From 76a32fd53bbac2a513c0cd6eb225c42fb517ed08 Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Tue, 3 Jun 2025 11:44:34 -0600 Subject: [PATCH 1/8] Fix [here] link anchors in ee and frontend dirs --- ee/bulk-operations-dashboard/README.md | 4 +--- ee/maintained-apps/README.md | 2 +- ee/vulnerability-dashboard/README.md | 6 ++---- frontend/README.md | 4 ++-- 4 files changed, 6 insertions(+), 10 deletions(-) diff --git a/ee/bulk-operations-dashboard/README.md b/ee/bulk-operations-dashboard/README.md index 037ce338b9e1..92d6ac2c67eb 100644 --- a/ee/bulk-operations-dashboard/README.md +++ b/ee/bulk-operations-dashboard/README.md @@ -38,9 +38,7 @@ To run a local bulk operations dashboard with docker, you can follow these instr 1. `sails_custom__fleetBaseUrl`: The full URL of your Fleet instance. (e.g., https://fleet.example.com) - 2. `sails_custom__fleetApiToken`: An API token for an API-only user on your Fleet instance. - - >You can read about how to create an API-only user and get it's token [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) + 2. `sails_custom__fleetApiToken`: An API token for an [API-only user](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) on your Fleet instance. 3. Open the `ee/bulk-operations-dashboard/` folder in your terminal. diff --git a/ee/maintained-apps/README.md b/ee/maintained-apps/README.md index 943eecc88a07..28b6dbfe2d35 100644 --- a/ee/maintained-apps/README.md +++ b/ee/maintained-apps/README.md 
@@ -99,7 +99,7 @@ After testing make sure to change the Image URL back to `docker.io/fleetdm/fleet 9. Head to the [Fleet server for testing software](https://fleet-iibe.onrender.com/). -10. If your laptop is already enrolled to a different Fleet (e.g. dogfood), we want to unenroll it before enrolling it to the Fleet server for testing software. Learn how unenroll your laptop [here](https://fleetdm.com/guides/how-to-uninstall-fleetd). +10. If your laptop is already enrolled to a different Fleet (e.g. dogfood), we want to [unenroll it](https://fleetdm.com/guides/how-to-uninstall-fleetd) before enrolling it to the Fleet server for testing software. 11. Enroll your laptop to the Fleet server for testing software by selecting **Add** hosts on the **Hosts** page and following the steps to generate Fleet's agent (fleetd) and install it on your laptop. diff --git a/ee/vulnerability-dashboard/README.md b/ee/vulnerability-dashboard/README.md index e6e698818890..f0cf3250822e 100644 --- a/ee/vulnerability-dashboard/README.md +++ b/ee/vulnerability-dashboard/README.md @@ -12,7 +12,7 @@ CVEs are detected and annotated using [NVD, CVSS, EPSS, CISA KEVs, osquery, and ## Why a separate repo? -Should we move this to a subdirectory of fleetdm/confidential and have it deploy from there? +Should we move this to a subdirectory of fleetdm/confidential and have it deploy from there? - Philosophy: [Why do we use one repo?](https://fleetdm.com/handbook/company/why-this-way#why-do-we-use-one-repo) - See also: The "broken windows effect" 
@@ -35,9 +35,7 @@ To run a local vulnerability dashboard with docker, you can follow these instruc 1. `sails_custom__fleetBaseUrl`: The full URL of your Fleet instance. (e.g., https://fleet.example.com) - 2. `sails_custom__fleetApiToken`: AN API token for an API-only user on your Fleet instance. - - >You can read about how to create an API-only user and get it's token [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) + 2. `sails_custom__fleetApiToken`: An API token for an [API-only user](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user) on your Fleet instance. 3. Open the `ee/vulnerability-dashboard/` folder in your terminal 4. Run `docker compose up --build` to build the vulnerability dashboard's Docker image. diff --git a/frontend/README.md b/frontend/README.md index 2582bfa79391..31457e7111a7 100644 --- a/frontend/README.md +++ b/frontend/README.md @@ -110,7 +110,7 @@ and `bundle.css` files. The HTML page also includes the HTML element in which th ### [test](./test) The test directory includes test helpers, API request mocks, and stubbed data entities for use in test files. -More on test helpers, stubs, and request mocks [here](./test/README.md). +See [the UI testing documentation](./test/README.md) for more on test helpers, stubs, and request mocks. ### [utilities](./utilities) @@ -121,7 +121,7 @@ etc. ## Patterns -The list of patterns used in the Fleet UI codebase can be found [here](./docs/patterns.md). +The list of patterns used in the Fleet UI codebase can be found [in `patterns.md`](./docs/patterns.md). ## Storybook From 6cf102a47e355fc9968434de9d8e17b7501c5f50 Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Tue, 3 Jun 2025 11:57:40 -0600 Subject: [PATCH 2/8] Start fixing [here] links in REST API docs --- docs/REST API/rest-api.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index 89a25de3d73f..395c87acbccd 100644 
--- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -745,7 +745,7 @@ None. Returns all information about the Fleet's configuration. -The `agent_options`, `sso_settings` and `smtp_settings` fields are only returned for admin and GitOps users with global access. Learn more about roles and permissions [here](https://fleetdm.com/guides/role-based-access). +The `agent_options`, `sso_settings` and `smtp_settings` fields are only returned for admin and GitOps users with global access (see the [Role-based access docs](https://fleetdm.com/guides/role-based-access)). `mdm.macos_settings.custom_settings`, `mdm.windows_settings.custom_settings`, `scripts`, and `mdm.macos_setup` only include the configuration profiles, scripts, and setup experience settings applied using [Fleet's YAML](https://fleetdm.com/docs/configuration/yaml-files). To list profiles, scripts, or setup experience settings added in the UI or API, use the [List configuration profiles](https://fleetdm.com/docs/rest-api/rest-api#list-custom-os-settings-configuration-profiles), [List scripts](https://fleetdm.com/docs/rest-api/rest-api#list-scripts), or GET endpoints from [Setup experience](https://fleetdm.com/docs/rest-api/rest-api#setup-experience) instead. @@ -3279,7 +3279,7 @@ If `hostname` is specified when there is more than one host with the same hostna #### Get host by device token -Returns a subset of information about the host specified by `token`. To get all information about a host, use the "Get host" endpoint [here](#get-host). +Returns a subset of information about the host specified by `token`. To get all information about a host, use the ["Get host"](#get-host) endpoint. This is the API route used by the **My device** page in Fleet desktop to display information about the host to the end user. 
@@ -3732,7 +3732,7 @@ Updates the email for the `custom` data source in the human-device mapping. This Retrieves information about a single host's device health. -This report includes a subset of host vitals, and simplified policy and vulnerable software information. Data is cached to preserve performance. To get all up-to-date information about a host, use the "Get host" endpoint [here](#get-host). +This report includes a subset of host vitals, and simplified policy and vulnerable software information. Data is cached to preserve performance. To get all up-to-date information about a host, use the ["Get host"](#get-host) endpoint. `GET /api/v1/fleet/hosts/:id/health` @@ -5557,7 +5557,7 @@ solely on the response status code returned by this endpoint. ### Update disk encryption enforcement -> `PATCH /api/v1/fleet/mdm/apple/settings` API endpoint is deprecated as of Fleet 4.45. It is maintained for backward compatibility. Please use the new API endpoint below. See old API endpoint docs [here](https://github.com/fleetdm/fleet/blob/main/docs/REST%20API/rest-api.md?plain=1#L4296C29-L4296C29). +> The `PATCH /api/v1/fleet/mdm/apple/settings` API endpoint is deprecated as of Fleet 4.45. It is maintained for backward compatibility. Please use the new API endpoint below. You can view [archived docuementation for the deprecated endpoint](https://github.com/iansltx/fleet/blob/d1791518a43c9d290192dbf992bcea290c8158a3/docs/REST%20API/rest-api.md#update-disk-encryption-enforcement). _Available in Fleet Premium_ From 288f2443048c574ec63139e3f1833834af84e321 Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Tue, 3 Jun 2025 14:27:06 -0600 Subject: [PATCH 3/8] Fix [here] links in REST API docs Also includes a new subheading for human-device mapping in profiles article --- articles/config-less-fleetd-agent-deployment.md | 2 ++ docs/REST API/rest-api.md | 14 ++++++-------- 2 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/articles/config-less-fleetd-agent-deployment.md b/articles/config-less-fleetd-agent-deployment.md index 2ca3b5cd7c93..b1fd49f3eabb 100644 --- a/articles/config-less-fleetd-agent-deployment.md +++ b/articles/config-less-fleetd-agent-deployment.md @@ -73,6 +73,8 @@ fleetctl package --type=pkg --use-system-configuration --fleet-desktop ``` +### Using human-device mapping + You can optionally specify the `END_USER_EMAIL` that will be added to the host's [human-device mapping](https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping): ```xml diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index 395c87acbccd..41a47385984a 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -5777,12 +5777,10 @@ Deletes the custom MDM setup enrollment profile assigned to a team or no team. `GET /api/v1/fleet/enrollment_profiles/ota` -The returned value is a signed `.mobileconfig` OTA enrollment profile. Install this profile on macOS, iOS, or iPadOS hosts to enroll them to a specific team in Fleet and turn on MDM features. +The returned value is a signed `.mobileconfig` OTA enrollment profile (see [Apple enrollment profile docs](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html)). Install this profile on macOS, iOS, or iPadOS hosts to enroll them to a specific team in Fleet and turn on MDM features. To enroll macOS hosts, turn on MDM features, and add [human-device mapping](#get-human-device-mapping), install the [manual enrollment profile](#get-manual-enrollment-profile) instead. -Learn more about OTA profiles [here](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html). - #### Parameters | Name | Type | In | Description | 
@@ -5848,7 +5846,7 @@ Learn more about OTA profiles [here](https://developer.apple.com/library/archive Retrieves an unsigned manual enrollment profile for macOS hosts. Install this profile on macOS hosts to turn on MDM features manually. -To add [human-device mapping](#get-human-device-mapping), add the end user's email to the enrollment profle. Learn how [here](https://fleetdm.com/guides/config-less-fleetd-agent-deployment#basic-article). +To add [human-device mapping](#get-human-device-mapping), [add the end user's email to the enrollment profle](https://fleetdm.com/guides/config-less-fleetd-agent-deployment#using-human-device-mapping). `GET /api/v1/fleet/enrollment_profiles/manual` @@ -6423,7 +6421,7 @@ Delete a script that will automatically run during macOS setup. ### Run MDM command -> `POST /api/v1/fleet/mdm/apple/enqueue` API endpoint is deprecated as of Fleet 4.40. It is maintained for backward compatibility. Please use the new API endpoint below. See old API endpoint docs [here](https://github.com/fleetdm/fleet/blob/fleet-v4.39.0/docs/REST%20API/rest-api.md#run-custom-mdm-command). +> `POST /api/v1/fleet/mdm/apple/enqueue` API endpoint is deprecated as of Fleet 4.40. It is maintained for backward compatibility. Please use the new API endpoint below. [Archived documentation](https://github.com/fleetdm/fleet/blob/fleet-v4.39.0/docs/REST%20API/rest-api.md#run-custom-mdm-command) is available for the deprecated endpoint. This endpoint tells Fleet to run a custom MDM command, on the targeted macOS or Windows hosts, the next time they come online. 
@@ -6456,7 +6454,7 @@ Note that the `EraseDevice` and `DeviceLock` commands are _available in Fleet Pr ### Get MDM command results -> `GET /api/v1/fleet/mdm/apple/commandresults` API endpoint is deprecated as of Fleet 4.40. It is maintained for backward compatibility. Please use the new API endpoint below. See old API endpoint docs [here](https://github.com/fleetdm/fleet/blob/fleet-v4.39.0/docs/REST%20API/rest-api.md#get-custom-mdm-command-results). +> `GET /api/v1/fleet/mdm/apple/commandresults` API endpoint is deprecated as of Fleet 4.40. It is maintained for backward compatibility. Please use the new API endpoint below. [[Archived docuemntation](https://github.com/fleetdm/fleet/blob/fleet-v4.39.0/docs/REST%20API/rest-api.md#get-custom-mdm-command-results) is available for the deprecated endpoint. This endpoint returns the results for a specific custom MDM command. @@ -6468,7 +6466,7 @@ In the reponse, the possible `status` values for macOS, iOS, and iPadOS hosts ar * Error: the host responded with "Error" status via the MDM protocol: an error occurred. Run the `fleetctl get mdm-command-results --id= `GET /api/v1/fleet/mdm/apple/commands` API endpoint is deprecated as of Fleet 4.40. It is maintained for backward compatibility. Please use the new API endpoint below. See old API endpoint docs [here](https://github.com/fleetdm/fleet/blob/fleet-v4.39.0/docs/REST%20API/rest-api.md#list-custom-mdm-commands). +> `GET /api/v1/fleet/mdm/apple/commands` API endpoint is deprecated as of Fleet 4.40. It is maintained for backward compatibility. Please use the new API endpoint below. [Archived documentation](https://github.com/fleetdm/fleet/blob/fleet-v4.39.0/docs/REST%20API/rest-api.md#list-custom-mdm-commands) is available for the deprecated endpoint. This endpoint returns the list of custom MDM commands that have been executed. From bac923a13dc75dfe6aacbd8a7879f2f687e61353 Mon Sep 17 00:00:00 2001 
From: Ian Littman Date: Tue, 3 Jun 2025 16:07:36 -0600 Subject: [PATCH 4/8] Fix [here] links reverse-alphabetically up to docs/Configuration --- .../software/vulnerability-processing.md | 10 +++--- .../testing-and-local-development.md | 4 +-- .../guides/api/adding-new-endpoints.md | 3 +- .../Contributing/guides/cli/fleetctl-apply.md | 2 +- .../mdm/custom-configuration-web-url.md | 2 +- .../mdm/windows-mdm-glossary-and-protocol.md | 4 +-- .../reference/api-for-contributors.md | 2 +- docs/Contributing/reference/faq.md | 2 +- .../software/software-version-extract.md | 10 +++--- .../workflows/deploying-chrome-test-ext.md | 2 +- docs/Deploy/Reference-Architectures.md | 13 ++++---- docs/Get started/FAQ.md | 32 +++++++------------ .../docs/view-basic-documentation.js | 2 +- 13 files changed, 40 insertions(+), 48 deletions(-) diff --git a/docs/Contributing/architecture/software/vulnerability-processing.md b/docs/Contributing/architecture/software/vulnerability-processing.md index 7a159bc000b2..490602a98289 100644 --- a/docs/Contributing/architecture/software/vulnerability-processing.md +++ b/docs/Contributing/architecture/software/vulnerability-processing.md 
@@ -82,9 +82,10 @@ and report back any vulnerabilities to which the software is susceptible. First, we determine what Linux distributions are part of your fleet (keep in mind that there will be a small delay between the time a new Linux host is added and the time the host is "detected"). We then -use that information to determine what OVAL definitions need to be downloaded and parsed - you can find -a list of all the OVAL definitions we use [here](https://github.com/fleetdm/nvd/blob/master/oval_sources.json). OVAL definitions will be -refreshed on a daily basis. +use that information to determine what OVAL definitions need to be downloaded and parsed. You can find +a list of all the OVAL definitions we use in the +[`fleetdm/nvd` repository](https://github.com/fleetdm/nvd/blob/master/oval_sources.json). OVAL definitions are +refreshed daily. *NOTE:* Amazon Linux 2 is included in the OVAL mapping but vulnerabilities are no longer pulled via that file as of 4.56.0 due to false positives (Amazon backports fixes and releases updates independent of RHEL). @@ -146,7 +147,8 @@ instance that does the processing. RAM spikes are expected to not exceed the 2GB As with Windows/Mac OS, vulnerability detection for Linux is performed on a single Fleet server. The files downloaded will vary depending on what distributions are on your fleet. The list of all the -OVAL files we use can be found [here](https://github.com/fleetdm/nvd/blob/master/oval_sources.json). +OVAL files we use can be found in the +[`fleetdm/nvd` repository](https://github.com/fleetdm/nvd/blob/master/oval_sources.json). When determining what specific file(s) to download we use the reported OS version and map that to an entry in the `oval_sources.json` dictionary. The mapping rules we use are fairly simple, depending on the diff --git a/docs/Contributing/getting-started/testing-and-local-development.md b/docs/Contributing/getting-started/testing-and-local-development.md index e708baa0fed5..4edf6368a5bb 100644 
--- a/docs/Contributing/getting-started/testing-and-local-development.md +++ b/docs/Contributing/getting-started/testing-and-local-development.md @@ -101,7 +101,7 @@ $ docker-compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up ### Redis cluster on macOS -Redis cluster mode can also be run on macOS, but requires an extra component to give the local development environment access to the docker network. The required tool is located [here](https://github.com/chipmk/docker-mac-net-connect). Run the following commands to setup the docker VPN bridge: +Redis cluster mode can also be run on macOS, but requires [Docker Mac Net Connect](https://github.com/chipmk/docker-mac-net-connect) to give the local development environment access to the docker network. Run the following commands to setup the docker VPN bridge: ```sh # Install via Homebrew @@ -664,7 +664,7 @@ To use the workflow, follow these steps: - Select "Developer ID Installer" and follow the prompts to create and download the certificate. - Install the downloaded certificate to your keychain. - Locate the certificate in your Keychain and confirm everything looks correct. Run this command to confirm you see it listed `security find-identity -v` - - If the security command does not show your newly added certificate you may need to install the `Developer ID - G2 (Expiring 09/17/2031 00:00:00 UTC)` certificate from [here](https://www.apple.com/certificateauthority/). + - If the security command does not show your newly added certificate you may need to install the `Developer ID - G2 (Expiring 09/17/2031 00:00:00 UTC)` certificate from [Apple PKI](https://www.apple.com/certificateauthority/). 3. Sign your pkg with the `productsign` command replacing the placeholders with your actual values: `productsign --sign "Developer ID Installer: Your Apple Account Name (serial number)" ` 
diff --git a/docs/Contributing/guides/api/adding-new-endpoints.md b/docs/Contributing/guides/api/adding-new-endpoints.md index 3cb27feb54e1..0db6f7942a0c 100644 --- a/docs/Contributing/guides/api/adding-new-endpoints.md +++ b/docs/Contributing/guides/api/adding-new-endpoints.md @@ -168,8 +168,7 @@ Now that the endpoint is all connected in the right places, a few things happen 3. [User](https://github.com/fleetdm/fleet/blob/main/server/service/endpoint_utils.go#L311) or [host](https://github.com/fleetdm/fleet/blob/main/server/service/endpoint_utils.go#L318) or [device](https://github.com/fleetdm/fleet/blob/main/server/service/endpoint_utils.go#L295) token authentication. -4. API versioning. You probably noticed the `_version_` portion of the URL above. More on this approach -[here](./API-Versioning.md). +4. [API versioning](../api-versioning.md) (mapping `_version_` to `latest` and `v1`). One thing to note is that while we used an empty struct `countAllHostsRequest`, we could've easily skipped defining it and used `nil`, but it was added for the sake of this documentation. diff --git a/docs/Contributing/guides/cli/fleetctl-apply.md b/docs/Contributing/guides/cli/fleetctl-apply.md index 378fb05a5b3e..32094d8fc340 100644 --- a/docs/Contributing/guides/cli/fleetctl-apply.md +++ b/docs/Contributing/guides/cli/fleetctl-apply.md @@ -2,7 +2,7 @@ The `fleectl apply` command and YAML interface is used for one-off imports and backwards compatibility GitOps. -To use Fleet's best practice GitOps, check out the GitOps docs [here](https://fleetdm.com/docs/using-fleet/gitops). +To use Fleet's best practice GitOps, check out the [GitOps docs](https://fleetdm.com/docs/using-fleet/gitops). ## Queries diff --git a/docs/Contributing/product-groups/mdm/custom-configuration-web-url.md b/docs/Contributing/product-groups/mdm/custom-configuration-web-url.md index db9012e68faa..fdc91e79b178 100644 --- a/docs/Contributing/product-groups/mdm/custom-configuration-web-url.md 
+++ b/docs/Contributing/product-groups/mdm/custom-configuration-web-url.md @@ -1,6 +1,6 @@ ## Custom configuration web URL -In Fleet, you can require end users to authenticate with your identity provider (IdP) before they can use their new Mac. Learn more [here](../Using%20Fleet/MDM-macOS-setup-experience.md#end-user-authentication-and-eula). +In Fleet, [you can require end users to authenticate with your identity provider (IdP) before they can use their new Mac](https://fleetdm.com/guides/macos-setup-experience#end-user-authentication-and-end-user-license-agreement-eula). Some customers require end users to authenticate with a custom web application instead of an IdP. diff --git a/docs/Contributing/product-groups/mdm/windows-mdm-glossary-and-protocol.md b/docs/Contributing/product-groups/mdm/windows-mdm-glossary-and-protocol.md index 94dc6095db18..2be50246bd92 100644 --- a/docs/Contributing/product-groups/mdm/windows-mdm-glossary-and-protocol.md +++ b/docs/Contributing/product-groups/mdm/windows-mdm-glossary-and-protocol.md @@ -88,7 +88,7 @@ https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dvrd/296ebf70-b | 0x00000400 | Instructs the client to delete any expired, revoked, or renewed certificate from the user's certificate stores. | | 0x00002000 | This flag instructs the client to reuse the private key for a smart card–based certificate renewal if it is unable to create a new private key on the card. | - `EnrollmentState` - The best documentation we can find is [here](https://learn.microsoft.com/en-us/graph/api/resources/intune-shared-enrollmentstate?view=graph-rest-beta) + The best documentation we can find is in [Microsoft's Graph REST API Beta docs](https://learn.microsoft.com/en-us/graph/api/resources/intune-shared-enrollmentstate?view=graph-rest-beta). | Member | Value | Description | |--------------|-------|--------------------------------------------------------------------------------------------------------------------| 
@@ -106,7 +106,7 @@ https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dvrd/296ebf70-b From what I've seen, value 6 on AAD, 1 on manual - `isFederated` - According to [this web page](https://learn.microsoft.com/en-us/windows/client-management/federated-authentication-device-enrollment), being federated means that the MDM + According to [Microsoft's Federated authentication device enrollment documentation](https://learn.microsoft.com/en-us/windows/client-management/federated-authentication-device-enrollment), being federated means that the MDM endpoints and details were fetched from a Discovery endpoint, instead of being manually installed. The page does not make mention of the specific registry key, but we are making an assumption that diff --git a/docs/Contributing/reference/api-for-contributors.md b/docs/Contributing/reference/api-for-contributors.md index fe8521a3a6b6..6bdd75dac013 100644 --- a/docs/Contributing/reference/api-for-contributors.md +++ b/docs/Contributing/reference/api-for-contributors.md 
@@ -1112,7 +1112,7 @@ This endpoint handles over the air (OTA) MDM enrollments | Name | Type | In | Description | | ------------------- | ------ | ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | enroll_secret | string | url | **Required** Assigns the host to a team with a matching enroll secret | -| XML device response | XML | body | **Required**. The XML response from the device. Fields are documented [here](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/ConfigurationProfileExamples/ConfigurationProfileExamples.html#//apple_ref/doc/uid/TP40009505-CH4-SW7) | +| XML device response | XML | body | **Required**. The XML response from the device. See [Apple configuration profile documentation](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/ConfigurationProfileExamples/ConfigurationProfileExamples.html#//apple_ref/doc/uid/TP40009505-CH4-SW7) for examples. | > Note: enroll secrets can contain special characters. Ensure any special characters are [properly escaped](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). diff --git a/docs/Contributing/reference/faq.md b/docs/Contributing/reference/faq.md index 3ff06d83fcf4..ef206613f373 100644 --- a/docs/Contributing/reference/faq.md +++ b/docs/Contributing/reference/faq.md 
@@ -102,6 +102,6 @@ Hosts running Fleet Desktop will need access to these API endpoints: * `/api/latest/fleet/device/.+/desktop` * `/api/latest/fleet/device/.+/ping` -> Full list [here](https://github.com/fleetdm/fleet/blob/c080a3b0e1eed2184b4b7bb77a6abd8c2c39b9f4/server/service/handler.go#L791-L839) +For a full list of endpoints, open [Fleet's routes file](https://github.com/fleetdm/fleet/blob/main/server/service/handler.go), then look for endpoint declarations prefixed with `de.`, `demdm.`, `he.`, `oe.`, `oeAppleMDM.`, or `oeWindowsMDM.`. diff --git a/docs/Contributing/research/software/software-version-extract.md b/docs/Contributing/research/software/software-version-extract.md index 68346edcac2d..b3d83f2d76fa 100644 --- a/docs/Contributing/research/software/software-version-extract.md +++ b/docs/Contributing/research/software/software-version-extract.md @@ -61,7 +61,7 @@ $ emit fleet-osquery.msi | ./pyenv/bin/xtmsi MsiTables.json | jq '.Property[] | } ``` -A partial implementation that reads the CFB format can be found [here](https://github.com/fleetdm/fleet/blob/85ee1f7bb9fe33ece20aca0f38678fb5390d3e9c/pkg/file/msi.go). +A partial implementation that reads the CFB format can be found in the [MSI metadata extraction code](https://github.com/fleetdm/fleet/blob/main/pkg/file/msi.go). ### Apple Disk Image (.dmg) @@ -136,7 +136,7 @@ file input: - Firefox treats it as a folder, and won't let you select it as a unit (screenshot) - Safari and Chrome automatically compresses the folder in zip format (screenshot) -A full implementation that reads the name and version from `Info.plist` can be found [here](https://github.com/fleetdm/fleet/blob/85ee1f7bb9fe33ece20aca0f38678fb5390d3e9c/pkg/file/app.go). +A full implementation that reads the name and version from `Info.plist` can be found [in the application bundle extraction code](https://github.com/fleetdm/fleet/blob/85ee1f7bb9fe33ece20aca0f38678fb5390d3e9c/pkg/file/app.go). ### PKG installers (.pkg) 
@@ -145,11 +145,11 @@ Under the hood, `.pkg` installers are compressed files in `xar` format. PKG installers are required to have a [Distribution](https://developer.apple.com/library/archive/documentation/DeveloperTools/Reference/DistributionDefinitionRef/Chapters/Distribution_XML_Ref.html) file from which we can extract the name and version. A full implementation that reads the name and version from the `Distribution` file -can be found [here](https://github.com/fleetdm/fleet/blob/85ee1f7bb9fe33ece20aca0f38678fb5390d3e9c/pkg/file/xar.go). +can be found in the [XAR metadata extraction code](https://github.com/fleetdm/fleet/blob/85ee1f7bb9fe33ece20aca0f38678fb5390d3e9c/pkg/file/xar.go). ### Portable Executable (.exe) -The PE format is well documented in [here](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format) +Microsoft has [documentation for the PE format](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format). The Go standard library provides a `"debug/pe"` package that we could use as a starting point, but it's not really tailored to our use case. @@ -162,7 +162,7 @@ For the PoC, I used a Go library that's a bit heavy but does the heavy lifting f Deb files are `ar` archives that contain a `control.tar` archive with meta-information, including name and version. -Code that extracts the values can be found [here](https://github.com/sassoftware/relic/blob/6c510a666832163a5d02587bda8be970d5e29b8c/lib/signdeb/control.go#L38-L39) +Code that extracts the values is included in the [relic](https://github.com/sassoftware/relic/blob/6c510a666832163a5d02587bda8be970d5e29b8c/lib/signdeb/control.go#L38-L39) library. ## Additional considerations diff --git a/docs/Contributing/workflows/deploying-chrome-test-ext.md b/docs/Contributing/workflows/deploying-chrome-test-ext.md index bbaefeb3d0cb..6e574183049b 100644 --- a/docs/Contributing/workflows/deploying-chrome-test-ext.md +++ b/docs/Contributing/workflows/deploying-chrome-test-ext.md 
@@ -58,7 +58,7 @@ lt --port 8000 --subdomain test-new-tables ### Deploy the extension using Google Admin -> Follow the instructions [here](https://fleetdm.com/docs/using-fleet/enroll-hosts#enroll-chromebooks) for installing the fleetd Chrome extension, with the following modifications: +> Follow the [Chromebook enrollment instructions](https://fleetdm.com/docs/using-fleet/enroll-hosts#enroll-chromebooks) for installing the fleetd Chrome extension, with the following modifications: > + Select the "ChromeOSTesting" group. > + For "Extension ID", use the ID previously copied. > + For "Installation URL", use `http://test-new-tables.loca.lt/updates.xml`. diff --git a/docs/Deploy/Reference-Architectures.md b/docs/Deploy/Reference-Architectures.md index ae753efec44d..fdecab8c2629 100644 --- a/docs/Deploy/Reference-Architectures.md +++ b/docs/Deploy/Reference-Architectures.md 
@@ -147,20 +147,19 @@ There are a few strategies that can be used to ensure high availability: #### Database HA -Fleet recommends RDS Aurora MySQL when running on AWS. More details about backups/snapshots can be found -[here](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html). It is also +Fleet recommends RDS Aurora MySQL when running on AWS with [backups](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html) turned on. It is also possible to dynamically scale read replicas to increase performance and [enable database fail-over](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.AuroraHighAvailability.html). It is also possible to use [Aurora Global](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html) to -span multiple regions for more advanced configurations(_not included in the [reference terraform](https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws-tf-module)_). +span multiple regions for more advanced configurations (_not included in the [reference terraform](https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws-tf-module)_). In some cases adding a read replica can increase database performance for specific access patterns. In scenarios when automating the API or with `fleetctl`, there can be benefits to read performance. **Note:Fleet servers need to talk to a writer in the same datacenter. Cross region replication can be used for failover but writes need to be local.** #### Traffic load balancing -Load balancing enables distributing request traffic over many instances of the backend application. Using AWS Application -Load Balancer can also [offload SSL termination](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html), freeing Fleet to spend the majority of its allocated compute dedicated -to its core functionality. 
More details about ALB can be found [here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html). +Load balancing enables distributing request traffic over many instances of the backend application. Using [AWS Application +Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) can also [offload SSL termination](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html), freeing Fleet to spend the majority of its allocated compute dedicated +to its core functionality. _**Note if using [terraform reference architecture](https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws-tf-module) all configurations can dynamically scale based on load(cpu/memory) and all configurations assume On-Demand pricing (savings are available through Reserved Instances). Calculations do not take into account NAT gateway charges or other networking related ingress/egress costs.**_ @@ -226,7 +225,7 @@ See https://fleetdm.com/docs/deploy/deploy-fleet#render | Redis | 6 | cache.m6g.large | 3 | | MySQL | 8.0.mysql_aurora.3.07.1 | db.r6g.16xlarge | 2 | -AWS reference architecture can be found [here](https://github.com/fleetdm/fleet-terraform/tree/main/example). This configuration includes: +AWS reference architecture can be found in the [reference terraform](https://github.com/fleetdm/fleet-terraform/tree/main/example). This configuration includes: - VPC - Subnets diff --git a/docs/Get started/FAQ.md b/docs/Get started/FAQ.md index bf78280fc63a..2b3b56202b9e 100644 --- a/docs/Get started/FAQ.md +++ b/docs/Get started/FAQ.md 
@@ -132,7 +132,8 @@ Anyone is free to contribute to the free or paid features of the project. We are The only way we are able to partner as a business to provide support and build new open source and paid features is through customers purchasing Fleet Premium. ## How can I uninstall fleetd? -To uninstall Fleet's agent (fleetd), follow the instructions [here](https://fleetdm.com/guides/how-to-uninstall-fleetd). + +See the ["How to uninstall fleetd" guide](https://fleetdm.com/guides/how-to-uninstall-fleetd). ## What is your commitment to open source stewardship? @@ -183,8 +184,7 @@ The update frequency for labels is configurable with the [—osquery_label_updat ### Can I modify built-in labels? -While it is possible to modify built-in labels using `fleetctl` or the REST API, doing so is not recommended because it can lead to errors in the Fleet UI. -Find more information [here](https://github.com/fleetdm/fleet/issues/12479). +No, [built-in labels cannot be modified](https://github.com/fleetdm/fleet/issues/18034). ### How do I revoke the authorization tokens for a user? @@ -351,7 +351,7 @@ fleetctl package --fleetctl package --type=deb --fleet-url=https://localhost:808 ### Can I hide known vulnerabilities that I feel are insignificant? -This isn't currently supported, but we're working on it! You can track that issue [here](https://github.com/fleetdm/fleet/issues/3152). +This isn't currently supported, but a [feature request for dismissing vulnerabilities](https://github.com/fleetdm/fleet/issues/22761) is tracked in GitHub. ### Can I create reports based on historical data in Fleet? 
@@ -365,11 +365,6 @@ The [REST API](https://fleetdm.com/docs/using-fleet/rest-api) is somewhat simila The [Fleet UI](https://fleetdm.com/docs/using-fleet/fleet-ui) is built for human users to make interfacing with the Fleet server user-friendly and visually appealing. It also makes things simpler and more accessible to a broader range of users. - -### Why can't I run queries with `fleetctl` using a new API-only user? - -In versions prior to Fleet 4.13, a password reset is needed before a new API-only user can perform queries. You can find detailed instructions for setting that up [here](https://github.com/fleetdm/fleet/blob/a1eba3d5b945cb3339004dd1181526c137dc901c/docs/Using-Fleet/fleetctl-CLI.md#reset-the-password). - ### Can I audit actions taken in Fleet? The [REST API `activities` endpoint](https://fleetdm.com/docs/using-fleet/rest-api#activities) provides a full breakdown of actions taken on queries, policies, and teams (Available in Fleet Premium) through the UI, the REST API, or `fleetctl`. @@ -397,7 +392,7 @@ $ fleetctl get hosts --json | jq '.spec .os_version' | sort | uniq -c ### How do I downgrade from Fleet Premium to Fleet Free? -> If you'd like to renew your Fleet Premium license key, please contact us [here](https://fleetdm.com/company/contact). +> If you'd like to renew your Fleet Premium license key, please [contact us](https://fleetdm.com/company/contact). **Back up your users and update all team-level users to global users** 
@@ -425,7 +420,7 @@ $ fleetctl get hosts --json | jq '.spec .os_version' | sort | uniq -c **Remove your Fleet Premium license key** -1. Remove your license key from your Fleet configuration. Documentation on where the license key is located in your configuration is [here](https://fleetdm.com/docs/deploying/configuration#license). +1. Remove your license key from your [Fleet configuration](https://fleetdm.com/docs/deploying/configuration#license). 2. Restart your Fleet server. ### If I use a software orchestration tool (Ansible, Chef, Puppet, etc.) to manage agent options, do I have to apply the same options in the Fleet UI? @@ -484,10 +479,7 @@ Packs are a function of osquery that provide a portable format to import/export Instead, 2017 "packs" functionality has been combined with the concept of queries. Queries now have built-in schedule features and (in Fleet Premium) can target specific groups of hosts via teams. -The "Packs" section of the UI has been removed, but access via the API and CLI is still available for backward compatibility. The `fleetctl upgrade-packs` command can be used to convert existing 2017 "packs" to queries. - -Read more about osquery packs and Fleet's commitment to supporting them [here](https://fleetdm.com/handbook/company/why-this-way#why-does-fleet-support-query-packs). - +The "Packs" section of the UI has been removed, but [access to query packs via the API and CLI is still available](https://fleetdm.com/handbook/company/why-this-way#why-does-fleet-support-query-packs). The `fleetctl upgrade-packs` command can be used to convert existing 2017 "packs" to queries. ### What happens when I turn off MDM? 
@@ -498,8 +490,8 @@ When you turn off MDM for a host, Fleet removes the enforcement of all macOS set To enforce macOS settings and send macOS update reminders, the host has to turn MDM back on. Turning MDM back on for a host requires end user action. ### What does "package root files: heat failed" mean? -We've found this error when you try to build an MSI on Docker 4.17. The underlying issue has been fixed in Docker 4.18, so we recommend upgrading. More information [here](https://github.com/fleetdm/fleet/issues/10700) +We've found this error when you try to build an MSI on Docker 4.17. The underlying issue has been fixed in Docker 4.18, so [we recommend upgrading to Docker 4.18 or later](https://github.com/fleetdm/fleet/issues/10700). ## Deployment @@ -577,7 +569,7 @@ NODE_TLS_REJECT_UNAUTHORIZED=0 sails console ### I'm only getting partial results from live queries -Redis has an internal buffer limit for pubsub that Fleet uses to communicate query results. If this buffer is filled, extra data is dropped. To fix this, we recommend disabling the buffer size limit. Most installs of Redis should have plenty of spare memory to not run into issues. More info about this limit can be found [here](https://redis.io/topics/clients#:~:text=Pub%2FSub%20clients%20have%20a,64%20megabyte%20per%2060%20second.) and [here](https://raw.githubusercontent.com/redis/redis/unstable/redis.conf) (search for client-output-buffer-limit). +Redis has an internal buffer limit for pubsub that Fleet uses to communicate query results. If this buffer is filled, extra data is dropped. To fix this, we recommend disabling the [pubsub buffer size limit in redis.conf](https://github.com/bertramdev/redis-lab/blob/6b764063013d6d5df0a902bdfea802c526a13881/redis.conf#L564). Most installs of Redis should have plenty of spare memory to not run into issues. We recommend a config like the following: 
@@ -653,7 +645,7 @@ The user `fleet prepare db` (via environment variable `FLEET_MYSQL_USERNAME` or ### Does Fleet support MySQL replication? -You can deploy MySQL or Maria any way you want. We recommend using managed/hosted mysql so you don't have to think about it, but you can think about it more if you want. Read replicas are supported. You can read more about MySQL configuration [here](https://fleetdm.com/docs/deploying/configuration#mysql). +Yes, and we recommend replication for production deployments. See our [MySQL configuration documentation](https://fleetdm.com/docs/deploying/configuration#mysql). ### What is duplicate enrollment, and how do I fix it? @@ -712,10 +704,10 @@ Fleet requires at least MySQL version 8.0.36, and is tested [with versions 8.0.3 ### How do I migrate from Fleet Free to Fleet Premium? -To migrate from Fleet Free to Fleet Premium, once you get a Fleet license, set it as a parameter to `fleet serve` either as an environment variable using `FLEET_LICENSE_KEY` or in the Fleet's config file. See [here](https://fleetdm.com/docs/deploying/configuration#license) for more details. Note: You don't need to redeploy Fleet after the migration. +To migrate from Fleet Free to Fleet Premium, once you get a Fleet license, set it as a parameter to `fleet serve` either as an environment variable using `FLEET_LICENSE_KEY` or in [Fleet's config file](https://fleetdm.com/docs/deploying/configuration#license). You don't need to redeploy Fleet after the migration. ### What Redis versions are supported? -Fleet is tested with Redis 5.0.14 and 6.2.7. Any version of Redis after version 5 will typically work well. +Fleet is tested with Redis 6, as well as the latest release of Redis 5. Any version of Redis after version 5 will typically work well. ### Will my older version of Fleet work with Redis 6? 
diff --git a/website/api/controllers/docs/view-basic-documentation.js b/website/api/controllers/docs/view-basic-documentation.js index 74dbc15ce5ec..3a1609825575 100644 --- a/website/api/controllers/docs/view-basic-documentation.js +++ b/website/api/controllers/docs/view-basic-documentation.js @@ -82,7 +82,7 @@ module.exports = { : 'Documentation for Fleet for osquery.'// « otherwise use the generic description ), showSwagForm, - algoliaPublicKey: sails.config.custom.algoliaPublicKey, + algoliaPublicKey: "", }; } From c75a13ba65ad7e49604e691984bf654162b8a05b Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Tue, 3 Jun 2025 17:09:05 -0600 Subject: [PATCH 5/8] Fix more [here] links in configuration docs --- docs/Configuration/agent-configuration.md | 6 ++--- .../fleet-server-configuration.md | 9 +++----- docs/Configuration/yaml-files.md | 23 +++++++++---------- 3 files changed, 17 insertions(+), 21 deletions(-) diff --git a/docs/Configuration/agent-configuration.md b/docs/Configuration/agent-configuration.md index 74858d78db22..9336774126f5 100644 --- a/docs/Configuration/agent-configuration.md +++ b/docs/Configuration/agent-configuration.md 
@@ -78,11 +78,11 @@ In the `decorators` key, you can specify queries to include additional informati ### yara -You can use Fleet to configure the `yara` and `yara_events` osquery tables. Learn more about YARA configuration and continuous monitoring [here](https://fleetdm.com/guides/remote-yara-rules#basic-article). +You can use Fleet to configure the `yara` and `yara_events` osquery tables, used to administer [YARA rules]((https://fleetdm.com/guides/remote-yara-rules) for continuous monitoring. ## extensions -> This feature requires a custom TUF auto-update server (available in Fleet Premium). Learn more [here](https://fleetdm.com/guides/fleetd-updates). +> This feature requires a custom TUF [auto-update server](https://fleetdm.com/guides/fleetd-updates) (available in Fleet Premium). The `extensions` key inside of `agent_options` allows you to remotely manage and deploy osquery extensions. Just like other `agent_options` the `extensions` key can be applied either to a team specific one or the global one. @@ -179,7 +179,7 @@ In the above example: _Available in Fleet Premium_ -Users can configure fleetd component TUF auto-update channels from Fleet's agent options. The components that can be configured are `orbit`, `osqueryd` and `desktop` (Fleet Desktop). When one of these components is omitted in `update_channels` then `stable` is assumed as the value for such component. Available options for update channels can be viewed [here](https://fleetdm.com/docs/using-fleet/enroll-hosts#specifying-update-channels). +Users can configure fleetd component TUF [auto-update channels](https://fleetdm.com/docs/using-fleet/enroll-hosts#specifying-update-channels) from Fleet's agent options. The components that can be configured are `orbit`, `osqueryd` and `desktop` (Fleet Desktop). When one of these components is omitted in `update_channels` then `stable` is assumed as the value for such component. #### Examples 
diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 44c2e8a17073..7bc79468ffbd 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -1856,8 +1856,7 @@ This flag only has effect if one of the following is true: - `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `kafkarest`. - `activity_audit_log_plugin` is set to `kafkarest` and `activity_enable_audit_log` is set to `true`. -The value of the Content-Type header to use in Kafka REST Proxy API calls. More information about available versions -can be found [here](https://docs.confluent.io/platform/current/kafka-rest/api.html#content-types). _Note: only JSON format is supported_ +The value of the Content-Type header to use in [Kafka REST Proxy API calls](https://docs.confluent.io/platform/current/kafka-rest/api.html#content-types). _Note: only JSON format is supported_ - Default value: application/vnd.kafka.json.v1+json - Environment variable: `FLEET_KAFKAREST_CONTENT_TYPE_VALUE` @@ -2100,11 +2099,9 @@ or running S3 locally with localstack. Leave this blank to use the default S3 se AWS S3 Force S3 Path Style. Set this to `true` to force the request to use path-style addressing, i.e., `http://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client -will use virtual hosted bucket addressing when possible +will use [virtual hosted bucket addressing](http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html) when possible (`http://BUCKET.s3.amazonaws.com/KEY`). -See [here](http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html) for details. - - Default value: false - Environment variable: `FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE` - Config file format: 
@@ -2705,7 +2702,7 @@ Minio users must set this to any non-empty value (e.g., `minio`), as Minio does > The [`server_private_key` configuration option](#server_private_key) is required for macOS MDM features. -> The Apple Push Notification service (APNs), Simple Certificate Enrollment Protocol (SCEP), and Apple Business Manager (ABM) [certificate and key configuration](https://github.com/fleetdm/fleet/blob/fleet-v4.51.0/docs/Contributing/reference/configuration-for-contributors.md#mobile-device-management-mdm) are deprecated as of Fleet 4.51. They are maintained for backwards compatibility. Please upload your APNs certificate and ABM token. Learn how [here](https://fleetdm.com/docs/using-fleet/mdm-setup). +> The Apple Push Notification service (APNs), Simple Certificate Enrollment Protocol (SCEP), and Apple Business Manager (ABM) [certificate and key configuration](https://github.com/fleetdm/fleet/blob/fleet-v4.51.0/docs/Contributing/reference/configuration-for-contributors.md#mobile-device-management-mdm) are deprecated as of Fleet 4.51. They are maintained for backwards compatibility. Please [upload your APNs certificate and ABM token](https://fleetdm.com/docs/using-fleet/mdm-setup). ### mdm.apple_scep_signer_validity_days diff --git a/docs/Configuration/yaml-files.md b/docs/Configuration/yaml-files.md index d49e43b02714..86a2ff4be2d0 100644 --- a/docs/Configuration/yaml-files.md +++ b/docs/Configuration/yaml-files.md @@ -561,6 +561,8 @@ Fleet-maintained apps have default categories. You can see the default categorie ## org_settings and team_settings +Currently, managing users and ticket destinations (Jira and Zendesk) are only supported using Fleet's UI or [API](https://fleetdm.com/docs/rest-api/rest-api). + ### features The `features` section of the configuration YAML lets you define what predefined queries are sent to the hosts and later on processed by Fleet for different functionalities. 
@@ -635,7 +637,7 @@ org_settings: ### secrets -The `secrets` section defines the valid secrets that hosts can use to enroll to Fleet. Supply one of these secrets when generating the fleetd agent you'll use to enroll hosts. Learn more [here](https://fleetdm.com/docs/using-fleet/enroll-hosts). +The `secrets` section defines the valid secrets that hosts can use to enroll to Fleet. Supply one of these secrets when generating the fleetd agent you'll use to [enroll hosts](https://fleetdm.com/docs/using-fleet/enroll-hosts). #### Example @@ -674,7 +676,7 @@ org_settings: ### sso_settings -The `sso_settings` section lets you define single sign-on (SSO) settings. Learn more about SSO in Fleet [here](https://fleetdm.com/docs/deploying/configuration#configuring-single-sign-on-sso). +The `sso_settings` section lets you define [single sign-on (SSO)](https://fleetdm.com/docs/deploying/configuration#configuring-single-sign-on-sso) settings. - `enable_sso` (default: `false`) - `idp_name` is the human-friendly name for the identity provider that will provide single sign-on authentication (default: `""`). @@ -705,7 +707,7 @@ org_settings: The `integrations` section lets you configure your Google Calendar, Jira, and Zendesk. After configuration, you can enable [automations](https://fleetdm.com/docs/using-fleet/automations) like calendar event and ticket creation for failing policies. Currently, enabling ticket creation is only available using Fleet's UI or [API](https://fleetdm.com/docs/rest-api/rest-api) (YAML files coming soon). -In addition, you can configure your certificate authorities (CA) to help your end users connect to Wi-Fi. Learn more about certificate authorities in Fleet [here](https://fleetdm.com/guides/certificate-authorities). +In addition, you can configure your [certificate authorities (CA)](https://fleetdm.com/guides/certificate-authorities) to help your end users connect to Wi-Fi. #### Example 
@@ -805,7 +807,7 @@ For secrets, you can add [GitHub environment variables](https://docs.github.com/ ### webhook_settings -The `webhook_settings` section lets you define webhook settings for failing policy, vulnerability, and host status automations. Learn more about automations in Fleet [here](https://fleetdm.com/docs/using-fleet/automations). +The `webhook_settings` section lets you define webhook settings for failing policy, vulnerability, and host status [automations](https://fleetdm.com/docs/using-fleet/automations). #### activities_webhook @@ -888,9 +890,7 @@ Can only be configured for all teams (`org_settings`). #### apple_business_manager -After you've uploaded an Apple Business Manager (ABM) token, the `apple_business_manager` section lets you configure the teams in Fleet new hosts in ABM are automatically added to. Currently, adding an ABM token is only available using Fleet's UI. Learn more [here](https://fleetdm.com/guides/macos-mdm-setup#automatic-enrollment). - -Currently, managing labels and users, ticket destinations (Jira and Zendesk), Apple Business Manager (ABM) are only supported using Fleet's UI or [API](https://fleetdm.com/docs/rest-api/rest-api) (YAML files coming soon). +After [adding an Apple Business Manager (ABM) token via the UI](https://fleetdm.com/guides/macos-mdm-setup#automatic-enrollment), the `apple_business_manager` section lets you determine which team Apple devices are assigned to in Fleet when they appear in Apple Business Manager. - `organization_name` is the organization name associated with the Apple Business Manager account. - `macos_team` is the team where macOS hosts are automatically added when they appear in Apple Business Manager. 
@@ -913,7 +913,7 @@ org_settings: #### volume_purchasing_program -After you've uploaded a Volume Purchasing Program (VPP) token, the `volume_purchasing_program` section lets you configure the teams in Fleet that have access to that VPP token's App Store apps. Currently, adding a VPP token is only available using Fleet's UI. Learn more [here](https://fleetdm.com/guides/macos-mdm-setup#volume-purchasing-program-vpp). +After you've uploaded a [Volume Purchasing Program](https://fleetdm.com/guides/macos-mdm-setup#volume-purchasing-program-vpp) (VPP) token, the `volume_purchasing_program` section lets you configure the teams in Fleet that have access to that VPP token's App Store apps. Currently, adding a VPP token is only available using Fleet's UI. - `location` is the name of the location in the Apple Business Manager account. - `teams` is a list of team names. If you choose specific teams, App Store apps in this VPP account will only be available to install on hosts in these teams. If not specified, App Store apps are available to install on hosts in all teams. @@ -936,7 +936,7 @@ Can only be configured for all teams (`org_settings`). #### end_user_authentication -The `end_user_authentication` section lets you define the identity provider (IdP) settings used for end user authentication during Automated Device Enrollment (ADE). Learn more about end user authentication in Fleet [here](https://fleetdm.com/guides/macos-setup-experience#end-user-authentication-and-eula). +The `end_user_authentication` section lets you define the identity provider (IdP) settings used for [end user authentication](https://fleetdm.com/guides/macos-setup-experience#end-user-authentication-and-eula) during Automated Device Enrollment (ADE). Once the IdP settings are configured, you can use the [`controls.macos_setup.enable_end_user_authentication`](#macos-setup) key to control the end user experience during ADE. 
@@ -979,9 +979,8 @@ Can only be configured for all teams (`org_settings`). #### yara_rules -The `yara_rules` section lets you define [YARA rules](https://virustotal.github.io/yara/) that will be served by Fleet's authenticated -YARA rule functionality. Learn more about authenticated YARA rules in Fleet -[here](https://fleetdm.com/guides/remote-yara-rules). +The `yara_rules` section lets you define [YARA rules](https://virustotal.github.io/yara/) that will be served by Fleet's [authenticated +YARA rule](https://fleetdm.com/guides/remote-yara-rules) functionality. ##### Example From 788d5a7c7546ff179652f63304cde2b5548d8734 Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Tue, 3 Jun 2025 17:23:30 -0600 Subject: [PATCH 6/8] Fix remaining [here] links in configuration docs --- docs/Configuration/agent-configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Configuration/agent-configuration.md b/docs/Configuration/agent-configuration.md index 9336774126f5..ddf5a1b2cb68 100644 --- a/docs/Configuration/agent-configuration.md +++ b/docs/Configuration/agent-configuration.md 
@@ -47,8 +47,8 @@ config: ### options and command_line_flags -- `options` include the agent settings listed under `osqueryOptions` [here](https://github.com/fleetdm/fleet/blob/main/server/fleet/agent_options_generated.go). These can be updated without a fleetd restart. -- `command_line_flags` include the agent settings listed under osqueryCommandLineFlags [here](https://github.com/fleetdm/fleet/blob/main/server/fleet/agent_options_generated.go). These are only updated when fleetd restarts. +- `options` include the agent settings listed under `osqueryOptions` in [`agent_options_generated.go`](https://github.com/fleetdm/fleet/blob/main/server/fleet/agent_options_generated.go). These can be updated without a fleetd restart. +- `command_line_flags` include the agent settings listed under osqueryCommandLineFlags in [`agent_options_generated.go`](https://github.com/fleetdm/fleet/blob/main/server/fleet/agent_options_generated.go). These are only updated when fleetd restarts. To see a description for all available settings, first [enroll your host](https://fleetdm.com/guides/enroll-hosts) to Fleet. Then, open your **Terminal** app and run `sudo orbit shell` to open an interactive osquery shell. Then run the following osquery query: From 09f8e0c2f3a7c3681acd687c6bfea346f1a5fc77 Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Wed, 4 Jun 2025 09:13:03 -0600 Subject: [PATCH 7/8] Revert stubbed Algolia config --- website/api/controllers/docs/view-basic-documentation.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/api/controllers/docs/view-basic-documentation.js b/website/api/controllers/docs/view-basic-documentation.js index 3a1609825575..74dbc15ce5ec 100644 --- a/website/api/controllers/docs/view-basic-documentation.js +++ b/website/api/controllers/docs/view-basic-documentation.js 
@@ -82,7 +82,7 @@ module.exports = { : 'Documentation for Fleet for osquery.'// « otherwise use the generic description ), showSwagForm, - algoliaPublicKey: "", + algoliaPublicKey: sails.config.custom.algoliaPublicKey, }; } From ec41a2503d8bdef4ba628dc378ebe3348a0a6308 Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Mon, 9 Jun 2025 09:38:36 -0400 Subject: [PATCH 8/8] Update docs/REST API/rest-api.md --- docs/REST API/rest-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/REST API/rest-api.md b/docs/REST API/rest-api.md index 41a47385984a..aaab38d06f29 100644 --- a/docs/REST API/rest-api.md +++ b/docs/REST API/rest-api.md @@ -745,7 +745,7 @@ None. Returns all information about the Fleet's configuration. -The `agent_options`, `sso_settings` and `smtp_settings` fields are only returned for admin and GitOps users with global access (see the [Role-based access docs](https://fleetdm.com/guides/role-based-access)). +The `agent_options`, `sso_settings` and `smtp_settings` fields are only returned for admin and GitOps users with global access (see the [Role-based access guide](https://fleetdm.com/guides/role-based-access)). `mdm.macos_settings.custom_settings`, `mdm.windows_settings.custom_settings`, `scripts`, and `mdm.macos_setup` only include the configuration profiles, scripts, and setup experience settings applied using [Fleet's YAML](https://fleetdm.com/docs/configuration/yaml-files). To list profiles, scripts, or setup experience settings added in the UI or API, use the [List configuration profiles](https://fleetdm.com/docs/rest-api/rest-api#list-custom-os-settings-configuration-profiles), [List scripts](https://fleetdm.com/docs/rest-api/rest-api#list-scripts), or GET endpoints from [Setup experience](https://fleetdm.com/docs/rest-api/rest-api#setup-experience) instead.
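Review bot: In docs/Deploy/Reference-Architectures.md, the hunk at `@@ -226,7 +225,7 @@` gives the link text "reference terraform" to https://github.com/fleetdm/fleet-terraform/tree/main/example, while the Database HA paragraph in the hunk at `@@ -147,20 +147,19 @@` uses the same text for https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws-tf-module. Identical link text with two different targets in one file defeats the purpose of descriptive anchors; use distinct text for each (for example "example Terraform configuration" for the fleet-terraform link), or point both at the same module if one of the targets is stale.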
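Review bot: In docs/Get started/FAQ.md, the hunk at `@@ -183,8 +184,7 @@` reverses the answer under "Can I modify built-in labels?", which is more than a link-anchor fix. The old text said modification is possible through `fleetctl` or the REST API but not recommended; the new text says "No, built-in labels cannot be modified" and swaps the referenced issue from 12479 to 18034. Confirm that both `fleetctl` and the REST API reject such edits on every supported Fleet version, and either say from which version this holds or move the behaviour change into its own commit with a message that describes it.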
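Review bot: In docs/Get started/FAQ.md, the hunk at `@@ -365,11 +365,6 @@` deletes the whole "Why can't I run queries with `fleetctl` using a new API-only user?" entry instead of fixing its [here] link. That removes the only guidance for versions prior to Fleet 4.13 and breaks any inbound links to that heading's anchor. If the entry is being retired on purpose, say so in the commit message; otherwise keep it and rewrite the link as "reset the password" pointing at the same pinned URL.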
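Review bot: In docs/Get started/FAQ.md, the hunk at `@@ -577,7 +569,7 @@` replaces the redis.io and redis/redis references with a link to a copy of redis.conf in a third-party repository (github.com/bertramdev/redis-lab). Operators following advice to disable a buffer limit should land on an authoritative source, and a third-party repository can be deleted or diverge from upstream. Link a tagged redis.conf in redis/redis instead, and keep the setting name `client-output-buffer-limit` in the sentence so readers can find it without relying on the link.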
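Review bot: In docs/Get started/FAQ.md, the hunk at `@@ -712,10 +704,10 @@` changes "Fleet is tested with Redis 5.0.14 and 6.2.7" to "Redis 6, as well as the latest release of Redis 5", which drops the exact tested versions. "Latest release" changes meaning over time, and operators comparing their deployment against the tested matrix lose the concrete numbers. Keep the explicit versions, or state where the tested versions are recorded and link there.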
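Review bot: In website/api/controllers/docs/view-basic-documentation.js, the hunk at `@@ -82,7 +82,7 @@` that sets `algoliaPublicKey: "",` is a local stub that does not belong in a docs link-fix series; with an empty key the docs view is rendered without its Algolia search configuration. PATCH 7/8 ("Revert stubbed Algolia config") restores `sails.config.custom.algoliaPublicKey`, so the net change is nil, but any intermediate commit that is deployed or bisected carries the stub. Drop both hunks by rebasing so the series never touches the controller.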
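Review bot: In docs/Configuration/agent-configuration.md, the `yara` paragraph in the hunk at `@@ -78,11 +78,11 @@` has a malformed link: `[YARA rules]((https://fleetdm.com/guides/remote-yara-rules)` opens two parentheses and closes one, so the URL will not render as a link. Remove the extra `(`. The later patch touching this file (PATCH 6/8) only changes the `options` and `command_line_flags` bullets, so the typo survives to the end of the series.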
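Review bot: In docs/Configuration/fleet-server-configuration.md, the hunk at `@@ -2100,11 +2099,9 @@` moves the AWS virtual hosting link inline but keeps its plain-HTTP scheme: `[virtual hosted bucket addressing](http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html)`. Since the line is being rewritten anyway, switch the link to `https://`. The example bucket URLs in the surrounding text are illustrative and can stay as they are.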
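Review bot: In docs/Configuration/yaml-files.md, the sentence added under "org_settings and team_settings" in the hunk at `@@ -561,6 +561,8 @@` is not the same statement as the one removed in the hunk at `@@ -888,9 +890,7 @@`. The removed text listed "labels and users, ticket destinations (Jira and Zendesk), Apple Business Manager (ABM)" and ended with "(YAML files coming soon)"; the new text lists only users and ticket destinations and drops the note. If labels and ABM are now manageable through YAML, say so in the commit message; the `integrations` paragraph in the context of `@@ -705,7 +707,7 @@` still carries "(YAML files coming soon)", so the two passages should be made consistent.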
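Review bot: In docs/Configuration/agent-configuration.md, the second bullet in the hunk at `@@ -47,8 +47,8 @@` leaves osqueryCommandLineFlags unformatted while the first bullet writes `osqueryOptions` in backticks. Both are identifiers in `agent_options_generated.go`, so format them the same way. Both links also target the `main` branch of a generated file; that is acceptable for docs that track the latest release, but note that the listed settings will change under readers running older versions.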