docs: merge updated Ory Talos docs with path-based URLs #2603
Adopt the updated public Ory Talos documentation with cleaner path-based page IDs, regenerate the API reference from the new OpenAPI v3 spec, rewire the OEL and OSS Talos sidebars, and add redirects from the old custom-ID URLs.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Address PR review feedback:
- Remove phantom /talos/quickstart/index redirect (URL never existed)
- Add redirects for renamed CLI pages talos-keys-revoke and talos-serve-check
- Re-add talos/operate/benchmarks to the OEL sidebar (dropped during the path-based rename)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Note: Reviews paused
It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
No actionable comments were generated in the recent review. 🎉
📝 Walkthrough
Large-scale Talos documentation overhaul: concepts rewritten, integrate/SDK examples updated, operate/deploy guides reworked, OpenAPI v2alpha1 spec added/renamed, CLI docs regenerated, sidebars and redirects adjusted, and admin/public API surface and token/key semantics clarified.
Changes: Talos Docs and API Reference Overhaul
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~75 minutes
Actionable comments posted: 16
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/talos/reference/cli/talos-keys-issued.md (1)
19-19: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Update synopsis to include revoke for command parity.
Line 19 says “Get, list, update, and rotate issued API keys,” but Line 42 adds `revoke` as a supported subcommand. Please include revoke in the synopsis for consistency.
Also applies to: 42-42
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/talos/reference/cli/talos-keys-issued.md` at line 19, Update the synopsis sentence that currently reads "Get, list, update, and rotate issued API keys" to include the revoke subcommand so it matches the supported subcommands (e.g., change it to "Get, list, update, rotate, and revoke issued API keys"); ensure the revised synopsis string is used in the same documentation section where the subcommands (including revoke) are listed so both stay consistent.
🧹 Nitpick comments (1)
docs/talos/reference/api/admin-get-issued-api-key.ParamsDetails.json (1)
1-1: ⚡ Quick win
Add description to key_id parameter for consistency.
The `key_id` parameter lacks a description, while the equivalent parameter in `admin-get-imported-api-key.ParamsDetails.json` includes one. For documentation completeness and consistency, consider adding a description explaining what this parameter represents (e.g., the issued key identifier).
📝 Suggested enhancement
-{"parameters":[{"in":"path","name":"key_id","required":true,"schema":{"type":"string"}}]} +{"parameters":[{"description":"Identifier of the issued API key (REQUIRED)","in":"path","name":"key_id","required":true,"schema":{"type":"string"}}]}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/talos/reference/api/admin-get-issued-api-key.ParamsDetails.json` at line 1, Add a "description" field to the parameter object for "key_id" (the issued API key identifier) so the parameter mirrors the equivalent entry in admin-get-imported-api-key.ParamsDetails.json; update the JSON parameter entry for "key_id" to include a concise description like "The issued API key identifier" to improve documentation consistency.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/talos/operate/database/migrations.md`:
- Around line 95-98: Change the env var name from DB_DSN to the documented
TALOS_DB_DSN in the Kubernetes example so the CLI can find the DSN when running
args: ["migrate", "up"]; additionally either add a --database argument that
references the TALOS_DB_DSN env var to the args array or ensure the migrate
command reads TALOS_DB_DSN by default (update the env entry for DB_DSN ->
TALOS_DB_DSN and adjust args or command invocation accordingly).
In `@docs/talos/operate/deploy/docker.md`:
- Line 10: Replace the absolute GitHub URL used in the markdown link labeled
"GitHub releases" with a relative link to the local docs page (pointing to a .md
or .mdx file and including the file extension), keeping the link text but
ensuring the URL is a relative path (not starting with http://, https://, or a
leading slash) and conforms to the docs linking rule.
In `@docs/talos/operate/index.md`:
- Line 14: Update the Deploy list item text under the "Deploy" link so it
matches the new Deploy page: replace "run Talos with Docker, Kubernetes, or as a
systemd service" with a phrase reflecting the current options, e.g. "run Talos
using Docker or as a binary (systemd)" — edit the line containing the Deploy
link text shown in the diff to ensure the onboarding flow matches the updated
deploy docs.
In `@docs/talos/operate/multi-tenancy.md`:
- Around line 158-162: The curl example that ends with a pipeline to jq is
ambiguous; update the pipeline from `| jq` to `| jq .` in the code block
containing the POST to
"https://tenant3.talos.example.com/v2alpha1/admin/issuedApiKeys" (the snippet
that posts '{"name":"smoketest","actor_id":"system"}') so the example uses an
explicit jq filter and matches the docs' JSON-command convention.
In `@docs/talos/operate/secrets.md`:
- Around line 96-101: The shell snippet used to generate secrets.hmac.current
can yield fewer than 64 characters after stripping '+/='; replace the current
command (`openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64`) with a
deterministic fixed-length generator such as `openssl rand -hex 32` (which
produces exactly 64 hex characters) and update the docs text to recommend using
this deterministic 64-char generator for secrets.hmac.current so the length
guarantee is upheld.
In `@docs/talos/reference/api.json`:
- Around line 765-766: The sample Go snippets call a non-existent accessor
GetIsActive() even though the response field is is_valid; update the samples
(e.g., in the batchVerifyAPIKeys function and the verify-key example) to use the
generated accessor for is_valid (GetIsValid()) instead of GetIsActive(),
ensuring all occurrences in functions like batchVerifyAPIKeys and the verify-key
sample are replaced so the examples match the schema and compile.
- Around line 953-974: The Go sample for operationId adminImportApiKey
incorrectly assumes the 200 response is wrapped (calls
resp.GetImportedApiKey().GetKeyId()), but the OpenAPI 200 schema references the
flat components.schemas.ImportedApiKey which exposes key_id at the top level;
fix by changing the Go x-codeSample to access the flat response (e.g.
resp.GetKeyId()) or alternatively update the 200 response schema to a wrapper
object containing an imported_api_key field (and adjust
components.schemas.ImportedApiKey usage), ensuring the sample and the schema
both reference the same shape; search for resp.GetImportedApiKey(), GetKeyId(),
operationId adminImportApiKey, and the ImportedApiKey schema to make the change.
In `@docs/talos/reference/api/admin-delete-imported-api-key.StatusCodes.json`:
- Line 1: The 204 response currently includes a "content" payload which is
incorrect for a No Content response; update the "responses" object so that the
"204" entry contains only the "description" (e.g., "Imported key deleted
successfully.") and remove the entire "content" block under the "204" key in the
JSON (leave other responses like "200" and "default" unchanged).
In `@docs/talos/reference/api/admin-revoke-imported-api-key.StatusCodes.json`:
- Line 1: Remove the body/content definition for the 204 response in the JSON
responses object: locate the "responses.204" entry (in
admin-revoke-imported-api-key.StatusCodes.json) and delete the "content": {
"application/json": { "schema": {} } } so the 204 entry only has the description
"API key revoked successfully." and no payload definition.
In `@docs/talos/reference/api/admin-rotate-issued-api-key.StatusCodes.json`:
- Line 1: The API spec defines a 200 response with RotateIssuedApiKeyResponse
but also a 201 with an empty schema causing inconsistent success contracts;
update the responses in the responses object so success is consistent by either
removing the 201 entry if the server never returns 201, or by assigning the same
RotateIssuedApiKeyResponse schema to the 201 response (i.e., make 201
content.application/json.schema equal to the existing RotateIssuedApiKeyResponse
used for 200) and ensure the description matches ("API key rotated
successfully").
In `@docs/talos/reference/api/revoke-api-key.RequestSchema.json`:
- Line 1: The schema SelfRevokeApiKeyRequest currently sets reason.default to
REVOCATION_REASON_UNSPECIFIED while the schema text says that UNSPECIFIED is
rejected; remove the contradictory default (i.e., delete the "default" entry
under the "reason" property) or replace it with a valid, accepted enum value
(e.g., REVOCATION_REASON_KEY_COMPROMISE) so generated clients/forms do not send
an invalid default; update the "reason" property in the JSON schema accordingly.
In `@docs/talos/reference/cli/talos-migrate-down.md`:
- Line 28: Replace the plain-text reference "See:
docs/operate/database/migrations.md" with a relative Markdown link to the
migrations doc; update the line to use link text and a relative path (for
example: See: [database migrations](../../operate/database/migrations.md)) so it
includes the .md extension and conforms to the docs link format requirement.
In `@docs/talos/reference/cli/talos-migrate-up.md`:
- Around line 21-26: The docs conflict about which env vars are considered for
DB DSN: update the inherited command help (the generator/source command help
text that mentions TALOS_-prefixed env vars) to match the migration page
precedence by explicitly including DB_DSN and DSN as accepted variables, or
alternatively update the migration page to reflect only TALOS_-prefixed vars;
locate the help text that references TALOS_ env vars (the generator/source
command help) and change it to state the same resolution order used by the
migrate-up documentation: --database flag, DB_DSN, DSN, then --config's "db.dsn"
key, ensuring both synopsis and inherited help use identical wording.
In `@docs/talos/reference/cli/talos-proxy.md`:
- Around line 31-32: Replace the plain-text "See also:
docs/operate/deploy/edge-proxy.mdx" with a proper relative markdown link that
includes the file extension (e.g., "../../operate/deploy/edge-proxy.mdx") so the
"See also" line becomes a clickable MDX link; update the line containing "See
also: docs/operate/deploy/edge-proxy.mdx" accordingly to follow the guideline
that all links must be relative links to markdown/mdx files with extensions.
In `@docs/talos/reference/events.md`:
- Around line 61-68: Update the stale event constant names in the metadata
bullets to the canonical constants used in the event table: replace
EventTokenDerived with EventAPIKeyDerivedToken for `algorithm` and `ttl`;
replace EventAPIKeyRotated with the issued/import-specific rotate constants
(e.g., EventAPIKeyRotatedIssued and EventAPIKeyRotatedImported) for `old_key_id`
and `old_expires_at`; and replace EventAPIKeyRevoked with the
issued/import-specific revoke constants (e.g., EventAPIKeyRevokedIssued and
EventAPIKeyRevokedImported) for `initiated_by`; leave EventAPIKeyImportFailed
and EventAPIKeyVerificationFailed as-is.
| binary | ||
| 2. **[Configure](configure.md)** — set up the config file, environment variables, and secrets | ||
| 3. **[Database](database/index.md)** — choose and configure a database backend | ||
| 4. **[Deploy](deploy/index.md)** — run Talos with Docker, Kubernetes, or as a systemd service |
Align deploy options with the current Deploy page.
Line 14 still says “Docker, Kubernetes, or as a systemd service,” but the updated deploy docs in this PR describe Docker/binary deployment paths. Please update this sentence to avoid a broken expectation in the main onboarding flow.
| ```shell | ||
| curl -sf -X POST "https://tenant3.talos.example.com/v2alpha1/admin/issuedApiKeys" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d '{"name":"smoketest","actor_id":"system"}' | jq | ||
| ``` |
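Review bot: on the `curl -sf` line, combining `-s` with `-f` means an HTTP error response produces no output at all, so a failed smoke test prints nothing and `jq` only sees empty input. Add `-S` (`curl -sSf`) so the failure is reported, and note that the pipeline's exit status is `jq`'s rather than `curl`'s unless `pipefail` is set.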
Use explicit jq filter in the curl example.
Please change `| jq` to `| jq .` to match the docs JSON-command convention and avoid ambiguous jq behavior in examples.
As per coding guidelines: “Use jq instead of python3 for all JSON operations in code examples: prefer `| jq .` …”.
| ```shell | ||
| openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64 | ||
| ``` | ||
|
|
||
| This emits a 64-character URL-safe value suitable for either secret family. | ||
| This emits a URL-safe value of up to 64 characters. Stripping the `+`, `/`, and `=` characters can | ||
| leave fewer than 64; the result always stays well above the 32-char minimum. |
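Review bot: in the `openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64` line, `cut -c1-64` never truncates anything, because 48 random bytes encode to exactly 64 base64 characters with no `=` padding, so the output after `tr` is 64 characters minus however many `+` and `/` were drawn. The sentence "the result always stays well above the 32-char minimum" therefore describes a probability, not a bound; either reword it or switch to a generator whose length is fixed by construction.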
Use a deterministic 64-char generator for secrets.hmac.current.
The current command can produce shorter-than-expected output after character stripping, so the “always well above 32” claim is not guaranteed. Prefer a fixed-length generator.
Suggested doc update
- openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64
+openssl rand -hex 32📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| ```shell | |
| openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64 | |
| ``` | |
| This emits a 64-character URL-safe value suitable for either secret family. | |
| This emits a URL-safe value of up to 64 characters. Stripping the `+`, `/`, and `=` characters can | |
| leave fewer than 64; the result always stays well above the 32-char minimum. |
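The length behaviour discussed in the comment above, modelled in Python as an added example (not part of the PR, the Talos docs, or CodeRabbit's output). Function names are assumptions made for illustration, and the byte strings passed in are constructed inputs.

```python
import base64
import secrets
import string
from math import comb

# Characters removed by: tr -d '\n+/='
STRIPPED = b"\n+/="


def stripped_base64(raw: bytes) -> str:
    """Model of `openssl rand -base64 48 | tr -d '\\n+/=' | cut -c1-64`
    applied to the given bytes instead of fresh random ones."""
    encoded = base64.b64encode(raw)
    kept = bytes(c for c in encoded if c not in STRIPPED)
    return kept[:64].decode("ascii")


def length_distribution(chars: int = 64, removed: int = 2, alphabet: int = 64) -> dict:
    """Exact probability of each output length.

    48 random bytes are 64 independent, uniform 6-bit symbols, so the number
    of '+' and '/' characters is Binomial(64, 2/64).
    """
    p = removed / alphabet
    return {
        chars - k: comb(chars, k) * p**k * (1 - p) ** (chars - k)
        for k in range(chars + 1)
    }


def fixed_length_secret(nbytes: int = 32) -> str:
    """Equivalent of `openssl rand -hex 32`: always 2 * nbytes hex characters."""
    return secrets.token_hex(nbytes)


def is_exact_hex(value: str, length: int = 64) -> bool:
    """Check a deployment can run before accepting a generated secret."""
    return len(value) == length and all(c in string.hexdigits for c in value)


if __name__ == "__main__":
    dist = length_distribution()
    print("P(output is exactly 64 chars):", round(dist[64], 4))
    print("P(output shorter than 32 chars):", sum(v for n, v in dist.items() if n < 32))
    # Constructed worst case: 48 bytes of 0xFF encode to 64 '/' characters.
    print("worst-case length:", len(stripped_base64(b"\xff" * 48)))
    print("hex generator length:", len(fixed_length_secret()))
```

Only about 13% of runs of the stripped base64 pipeline return a full 64 characters; the hex generator returns 64 every time, carrying 256 bits of randomness.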
| "x-originalParamName": "body" | ||
| } | ||
| } | ||
| {"title":"Body","body":{"content":{"application/json":{"schema":{"description":"SelfRevokeApiKeyRequest allows an API key holder to revoke their own key\nby providing the full key secret as proof of possession.","properties":{"credential":{"title":"Full API key secret or imported key (REQUIRED)","type":"string"},"reason":{"default":"REVOCATION_REASON_UNSPECIFIED","description":"RevocationReason provides structured revocation reasons inspired by RFC 5280.\nUsed in both admin and self-revocation flows.\n\n - REVOCATION_REASON_UNSPECIFIED: Default zero value. Use a specific reason; UNSPECIFIED is rejected by\nadmin and self-revocation endpoints.\n - REVOCATION_REASON_KEY_COMPROMISE: The key was leaked or believed to be in the hands of an unauthorized\nparty.\n - REVOCATION_REASON_AFFILIATION_CHANGED: The owning actor's relationship with the issuer changed (e.g., role\nchange, departure).\n - REVOCATION_REASON_SUPERSEDED: A new key has replaced this one as part of a rotation.\n - REVOCATION_REASON_PRIVILEGE_WITHDRAWN: Admin-only. The actor's privilege to use this key was withdrawn by\nan operator. Self-revocation requests using this reason are rejected\nwith InvalidArgument. Pair with `description` on the admin revoke requests\nto record the operator-supplied justification.","enum":["REVOCATION_REASON_UNSPECIFIED","REVOCATION_REASON_KEY_COMPROMISE","REVOCATION_REASON_AFFILIATION_CHANGED","REVOCATION_REASON_SUPERSEDED","REVOCATION_REASON_PRIVILEGE_WITHDRAWN"],"type":"string","title":"RevocationReason"}},"type":"object","title":"SelfRevokeApiKeyRequest"}}},"description":"SelfRevokeApiKeyRequest allows an API key holder to revoke their own key\nby providing the full key secret as proof of possession.","required":true,"x-originalParamName":"body"}} No newline at end of file |
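Review bot: in the `reason` enum of `SelfRevokeApiKeyRequest`, `REVOCATION_REASON_PRIVILEGE_WITHDRAWN` is still offered even though its own description says self-revocation requests using it are rejected with InvalidArgument, so generated clients for this endpoint will present a value the server refuses. In the same schema, `credential` is titled "(REQUIRED)" but the object has no `required` array naming it. Since this file is generated, both are best fixed in the source spec, either with a self-revocation-specific enum or with a clear note in the rendered reference.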
Remove the contradictory default for reason.
Line 1 sets reason.default to REVOCATION_REASON_UNSPECIFIED, but the same schema says this value is rejected. This creates an inconsistent request contract and can cause generated clients/forms to send invalid payloads by default.
Suggested fix
- "reason":{"default":"REVOCATION_REASON_UNSPECIFIED","description":"RevocationReason provides structured revocation reasons inspired by RFC 5280....
+ "reason":{"description":"RevocationReason provides structured revocation reasons inspired by RFC 5280....📝 Committable suggestion
| {"title":"Body","body":{"content":{"application/json":{"schema":{"description":"SelfRevokeApiKeyRequest allows an API key holder to revoke their own key\nby providing the full key secret as proof of possession.","properties":{"credential":{"title":"Full API key secret or imported key (REQUIRED)","type":"string"},"reason":{"default":"REVOCATION_REASON_UNSPECIFIED","description":"RevocationReason provides structured revocation reasons inspired by RFC 5280.\nUsed in both admin and self-revocation flows.\n\n - REVOCATION_REASON_UNSPECIFIED: Default zero value. Use a specific reason; UNSPECIFIED is rejected by\nadmin and self-revocation endpoints.\n - REVOCATION_REASON_KEY_COMPROMISE: The key was leaked or believed to be in the hands of an unauthorized\nparty.\n - REVOCATION_REASON_AFFILIATION_CHANGED: The owning actor's relationship with the issuer changed (e.g., role\nchange, departure).\n - REVOCATION_REASON_SUPERSEDED: A new key has replaced this one as part of a rotation.\n - REVOCATION_REASON_PRIVILEGE_WITHDRAWN: Admin-only. The actor's privilege to use this key was withdrawn by\nan operator. Self-revocation requests using this reason are rejected\nwith InvalidArgument. Pair with `description` on the admin revoke requests\nto record the operator-supplied justification.","enum":["REVOCATION_REASON_UNSPECIFIED","REVOCATION_REASON_KEY_COMPROMISE","REVOCATION_REASON_AFFILIATION_CHANGED","REVOCATION_REASON_SUPERSEDED","REVOCATION_REASON_PRIVILEGE_WITHDRAWN"],"type":"string","title":"RevocationReason"}},"type":"object","title":"SelfRevokeApiKeyRequest"}}},"description":"SelfRevokeApiKeyRequest allows an API key holder to revoke their own key\nby providing the full key secret as proof of possession.","required":true,"x-originalParamName":"body"}} | |
| {"title":"Body","body":{"content":{"application/json":{"schema":{"description":"SelfRevokeApiKeyRequest allows an API key holder to revoke their own key\nby providing the full key secret as proof of possession.","properties":{"credential":{"title":"Full API key secret or imported key (REQUIRED)","type":"string"},"reason":{"description":"RevocationReason provides structured revocation reasons inspired by RFC 5280.\nUsed in both admin and self-revocation flows.\n\n - REVOCATION_REASON_UNSPECIFIED: Default zero value. Use a specific reason; UNSPECIFIED is rejected by\nadmin and self-revocation endpoints.\n - REVOCATION_REASON_KEY_COMPROMISE: The key was leaked or believed to be in the hands of an unauthorized\nparty.\n - REVOCATION_REASON_AFFILIATION_CHANGED: The owning actor's relationship with the issuer changed (e.g., role\nchange, departure).\n - REVOCATION_REASON_SUPERSEDED: A new key has replaced this one as part of a rotation.\n - REVOCATION_REASON_PRIVILEGE_WITHDRAWN: Admin-only. The actor's privilege to use this key was withdrawn by\nan operator. Self-revocation requests using this reason are rejected\nwith InvalidArgument. Pair with `description` on the admin revoke requests\nto record the operator-supplied justification.","enum":["REVOCATION_REASON_UNSPECIFIED","REVOCATION_REASON_KEY_COMPROMISE","REVOCATION_REASON_AFFILIATION_CHANGED","REVOCATION_REASON_SUPERSEDED","REVOCATION_REASON_PRIVILEGE_WITHDRAWN"],"type":"string","title":"RevocationReason"}},"type":"object","title":"SelfRevokeApiKeyRequest"}}},"description":"SelfRevokeApiKeyRequest allows an API key holder to revoke their own key\nby providing the full key secret as proof of possession.","required":true,"x-originalParamName":"body"}} |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/talos/reference/api/revoke-api-key.RequestSchema.json` at line 1, The
schema SelfRevokeApiKeyRequest currently sets reason.default to
REVOCATION_REASON_UNSPECIFIED while the schema text says that UNSPECIFIED is
rejected; remove the contradictory default (i.e., delete the "default" entry
under the "reason" property) or replace it with a valid, accepted enum value
(e.g., REVOCATION_REASON_KEY_COMPROMISE) so generated clients/forms do not send
an invalid default; update the "reason" property in the JSON schema accordingly.
| traffic to the previous version, and prefer rolling forward with a corrective migration over rolling | ||
| back. | ||
|
|
||
| See: docs/operate/database/migrations.md |
Convert the “See” reference to a proper relative markdown link.
See: docs/operate/database/migrations.md is plain text and does not satisfy the docs link format requirement. Use a relative markdown link from this file, e.g. See: [database migrations](../../operate/database/migrations.md).
As per coding guidelines: “All links must be relative links to markdown/mdx files with the file extension. Never use absolute links (starting with /) or links without a file extension.”
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/talos/reference/cli/talos-migrate-down.md` at line 28, Replace the
plain-text reference "See: docs/operate/database/migrations.md" with a relative
Markdown link to the migrations doc; update the line to use link text and a
relative path (for example: See: [database
migrations](../../operate/database/migrations.md)) so it includes the .md
extension and conforms to the docs link format requirement.
| The database connection string is resolved in this order (first match wins): | ||
|
|
||
| - DB_DSN environment variable | ||
| - --database flag (overrides DB_DSN) | ||
| 1. --database flag | ||
| 2. DB_DSN environment variable | ||
| 3. DSN environment variable | ||
| 4. --config file's "db.dsn" key |
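Review bot: With `--database` now ranked first in the resolution order, this page should say how a connection string that embeds a password ought to be supplied. A value passed as a flag ends up in shell history and stays visible in the process list while the migration runs, so a sentence steering operators to `DB_DSN` or the `db.dsn` config key for anything beyond local use would fit right after item 4.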
Resolve contradictory env-var behavior between synopsis and inherited --config help.
This page says DSN resolution includes DB_DSN/DSN (Lines 24-25), but inherited help says that without config only TALOS_-prefixed env vars apply (Line 62). These statements conflict and can cause wrong operator expectations during migrations. Please align the inherited text (likely at generator/source command help) with the documented DSN precedence.
Also applies to: 62-62
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/talos/reference/cli/talos-migrate-up.md` around lines 21 - 26, The docs
conflict about which env vars are considered for DB DSN: update the inherited
command help (the generator/source command help text that mentions
TALOS_-prefixed env vars) to match the migration page precedence by explicitly
including DB_DSN and DSN as accepted variables, or alternatively update the
migration page to reflect only TALOS_-prefixed vars; locate the help text that
references TALOS_ env vars (the generator/source command help) and change it to
state the same resolution order used by the migrate-up documentation: --database
flag, DB_DSN, DSN, then --config's "db.dsn" key, ensuring both synopsis and
inherited help use identical wording.
| See also: docs/operate/deploy/edge-proxy.mdx for deployment topology, sidecar patterns, multi-tenant | ||
| safety, and upstream sizing guidance. |
Fix malformed “See also” link to use a proper relative markdown link.
This is plain text and likely resolves incorrectly from docs/talos/reference/cli/. Convert it to a relative markdown link with extension (for example, ../../operate/deploy/edge-proxy.mdx).
As per coding guidelines: "All links must be relative links to markdown/mdx files with the file extension."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/talos/reference/cli/talos-proxy.md` around lines 31 - 32, Replace the
plain-text "See also: docs/operate/deploy/edge-proxy.mdx" with a proper relative
markdown link that includes the file extension (e.g.,
"../../operate/deploy/edge-proxy.mdx") so the "See also" line becomes a
clickable MDX link; update the line containing "See also:
docs/operate/deploy/edge-proxy.mdx" accordingly to follow the guideline that all
links must be relative links to markdown/mdx files with extensions.
| - `algorithm` — Signing algorithm of a derived token (`EventTokenDerived`, e.g., `RS256`, `HS256`). | ||
| - `ttl` — Requested token lifetime in seconds (`EventTokenDerived`). | ||
| - `old_key_id` — ID of the previous key during rotation (`EventAPIKeyRotated`). | ||
| - `old_expires_at` — Previous expiry, RFC-3339 (`EventAPIKeyRotated`, only if the previous key had one). | ||
| - `index` — Zero-based row index of the failed entry (`EventAPIKeyImportFailed`). | ||
| - `error_code` — Stable error code for the failure (`EventAPIKeyImportFailed`). | ||
| - `credential_type` — Credential class that failed verification (`EventAPIKeyVerificationFailed`; e.g., `issued`, `imported`, `derived_jwt`, `derived_macaroon`). | ||
| - `initiated_by` — Set to `self` when self-revoke produced the event (`EventAPIKeyRevoked`). |
Align metadata bullet event names with the event constants documented above.
This section references stale/ambiguous constants (EventTokenDerived, EventAPIKeyRotated, EventAPIKeyRevoked) that don’t match the event table (EventAPIKeyDerivedToken, issued/imported-specific rotate/revoke events). Please normalize names to the canonical constants used in this page.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/talos/reference/events.md` around lines 61 - 68, Update the stale event
constant names in the metadata bullets to the canonical constants used in the
event table: replace EventTokenDerived with EventAPIKeyDerivedToken for
`algorithm` and `ttl`; replace EventAPIKeyRotated with the
issued/import-specific rotate constants (e.g., EventAPIKeyRotatedIssued and
EventAPIKeyRotatedImported) for `old_key_id` and `old_expires_at`; and replace
EventAPIKeyRevoked with the issued/import-specific revoke constants (e.g.,
EventAPIKeyRevokedIssued and EventAPIKeyRevokedImported) for `initiated_by`;
leave EventAPIKeyImportFailed and EventAPIKeyVerificationFailed as-is.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/talos/reference/api/admin-import-api-key.RequestSchema.json`:
- Line 7: Replace the production-looking example API key in the "description"
example (the raw_key value) with a clearly synthetic placeholder to avoid
triggering secret scanners—update the string "sk_live_abc123xyz789" to a
non-live, obviously fake pattern (e.g., "sk_example_abc123" or
"api_key_example_000") wherever it appears in the ImportApiKeyRequest example in
docs/talos/reference/api/admin-import-api-key.RequestSchema.json (also update
the other occurrence mentioned at the same file) so examples remain illustrative
but not production-like.
In `@docs/talos/reference/api/admin-revoke-issued-api-key.StatusCodes.json`:
- Around line 7-9: Remove the advertised JSON response body for the "204" status
object in the admin-revoke-issued-api-key.StatusCodes.json contract: delete the
content -> application/json -> schema entry (or remove the entire content field)
from the "204" object so the 204 No Content response no longer declares a JSON
payload.
In `@docs/talos/reference/api/admin-verify-api-key.StatusCodes.json`:
- Line 77: The KeyStatus description mentions "See revocation_reason for the
cause" but VerifyApiKeyResponse does not have a revocation_reason field; update
the KeyStatus description to remove or replace that dangling reference (edit the
description string near "KeyStatus represents the lifecycle state of an API key"
so that KEY_STATUS_REVOKED no longer points to revocation_reason), optionally
referencing whichever existing field conveys revocation detail in
VerifyApiKeyResponse if one exists.
In `@docs/talos/reference/api/get-jwks.StatusCodes.json`:
- Around line 8-11: The jwks schema is currently an unstructured object; update
the schema for the "jwks" property to explicitly require a top-level "keys"
array: set "type":"object", add "required":["keys"], and add "properties": {
"keys": { "type":"array", "items": { "type":"object", "required":["kty","kid"],
"properties": { "kty": {"type":"string"}, "kid": {"type":"string"} },
"additionalProperties": true, "description":"JWK object with key-type-specific
fields (e.g., 'n'/'e' for RSA, 'x'/'crv' for OKP)" } } } so generators/clients
know jwks.keys is an array of JWK objects.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 9ce3fe1b-e00a-4336-a968-146641007636
⛔ Files ignored due to path filters (33)
📒 Files selected for processing (104)
✅ Files skipped from review due to trivial changes (52)
🚧 Files skipped from review as they are similar to previous changes (30)
| "application/json": { | ||
| "schema": { | ||
| "description": "Example:\n {\n \"raw_key\": \"sk_live_abc123xyz789\",\n \"name\": \"Stripe Production Key\",\n \"actor_id\": \"payment-processor\",\n \"scopes\": [\"read\", \"write\"],\n \"ttl\": \"8760h\", // 1 year (also accepts: 31536000s)\n \"metadata\": {\"source\": \"stripe\", \"environment\": \"production\"}\n }", | ||
| "description": "ImportApiKeyRequest imports an external API key. The raw key is hashed with\nSHA-512/256 (over network_id + 0x00 + raw key) and only the hash is stored.\n\nExample:\n {\n \"raw_key\": \"sk_live_abc123xyz789\",\n \"name\": \"Stripe Production Key\",\n \"actor_id\": \"payment-processor\",\n \"scopes\": [\"read\", \"write\"],\n \"ttl\": \"8760h\", // 1 year (also accepts: 31536000s)\n \"metadata\": {\"source\": \"stripe\", \"environment\": \"production\"}\n }", |
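Review bot: The example embedded in this `description` is not valid JSON: the `\"ttl\": \"8760h\", // 1 year (also accepts: 31536000s)` line carries a `//` comment, so a reader who copies the block into a request body gets a parse error. Move the TTL remark into the prose above the example. The added sentence gives the hash input as `network_id + 0x00 + raw key`; it should also say how `network_id` is encoded, so that an operator auditing imported keys can reproduce the stored hash.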
Replace live-looking Stripe key examples with clearly synthetic placeholders.
Using sk_live_... in docs can trip secret scanners and looks production-like. Use a non-live, clearly fake pattern.
Suggested patch
- "description": "ImportApiKeyRequest imports an external API key. The raw key is hashed with\nSHA-512/256 (over network_id + 0x00 + raw key) and only the hash is stored.\n\nExample:\n {\n \"raw_key\": \"sk_live_abc123xyz789\",\n \"name\": \"Stripe Production Key\",\n \"actor_id\": \"payment-processor\",\n \"scopes\": [\"read\", \"write\"],\n \"ttl\": \"8760h\", // 1 year (also accepts: 31536000s)\n \"metadata\": {\"source\": \"stripe\", \"environment\": \"production\"}\n }",
+ "description": "ImportApiKeyRequest imports an external API key. The raw key is hashed with\nSHA-512/256 (over network_id + 0x00 + raw key) and only the hash is stored.\n\nExample:\n {\n \"raw_key\": \"sk_example_abc123xyz789\",\n \"name\": \"Stripe Production Key\",\n \"actor_id\": \"payment-processor\",\n \"scopes\": [\"read\", \"write\"],\n \"ttl\": \"8760h\", // 1 year (also accepts: 31536000s)\n \"metadata\": {\"source\": \"stripe\", \"environment\": \"production\"}\n }",
@@
- "description": "ImportApiKeyRequest imports an external API key. The raw key is hashed with\nSHA-512/256 (over network_id + 0x00 + raw key) and only the hash is stored.\n\nExample:\n {\n \"raw_key\": \"sk_live_abc123xyz789\",\n \"name\": \"Stripe Production Key\",\n \"actor_id\": \"payment-processor\",\n \"scopes\": [\"read\", \"write\"],\n \"ttl\": \"8760h\", // 1 year (also accepts: 31536000s)\n \"metadata\": {\"source\": \"stripe\", \"environment\": \"production\"}\n }",
+ "description": "ImportApiKeyRequest imports an external API key. The raw key is hashed with\nSHA-512/256 (over network_id + 0x00 + raw key) and only the hash is stored.\n\nExample:\n {\n \"raw_key\": \"sk_example_abc123xyz789\",\n \"name\": \"Stripe Production Key\",\n \"actor_id\": \"payment-processor\",\n \"scopes\": [\"read\", \"write\"],\n \"ttl\": \"8760h\", // 1 year (also accepts: 31536000s)\n \"metadata\": {\"source\": \"stripe\", \"environment\": \"production\"}\n }",
Also applies to: 87-87
🧰 Tools
🪛 Betterleaks (1.3.1)
[high] 7-7: Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
(stripe-access-token)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/talos/reference/api/admin-import-api-key.RequestSchema.json` at line 7,
Replace the production-looking example API key in the "description" example (the
raw_key value) with a clearly synthetic placeholder to avoid triggering secret
scanners—update the string "sk_live_abc123xyz789" to a non-live, obviously fake
pattern (e.g., "sk_example_abc123" or "api_key_example_000") wherever it appears
in the ImportApiKeyRequest example in
docs/talos/reference/api/admin-import-api-key.RequestSchema.json (also update
the other occurrence mentioned at the same file) so examples remain illustrative
but not production-like.
| "204": { | ||
| "content": { "application/json": { "schema": {} } }, | ||
| "description": "API key revoked successfully." |
Remove response body schema from the 204 contract.
204 No Content should not advertise JSON payload content; keeping it can produce clients that try to deserialize a body that won’t exist.
Suggested patch
"204": {
- "content": { "application/json": { "schema": {} } },
"description": "API key revoked successfully."
},
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/talos/reference/api/admin-revoke-issued-api-key.StatusCodes.json` around
lines 7 - 9, Remove the advertised JSON response body for the "204" status
object in the admin-revoke-issued-api-key.StatusCodes.json contract: delete the
content -> application/json -> schema entry (or remove the entire content field)
from the "204" object so the 204 No Content response no longer declares a JSON
payload.
| "scopes": { "items": { "type": "string" }, "type": "array" }, | ||
| "status": { | ||
| "default": "KEY_STATUS_UNSPECIFIED", | ||
| "description": "KeyStatus represents the lifecycle state of an API key.\n\n - KEY_STATUS_UNSPECIFIED: Default zero value. Never returned by the server. Treated as ACTIVE for\nbackward compatibility but should not be relied on.\n - KEY_STATUS_ACTIVE: The key is valid and can be used to authenticate.\n - KEY_STATUS_REVOKED: The key was revoked. Verification fails with VERIFICATION_ERROR_REVOKED.\nSee revocation_reason for the cause.\n - KEY_STATUS_EXPIRED: The key passed its expire_time. Verification fails with\nVERIFICATION_ERROR_EXPIRED. The transition is computed at read time and\nnot persisted.", |
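Review bot: `"default": "KEY_STATUS_UNSPECIFIED"` on this response field conflicts with the description's own "Never returned by the server", and together with "Treated as ACTIVE for backward compatibility" it invites fail-open clients: a generated model that fills in the default when `status` is absent would read as an active key. Drop the default from the schema, and reword the compatibility sentence so consumers treat an unspecified status as a verification failure.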
Remove dangling reference to revocation_reason in status docs.
Line 77 says “See revocation_reason for the cause,” but VerifyApiKeyResponse has no revocation_reason field. This is a broken schema hint for API consumers.
Suggested fix
- "description": "KeyStatus represents the lifecycle state of an API key.\n\n - KEY_STATUS_UNSPECIFIED: Default zero value. Never returned by the server. Treated as ACTIVE for\nbackward compatibility but should not be relied on.\n - KEY_STATUS_ACTIVE: The key is valid and can be used to authenticate.\n - KEY_STATUS_REVOKED: The key was revoked. Verification fails with VERIFICATION_ERROR_REVOKED.\nSee revocation_reason for the cause.\n - KEY_STATUS_EXPIRED: The key passed its expire_time. Verification fails with\nVERIFICATION_ERROR_EXPIRED. The transition is computed at read time and\nnot persisted.",
+ "description": "KeyStatus represents the lifecycle state of an API key.\n\n - KEY_STATUS_UNSPECIFIED: Default zero value. Never returned by the server. Treated as ACTIVE for\nbackward compatibility but should not be relied on.\n - KEY_STATUS_ACTIVE: The key is valid and can be used to authenticate.\n - KEY_STATUS_REVOKED: The key was revoked. Verification fails with VERIFICATION_ERROR_REVOKED.\nUse error_code to inspect the concrete verification failure reason.\n - KEY_STATUS_EXPIRED: The key passed its expire_time. Verification fails with\nVERIFICATION_ERROR_EXPIRED. The transition is computed at read time and\nnot persisted.",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/talos/reference/api/admin-verify-api-key.StatusCodes.json` at line 77,
The KeyStatus description mentions "See revocation_reason for the cause" but
VerifyApiKeyResponse does not have a revocation_reason field; update the
KeyStatus description to remove or replace that dangling reference (edit the
description string near "KeyStatus represents the lifecycle state of an API key"
so that KEY_STATUS_REVOKED no longer points to revocation_reason), optionally
referencing whichever existing field conveys revocation detail in
VerifyApiKeyResponse if one exists.
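Review bot: the replacement sentence for KEY_STATUS_REVOKED points readers at `error_code`, but nothing in the visible lines shows that VerifyApiKeyResponse defines a field of that name, and the agent prompt itself only asks for a reference to an existing field "if one exists". Confirm the field name against the response schema before committing, otherwise this swaps one dangling reference for another; if no such field exists, end the entry at "Verification fails with VERIFICATION_ERROR_REVOKED." Because the PR description says the API reference is regenerated from `reference/api.json`, apply the wording change in the source spec rather than in this generated file.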
| "jwks": { | ||
| "description": "jwks is a JSON Web Key Set (RFC 7517). Always contains a single top-level\nfield \"keys\" whose value is an array of JWK objects. Each JWK has at\nminimum a \"kty\" (key type), \"kid\" (key ID), and key-type-specific\nmaterial (e.g., \"x\" and \"crv\" for OKP/Ed25519, \"n\" and \"e\" for RSA).", | ||
| "type": "object" | ||
| } |
Define jwks.keys explicitly instead of a free-form object.
The description guarantees a top-level keys array, but the schema currently exposes jwks as an unstructured object. This under-specifies the response contract for generators and clients.
Suggested fix
"jwks": {
"description": "jwks is a JSON Web Key Set (RFC 7517). Always contains a single top-level\nfield \"keys\" whose value is an array of JWK objects. Each JWK has at\nminimum a \"kty\" (key type), \"kid\" (key ID), and key-type-specific\nmaterial (e.g., \"x\" and \"crv\" for OKP/Ed25519, \"n\" and \"e\" for RSA).",
- "type": "object"
+ "type": "object",
+ "properties": {
+ "keys": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": true
+ }
+ }
+ },
+ "required": ["keys"]
}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/talos/reference/api/get-jwks.StatusCodes.json` around lines 8 - 11, The
jwks schema is currently an unstructured object; update the schema for the
"jwks" property to explicitly require a top-level "keys" array: set
"type":"object", add "required":["keys"], and add "properties": { "keys": {
"type":"array", "items": { "type":"object", "required":["kty","kid"],
"properties": { "kty": {"type":"string"}, "kid": {"type":"string"} },
"additionalProperties": true, "description":"JWK object with key-type-specific
fields (e.g., 'n'/'e' for RSA, 'x'/'crv' for OKP)" } } } so generators/clients
know jwks.keys is an array of JWK objects.
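Review bot: the `items` schema under `keys` in the suggested fix accepts any object, so a JWK without `kty` or `kid` still validates even though the description promises both as a minimum. Add `"required": ["kty", "kid"]` and string-typed `kty` and `kid` properties to `items`, as the agent prompt under the diff already spells out, so the diff and the prompt agree. Because the PR description says the API reference is regenerated from `reference/api.json`, make the change in the source spec, or it is lost on the next regeneration.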
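A consumer-side check of the JWKS shape that the description above promises but a free-form `object` schema does not enforce, as an added example that is not part of this PR or of Ory Talos. `check_jwks` and the sample key set are hypothetical; the per-type member lists come from RFC 7518 (RSA) and RFC 8037 (OKP).

```python
import json

# Public members each key type must carry (RFC 7518 for RSA, RFC 8037 for OKP).
REQUIRED_BY_KTY = {"RSA": ("n", "e"), "OKP": ("crv", "x")}
# Private or symmetric key material that must never appear in a published set.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}


def check_jwks(doc):
    """Return a list of problems in a parsed JWKS document; empty means OK."""
    if not isinstance(doc, dict) or not isinstance(doc.get("keys"), list):
        return ["top-level 'keys' array is missing"]
    problems, seen_kids = [], set()
    for i, jwk in enumerate(doc["keys"]):
        if not isinstance(jwk, dict):
            problems.append(f"keys[{i}]: not an object")
            continue
        kty, kid = jwk.get("kty"), jwk.get("kid")
        if not isinstance(kty, str) or not kty:
            problems.append(f"keys[{i}]: missing or non-string 'kty'")
            kty = None
        if not isinstance(kid, str) or not kid:
            problems.append(f"keys[{i}]: missing or non-string 'kid'")
        elif kid in seen_kids:
            # A repeated kid makes key selection by kid ambiguous.
            problems.append(f"keys[{i}]: duplicate kid '{kid}'")
        else:
            seen_kids.add(kid)
        for member in REQUIRED_BY_KTY.get(kty, ()):
            if member not in jwk:
                problems.append(f"keys[{i}]: {kty} key missing '{member}'")
        for member in sorted(jwk.keys() & PRIVATE_MEMBERS):
            problems.append(f"keys[{i}]: private member '{member}' present")
    return problems


# Constructed sample: one well-formed key, then two malformed ones.
SAMPLE = json.loads("""
{"keys": [
  {"kty": "OKP", "crv": "Ed25519", "kid": "k1", "x": "AAAA"},
  {"kty": "RSA", "kid": "k1", "n": "AAAA"},
  {"kty": "OKP", "crv": "Ed25519", "x": "AAAA", "d": "BBBB"}
]}
""")

if __name__ == "__main__":
    for problem in check_jwks(SAMPLE):
        print(problem)
```

An empty object passes the current `"type": "object"` schema but is rejected here, which is the gap the review comment describes.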
vinckr left a comment
- all files should be .mdx right?
- since when do we use `description` in the frontmatter?
Both answered from repo conventions: 1. No — not everything should be
Replaces the public Ory Talos documentation with the updated upstream content, switching to cleaner path-based page IDs across concepts, integrate, operate, quickstart, and reference (renaming the quickstarts to `open-source`/`docker-commercial`, adding `deploy/deployment-modes` and `security/admin-protection`, converting `architecture` and `edge-proxy` to MDX, and dropping `token-derivation-security`, `kubernetes`, and `separate-planes`). The API reference is regenerated from the new OpenAPI v3 spec (`reference/api.json`), adding the `ApiKeys` group and methods like `admin-revoke-issued-api-key`, `admin-revoke-imported-api-key`, `admin-batch-create-imported-api-keys`, and `get-jwks`. The OEL and OSS Talos sidebars are rewired to the new path-based IDs while preserving their existing placement and icon, and 38 redirects are added in `docusaurus.config.ts` from the old custom-ID URLs. `/talos` is kept as the Talos entrypoint and the Network sidebar is untouched; `npm run build` passes with no Talos-related broken links.
Related Issue or Design Document
Documentation improvement; no issue reference required.
Checklist
Further comments
Documentation-only change. The `operate/benchmarks` page is intentionally left out of the OEL/OSS sidebars (matching upstream), but remains reachable at `/talos/operate/benchmarks` and its old URL redirects there.
Summary by CodeRabbit