Enable strict mode (zero warnings)

.github/workflows/docs-build.yml

@@ -11,7 +11,7 @@ jobs:
     uses: elastic/docs-builder/.github/workflows/preview-build.yml@main
     with:
       continue-on-error: false
-      strict: false
+      strict: true
     permissions:
       deployments: write
       id-token: write

deploy-manage/cloud-organization/billing/manage-subscription.md

@@ -39,7 +39,7 @@ To change your subscription level:
 
 ### Feature usage notifications [ec_feature_usage_notifications]
 
-:::{applies}
+:::{applies_to}
 :hosted: all
 :::
 

deploy-manage/deploy/cloud-enterprise/manage-elastic-stack-versions.md

@@ -348,7 +348,7 @@ You can add new Elastic Stack packs to your installation through the Cloud UI, t
 
 To add a new Elastic Stack pack from the Cloud UI:
 
-1. Download the [Elastic Stack version]() that you want.
+1. Download the Elastic Stack version that you want.
 2. [Log into the Cloud UI](log-into-cloud-ui.md).
 3. From the **Platform** menu, select **Elastic Stack**.
 4. Select **Upload Elastic Stack pack**.

deploy-manage/deploy/cloud-on-k8s/configuration-fleet.md

@@ -92,7 +92,7 @@ spec:
 * `xpack.fleet.agents.elasticsearch.hosts` must point to the {{es}} cluster where {{agents}} should send data. For ECK-managed {{es}} clusters ECK creates a Service accessible through `https://ES_RESOURCE_NAME-es-http.ES_RESOURCE_NAMESPACE.svc:9200` URL, where `ES_RESOURCE_NAME` is the name of {{es}} resource and `ES_RESOURCE_NAMESPACE` is the namespace it was deployed within. See [Storing local state in host path volume](configuration-examples-standalone.md#k8s_storing_local_state_in_host_path_volume) for details on adjusting this field when running agent as non-root as it becomes required.
 * `xpack.fleet.agents.fleet_server.hosts` must point to {{fleet-server}} that {{agents}} should connect to. For ECK-managed {{fleet-server}} instances, ECK creates a Service accessible through `https://FS_RESOURCE_NAME-agent-http.FS_RESOURCE_NAMESPACE.svc:8220` URL, where `FS_RESOURCE_NAME` is the name of {{agent}} resource with {{fleet-server}} enabled and `FS_RESOURCE_NAMESPACE` is the namespace it was deployed in.
 * `xpack.fleet.packages` are required packages to enable {{fleet-server}} and {{agents}} to enroll.
-* `xpack.fleet.agentPolicies` policies are needed for {{fleet-server}} and {{agents}} to enroll to, check {{fleet-guide}}/agent-policy.html for more information.
+* `xpack.fleet.agentPolicies` policies are needed for {{fleet-server}} and {{agents}} to enroll to, check https://www.elastic.co/guide/en/fleet/current/agent-policy.html for more information.
 
 
 ## Set referenced resources [k8s-elastic-agent-fleet-configuration-setting-referenced-resources]

deploy-manage/deploy/cloud-on-k8s/logstash-plugins.md

@@ -7,7 +7,7 @@ mapped_pages:
 
 # Logstash plugins [k8s-logstash-plugins]
 
-The power of {{ls}} is in the plugins--{{logstash-ref}}/input-plugins.html[inputs], [outputs](https://www.elastic.co/guide/en/logstash/current/output-plugins.html), [filters,](https://www.elastic.co/guide/en/logstash/current/filter-plugins.html) and [codecs](https://www.elastic.co/guide/en/logstash/current/codec-plugins.html).
+The power of {{ls}} is in the plugins--[inputs](https://www.elastic.co/guide/en/logstash/current/input-plugins.html), [outputs](https://www.elastic.co/guide/en/logstash/current/output-plugins.html), [filters,](https://www.elastic.co/guide/en/logstash/current/filter-plugins.html) and [codecs](https://www.elastic.co/guide/en/logstash/current/codec-plugins.html).
 
 In {{ls}} on ECK, you can use the same plugins that you use for other {{ls}} instances—​including Elastic-supported, community-supported, and custom plugins. However, you may have other factors to consider, such as how you configure your {{k8s}} resources, how you specify additional resources, and how you scale your {{ls}} installation.
 

deploy-manage/deploy/elastic-cloud/manage-integrations-server.md

@@ -28,8 +28,6 @@ The APM secret token can no longer be reset from the Elasticsearch Service UI. C
 
 This example demonstrates how to use the Elasticsearch Service RESTful API to create a deployment with Integrations Server enabled.
 
-For more information on how to manage Integrations Server from the UI, check [Manage your Integrations Server]()
-
 
 #### Requirements [ec_requirements_2]
 

deploy-manage/distributed-architecture/discovery-cluster-formation/modules-discovery-bootstrap-cluster.md

@@ -74,7 +74,7 @@ By default each node will automatically bootstrap itself into a single-node clus
 * `discovery.seed_hosts`
 * `cluster.initial_master_nodes`
 
-To add a new node into an existing cluster, configure `discovery.seed_hosts` or other relevant discovery settings so that the new node can discover the existing master-eligible nodes in the cluster. To bootstrap a new multi-node cluster, configure `cluster.initial_master_nodes` as described in the [section on cluster bootstrapping]() as well as `discovery.seed_hosts` or other relevant discovery settings.
+To add a new node into an existing cluster, configure `discovery.seed_hosts` or other relevant discovery settings so that the new node can discover the existing master-eligible nodes in the cluster. To bootstrap a new multi-node cluster, configure `cluster.initial_master_nodes` as described in the section on cluster bootstrapping as well as `discovery.seed_hosts` or other relevant discovery settings.
 
 ::::{admonition} Forming a single cluster
 :name: modules-discovery-bootstrap-cluster-joining

deploy-manage/monitor/logging-configuration/auditing-search-queries.md

@@ -11,7 +11,7 @@ applies:
 
 # Audit Elasticsearch search queries [auditing-search-queries]
 
-There is no [audit event type]() (asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events) specifically dedicated to search queries. Search queries are analyzed and then processed; the processing triggers authorization actions that are audited. However, the original raw query, as submitted by the client, is not accessible downstream when authorization auditing occurs.
+There is no [audit event type](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events) specifically dedicated to search queries. Search queries are analyzed and then processed; the processing triggers authorization actions that are audited. However, the original raw query, as submitted by the client, is not accessible downstream when authorization auditing occurs.
 
 Search queries are contained inside HTTP request bodies, however, and some audit events that are generated by the REST layer, on the coordinating node, can be toggled to output the request body to the audit log. Therefore, one must audit request bodies in order to audit search queries.
 

deploy-manage/monitor/logging-configuration/configuring-audit-logs.md

@@ -24,7 +24,7 @@ When auditing security events, a single client request might generate multiple a
     ::::
 
 For a complete description of event details and format, refer to the following resources:
-  * [{{es}} audit events details and schema]() asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events
+  * [{{es}} audit events details and schema](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events)
   * [{{es}} log entry output format](/deploy-manage/monitor/logging-configuration/logfile-audit-output.md#audit-log-entry-format)
 
 ### Kibana auditing configuration

deploy-manage/monitor/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md

@@ -24,7 +24,7 @@ When an {{es}} request generates multiple audit events across multiple nodes, yo
 
 This identifier allows you to trace the flow of a request across the {{es}} cluster and reconstruct the full context of an operation.
 
-Refer to [linkTBD]() asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events for a complete reference of event types and attributes.
+Refer to [Audit events](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events) for a complete reference of event types and attributes.
 
 ## `trace.id` field in {{kib}} audit events
 

deploy-manage/monitor/logging-configuration/logfile-audit-events-ignore-policies.md

@@ -35,7 +35,7 @@ xpack.security.audit.logfile.events.ignore_filters:
 
 An audit event generated by the *kibana_system* user and operating over multiple indices , some of which do not match the indices wildcard, will not match. As expected, operations generated by all other users (even operating only on indices that match the *indices* filter) will not match this policy either.
 
-Audit events of different types may have [different attributes]() asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events/#audit-event-attributes. If an event does not contain an attribute for which some policy defines filters, the event will not match the policy. For example, the following policy will never match `authentication_success` or `authentication_failed` events, irrespective of the user’s roles, because these event schemas do not contain the `role` attribute:
+Audit events of different types may have [different attributes](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events/#audit-event-attributes). If an event does not contain an attribute for which some policy defines filters, the event will not match the policy. For example, the following policy will never match `authentication_success` or `authentication_failed` events, irrespective of the user’s roles, because these event schemas do not contain the `role` attribute:
 
 ```yaml
 xpack.security.audit.logfile.events.ignore_filters:

deploy-manage/monitor/logging-configuration/logfile-audit-output.md

@@ -32,4 +32,4 @@ There are however a few attributes that are exceptions to the above format. The
 
 When the `request.body` attribute is present (see [Auditing search queries](auditing-search-queries.md)), it contains a string value containing the full HTTP request body, escaped as per the JSON RFC 4677.
 
-Refer to [audit event types]() (asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events) for a complete list of fields, as well as examples, for each entry type.
+Refer to [audit event types](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events) for a complete list of fields, as well as examples, for each entry type.

deploy-manage/monitor/logging-configuration/security-event-audit-logging.md

@@ -32,5 +32,5 @@ By following these guidelines, you can effectively audit system activity, enhanc
 
 For a complete description of audit event details and format, refer to:
 
-* [Elasticsearch audit events]() asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events
-* [Kibana audit events]() asciidocalypse://kibana/docs/reference/kibana-audit-events
+* [Elasticsearch audit events](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events)
+* [Kibana audit events](asciidocalypse://kibana/docs/reference/kibana-audit-events)

deploy-manage/security/supported-ssltls-versions-by-jdk-version.md

@@ -107,6 +107,6 @@ To enable your custom security policy, create a file named `java.security.option
 
 SSL/TLS versions can be enabled and disabled within {{es}} via the [`ssl.supported_protocols` settings](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#ssl-tls-settings).
 
-{{es}} will only support the TLS versions that are enabled by the [underlying JDK](). If you configure `ssl.supported_procotols` to include a TLS version that is not enabled in your JDK, then it will be silently ignored.
+{{es}} will only support the TLS versions that are enabled by the underlying JDK. If you configure `ssl.supported_procotols` to include a TLS version that is not enabled in your JDK, then it will be silently ignored.
 
 Similarly, a TLS version that is enabled in your JDK, will not be used unless it is configured as one of the `ssl.supported_protocols` in {{es}}.

deploy-manage/tools/snapshot-and-restore/azure-repository.md

@@ -73,15 +73,15 @@ In progress snapshot or restore jobs will not be preempted by a **reload** of th
 
 ## Client settings [repository-azure-client-settings]
 
-The following list describes the available client settings. Those that must be stored in the keystore are marked as ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings)); the other settings must be stored in the `elasticsearch.yml` file. The default `CLIENT_NAME` is `default` but you may configure a client with a different name and specify that client by name when registering a repository.
+The following list describes the available client settings. Those that must be stored in the keystore are marked as ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings)); the other settings must be stored in the `elasticsearch.yml` file. The default `CLIENT_NAME` is `default` but you may configure a client with a different name and specify that client by name when registering a repository.
 
-`azure.client.CLIENT_NAME.account` ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
+`azure.client.CLIENT_NAME.account` ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
 :   The Azure account name, which is used by the repository’s internal Azure client. This setting is required for all clients.
 
 `azure.client.CLIENT_NAME.endpoint_suffix`
 :   The Azure endpoint suffix to connect to. The default value is `core.windows.net`.
 
-`azure.client.CLIENT_NAME.key` ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
+`azure.client.CLIENT_NAME.key` ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
 :   The Azure secret key, which is used by the repository’s internal Azure client. Alternatively, use `sas_token`.
 
 `azure.client.CLIENT_NAME.max_retries`
@@ -96,7 +96,7 @@ The following list describes the available client settings. Those that must be s
 `azure.client.CLIENT_NAME.proxy.type`
 :   Register a proxy type for the client. Supported values are `direct`, `http`, and `socks`. For example: `azure.client.default.proxy.type: http`. When `proxy.type` is set to `http` or `socks`, `proxy.host` and `proxy.port` must also be provided. The default value is `direct`.
 
-`azure.client.CLIENT_NAME.sas_token` ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
+`azure.client.CLIENT_NAME.sas_token` ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
 :   A shared access signatures (SAS) token, which the repository’s internal Azure client uses for authentication. The SAS token must have read (r), write (w), list (l), and delete (d) permissions for the repository base path and all its contents. These permissions must be granted for the blob service (b) and apply to resource types service (s), container (c), and object (o). Alternatively, use `key`.
 
 `azure.client.CLIENT_NAME.timeout`

deploy-manage/tools/snapshot-and-restore/cloud-enterprise.md

@@ -99,9 +99,6 @@ To edit a snapshot repository configuration from your Elastic Cloud Enterprise i
 1. [Log into the Cloud UI](../../deploy/cloud-enterprise/log-into-cloud-ui.md).
 2. From the **Platform** menu, select **Repositories**.
 3. Select **Edit** to modify a snapshot repository configuration.
-
-    For available options that you can change, check [Add Snapshot Repository Configurations]().
-
 4. Select **Save**.
 
 
@@ -136,7 +133,7 @@ You might need to update existing Elasticsearch clusters to use a different snap
 To change the snapshot repository for an existing Elasticsearch cluster:
 
 1. [Log into the Cloud UI](../../deploy/cloud-enterprise/log-into-cloud-ui.md).
-2. Optional: If you need to use a repository that is not yet listed, [add a snapshot repository configuration]() first.
+2. Optional: If you need to use a repository that is not yet listed, add a snapshot repository configuration first.
 3. From the **Deployments** page, select your deployment.
 
     Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.

deploy-manage/tools/snapshot-and-restore/google-cloud-storage-repository.md

@@ -123,7 +123,7 @@ bin/elasticsearch-keystore add-file gcs.client.default.credentials_file /path/se
 
 The following are the available client settings. Those that must be stored in the keystore are marked as `Secure`.
 
-`credentials_file` ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
+`credentials_file` ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
 :   The service account file that is used to authenticate to the Google Cloud Storage service.
 
 `endpoint`

deploy-manage/tools/snapshot-and-restore/s3-repository.md

@@ -72,13 +72,13 @@ Define the relevant secure settings in each node’s keystore before starting th
 
 The following list contains the available client settings. Those that must be stored in the keystore are marked as "secure" and are **reloadable**; the other settings belong in the `elasticsearch.yml` file.
 
-`access_key` ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
+`access_key` ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
 :   An S3 access key. If set, the `secret_key` setting must also be specified. If unset, the client will use the instance or container role instead.
 
-`secret_key` ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
+`secret_key` ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
 :   An S3 secret key. If set, the `access_key` setting must also be specified.
 
-`session_token` ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
+`session_token` ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
 :   An S3 session token. If set, the `access_key` and `secret_key` settings must also be specified.
 
 `endpoint`
@@ -96,10 +96,10 @@ The following list contains the available client settings. Those that must be st
 `proxy.scheme`
 :   The scheme to use for the proxy connection to S3. Valid values are either `http` or `https`. Defaults to `http`. This setting allows to specify the protocol used for communication with the proxy server
 
-`proxy.username` ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
+`proxy.username` ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
 :   The username to connect to the `proxy.host` with.
 
-`proxy.password` ({{ref}}/secure-settings.html[Secure], [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
+`proxy.password` ([Secure](https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html), [reloadable](../../security/secure-settings.md#reloadable-secure-settings))
 :   The password to connect to the `proxy.host` with.
 
 `read_timeout`

deploy-manage/tools/snapshot-and-restore/source-only-repository.md

@@ -46,7 +46,7 @@ PUT _snapshot/my_src_only_repository
 `delegate_type`
 :   (Optional, string) Delegated repository type. For valid values, see the [`type` parameter](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-snapshot-create-repository#put-snapshot-repo-api-request-type).
 
-    `source` repositories can use `settings` properties for its delegated repository type. See [Source-only repository]().
+    `source` repositories can use `settings` properties for its delegated repository type.
 
 
 `max_number_of_snapshots`