The stages
Validate
Parse every YAML source, expand any OpenAPI-backed resources, check each resource against its schema, and extract the
${kind.ref_name} references that define dependencies.Closure
Topologically sort the resources from their references, so every dependency is created before the resource that needs it.
Reconcile
Diff your desired resources against what already exists remotely. Discovery decides, per resource, whether it must be created, updated, or left unchanged.
Plan
Compile the reconciliation result into a concrete set of create / update / delete operations in dependency order.
plan vs apply
plan and apply run the same pipeline through the Plan stage. The only difference is whether the Execute stage performs side effects:
| Command | Runs validate → plan | Executes operations | Side effects |
|---|---|---|---|
wxctl plan | yes | no | none — a dry run |
wxctl apply | yes | yes | creates / updates resources remotely |
plan is a faithful preview of what apply will do. destroy runs the same pipeline in reverse-dependency order to tear resources down leaves-first.
Late-bound identifier resolution
A reference like${tool.calculator} is not resolved when the file is parsed — the resource may not exist yet. It is resolved during Execute, once the referenced resource has been created and its real identifier is known. wxctl then substitutes that identifier in whatever shape the consuming API requires: a bare UUID or GUID, an href, a CRN, or a nested object.
This late binding is what lets one configuration work across environments. Nothing in the YAML is pinned to a specific instance — the identifiers are discovered or created fresh each run.
Next steps
Declarative model
Resources, references, and how YAML sources combine.
Profiles & credentials
How wxctl authenticates to each service.