content(esc): restructure top-level information architecture by jkodroff · Pull Request #19417 · pulumi/docs

jkodroff · 2026-05-28T01:37:07Z

Reorganizes the ESC docs around a new top-level taxonomy: Concepts · Environments · Providers · Operations · Guides · Integrations · Administration · Languages & SDKs · CLI · Comparisons.

What changed

Concepts → Providers & rotators — new flat concept page that unifies the prose explaining fn::open::* providers and fn::rotate::* rotators.
Providers (new top-level section) — reference catalog with three sub-sections: Login & OIDC, Secrets & config, Rotators. All 27 plugin pages live here.
Operations (new) — managing secrets, approvals, rotation connectors.
Guides — tool walkthroughs that don't have a dedicated ESC component: Pulumi IaC, Docker, direnv, GHA, Cloudflare, Kubernetes cluster access, OIDC setup, esc run.
Integrations (repurposed) — only first-party ESC components: PSP, Automation API, VS Code, ESO, CSI Driver.
Languages & SDKs — renamed from "Development"; SDK pages flattened.
Deleted with redirects: ESC self-hosting → `/docs/administration/self-hosting/`; ESC OIDC authentication → `/docs/administration/access-identity/oidc-issuers/`.

Aliases preserved on every move; 127 files, 732 insertions, 883 deletions.

Resolves #19415.

Reorganizes the ESC docs around a new section taxonomy: Concepts · Environments · Providers · Operations · Guides · Integrations · Administration · Languages & SDKs · CLI · Comparisons. Splits the catalog of providers and rotators from their conceptual introduction; separates first-party integrations (PSP, Automation API, VS Code, ESO, CSI Driver) from tool walkthroughs (Docker, direnv, GHA, Cloudflare, Kubernetes cluster access, OIDC setup); retires the legacy Development and Guides sections; deletes ESC-only self-hosting and OIDC-authentication pages in favor of Pulumi Cloud equivalents. Aliases preserved on every move. Resolves #19415. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

pulumi-bot · 2026-05-28T01:46:44Z

Your site preview for commit 43a2a60 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-19417-43a2a607.s3-website.us-west-2.amazonaws.com

pulumi-bot · 2026-05-28T01:50:15Z

Lighthouse Performance Report

Commit: 43a2a60 | Metric definitions

Page	Device	Score	FCP	LCP	TBT	CLS	SI
Homepage	Mobile	🔴 26	5.9s	8.0s	3037ms	0.074	9.4s
Homepage	Desktop	🟡 82	0.8s	1.2s	311ms	0.010	1.5s
Install Pulumi	Mobile	🟡 52	5.2s	8.6s	383ms	0.027	5.7s
Install Pulumi	Desktop	🟡 81	1.3s	1.9s	24ms	0.001	3.0s
AWS Get Started	Mobile	🟡 55	5.1s	7.6s	316ms	0.076	5.1s
AWS Get Started	Desktop	🟡 87	1.2s	1.8s	26ms	0.020	1.6s

…e-esc-docs

github-actions · 2026-05-28T02:41:01Z

Pre-merge Review — Last updated 2026-05-28T15:16:17Z

Tip

Summary: This PR is a major information-architecture restructure of the Pulumi ESC docs. It flattens integrations/dynamic-login-credentials/, integrations/dynamic-secrets/, integrations/rotated-secrets/, and integrations/infrastructure/ into a unified providers/{login,secrets,rotators}/ catalog; splits development/ into languages-sdks/ and an integrations/ slot for Pulumi-built consumers (Automation API, VS Code, Service Provider, Kubernetes integrations); and lifts day-to-day operator workflows (managing-secrets, approvals, rotation connectors) into a new top-level operations/ section. The kind of wrongness that would block a reader's success here is a broken internal link. All Real findings from the previous review have been resolved in 43a2a60: two broken cross-tree links fixed, one PR-internal alias collision removed, and the reference-cli orphan-parent finding conceded as a false positive (identifier confirmed present in config/_default/menus.yml). The 64 spurious verifier-limitation findings (verifier had checked master/live site, not the PR tree) are now clear.

Review confidence:

Dimension	Level	Notes
mechanics	HIGH	All previously-flagged mechanics issues resolved in `43a2a60`.
facts	MEDIUM	Verifier subagents could not see PR-local renames (they checked `master` and the live site); the trail is preserved verbatim, but most contradicted verdicts were triaged as spurious after spot-checking the PR tree.
cross-sibling consistency	HIGH
code correctness	HIGH

Investigation log

Cross-sibling reads: 4 of 4 siblings (content/docs/esc/integrations/_index.md, content/docs/esc/providers/_index.md, content/docs/esc/operations/_index.md, content/docs/esc/languages-sdks/_index.md)
External claim verification: 156 of 258 claims verified (12 unverifiable, 69 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 230 Pass 1, 22 Pass 2 (verified 1, contradicted 21, unverifiable 0), 6 Pass 3 (verified 1, contradicted 4, unverifiable 1).
Cited-claim spot-checks: 22 of 22 cited claims fetched and compared
Frontmatter sweep: ran on body + meta_desc
Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
Code execution: not run (no static/programs/ change)
Code-examples checks: ran (3 specialists: structural, existence, body-code-coverage); 0 findings
Editorial-balance pass: not run (not under content/blog/)

🚨 Outstanding	⚠️ Low-confidence	💡 Pre-existing	✅ Resolved
0	12	0	69

🔍 Verification trail

258 claims extracted · 156 verified · 12 unverifiable · 69 contradicted

L21-22 in content/docs/administration/access-identity/oidc-issuers/_index.md "- /docs/esc/access-management/oidc-authentication/" → ❌ contradicted (framing: shifted — claim uses /docs/esc/access-management/oidc-authentication/ but the correct/canonical path is /docs/esc/administration/oidc-authentication/; evidence: The canonical content file lives at content/docs/esc/administration/oidc-authentication.md (path /docs/esc/administration/oidc-authentication/); the path /docs/esc/access-management/oidc-authentication/ appears only as a redirect alias…; source: gh search code --owner pulumi "oidc-authentication" --extension md -R pulumi/docs)
L25 in content/docs/administration/access-identity/oidc-issuers/_index.md "Workloads registered as trusted OIDC Issuers in Pulumi Cloud present short-lived OIDC id_tokens and receive short-lived Pulumi access tokens in exchange, with…" → ✅ verified (evidence: The file at L25 states: "Workloads on the service then present their own short-lived OIDC id_tokens and receive short-lived Pulumi access tokens in exchange — no hardcoded credentials." This directly matches the claim's description; source: repo:content/docs/administration/access-identity/oidc-issuers/_index.md)
L25 in content/docs/administration/access-identity/oidc-issuers/_index.md "Instead of provisioning a long-lived Pulumi access token and storing it as a secret in a CI system, build runner, or Kubernetes cluster, you can register an ex…" → ✅ verified (evidence: The file at line 25 states: "Instead of provisioning a long-lived Pulumi access token and storing it as a secret in your CI system, build runner, or Kubernetes cluster, you register that external service as a trusted OIDC Issuer in Pulumi…; source: repo:content/docs/administration/access-identity/oidc-issuers/_index.md)
L69 in content/docs/administration/onboarding-guide/migrating-to-pulumi.md "Pulumi ESC and OIDC documentation for short-lived cloud credentials is located at the path /docs/esc/providers/login/." → ✅ verified (framing: strengthened — the path /docs/esc/providers/login/ is an alias (redirect) to the current canonical path, but the content is exactly about Pulumi ESC and OIDC…; evidence: The file content/docs/esc/providers/login/_index.md exists and its meta_desc states "Pulumi ESC login providers issue short-lived credentials for AWS, Azure, GCP, GitHub, and other services using OpenID Connect or static credentials."; source: repo:content/docs/esc/providers/login/_index.md)
L32 in content/docs/administration/onboarding-guide/setting-up-for-success.md "The Pulumi Registry at /registry/ is the complete list of supported providers and contains provider documentation and configuration guidance." → ✅ verified (framing: strengthened — the claim says "complete list of supported providers"; the registry does list all published providers but also includes community/third-party packages; source: https://www.pulumi.com/registry/)
L32 in content/docs/administration/onboarding-guide/setting-up-for-success.md "Pulumi supports SaaS infrastructure providers including Cloudflare, DataDog, MongoDB, and Snowflake." → ✅ verified (evidence: The source file at line 32 states: "Other supported providers include SaaS infrastructure products like Cloudflare, DataDog, MongoDB, and Snowflake, plus on-premises technologies like VMware vSphere."; source: repo:content/docs/administration/onboarding-guide/setting-up-for-success.md)
L34 in content/docs/administration/onboarding-guide/setting-up-for-success.md "Pulumi ESC supports OpenID Connect (OIDC) for dynamic, short-lived credentials, and this is described as the most secure method for cloud authentication." → ✅ verified (evidence: The source file at L34 states: "Use Pulumi ESC's OpenID Connect (OIDC) support for dynamic, short-lived credentials. This is the most secure method and should be preferred for supported providers."; source: repo:content/docs/administration/onboarding-guide/setting-up-for-success.md)
L36 in content/docs/administration/onboarding-guide/setting-up-for-success.md "Pulumi uses native tools and techniques for authentication, keeping it consistent with existing usage patterns." → ➖ not-a-claim (evidence: The phrase appears only in the PR's own content file and is not sourced from a referenced external resource; source: repo:content/docs/administration/onboarding-guide/setting-up-for-success.md)
L24 in content/docs/administration/self-hosting/_index.md "- /docs/esc/administration/self-hosting/" → ✅ verified (evidence: The file content/docs/administration/self-hosting/_index.md contains - /docs/esc/administration/self-hosting/ in its aliases list; source: repo:content/docs/administration/self-hosting/_index.md)
L58-60 in content/docs/ai/integrations/cli/_index.md "Pulumi Cloud federates with AWS IAM via OpenID Connect, and the aws-login provider exchanges a Pulumi-issued OIDC token for short-lived AWS credentials at task time." → ✅ verified (evidence: The claim is stated almost verbatim in the source file; source: repo:content/docs/ai/integrations/cli/_index.md and repo:content/docs/esc/providers/login/aws-login.md)
L62 in content/docs/ai/integrations/cli/_index.md "The aws-login, gcp-login, and azure-login providers also accept static credentials in addition to OIDC." → ✅ verified (evidence: The pulumi/esc source code confirms all three providers support static credentials; source: gh search code --owner pulumi --repo pulumi/esc "static credentials")
L66 in content/docs/ai/integrations/cli/_index.md "The Kubernetes Cluster Access guide is located at /docs/esc/guides/kubernetes-cluster-access/." → 🤷 unverifiable (evidence: The source file references /docs/esc/guides/kubernetes-cluster-access/ as the "Kubernetes Cluster Access" guide, but the verifier could not confirm the PR-local rename; source: repo:content/docs/esc/guides/kubernetes-cluster-access/_index.md (file not found in master))
L68 in content/docs/ai/integrations/cli/_index.md "The pulumi-stacks ESC provider can read a kubeconfig from an EKS, AKS, or GKE stack output and materialize it through files.KUBECONFIG." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
L42 in content/docs/ai/running-previews/_index.md "Pulumi ESC has native OIDC integration with all of the major cloud providers." → ✅ verified (evidence: The file itself and ESC docs confirm OIDC integration with AWS, Azure, and GCP; source: repo:content/docs/ai/running-previews/_index.md; repo:content/docs/esc/_index.md)
L42 in content/docs/ai/running-previews/_index.md "Pulumi ESC is the most flexible and scalable option for defining stack configuration and secrets." → ➖ not-a-claim (evidence: This is the PR author's own editorial assertion; source: repo:content/docs/ai/running-previews/_index.md)
L44 in content/docs/ai/running-previews/_index.md "The URL path for associating an ESC environment with a Pulumi IaC stack is /docs/esc/integrations/pulumi-iac/ (changed from /docs/esc/integrations/infrastructure/pulumi-iac/)." → ❌ contradicted (evidence: The repo's master branch still uses /docs/esc/integrations/infrastructure/pulumi-iac/; verifier checked master, not PR HEAD; source: gh search code --owner pulumi --repo pulumi/docs "integrations/infrastructure/pulumi-iac")
L26 in content/docs/deployments/deployments/cloud-credentials.md "Pulumi ESC Environments are more portable compared to Deployments OIDC." → ✅ verified (evidence: The file at L26 makes this comparison explicitly; source: repo:content/docs/deployments/deployments/cloud-credentials.md)
L27 in content/docs/deployments/deployments/cloud-credentials.md "Pulumi Deployments OIDC configuration must be repeated for every stack that uses Deployments OIDC." → ✅ verified (evidence: The file at L27 states this verbatim; source: repo:content/docs/deployments/deployments/cloud-credentials.md)
L27 in content/docs/deployments/deployments/cloud-credentials.md "Pulumi ESC Environments are centrally defined and may be imported into any number of Pulumi stacks." → ✅ verified (evidence: The file at L27 states this verbatim; source: repo:content/docs/deployments/deployments/cloud-credentials.md)
L27-30 in content/docs/deployments/deployments/cloud-credentials.md "Pulumi ESC has native integrations with popular clouds for both OIDC and managed secrets services, and other tools like Kubernetes and Docker." → ✅ verified (framing: strengthened — claim drops the comparative "more"; source: repo:content/docs/deployments/deployments/cloud-credentials.md)
L27 in content/docs/esc/_index.md "Pulumi ESC integrates with AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, and 1Password as secrets stores." → ✅ verified (evidence: The file confirms all five; source: repo:content/docs/esc/_index.md)
L31 in content/docs/esc/_index.md "The AWS Secrets Manager integration page is located at /docs/esc/providers/secrets/aws-secrets/." → ❌ contradicted (evidence: The actual path on master is /docs/esc/integrations/dynamic-secrets/aws-secrets/; verifier checked master; source: gh search code --owner pulumi "aws-secrets" --extension md)
L34 in content/docs/esc/_index.md "The Azure Key Vault integration page is located at /docs/esc/providers/secrets/azure-secrets/." → ❌ contradicted (evidence: Actual master path is /docs/esc/integrations/dynamic-secrets/azure-secrets/; verifier checked master; source: gh search code --owner pulumi "azure-secrets" --extension md)
L37 in content/docs/esc/_index.md "The GCP Secret Manager integration page is located at /docs/esc/providers/secrets/gcp-secrets/." → ✅ verified (evidence: The file explicitly links to /docs/esc/providers/secrets/gcp-secrets/; source: repo:content/docs/esc/_index.md)
L40 in content/docs/esc/_index.md "The HashiCorp Vault integration page is located at /docs/esc/providers/secrets/vault-secrets/." → ❌ contradicted (evidence: Actual master path is /docs/esc/integrations/dynamic-secrets/vault-secrets/; verifier checked master; source: gh search code --owner pulumi "vault-secrets")
L47 in content/docs/esc/_index.md "The ESC Node.js/JavaScript SDK documentation page is located at /docs/esc/languages-sdks/javascript/." → ❌ contradicted (framing: shifted — master uses /docs/esc/development/languages-sdks/javascript/; verifier checked master; source: repo:content/docs/esc/_index.md)
L50 in content/docs/esc/_index.md "The ESC Python SDK documentation page is located at /docs/esc/languages-sdks/python/." → ❌ contradicted (framing: shifted — master uses /docs/esc/development/languages-sdks/python/; verifier checked master; source: gh api repos/pulumi/docs/contents/content/docs/esc/development/languages-sdks)
L53 in content/docs/esc/_index.md "The ESC Go SDK documentation page is located at /docs/esc/languages-sdks/go/." → ❌ contradicted (framing: shifted — master uses /docs/esc/development/languages-sdks/go/; verifier checked master; source: repo:content/docs/esc/_index.md)
L64 in content/docs/esc/_index.md "The ESC 'Manage secrets' operations page is located at /docs/esc/operations/managing-secrets/." → ❌ contradicted (evidence: Master path is /docs/esc/guides/managing-secrets/; verifier checked master; source: gh search code --owner pulumi "managing-secrets" --repo pulumi/docs)
L67 in content/docs/esc/_index.md "The 'esc run' command injects environment values into any command or script." → ✅ verified (evidence: The file contains a card with this exact description; source: repo:content/docs/esc/_index.md)
L68 in content/docs/esc/_index.md "The ESC 'Run commands with esc run' guide page is located at /docs/esc/guides/running-commands/." → ❌ contradicted (framing: shifted — master file is running-commands-with-esc.md; verifier checked master; source: gh search code pulumi/docs "running-commands")
L72 in content/docs/esc/_index.md "The ESC 'Use ESC with Pulumi IaC' guide page is located at /docs/esc/guides/integrate-with-pulumi-iac/." → ✅ verified (evidence: The file exists with this alias; source: repo:content/docs/esc/guides/integrate-with-pulumi-iac.md)
L76 in content/docs/esc/_index.md "The ESC 'Compose environments' page is located at /docs/esc/environments/importing-environments/." → ❌ contradicted (evidence: Master links to /docs/esc/guides/importing-environments/; verifier checked master; source: repo:content/docs/esc/_index.md)
L86-87 in content/docs/esc/_index.md "Pulumi ESC Login providers support issuing short-lived OIDC credentials for AWS, Azure, GCP, GitHub, and more." → ✅ verified (framing: strengthened; source: content/docs/esc/_index.md and content/docs/esc/providers/login/_index.md)
L91 in content/docs/esc/_index.md "The ESC Secrets providers page is located at /docs/esc/providers/secrets/." → ✅ verified (evidence: The file exists with this alias; source: repo:content/docs/esc/providers/secrets/_index.md)
L101 in content/docs/esc/_index.md "Core ESC concepts include environments, sources, targets, and composition." → ✅ verified (evidence: The file contains this exact text; source: repo:content/docs/esc/_index.md)
L105 in content/docs/esc/_index.md "The ESC Environments section covers YAML syntax, imports, versioning, and webhooks." → ✅ verified (evidence: The file contains this description; source: repo:content/docs/esc/_index.md)
L109-110 in content/docs/esc/_index.md "Pulumi ESC Guides cover use with Docker, direnv, GitHub Actions, Kubernetes, Cloudflare, and Pulumi IaC." → ✅ verified (evidence: The /docs/esc/guides/ index page confirms all listed guides; source: repo:content/docs/esc/guides/_index.md)
L113 in content/docs/esc/_index.md "Pulumi ESC Languages & SDKs support programmatic management from .NET, Go, JavaScript, and Python." → ✅ verified (evidence: The languages-sdks page confirms all four; source: repo:content/docs/esc/_index.md and repo:content/docs/esc/languages-sdks/_index.md)
L113-114 in content/docs/esc/_index.md "Pulumi ESC Languages & SDKs support programmatic management from .NET, Go, JavaScript, and Python." → ✅ verified (evidence: confirmed; source: content/docs/esc/languages-sdks/_index.md)
L18-26 in content/docs/esc/administration/_index.md "Teams and Role-based access control (RBAC) manages permissions at the organization and environment levels, and is documented at /docs/administration/organizations-teams/teams/." → 🤝 matches (evidence: confirmed; source: repo:content/docs/esc/administration/_index.md)
L19-26 in content/docs/esc/administration/_index.md "Access control for ESC manages environment permissions with role-based access controls at the organization and team levels." → 🤝 matches (evidence: confirmed; source: repo:content/docs/esc/administration/_index.md)
L27 in content/docs/esc/administration/_index.md "The documentation for self-hosting Pulumi ESC is located at /docs/administration/self-hosting/ (not /docs/esc/administration/self-hosting/)." → ✅ verified (evidence: confirmed; source: repo:content/docs/esc/administration/_index.md and repo:content/docs/administration/self-hosting/_index.md)
L19 in content/docs/esc/cli/commands/esc_env_provider_aws-login.md "The full provider reference for the ESC AWS login provider is located at https://www.pulumi.com/docs/esc/providers/login/aws-login/" → ❌ contradicted (evidence: URL returns HTTP 404; verifier checked live site which doesn't have the PR's new pages; source: https://www.pulumi.com/docs/esc/providers/login/aws-login/)
L21 in content/docs/esc/cli/commands/esc_env_provider_aws-login_oidc.md "The full provider reference for the ESC AWS login OIDC provider is located at https://www.pulumi.com/docs/esc/providers/login/aws-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/aws-login/)
L20 in content/docs/esc/cli/commands/esc_env_provider_aws-login_static.md "The full provider reference for the ESC AWS login static provider is located at https://www.pulumi.com/docs/esc/providers/login/aws-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/aws-login/)
L19 in content/docs/esc/cli/commands/esc_env_provider_azure-login.md "The full provider reference for the ESC Azure login provider is located at https://www.pulumi.com/docs/esc/providers/login/azure-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/azure-login/)
L21 in content/docs/esc/cli/commands/esc_env_provider_azure-login_oidc.md "The full provider reference for the ESC Azure login OIDC provider is located at https://www.pulumi.com/docs/esc/providers/login/azure-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/azure-login/)
L20 in content/docs/esc/cli/commands/esc_env_provider_azure-login_static.md "The full provider reference for the ESC Azure login provider is located at https://www.pulumi.com/docs/esc/providers/login/azure-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/azure-login/)
L16-17 in content/docs/esc/cli/commands/esc_env_provider_gcp-login.md "The ESC GCP login provider supports two authentication modes: static for static credentials and oidc for federated identity via OpenID Connect." → ✅ verified (evidence: The file's synopsis reads exactly this; source: content/docs/esc/cli/commands/esc_env_provider_gcp-login.md)
L19 in content/docs/esc/cli/commands/esc_env_provider_gcp-login.md "The full provider reference for the ESC GCP login provider is located at https://www.pulumi.com/docs/esc/providers/login/gcp-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/gcp-login/)
L22 in content/docs/esc/cli/commands/esc_env_provider_gcp-login_oidc.md "The full provider reference for the GCP login OIDC provider is located at https://www.pulumi.com/docs/esc/providers/login/gcp-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/gcp-login/)
L20 in content/docs/esc/cli/commands/esc_env_provider_gcp-login_static.md "See https://www.pulumi.com/docs/esc/providers/login/gcp-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/gcp-login/)
L34-38 in content/docs/esc/concepts/how-esc-works.md "* HashiCorp Vault OIDC and Vault Secrets" → ❌ contradicted (framing: shifted — master uses /docs/esc/integrations/dynamic-login-credentials/vault-login/; verifier checked master; source: gh search code --owner pulumi "vault-login")
L132 in content/docs/esc/concepts/how-esc-works.md "The Pulumi ESC CLI and ESC Automation API allow teams to interact with environments outside of Pulumi Cloud." → ❌ contradicted (framing: shifted — master Automation API is at /docs/esc/development/automation-api; verifier checked master; source: gh api repos/pulumi/docs/contents/content/docs/esc/development)
L136 in content/docs/esc/concepts/how-esc-works.md "Pulumi ESC also integrates with popular developer tools like GitHub Actions, DirEnv, and Docker." → ✅ verified (evidence: github.com/features/actions returns 200; source: https://github.com/features/actions)
L140 in content/docs/esc/concepts/how-esc-works.md "Pulumi ESC can also be used directly in your TypeScript/JavaScript, Go, or Python programs." → ✅ verified (evidence: The file content/docs/esc/languages-sdks/javascript.md exists; source: repo:content/docs/esc/languages-sdks/javascript.md)
L13 in content/docs/esc/concepts/providers.md "- /docs/esc/concepts/providers/" → ➖ not-a-claim (evidence: Hugo frontmatter alias entry; source: repo:content/docs/esc/concepts/providers.md)
L16 in content/docs/esc/concepts/providers.md "Providers and rotators are the first-party plugins shipped with Pulumi ESC." → ➖ not-a-claim (evidence: PR author's own design description; source: repo:content/docs/esc/concepts/providers.md)
L18 in content/docs/esc/concepts/providers.md "For the full catalog of available plugins, see Providers." → ✅ verified (evidence: The /docs/esc/providers/ page exists; source: repo:content/docs/esc/providers/_index.md)
L50 in content/docs/esc/concepts/providers.md "- Login providers — issue short-lived credentials for downstream services (AWS, Azure, GCP, GitHub, Vault, Doppler, Infisical, Snowflake)." → ✅ verified (evidence: confirmed; source: repo:content/docs/esc/concepts/providers.md and repo:content/docs/esc/providers/login/_index.md)
L51 in content/docs/esc/concepts/providers.md "- Secrets and configuration providers — pull values from an external system of record." → ✅ verified (framing: strengthened; source: content/docs/esc/providers/secrets/_index.md)
L52 in content/docs/esc/concepts/providers.md "- Rotators — periodically replace a stored credential with a freshly issued one." → ✅ verified (evidence: confirmed; source: repo:content/docs/esc/providers/rotators/_index.md and repo:content/docs/esc/operations/rotation/_index.md)
L54 in content/docs/esc/concepts/providers.md "If a value can't be produced by a built-in plugin, the external provider and external rotator accept a custom HTTP adapter." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
L64 in content/docs/esc/concepts/providers.md "For the full evaluation order (providers, imports, interpolations, and how merge semantics work between them), see the environments reference." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
L15 in content/docs/esc/environments/_index.md "Environments are accessible with the standalone esc CLI, the pulumi CLI, the Pulumi SDK." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
L14 in content/docs/esc/environments/importing-environments.md "- /docs/esc/guides/importing-environments/" → ✅ verified (evidence: alias confirmed in frontmatter; source: repo:content/docs/esc/environments/importing-environments.md)
L95 in content/docs/esc/environments/importing-environments.md "To test this, try retrieving the imported value via the console or CLI. See Managing secrets for details." → ✅ verified (evidence: The managing-secrets.md file contains a ## Retrieving secrets section; source: repo:content/docs/esc/operations/managing-secrets.md)
L104 in content/docs/esc/environments/importing-environments.md "- Managing secrets - Learn more about storing and retrieving values" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/operations/managing-secrets.md)
L15 in content/docs/esc/environments/imports.md "New to environment imports? Start with the step-by-step guide for a hands-on tutorial." → ✅ verified (evidence: file exists with this description; source: repo:content/docs/esc/environments/importing-environments.md)
L80 in content/docs/esc/environments/rotation/_index.md "See Rotated Secrets page for details on which rotators require you to deploy a rotation connector." → ✅ verified (evidence: page exists with connector column; source: content/docs/esc/providers/rotators/_index.md)
L86 in content/docs/esc/environments/rotation/_index.md "| AWS Lambda | The AWS Lambda rotation connector enables you to rotate credentials inside private networks." → 🤷 unverifiable (framing: shifted — verifier could not confirm the target page in the PR tree; evidence: target file not found on master; source: repo:content/docs/esc/operations/rotation/aws-lambda/_index.md (not found on master))
L100 in content/docs/esc/environments/rotation/_index.md "The minimum required permissions for each rotation function are documented in the Rotated Secret provider documentation." → ✅ verified (evidence: confirmed verbatim; source: repo:content/docs/esc/environments/rotation/_index.md; repo:content/docs/esc/providers/rotators/_index.md)
L22-27 in content/docs/esc/environments/syntax/providers.md "| vault-login | The vault-login provider enables you to log in to HashiCorp Vault using OpenID Connect or static credentials." → ✅ verified (framing: strengthened; source: content/docs/esc/providers/login/vault-login.md)
L33 in content/docs/esc/environments/syntax/providers.md "| 1password-secrets | The 1password-secrets provider enables you to dynamically import Secrets from 1Password into your Environment." → ✅ verified (evidence: confirmed; source: repo:content/docs/esc/providers/secrets/1password-secrets.md)
L35-39 in content/docs/esc/environments/syntax/providers.md "| aws-secrets | The aws-secrets provider enables you to dynamically import Secrets from AWS Secrets Manager into your Environment." → ✅ verified (evidence: confirmed; source: repo:content/docs/esc/providers/secrets/aws-secrets.md)
L16 in content/docs/esc/environments/syntax/reserved-properties/pulumi-config.md "The pulumiConfig reserved property contains values that should be exported as stack configuration for Pulumi IaC. See the Pulumi IaC integration docs." → ❌ contradicted (framing: shifted — PR used path /docs/esc/integrations/pulumi-iac; no page exists at that path; source: gh search code --owner pulumi "pulumi-iac" --repo pulumi/docs)
L16 in content/docs/esc/environments/syntax/rotators.md "Pulumi ESC Rotators are ESC functions that enable you to rotate various credentials both automatically and manually for a number of supported services." → ✅ verified (evidence: confirmed verbatim; source: repo:content/docs/esc/environments/syntax/rotators.md)
L18 in content/docs/esc/environments/syntax/rotators.md "To learn how to set up and use each rotator, follow the links below. All rotators use login providers for authorization." → ✅ verified (evidence: confirmed; source: repo:content/docs/esc/providers/login/_index.md)
L22-25 in content/docs/esc/environments/syntax/rotators.md "| aws-iam | None | The aws-iam rotator enables you to rotate access credentials for an AWS IAM User." → ✅ verified (evidence: meta_desc matches exactly; source: repo:content/docs/esc/providers/rotators/aws-iam.md)
L134 in content/docs/esc/get-started/_index.md "- Managing secrets - Store, organize, and retrieve secrets using the CLI and console" → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
L135 in content/docs/esc/get-started/_index.md "- Running commands with esc run - Inject secrets into any command or script as environment variables" → ✅ verified (framing: strengthened; evidence: content/docs/esc/guides/running-commands.md exists; source: repo:content/docs/esc/guides/running-commands.md)
L136 in content/docs/esc/get-started/_index.md "- Importing environments - Compose environments to share configuration across teams and projects" → ✅ verified (evidence: file exists with this meta_desc; source: repo:content/docs/esc/environments/importing-environments.md)
L137 in content/docs/esc/get-started/_index.md "- Dynamic login credentials - Generate short-lived cloud credentials using OIDC with AWS, Azure, GCP, and more" → ✅ verified (evidence: page exists with matching description; source: content/docs/esc/providers/login/_index.md)
L145 in content/docs/esc/get-started/_index.md "- Dynamic secrets - Pull secrets from external providers like AWS Secrets Manager, Azure Key Vault, and 1Password" → ✅ verified (evidence: page lists all three; source: repo:content/docs/esc/providers/secrets/_index.md)
L15 in content/docs/esc/guides/_index.md "For first-party ESC integrations (the Pulumi Service Provider, Automation API, the VS Code extension, the External Secrets Operator, and the Secrets Store CSI Driver), see Integrations." → ✅ verified (evidence: confirmed; source: repo:content/docs/esc/guides/_index.md and repo:content/docs/esc/integrations/_index.md)
L19 in content/docs/esc/guides/_index.md "- Configuring OIDC — set up OpenID Connect trust between ESC and AWS, Azure, GCP, Doppler, Infisical, or Vault." → ✅ verified (evidence: page and subguides confirmed; source: repo:content/docs/esc/guides/_index.md and repo:content/docs/esc/guides/configuring-oidc/_index.md)
L23 in content/docs/esc/guides/_index.md "- Manage ESC with Pulumi IaC — consume environments from a Pulumi program." → ✅ verified (framing: strengthened; evidence: file exists with alias; source: repo:content/docs/esc/guides/integrate-with-pulumi-iac.md)
L27-29 in content/docs/esc/guides/_index.md "- Run commands with esc run — inject environment values into any command or script." → ❌ contradicted (framing: shifted — PR uses slug /running-commands/ but master file is running-commands-with-esc.md; verifier checked master; source: gh api repos/pulumi/docs/contents/content/docs/esc/guides)
L33 in content/docs/esc/guides/_index.md "- GitHub Actions — inject ESC values and short-lived cloud credentials into workflows." → ✅ verified (evidence: file exists; source: repo:content/docs/esc/guides/_index.md)
L37 in content/docs/esc/guides/_index.md "- Kubernetes cluster access — store and consume kubeconfig files and cluster credentials in ESC." → ❌ contradicted (framing: shifted — claim URL does not match live URL /docs/esc/integrations/kubernetes/kubernetes/; verifier checked live site; source: https://www.pulumi.com/docs/esc/integrations/kubernetes/kubernetes/)
L41 in content/docs/esc/guides/_index.md "- Cloudflare — manage Cloudflare Workers secrets via ESC." → 🤷 unverifiable (evidence: verifier could not confirm PR-local rename; source: repo:content/docs/esc/guides/_index.md)
L12-13 in content/docs/esc/guides/cloudflare.md "- /docs/esc/integrations/infrastructure/cloudflare/" → ✅ verified (evidence: alias confirmed in frontmatter; source: repo:content/docs/esc/guides/cloudflare.md)
L15-16 in content/docs/esc/guides/configuring-oidc/_index.md "- /docs/esc/concepts/providers/login/oidc-setup/" → ✅ verified (evidence: alias confirmed in frontmatter; source: repo:content/docs/esc/guides/configuring-oidc/_index.md)
L14-16 in content/docs/esc/guides/configuring-oidc/aws.md "- /docs/esc/concepts/providers/login/oidc-setup/aws/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/guides/configuring-oidc/aws.md)
L14-16 in content/docs/esc/guides/configuring-oidc/azure.md "- /docs/esc/concepts/providers/login/oidc-setup/azure/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/guides/configuring-oidc/azure.md)
L14-16 in content/docs/esc/guides/configuring-oidc/doppler.md "- /docs/esc/concepts/providers/login/oidc-setup/doppler/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/guides/configuring-oidc/doppler.md)
L14-16 in content/docs/esc/guides/configuring-oidc/gcp.md "- /docs/esc/concepts/providers/login/oidc-setup/gcp/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/guides/configuring-oidc/gcp.md)
L154 in content/docs/esc/guides/configuring-oidc/gcp.md "For more details about the region field, see the gcp-login provider documentation." → ✅ verified (evidence: file exists with ### GCPLoginOIDC section; source: repo:content/docs/esc/providers/login/gcp-login.md)
L14-16 in content/docs/esc/guides/configuring-oidc/infisical.md "- /docs/esc/concepts/providers/login/oidc-setup/infisical/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/guides/configuring-oidc/infisical.md)
L18-20 in content/docs/esc/guides/configuring-oidc/vault.md "- /docs/esc/concepts/providers/login/oidc-setup/vault/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/guides/configuring-oidc/vault.md)
L12-13 in content/docs/esc/guides/direnv.md "- /docs/esc/integrations/dev-tools/direnv/" → ✅ verified (evidence: file exists on master; source: gh search code --owner pulumi --repo pulumi/docs --filename direnv.md)
L12-13 in content/docs/esc/guides/docker.md "- /docs/esc/integrations/dev-tools/docker/" → ✅ verified (evidence: file exists on master; source: gh api repos/pulumi/docs/contents/content/docs/esc/integrations/dev-tools)
L12-13 in content/docs/esc/guides/github-actions.md "- /docs/esc/integrations/dev-tools/github/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/guides/github-actions.md)
L14-15 in content/docs/esc/guides/integrate-with-pulumi-iac.md "- /docs/esc/integrations/integrate-with-pulumi-iac/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/guides/integrate-with-pulumi-iac.md)
L129 in content/docs/esc/guides/integrate-with-pulumi-iac.md "Learn more in Dynamic login credentials and Configuring OIDC." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
L146 in content/docs/esc/guides/integrate-with-pulumi-iac.md "Learn more in Dynamic secrets." → ✅ verified (evidence: page exists; source: repo:content/docs/esc/providers/secrets/_index.md)
L168 in content/docs/esc/guides/integrate-with-pulumi-iac.md "Learn more in Importing environments." → ✅ verified (evidence: file exists; source: repo:content/docs/esc/environments/importing-environments.md)
L172-173 in content/docs/esc/guides/integrate-with-pulumi-iac.md "- Dynamic login credentials - Generate dynamic cloud credentials with OIDC" → ✅ verified (evidence: page confirmed; source: repo:content/docs/esc/providers/login/_index.md)
L174 in content/docs/esc/guides/integrate-with-pulumi-iac.md "- Importing environments - Compose configuration hierarchies" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/environments/importing-environments.md)
L175 in content/docs/esc/guides/integrate-with-pulumi-iac.md "- Pulumi IaC integration reference - Complete integration documentation" → ❌ contradicted (evidence: The directory content/docs/esc/integrations/ contains no pulumi-iac subdirectory; the linked target did not exist in the PR tree at review time; source: gh api repos/pulumi/docs/contents/content/docs/esc/integrations)
L13 in content/docs/esc/guides/kubernetes-cluster-access.md "- /docs/esc/integrations/kubernetes/kubernetes/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/guides/kubernetes-cluster-access.md)
L67 in content/docs/esc/guides/kubernetes-cluster-access.md "cluster information from stack outputs of Pulumi IaC programs." → ✅ verified (evidence: anchor confirmed in stacks.md; source: gh search code --owner pulumi "stacks/#outputs")
L119 in content/docs/esc/guides/kubernetes-cluster-access.md "to connect to an AWS EKS cluster using AWS OIDC credentials returned by the aws-login provider." → ✅ verified (evidence: file exists with alias; source: repo:content/docs/esc/providers/login/aws-login.md)
L128 in content/docs/esc/guides/kubernetes-cluster-access.md "Taking an EKS cluster as an example, your environment can produce temporary AWS credentials using the aws-login provider." → ✅ verified (evidence: confirmed; source: repo:content/docs/esc/providers/login/azure-login.md)
L12-13 in content/docs/esc/guides/running-commands.md "- /docs/esc/guides/running-commands-with-esc/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/guides/running-commands.md)
L22 in content/docs/esc/guides/running-commands.md "- An ESC environment with values (see Managing secrets)" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/operations/managing-secrets.md)
L225 in content/docs/esc/guides/running-commands.md "- Managing secrets - Store and organize secrets" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/operations/managing-secrets.md)
L227 in content/docs/esc/guides/running-commands.md "- Dynamic login credentials - Generate dynamic cloud credentials with OIDC" → ✅ verified (evidence: page confirmed; source: repo:content/docs/esc/providers/login/_index.md)
L12-13 in content/docs/esc/integrations/_index.md "- /docs/pulumi-cloud/esc/providers/" → ✅ verified (evidence: alias was confirmed in frontmatter at review time; source: repo:content/docs/esc/integrations/_index.md)
L16 in content/docs/esc/integrations/_index.md "Integrations with a dedicated ESC component — a Pulumi-built provider, extension, operator, or driver — that consumes environments." → ✅ verified (evidence: text confirmed; source: repo:content/docs/esc/integrations/_index.md)
L18 in content/docs/esc/integrations/_index.md "For built-in plugins that run inside an environment definition with fn::open::* or fn::rotate::*, see Providers." → ✅ verified (evidence: text confirmed; source: repo:content/docs/esc/integrations/_index.md and repo:content/docs/esc/providers/_index.md)
L22 in content/docs/esc/integrations/_index.md "- Pulumi Service Provider — define environments, permissions, and version tags from a Pulumi program." → ✅ verified (evidence: text confirmed; source: repo:content/docs/esc/integrations/_index.md)
L23 in content/docs/esc/integrations/_index.md "- Automation API — drive ESC operations alongside Pulumi IaC deployments." → ❌ contradicted (framing: shifted — master path is /docs/esc/development/automation-api/; verifier checked live site; source: https://www.pulumi.com/docs/esc/development/automation-api/)
L27 in content/docs/esc/integrations/_index.md "- VS Code — browse and edit environments from inside the editor." → ❌ contradicted (framing: shifted — master path is /docs/esc/development/vs-code-extension/; verifier checked live site; source: https://www.pulumi.com/docs/esc/development/vs-code-extension/)
L31-32 in content/docs/esc/integrations/_index.md "- External Secrets Operator (ESO) — project ESC values into Kubernetes Secret objects via ESO." → ✅ verified (evidence: text confirmed; source: repo:content/docs/esc/integrations/_index.md)
L12-13 in content/docs/esc/integrations/automation-api.md "- /docs/esc/languages-sdks/automation-api/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/integrations/automation-api.md)
L19-20 in content/docs/esc/integrations/kubernetes/_index.md "| Secrets Store CSI Driver | Mount ESC values directly into pods as files via the upstream CSI driver." → ✅ verified (evidence: text confirmed; source: repo:content/docs/esc/integrations/kubernetes/_index.md)
L22 in content/docs/esc/integrations/kubernetes/_index.md "For using ESC to store and serve kubeconfig files for kubectl, helm, or the Pulumi Kubernetes provider, see the Kubernetes cluster access guide." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
L12 in content/docs/esc/integrations/pulumi-service-provider.md "- /docs/esc/development/psp/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/integrations/pulumi-service-provider.md)
L11 in content/docs/esc/integrations/vs-code.md "- /docs/esc/development/vs-code-extension/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/integrations/vs-code.md)
L12-13 in content/docs/esc/languages-sdks/_index.md "- /docs/esc/development/languages-sdks/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/languages-sdks/_index.md)
L20-23 in content/docs/esc/languages-sdks/_index.md "| JavaScript / TypeScript | Node.js 18+. |" → 🤷 unverifiable (evidence: The official ESC JavaScript SDK page does not document a specific minimum Node.js version; Node.js 18 reached EOL April 2025; source: WebSearch ran query "Pulumi ESC SDK JavaScript Node.js minimum version requirement site:pulumi.com"; top results didn't confirm a "Node.js 18+" requirement)
L25 in content/docs/esc/languages-sdks/_index.md "For driving ESC from orchestration code, see Automation API. For managing ESC resources from inside a Pulumi program, see Pulumi Service Provider." → ❌ contradicted (framing: shifted — master Automation API path is /docs/esc/development/automation-api/; verifier checked live site; source: https://www.pulumi.com/docs/esc/development/automation-api/)
L13 in content/docs/esc/languages-sdks/dotnet.md "- /docs/esc/development/languages-sdks/dotnet/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/languages-sdks/dotnet.md)
L13 in content/docs/esc/languages-sdks/go.md "- /docs/esc/development/languages-sdks/go/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/languages-sdks/go.md)
L13 in content/docs/esc/languages-sdks/javascript.md "- /docs/esc/development/languages-sdks/javascript/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/languages-sdks/javascript.md)
L13 in content/docs/esc/languages-sdks/python.md "- /docs/esc/development/languages-sdks/python/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/languages-sdks/python.md)
L15 in content/docs/esc/operations/_index.md "If you are looking for what ESC is rather than how to run it, start with Concepts. For reference on the YAML syntax, see Environments." → ✅ verified (evidence: both linked pages exist; source: repo:content/docs/esc/concepts/_index.md and repo:content/docs/esc/environments/_index.md)
L19 in content/docs/esc/operations/_index.md "- Manage secrets — add, read, and organize secrets inside an environment." → ❌ contradicted (evidence: master path is /docs/esc/guides/managing-secrets/; verifier checked master; source: gh search code --owner pulumi "esc/operations/managing-secrets")
L20 in content/docs/esc/operations/_index.md "- Approvals — require explicit review and sign-off before applying changes to environments." → ❌ contradicted (framing: shifted — master path is /docs/esc/administration/approvals/; verifier checked master; source: gh search code --owner pulumi "approvals" --extension md -R pulumi/docs)
L24 in content/docs/esc/operations/_index.md "- Rotation connectors — deploy connectors so rotators can reach databases and services in private networks." → ✅ verified (evidence: file exists; source: repo:content/docs/esc/operations/rotation/_index.md)
L28 in content/docs/esc/operations/_index.md "For continuous integration, the GitHub Actions integration wires ESC short-lived credentials into your workflows." → ❌ contradicted (framing: shifted — claim also links to /docs/esc/providers/login/gh-login/ but master path is /docs/esc/integrations/dynamic-login-credentials/gh-login/; verifier checked master; source: gh search code --owner pulumi "gh-login" --extension md)
L17 in content/docs/esc/operations/approvals.md "- /docs/esc/administration/approvals/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/operations/approvals.md)
L14 in content/docs/esc/operations/managing-secrets.md "- /docs/esc/guides/managing-secrets/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/operations/managing-secrets.md)
L193 in content/docs/esc/operations/managing-secrets.md "- Dynamic secrets - Pull secrets from AWS, Azure, GCP secret stores" → ✅ verified (framing: strengthened; source: repo:content/docs/esc/providers/secrets/_index.md)
L194 in content/docs/esc/operations/managing-secrets.md "- Running commands with esc run - Inject secrets into any command" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/guides/running-commands.md)
L13 in content/docs/esc/operations/rotation/_index.md "Some rotators need to reach the credential they're rotating — for example, the mysql and postgres rotators must connect to the database." → ✅ verified (evidence: text confirmed; source: repo:content/docs/esc/operations/rotation/_index.md and repo:content/docs/esc/providers/rotators/_index.md)
L15 in content/docs/esc/operations/rotation/_index.md "For background on what rotation is and how the fn::rotate::* syntax works, see Rotation." → ✅ verified (evidence: file exists with matching content; source: repo:content/docs/esc/environments/rotation/_index.md)
L21 in content/docs/esc/operations/rotation/_index.md "| AWS Lambda | AWS Lambda inside a VPC | mysql, postgres |" → ❌ contradicted (evidence: target file not found on master; verifier checked master; source: repo:content/docs/esc/operations/rotation/aws-lambda/_index.md (not found on master))
L25 in content/docs/esc/operations/rotation/_index.md "- Database user setup — pre-create the database user that a rotator will manage." → ❌ contradicted (evidence: target _index.md not found on master; verifier checked master; source: repo:content/docs/esc/operations/rotation/db-user-setup/_index.md)
L12 in content/docs/esc/operations/rotation/aws-lambda.md "- /docs/esc/environments/rotation/aws-lambda/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/operations/rotation/aws-lambda.md)
L15 in content/docs/esc/operations/rotation/aws-lambda.md "The aws-lambda rotation connector enables you to rotate credentials inside of a private AWS VPC. Check out the Rotated Secrets page." → ✅ verified (evidence: rotators page exists; source: repo:content/docs/esc/providers/rotators/_index.md)
L20 in content/docs/esc/operations/rotation/aws-lambda.md "- Database users setup for rotation" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/operations/rotation/db-user-setup.md)
L36 in content/docs/esc/operations/rotation/aws-lambda.md "The first one is the managing credentials environment, containing managing user credentials for your database and the OIDC AWS login credentials." → ❌ contradicted (evidence: URL 404 on live site; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/aws-login/)
L12 in content/docs/esc/operations/rotation/db-user-setup.md "- /docs/esc/environments/rotation/db-user-setup/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/operations/rotation/db-user-setup.md)
L15 in content/docs/esc/operations/rotation/db-user-setup.md "In order to create an ESC rotator for database credentials, you need to prepare 2 users to rotate and a managing user." → ✅ verified (evidence: text confirmed verbatim; source: repo:content/docs/esc/operations/rotation/db-user-setup.md)
L70 in content/docs/esc/operations/rotation/db-user-setup.md "If your database is in a private network, check out the Rotation Connectors section." → ✅ verified (evidence: anchor confirmed; source: repo:content/docs/esc/environments/rotation/_index.md)
L12 in content/docs/esc/providers/_index.md "- /docs/pulumi-cloud/esc/providers/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/_index.md)
L15 in content/docs/esc/providers/_index.md "Reference catalog of every first-party plugin shipped with Pulumi ESC. For an introduction to the plugin model, see Providers and rotators." → ❌ contradicted (framing: shifted — /docs/esc/concepts/providers/ did not exist on master; verifier checked master; source: repo:content/docs/esc/providers/_index.md)
L19 in content/docs/esc/providers/_index.md "Issue short-lived credentials for downstream services. Prefer OpenID Connect over static keys where supported; see OIDC setup for configuration." → ✅ verified (evidence: page exists; source: repo:content/docs/esc/guides/configuring-oidc/_index.md)
L23-30 in content/docs/esc/providers/_index.md "| infisical-login | Log in to Infisical using OIDC or static credentials. |" → ❌ contradicted (framing: shifted — master path is /docs/esc/integrations/dynamic-login-credentials/infisical-login/; verifier checked master; source: repo:content/docs/esc/providers/_index.md and gh search code --owner pulumi "infisical-login")
L38-48 in content/docs/esc/providers/_index.md "| pulumi-stacks | Import outputs from a Pulumi stack." → ✅ verified (evidence: file confirmed; source: repo:content/docs/esc/providers/secrets/pulumi-stacks.md)
L52 in content/docs/esc/providers/_index.md "Replace a stored credential with a freshly issued one, manually or on a schedule. Invoked through fn::rotate::<name>." → ✅ verified (evidence: text confirmed; source: repo:content/docs/esc/providers/_index.md)
L56-63 in content/docs/esc/providers/_index.md "| postgres | aws-lambda (private networks only) | Rotate user credentials for a PostgreSQL database. |" → ❌ contradicted (evidence: target file not found on master; verifier checked master; source: repo:content/docs/esc/providers/_index.md)
L13-18 in content/docs/esc/providers/login/_index.md "- /docs/pulumi-cloud/esc/get-started/use-short-term-credentials/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/login/_index.md)
L23 in content/docs/esc/providers/login/_index.md "OpenID Connect (OIDC) is the recommended authentication mode wherever supported — see Configuring OIDC for per-provider setup." → ❌ contradicted (framing: shifted — correct path is /docs/esc/guides/configuring-oidc/; verifier checked master; source: gh search code --owner pulumi "configuring-oidc")
L27-34 in content/docs/esc/providers/login/_index.md "| infisical-login | Log in to Infisical using OIDC or static credentials. |" → ❌ contradicted (evidence: file not found at that path on master; verifier checked master; source: gh api repos/pulumi/docs/contents/content/docs/esc/providers/login/infisical-login)
L15-17 in content/docs/esc/providers/login/aws-login.md "- /docs/esc/integrations/dynamic-login-credentials/aws-login/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/login/aws-login.md)
L15-17 in content/docs/esc/providers/login/azure-login.md "- /docs/esc/integrations/dynamic-login-credentials/azure-login/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/login/azure-login.md)
L15-17 in content/docs/esc/providers/login/doppler-login.md "- /docs/esc/integrations/dynamic-login-credentials/doppler-login/" → 🤷 unverifiable (framing: strengthened — alias is declared, but verifier could not confirm the old target file; source: repo:content/docs/esc/providers/login/doppler-login.md)
L15-17 in content/docs/esc/providers/login/gcp-login.md "- /docs/esc/integrations/dynamic-login-credentials/gcp-login/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/login/gcp-login.md)
L15-17 in content/docs/esc/providers/login/gh-login.md "- /docs/esc/integrations/dynamic-login-credentials/gh-login/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/login/gh-login.md)
L25 in content/docs/esc/providers/login/gh-login.md "Use the token with the Pulumi ESC GitHub Action." → ✅ verified (evidence: file exists; source: repo:content/docs/esc/guides/github-actions.md)
L54 in content/docs/esc/providers/login/gh-login.md "See 'Managing Secrets'." → ✅ verified (evidence: file and anchor confirmed; source: repo:content/docs/esc/operations/managing-secrets.md)
L15-17 in content/docs/esc/providers/login/infisical-login.md "- /docs/esc/integrations/dynamic-login-credentials/infisical-login/" → ✅ verified (evidence: alias declared in frontmatter; source: repo:content/docs/esc/providers/login/infisical-login.md)
L12-14 in content/docs/esc/providers/login/snowflake-login.md "- /docs/esc/integrations/dynamic-login-credentials/snowflake-login/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/providers/login/snowflake-login.md)
L15-17 in content/docs/esc/providers/login/vault-login.md "- /docs/esc/integrations/dynamic-login-credentials/vault-login/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/login/vault-login.md)
L13-15 in content/docs/esc/providers/rotators/_index.md "- /docs/esc/integrations/rotated-secrets/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/providers/rotators/_index.md)
L18 in content/docs/esc/providers/rotators/_index.md "For how rotators fit alongside providers, see Providers and rotators. For deploying rotation connectors, see Operations." → ✅ verified (evidence: text confirmed; source: repo:content/docs/esc/providers/rotators/_index.md)
L22-29 in content/docs/esc/providers/rotators/_index.md "| postgres | aws-lambda (private networks only) | Rotate user credentials for a PostgreSQL database. |" → ✅ verified (evidence: row confirmed in file; source: repo:content/docs/esc/providers/rotators/_index.md)
L12-14 in content/docs/esc/providers/rotators/aws-iam.md "- /docs/esc/integrations/rotated-secrets/aws-iam/" → ✅ verified (evidence: old file confirmed on master; source: gh api repos/pulumi/docs/contents/content/docs/esc/integrations/rotated-secrets/aws-iam.md)

github-actions · 2026-05-28T02:41:02Z

continued from previous comment

L17 in content/docs/esc/providers/rotators/aws-iam.md "The aws-iam rotator enables you to rotate access credentials for an AWS IAM user. Check out the aws-login documentation." → ✅ verified (evidence: file confirmed; source: repo:content/docs/esc/providers/login/aws-login.md)
L12-14 in content/docs/esc/providers/rotators/azure-app-secret.md "- /docs/esc/integrations/rotated-secrets/azure-app-secret/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/providers/rotators/azure-app-secret.md)
L17 in content/docs/esc/providers/rotators/azure-app-secret.md "The azure-app-secret rotator enables you to rotate client secrets for an Azure app registration. Check out the azure-login documentation." → ✅ verified (evidence: file confirmed; source: repo:content/docs/esc/providers/login/azure-login.md)
L12-14 in content/docs/esc/providers/rotators/external.md "- /docs/esc/integrations/rotated-secrets/external/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/rotators/external.md)
L23 in content/docs/esc/providers/rotators/external.md "- Authenticates requests using JWT tokens issued by Pulumi Cloud (see JWT Authentication)" → ✅ verified (evidence: section confirmed; source: repo:content/docs/esc/providers/secrets/external.md)
L112 in content/docs/esc/providers/rotators/external.md "Your rotator adapter must meet the same requirements as an external provider adapter." → ✅ verified (evidence: section confirmed; source: repo:content/docs/esc/providers/secrets/external.md)
L146 in content/docs/esc/providers/rotators/external.md "- Database passwords without multi-password support: Create two user accounts (see mysql rotator for an example)" → ✅ verified (evidence: two-user pattern confirmed; source: repo:content/docs/esc/providers/rotators/mysql.md)
L12-14 in content/docs/esc/providers/rotators/mysql.md "- /docs/esc/integrations/rotated-secrets/mysql/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/rotators/mysql.md)
L27-28 in content/docs/esc/providers/rotators/mysql.md "- (If you are using Connector rotation) AWS Lambda Rotation Connector setup" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/operations/rotation/aws-lambda.md)
L36 in content/docs/esc/providers/rotators/mysql.md "For Connector rotation, ensure you have working AWS login credentials." → ❌ contradicted (evidence: URL 404 on live site; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/aws-login/)
L134 in content/docs/esc/providers/rotators/mysql.md "| awsLambda | AWSLambdaConfig | An AWS Lambda connector needs to be setup |" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/operations/rotation/aws-lambda.md)
L140 in content/docs/esc/providers/rotators/mysql.md "| login | AWSLogin | AWS login that has access to assume aws-lambda connector role |" → ✅ verified (evidence: file exists with alias; source: repo:content/docs/esc/providers/login/aws-login.md)
L12-14 in content/docs/esc/providers/rotators/passphrase.md "- /docs/esc/integrations/rotated-secrets/passphrase/" → ➖ not-a-claim (evidence: Hugo frontmatter alias; source: repo:content/docs/esc/providers/rotators/passphrase.md)
L12-14 in content/docs/esc/providers/rotators/password.md "- /docs/esc/integrations/rotated-secrets/password/" → ✅ verified (evidence: alias confirmed; source: repo:content/docs/esc/providers/rotators/password.md)
L12-14 in content/docs/esc/providers/rotators/postgres.md "- /docs/esc/integrations/rotated-secrets/postgres/" → ✅ verified (evidence: old file confirmed on master; source: gh api repos/pulumi/docs/contents/content/docs/esc/integrations/rotated-secrets/postgres.md)
L27-28 in content/docs/esc/providers/rotators/postgres.md "- (If you are using Connector rotation) AWS Lambda Rotation Connector setup" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/operations/rotation/aws-lambda.md)
L36 in content/docs/esc/providers/rotators/postgres.md "For Connector rotation, ensure you have working AWS login credentials." → ❌ contradicted (evidence: URL 404 on live site; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/aws-login/)
L134 in content/docs/esc/providers/rotators/postgres.md "| awsLambda | AWSLambdaConfig | An AWS Lambda connector needs to be setup |" → ✅ verified (evidence: file exists; source: repo:content/docs/esc/operations/rotation/aws-lambda.md)
L140 in content/docs/esc/providers/rotators/postgres.md "| login | AWSLogin | AWS login that has access to assume aws-lambda connector role |" → ✅ verified (evidence: file exists with alias; source: repo:content/docs/esc/providers/login/aws-login.md)
L22 in content/docs/iac/cli/commands/pulumi_env_provider_azure-login_oidc.md "See https://www.pulumi.com/docs/esc/providers/login/azure-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/azure-login/)
L21 in content/docs/iac/cli/commands/pulumi_env_provider_azure-login_static.md "See https://www.pulumi.com/docs/esc/providers/login/azure-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/azure-login/)
L20 in content/docs/iac/cli/commands/pulumi_env_provider_gcp-login.md "See https://www.pulumi.com/docs/esc/providers/login/gcp-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/gcp-login/)
L23 in content/docs/iac/cli/commands/pulumi_env_provider_gcp-login_oidc.md "See https://www.pulumi.com/docs/esc/providers/login/gcp-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/gcp-login/)
L21 in content/docs/iac/cli/commands/pulumi_env_provider_gcp-login_static.md "See https://www.pulumi.com/docs/esc/providers/login/gcp-login/" → ❌ contradicted (evidence: URL 404; verifier checked live site; source: https://www.pulumi.com/docs/esc/providers/login/gcp-login/)
L785 in content/docs/iac/concepts/config.md "Once you have an environment set up and you are projecting pulumi configuration." → ✅ verified (evidence: /docs/esc/concepts/ exists; source: repo:content/docs/esc/concepts/_index.md)
L78 in content/docs/iac/get-started/aws/configure.md "Consider using Pulumi ESC's AWS login support for dynamic credentials." → ✅ verified (evidence: file exists with alias; source: repo:content/docs/esc/providers/login/aws-login.md)
L90 in content/docs/iac/get-started/azure/configure.md "Consider using Pulumi ESC's Azure login support for dynamic credentials." → ✅ verified (evidence: file exists; source: repo:content/docs/esc/providers/login/azure-login.md)
L115 in content/docs/iac/get-started/gcp/configure.md "Consider using Pulumi ESC's Google Cloud login support for dynamic credentials." → ✅ verified (evidence: file exists; source: repo:content/docs/esc/providers/login/gcp-login.md)
L87 in content/docs/iac/get-started/terraform/begin.md "Consider using Pulumi ESC's AWS login support for dynamic credentials." → ✅ verified (evidence: file exists with alias; source: repo:content/docs/esc/providers/login/aws-login.md)
L148 in content/docs/iac/get-started/terraform/orchestrate.md "To learn more, read this in-depth article showing how to integrate Terraform and Pulumi ESC." → ❌ contradicted (framing: shifted — the PR removed integrations/infrastructure/terraform/ and the link now points to /docs/esc/integrations/terraform/ which did not exist in the tree at review time; source: gh api repos/pulumi/docs/contents/content/docs/esc/integrations/infrastructure/terraform/_index.md)
L28 in content/docs/iac/get-started/terraform/terraform-state-backend.md "Platform integration — root module outputs become Pulumi stack outputs, accessible via stack references." → ✅ verified (evidence: anchor confirmed; source: gh search code --owner pulumi "stackreferences" --repo pulumi/docs --language markdown)
L243 in content/docs/iac/get-started/terraform/terraform-state-backend.md "Terraform root module outputs are mapped to Pulumi stack outputs." → ✅ verified (evidence: anchor confirmed; source: gh search code --owner pulumi "stackreferences")
L28 in content/docs/iac/guides/migration/migrating-to-pulumi/migrating-from-cdk/migrating-existing-cdk-app.md "Configure AWS credentials in Pulumi ESC." → ✅ verified (evidence: file exists with alias; source: repo:content/docs/esc/providers/login/aws-login.md)
L110 in content/docs/iac/operations/continuous-delivery/github-actions.md "For more detail, see the Pulumi ESC GitHub Action documentation." → ✅ verified (evidence: file exists; source: repo:content/docs/esc/guides/github-actions.md)
L70-74 in content/docs/integrations/clouds/aws/_index.md "- AWS Systems Manager Parameter Store — pull configuration and secrets from Parameter Store into ESC environments." → ❌ contradicted (framing: shifted — master path is /docs/esc/integrations/dynamic-secrets/aws-parameter-store/; verifier checked master; source: gh search code --owner pulumi "aws-parameter-store")
L63-65 in content/docs/integrations/clouds/azure/_index.md "- Azure application secret rotation — rotate Azure AD application secrets on a schedule." → ❌ contradicted (framing: shifted — master path is /docs/esc/integrations/rotated-secrets/azure-app-secret/; verifier checked master; source: gh search code --owner pulumi "azure-app-secret")
L59-60 in content/docs/integrations/clouds/gcp/_index.md "- Google Cloud OIDC login — generate short-lived Google Cloud credentials for Pulumi programs and workflows." → ❌ contradicted (framing: shifted — master path is /docs/esc/integrations/dynamic-login-credentials/gcp-login/; verifier checked master; source: gh search code --owner pulumi "gcp-login")
L65 in content/docs/integrations/clouds/kubernetes/_index.md "- Kubernetes cluster access — centrally manage kubeconfig files and cluster credentials." → ✅ verified (evidence: page confirmed; source: repo:content/docs/esc/guides/kubernetes-cluster-access.md)
L29 in content/docs/support/faq/secrets-config.md "Secrets include static secrets, dynamic login credentials and dynamic secrets." → ❌ contradicted (framing: shifted — master paths use /docs/esc/guides/managing-secrets/, /docs/esc/integrations/dynamic-login-credentials/, /docs/esc/integrations/dynamic-secrets/; verifier checked master; source: gh search code --owner pulumi managing-secrets --repo pulumi/docs)
L31 in content/docs/support/faq/secrets-config.md "In other words, when using Pulumi ESC's document editor, each definition of fn::secret and fn::open::* (except with the pulumi-stacks provider) requires a secrets store." → ✅ verified (evidence: file exists with alias; source: repo:content/docs/esc/providers/secrets/pulumi-stacks.md)
L1 in content/docs/administration/access-identity/oidc-issuers/_index.md "frontmatter alias /docs/pulumi-cloud/oidc/ collides with content/docs/deployments/deployments/oidc/_index.md" → ⚔️ mismatch (evidence: alias=/docs/pulumi-cloud/oidc/ collides_with=content/docs/deployments/deployments/oidc/_index.md; source: frontmatter-validate.py pre-step)
L1 in content/docs/administration/access-identity/oidc-issuers/_index.md "frontmatter alias /docs/administration/access-identity/oidc/ collides with content/docs/deployments/deployments/oidc/_index.md" → ⚔️ mismatch (evidence: alias=/docs/administration/access-identity/oidc/ collides_with=content/docs/deployments/deployments/oidc/_index.md; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/administration/oidc-authentication.md "frontmatter URL ? collides with ?" → ⚔️ mismatch (evidence: url=? collides_with=?; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/administration/self-hosting.md "frontmatter URL ? collides with ?" → ⚔️ mismatch (evidence: url=? collides_with=?; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/cli/_index.md "frontmatter menu.reference.parent: reference-cli does not exist in the reference menu" → ⚔️ mismatch (evidence: menu=reference parent=reference-cli parent_exists_in_menu=false; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/development/_index.md "frontmatter URL ? collides with ?" → ⚔️ mismatch (evidence: url=? collides_with=?; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/development/languages-sdks/_index.md "frontmatter URL ? collides with ?" → ⚔️ mismatch (evidence: url=? collides_with=?; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/integrations/_index.md "frontmatter alias /docs/pulumi-cloud/esc/providers/ collides with content/docs/esc/providers/_index.md" → ⚔️ mismatch (evidence: alias=/docs/pulumi-cloud/esc/providers/ collides_with=content/docs/esc/providers/_index.md; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/integrations/dynamic-login-credentials/_index.md "frontmatter URL ? collides with ?" → ⚔️ mismatch (evidence: url=? collides_with=?; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/integrations/dynamic-secrets/_index.md "frontmatter URL ? collides with ?" → ⚔️ mismatch (evidence: url=? collides_with=?; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/integrations/rotated-secrets/_index.md "frontmatter URL ? collides with ?" → ⚔️ mismatch (evidence: url=? collides_with=?; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/providers/_index.md "frontmatter alias /docs/pulumi-cloud/esc/providers/ collides with content/docs/esc/integrations/_index.md" → ⚔️ mismatch (evidence: alias=/docs/pulumi-cloud/esc/providers/ collides_with=content/docs/esc/integrations/_index.md; source: frontmatter-validate.py pre-step)
L1 in content/docs/esc/providers/_index.md "frontmatter URL ? collides with ?" → ⚔️ mismatch (evidence: url=? collides_with=?; source: frontmatter-validate.py pre-step)

🚨 Outstanding in this PR

No outstanding findings.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

[L66] content/docs/ai/integrations/cli/_index.md — "The Kubernetes Cluster Access guide is located at /docs/esc/guides/kubernetes-cluster-access/." — verdict: unverifiable; evidence: The verifier could not find the PR-local renamed file on master; spot-check of the PR tree confirms the link target exists at the new location.
[L68] content/docs/ai/integrations/cli/_index.md — "The pulumi-stacks ESC provider can read a kubeconfig from an EKS, AKS, or GKE stack output and materialize it through files.KUBECONFIG." — verdict: unverifiable; evidence: verification did not converge within 8 turns; spot-check suggests the claim is accurate based on kubernetes-cluster-access content.
[L54] content/docs/esc/concepts/providers.md — "If a value can't be produced by a built-in plugin, the external provider and external rotator accept a custom HTTP adapter." — verdict: unverifiable; evidence: verification did not converge within 8 turns; both files exist in PR tree.
[L64] content/docs/esc/concepts/providers.md — "For the full evaluation order (providers, imports, interpolations, and how merge semantics work between them), see the environments reference." — verdict: unverifiable; evidence: verification did not converge within 8 turns.
[L15] content/docs/esc/environments/_index.md — "Environments are accessible with the standalone esc CLI, the pulumi CLI, the Pulumi SDK." — verdict: unverifiable; evidence: verification did not converge within 8 turns.
[L86] content/docs/esc/environments/rotation/_index.md — "| AWS Lambda | The AWS Lambda rotation connector enables you to rotate credentials inside private networks." — verdict: unverifiable; evidence: verifier could not confirm PR-local rename on master; PR-local file content/docs/esc/operations/rotation/aws-lambda.md exists.
[L134] content/docs/esc/get-started/_index.md — "- Managing secrets - Store, organize, and retrieve secrets using the CLI and console" — verdict: unverifiable; evidence: verification did not converge within 8 turns; PR-local file confirmed.
[L41] content/docs/esc/guides/_index.md — "- Cloudflare — manage Cloudflare Workers secrets via ESC." — verdict: unverifiable; evidence: verifier could not confirm PR-local rename on master; PR-local file exists.
[L129] content/docs/esc/guides/integrate-with-pulumi-iac.md — "Learn more in Dynamic login credentials and Configuring OIDC." — verdict: unverifiable; evidence: verification did not converge within 8 turns; both link targets confirmed in PR tree.
[L22] content/docs/esc/integrations/kubernetes/_index.md — "For using ESC to store and serve kubeconfig files for kubectl, helm, or the Pulumi Kubernetes provider, see the Kubernetes cluster access guide." — verdict: unverifiable; evidence: verification did not converge within 8 turns; PR-local file confirmed.
[L20-23] content/docs/esc/languages-sdks/_index.md — "| JavaScript / TypeScript | Node.js 18+. |" — verdict: unverifiable; evidence: The official ESC JavaScript SDK page does not document a specific Node.js minimum version, and Node.js 18 reached EOL in April 2025. Please confirm whether the "Node.js 18+" floor is still correct or if it should be updated (e.g. to 20+).
[L15-17] content/docs/esc/providers/login/doppler-login.md — "- /docs/esc/integrations/dynamic-login-credentials/doppler-login/" — verdict: unverifiable; evidence: alias is declared in frontmatter; verifier could not confirm the old path resolves correctly on master.

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

Real findings (resolved in 43a2a60):

[L16] content/docs/esc/environments/syntax/reserved-properties/pulumi-config.md — broken link to removed /docs/esc/integrations/pulumi-iac; now points to /docs/esc/guides/integrate-with-pulumi-iac/. (resolved in 43a2a60)
[L148] content/docs/iac/get-started/terraform/orchestrate.md — broken link to removed /docs/esc/integrations/terraform/; now points to /docs/esc/guides/terraform/, which exists with the correct aliases. (resolved in 43a2a60)
[L1] content/docs/esc/integrations/_index.md — alias collision: /docs/pulumi-cloud/esc/providers/ removed from this file; now declared only on esc/providers/_index.md. (resolved in 43a2a60)
[L1] content/docs/esc/providers/_index.md — alias collision counterpart: now the sole holder of /docs/pulumi-cloud/esc/providers/ as intended. (confirmed correct in 43a2a60)
[L1] content/docs/esc/cli/_index.md — orphan menu parent reference-cli. concede: false positive — reference-cli is confirmed present in config/_default/menus.yml at line 279 under the reference: menu section. (@jkodroff, 43a2a60)

Spurious verifier-limitation findings cleared (64 items): All were contradictions or mismatches produced by verifier subagents checking master or the live site rather than the PR-local tree. The new paths created by this restructure exist in the working tree and will resolve once merged. Additional fixes in 43a2a60 also addressed several broken cross-tree links (e.g., ai/running-previews/_index.md, environments/syntax/providers.md, rotator cross-links) and removed 38 self-referential aliases that had accumulated from earlier round-trips.

📜 Review history

2026-05-28T02:25:38Z — Large ESC IA restructure; most verifier contradictions triaged as spurious (verifiers checked master, not PR HEAD); real findings: 2 broken cross-tree links to removed targets, 1 PR-internal alias collision, 1 orphan menu parent. (7dd1805)
2026-05-28T15:16:17Z — re-reviewed after fix push (1 new commit, 43a2a60); all 4 real findings resolved; reference-cli orphan-parent conceded (false positive confirmed); 64 spurious verifier-limitation findings cleared. (@jkodroff)

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

…rm guide Resolves review findings on the ESC restructure: - Drop duplicate /docs/pulumi-cloud/esc/providers/ and dead /docs/esc/providers/ aliases from integrations/_index.md (both belong to the providers catalog). - Remove 38 self-referential aliases introduced when provider pages round-tripped through concepts/providers/ and back. - Fix broken internal links the flatten sweep mangled (integrations/infrastructure/* → providers/* and guides/*), plus two rotator cross-links that arrived via the master merge. - Restore the deleted "Integrate with Terraform" walkthrough as guides/terraform.md (ESC feeding the Terraform CLI via esc run) and repoint the IaC orchestrate guide at it; terraform-state stays as provider reference. - Fold the unique sections of the removed pulumi-iac walkthrough (config env init, Automation API, stack outputs) into the surviving Pulumi IaC guide. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

jkodroff · 2026-05-28T15:07:27Z

@claude #update-review

Addressed the Outstanding alias/link findings from the last review:

Alias collision /docs/pulumi-cloud/esc/providers/ — removed from integrations/_index.md; now only on the providers catalog. Also dropped the dead /docs/esc/providers/ alias from integrations/_index.md (it shadowed the real catalog page).
38 self-referential aliases — provider/login/secrets/rotator pages had their own canonical URL listed as an alias (artifact of round-tripping through concepts/providers/ and back). Removed.
Broken links from the flatten sweep — fixed in pulumi-config.md, ai/running-previews/_index.md, environments/syntax/providers.md, the IaC guide's "Next steps", and two rotator cross-links (passphrase/password) that arrived via the master merge.
Terraform content loss — the deleted integrations/infrastructure/terraform/ walkthrough (ESC feeding the Terraform CLI via esc run) is restored as guides/terraform.md with aliases; orchestrate.md repointed to it. The terraform-state provider remains reference under providers/secrets/.
pulumi-iac walkthrough — unique sections (config env init, Automation API, stack outputs) folded into the surviving guides/integrate-with-pulumi-iac.md; old URL aliased there.

The reference-cli orphan-parent finding was a false positive — reference-cli exists in config/_default/menus.yml.

Lint and build are clean.

github-actions · 2026-05-28T15:31:47Z

🤖 Review updated on @jkodroff's request.

smithrobs

Approving with anticipation of a bunch of fast-follow-up work!

jkodroff temporarily deployed to testing May 28, 2026 01:37 — with GitHub Actions Inactive

github-actions Bot added review:triaging Claude Triage is currently classifying the PR domain:docs PR touches technical docs review:in-progress Claude review is currently running and removed review:triaging Claude Triage is currently classifying the PR labels May 28, 2026

Merge remote-tracking branch 'origin/master' into jkodroff/restructur…

7dd1805

…e-esc-docs

jkodroff temporarily deployed to testing May 28, 2026 01:53 — with GitHub Actions Inactive

jkodroff marked this pull request as draft May 28, 2026 02:19

jkodroff marked this pull request as ready for review May 28, 2026 02:19

github-actions Bot added review:triaging Claude Triage is currently classifying the PR review:in-progress Claude review is currently running and removed review:in-progress Claude review is currently running review:triaging Claude Triage is currently classifying the PR labels May 28, 2026

github-actions Bot added review:outstanding-issues Claude review completed; outstanding has author-actionable findings and removed review:in-progress Claude review is currently running labels May 28, 2026

jkodroff temporarily deployed to testing May 28, 2026 15:07 — with GitHub Actions Inactive

pulumi deleted a comment from github-actions Bot May 28, 2026

github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 28, 2026

jkodroff requested review from alexleventer, cnunciato and jeffmerrick May 28, 2026 17:03

smithrobs approved these changes May 28, 2026

View reviewed changes

jkodroff merged commit 024c22c into master May 28, 2026
12 checks passed

jkodroff deleted the jkodroff/restructure-esc-docs branch May 28, 2026 21:04

jkodroff temporarily deployed to testing May 28, 2026 21:04 — with GitHub Actions Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

content(esc): restructure top-level information architecture#19417

content(esc): restructure top-level information architecture#19417
jkodroff merged 3 commits into
masterfrom
jkodroff/restructure-esc-docs

jkodroff commented May 28, 2026

Uh oh!

pulumi-bot commented May 28, 2026 •

edited

Loading

Uh oh!

pulumi-bot commented May 28, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented May 28, 2026 •

edited by pulumi-bot

Loading

Uh oh!

github-actions Bot commented May 28, 2026 •

edited by pulumi-bot

Loading

Uh oh!

jkodroff commented May 28, 2026

Uh oh!

github-actions Bot commented May 28, 2026

Uh oh!

smithrobs left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

jkodroff commented May 28, 2026

What changed

Uh oh!

pulumi-bot commented May 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pulumi-bot commented May 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Lighthouse Performance Report

Uh oh!

github-actions Bot commented May 28, 2026 • edited by pulumi-bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Pre-merge Review — Last updated 2026-05-28T15:16:17Z

🔍 Verification trail

Uh oh!

github-actions Bot commented May 28, 2026 • edited by pulumi-bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🚨 Outstanding in this PR

⚠️ Low-confidence

💡 Pre-existing issues in touched files (optional)

✅ Resolved since last review

📜 Review history

Uh oh!

jkodroff commented May 28, 2026

Uh oh!

github-actions Bot commented May 28, 2026

Uh oh!

smithrobs left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

pulumi-bot commented May 28, 2026 •

edited

Loading

pulumi-bot commented May 28, 2026 •

edited

Loading

github-actions Bot commented May 28, 2026 •

edited by pulumi-bot

Loading

github-actions Bot commented May 28, 2026 •

edited by pulumi-bot

Loading