feat: add talos docs

[aeneasr]

This adds docs for Ory Talos. Early work!

Summary by CodeRabbit

• Documentation
  • Added comprehensive Ory Talos docs: architecture and concepts, token/credential formats, security model, and token-derivation guidance.
  • New integration and SDK guides, extensive API reference and OpenAPI schemas, and full CLI reference.
  • Operate/Deploy content: configuration, DB guides, caching, rate limiting, multi‑tenancy, TLS, edge‑proxy, Docker/Kubernetes, migrations, and benchmarks.
  • Added monitoring, secrets, troubleshooting, and security‑hardening operational guides.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: e1918ced-c68e-48ba-ac69-4ef7b9de2d38

📥 Commits

Reviewing files that changed from the base of the PR and between 86893a1 and f5f5745.

⛔ Files ignored due to path filters (1)

• src/content/announcement-banner.mdx is excluded by !**/*.mdx

📒 Files selected for processing (3)

• sidebars-oel.ts
• sidebars-oss.ts
• src/theme/sidebarProductLabels.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• src/theme/sidebarProductLabels.ts
• sidebars-oel.ts
• sidebars-oss.ts

---

📝 Walkthrough

Walkthrough

Adds complete Ory Talos documentation, generated API/CLI reference artifacts, and Docusaurus site integration: authoring guidance, concepts, integration SDKs, operations/deploy guides, database backends, caching/rate-limiting/security, monitoring, troubleshooting, and sidebar/theme/plugin wiring.

Changes

Talos docs and site wiring

Layer / File(s)	Summary
Authoring rules and doc entrypoints docs/talos/CLAUDE.md, docs/talos/index.md, docs/talos/integrate/index.md, docs/talos/operate/index.md, docs/talos/reference/index.md	Adds house style for examples/links and the primary landing/index pages for Talos sections.
Concepts, verification model, and security docs/talos/concepts/*	Documents architecture, credential routing, caching, IP restrictions, rate limiting, token formats, derived-token semantics, and the security model.
Integration guides and SDK walkthroughs docs/talos/integrate/*	Provides curl and Go SDK flows for issuing, verifying, revoking, deriving tokens, batch ops, and health checks.
Operate basics, caching, configuration, and benchmarks docs/talos/operate/*/cache/*, docs/talos/operate/configure.md, docs/talos/operate/benchmarks.md, docs/talos/operate/install.md	Covers install, configuration (hot-reload/durations), cache backends, and k6 benchmarks with thresholds.
Database setup and deployment topologies docs/talos/operate/database/*, docs/talos/operate/deploy/*	Backend guides (SQLite/Postgres/MySQL/CockroachDB), migrations, and deploy patterns (Docker, Kubernetes, edge proxy, separate planes).
Runtime operations, observability, tenancy, and secrets `docs/talos/operate/*(monitoring	multi-tenancy
Technical reference pages `docs/talos/reference/*(error-codes	events
API reference for verification, derivation, and self-service `docs/talos/reference/api/*(verify	batch-verify
API reference for admin key management `docs/talos/reference/api/*(issue	import
CLI docs for JWK and key commands docs/talos/reference/cli/talos-*	Generated CLI reference for JWK, keys (issued/imported), verify, derive, revoke, and batch operations.
CLI runtime commands and site wiring `docs/talos/reference/cli/(talos	serve

Sequence Diagram(s)

(skipped)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• ory/docs#2505 — Also updates Docusaurus config, sidebars, and theme elements for product documentation navigation.

Suggested reviewers

• zepatrik
• piotrmsc
• vinckr
• unatasha8

Poem

A rabbit taps keys in the Talos glade,
Pages sprout paths where concepts are laid.
Curls hop, Go runs, tokens take flight—
Caches blink green in observability light.
Sidebars bloom, a pastel array—🐇✨

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch add-talos

[Copilot]

Pull request overview

Adds an initial Ory Talos documentation set to the docs site, including generated API/CLI references and new operational/integration guides. This also introduces the Docusaurus OpenAPI Docs plugin/theme to render the Talos OpenAPI reference.

Changes:

• Add docusaurus-plugin-openapi-docs + docusaurus-theme-openapi-docs and configure the OpenAPI docs plugin for Talos.
• Introduce Talos documentation pages (Quickstart, Integrate, Operate, Concepts, Reference).
• Commit generated Talos API reference pages (OpenAPI) and CLI reference pages.

Reviewed changes

Copilot reviewed 160 out of 162 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
package.json	Adds OpenAPI Docs plugin/theme dependencies.
docusaurus.config.ts	Registers OpenAPI docs plugin/theme and configures Talos OpenAPI generation/output.
docs/talos/CLAUDE.md	Adds Talos doc authoring/doctest guidelines and linking conventions.
docs/talos/index.md	Adds Talos docs landing page and navigation entry points.
docs/talos/quickstart/index.mdx	Adds OSS quickstart flow.
docs/talos/quickstart/preview.mdx	Adds preview/early access quickstart content.
docs/talos/quickstart/docker-commercial.mdx	Adds commercial Docker Compose quickstart.
docs/talos/concepts/index.md	Adds Concepts section index.
docs/talos/concepts/architecture.md	Documents admin/data plane architecture.
docs/talos/concepts/credential-types.md	Defines issued/imported/derived credential types.
docs/talos/concepts/token-format.md	Summarizes API key token format.
docs/talos/concepts/security-model.md	Documents crypto primitives and tenant isolation model.
docs/talos/concepts/caching.md	Explains caching and revocation consistency tradeoffs.
docs/talos/concepts/token-derivation-security.md	Explains stateless derived-token verification and revocation semantics.
docs/talos/concepts/rate-limiting.md	Describes per-key rate limiting behavior by edition.
docs/talos/concepts/ip-restrictions.md	Describes CIDR allowlist behavior and fail-closed semantics.
docs/talos/integrate/index.md	Adds integration overview and endpoint allowlisting guidance.
docs/talos/integrate/issue-and-verify.mdx	Documents issuing and verifying keys with examples.
docs/talos/integrate/import-keys.mdx	Documents importing external keys.
docs/talos/integrate/derive-tokens.mdx	Documents deriving JWT/macaroon tokens.
docs/talos/integrate/batch-operations.mdx	Documents batch verify/import usage.
docs/talos/integrate/key-lifecycle.mdx	Documents update/rotate/revoke workflows.
docs/talos/integrate/self-revocation.mdx	Documents self-service revocation workflow.
docs/talos/integrate/ip-restrictions.mdx	Integration guidance for IP restriction configuration/behavior.
docs/talos/integrate/rate-limiting.mdx	Integration guidance for rate limit policy usage.
docs/talos/integrate/error-handling.mdx	Documents error envelope + retry guidance.
docs/talos/integrate/sdk/curl.md	Provides curl “SDK” reference snippets.
docs/talos/integrate/sdk/go.md	Documents generated Go client usage and generation.
docs/talos/operate/index.md	Adds Operate section landing page and production checklist.
docs/talos/operate/install.md	Documents install/build instructions.
docs/talos/operate/configure.md	Documents configuration, hot-reload, and duration syntax.
docs/talos/operate/benchmarks.md	Documents k6 benchmark suite and profiles.
docs/talos/operate/multi-tenancy.md	Documents multi-tenant deployment behavior (commercial).
docs/talos/operate/secrets.md	Documents HMAC/pagination secrets and rotation.
docs/talos/operate/tls.md	Documents TLS termination guidance.
docs/talos/operate/troubleshooting.md	Adds troubleshooting playbook and common errors.
docs/talos/operate/security-hardening.md	Adds deployment hardening checklist and patterns.
docs/talos/operate/cache/index.md	Adds cache section index and consistency notes.
docs/talos/operate/cache/memory.md	Documents in-memory cache backend (commercial).
docs/talos/operate/cache/redis.md	Documents Redis cache backend (commercial).
docs/talos/operate/database/index.md	Adds database section index and supported backends.
docs/talos/operate/database/sqlite.md	Documents SQLite backend usage/limits.
docs/talos/operate/database/postgresql.md	Documents PostgreSQL backend (commercial).
docs/talos/operate/database/mysql.md	Documents MySQL backend (commercial).
docs/talos/operate/database/cockroachdb.md	Documents CockroachDB backend (commercial).
docs/talos/operate/database/migrations.md	Documents migration commands and safe workflows.
docs/talos/operate/deploy/index.md	Adds deploy section index and topology options.
docs/talos/operate/deploy/docker.md	Documents Docker deployment patterns.
docs/talos/operate/deploy/kubernetes.md	Documents Kubernetes deployment patterns.
docs/talos/operate/deploy/separate-planes.md	Documents split admin/data plane topology.
docs/talos/operate/deploy/edge-proxy.md	Documents edge proxy deployment (commercial).
docs/talos/operate/monitoring/index.md	Adds monitoring section index.
docs/talos/operate/monitoring/metrics.md	Documents Prometheus metrics endpoint and key metrics.
docs/talos/operate/monitoring/tracing.md	Documents OpenTelemetry tracing configuration.
docs/talos/operate/monitoring/health-checks.md	Documents health endpoints and probes.
docs/talos/reference/index.md	Adds Talos Reference section index.
docs/talos/reference/config.mdx	Adds Talos configuration reference (generated).
docs/talos/reference/error-codes.md	Adds error code reference (generated).
docs/talos/reference/events.md	Adds audit event reference (generated).
docs/talos/reference/token-format.md	Adds detailed token format reference.
docs/talos/reference/cli/.gitkeep	Ensures CLI reference directory tracked.
docs/talos/reference/cli/talos.md	Generated Talos CLI root command doc.
docs/talos/reference/cli/talos-serve.md	Generated CLI doc for talos serve.
docs/talos/reference/cli/talos-serve-check.md	Generated CLI doc for talos serve check.
docs/talos/reference/cli/talos-serve-admin.md	Generated CLI doc for talos serve admin.
docs/talos/reference/cli/talos-proxy.md	Generated CLI doc for talos proxy.
docs/talos/reference/cli/talos-migrate.md	Generated CLI doc for talos migrate.
docs/talos/reference/cli/talos-migrate-up.md	Generated CLI doc for talos migrate up.
docs/talos/reference/cli/talos-migrate-status.md	Generated CLI doc for talos migrate status.
docs/talos/reference/cli/talos-migrate-force.md	Generated CLI doc for talos migrate force.
docs/talos/reference/cli/talos-migrate-down.md	Generated CLI doc for talos migrate down.
docs/talos/reference/cli/talos-keys.md	Generated CLI doc for talos keys.
docs/talos/reference/cli/talos-keys-verify.md	Generated CLI doc for talos keys verify.
docs/talos/reference/cli/talos-keys-self-revoke.md	Generated CLI doc for talos keys self-revoke.
docs/talos/reference/cli/talos-keys-revoke.md	Generated CLI doc for talos keys revoke.
docs/talos/reference/cli/talos-keys-issued.md	Generated CLI doc for talos keys issued.
docs/talos/reference/cli/talos-keys-issued-update.md	Generated CLI doc for talos keys issued update.
docs/talos/reference/cli/talos-keys-issued-rotate.md	Generated CLI doc for talos keys issued rotate.
docs/talos/reference/cli/talos-keys-issued-list.md	Generated CLI doc for talos keys issued list.
docs/talos/reference/cli/talos-keys-issued-issue.md	Generated CLI doc for talos keys issued issue.
docs/talos/reference/cli/talos-keys-issued-get.md	Generated CLI doc for talos keys issued get.
docs/talos/reference/cli/talos-keys-issue.md	Generated CLI doc for talos keys issue.
docs/talos/reference/cli/talos-keys-imported.md	Generated CLI doc for talos keys imported.
docs/talos/reference/cli/talos-keys-imported-revoke.md	Generated CLI doc for talos keys imported revoke.
docs/talos/reference/cli/talos-keys-imported-list.md	Generated CLI doc for talos keys imported list.
docs/talos/reference/cli/talos-keys-imported-import.md	Generated CLI doc for talos keys imported import.
docs/talos/reference/cli/talos-keys-imported-get.md	Generated CLI doc for talos keys imported get.
docs/talos/reference/cli/talos-keys-imported-delete.md	Generated CLI doc for talos keys imported delete.
docs/talos/reference/cli/talos-keys-imported-batch-import.md	Generated CLI doc for talos keys imported batch-import.
docs/talos/reference/cli/talos-keys-derive-token.md	Generated CLI doc for talos keys derive-token.
docs/talos/reference/cli/talos-keys-batch-verify.md	Generated CLI doc for talos keys batch-verify.
docs/talos/reference/cli/talos-jwk.md	Generated CLI doc for talos jwk.
docs/talos/reference/cli/talos-jwk-get.md	Generated CLI doc for talos jwk get.
docs/talos/reference/cli/talos-jwk-generate.md	Generated CLI doc for talos jwk generate.
docs/talos/reference/cli/talos-jwk-generate-rsa.md	Generated CLI doc for talos jwk generate rsa.
docs/talos/reference/cli/talos-jwk-generate-hmac.md	Generated CLI doc for talos jwk generate hmac.
docs/talos/reference/cli/talos-jwk-generate-eddsa.md	Generated CLI doc for talos jwk generate eddsa.
docs/talos/reference/cli/talos-jwk-generate-ecdsa.md	Generated CLI doc for talos jwk generate ecdsa.
docs/talos/reference/api/sidebar.ts	Generated OpenAPI sidebar definition for Talos API.
docs/talos/reference/api/ory-talos-api.info.mdx	OpenAPI API overview/info page.
docs/talos/reference/api/admin-issue-api-key.api.mdx	OpenAPI method page (issue key).
docs/talos/reference/api/admin-issue-api-key.RequestSchema.json	OpenAPI request schema (issue key).
docs/talos/reference/api/admin-issue-api-key.StatusCodes.json	OpenAPI responses (issue key).
docs/talos/reference/api/admin-import-api-key.api.mdx	OpenAPI method page (import key).
docs/talos/reference/api/admin-import-api-key.RequestSchema.json	OpenAPI request schema (import key).
docs/talos/reference/api/admin-import-api-key.StatusCodes.json	OpenAPI responses (import key).
docs/talos/reference/api/admin-list-issued-api-keys.api.mdx	OpenAPI method page (list issued keys).
docs/talos/reference/api/admin-list-issued-api-keys.RequestSchema.json	OpenAPI request schema (list issued keys).
docs/talos/reference/api/admin-list-issued-api-keys.ParamsDetails.json	OpenAPI params (list issued keys).
docs/talos/reference/api/admin-list-issued-api-keys.StatusCodes.json	OpenAPI responses (list issued keys).
docs/talos/reference/api/admin-list-imported-api-keys.api.mdx	OpenAPI method page (list imported keys).
docs/talos/reference/api/admin-list-imported-api-keys.RequestSchema.json	OpenAPI request schema (list imported keys).
docs/talos/reference/api/admin-list-imported-api-keys.ParamsDetails.json	OpenAPI params (list imported keys).
docs/talos/reference/api/admin-list-imported-api-keys.StatusCodes.json	OpenAPI responses (list imported keys).
docs/talos/reference/api/admin-get-issued-api-key.api.mdx	OpenAPI method page (get issued key).
docs/talos/reference/api/admin-get-issued-api-key.RequestSchema.json	OpenAPI request schema (get issued key).
docs/talos/reference/api/admin-get-issued-api-key.ParamsDetails.json	OpenAPI params (get issued key).
docs/talos/reference/api/admin-get-issued-api-key.StatusCodes.json	OpenAPI responses (get issued key).
docs/talos/reference/api/admin-get-imported-api-key.api.mdx	OpenAPI method page (get imported key).
docs/talos/reference/api/admin-get-imported-api-key.RequestSchema.json	OpenAPI request schema (get imported key).
docs/talos/reference/api/admin-get-imported-api-key.ParamsDetails.json	OpenAPI params (get imported key).
docs/talos/reference/api/admin-get-imported-api-key.StatusCodes.json	OpenAPI responses (get imported key).
docs/talos/reference/api/admin-update-issued-api-key.api.mdx	OpenAPI method page (update issued key).
docs/talos/reference/api/admin-update-issued-api-key.RequestSchema.json	OpenAPI request schema (update issued key).
docs/talos/reference/api/admin-update-issued-api-key.ParamsDetails.json	OpenAPI params (update issued key).
docs/talos/reference/api/admin-update-issued-api-key.StatusCodes.json	OpenAPI responses (update issued key).
docs/talos/reference/api/admin-update-imported-api-key.api.mdx	OpenAPI method page (update imported key).
docs/talos/reference/api/admin-update-imported-api-key.RequestSchema.json	OpenAPI request schema (update imported key).
docs/talos/reference/api/admin-update-imported-api-key.ParamsDetails.json	OpenAPI params (update imported key).
docs/talos/reference/api/admin-update-imported-api-key.StatusCodes.json	OpenAPI responses (update imported key).
docs/talos/reference/api/admin-rotate-issued-api-key.api.mdx	OpenAPI method page (rotate issued key).
docs/talos/reference/api/admin-rotate-issued-api-key.RequestSchema.json	OpenAPI request schema (rotate issued key).
docs/talos/reference/api/admin-rotate-issued-api-key.ParamsDetails.json	OpenAPI params (rotate issued key).
docs/talos/reference/api/admin-rotate-issued-api-key.StatusCodes.json	OpenAPI responses (rotate issued key).
docs/talos/reference/api/admin-revoke-api-key.api.mdx	OpenAPI method page (admin revoke).
docs/talos/reference/api/admin-revoke-api-key.RequestSchema.json	OpenAPI request schema (admin revoke).
docs/talos/reference/api/admin-revoke-api-key.ParamsDetails.json	OpenAPI params (admin revoke).
docs/talos/reference/api/admin-revoke-api-key.StatusCodes.json	OpenAPI responses (admin revoke).
docs/talos/reference/api/revoke-api-key.api.mdx	OpenAPI method page (self revoke).
docs/talos/reference/api/revoke-api-key.RequestSchema.json	OpenAPI request schema (self revoke).
docs/talos/reference/api/revoke-api-key.StatusCodes.json	OpenAPI responses (self revoke).
docs/talos/reference/api/admin-verify-api-key.api.mdx	OpenAPI method page (verify).
docs/talos/reference/api/admin-verify-api-key.RequestSchema.json	OpenAPI request schema (verify).
docs/talos/reference/api/admin-verify-api-key.StatusCodes.json	OpenAPI responses (verify).
docs/talos/reference/api/admin-batch-verify-api-keys.api.mdx	OpenAPI method page (batch verify).
docs/talos/reference/api/admin-batch-verify-api-keys.RequestSchema.json	OpenAPI request schema (batch verify).
docs/talos/reference/api/admin-batch-verify-api-keys.StatusCodes.json	OpenAPI responses (batch verify).
docs/talos/reference/api/admin-derive-token.api.mdx	OpenAPI method page (derive token).
docs/talos/reference/api/admin-derive-token.RequestSchema.json	OpenAPI request schema (derive token).
docs/talos/reference/api/admin-derive-token.StatusCodes.json	OpenAPI responses (derive token).
docs/talos/reference/api/admin-get-jwks.api.mdx	OpenAPI method page (get JWKS).
docs/talos/reference/api/admin-get-jwks.RequestSchema.json	OpenAPI request schema (get JWKS).
docs/talos/reference/api/admin-get-jwks.StatusCodes.json	OpenAPI responses (get JWKS).
docs/talos/reference/api/admin-delete-imported-api-key.api.mdx	OpenAPI method page (delete imported key).
docs/talos/reference/api/admin-delete-imported-api-key.RequestSchema.json	OpenAPI request schema (delete imported key).
docs/talos/reference/api/admin-delete-imported-api-key.ParamsDetails.json	OpenAPI params (delete imported key).
docs/talos/reference/api/admin-delete-imported-api-key.StatusCodes.json	OpenAPI responses (delete imported key).
docs/talos/reference/api/admin-batch-import-api-keys.api.mdx	OpenAPI method page (batch import).
docs/talos/reference/api/admin-batch-import-api-keys.RequestSchema.json	OpenAPI request schema (batch import).
docs/talos/reference/api/admin-batch-import-api-keys.StatusCodes.json	OpenAPI responses (batch import).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 19

🧹 Nitpick comments (2)

docs/talos/reference/api/sidebar.ts (1)

12-109: ⚡ Quick win

Consider grouping related operations for better navigation.

The StaticCredentials category items are currently ordered somewhat arbitrarily, mixing operations across different resource types (imported keys, issued keys, verification, tokens). Grouping related operations together would improve the user experience.

♻️ Suggested organization by resource type

       type: "category",
       label: "StaticCredentials",
       items: [
+        // Verification operations
         {
           type: "doc",
-          id: "reference/api/admin-revoke-api-key",
-          label: "Revoke API Key",
+          id: "reference/api/admin-verify-api-key",
+          label: "Verify API Key",
           className: "api-method post",
         },
         {
           type: "doc",
           id: "reference/api/admin-batch-verify-api-keys",
           label: "Batch Verify API Keys",
           className: "api-method post",
         },
+        // Token operations
         {
           type: "doc",
           id: "reference/api/admin-derive-token",
           label: "Derive Token",
           className: "api-method post",
         },
         {
           type: "doc",
-          id: "reference/api/admin-verify-api-key",
-          label: "Verify API Key",
-          className: "api-method post",
-        },
-        {
-          type: "doc",
           id: "reference/api/admin-get-jwks",
           label: "Get JWKS",
           className: "api-method get",
         },
+        // Imported API key operations
         {
           type: "doc",
-          id: "reference/api/admin-list-imported-api-keys",
-          label: "List Imported API Keys",
-          className: "api-method get",
-        },
-        {
-          type: "doc",
           id: "reference/api/admin-import-api-key",
           label: "Import API Key",
           className: "api-method post",
         },
         {
           type: "doc",
-          id: "reference/api/admin-delete-imported-api-key",
-          label: "Delete Imported API Key",
-          className: "api-method delete",
+          id: "reference/api/admin-batch-import-api-keys",
+          label: "Batch Import API Keys",
+          className: "api-method post",
+        },
+        {
+          type: "doc",
+          id: "reference/api/admin-list-imported-api-keys",
+          label: "List Imported API Keys",
+          className: "api-method get",
         },
         {
           type: "doc",
           id: "reference/api/admin-get-imported-api-key",
           label: "Get Imported API Key",
           className: "api-method get",
         },
         {
           type: "doc",
           id: "reference/api/admin-update-imported-api-key",
           label: "Update Imported API Key",
           className: "api-method patch",
         },
         {
           type: "doc",
-          id: "reference/api/admin-batch-import-api-keys",
-          label: "Batch Import API Keys",
-          className: "api-method post",
+          id: "reference/api/admin-delete-imported-api-key",
+          label: "Delete Imported API Key",
+          className: "api-method delete",
         },
+        // Issued API key operations
         {
           type: "doc",
-          id: "reference/api/admin-list-issued-api-keys",
-          label: "List Issued API Keys",
-          className: "api-method get",
-        },
-        {
-          type: "doc",
           id: "reference/api/admin-issue-api-key",
           label: "Issue API Key",
           className: "api-method post",
         },
         {
           type: "doc",
+          id: "reference/api/admin-list-issued-api-keys",
+          label: "List Issued API Keys",
+          className: "api-method get",
+        },
+        {
+          type: "doc",
           id: "reference/api/admin-get-issued-api-key",
           label: "Get Issued API Key",
           className: "api-method get",
         },
         {
           type: "doc",
           id: "reference/api/admin-update-issued-api-key",
           label: "Update Issued API Key",
           className: "api-method patch",
         },
         {
           type: "doc",
           id: "reference/api/admin-rotate-issued-api-key",
           label: "Rotate Issued API Key",
           className: "api-method post",
         },
+        // Revoke operations
+        {
+          type: "doc",
+          id: "reference/api/admin-revoke-api-key",
+          label: "Revoke API Key",
+          className: "api-method post",
+        },
       ],

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/reference/api/sidebar.ts` around lines 12 - 109, Reorder the items
array in sidebar.ts to group related StaticCredentials operations by resource
and purpose: place all "imported" operations together (ids like
reference/api/admin-list-imported-api-keys, admin-import-api-key,
admin-get-imported-api-key, admin-update-imported-api-key,
admin-delete-imported-api-key, admin-batch-import-api-keys), then group "issued"
operations (admin-list-issued-api-keys, admin-issue-api-key,
admin-get-issued-api-key, admin-update-issued-api-key,
admin-rotate-issued-api-key), then verification/token/JWKS actions
(admin-verify-api-key, admin-batch-verify-api-keys, admin-derive-token,
admin-get-jwks), and finally administrative actions like admin-revoke-api-key;
keep className values intact and preserve existing labels.

docusaurus.config.ts (1)

157-186: 🏗️ Heavy lift

Make OpenAPI renderer isolation optional, not required
docItemComponent: "@theme/ApiItem" is intended to be set on the docs plugin instance used by docusaurus-plugin-openapi-docs (it’s wired via docsPluginId: "default"). Keeping it on the id: "default" instance matches the recommended minimal setup; isolate into a dedicated @docusaurus/plugin-content-docs instance only if regular markdown docs must retain the default DocItem renderer instead of @theme/ApiItem.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docusaurus.config.ts` around lines 157 - 186, The docs plugin config
currently sets docItemComponent: "`@theme/ApiItem`" on the default
"`@docusaurus/plugin-content-docs`" instance which forces the API renderer for all
docs; move or remove docItemComponent from the default docs plugin and instead
set docItemComponent: "`@theme/ApiItem`" on the specific docs instance used by
docusaurus-plugin-openapi-docs (the instance identified by docsPluginId:
"default" in the docusaurus-plugin-openapi-docs config) so regular markdown docs
keep the default DocItem renderer and only the OpenAPI-generated docs use
ApiItem.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/talos/CLAUDE.md`:
- Around line 97-105: Remove the duplicated "Incorrect" callout block so there's
only one instance of the markdown snippet ":::note Internal package The Go
client is in an `internal/` package and cannot be imported by external Go
modules. :::" followed immediately by the corrected "Correct:" block;
specifically, delete the second identical ```md ... :::``` block and ensure the
document flows: single Incorrect example, then the Correct example.

In `@docs/talos/concepts/credential-types.md`:
- Around line 25-27: The sentence fragment "Can be verified independently using
the JWKS endpoint (`GET /v2alpha1/admin/derivedKeys/jwks.json`)" lacks a
subject; update the JWT section sentence that follows "Short-lived tokens
derived from a parent API key..." to include an explicit subject such as "They
can be verified independently using the JWKS endpoint (`GET
/v2alpha1/admin/derivedKeys/jwks.json`)." Ensure the revised sentence still
mentions the signing algorithm (`alg` in the JWK), claim examples (`key_id`,
`actor_id`, scopes, and expiration), and reads as a complete sentence.

In `@docs/talos/concepts/token-derivation-security.md`:
- Line 16: Update the documented derive endpoint string to match the rest of the
docs: replace the occurrence of "POST /v2alpha1/tokens:derive" with "POST
/v2alpha1/admin/apiKeys:derive" so the page's example aligns with the
integration and SDK docs and prevents broken requests.

In `@docs/talos/integrate/sdk/go.md`:
- Around line 35-37: Replace the absolute GitHub URL used in the markdown
sentence that links to the example file (the current text containing
[`tools/doctest/examples/go_sdk/main.go`](https://github.com/ory-corp/talos/blob/dev/tools/doctest/examples/go_sdk/main.go))
with a relative markdown link that includes the file extension (e.g., use a
relative path like tools/doctest/examples/go_sdk/main.go) so the link follows
docs conventions and remains stable across branches; edit the line in
docs/talos/integrate/sdk/go.md where that link appears and ensure the link text
and path are updated accordingly.

In `@docs/talos/operate/database/migrations.md`:
- Around line 47-48: The doc currently warns to pin migration images but still
shows examples using the mutable tag ":latest"; update all example image tags so
they use explicit version tags instead of ":latest" (replace any occurrences of
":latest" in the migration job examples and example app image lines with
concrete versioned tags), so the guidance near the sentence "Pin the migration
image to the same version as the application image. Do not use mutable tags
(`latest`, `staging`)..." is consistent with the examples; search for and update
the example strings ":latest" referenced in the migration examples and the other
example blocks to explicit versioned tags.

In `@docs/talos/operate/deploy/edge-proxy.md`:
- Around line 191-213: The Compose snippet references TALOS_DB_DSN pointing at
host "db" (TALOS_DB_DSN=postgres://talos:secret@db:5432/...) but there is no
"db" service defined; either add a postgres service named "db" to the example
compose (or explicitly document that "db" must be an external PostgreSQL host
resolvable in the Compose network) and update the docs near the snippet (the
block containing TALOS_DB_DSN, proxy, and app) to clearly indicate which
approach is used so users won't encounter unresolved host errors.

In `@docs/talos/operate/deploy/kubernetes.md`:
- Around line 73-79: The manifest currently maps TALOS_SECRETS_DEFAULT_CURRENT
to the hmac-secret key and is missing TALOS_SECRETS_HMAC_CURRENT; update the env
vars so TALOS_SECRETS_HMAC_CURRENT valueFrom.secretKeyRef.name = talos-secrets
and key = hmac-secret, and change TALOS_SECRETS_DEFAULT_CURRENT to point to the
correct default/current secret key (e.g., the non-HMAC key used for default
secrets) so HMAC material is explicitly shared across replicas and
cross-instance verification remains consistent.

In `@docs/talos/operate/secrets.md`:
- Around line 93-95: Replace the current brittle command that strips +/ and then
truncates with a deterministic 64-char generator: use openssl rand -hex 32 to
produce exactly 64 hex characters (and strip the trailing newline if needed),
i.e., replace the existing openssl rand | tr | cut pipeline with a single
openssl rand -hex 32 invocation (and ensure any consumer strips the final
newline).

In `@docs/talos/operate/security-hardening.md`:
- Line 34: Replace the broken markdown link `[IP
restrictions](../integrate/ip-restrictions.mdx)` with the correct relative path
that matches the repo's Talos docs structure and includes the file extension
(e.g., change the target to the actual page file like `[IP
restrictions](../integrate/ip-restrictions.md)` or the correct subpath with
.mdx); ensure the link text remains the same and the target points to the real
existing file so navigation works.

In `@docs/talos/reference/api/admin-batch-verify-api-keys.RequestSchema.json`:
- Around line 7-23: The schema currently allows empty payloads because
"requests" is optional and item objects may omit "credential"; update the
v2alpha1BatchVerifyAPIKeysRequest schema to require the top-level "requests"
property (add "required": ["requests"]) and ensure the array items
(v2alpha1VerifyAPIKeyRequest) require "credential" (add "required":
["credential"] inside the item schema); optionally also add "minItems": 1 on
"requests" to forbid an empty array.

In `@docs/talos/reference/api/admin-delete-imported-api-key.StatusCodes.json`:
- Around line 3-10: The OpenAPI response shows both "200" (with
application/json) and "204" (which incorrectly includes a content object);
remove the content field from the "204" response (no content allowed for 204)
and then choose a single success status to document—either keep the "204" entry
with no content and delete the "200" entry, or keep the "200" JSON response and
remove the "204" entry—so update the JSON to reflect only one success status and
ensure "204" has no content property if it remains.

In `@docs/talos/reference/api/admin-derive-token.RequestSchema.json`:
- Around line 19-21: The request schema for admin-derive-token currently defines
the "credential" property but does not mark it required; update the source
OpenAPI/proto schema for the AdminDeriveToken request so that "credential" is
added to the schema-level required array (i.e., ensure the Request schema for
admin-derive-token includes required: ["credential"]). Apply the same change for
the other instance mentioned (the similar schema at the other occurrence). This
will cause the generated admin-derive-token.RequestSchema.json to emit a
required entry and prevent an empty object from being considered valid.

In `@docs/talos/reference/api/admin-issue-api-key.StatusCodes.json`:
- Around line 3-113: The API currently documents a populated "200" response and
an empty "201" for the same create operation, causing ambiguity; pick a single
canonical success status (prefer 201 for resource creation), move the response
schema (the v2alpha1IssueAPIKeyResponse containing issued_api_key and secret)
from "200" into the "201" response's content.application/json.schema, and remove
or make the "200" response a simple redirect/alias so only one success status
documents the creation-only fields (referencing the "200"/"201" codes and the
issued_api_key, secret and v2alpha1IssueAPIKeyResponse symbols to locate the
change).

In `@docs/talos/reference/api/admin-verify-api-key.RequestSchema.json`:
- Around line 7-15: The schema v2alpha1VerifyAPIKeyRequest currently allows an
empty object because the "credential" property isn't required; update the object
schema (title "v2alpha1VerifyAPIKeyRequest") to include a required array with
"credential" (i.e. add "required": ["credential"]) so the request body must
include the credential string property.

In `@docs/talos/reference/api/revoke-api-key.RequestSchema.json`:
- Around line 8-25: The JSON schema for the self-revoke request is inconsistent:
the "credential" property is described as required but not listed in the
schema's required array, and the "reason" enum incorrectly includes
"REVOCATION_REASON_PRIVILEGE_WITHDRAWN" which must be disallowed for
self-revocation; update the schema by adding "credential" to the top-level
"required" array and remove "REVOCATION_REASON_PRIVILEGE_WITHDRAWN" from the
"reason" property's "enum" (or replace the enum with one that excludes that
value) so the schema enforces the endpoint rules for the "credential" and
"reason" fields.

In `@docs/talos/reference/events.md`:
- Around line 18-22: The table has a stray line ("Use the KeyType attribute...")
outside the EventAPIKeyCreated row; move that sentence into the Description cell
for EventAPIKeyCreated so the table remains valid. Edit the markdown row for
`EventAPIKeyCreated` (the cell containing "EventAPIKeyCreated is emitted when an
API key is created (issued or imported).") to append "Use the KeyType attribute
to distinguish between the two origins." ensuring the row remains a single table
entry and the rest of the table (including `EventAPIKeyUpdated`) stays
unchanged.
- Around line 36-39: Fill the empty OTEL Key cell for the required attribute by
putting the exact emitted attribute key used by the generator for
AttrNetworkID/NetworkID (e.g., "nid" or the canonical key like "network.id");
open the generator source to confirm the exact string and replace the blank cell
in the table with that exact key so the reference is unambiguous.

In `@src/sidebar-old.ts`:
- Around line 1054-1058: Update the API category's link to point at the
generated API overview `.info` doc: change the link.id in the category object
(the object with type:"category" and label:"API") from
"talos/reference/api/ory-talos-api" to "talos/reference/api/ory-talos-api.info"
so the sidebar points to the canonical API overview; leave the rest (items:
prefixSidebarIds(apiSidebar, "talos/")) unchanged.
- Around line 951-976: Remove or comment out sidebar entries that point to
non-existent Talos docs so Docusaurus won't fail at build: specifically remove
the "talos/quickstart/docker-commercial" entry and any integrate items that are
not present such as "talos/integrate/issue-and-verify",
"talos/integrate/import-keys", "talos/integrate/derive-tokens",
"talos/integrate/batch-operations", "talos/integrate/key-lifecycle",
"talos/integrate/self-revocation", "talos/integrate/ip-restrictions",
"talos/integrate/rate-limiting", "talos/integrate/error-handling" (and the SDK
children "talos/integrate/sdk/go", "talos/integrate/sdk/curl") from the sidebar
definition; alternatively add minimal stub docs for those IDs in the docs layer
if they should remain. Ensure changes target the sidebar object containing type:
"category" entries and the items arrays shown so the sidebar only references
existing doc ids.

---

Nitpick comments:
In `@docs/talos/reference/api/sidebar.ts`:
- Around line 12-109: Reorder the items array in sidebar.ts to group related
StaticCredentials operations by resource and purpose: place all "imported"
operations together (ids like reference/api/admin-list-imported-api-keys,
admin-import-api-key, admin-get-imported-api-key, admin-update-imported-api-key,
admin-delete-imported-api-key, admin-batch-import-api-keys), then group "issued"
operations (admin-list-issued-api-keys, admin-issue-api-key,
admin-get-issued-api-key, admin-update-issued-api-key,
admin-rotate-issued-api-key), then verification/token/JWKS actions
(admin-verify-api-key, admin-batch-verify-api-keys, admin-derive-token,
admin-get-jwks), and finally administrative actions like admin-revoke-api-key;
keep className values intact and preserve existing labels.

In `@docusaurus.config.ts`:
- Around line 157-186: The docs plugin config currently sets docItemComponent:
"`@theme/ApiItem`" on the default "`@docusaurus/plugin-content-docs`" instance which
forces the API renderer for all docs; move or remove docItemComponent from the
default docs plugin and instead set docItemComponent: "`@theme/ApiItem`" on the
specific docs instance used by docusaurus-plugin-openapi-docs (the instance
identified by docsPluginId: "default" in the docusaurus-plugin-openapi-docs
config) so regular markdown docs keep the default DocItem renderer and only the
OpenAPI-generated docs use ApiItem.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: ace11d1e-bd75-46bb-89d5-87758cda814e

📥 Commits

Reviewing files that changed from the base of the PR and between 9ac94e6 and dd41c5e.

⛔ Files ignored due to path filters (32)

• docs/talos/integrate/batch-operations.mdx is excluded by !**/*.mdx
• docs/talos/integrate/derive-tokens.mdx is excluded by !**/*.mdx
• docs/talos/integrate/error-handling.mdx is excluded by !**/*.mdx
• docs/talos/integrate/import-keys.mdx is excluded by !**/*.mdx
• docs/talos/integrate/ip-restrictions.mdx is excluded by !**/*.mdx
• docs/talos/integrate/issue-and-verify.mdx is excluded by !**/*.mdx
• docs/talos/integrate/key-lifecycle.mdx is excluded by !**/*.mdx
• docs/talos/integrate/rate-limiting.mdx is excluded by !**/*.mdx
• docs/talos/integrate/self-revocation.mdx is excluded by !**/*.mdx
• docs/talos/quickstart/docker-commercial.mdx is excluded by !**/*.mdx
• docs/talos/quickstart/index.mdx is excluded by !**/*.mdx
• docs/talos/quickstart/preview.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-batch-import-api-keys.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-batch-verify-api-keys.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-delete-imported-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-derive-token.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-get-imported-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-get-issued-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-get-jwks.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-import-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-issue-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-list-imported-api-keys.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-list-issued-api-keys.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-revoke-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-rotate-issued-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-update-imported-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-update-issued-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-verify-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/ory-talos-api.info.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/revoke-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/config.mdx is excluded by !**/*.mdx
• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (130)

• docs/talos/CLAUDE.md
• docs/talos/concepts/architecture.md
• docs/talos/concepts/caching.md
• docs/talos/concepts/credential-types.md
• docs/talos/concepts/index.md
• docs/talos/concepts/ip-restrictions.md
• docs/talos/concepts/rate-limiting.md
• docs/talos/concepts/security-model.md
• docs/talos/concepts/token-derivation-security.md
• docs/talos/concepts/token-format.md
• docs/talos/index.md
• docs/talos/integrate/index.md
• docs/talos/integrate/sdk/curl.md
• docs/talos/integrate/sdk/go.md
• docs/talos/operate/benchmarks.md
• docs/talos/operate/cache/index.md
• docs/talos/operate/cache/memory.md
• docs/talos/operate/cache/redis.md
• docs/talos/operate/configure.md
• docs/talos/operate/database/cockroachdb.md
• docs/talos/operate/database/index.md
• docs/talos/operate/database/migrations.md
• docs/talos/operate/database/mysql.md
• docs/talos/operate/database/postgresql.md
• docs/talos/operate/database/sqlite.md
• docs/talos/operate/deploy/docker.md
• docs/talos/operate/deploy/edge-proxy.md
• docs/talos/operate/deploy/index.md
• docs/talos/operate/deploy/kubernetes.md
• docs/talos/operate/deploy/separate-planes.md
• docs/talos/operate/index.md
• docs/talos/operate/install.md
• docs/talos/operate/monitoring/health-checks.md
• docs/talos/operate/monitoring/index.md
• docs/talos/operate/monitoring/metrics.md
• docs/talos/operate/monitoring/tracing.md
• docs/talos/operate/multi-tenancy.md
• docs/talos/operate/secrets.md
• docs/talos/operate/security-hardening.md
• docs/talos/operate/tls.md
• docs/talos/operate/troubleshooting.md
• docs/talos/reference/api/admin-batch-import-api-keys.RequestSchema.json
• docs/talos/reference/api/admin-batch-import-api-keys.StatusCodes.json
• docs/talos/reference/api/admin-batch-verify-api-keys.RequestSchema.json
• docs/talos/reference/api/admin-batch-verify-api-keys.StatusCodes.json
• docs/talos/reference/api/admin-delete-imported-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-delete-imported-api-key.RequestSchema.json
• docs/talos/reference/api/admin-delete-imported-api-key.StatusCodes.json
• docs/talos/reference/api/admin-derive-token.RequestSchema.json
• docs/talos/reference/api/admin-derive-token.StatusCodes.json
• docs/talos/reference/api/admin-get-imported-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-get-imported-api-key.RequestSchema.json
• docs/talos/reference/api/admin-get-imported-api-key.StatusCodes.json
• docs/talos/reference/api/admin-get-issued-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-get-issued-api-key.RequestSchema.json
• docs/talos/reference/api/admin-get-issued-api-key.StatusCodes.json
• docs/talos/reference/api/admin-get-jwks.RequestSchema.json
• docs/talos/reference/api/admin-get-jwks.StatusCodes.json
• docs/talos/reference/api/admin-import-api-key.RequestSchema.json
• docs/talos/reference/api/admin-import-api-key.StatusCodes.json
• docs/talos/reference/api/admin-issue-api-key.RequestSchema.json
• docs/talos/reference/api/admin-issue-api-key.StatusCodes.json
• docs/talos/reference/api/admin-list-imported-api-keys.ParamsDetails.json
• docs/talos/reference/api/admin-list-imported-api-keys.RequestSchema.json
• docs/talos/reference/api/admin-list-imported-api-keys.StatusCodes.json
• docs/talos/reference/api/admin-list-issued-api-keys.ParamsDetails.json
• docs/talos/reference/api/admin-list-issued-api-keys.RequestSchema.json
• docs/talos/reference/api/admin-list-issued-api-keys.StatusCodes.json
• docs/talos/reference/api/admin-revoke-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-revoke-api-key.RequestSchema.json
• docs/talos/reference/api/admin-revoke-api-key.StatusCodes.json
• docs/talos/reference/api/admin-rotate-issued-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-rotate-issued-api-key.RequestSchema.json
• docs/talos/reference/api/admin-rotate-issued-api-key.StatusCodes.json
• docs/talos/reference/api/admin-update-imported-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-update-imported-api-key.RequestSchema.json
• docs/talos/reference/api/admin-update-imported-api-key.StatusCodes.json
• docs/talos/reference/api/admin-update-issued-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-update-issued-api-key.RequestSchema.json
• docs/talos/reference/api/admin-update-issued-api-key.StatusCodes.json
• docs/talos/reference/api/admin-verify-api-key.RequestSchema.json
• docs/talos/reference/api/admin-verify-api-key.StatusCodes.json
• docs/talos/reference/api/revoke-api-key.RequestSchema.json
• docs/talos/reference/api/revoke-api-key.StatusCodes.json
• docs/talos/reference/api/sidebar.ts
• docs/talos/reference/cli/.gitkeep
• docs/talos/reference/cli/talos-jwk-generate-ecdsa.md
• docs/talos/reference/cli/talos-jwk-generate-eddsa.md
• docs/talos/reference/cli/talos-jwk-generate-hmac.md
• docs/talos/reference/cli/talos-jwk-generate-rsa.md
• docs/talos/reference/cli/talos-jwk-generate.md
• docs/talos/reference/cli/talos-jwk-get.md
• docs/talos/reference/cli/talos-jwk.md
• docs/talos/reference/cli/talos-keys-batch-verify.md
• docs/talos/reference/cli/talos-keys-derive-token.md
• docs/talos/reference/cli/talos-keys-imported-batch-import.md
• docs/talos/reference/cli/talos-keys-imported-delete.md
• docs/talos/reference/cli/talos-keys-imported-get.md
• docs/talos/reference/cli/talos-keys-imported-import.md
• docs/talos/reference/cli/talos-keys-imported-list.md
• docs/talos/reference/cli/talos-keys-imported-revoke.md
• docs/talos/reference/cli/talos-keys-imported.md
• docs/talos/reference/cli/talos-keys-issue.md
• docs/talos/reference/cli/talos-keys-issued-get.md
• docs/talos/reference/cli/talos-keys-issued-issue.md
• docs/talos/reference/cli/talos-keys-issued-list.md
• docs/talos/reference/cli/talos-keys-issued-rotate.md
• docs/talos/reference/cli/talos-keys-issued-update.md
• docs/talos/reference/cli/talos-keys-issued.md
• docs/talos/reference/cli/talos-keys-revoke.md
• docs/talos/reference/cli/talos-keys-self-revoke.md
• docs/talos/reference/cli/talos-keys-verify.md
• docs/talos/reference/cli/talos-keys.md
• docs/talos/reference/cli/talos-migrate-down.md
• docs/talos/reference/cli/talos-migrate-force.md
• docs/talos/reference/cli/talos-migrate-status.md
• docs/talos/reference/cli/talos-migrate-up.md
• docs/talos/reference/cli/talos-migrate.md
• docs/talos/reference/cli/talos-proxy.md
• docs/talos/reference/cli/talos-serve-admin.md
• docs/talos/reference/cli/talos-serve-check.md
• docs/talos/reference/cli/talos-serve.md
• docs/talos/reference/cli/talos.md
• docs/talos/reference/error-codes.md
• docs/talos/reference/events.md
• docs/talos/reference/index.md
• docs/talos/reference/token-format.md
• docusaurus.config.ts
• package.json
• src/sidebar-old.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Duplicate “Incorrect” callout example creates ambiguity.

There are two identical “Incorrect” examples in a row, which makes the before/after contrast harder to follow. Keep a single incorrect block, then the corrected block.

Suggested edit

 **Incorrect:**

 ```md
 :::note Internal package The Go client is in an `internal/` package and cannot be imported by external Go modules. :::

-md -:::note Internal package The Go client is in an `internal/` package and cannot be imported by external Go modules. ::: -

Correct:

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @docs/talos/CLAUDE.md around lines 97 - 105, Remove the duplicated
"Incorrect" callout block so there's only one instance of the markdown snippet
":::note Internal package The Go client is in an internal/ package and cannot
be imported by external Go modules. :::" followed immediately by the corrected
"Correct:" block; specifically, delete the second identical md ... :::
block and ensure the document flows: single Incorrect example, then the Correct
example.

</details>

<!-- fingerprinting:phantom:triton:hawk -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Sentence fragment in JWT section reduces clarity.

“Can be verified independently...” should include an explicit subject for smooth reading.

Suggested edit

-Short-lived tokens derived from a parent API key. The signing algorithm is determined by the `alg` field in the JWK (EdDSA or
-RS256). Can be verified independently using the JWKS endpoint (`GET /v2alpha1/admin/derivedKeys/jwks.json`). Claims include
+Short-lived tokens derived from a parent API key. The signing algorithm is determined by the `alg` field in the JWK (EdDSA or
+RS256). They can be verified independently using the JWKS endpoint (`GET /v2alpha1/admin/derivedKeys/jwks.json`). Claims include
 `key_id`, `actor_id`, scopes, and expiration.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Short-lived tokens derived from a parent API key. The signing algorithm is determined by the `alg` field in the JWK (EdDSA or
	RS256). Can be verified independently using the JWKS endpoint (`GET /v2alpha1/admin/derivedKeys/jwks.json`). Claims include
	`key_id`, `actor_id`, scopes, and expiration.
	Short-lived tokens derived from a parent API key. The signing algorithm is determined by the `alg` field in the JWK (EdDSA or
	RS256). They can be verified independently using the JWKS endpoint (`GET /v2alpha1/admin/derivedKeys/jwks.json`). Claims include
	`key_id`, `actor_id`, scopes, and expiration.

🧰 Tools

🪛 LanguageTool

[style] ~26-~26: To form a complete sentence, be sure to include a subject.
Context: ...alg` field in the JWK (EdDSA or RS256). Can be verified independently using the JWK...

(MISSING_IT_THERE)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/concepts/credential-types.md` around lines 25 - 27, The sentence
fragment "Can be verified independently using the JWKS endpoint (`GET
/v2alpha1/admin/derivedKeys/jwks.json`)" lacks a subject; update the JWT section
sentence that follows "Short-lived tokens derived from a parent API key..." to
include an explicit subject such as "They can be verified independently using
the JWKS endpoint (`GET /v2alpha1/admin/derivedKeys/jwks.json`)." Ensure the
revised sentence still mentions the signing algorithm (`alg` in the JWK), claim
examples (`key_id`, `actor_id`, scopes, and expiration), and reads as a complete
sentence.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix derive endpoint path to match the rest of the docs.

This page uses POST /v2alpha1/tokens:derive, but the integration and SDK docs in this PR consistently document POST /v2alpha1/admin/apiKeys:derive. Please align this endpoint here to avoid broken requests from readers.

Suggested patch

-When a token is derived via `POST /v2alpha1/tokens:derive`, all security constraints are enforced before the token is signed:
+When a token is derived via `POST /v2alpha1/admin/apiKeys:derive`, all security constraints are enforced before the token is signed:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	When a token is derived via `POST /v2alpha1/tokens:derive`, all security constraints are enforced before the token is signed:
	When a token is derived via `POST /v2alpha1/admin/apiKeys:derive`, all security constraints are enforced before the token is signed:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/concepts/token-derivation-security.md` at line 16, Update the
documented derive endpoint string to match the rest of the docs: replace the
occurrence of "POST /v2alpha1/tokens:derive" with "POST
/v2alpha1/admin/apiKeys:derive" so the page's example aligns with the
integration and SDK docs and prevents broken requests.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use a relative docs link instead of an absolute GitHub URL.

Switch this to a relative markdown link with file extension so it follows docs conventions and stays stable across branches.

Suggested patch

-Full working example: see
-[`tools/doctest/examples/go_sdk/main.go`](https://github.com/ory-corp/talos/blob/dev/tools/doctest/examples/go_sdk/main.go) for a
+Full working example: see
+[`tools/doctest/examples/go_sdk/main.go`](../../../../tools/doctest/examples/go_sdk/main.go) for a
 complete, runnable program that exercises all operations shown below.

As per coding guidelines: "Use relative markdown links with file extensions ... instead of absolute links."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Full working example: see
	[`tools/doctest/examples/go_sdk/main.go`](https://github.com/ory-corp/talos/blob/dev/tools/doctest/examples/go_sdk/main.go) for a
	complete, runnable program that exercises all operations shown below.
	Full working example: see
	[`tools/doctest/examples/go_sdk/main.go`](../../../../tools/doctest/examples/go_sdk/main.go) for a
	complete, runnable program that exercises all operations shown below.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/integrate/sdk/go.md` around lines 35 - 37, Replace the absolute
GitHub URL used in the markdown sentence that links to the example file (the
current text containing
[`tools/doctest/examples/go_sdk/main.go`](https://github.com/ory-corp/talos/blob/dev/tools/doctest/examples/go_sdk/main.go))
with a relative markdown link that includes the file extension (e.g., use a
relative path like tools/doctest/examples/go_sdk/main.go) so the link follows
docs conventions and remains stable across branches; edit the line in
docs/talos/integrate/sdk/go.md where that link appears and ensure the link text
and path are updated accordingly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Conflicting image-tag guidance (pin versions vs latest)

Line 47-48 correctly warns against mutable tags, but Line 70-71 and Line 84 use :latest. Please make the examples consistent by using explicit version tags everywhere to avoid migration drift.

Suggested doc fix

-Use a Job to apply migrations once, then start the application Deployment. The OSS image (`oryd/talos:latest`) only ships SQLite
+Use a Job to apply migrations once, then start the application Deployment. The OSS image (`oryd/talos:vX.Y.Z`) only ships SQLite
 migrations; for PostgreSQL, MySQL, or CockroachDB use `oryd/talos-commercial:latest`.

-          image: oryd/talos-commercial:latest # Pin to the same tag as the application image.
+          image: oryd/talos-commercial:vX.Y.Z # Pin to the same tag as the application image.

Also applies to: 70-71, 84-85

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/operate/database/migrations.md` around lines 47 - 48, The doc
currently warns to pin migration images but still shows examples using the
mutable tag ":latest"; update all example image tags so they use explicit
version tags instead of ":latest" (replace any occurrences of ":latest" in the
migration job examples and example app image lines with concrete versioned
tags), so the guidance near the sentence "Pin the migration image to the same
version as the application image. Do not use mutable tags (`latest`,
`staging`)..." is consistent with the examples; search for and update the
example strings ":latest" referenced in the migration examples and the other
example blocks to explicit versioned tags.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Align the self-revoke schema with the endpoint rules.

credential is labeled required but is not in required, and the enum still advertises REVOCATION_REASON_PRIVILEGE_WITHDRAWN even though the description says self-revocation must reject it. The rendered API reference will therefore permit invalid requests.

Suggested fix

         "schema": {
           "description": "SelfRevokeAPIKeyRequest allows an API key holder to revoke their own key\nby providing the full key secret as proof of possession.",
+          "required": ["credential"],
           "properties": {
             "credential": {
               "title": "Full API key secret or imported key (REQUIRED)",
               "type": "string"
             },
@@
               "enum": [
                 "REVOCATION_REASON_UNSPECIFIED",
                 "REVOCATION_REASON_KEY_COMPROMISE",
                 "REVOCATION_REASON_AFFILIATION_CHANGED",
-                "REVOCATION_REASON_SUPERSEDED",
-                "REVOCATION_REASON_PRIVILEGE_WITHDRAWN"
+                "REVOCATION_REASON_SUPERSEDED"
               ],

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"properties": {
	"credential": {
	"title": "Full API key secret or imported key (REQUIRED)",
	"type": "string"
	},
	"reason": {
	"default": "REVOCATION_REASON_UNSPECIFIED",
	"description": "RevocationReason provides structured revocation reasons inspired by RFC 5280.\nUsed in both admin and self-revocation flows.\n\n - REVOCATION_REASON_PRIVILEGE_WITHDRAWN: Admin-only: not allowed in self-revocation",
	"enum": [
	"REVOCATION_REASON_UNSPECIFIED",
	"REVOCATION_REASON_KEY_COMPROMISE",
	"REVOCATION_REASON_AFFILIATION_CHANGED",
	"REVOCATION_REASON_SUPERSEDED",
	"REVOCATION_REASON_PRIVILEGE_WITHDRAWN"
	],
	"type": "string",
	"title": "v2alpha1RevocationReason"
	}
	"schema": {
	"description": "SelfRevokeAPIKeyRequest allows an API key holder to revoke their own key\nby providing the full key secret as proof of possession.",
	"required": ["credential"],
	"properties": {
	"credential": {
	"title": "Full API key secret or imported key (REQUIRED)",
	"type": "string"
	},
	"reason": {
	"default": "REVOCATION_REASON_UNSPECIFIED",
	"description": "RevocationReason provides structured revocation reasons inspired by RFC 5280.\nUsed in both admin and self-revocation flows.\n\n - REVOCATION_REASON_PRIVILEGE_WITHDRAWN: Admin-only: not allowed in self-revocation",
	"enum": [
	"REVOCATION_REASON_UNSPECIFIED",
	"REVOCATION_REASON_KEY_COMPROMISE",
	"REVOCATION_REASON_AFFILIATION_CHANGED",
	"REVOCATION_REASON_SUPERSEDED"
	],
	"type": "string",
	"title": "v2alpha1RevocationReason"
	}
	}
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/reference/api/revoke-api-key.RequestSchema.json` around lines 8 -
25, The JSON schema for the self-revoke request is inconsistent: the
"credential" property is described as required but not listed in the schema's
required array, and the "reason" enum incorrectly includes
"REVOCATION_REASON_PRIVILEGE_WITHDRAWN" which must be disallowed for
self-revocation; update the schema by adding "credential" to the top-level
"required" array and remove "REVOCATION_REASON_PRIVILEGE_WITHDRAWN" from the
"reason" property's "enum" (or replace the enum with one that excludes that
value) so the schema enforces the endpoint rules for the "credential" and
"reason" fields.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix broken markdown table row in Event types.

Line 21 is emitted as a standalone row, so the table structure is invalid and the note won’t render as intended. Keep it in the Description cell for EventAPIKeyCreated.

Suggested diff

 | `EventAPIKeyCreated`                                              | `APIKeyCreated`            | EventAPIKeyCreated is emitted when an API key is created (issued or imported).         |
-| Use the KeyType attribute to distinguish between the two origins. |
+|                                                                   |                            | Use the `KeyType` attribute to distinguish between issued and imported origins.         |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/reference/events.md` around lines 18 - 22, The table has a stray
line ("Use the KeyType attribute...") outside the EventAPIKeyCreated row; move
that sentence into the Description cell for EventAPIKeyCreated so the table
remains valid. Edit the markdown row for `EventAPIKeyCreated` (the cell
containing "EventAPIKeyCreated is emitted when an API key is created (issued or
imported).") to append "Use the KeyType attribute to distinguish between the two
origins." ensuring the row remains a single table entry and the rest of the
table (including `EventAPIKeyUpdated`) stays unchanged.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Populate the required OTEL key name for NetworkID.

The OTEL Key cell is empty for a required attribute, which makes this reference ambiguous.

Suggested diff

-| ``             | `NetworkID`  | uuid.UUID         | Required | AttrNetworkID uses the shared semconv NID key so the analytics pipeline can route by project. |
+| `nid`          | `NetworkID`  | uuid.UUID         | Required | AttrNetworkID uses the shared semconv NID key so the analytics pipeline can route by project. |

If the canonical key is not nid, please replace it with the exact emitted attribute key from the generator source.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	| OTEL Key | Struct Field | Type | Required | Description |
	| -------------- | ------------ | ----------------- | -------- | --------------------------------------------------------------------------------------------- |
	| `` | `NetworkID` | uuid.UUID | Required | AttrNetworkID uses the shared semconv NID key so the analytics pipeline can route by project. |
	| `APIKeyID` | `KeyID` | string | Optional | Key identification (present for key-related events) |
	| OTEL Key | Struct Field | Type | Required | Description |
	| -------------- | ------------ | ----------------- | -------- | --------------------------------------------------------------------------------------------- |
	| `nid` | `NetworkID` | uuid.UUID | Required | AttrNetworkID uses the shared semconv NID key so the analytics pipeline can route by project. |
	| `APIKeyID` | `KeyID` | string | Optional | Key identification (present for key-related events) |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/reference/events.md` around lines 36 - 39, Fill the empty OTEL Key
cell for the required attribute by putting the exact emitted attribute key used
by the generator for AttrNetworkID/NetworkID (e.g., "nid" or the canonical key
like "network.id"); open the generator source to confirm the exact string and
replace the blank cell in the table with that exact key so the reference is
unambiguous.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Trim sidebar entries that do not have backing Talos docs yet.

Line 954, Line 955, Lines 963-971, and Line 1060 reference Talos pages that are not present in the supplied docs layers. Docusaurus resolves these IDs during build, so this sidebar will break until those pages land or the placeholders are removed.

Also applies to: 1060-1060

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/sidebar-old.ts` around lines 951 - 976, Remove or comment out sidebar
entries that point to non-existent Talos docs so Docusaurus won't fail at build:
specifically remove the "talos/quickstart/docker-commercial" entry and any
integrate items that are not present such as "talos/integrate/issue-and-verify",
"talos/integrate/import-keys", "talos/integrate/derive-tokens",
"talos/integrate/batch-operations", "talos/integrate/key-lifecycle",
"talos/integrate/self-revocation", "talos/integrate/ip-restrictions",
"talos/integrate/rate-limiting", "talos/integrate/error-handling" (and the SDK
children "talos/integrate/sdk/go", "talos/integrate/sdk/curl") from the sidebar
definition; alternatively add minimal stub docs for those IDs in the docs layer
if they should remain. Ensure changes target the sidebar object containing type:
"category" entries and the items arrays shown so the sidebar only references
existing doc ids.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Point the API category at the generated .info overview page.

The canonical Talos API overview doc is talos/reference/api/ory-talos-api.info, so talos/reference/api/ory-talos-api will not resolve here.

Based on learnings: Use the API overview page at reference/api/ory-talos-api.info.mdx as the canonical reference for API information.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/sidebar-old.ts` around lines 1054 - 1058, Update the API category's link
to point at the generated API overview `.info` doc: change the link.id in the
category object (the object with type:"category" and label:"API") from
"talos/reference/api/ory-talos-api" to "talos/reference/api/ory-talos-api.info"
so the sidebar points to the canonical API overview; leave the rest (items:
prefixSidebarIds(apiSidebar, "talos/")) unchanged.

[coderabbitai]

Actionable comments posted: 15

♻️ Duplicate comments (10)

docs/talos/concepts/token-derivation-security.md (1)

18-18: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align derive endpoint with the rest of Talos docs.

This still documents POST /v2alpha1/tokens:derive; update it to POST /v2alpha1/admin/apiKeys:derive to prevent broken copy-paste requests.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/concepts/token-derivation-security.md` at line 18, Update the
documented derive endpoint text so it matches the current API: replace any
occurrence of "POST /v2alpha1/tokens:derive" with "POST
/v2alpha1/admin/apiKeys:derive" (and update any nearby examples or curl snippets
that reference the old path) so the docs and the derive endpoint in
token-derivation-security.md align with the rest of Talos docs.

docs/talos/integrate/sdk/go.md (1)

37-39: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace absolute GitHub link with a repository-relative link.

Use a relative path in this docs page instead of https://github.com/... to keep links branch-stable and consistent with docs conventions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/integrate/sdk/go.md` around lines 37 - 39, Replace the absolute
GitHub URL in the docs text with a repository-relative path to the example file:
change the link target from
"https://github.com/ory-corp/talos/blob/dev/tools/doctest/examples/go_sdk/main.go"
to a relative repository path like "tools/doctest/examples/go_sdk/main.go"
(keeping the same link text), ensuring the link remains branch-stable and
conforms to docs conventions.

docs/talos/operate/deploy/kubernetes.md (1)

75-79: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Secret env mapping is still swapped/missing for HMAC.

TALOS_SECRETS_DEFAULT_CURRENT currently uses hmac-secret, and TALOS_SECRETS_HMAC_CURRENT is missing. Update the mapping so default and HMAC secrets are explicitly set to their respective keys.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/operate/deploy/kubernetes.md` around lines 75 - 79, The env
mapping is incorrect: change the TALOS_SECRETS_DEFAULT_CURRENT env var to
reference the secretKeyRef key for the default secret (e.g., key:
default-secret) and add a new env var TALOS_SECRETS_HMAC_CURRENT that references
the talos-secrets secretKeyRef key: hmac-secret; update the secretKeyRef blocks
for TALOS_SECRETS_DEFAULT_CURRENT and TALOS_SECRETS_HMAC_CURRENT so each points
to the proper key under name: talos-secrets.

docs/talos/operate/deploy/edge-proxy.md (1)

193-193: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Compose example references an undefined db host.

TALOS_DB_DSN points to db:5432, but this Compose example does not define a db service (or clearly state it is external). Add a db service or an explicit prerequisite note so the snippet is runnable as written.

Also applies to: 186-215

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/operate/deploy/edge-proxy.md` at line 193, The Compose example
uses TALOS_DB_DSN pointing to host "db" but the snippet doesn't define a db
service or state it's external; update the docs by either adding a matching
service named "db" to the Compose YAML or explicitly note as a prerequisite that
an external PostgreSQL reachable at host "db:5432" must exist (and provide
guidance on changing TALOS_DB_DSN if the host differs); edit the Compose snippet
and the TALOS_DB_DSN line to ensure the example is runnable as written and keep
the note consistent for lines referencing the same snippet (186-215).

docs/talos/operate/database/migrations.md (1)

72-73: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Conflicting migration image-tag guidance still present.

This page says not to use mutable tags, but the examples still use :latest, which undermines the production-safety instruction and can cause migration drift. Please switch these examples to explicit version tags (same tag as the app image).

Also applies to: 86-86

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/operate/database/migrations.md` around lines 72 - 73, The docs
currently advise against mutable tags but still show examples using
oryd/talos:latest and oryd/talos-commercial:latest; update those examples to use
explicit, immutable version tags that match the application image tag (replace
"oryd/talos:latest" and "oryd/talos-commercial:latest" in the examples with the
same explicit version string used for the app image, e.g.,
"oryd/talos:<app-version>" or an exact version like "oryd/talos:1.2.3"), and
make the same replacement at the second occurrence noted in the comment so both
examples follow the non-mutable-tag guidance.

docs/talos/operate/security-hardening.md (1)

36-36: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the IP restrictions link target.

This link points to ../integrate/ip-restrictions.mdx, which does not match the Talos docs structure shown in this PR context; the documented page is under concepts.

Suggested fix

- [IP restrictions](../integrate/ip-restrictions.mdx).
+ [IP restrictions](../concepts/ip-restrictions.md).

As per coding guidelines: "Use relative links to markdown/mdx files with file extensions (never absolute links or links without extensions) for all documentation references".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/operate/security-hardening.md` at line 36, The markdown link
currently points to "../integrate/ip-restrictions.mdx" which is the wrong
target; update that link to the correct relative path under the concepts section
(e.g. "../concepts/ip-restrictions.mdx") so it matches the repository doc
structure and follows the guideline to use relative links with file extensions;
replace the existing "../integrate/ip-restrictions.mdx" reference with the
corrected "../concepts/ip-restrictions.mdx" wherever it appears.

docs/talos/operate/secrets.md (1)

95-100: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use a deterministic 64-character secret generator.

This pipeline can output fewer than 64 characters after stripping +/=. Prefer a fixed-length generator.

Suggested fix

- openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64
+ openssl rand -hex 32

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/operate/secrets.md` around lines 95 - 100, The current pipeline
(openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64) can produce fewer than 64
characters after stripping +/=: generate extra entropy before base64 encoding to
guarantee at least 64 URL-safe characters (e.g., use openssl rand -base64 49 and
then replace +/ with -_ and strip '=' before truncating), or use an alternative
fixed-length generator like openssl rand -hex 32 to produce a deterministic
64-character secret; update the command in the docs to one of these safe options
and replace the shown pipeline accordingly.

docs/talos/reference/api/admin-verify-api-key.RequestSchema.json (1)

7-15: ⚠️ Potential issue | 🟠 Major

credential is not required in the request object schema.

body.required: true is set, but {} still validates because the schema does not require credential.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/reference/api/admin-verify-api-key.RequestSchema.json` around
lines 7 - 15, The JSON schema for v2alpha1VerifyAPIKeyRequest currently allows
an empty object because the "credential" property is not marked required; update
the schema object (the block defining "title": "v2alpha1VerifyAPIKeyRequest") to
include a "required": ["credential"] array so that "credential" is mandatory;
ensure the "credential" property remains as type "string" and keep the existing
title and structure.

docs/talos/reference/api/admin-batch-verify-api-keys.RequestSchema.json (1)

7-23: ⚠️ Potential issue | 🟠 Major

requests and nested credential are still optional in the schema.

The schema still allows empty/partially-empty batch payloads ({} and {"requests":[{}]}), which weakens the API contract for this endpoint.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/reference/api/admin-batch-verify-api-keys.RequestSchema.json`
around lines 7 - 23, The JSON schema currently leaves "requests" and the nested
"credential" optional, allowing empty payloads like {} or {"requests":[{}]};
update the schema for the v2alpha1BatchVerifyAPIKeysRequest and its item type
v2alpha1VerifyAPIKeyRequest so that "requests" is a required property on
v2alpha1BatchVerifyAPIKeysRequest and each item object in the "requests" array
requires "credential" (make "credential" required inside
v2alpha1VerifyAPIKeyRequest) to enforce non-empty batch payloads and valid
credentials.

docs/talos/reference/api/admin-derive-token.RequestSchema.json (1)

19-31: ⚠️ Potential issue | 🟠 Major

credential remains optional in the derive-token request schema.

The request body is required, but object fields are not; without required: ["credential"], an empty object still validates.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/reference/api/admin-derive-token.RequestSchema.json` around lines
19 - 31, The schema currently allows an empty request because the "credential"
property is not required; update the Token derivation request schema by adding a
required array that includes "credential" (e.g., add "required": ["credential"]
to the object that defines "credential", "custom_claims", "scopes", "ttl") so
the derive-token request body must include the credential field; keep the rest
of the property definitions unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/talos/concepts/architecture.md`:
- Line 4: The sidebar_label value is misspelled; update the sidebar_label string
from "Ory Talso architecture" to "Ory Talos architecture" in the document's
frontmatter (look for the sidebar_label key near the top of the file) so the
navigation shows the correct project name.

In `@docs/talos/concepts/rate-limiting.md`:
- Line 3: The page frontmatter title contains a product-name typo: replace the
title string "Ory Talso rate limiting" with the correct "Ory Talos rate
limiting" in the frontmatter (the title: line) so the displayed page title uses
the proper product name.

In `@docs/talos/operate/benchmarks.md`:
- Around line 13-18: The note callout using the :::note block should have two
blank lines before and after its inner content instead of the current single
blank line; update the callout around the PostgreSQL/SQLite sentence by ensuring
there are exactly two line breaks following the opening ":::note" and two line
breaks before the closing ":::". Locate the ":::note" block in
docs/talos/operate/benchmarks.md (the block containing the Commercial edition /
SQLite paragraph) and adjust spacing so the callout content is separated by two
blank lines to meet the markdown guideline.

In `@docs/talos/operate/cache/redis.md`:
- Around line 47-48: The Redis docs contain a contradiction: reconcile the
statements so both files agree on which cache settings are hot-reloadable;
explicitly list which parameters are mutable (e.g., pool_size and timeout) and
which require a restart. Edit the Redis page text to either remove the blanket
"All Redis parameters are immutable" or change it to "Most Redis parameters are
immutable; pool_size and timeout are hot-reloadable" and then update
docs/talos/operate/configure.md to match that same wording; reference the
settings by name (pool_size, timeout) and ensure both documents use identical
phrasing about restart vs hot-reload behavior.

In `@docs/talos/operate/security-hardening.md`:
- Line 22: The current guidance uses `openssl rand -base64 48 | tr -d '\n+/=' |
cut -c1-64` which can yield fewer than 64 characters after deletion; replace it
with a command that guarantees fixed-length output (for example use `openssl
rand -hex 32` to produce exactly 64 hex characters or use `openssl rand -base64
48 | tr -d '\n' | head -c64` to reliably cut to 64 chars). Update the documented
line that currently shows the `openssl rand -base64 48 | tr -d '\n+/=' | cut
-c1-64` command to one of these deterministic alternatives so secret length is
always 64 characters.

In `@docs/talos/reference/api/admin-batch-import-api-keys.RequestSchema.json`:
- Line 11: Replace the vendor-specific example API key in the JSON schema
description by updating the "raw_key" example value to a clearly fake,
product-neutral placeholder (e.g., "example_api_key_123" or
"sk_live_example_000000") so secret scanners stop flagging it; modify the
description text that contains "raw_key": "sk_live_abc123xyz789" in the Admin
batch import request schema (look for the "raw_key", "name", "actor_id",
"scopes", "ttl", "metadata" example block) and substitute the fake placeholder
while keeping the rest of the example unchanged.
- Around line 8-95: The JSON Schema omits required arrays: add a top-level
"required": ["requests"] to the v2alpha1BatchImportAPIKeysRequest object and add
"required": ["actor_id","name","raw_key"] to the ImportAPIKeyRequest schema (the
array item under "requests"); regenerate the OpenAPI artifacts so the published
contract enforces these required fields (refer to the "requests" property, the
"title": "v2alpha1BatchImportAPIKeysRequest" object, and the "title":
"ImportAPIKeyRequest imports an external HMAC-based API key" item schema).

In `@docs/talos/reference/api/admin-batch-import-api-keys.StatusCodes.json`:
- Around line 156-158: The "201" response entry in
admin-batch-import-api-keys.StatusCodes.json documents an empty schema but its
description refers to per-item results; update the "201" response to match the
successful response shape used by "200" (reuse the same "content" ->
"application/json" -> "schema" object) so the body and description are
consistent, or remove the entire "201" entry if the API only returns the single
"200" success shape; target the "201" object in the JSON and make it identical
to the "200" response schema (or delete it).

In `@docs/talos/reference/api/admin-import-api-key.RequestSchema.json`:
- Line 7: Update the example JSON inside the "description" field of
admin-import-api-key.RequestSchema.json so it is valid, copy-pasteable JSON and
scanner-safe: remove the inline JavaScript-style comment (the // 1 year note)
and replace the secret-looking placeholder value for "raw_key" with a clearly
non-sensitive example token (e.g., a non-Stripe-like sample string). Ensure the
rest of the example JSON (fields like "name", "actor_id", "scopes", "ttl",
"metadata") remains intact and valid JSON (no trailing comments or commas).
- Around line 8-83: The JSON schema for ImportAPIKeyRequest is missing a
"required" array so documented required fields are treated as optional; update
the schema (the object titled "ImportAPIKeyRequest") to add a required array
listing "actor_id", "name", and "raw_key" so validators and generators enforce
those fields; ensure the required array is placed alongside "properties" and
keep existing descriptions intact.

In `@docs/talos/reference/api/admin-revoke-api-key.StatusCodes.json`:
- Around line 7-10: The 204 response object currently includes a
content/application/json schema which is invalid for No Content; edit the "204"
response entry (the "204" response object in
admin-revoke-api-key.StatusCodes.json) to remove the entire "content" block so
the response only contains the description ("API key revoked successfully.") and
no payload schema.

In `@docs/talos/reference/api/admin-rotate-issued-api-key.StatusCodes.json`:
- Around line 200-203: The "201" response block currently documents an empty
JSON schema but the real successful rotation returns the rotated key in the
"secret" field, creating an inconsistent reference; update the "201" entry in
the admin-rotate-issued-api-key.StatusCodes.json to either remove the "201"
response if the endpoint never emits it, or replace its "content" schema with
the same response schema used for the actual success payload (including the
"secret" property) so both success responses are consistent.

In `@docs/talos/reference/cli/talos-migrate-force.md`:
- Line 27: The warning callout line "WARNING: This command should be used
carefully as it can lead to inconsistent database state if used incorrectly."
needs two blank lines before and after it; update
docs/talos/reference/cli/talos-migrate-force.md by inserting an extra empty line
above the WARNING line and another empty line below it so the callout is
separated by two line breaks on both sides to match the markdown callout spacing
guideline.

In `@sidebars-oel.ts`:
- Around line 472-589: The sidebar contains incorrect doc IDs (extra "talos-"
prefixes) that don't match the actual doc filenames and will break navigation;
update the items in the Talos sidebar block so each entry matches the real doc
ID/path (e.g., change "talos/concepts/talos-architecture" →
"talos/concepts/architecture", "talos/concepts/talos-token-format" →
"talos/concepts/token-format", "talos/operate/talos-install" →
"talos/operate/install", "talos/integrate/sdk/talos-curl" →
"talos/integrate/sdk/curl", etc.), and scan the entire Talos category (items
arrays under the "Quickstart", "Concepts", "Integrate", "Operate", "Reference"
categories) to replace any other mismatched "talos/..." IDs so they exactly
match the doc filenames added in this PR.

In `@sidebars-oss.ts`:
- Around line 481-608: The sidebar contains mismatched doc IDs — update the
Talos category item strings to match the real doc filenames so Docusaurus can
resolve them; for example replace "talos/concepts/talos-architecture" with
"talos/concepts/architecture", "talos/operate/talos-configure" with
"talos/operate/configure", "talos/integrate/sdk/talos-curl" with
"talos/integrate/sdk/curl", "talos/reference/talos-error-codes" with
"talos/reference/error-codes" and similarly reconcile any other entries under
the "Ory Talos" category (items arrays, nested categories like "Concepts",
"Integrate", "Operate", "Reference") to the actual docs' paths/names.

---

Duplicate comments:
In `@docs/talos/concepts/token-derivation-security.md`:
- Line 18: Update the documented derive endpoint text so it matches the current
API: replace any occurrence of "POST /v2alpha1/tokens:derive" with "POST
/v2alpha1/admin/apiKeys:derive" (and update any nearby examples or curl snippets
that reference the old path) so the docs and the derive endpoint in
token-derivation-security.md align with the rest of Talos docs.

In `@docs/talos/integrate/sdk/go.md`:
- Around line 37-39: Replace the absolute GitHub URL in the docs text with a
repository-relative path to the example file: change the link target from
"https://github.com/ory-corp/talos/blob/dev/tools/doctest/examples/go_sdk/main.go"
to a relative repository path like "tools/doctest/examples/go_sdk/main.go"
(keeping the same link text), ensuring the link remains branch-stable and
conforms to docs conventions.

In `@docs/talos/operate/database/migrations.md`:
- Around line 72-73: The docs currently advise against mutable tags but still
show examples using oryd/talos:latest and oryd/talos-commercial:latest; update
those examples to use explicit, immutable version tags that match the
application image tag (replace "oryd/talos:latest" and
"oryd/talos-commercial:latest" in the examples with the same explicit version
string used for the app image, e.g., "oryd/talos:<app-version>" or an exact
version like "oryd/talos:1.2.3"), and make the same replacement at the second
occurrence noted in the comment so both examples follow the non-mutable-tag
guidance.

In `@docs/talos/operate/deploy/edge-proxy.md`:
- Line 193: The Compose example uses TALOS_DB_DSN pointing to host "db" but the
snippet doesn't define a db service or state it's external; update the docs by
either adding a matching service named "db" to the Compose YAML or explicitly
note as a prerequisite that an external PostgreSQL reachable at host "db:5432"
must exist (and provide guidance on changing TALOS_DB_DSN if the host differs);
edit the Compose snippet and the TALOS_DB_DSN line to ensure the example is
runnable as written and keep the note consistent for lines referencing the same
snippet (186-215).

In `@docs/talos/operate/deploy/kubernetes.md`:
- Around line 75-79: The env mapping is incorrect: change the
TALOS_SECRETS_DEFAULT_CURRENT env var to reference the secretKeyRef key for the
default secret (e.g., key: default-secret) and add a new env var
TALOS_SECRETS_HMAC_CURRENT that references the talos-secrets secretKeyRef key:
hmac-secret; update the secretKeyRef blocks for TALOS_SECRETS_DEFAULT_CURRENT
and TALOS_SECRETS_HMAC_CURRENT so each points to the proper key under name:
talos-secrets.

In `@docs/talos/operate/secrets.md`:
- Around line 95-100: The current pipeline (openssl rand -base64 48 | tr -d
'\n+/=' | cut -c1-64) can produce fewer than 64 characters after stripping +/=:
generate extra entropy before base64 encoding to guarantee at least 64 URL-safe
characters (e.g., use openssl rand -base64 49 and then replace +/ with -_ and
strip '=' before truncating), or use an alternative fixed-length generator like
openssl rand -hex 32 to produce a deterministic 64-character secret; update the
command in the docs to one of these safe options and replace the shown pipeline
accordingly.

In `@docs/talos/operate/security-hardening.md`:
- Line 36: The markdown link currently points to
"../integrate/ip-restrictions.mdx" which is the wrong target; update that link
to the correct relative path under the concepts section (e.g.
"../concepts/ip-restrictions.mdx") so it matches the repository doc structure
and follows the guideline to use relative links with file extensions; replace
the existing "../integrate/ip-restrictions.mdx" reference with the corrected
"../concepts/ip-restrictions.mdx" wherever it appears.

In `@docs/talos/reference/api/admin-batch-verify-api-keys.RequestSchema.json`:
- Around line 7-23: The JSON schema currently leaves "requests" and the nested
"credential" optional, allowing empty payloads like {} or {"requests":[{}]};
update the schema for the v2alpha1BatchVerifyAPIKeysRequest and its item type
v2alpha1VerifyAPIKeyRequest so that "requests" is a required property on
v2alpha1BatchVerifyAPIKeysRequest and each item object in the "requests" array
requires "credential" (make "credential" required inside
v2alpha1VerifyAPIKeyRequest) to enforce non-empty batch payloads and valid
credentials.

In `@docs/talos/reference/api/admin-derive-token.RequestSchema.json`:
- Around line 19-31: The schema currently allows an empty request because the
"credential" property is not required; update the Token derivation request
schema by adding a required array that includes "credential" (e.g., add
"required": ["credential"] to the object that defines "credential",
"custom_claims", "scopes", "ttl") so the derive-token request body must include
the credential field; keep the rest of the property definitions unchanged.

In `@docs/talos/reference/api/admin-verify-api-key.RequestSchema.json`:
- Around line 7-15: The JSON schema for v2alpha1VerifyAPIKeyRequest currently
allows an empty object because the "credential" property is not marked required;
update the schema object (the block defining "title":
"v2alpha1VerifyAPIKeyRequest") to include a "required": ["credential"] array so
that "credential" is mandatory; ensure the "credential" property remains as type
"string" and keep the existing title and structure.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1c8df39f-f064-42f6-9930-a4df0ce1570e

📥 Commits

Reviewing files that changed from the base of the PR and between 9ac94e6 and 938b510.

⛔ Files ignored due to path filters (33)

• docs/talos/integrate/batch-operations.mdx is excluded by !**/*.mdx
• docs/talos/integrate/derive-tokens.mdx is excluded by !**/*.mdx
• docs/talos/integrate/error-handling.mdx is excluded by !**/*.mdx
• docs/talos/integrate/import-keys.mdx is excluded by !**/*.mdx
• docs/talos/integrate/ip-restrictions.mdx is excluded by !**/*.mdx
• docs/talos/integrate/issue-and-verify.mdx is excluded by !**/*.mdx
• docs/talos/integrate/key-lifecycle.mdx is excluded by !**/*.mdx
• docs/talos/integrate/rate-limiting.mdx is excluded by !**/*.mdx
• docs/talos/integrate/self-revocation.mdx is excluded by !**/*.mdx
• docs/talos/quickstart/docker-commercial.mdx is excluded by !**/*.mdx
• docs/talos/quickstart/index.mdx is excluded by !**/*.mdx
• docs/talos/quickstart/preview.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-batch-import-api-keys.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-batch-verify-api-keys.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-delete-imported-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-derive-token.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-get-imported-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-get-issued-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-get-jwks.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-import-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-issue-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-list-imported-api-keys.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-list-issued-api-keys.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-revoke-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-rotate-issued-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-update-imported-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-update-issued-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/admin-verify-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/ory-talos-api.info.mdx is excluded by !**/*.mdx
• docs/talos/reference/api/revoke-api-key.api.mdx is excluded by !**/*.mdx
• docs/talos/reference/config.mdx is excluded by !**/*.mdx
• package-lock.json is excluded by !**/package-lock.json
• src/content/announcement-banner.mdx is excluded by !**/*.mdx

📒 Files selected for processing (137)

• docs/talos/CLAUDE.md
• docs/talos/concepts/architecture.md
• docs/talos/concepts/caching.md
• docs/talos/concepts/credential-types.md
• docs/talos/concepts/index.md
• docs/talos/concepts/ip-restrictions.md
• docs/talos/concepts/rate-limiting.md
• docs/talos/concepts/security-model.md
• docs/talos/concepts/token-derivation-security.md
• docs/talos/concepts/token-format.md
• docs/talos/index.md
• docs/talos/integrate/index.md
• docs/talos/integrate/sdk/curl.md
• docs/talos/integrate/sdk/go.md
• docs/talos/operate/benchmarks.md
• docs/talos/operate/cache/index.md
• docs/talos/operate/cache/memory.md
• docs/talos/operate/cache/redis.md
• docs/talos/operate/configure.md
• docs/talos/operate/database/cockroachdb.md
• docs/talos/operate/database/index.md
• docs/talos/operate/database/migrations.md
• docs/talos/operate/database/mysql.md
• docs/talos/operate/database/postgresql.md
• docs/talos/operate/database/sqlite.md
• docs/talos/operate/deploy/docker.md
• docs/talos/operate/deploy/edge-proxy.md
• docs/talos/operate/deploy/index.md
• docs/talos/operate/deploy/kubernetes.md
• docs/talos/operate/deploy/separate-planes.md
• docs/talos/operate/index.md
• docs/talos/operate/install.md
• docs/talos/operate/monitoring/health-checks.md
• docs/talos/operate/monitoring/index.md
• docs/talos/operate/monitoring/metrics.md
• docs/talos/operate/monitoring/tracing.md
• docs/talos/operate/multi-tenancy.md
• docs/talos/operate/secrets.md
• docs/talos/operate/security-hardening.md
• docs/talos/operate/tls.md
• docs/talos/operate/troubleshooting.md
• docs/talos/reference/api/admin-batch-import-api-keys.RequestSchema.json
• docs/talos/reference/api/admin-batch-import-api-keys.StatusCodes.json
• docs/talos/reference/api/admin-batch-verify-api-keys.RequestSchema.json
• docs/talos/reference/api/admin-batch-verify-api-keys.StatusCodes.json
• docs/talos/reference/api/admin-delete-imported-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-delete-imported-api-key.RequestSchema.json
• docs/talos/reference/api/admin-delete-imported-api-key.StatusCodes.json
• docs/talos/reference/api/admin-derive-token.RequestSchema.json
• docs/talos/reference/api/admin-derive-token.StatusCodes.json
• docs/talos/reference/api/admin-get-imported-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-get-imported-api-key.RequestSchema.json
• docs/talos/reference/api/admin-get-imported-api-key.StatusCodes.json
• docs/talos/reference/api/admin-get-issued-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-get-issued-api-key.RequestSchema.json
• docs/talos/reference/api/admin-get-issued-api-key.StatusCodes.json
• docs/talos/reference/api/admin-get-jwks.RequestSchema.json
• docs/talos/reference/api/admin-get-jwks.StatusCodes.json
• docs/talos/reference/api/admin-import-api-key.RequestSchema.json
• docs/talos/reference/api/admin-import-api-key.StatusCodes.json
• docs/talos/reference/api/admin-issue-api-key.RequestSchema.json
• docs/talos/reference/api/admin-issue-api-key.StatusCodes.json
• docs/talos/reference/api/admin-list-imported-api-keys.ParamsDetails.json
• docs/talos/reference/api/admin-list-imported-api-keys.RequestSchema.json
• docs/talos/reference/api/admin-list-imported-api-keys.StatusCodes.json
• docs/talos/reference/api/admin-list-issued-api-keys.ParamsDetails.json
• docs/talos/reference/api/admin-list-issued-api-keys.RequestSchema.json
• docs/talos/reference/api/admin-list-issued-api-keys.StatusCodes.json
• docs/talos/reference/api/admin-revoke-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-revoke-api-key.RequestSchema.json
• docs/talos/reference/api/admin-revoke-api-key.StatusCodes.json
• docs/talos/reference/api/admin-rotate-issued-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-rotate-issued-api-key.RequestSchema.json
• docs/talos/reference/api/admin-rotate-issued-api-key.StatusCodes.json
• docs/talos/reference/api/admin-update-imported-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-update-imported-api-key.RequestSchema.json
• docs/talos/reference/api/admin-update-imported-api-key.StatusCodes.json
• docs/talos/reference/api/admin-update-issued-api-key.ParamsDetails.json
• docs/talos/reference/api/admin-update-issued-api-key.RequestSchema.json
• docs/talos/reference/api/admin-update-issued-api-key.StatusCodes.json
• docs/talos/reference/api/admin-verify-api-key.RequestSchema.json
• docs/talos/reference/api/admin-verify-api-key.StatusCodes.json
• docs/talos/reference/api/revoke-api-key.RequestSchema.json
• docs/talos/reference/api/revoke-api-key.StatusCodes.json
• docs/talos/reference/api/sidebar.ts
• docs/talos/reference/cli/.gitkeep
• docs/talos/reference/cli/talos-jwk-generate-ecdsa.md
• docs/talos/reference/cli/talos-jwk-generate-eddsa.md
• docs/talos/reference/cli/talos-jwk-generate-hmac.md
• docs/talos/reference/cli/talos-jwk-generate-rsa.md
• docs/talos/reference/cli/talos-jwk-generate.md
• docs/talos/reference/cli/talos-jwk-get.md
• docs/talos/reference/cli/talos-jwk.md
• docs/talos/reference/cli/talos-keys-batch-verify.md
• docs/talos/reference/cli/talos-keys-derive-token.md
• docs/talos/reference/cli/talos-keys-imported-batch-import.md
• docs/talos/reference/cli/talos-keys-imported-delete.md
• docs/talos/reference/cli/talos-keys-imported-get.md
• docs/talos/reference/cli/talos-keys-imported-import.md
• docs/talos/reference/cli/talos-keys-imported-list.md
• docs/talos/reference/cli/talos-keys-imported-revoke.md
• docs/talos/reference/cli/talos-keys-imported.md
• docs/talos/reference/cli/talos-keys-issue.md
• docs/talos/reference/cli/talos-keys-issued-get.md
• docs/talos/reference/cli/talos-keys-issued-issue.md
• docs/talos/reference/cli/talos-keys-issued-list.md
• docs/talos/reference/cli/talos-keys-issued-rotate.md
• docs/talos/reference/cli/talos-keys-issued-update.md
• docs/talos/reference/cli/talos-keys-issued.md
• docs/talos/reference/cli/talos-keys-revoke.md
• docs/talos/reference/cli/talos-keys-self-revoke.md
• docs/talos/reference/cli/talos-keys-verify.md
• docs/talos/reference/cli/talos-keys.md
• docs/talos/reference/cli/talos-migrate-down.md
• docs/talos/reference/cli/talos-migrate-force.md
• docs/talos/reference/cli/talos-migrate-status.md
• docs/talos/reference/cli/talos-migrate-up.md
• docs/talos/reference/cli/talos-migrate.md
• docs/talos/reference/cli/talos-proxy.md
• docs/talos/reference/cli/talos-serve-admin.md
• docs/talos/reference/cli/talos-serve-check.md
• docs/talos/reference/cli/talos-serve.md
• docs/talos/reference/cli/talos.md
• docs/talos/reference/error-codes.md
• docs/talos/reference/events.md
• docs/talos/reference/index.md
• docs/talos/reference/token-format.md
• docusaurus.config.ts
• package.json
• sidebars-oel.ts
• sidebars-oss.ts
• src/components/AnnouncementBanner/AnnouncementBanner.module.css
• src/components/AnnouncementBanner/AnnouncementBanner.tsx
• src/css/theme.css
• src/sidebar-old.ts
• src/theme/Root.js
• src/theme/sidebarProductLabels.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix typo in sidebar label (Talso → Talos).

This shows up in navigation and looks unpolished.

Suggested fix

-sidebar_label: Ory Talso architecture
+sidebar_label: Ory Talos architecture

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	sidebar_label: Ory Talso architecture
	sidebar_label: Ory Talos architecture

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/concepts/architecture.md` at line 4, The sidebar_label value is
misspelled; update the sidebar_label string from "Ory Talso architecture" to
"Ory Talos architecture" in the document's frontmatter (look for the
sidebar_label key near the top of the file) so the navigation shows the correct
project name.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix product-name typo in page title.

Ory Talso should be Ory Talos in the frontmatter title to avoid user-facing inconsistency.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/concepts/rate-limiting.md` at line 3, The page frontmatter title
contains a product-name typo: replace the title string "Ory Talso rate limiting"
with the correct "Ory Talos rate limiting" in the frontmatter (the title: line)
so the displayed page title uses the proper product name.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Resolve restart/hot-reload contradiction for Redis cache settings.

This section says all Redis parameters are immutable, then immediately says pool_size and timeout can be changed without restart. It also conflicts with docs/talos/operate/configure.md (Line 31), which states all cache settings require restart. Please align both docs to one authoritative behavior.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/operate/cache/redis.md` around lines 47 - 48, The Redis docs
contain a contradiction: reconcile the statements so both files agree on which
cache settings are hot-reloadable; explicitly list which parameters are mutable
(e.g., pool_size and timeout) and which require a restart. Edit the Redis page
text to either remove the blanket "All Redis parameters are immutable" or change
it to "Most Redis parameters are immutable; pool_size and timeout are
hot-reloadable" and then update docs/talos/operate/configure.md to match that
same wording; reference the settings by name (pool_size, timeout) and ensure
both documents use identical phrasing about restart vs hot-reload behavior.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid variable-length secret output in hardening guidance.

This command may produce fewer than 64 characters after character deletion, which undermines the recommendation.

Suggested fix

- **Generate secrets cryptographically**: `openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64`.
+ **Generate secrets cryptographically**: `openssl rand -hex 32`.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/operate/security-hardening.md` at line 22, The current guidance
uses `openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64` which can yield
fewer than 64 characters after deletion; replace it with a command that
guarantees fixed-length output (for example use `openssl rand -hex 32` to
produce exactly 64 hex characters or use `openssl rand -base64 48 | tr -d '\n' |
head -c64` to reliably cut to 64 chars). Update the documented line that
currently shows the `openssl rand -base64 48 | tr -d '\n+/=' | cut -c1-64`
command to one of these deterministic alternatives so secret length is always 64
characters.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove the body from the 204 response.

204 No Content cannot carry a payload, so documenting application/json here makes the reference contract inaccurate and can cause generated clients/docs to expect a body where none is allowed. Drop the content block for this response.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/reference/api/admin-revoke-api-key.StatusCodes.json` around lines
7 - 10, The 204 response object currently includes a content/application/json
schema which is invalid for No Content; edit the "204" response entry (the "204"
response object in admin-revoke-api-key.StatusCodes.json) to remove the entire
"content" block so the response only contains the description ("API key revoked
successfully.") and no payload schema.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t document a successful rotation with an empty body here.

This file says secret is only returned once on success, but the alternate 201 success response is documented as {}. That makes the reference internally inconsistent and can mislead integrators into ignoring the only copy of the rotated key. Either remove 201 if the endpoint never emits it, or give it the same response schema as the real success payload.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/talos/reference/api/admin-rotate-issued-api-key.StatusCodes.json` around
lines 200 - 203, The "201" response block currently documents an empty JSON
schema but the real successful rotation returns the rotated key in the "secret"
field, creating an inconsistent reference; update the "201" entry in the
admin-rotate-issued-api-key.StatusCodes.json to either remove the "201" response
if the endpoint never emits it, or replace its "content" schema with the same
response schema used for the actual success payload (including the "secret"
property) so both success responses are consistent.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Fix Talos sidebar doc IDs to match actual Talos doc paths.

Several entries in this new sidebar block reference IDs that do not match the Talos files introduced in this PR context, which will cause unresolved sidebar items (build/nav break).
Examples: talos/concepts/talos-architecture vs docs/talos/concepts/architecture.md, talos/concepts/talos-token-format vs docs/talos/concepts/token-format.md, talos/operate/talos-install vs docs/talos/operate/install.md, talos/integrate/sdk/talos-curl vs docs/talos/integrate/sdk/curl.md.

Please align the items IDs with the actual doc IDs/file paths used by the Talos docs added in this PR.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sidebars-oel.ts` around lines 472 - 589, The sidebar contains incorrect doc
IDs (extra "talos-" prefixes) that don't match the actual doc filenames and will
break navigation; update the items in the Talos sidebar block so each entry
matches the real doc ID/path (e.g., change "talos/concepts/talos-architecture" →
"talos/concepts/architecture", "talos/concepts/talos-token-format" →
"talos/concepts/token-format", "talos/operate/talos-install" →
"talos/operate/install", "talos/integrate/sdk/talos-curl" →
"talos/integrate/sdk/curl", etc.), and scan the entire Talos category (items
arrays under the "Quickstart", "Concepts", "Integrate", "Operate", "Reference"
categories) to replace any other mismatched "talos/..." IDs so they exactly
match the doc filenames added in this PR.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Align the Talos sidebar IDs with the actual doc paths.

Several entries in this tree don't match the supplied Talos docs, so the sidebar will reference unresolved doc IDs. Examples: talos/concepts/talos-architecture vs docs/talos/concepts/architecture.md, talos/operate/talos-configure vs docs/talos/operate/configure.md, talos/integrate/sdk/talos-curl vs docs/talos/integrate/sdk/curl.md, and talos/reference/talos-error-codes vs docs/talos/reference/error-codes.md. Please reconcile this block against the actual filenames before merge.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@sidebars-oss.ts` around lines 481 - 608, The sidebar contains mismatched doc
IDs — update the Talos category item strings to match the real doc filenames so
Docusaurus can resolve them; for example replace
"talos/concepts/talos-architecture" with "talos/concepts/architecture",
"talos/operate/talos-configure" with "talos/operate/configure",
"talos/integrate/sdk/talos-curl" with "talos/integrate/sdk/curl",
"talos/reference/talos-error-codes" with "talos/reference/error-codes" and
similarly reconcile any other entries under the "Ory Talos" category (items
arrays, nested categories like "Concepts", "Integrate", "Operate", "Reference")
to the actual docs' paths/names.