feat(inspect): add inspect module

Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>

Author: brandtkeller

02-deploy-zarf-package/README.md

@@ -61,13 +61,6 @@ zarf tools kubectl port-forward -n argocd service/argocd-server 42000:80
 Then open your browser to [http://localhost:42000](http://localhost:42000).
 
 
-## Conclusion
-
-You've built and deployed a complete Zarf package end-to-end. From here, Zarf has a lot more to offer for air-gapped software delivery:
-
-- Browse the [Zarf examples](https://github.com/zarf-dev/zarf/tree/main/examples) for more complex package configurations
-- Read the [Zarf documentation](https://docs.zarf.dev) for the full feature set
-
 ---
 
-**Back:** [Part 1: Create a Zarf Package](../01-create-zarf-package/README.md)
+**Back:** [Part 1: Create a Zarf Package](../01-create-zarf-package/README.md) | **Next:** [Part 3: Inspect a Zarf Package](../03-inspect-zarf-package/README.md)

03-inspect-zarf-package/README.md

@@ -0,0 +1,160 @@
+# Part 3: Inspect a Zarf Package
+
+A Zarf Package is meant to be a transparent "envelope" of what is packaged for secure software delivery. This is intentional such that they can transition organizational boundaries with provenance and trust.
+
+You can inspect a Zarf Package in multiple locations:
+- A tarball on your filesystem
+- Published to an OCI Registry
+- Deployed to your Kubernetes Cluster
+
+Make sure you're in the same `zarf-package` directory you used in Parts 1 and 2.
+
+## Declarative Packaging and the Filesystem (optional)
+
+You might be asking yourself — "What actually happened earlier when I packaged ArgoCD?"
+
+Decompress the package tarball to take a look:
+
+```bash
+zarf tools archiver decompress zarf-package-argocd-amd64-9.4.4.tar.zst unarchived/ --unarchive-all
+```
+
+> [!NOTE]
+> Replace the filename with the actual tarball name if your architecture differs (e.g., `arm64` instead of `amd64`).
+
+You should see a structure like the following:
+
+```
+unarchived
+├── checksums.txt
+├── components
+│   └── argocd
+│       ├── charts
+│       │   └── argo-cd-9.4.4.tgz
+│       └── values
+│           └── argo-cd-9.4.4-0
+├── images
+│   ├── blobs
+│   │   └── sha256
+│   │       └── ...
+│   ├── index.json
+│   ├── ingest
+│   └── oci-layout
+├── sboms
+│   ├── compare.html
+│   ├── docker.io_library_redis_8.2.3-alpine.json
+│   ├── quay.io_argoproj_argocd_v3.3.2.json
+│   ├── sbom-viewer-docker.io_library_redis_8.2.3-alpine.html
+│   └── sbom-viewer-quay.io_argoproj_argocd_v3.3.2.html
+└── zarf.yaml
+```
+
+This expands as you add more components to the manifest in such a way that Zarf can deterministically deploy 1→N applications from a given manifest.
+
+If you were to sign this Zarf Package, you would additionally see the signature included in the archive — creating more portable provenance for cryptographic integrity.
+
+## Inspect Commands (filesystem)
+
+The `zarf package inspect` command provides further transparency into the package:
+
+```bash
+zarf package inspect --help
+```
+
+This will output the following sub-commands:
+
+```
+  definition    Displays the 'zarf.yaml' definition for the specified package
+  documentation Extract documentation files from the package
+  images        List all container images contained in the package
+  manifests     Template and output all manifests and charts in a package
+  sbom          Output the package SBOM (Software Bill Of Materials) to the specified directory
+  values-files  Creates, templates, and outputs the values-files to be sent to each chart
+```
+
+Try a few of them:
+
+View the `zarf.yaml` definition for the package:
+
+```bash
+zarf package inspect definition zarf-package-argocd-amd64-9.4.4.tar.zst
+```
+
+See all of the rendered manifests for the packaged Helm charts:
+
+```bash
+zarf package inspect manifests zarf-package-argocd-amd64-9.4.4.tar.zst
+```
+
+View the values files that will be sent to each chart:
+
+```bash
+zarf package inspect values-files zarf-package-argocd-amd64-9.4.4.tar.zst
+```
+
+Output the package SBOMs to a local directory:
+
+```bash
+zarf package inspect sbom zarf-package-argocd-amd64-9.4.4.tar.zst
+```
+
+List the images included in the package:
+
+```bash
+zarf package inspect images zarf-package-argocd-amd64-9.4.4.tar.zst
+```
+
+## Inspect a Deployed Package
+
+Zarf doesn't just package applications into deterministic archives — it also tracks state when deploying. This enables users to identify which versions of applications they have deployed, as well as inspect or remove them.
+
+List deployed packages:
+
+```bash
+zarf package list
+```
+
+Inspect the definition of a deployed package:
+
+```bash
+zarf package inspect definition argocd
+```
+
+View the images from a deployed package:
+
+```bash
+zarf package inspect images argocd
+```
+
+> [!NOTE]
+> Currently Zarf does not store SBOMs or values-files for deployed packages.
+
+## Remove a Package from the Cluster
+
+Given that Zarf stores the deployed package state, you have the option to upgrade packages in-place or remove a package and all of its resources.
+
+Confirm the `argocd` package is still deployed:
+
+```bash
+zarf package list
+```
+
+Remove the `argocd` package from the cluster:
+
+```bash
+zarf package remove argocd
+```
+
+This will prompt you to confirm removal. You can also use the `--confirm` flag to auto-confirm.
+
+Verify the package has been removed:
+
+```bash
+zarf tools kubectl get all -n argocd
+```
+
+You should see that the argocd namespace and its resources are gone.
+
+---
+
+**Back:** [Part 2: Deploy a Zarf Package](../02-deploy-zarf-package/README.md)

README.md

@@ -10,6 +10,7 @@ In this tutorial, you'll build a Zarf package for [ArgoCD](https://argo-cd.readt
 - How to use `zarf dev find-images` to discover required container images
 - How to build a Zarf package tarball
 - How to deploy a Zarf package to a Kubernetes cluster
+- How to inspect and remove a deployed package
 
 ## Prerequisites
 
@@ -46,5 +47,14 @@ Select `y` to confirm deploying the package and `y` for the `git-server` compone
 |------|-------------|
 | [Part 1: Create a Zarf Package](./01-create-zarf-package/README.md) | Author a `zarf.yaml`, discover images, and build the package tarball |
 | [Part 2: Deploy a Zarf Package](./02-deploy-zarf-package/README.md) | Deploy the package to your cluster and access ArgoCD |
+| [Part 3: Inspect a Zarf Package](./03-inspect-zarf-package/README.md) | Inspect package contents, deployed state, and remove a package |
 
-Work through the parts in order — Part 2 depends on the package tarball produced in Part 1.
+Work through the parts in order — each part builds on the state from the previous one.
+
+## Next Steps
+
+After completing the tutorial, there's a lot more to explore with Zarf:
+
+- Browse the [Zarf examples](https://github.com/zarf-dev/zarf/tree/main/examples) for more complex package configurations (multi-component packages, OCI publishing, custom variables, etc.)
+- Read the [Zarf documentation](https://docs.zarf.dev) for the full feature set
+- Try packaging your own application — start with a skeleton `zarf.yaml` and iterate from there