, ANY OTHER COMMERCIAL DAMAGES OR LOSSES, OR ANY PERSONAL INJURY OR PROPERTY DAMAGES,
+EVEN IF WE KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW
+THE EXCLUSION OR THE LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, IN SUCH STATES OR JURISDICTIONS,
+OUR LIABILITY SHALL BE LIMITED TO THE EXTENT PERMITTED BY LAW. IF YOU ARE A CALIFORNIA RESIDENT, YOU WAIVE YOUR RIGHTS
+WITH RESPECT TO CALIFORNIA CIVIL CODE SECTION 1542, WHICH SAYS "A GENERAL RELEASE DOES NOT EXTEND TO CLAIMS WHICH THE
+CREDITOR DOES NOT KNOW OR SUSPECT TO EXIST IN HIS FAVOR AT THE TIME OF EXECUTING THE RELEASE, WHICH, IF KNOWN BY HIM
+MUST HAVE MATERIALLY AFFECTED HIS SETTLEMENT WITH THE DEBTOR.”
+
+### Indemnification
+
+You agree to hold harmless and indemnify Cirrus Labs, and its subsidiaries, affiliates, officers, agents, employees,
+advertisers, licensors, suppliers or partners (collectively "Cirrus Labs and Partners") from and against any
+third party claim arising from or in any way related to (a) Your breach of the Terms, (b) Your use of the Service,
+(c) Your violation of applicable laws, rules or regulations in connection with the Service, or (d) Your Customer Source Code,
+including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments,
+litigation costs and attorneys' fees, of every kind and nature. In such a case, Cirrus Labs will provide You with
+written notice of such claim, suit or action.
+
+### Choice of Law and Dispute Resolution
+
+The Terms of Service shall be deemed to have been entered into and shall be construed and enforced in accordance with
+the laws of the State of New York as applied to contracts made and performed entirely within New York, without giving
+effect to any conflicts of law statutes. Any controversy, dispute or claim arising out of or related to the
+Terms of Service or the Service shall be settled by final and binding arbitration to be conducted by an arbitration
+tribunal in the State of New York and the County of New York, pursuant to the rules of the American Arbitration Association.
+Any and all disputes that you may have with Cirrus Labs shall be resolved individually, without resort to any form of class action.
+
+### General Legal Terms
+
+The Terms constitute the whole legal agreement between You and Cirrus Labs and govern Your use of the Service and
+completely replace any prior agreements between You and Cirrus Labs in relation to the Service.
+
+If any part of the Terms of Service is held invalid or unenforceable, that portion shall be construed in a manner
+consistent with applicable law to reflect, as nearly as possible, the original intentions of the parties, and
+the remaining portions shall remain in full force and effect.
+
+The failure of Cirrus Labs to exercise or enforce any right or provision of the Terms of Service shall not constitute
+a waiver of such right or provision. The failure of either party to exercise in any respect any right provided for herein
+shall not be deemed a waiver of any further rights hereunder.
+
+You agree that if Cirrus Labs does not exercise or enforce any legal right or remedy which is contained in the Terms
+(or which Cirrus Labs has the benefit of under any applicable law), this will not be taken to be a formal waiver of
+Cirrus Labs' rights and that those rights or remedies will still be available to Cirrus Labs.
+
+Cirrus Labs shall not be liable for failing or delaying performance of its obligations resulting from any condition
+beyond its reasonable control, including but not limited to, governmental action, acts of terrorism, earthquake, fire,
+flood or other acts of God, labor conditions, power failures, and Internet disturbances.
+
+We may assign this contract at any time to any parent, subsidiary, or any affiliated company, or as part of the sale to,
+merger with, or other transfer of our company to another entity.
+
+This page was last updated on 02/03/2019.
diff --git a/docs/licensing.md b/docs/licensing.md
new file mode 100644
index 00000000..3f4e14fb
--- /dev/null
+++ b/docs/licensing.md
@@ -0,0 +1,102 @@
+---
+hide:
+ - navigation
+title: Licensing and Support
+description: Free Tier with 100 CPU core limit. Very affordable Tiers for larger enterprises.
+---
+
+Both [Tart Virtualization](https://github.com/cirruslabs/tart) and [Orchard Orchestration](https://github.com/cirruslabs/orchard)
+are licensed under [Fair Source License](https://fair.io/). Usage on personal computers including personal workstations is royalty-free,
+but organizations that exceed a certain number of server installations (100 CPU cores for Tart and/or 4 hosts for Orchard)
+will be required to obtain a paid license.
+
+??? note "Host CPU Core usage"
+ The virtual CPU cores of Tart VMs are not tied to specific physical cores of the host CPU. Instead, for optimal performance
+ Tart VMs will automatically try to balance compute between all available cores of the host CPU. As a result,
+ all performance and energy-efficient cores of the host CPU are always counted towards the license usage.
+
+## License Tiers
+
+By default, when no [license is purchased](#get-the-license), it is assumed that an organization is using a Free Tier license.
+You can find the Free Tier license text in [Tart](https://github.com/cirruslabs/tart/blob/main/LICENSE) and [Orchard](https://github.com/cirruslabs/orchard/blob/main/LICENSE) repositories.
+
+Free Tier license has a 100 CPU core limit for Tart and 4 Orchard Workers limit for Orchard.
+
+??? info "Usage Scenarios Examples"
+
+ Here are a few examples that fit into the free tier:
+
+ - Using Tart on 12 Mac Minis with 8 CPUs each running up to 24 VMs in parallel.
+ - Creating an Orchard cluster of 4 Mac Studio workers with 24 CPUs each.
+
+ Here are a few examples that do not fit into the free tier:
+
+ - Using Tart on 13 Mac Minis with 8 CPUs each.
+ - Creating an Orchard cluster of 5 Mac Minis workers with 8 CPUs each.
+
+### Gold Tier
+
+If an organization wishes to exceed the limits of the Free Tier license, a purchase of the [Gold Tier License](#get-the-license) is required, which costs \$1000 per month.
+
+Gold Tier license has a 500 CPU core limit for Tart and 20 Orchard Workers limit for Orchard.
+
+### Platinum Tier
+
+If an organization wishes to exceed the limits of the Gold Tier license, a purchase of the [Platinum Tier License](#get-the-license) is required, which costs \$3000 per month.
+
+Platinum Tier license has a 3,000 CPU core limit for Tart and 200 Orchard Workers limit for Orchard.
+
+### Diamond Tier
+
+For organizations that wish to exceed the limits of the Platinum Tier license, a purchase of a [custom Diamond Tier License](#get-the-license) is required, which costs \$1 per CPU core per month and gives the ability to run unlimited Orchard Workers.
+
+## Get the license
+
+If your organization is interested in purchasing one of the license tiers, please email [licensing@cirruslabs.org](mailto:licensing@cirruslabs.org).
+
+You can see a template of a license subscription agreement [here](assets/TartLicenseSubscription.pdf).
+
+!!! info "Running on AWS?"
+
+ There are [official AMIs for EC2 Mac Instances](https://aws.amazon.com/marketplace/pp/prodview-qczco34wlkdws)
+ with preconfigured Tart installation that is optimized to work within AWS infrastructure.
+
+ Additionally, there is a [ECR Pulic Gallery mirror](https://gallery.ecr.aws/cirruslabs/macos) of all the
+ [Tart VM images managed by us](https://github.com/cirruslabs/macos-image-templates).
+
+## General Support
+
+The best way to ask general questions about particular use cases is to email our support team at [support@cirruslabs.org](mailto:support@cirruslabs.org).
+Our support team is trying our best to respond ASAP, but there is no guarantee on a response time unless your organization
+has a paid license subscription which includes [Priority Support](#priority-support).
+
+If you have a feature request or noticed lack of some documentation please feel free to [create a GitHub issue](https://github.com/cirruslabs/tart/issues/new).
+Our support team will answer it by replying to the issue or by updating the documentation.
+
+## Priority Support
+
+In addition to the general support we provide a *Priority Support* with guaranteed response times included in all the paid license tiers.
+
+| Severity | Support Impact | First Response Time SLA | Hours | How to Submit |
+|----------|-----------------------------------------------------------------------------------------------|-------------------------|-------|--------------------------------------------------------------------------------------------------|
+| 1 | Emergency (service is unavailable or completely unusable). | 30 minutes | 24x7 | Please use urgent email address. |
+| 2 | Highly Degraded (Important features unavailable or extremely slow; No acceptable workaround). | 4 hours | 24x5 | Please use priority email address. |
+| 3 | Medium Impact. | 8 hours | 24x5 | Please use priority email address. |
+| 4 | Low Impact. | 24 hours | 24x5 | Please use regular support email address. Make sure to send the email from your corporate email. |
+
+`24x5` means period of time from 9AM on Monday till 5PM on Friday in EST timezone.
+
+
+??? note "Support Impact Definitions"
+ * **Severity 1** - Your installation of Orchard is unavailable or completely unusable. An urgent issue can be filed and
+ our On-Call Support Engineer will respond within 30 minutes. Example: Orchard Controller is showing 502 errors for all users.
+ * **Severity 2** - Orchard installation is Highly Degraded. Significant Business Impact. Important features are unavailable
+ or extremely slowed, with no acceptable workaround.
+ * **Severity 3** - Something is preventing normal service operation. Some Business Impact. Important features of Tart or Orchard
+ are unavailable or somewhat slowed, but a workaround is available.
+ * **Severity 4** - Questions or Clarifications around features or documentation. Minimal or no Business Impact.
+ Information, an enhancement, or documentation clarification is requested, but there is no impact on the operation of Tart and/or Orchard.
+
+!!! info "How to submit a priority or an urgent issue"
+ Once your organization [obtains a license](#license-tiers), members of your organization
+ will get access to separate support emails specified in your subscription contract.
diff --git a/docs/orchard/architecture-and-security.md b/docs/orchard/architecture-and-security.md
new file mode 100644
index 00000000..9f027123
--- /dev/null
+++ b/docs/orchard/architecture-and-security.md
@@ -0,0 +1,67 @@
+## Architecture
+
+Orchard cluster consists of three components:
+
+* Controller — responsible for managing the cluster and scheduling of resources
+* Worker — responsible for executing the VMs
+* Client — responsible for creating, modifying and removing the resources on the Controller, can either be an [Orchard CLI](using-orchard-cli.md) or [an API consumer](integration-guide.md)
+
+At the moment, only one Controller instance is currently supported, while you can deploy one or more Workers and run any number of Clients.
+
+In terms of networking requirements, only Controller needs to be directly accessible from Workers and Clients, while Workers and Clients can be deployed and run anywhere (e.g. behind a NAT).
+
+## Security
+
+When an Orchard Client or a Worker connects to the Controller, they need to establish trust and verify that they're talking to the right Controller, so that no [man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) is possible.
+
+Similarly to web-browsers (that rely on the [public key infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure)) and SSH (which relies on semi-automated fingerprint verification), Orchard combines these two traits in a hybrid approach by defaulting to automatic PKI verification (can be disabled by [`--no-pki`](#-no-pki-override)) and falling-back to a manual verification for self-signed certificates.
+
+This hybrid approach is needed because the Controller can be configured in two ways:
+
+* *Controller with a publicly valid certificate*
+ * can be configured manually by passing `--controller-cert` and `--controller-key` command-line arguments to `orchard controller run`
+* *Controller with a self-signed certificate*
+ * configured automatically on first Controller start-up when no `--controller-cert` and `--controller-key` command-line arguments are passed
+
+Below we'll explain how Orchard client and Worker secure the connection when accessing these two Controller types.
+
+### Client
+
+Client is associated with the Controller using a `orchard context create` command, which works as follows:
+
+* Client attempts to connect to the Controller and validate its certificate using host's root CA set (can be disabled with [`--no-pki`](#-no-pki-override))
+* if the Client encounters a *Controller with a publicly valid certificate*, that would be the last step and the association would succeed
+* if the Client is dealing with *Controller with a self-signed certificate*, the Client will do another connection attempt to probe the Controller's certificate
+* the probed Controller's certificate fingerprint is then presented to the user, and if the user agrees to trust it, the Client then considers that certificate to be trusted for a given context
+* Client finally connects to the Controller again with a trusted CA set containing only that certificate, executes the final API sanity checks, and if everything is OK then the association succeeds
+
+Afterward, each interaction with the Controller (e.g. `orchard create vm` command) will stick to the chosen verification method and will re-verify the presented Controller's certificate against:
+
+* *Controller with a self-signed certificate*: a trusted certificate stored in the Orchard's configuration file
+* *Controller with a publicly valid certificate*: host's root CA set
+
+### Worker
+
+To make the Worker connect to the Controller, a Bootstrap Token needs to be obtained using the `orchard get bootstrap-token` command.
+
+While this approach provides a less ad-hoc experience than that you'd have with `orchard context create`, it allows one to mass-deploy workers non-interactively, using tools such as Ansible.
+
+This resulting Bootstrap Token will either include the Controller's certificate (when the current context is with a *Controller with a self-signed certificate*) or omit it (when the current context is with a *Controller with a publicly valid certificate*).
+
+The way Worker connects to the Controller using the `orchard worker run` command is as follows:
+
+* when the Bootstrap Token contains the Controller's certificate:
+ * the Orchard Worker will try to connect to the Controller with a trusted CA set containing only that certificate
+* when the Bootstrap Token has no Controller's certificate:
+ * the Orchard Worker will try the PKI approach (can be disabled with [`--no-pki`](#-no-pki-override) to effectively prevent the Worker from connecting) and fail if certificate verification using PKI is not possible
+
+### `--no-pki` override
+
+If you only intend to access the *Controller with a self-signed certificate* and want to additionally guard yourself against [CA compromises](https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise) and other PKI-specific attacks, pass a `--no-pki` command-line argument to the following commands:
+
+* `orchard context create --no-pki`
+ * this will prevent the Client from using PKI and will let you interactively verify the Controller's certificate fingerprint before connecting, thus creating a non-PKI association
+* `orchard worker run --no-pki`
+ * this will prevent the Worker from trying to use PKI when connecting to the Controller using a Bootstrap Token that has no certificate included in it, thus failing fast and letting you know that you need to create a proper Bootstrap Token
+
+We've deliberately chosen not to use environment variables (e.g. `ORCHARD_NO_PKI`) because they fail silently (e.g. due to a typo), compared to command-line arguments, which will result in an error that is much easier to detect.
diff --git a/docs/orchard/deploying-controller.md b/docs/orchard/deploying-controller.md
new file mode 100644
index 00000000..abb47cd5
--- /dev/null
+++ b/docs/orchard/deploying-controller.md
@@ -0,0 +1,242 @@
+## Introduction
+
+Compared to Worker, which can only be deployed on a macOS machine, Controller can be also deployed on Linux.
+
+In fact, we've made a [container image](https://github.com/cirruslabs/orchard/pkgs/container/orchard) to ease deploying the Controller in container-native environments such as Kubernetes.
+
+Another thing to keep in mind that Orchard API is secured by default: all requests must be authenticated with the credentials of a service account. When you first run Orchard Controller, a `bootstrap-admin` service account will be created automatically and credentials will be printed to the standard output.
+
+If you already have a token in mind that you want to use for the `bootstrap-admin` service account, or you've got locked out and want this service account with a well-known password back, you can set the `ORCHARD_BOOTSTRAP_ADMIN_TOKEN` when running the controller.
+
+For example to use a secure, random value:
+
+```bash
+ORCHARD_BOOTSTRAP_ADMIN_TOKEN=$(openssl rand -hex 32) orchard controller run
+```
+
+## Customization
+
+Note that all the [Deployment Methods](#deployment-methods) essentially boil down to starting an `orchard controller run` command and keeping it alive.
+
+This means that by introducing additional command-line arguments, you can customize the Orchard Controller's behavior. Below, we list some of the common scenarios.
+
+### Customizing listening port
+
+* `--listen` — address to listen on (default `:6120`)
+
+### Customizing TLS
+
+* `--controller-cert` — use the controller certificate from the specified path instead of the auto-generated one (requires --controller-key)
+* `--controller-key` — use the controller certificate key from the specified path instead of the auto-generated one (requires --controller-cert)
+* `--insecure-no-tls` — disable TLS, making all connections to the controller unencrypted
+ * useful when deploying Orchard Controller behind a load balancer/ingress controller
+
+### Built-in SSH server
+
+Orchard Controller can act as a simple SSH server that port-forwards connections to the VMs running in the Orchard Cluster.
+
+This way you can completely skip the Orchard API when connecting to a given VM and only use the SSH client:
+
+```shell
+ssh -J @orchard-controller.example.com
+```
+
+To enable this functionality, pass `--listen-ssh` command-line argument to the `orchard controller run` command, for example:
+
+```ssh
+orchard controller run --listen-ssh 6122
+```
+
+Here's other command-line arguments associated with this functionality:
+
+* `--ssh-host-key` — use the SSH private host key from the specified path instead of the auto-generated one
+* `--insecure-ssh-no-client-auth` — allow SSH clients to connect to the controller's SSH server without authentication, thus only authenticating on the target worker/VM's SSH server
+ * useful when you already have strong credentials on your VMs, and you want to share these VMs to others without additionally giving out Orchard Cluster credentials
+
+Check out our [Jumping through the hoops: SSH jump host functionality in Orchard](../blog/posts/2024-06-20-jumping-through-the-hoops.md) blog post for more information.
+
+## Deployment Methods
+
+While you can always start `orchard controller run` manually with the required arguments, this method is not recommended due to lack of persistence.
+
+In the following sections you'll find several examples of how to run Orchard Controller in various environments in a more persistent way. Feel free to submit PRs with more examples.
+
+### Google Compute Engine
+
+An example below will deploy a single instance of Orchard Controller in Google Cloud Compute Engine in `us-central1` region.
+
+First, let's create a static IP address for our instance:
+
+```bash
+gcloud compute addresses create orchard-ip --region=us-central1
+export ORCHARD_IP=$(gcloud compute addresses describe orchard-ip --format='value(address)' --region=us-central1)
+```
+
+Then, ensure that there exist a firewall rule targeting `https-server` tag and allowing access to TCP port 443. If that's not the case, create one:
+
+```shell
+gcloud compute firewall-rules create default-allow-https --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:443 --source-ranges=0.0.0.0/0 --target-tags=https-server
+```
+
+Once we have the IP address and the firewall rule set up, we can create a new instance with Orchard Controller running inside a container:
+
+```bash
+gcloud compute instances create-with-container orchard-controller \
+ --machine-type=e2-micro \
+ --zone=us-central1-a \
+ --image-family cos-stable \
+ --image-project cos-cloud \
+ --tags=https-server \
+ --address=$ORCHARD_IP \
+ --container-image=ghcr.io/cirruslabs/orchard:latest \
+ --container-env=PORT=443 \
+ --container-env=ORCHARD_BOOTSTRAP_ADMIN_TOKEN=$ORCHARD_BOOTSTRAP_ADMIN_TOKEN \
+ --container-mount-host-path=host-path=/home/orchard-data,mode=rw,mount-path=/data
+```
+
+Now you can create a new context for your local client:
+
+```bash
+orchard context create --name production \
+ --service-account-name bootstrap-admin \
+ --service-account-token $ORCHARD_BOOTSTRAP_ADMIN_TOKEN \
+ https://$ORCHARD_IP:443
+```
+
+And select it as the default context:
+
+```bash
+orchard context default production
+```
+
+### Kubernetes (GKE, EKS, etc.)
+
+The easiest way to run Orchard Controller on Kubernetes is to expose it through the `LoadBalancer` service.
+
+This way no fiddling with the TLS certificates and HTTP proxying is needed, and most cloud providers will allocate a ready-to-use IP-address that can directly used in `orchard context create` and `orchard worker run` commands, or additionally assigned to a DNS domain name for a more memorable hostname.
+
+Do deploy on Kubernetes, only three resources are needed:
+
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: orchard-controller
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ # Uncomment this when deploying on Amazon's EKS and
+ # change to the desired storage class name if needed
+ # storageClassName: gp2
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: orchard-controller
+spec:
+ serviceName: orchard-controller
+ replicas: 1
+ selector:
+ matchLabels:
+ app: orchard-controller
+ template:
+ metadata:
+ labels:
+ app: orchard-controller
+ spec:
+ containers:
+ - name: orchard-controller
+ image: ghcr.io/cirruslabs/orchard:latest
+ volumeMounts:
+ - mountPath: /data
+ name: orchard-controller
+ volumes:
+ - name: orchard-controller
+ persistentVolumeClaim:
+ claimName: orchard-controller
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: orchard-controller
+spec:
+ selector:
+ app: orchard-controller
+ ports:
+ - protocol: TCP
+ port: 6120
+ targetPort: 6120
+ type: LoadBalancer
+```
+
+Once deployed, the bootstrap credentials will be printed to the standard output. You can inspect them by running `kubectl logs deployment/orchard-controller`.
+
+The resources above ensure that Controller's database is stored in a persistent storage and survives restats.
+
+You can further allocate a static IP address and use it by adding annotations to the `Service` resource. Here's how to do that:
+
+* on Google's GKE:
+* on Amazon's EKS:
+
+### systemd service on Debian-based distributions
+
+This should work for most Debian-based distributions like Debian, Ubuntu, etc.
+
+Firstly, make sure that the APT transport for downloading packages via HTTPS and common X.509 certificates are installed:
+
+```shell
+sudo apt-get update && sudo apt-get -y install apt-transport-https ca-certificates
+```
+
+Then, add the Cirrus Labs repository:
+
+```shell
+echo "deb [trusted=yes] https://apt.fury.io/cirruslabs/ /" | sudo tee /etc/apt/sources.list.d/cirruslabs.list
+```
+
+Update the package index files and install the Orchard Controller:
+
+```shell
+sudo apt-get update && sudo apt-get -y install orchard-controller
+```
+
+Finally, enable and start the Orchard Controller systemd service:
+
+```shell
+sudo systemctl enable orchard-controller
+sudo systemctl start orchard-controller
+```
+
+The bootstrap credentials will be printed to the standard output. You can inspect them by running `sudo systemctl status orhcard-controller` or `journalctl -u orchard-controller`.
+
+### systemd service on RPM-based distributions
+
+This should work for most RPM-based distributions like Fedora, CentOS, etc.
+
+First, create a `/etc/yum.repos.d/cirruslabs.repo` file with the following contents:
+
+```ini
+[cirruslabs]
+name=Cirrus Labs Repo
+baseurl=https://yum.fury.io/cirruslabs/
+enabled=1
+gpgcheck=0
+```
+
+Then, install the Orchard Controller:
+
+```shell
+sudo yum -y install orchard-controller
+```
+
+Finally, enable and start the Orchard Controller systemd service:
+
+```shell
+systemctl enable orchard-controller
+systemctl start orchard-controller
+```
+
+The bootstrap credentials will be printed to the standard output. You can inspect them by running `sudo systemctl status orhcard-controller` or `journalctl -u orchard-controller`.
diff --git a/docs/orchard/deploying-workers.md b/docs/orchard/deploying-workers.md
new file mode 100644
index 00000000..5d5fa84a
--- /dev/null
+++ b/docs/orchard/deploying-workers.md
@@ -0,0 +1,127 @@
+## Obtain a Boostrap Token
+
+First, create a service account with a minimal set of roles (`compute:read` and `compute:write`) required for proper Worker functioning:
+
+```bash
+orchard create service-account worker-pool-m1 --roles "compute:read" --roles "compute:write"
+```
+
+Then, generate a Bootstrap Token for this service account:
+
+```shell
+orchard get bootstrap-token worker-pool-m1
+```
+
+We will reference the value of the Bootstrap Token generated here as `${BOOTSTRAP_TOKEN}` below.
+
+Further, we assume that Orchard controller is available on `orchard.example.com`
+
+## Deployment Methods
+
+While you can always run `orchard worker run` manually with the required arguments, this method of deploying the Worker is not recommended.
+
+Instead, we've listed a more persistent methods of a Worker deployment below.
+
+### launchd
+
+[launchd](https://launchd.info/) is an init system for macOS that manages daemons, agents and other background processes.
+
+In this deployment method, we'll create a new job definition file for the launchd to manage on its behalf.
+
+To begin, first install Orchard:
+
+```shell
+brew install cirruslabs/cli/orchard
+```
+
+Ensure that the following command:
+
+```shell
+which orchard
+```
+
+...yields `/opt/homebrew/bin/orchard`. If not, you'll need to replace all of the occurences of `/opt/homebrew/bin/orchard` in the job definition below.
+
+Then, create a launchd job definition in `/Library/LaunchDaemons/org.cirruslabs.orchard.worker.plist` with the following contents:
+
+```xml
+
+
+
+
+ Label
+ org.cirruslabs.orchard.worker
+ Program
+ /opt/homebrew/bin/orchard
+ ProgramArguments
+
+ /opt/homebrew/bin/orchard
+ worker
+ run
+ --user
+ admin
+ --bootstrap-token
+ ${BOOTSTRAP_TOKEN}
+ orchard.example.com
+
+ EnvironmentVariables
+
+ PATH
+ /bin:/usr/bin:/usr/local/bin:/opt/homebrew/bin
+
+ WorkingDirectory
+ /var/empty
+ RunAtLoad
+
+ KeepAlive
+
+ StandardOutPath
+ /Users/admin/orchard-launchd.log
+ StandardErrorPath
+ /Users/admin/orchard-launchd.log
+
+
+```
+
+This assumes that your macOS user on the host is named `admin`. If not, change all occurrences of `admin` in the job definition above to `$USER`.
+
+Finally, change the `orchard.example.com` to the FQDN or an IP-address of your Orchard Controller.
+
+Now, you can start the job:
+
+```shell
+launchctl load -w /Library/LaunchDaemons/org.cirruslabs.orchard.worker.plist
+```
+
+### Ansible
+
+If you have a set of machines that you want to use as Orchard Workers, you can use [Ansible](https://docs.ansible.com/) to configure them.
+
+We've created the [cirruslabs/ansible-orchard](https://github.com/cirruslabs/ansible-orchard) repository with a basic Ansible playbook for convenient setup.
+
+To use it, clone it locally:
+
+```shell
+git clone https://github.com/cirruslabs/ansible-orchard.git
+cd ansible-orchard/
+```
+
+Make sure that the Ansible Galaxy dependencies are installed:
+
+```shell
+ansible-galaxy install -r requirements.yml
+```
+
+Then, edit the `production-pool` file and populate the following fields:
+
+* `hosts` — replace `worker-1.hosts.internal` with your worker FQDN or IP-address and add more hosts if needed
+* `ansible_user` — set it macOS user on the host for the SSH to work
+* `orchard_worker_user` — set it macOS user on the host under which the Worker will run, e.g. `admin`
+* `orchard_worker_controller_url` — set it to FQDN or an IP-address of your Orchard Controller, for example, `orchard.example.com`
+* `orchard_worker_bootstrap_token` — set it to `${BOOTSTRAP_TOKEN}` we've generated above
+
+Deploy the playbook:
+
+```shell
+ansible-playbook --inventory-file production-pool --ask-pass playbook-workers.yml
+```
diff --git a/docs/orchard/integration-guide.md b/docs/orchard/integration-guide.md
new file mode 100644
index 00000000..6c7a0257
--- /dev/null
+++ b/docs/orchard/integration-guide.md
@@ -0,0 +1,187 @@
+Orchard has a REST API that follows [OpenAPI specification](https://swagger.io/specification/) and is described in [`api/openapi.yaml`](https://github.com/cirruslabs/orchard/blob/main/api/openapi.yaml).
+
+You can run `orchard dev` locally and navigate to `http://127.0.0.1:6120/v1/` for interactive documentation.
+
+
+
+## Using the API
+
+Below you'll find examples of using Orchard API via vanilla Python's request library and Golang package that Orchard CLI build on top of.
+
+### Authentication
+
+When running in non-development mode, Orchard API expects a [basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) to be provided for each API call.
+
+Below you'll find two snippets that retrieve controller's information and output its version:
+
+#### Authentication in Python
+
+```python
+import requests
+from requests.auth import HTTPBasicAuth
+
+
+def main():
+ # Authentication
+ basic_auth = HTTPBasicAuth("service account name", "service account token")
+
+ response = requests.get("http://127.0.0.1:6120/v1/info", auth=basic_auth)
+
+ print(response.json()["version"])
+
+
+if __name__ == '__main__':
+ main()
+```
+
+#### Authentication in Golang
+
+```go
+package main
+
+import (
+ "context"
+ "fmt"
+ "github.com/cirruslabs/orchard/pkg/client"
+ "log"
+)
+
+func main() {
+ client, err := client.New()
+ if err != nil {
+ log.Fatalf("failed to initialize Orchard API client: %v", err)
+ }
+
+ controllerInfo, err := client.Controller().Info(context.Background())
+ if err != nil {
+ log.Fatalf("failed to retrieve controller's information: %v", err)
+ }
+
+ fmt.Println(controllerInfo.Version)
+}
+```
+
+Note that we don't provide any credentials for Golang's version of the snippet: this is because Orchard's Golang API client (`github.com/cirruslabs/orchard/pkg/client`) has the ability to read the current's user Orchard context automatically.
+
+### Creating a VM
+
+A more intricate example would be spinning off a VM with a startup script that outputs date, reading its logs and removing it from the controller:
+
+#### Creating a VM in Python
+
+```python
+import time
+import uuid
+
+import requests
+from requests.auth import HTTPBasicAuth
+
+
+def main():
+ vm_name = str(uuid.uuid4())
+
+ basic_auth = HTTPBasicAuth("service account name", "service account token")
+
+ # Create VM
+ response = requests.post("http://127.0.0.1:6120/v1/vms", auth=basic_auth, json={
+ "name": vm_name,
+ "image": "ghcr.io/cirruslabs/macos-sequoia-base:latest",
+ "cpu": 4,
+ "memory": 4096,
+ "startup_script": {
+ "script_content": "date",
+ }
+ })
+ response.raise_for_status()
+
+ # Retrieve VM's logs
+ while True:
+ response = requests.get(f"http://127.0.0.1:6120/v1/vms/{vm_name}/events", auth=basic_auth)
+ response.raise_for_status()
+
+ result = response.json()
+
+ if isinstance(result, list) and len(result) != 0:
+ print(result[0]["payload"])
+ break
+
+ time.sleep(1)
+
+ # Delete VM
+ response = requests.delete(f"http://127.0.0.1:6120/v1/vms/{vm_name}", auth=basic_auth)
+ response.raise_for_status()
+
+
+if __name__ == '__main__':
+ main()
+```
+
+#### Creating a VM in Golang
+
+```go
+package main
+
+import (
+ "context"
+ "fmt"
+ "github.com/cirruslabs/orchard/pkg/client"
+ v1 "github.com/cirruslabs/orchard/pkg/resource/v1"
+ "github.com/google/uuid"
+ "log"
+ "time"
+)
+
+func main() {
+ vmName := uuid.New().String()
+
+ client, err := client.New()
+ if err != nil {
+ log.Fatalf("failed to initialize Orchard API client: %v", err)
+ }
+
+ // Create VM
+ err = client.VMs().Create(context.Background(), &v1.VM{
+ Meta: v1.Meta{
+ Name: vmName,
+ },
+ Image: "ghcr.io/cirruslabs/macos-sequoia-base:latest",
+ CPU: 4,
+ Memory: 4096,
+ StartupScript: &v1.VMScript{
+ ScriptContent: "date",
+ },
+ })
+ if err != nil {
+ log.Fatalf("failed to create VM: %v")
+ }
+
+ // Retrieve VM's logs
+ for {
+ vmLogs, err := client.VMs().Logs(context.Background(), vmName)
+ if err != nil {
+ log.Fatalf("failed to retrieve VM logs")
+ }
+
+ if len(vmLogs) != 0 {
+ fmt.Println(vmLogs[0])
+ break
+ }
+
+ time.Sleep(time.Second)
+ }
+
+ // Delete VM
+ if err := client.VMs().Delete(context.Background(), vmName); err != nil {
+ log.Fatalf("failed to delete VM: %v", err)
+ }
+}
+```
+
+## Resource management
+
+Some resources, such as `Worker` and `VM`, have a `resource` field which is a dictionary that maps between resource names and their amounts (amount requested or amount provided, depending on the resource) and is useful for scheduling.
+
+Well-known resources:
+
+* `org.cirruslabs.tart-vms` — number of Tart VM slots available on the machine or requested by the VM
+ * this number is `2` for workers and `1` for VMs by default
diff --git a/docs/orchard/managing-cluster.md b/docs/orchard/managing-cluster.md
new file mode 100644
index 00000000..d1ac6e27
--- /dev/null
+++ b/docs/orchard/managing-cluster.md
@@ -0,0 +1,30 @@
+## Backups
+
+In order to backup the Orchard Controller, simply copy its `ORCHARD_HOME` (which defaults to `~/.orchard/`) directory somewhere safe and restore it when needed.
+
+This directory contains a BadgerDB database that Controller uses to store state and an X.509 certificate with key.
+
+## Upgrades
+
+Since the Orchard's initial release, we've managed to maintain the backwards compatibility between versions up to this day, so generally, it doesn't matter whether you upgrade the Controller or Worker(s) first.
+
+In case a new functionality is introduced, you might be required to finish the upgrade of both the Controller and the Worker(s) to be able to use it fully.
+
+In case there will be backwards-incompatible changes introduced in the future, we will try to do our best and highlight this in the [release notes](https://github.com/cirruslabs/orchard/releases) accordingly.
+
+## Observability
+
+Both the Controller and Worker produce some useful OpenTelemetry metrics. Metrics are scoped with `org.cirruslabs.orchard` prefix and include information about resource utilization, statuses or Workers, scheduling/pull time and many more.
+
+By default, the telemetry is sent to `https://localhost:4317` using the gRPC protocol and to `http://localhost:4318` using the HTTP protocol.
+
+You can override this by setting the [standard OpenTelemetry environment variable](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/) `OTEL_EXPORTER_OTLP_ENDPOINT`.
+
+Please refer to [OTEL Collector documentation](https://opentelemetry.io/docs/collector/) for instruction on how to setup a sidecar for the metrics collections or find out if your SaaS monitoring has an available OTEL endpoint (see [Honeycomb](https://docs.honeycomb.io/send-data/opentelemetry/) as an example).
+
+### Sending metrics to Google Cloud Platform
+
+There are two standard options of ingesting metrics procuded by Orchard Controller and Workers into the GCP:
+
+* [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/) + [Google Cloud Exporter](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/exporter/googlecloudexporter/README.md) — open-source solution that can be later re-purposed to send metrics to any OTLP-compatible endpoint by swapping a single [exporter](https://opentelemetry.io/docs/collector/configuration/#exporters)
+* [Ops Agent](https://cloud.google.com/monitoring/agent/ops-agent/otlp) — Google-backed solution with a syntax similar to OpenTelemetry Collector, but tied to GCP-only
diff --git a/docs/orchard/quick-start.md b/docs/orchard/quick-start.md
new file mode 100644
index 00000000..9d3507c2
--- /dev/null
+++ b/docs/orchard/quick-start.md
@@ -0,0 +1,101 @@
+Tart is great for running workloads on a single machine, but what if you have more than one computer at your disposal
+and
+a couple of VMs is not enough anymore for your needs? This is where [Orchard](https://github.com/cirruslabs/orchard)
+comes in to play!
+
+It allows you to orchestrate multiple Tart-capable hosts from either an Orchard CLI (which we demonstrate below)
+or [through the API](integration-guide.md).
+
+The easiest way to start is to run Orchard in local development mode:
+
+```shell
+brew install cirruslabs/cli/orchard
+orchard dev
+```
+
+This will run an Orchard Controller and an Orchard Worker in a single process on your local machine, allowing you to
+test both the CLI functionality and the API from a tool like cURL or programming language of choice, without the need to
+authenticate requests.
+
+Note that in production deployments, these two components are started separately and enable security by default. Please
+refer to [Deploying Controller](deploying-controller.md) and [Deploying Workers](deploying-workers.md) for
+more information.
+
+## Creating Virtual Machines
+
+Now, let's create a Virtual Machine:
+
+```shell
+orchard create vm --image ghcr.io/cirruslabs/macos-sequoia-base:latest sequoia-base
+```
+
+You can check a list of VM resources to see if the Virtual Machine we've created above is already running:
+
+```shell
+orchard list vms
+```
+
+## Accessing Virtual Machines
+
+Orchard has an ability to do port forwarding that `ssh` and `vnc` commands are built on top of. All port forwarding
+connections are done via the Orchard Controller instance which "proxies" a secure connection to the Orchard Workers.
+
+Therefore, your workers can be located under a stricter firewall that only allows connections to the Orchard Controller
+instance. Orchard Controller instance is secured by default and all API calls are authenticated and authorized.
+
+### SSH
+
+To SSH into a VM, use the `orchard ssh` command:
+
+```shell
+orchard ssh vm sequoia-base
+```
+
+You can specify the `--username` and `--password` flags to specify the username/password pair to use for the SSH
+protocol. By default, `admin`/`admin` is used.
+
+You can also execute remote commands instead of spawning a login shell, similarly to how OpenSSH's `ssh` command accepts
+a command argument:
+
+```shell
+orchard ssh vm sequoia-base "uname -a"
+```
+
+You can execute scripts remotely this way, by telling the remote command-line interpreter to read from the standard
+input and using the redirection operator as follows:
+
+```shell
+orchard ssh vm sequoia-base "bash -s" < script.sh
+```
+
+### VNC
+
+Similarly to `ssh` command, you can use `vnc` command to open Screen Sharing into a remote VM:
+
+```shell
+orchard vnc vm sequoia-base
+```
+
+You can specify the `--username` and `--password` flags to specify the username/password pair to use for the VNC
+protocol. By default, `admin`/`admin` is used.
+
+## Deleting Virtual Machines
+
+The following command will delete the VM we've created above and clean-up the resources associated with it:
+
+```shell
+orchard delete vm sequoia-base
+```
+
+## Environment variables
+
+In addition to controlling the Orchard via the CLI arguments, there are environment variables that may be beneficial
+both when automating Orchard and in daily use:
+
+| Variable name | Description |
+|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `ORCHARD_HOME` | Override Orchard's home directory. Useful when running multiple Orchard instances on the same host and when testing. |
+| `ORCHARD_LICENSE_TIER` | The default license limit only allows connecting 4 Orchard Workers to the Orchard Controller. If you've purchased a [Gold Tier License](../licensing.md), set this variable to `gold` to increase the limit to 20 Orchard Workers. And if you've purchased a [Platinum Tier License](../licensing.md), set this variable to `platinum` to increase the limit to 200 Orchard Workers. |
+| `ORCHARD_URL` | Override controller URL on per-command basis. |
+| `ORCHARD_SERVICE_ACCOUNT_NAME` | Override service account name (used for controller API auth) on per-command basis. |
+| `ORCHARD_SERVICE_ACCOUNT_TOKEN` | Override service account token (used for controller API auth) on per-command basis. |
diff --git a/docs/orchard/using-orchard-cli.md b/docs/orchard/using-orchard-cli.md
new file mode 100644
index 00000000..8ba5db8e
--- /dev/null
+++ b/docs/orchard/using-orchard-cli.md
@@ -0,0 +1,86 @@
+## Installation
+
+The easiest way to install Orchard CLI is through the [Homebrew](https://brew.sh/):
+
+```shell
+brew install cirruslabs/cli/orchard
+```
+
+Binaries and packages for other architectures can be found in [GitHub Releases](https://github.com/cirruslabs/orchard/releases).
+
+## Setting up a context
+
+The first step after installing the Orchard CLI is to configure its context. Configuring context is like pairing with the specified Orchard Controller, so that the commands like `orchard create vm`, `orchard ssh vm` will work.
+
+To configure a context, `orchard context` has a subfamily of commands:
+
+* `orchard context create ` — creates a new context to communicate with Orchard Controller available on the specified address
+* `orchard context default ` — sets a context with a given Orchard Controller address as default (in case there's more than one context configured)
+* `orchard context list` — lists all the configured contexts, indicating the default one
+* `orchard context delete ` — deletes a context for the specified Orchard Controller address
+
+Most of the time, you'll only need the `orchard context create`. For example, if you've deployed your Orchard Controller to `orchard-controller.example.com`, a new context can be configured like so:
+
+```shell
+orchard context create orchard-controller.example.com
+```
+
+`orchard context create` assumes port 6120 by default, so if you use a different port for the Orchard Controller, simply specify the port explicitly:
+
+```shell
+orchard context create orchard-controller.example.com:8080
+```
+
+When creating a new context you will be prompted for the service account name and token, which can be obtained from:
+
+* `orchard controller run` logs
+ * if this is a first start
+* `orchard get service-account`
+ * from an already configured Orchard CLI
+
+## Using labels when creating VMs
+
+Labels are useful if you want to restrict scheduling of a VM to workers whose labels include a subset of the VM's specified labels.
+
+For example, you might have an Orchard Cluster consisting of the following workers:
+
+* Mac Minis (`orchard worker run --labels location=DC1-R12-S4,model=macmini`)
+* Mac Studios (`orchard worker run --labels location=DC1-R18-S8,model=macstudio`)
+
+To create and run a VM specifically on Mac Studio machines, pass the `--labels` command-line argument to `orchard create vm` when creating a VM:
+
+```shell
+orchard create vm --labels model=macstudio
+```
+
+When processing this VM, the scheduler will only place it on available Mac Studio workers.
+
+## Using resources when creating VMs
+
+Resources are useful if you want to restrict scheduling of a VM to workers that still have enough of the specified resource to fit the VM's requirements.
+
+The difference between the labels is that the resources are finite and are automatically accounted by the scheduler.
+
+To illustrate this with an example, let's say you have an Orchard Cluster consisting of the following workers:
+
+* Mac Mini with 1 Gbps bandwidth (`orchard worker run --resources bandwidth-mbps=1000`)
+* Mac Studio with 10 Gbps bandwidth (`orchard worker run --resources bandwidth-mbps=10000`)
+
+VM created using the command below will only be scheduled on a Mac Studio with 10 Gbps bandwidth:
+
+```shell
+orchard create vm --resources bandwidth-mbps=7500
+```
+
+However, after this VM is scheduled, the 10 Gbps Mac Studio will only be able to accommodate one more VM (due to internal Apple EULA limit for macOS virtualization) with `bandwidth-mbps=2500` or less.
+
+After the VM finishes, the unused resources will be available again.
+
+## Automatic resources
+
+In addition to manually specifying resources when starting a worker, the following resources are discovered and set automatically by the worker for convenience:
+
+* `org.cirruslabs.logical-cores` — number of logical cores on the host
+* `org.cirruslabs.memory-mib` — total memory in MiB (mebibytes) on the host
+
+Note that the values for these resources are scraped only once at worker startup.
diff --git a/docs/quick-start.md b/docs/quick-start.md
new file mode 100644
index 00000000..ec053df8
--- /dev/null
+++ b/docs/quick-start.md
@@ -0,0 +1,163 @@
+---
+hide:
+ - navigation
+title: Quick Start
+description: Install Tart and run your first virtual machine on Apple Silicon in minutes.
+---
+
+Try running a Tart VM on your Apple Silicon device running macOS 13.0 (Ventura) or later (will download a 25 GB image):
+
+```bash
+brew install cirruslabs/cli/tart
+tart clone ghcr.io/cirruslabs/macos-sequoia-base:latest sequoia-base
+tart run sequoia-base
+```
+
+??? info "Manual installation from a release archive"
+ It's also possible to manually install `tart` binary from the latest released archive:
+
+ ```bash
+ curl -LO https://github.com/cirruslabs/tart/releases/latest/download/tart.tar.gz
+ tar -xzvf tart.tar.gz
+ ./tart.app/Contents/MacOS/tart clone ghcr.io/cirruslabs/macos-sequoia-base:latest sequoia-base
+ ./tart.app/Contents/MacOS/tart run sequoia-base
+ ```
+
+ Please note that `./tart.app/Contents/MacOS/tart` binary is required to be used in order to trick macOS
+ to pick `tart.app/Contents/embedded.provisionprofile` for elevated privileges that Tart needs.
+
+
+
+
+
+## VM images
+
+The following macOS images are currently available:
+
+* macOS 15 (Sequoia)
+ * `ghcr.io/cirruslabs/macos-sequoia-vanilla:latest`
+ * `ghcr.io/cirruslabs/macos-sequoia-base:latest`
+ * `ghcr.io/cirruslabs/macos-sequoia-xcode:latest`
+* macOS 14 (Sonoma)
+ * `ghcr.io/cirruslabs/macos-sonoma-vanilla:latest`
+ * `ghcr.io/cirruslabs/macos-sonoma-base:latest`
+ * `ghcr.io/cirruslabs/macos-sonoma-xcode:latest`
+* macOS 13 (Ventura)
+ * `ghcr.io/cirruslabs/macos-ventura-vanilla:latest`
+ * `ghcr.io/cirruslabs/macos-ventura-base:latest`
+ * `ghcr.io/cirruslabs/macos-ventura-xcode:latest`
+* macOS 12 (Monterey)
+ * `ghcr.io/cirruslabs/macos-monterey-vanilla:latest`
+ * `ghcr.io/cirruslabs/macos-monterey-base:latest`
+ * `ghcr.io/cirruslabs/macos-monterey-xcode:latest`
+
+There's also a [full list of images](https://github.com/orgs/cirruslabs/packages?tab=packages&q=macos-) in which you can discovery specific tags (e.g. `ghcr.io/cirruslabs/macos-monterey-xcode:15`) and [macOS-specific Packer templates](https://github.com/cirruslabs/macos-image-templates) that were used to generate these images.
+
+For, Linux the options are as follows:
+
+* Ubuntu
+ * `ghcr.io/cirruslabs/ubuntu:latest`
+* Debian
+ * `ghcr.io/cirruslabs/debian:latest`
+* Fedora
+ * `ghcr.io/cirruslabs/fedora:latest`
+
+Note that these Linux images have a minimal disk size of 20 GB, and you might want to resize them right after cloning:
+
+```bash
+tart clone ghcr.io/cirruslabs/ubuntu:latest ubuntu
+tart set ubuntu --disk-size 50
+tart run ubuntu
+```
+
+These Linux images can be ran natively on [Vetu](https://github.com/cirruslabs/vetu), our virtualization solution for Linux, assuming that Vetu itself is running on an `arm64` machine.
+
+Similarly to macOS, there's also a [full list of images](https://github.com/orgs/cirruslabs/packages?repo_name=linux-image-templates) in which you can discovery specific tags (e.g. `ghcr.io/cirruslabs/ubuntu:22.04`) and [Linux-specific Packer templates](https://github.com/cirruslabs/linux-image-templates) that were used to generate these images.
+
+All images above use the following credentials:
+
+* Username: `admin`
+* Password: `admin`
+
+These credentials work both for logging in via GUI, console (Linux) and SSH.
+
+## SSH access
+
+If the guest VM is running and configured to accept incoming SSH connections you can conveniently connect to it like so:
+
+```bash
+ssh admin@$(tart ip sequoia-base)
+```
+
+!!! tip "Running scripts inside Tart virtual machines"
+ We recommend using [Cirrus CLI](integrations/cirrus-cli.md) to run scripts and/or retrieve artifacts
+ from within Tart virtual machines. Alternatively, you can use plain ssh connection and `tart ip` command:
+
+ ```bash
+ brew install cirruslabs/cli/sshpass
+ sshpass -p admin ssh -o "StrictHostKeyChecking no" -o "UserKnownHostsFile=/dev/null" admin@$(tart ip sequoia-base) "uname -a"
+ sshpass -p admin ssh -o "StrictHostKeyChecking no" -o "UserKnownHostsFile=/dev/null" admin@$(tart ip sequoia-base) < script.sh
+ ```
+
+## Mounting directories
+
+To mount a directory, run the VM with the `--dir` argument:
+
+```bash
+tart run --dir=project:~/src/project vm
+```
+
+Here, the `project` specifies a mount name, whereas the `~/src/project` is a path to the host's directory to expose to the VM.
+
+It is also possible to mount directories in read-only mode by adding a third parameter, `ro`:
+
+```bash
+tart run --dir=project:~/src/project:ro vm
+```
+
+To mount multiple directories, repeat the `--dir` argument for each directory:
+
+```bash
+tart run --dir=www1:~/project1/www --dir=www2:~/project2/www
+```
+
+Note that the first parameter in each `--dir` argument must be unique, otherwise only the last `--dir` argument using that name will be used.
+
+Note: to use the directory mounting feature, the host needs to run macOS 13.0 (Ventura) or newer.
+
+### Accessing mounted directories in macOS guests
+
+All shared directories are automatically mounted to `/Volumes/My Shared Files` directory.
+
+The directory we've mounted above will be accessible from the `/Volumes/My Shared Files/project` path inside a guest VM.
+
+Note: to use the directory mounting feature, the guest VM needs to run macOS 13.0 (Ventura) or newer.
+
+??? tip "Changing mount location"
+ It is possible to remount the directories after a virtual machine is started by running the following commands:
+
+ ```bash
+ sudo umount "/Volumes/My Shared Files"
+ mkdir ~/workspace
+ mount_virtiofs com.apple.virtio-fs.automount ~/workspace
+ ```
+
+ After running the above commands the direcory will be available at `~/workspace/project`
+
+### Accessing mounted directories in Linux guests
+
+To be able to access the shared directories from the Linux guest, you need to manually mount the virtual filesystem first:
+
+```bash
+sudo mkdir /mnt/shared
+sudo mount -t virtiofs com.apple.virtio-fs.automount /mnt/shared
+```
+
+The directory we've mounted above will be accessible from the `/mnt/shared/project` path inside a guest VM.
+
+??? info "Auto-mount at boot time"
+ To automatically mount this directory at boot time, add the following line to the `/etc/fstab` file:
+
+ ```shell
+ com.apple.virtio-fs.automount /mnt/shared virtiofs rw,relatime 0 0
+ ```
diff --git a/docs/robots.txt b/docs/robots.txt
new file mode 100644
index 00000000..5eaa492a
--- /dev/null
+++ b/docs/robots.txt
@@ -0,0 +1,4 @@
+User-agent: *
+Allow: *
+Disallow:
+Sitemap: https://tart.run/sitemap.xml
diff --git a/docs/stylesheets/extra.css b/docs/stylesheets/extra.css
new file mode 100644
index 00000000..ede6e613
--- /dev/null
+++ b/docs/stylesheets/extra.css
@@ -0,0 +1,34 @@
+/* Remove default title on the page */
+.md-content__inner h1:first-child {
+ display: none;
+}
+
+/* Adjust to 2px to align with the title */
+.md-logo {
+ padding-top: 6px;
+}
+
+.btn {
+ border: none;
+ padding: 14px 28px;
+ cursor: pointer;
+ display: inline-block;
+
+ background: #009688;
+ color: white;
+}
+
+.btn:hover {
+ background: #00bfa5;
+ color: white;
+}
+
+.center {
+ display: block;
+ margin-left: auto;
+ margin-right: auto;
+}
+
+.text-center {
+ text-align: center;
+}
diff --git a/docs/stylesheets/landing.css b/docs/stylesheets/landing.css
new file mode 100644
index 00000000..7e2b531a
--- /dev/null
+++ b/docs/stylesheets/landing.css
@@ -0,0 +1,305 @@
+.tx-container {
+ background: linear-gradient(
+ to bottom,
+ var(--md-primary-fg-color),
+ var(--md-default-bg-color) 100%
+ );
+}
+[data-md-color-scheme="slate"] .tx-container {
+ background: linear-gradient(
+ to bottom,
+ var(--md-primary-fg-color),
+ var(--md-default-bg-color) 100%
+ );
+}
+
+.tx-landing {
+ margin: 0 0.8rem;
+ color: var(--md-primary-bg-color);
+}
+
+.tx-landing__logos {
+ display: flex;
+ flex-direction: row;
+ flex-wrap: wrap;
+ justify-content: center;
+}
+
+.tx-landing__quote {
+ display: flex;
+ border-radius: 1em;
+ padding: 1em 1em 5em 1em;
+ text-align: center;
+ background: var(--md-primary-fg-color);
+}
+
+.tx-landing__quote blockquote {
+ border: 0;
+ color: #fff;
+}
+
+.tx-landing__quotes figure {
+ margin: 2em auto 2em auto;
+}
+
+.tx-landing__logos img {
+ height: 8vh;
+ max-height: 81px; /* max height of images */
+ width: auto;
+ margin: 2vh;
+ vertical-align: middle;
+}
+
+.tx-landing__quote a img {
+ height: 6vh;
+ max-height: 81px; /* max height of images */
+ display: block;
+ margin-left: auto;
+ margin-right: auto;
+}
+
+.tx-landing__content p a {
+ color: inherit;
+ text-decoration: underline;
+}
+.tx-landing__content p a:hover {
+ color: darkblue;
+ text-decoration: underline;
+}
+
+.tx-landing .md-button {
+ margin-top: 0.5rem;
+ margin-right: 0.5rem;
+ color: var(--md-primary-bg-color);
+}
+.tx-landing .md-button:hover,
+.tx-landing .md-button:focus {
+ color: var(--md-default-bg-color);
+ background-color: var(--md-default-fg-color);
+ border-color: var(--md-default-fg-color);
+}
+
+.tx-landing__testimonials {
+ width: 100%;
+ text-align: center;
+}
+
+.tx-landing h1 {
+ margin-bottom: 1rem;
+ color: currentColor;
+ font-weight: 700;
+}
+
+.md-typeset h2 + h3 {
+ font-size: 1em;
+ margin-top: -0.8em;
+}
+
+.md-typeset figure {
+ display: flex;
+}
+
+.md-content header {
+ display: block;
+}
+
+.mdx-spotlight {
+ margin: 2em 0;
+}
+
+.mdx-spotlight__feature {
+ display: flex;
+ flex: 1 0 48%;
+ flex-flow: row nowrap;
+ gap: 3.2rem;
+ margin: 0 0 3.2rem;
+}
+.mdx-spotlight__feature:last-child {
+ margin-bottom: 1em;
+}
+
+.mdx-spotlight__feature > img {
+ display: block;
+ flex-shrink: 0;
+ border-radius: 0.2rem;
+ box-shadow: var(--md-shadow-z2);
+ width: 25rem;
+ max-width: 100%;
+}
+
+.mdx-spotlight__feature > #lottie-player {
+ display: block;
+ flex-shrink: 0;
+ border-radius: 0.2rem;
+ box-shadow: var(--md-shadow-z2);
+ width: 25rem;
+ max-width: 100%;
+ background-color: rgb(5 62 94);
+}
+
+.mdx-spotlight__feature figcaption {
+ margin-top: 0.8rem;
+}
+
+.mdx-parallax__group {
+ background-color: var(--md-default-bg-color);
+ color: var(--md-typeset-color);
+ display: block;
+ position: relative;
+ transform-style: preserve-3d;
+}
+.mdx-parallax__group:first-child {
+ background-color: initial;
+ contain: strict;
+ height: 140vh;
+}
+.mdx-parallax__group:last-child {
+ background-color: var(--md-default-bg-color);
+}
+
+.mdx-installations {
+ display: block;
+}
+
+.mdx-users {
+ display: flex;
+ gap: 3.2rem;
+ margin: 2.4rem 0;
+}
+
+.mdx-users__testimonial {
+ display: flex;
+ flex: 1;
+ flex-direction: column;
+ gap: 1.2rem;
+ margin: 0;
+ text-align: center;
+}
+
+.mdx-users__testimonial img {
+ border-radius: 5rem;
+ height: auto;
+ margin-left: auto;
+ margin-right: auto;
+ width: 10rem;
+}
+
+.mdx-users__testimonial figcaption {
+ display: block;
+}
+
+.mdx-users__testimonial hr {
+ margin-left: auto;
+ margin-right: auto;
+ width: 5rem;
+}
+
+.mdx-users__testimonial cite {
+ display: block;
+ -webkit-hyphens: auto;
+ hyphens: auto;
+ text-align: justify;
+}
+
+/* General media */
+@media screen and (max-width: 30em) {
+ .tx-landing h1 {
+ font-size: 1.4rem;
+ }
+}
+
+@media screen and (max-width: 59.9375em) {
+ .mdx-spotlight__feature {
+ flex-direction: column;
+ gap: 0;
+ }
+
+ .mdx-spotlight__feature > img {
+ margin-left: auto;
+ margin-right: auto;
+ height: auto;
+ }
+
+ .mdx-users {
+ flex-direction: column;
+ }
+
+ /* Reset one padding between sections */
+ .md-content__inner-testimonials {
+ padding: 0px 0px 2.2rem !important;
+ }
+}
+
+@media screen and (min-width: 60em) {
+ .tx-container {
+ padding-bottom: 7vw;
+ }
+
+ .tx-landing {
+ display: flex;
+ align-items: stretch;
+ height: 85%;
+ }
+
+ .tx-landing__content {
+ align-self: center;
+ max-width: 19rem;
+ margin-top: 3.5rem;
+ }
+
+ .tx-landing__image {
+ order: 1;
+ width: 38rem;
+ }
+
+ .tx-landing__quotes {
+ margin: 1em 5em;
+ }
+
+ .mdx-spotlight__feature:nth-child(odd) {
+ flex-direction: row-reverse;
+ }
+}
+
+/* Extra media for .mdx-parallax__group:first-child */
+@media (min-width: 125vh) {
+ .mdx-parallax__group:first-child {
+ height: 120vw;
+ }
+}
+
+@media (min-width: 137.5vh) {
+ .mdx-parallax__group:first-child {
+ height: 125vw;
+ }
+}
+
+@media (min-width: 150vh) {
+ .mdx-parallax__group:first-child {
+ height: 130vw;
+ }
+}
+
+@media (min-width: 162.5vh) {
+ .mdx-parallax__group:first-child {
+ height: 135vw;
+ }
+}
+
+@media (min-width: 175vh) {
+ .mdx-parallax__group:first-child {
+ height: 140vw;
+ }
+}
+
+@media (min-width: 187.5vh) {
+ .mdx-parallax__group:first-child {
+ height: 145vw;
+ }
+}
+
+@media (min-width: 200vh) {
+ .mdx-parallax__group:first-child {
+ height: 150vw;
+ }
+}
diff --git a/docs/theme/overrides/home.html b/docs/theme/overrides/home.html
new file mode 100644
index 00000000..09d0d0cc
--- /dev/null
+++ b/docs/theme/overrides/home.html
@@ -0,0 +1,325 @@
+{% extends "base.html" %}
+
+
+{% block tabs %} {{ super() }}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Tart is a virtualization toolset to build, run and
+ manage macOS and Linux virtual machines on
+ Apple Silicon.
+
+ Tart is using Apple’s native
+ Virtualization.Framework that was developed along with
+ architecting the first M1 chip. This seamless integration
+ between hardware and software ensures smooth performance without
+ any drawbacks.
+
+
+
+
+
+
+
Remote storage for Virtual Machines
+
+ For storing virtual machine images Tart integrates with
+ OCI-compatible container registries. Work with virtual machines as
+ you used to with Docker containers.
+
+
+
+
+
+
+
Seamless integration with your existing automations
+
+ Tart integrates with many continuous integration systems, including a dedicated
+ service of on-demand GitHub Actions Runners. With a single line change, you can cut your
+ CI/CD costs by up to 30 times by using Cirrus
+ Runners
+ to run your workflows.
+
+ Tart toolset includes Orchard Orchestration — tool to run and manage Tart virtual
+ machines at scale on a cluster of Apple Silicon hosts. An Orchard Cluster exposes a simple REST API to
+ manage thousands virtual machines. Orchard CLI allows accessing remote virtual machines like they run
+ locally.
+
+ With more than 25,000 installations to date, Tart has been
+ adopted for various scenarios.
+ Its applications range from powering CI/CD pipelines and reproducible local development environments,
+ to helping in the testing of device management systems without actual physical devices.
+
+
+
+ Thanks to the minimal overhead of using the Apple Virtualization
+ API, we’ve seen some performance improvements in booting new
+ virtual machines compared with Anka.
+
+
+
+
+
+
+
+
+
+ Tart was the practical way for us to use the Virtualization framework. Cirrus Labs’
+ continued maintenance and support gives us confidence, and it is also important for us
+ to be able to read the source code when we need to understand an abstraction layer below.
+
+
+
+
+
+
+
+
+
+ The Snowflake Red Team had a need for macOS CI/CD and a segmented macOS development
+ environment. We solved this problem and shared our implementation with macOS EC2 and Tart.
+ We also automated this process with Terraform/Packer to simplify the deployment of our
+ infrastructure and machine images.
+
+
+
+
+ 
+ 
+ 
+ 
+ 
+