chore: update Ory Console links to .com domain

[wassimoo]

Related Issue or Design Document

Checklist

• I have read the contributing guidelines and signed the CLA.
• I have referenced an issue containing the design document if my change introduces a new feature.
• I have read the security policy.
• I confirm that this pull request does not address a security vulnerability.
  If this pull request addresses a security vulnerability,
  I confirm that I got approval (please contact security@ory.com) from the maintainers to push the changes.
• I have added tests that prove my fix is effective or that my feature works.
• I have added the necessary documentation within the code base (if appropriate).

Summary by CodeRabbit

• Documentation

  • Updated all Ory Console links from console.ory.sh to console.ory.com across docs and UI components.

• Chores

  • Added an automated console-link validation (runs in CI) to detect legacy or broken console links; fails on legacy/404s and warns on transient request errors.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 77626887-42ba-4419-8920-ad9472285719

📥 Commits

Reviewing files that changed from the base of the PR and between 278c775 and 1d3539d.

📒 Files selected for processing (1)

• package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

---

📝 Walkthrough

Walkthrough

Replaces all console.ory.sh references with console.ory.com across components, hooks, and documentation, and adds a Node.js CLI plus CI job to detect legacy links and verify console.ory.com endpoints.

Changes

Console Domain Migration to ory.com

Layer / File(s)	Summary
Console link validation infrastructure src/scripts/check-console-links.js, package.json, .github/workflows/static_checks.yml	New Node.js script scans repository files for console URLs, reports legacy console.ory.sh as errors, performs concurrent HTTP HEAD checks for console.ory.com, reports 404s as errors and network failures as warnings; exposed as npm run check-console-links and added to Static Checks CI job.
Console domain URL updates src/components/ConsoleLink/console-routes.ts, src/components/ConsoleLink/console-link.tsx, src/components/OryHeroDemo.jsx, src/components/OryNetworkCta/ory-network-cta.tsx, src/components/welcomePage/ContentSection.tsx, src/hooks/index.ts, README.md, docs/kratos/guides/multi-tenancy-multitenant.md	All hardcoded console.ory.sh references replaced with console.ory.com in routing defaults, component examples, CTA links, welcome/registration links, SDK hint text, and documentation examples.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

upstream

Suggested reviewers

• aeneasr
• zepatrik
• piotrmsc
• vinckr
• unatasha8

Poem

🐰 From .sh to .com the console did roam,
I hopped through the docs to give links a home.
A script guards the gates with a curious peep,
Hunting old URLs so the site stays neat.
Hooray—one domain now sleeps safe and warm.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is largely empty, containing only the template structure with all sections unfilled and no actual description of changes provided by the author.	Add a substantive description explaining the rationale for migrating console links, any impact analysis, and address the checklist items appropriately.
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: updating Ory Console links from .sh to .com domain across the repository.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/migrate-console-links-to-dot-com

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

.github/workflows/static_checks.yml (2)

24-34: Consider least-privilege permissions for the new job.

This job (like the others in the file) relies on default workflow permissions and persisted credentials. Since it only checks out code and runs a Node script, scoping it to read-only would tighten the security posture without affecting behavior. This applies workflow-wide, so it may be better addressed consistently rather than for this job alone.

🔒 Example

   check-console-links:
     name: Check console links for 404s
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/static_checks.yml around lines 24 - 34, The
check-console-links job should use least-privilege credentials: add a
permissions block (e.g., permissions: contents: read) at the job or top-level
workflow to restrict token scope, and set the checkout action to not persist the
workflow token (set actions/checkout's persist-credentials to false) so Node npm
commands run without retaining write permissions; update the job named
check-console-links and the actions/checkout@v6 step to apply these changes (or
apply them workflow-wide for consistency).

---

33-33: 💤 Low value

Prefer npm ci for reproducible CI installs.

.github/workflows/static_checks.yml runs npm install, but the repo includes a root package-lock.json; switching to npm ci makes CI installs deterministic and lockfile-faithful.

♻️ Proposed change

-      - run: npm install
+      - run: npm ci

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/static_checks.yml at line 33, Replace the CI step that
runs the literal command "npm install" with "npm ci" in the workflow so the job
uses lockfile-faithful, reproducible installs; locate the step containing the
run command "npm install" in the static_checks.yml workflow and change that
value to "npm ci".

src/components/ConsoleLink/console-link.tsx (1)

63-64: ⚡ Quick win

Avoid hardcoding the Console base URL — reuse the centralized route.

routes.default.console already holds https://console.ory.com/, yet the base is hardcoded again here. This duplication is precisely what forces a multi-file change on each domain migration and risks future divergence. Reuse the single source of truth (mind the trailing slash, since resolvedRoute already begins with /).

♻️ Proposed change

   const renderedRoute =
-    "https://console.ory.com" + resolvedRoute.replace("[project]", "current")
+    routes.default.console.replace(/\/$/, "") +
+    resolvedRoute.replace("[project]", "current")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/ConsoleLink/console-link.tsx` around lines 63 - 64, The code
hardcodes "https://console.ory.com" when building renderedRoute; instead use the
centralized routes.default.console value to avoid duplication. Update the
construction of renderedRoute to concatenate routes.default.console with
resolvedRoute.replace("[project]", "current"), ensuring you handle the trailing
slash (trim a trailing slash from routes.default.console or the leading slash
from resolvedRoute so you don't produce a double "//"). Reference:
renderedRoute, resolvedRoute, and routes.default.console.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/components/welcomePage/ContentSection.tsx`:
- Line 12: The registration CTA in ContentSection currently hardcodes a URL with
a specific flow query param ("https://console.ory.com/registration?flow=...");
remove the fixed flow parameter so the component/link uses the stable entrypoint
("https://console.ory.com/registration") instead (update the hardcoded string
where it appears in ContentSection.tsx or the constant that provides the URL),
ensuring the anchor/href or NavLink no longer appends "?flow=..." so sign-ups
use the server-generated/active flow.

In `@src/scripts/check-console-links.js`:
- Line 20: SKIP_FILES currently uses a basename set (SKIP_FILES) and walkDir
checks entry.name, which causes entire files like README.md and any file named
console-link.tsx anywhere to be ignored; change the logic to stop skipping
README.md entirely and instead match console-link.tsx by its repo-relative path
(or exact relative path suffix) when deciding to skip only the URL reachability
check. Update the skip check in the walkDir/scan routine to use the file's
repo-relative path (not entry.name) and, for console-link.tsx, only bypass the
external HTTP reachability test while still scanning the file contents for
legacy console.ory.sh links.

---

Nitpick comments:
In @.github/workflows/static_checks.yml:
- Around line 24-34: The check-console-links job should use least-privilege
credentials: add a permissions block (e.g., permissions: contents: read) at the
job or top-level workflow to restrict token scope, and set the checkout action
to not persist the workflow token (set actions/checkout's persist-credentials to
false) so Node npm commands run without retaining write permissions; update the
job named check-console-links and the actions/checkout@v6 step to apply these
changes (or apply them workflow-wide for consistency).
- Line 33: Replace the CI step that runs the literal command "npm install" with
"npm ci" in the workflow so the job uses lockfile-faithful, reproducible
installs; locate the step containing the run command "npm install" in the
static_checks.yml workflow and change that value to "npm ci".

In `@src/components/ConsoleLink/console-link.tsx`:
- Around line 63-64: The code hardcodes "https://console.ory.com" when building
renderedRoute; instead use the centralized routes.default.console value to avoid
duplication. Update the construction of renderedRoute to concatenate
routes.default.console with resolvedRoute.replace("[project]", "current"),
ensuring you handle the trailing slash (trim a trailing slash from
routes.default.console or the leading slash from resolvedRoute so you don't
produce a double "//"). Reference: renderedRoute, resolvedRoute, and
routes.default.console.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 59ec5970-e74a-4547-8361-03494aa15326

📥 Commits

Reviewing files that changed from the base of the PR and between 5405c36 and 278c775.

⛔ Files ignored due to path filters (56)

• docs/_common/get-started-setup.mdx is excluded by !**/*.mdx
• docs/_common/need-help.mdx is excluded by !**/*.mdx
• docs/account-experience/index.mdx is excluded by !**/*.mdx
• docs/actions/live-events.mdx is excluded by !**/*.mdx
• docs/concepts/cache.mdx is excluded by !**/*.mdx
• docs/concepts/personal-access-token.mdx is excluded by !**/*.mdx
• docs/console/change-owner.mdx is excluded by !**/*.mdx
• docs/console/single-sign-on.mdx is excluded by !**/*.mdx
• docs/console/usage-billing.mdx is excluded by !**/*.mdx
• docs/getting-started/_common/configure-production-sdk-url.mdx is excluded by !**/*.mdx
• docs/getting-started/_common/create-project.mdx is excluded by !**/*.mdx
• docs/getting-started/integrate-auth/14_auth-js.mdx is excluded by !**/*.mdx
• docs/getting-started/integrate-auth/16_nextjs_app_router.mdx is excluded by !**/*.mdx
• docs/getting-started/integrate-auth/17_nextjs_pages_router.mdx is excluded by !**/*.mdx
• docs/getting-started/local-development.mdx is excluded by !**/*.mdx
• docs/guides/cli/15_config-identity-service.mdx is excluded by !**/*.mdx
• docs/guides/cli/16_configure-oauth2-service.mdx is excluded by !**/*.mdx
• docs/guides/cli/17_configure-permission-service.mdx is excluded by !**/*.mdx
• docs/guides/cors.mdx is excluded by !**/*.mdx
• docs/guides/manage-project-via-api.mdx is excluded by !**/*.mdx
• docs/guides/permissions/overview.mdx is excluded by !**/*.mdx
• docs/hydra/guides/custom-ui-oauth2.mdx is excluded by !**/*.mdx
• docs/identities/get-started/account-recovery.mdx is excluded by !**/*.mdx
• docs/identities/get-started/mfa.mdx is excluded by !**/*.mdx
• docs/identities/get-started/passwordless.mdx is excluded by !**/*.mdx
• docs/identities/get-started/setup.mdx is excluded by !**/*.mdx
• docs/identities/get-started/social-sign-in.mdx is excluded by !**/*.mdx
• docs/identities/model/manage-identity-schema.mdx is excluded by !**/*.mdx
• docs/identities/sign-in/code_submission_limit.mdx is excluded by !**/*.mdx
• docs/identities/sign-in/identifier-first-authentication.mdx is excluded by !**/*.mdx
• docs/intro.mdx is excluded by !**/*.mdx
• docs/keto/index.mdx is excluded by !**/*.mdx
• docs/kratos/emails-sms/01_sending-emails-smtp.mdx is excluded by !**/*.mdx
• docs/kratos/manage-identities/25_import-user-accounts-identities.mdx is excluded by !**/*.mdx
• docs/kratos/mfa/05_step-up-authentication.mdx is excluded by !**/*.mdx
• docs/kratos/mfa/15_totp.mdx is excluded by !**/*.mdx
• docs/kratos/mfa/20_webauthn-fido-yubikey.mdx is excluded by !**/*.mdx
• docs/kratos/mfa/25_lookup-secrets.mdx is excluded by !**/*.mdx
• docs/kratos/organizations/organizations.mdx is excluded by !**/*.mdx
• docs/kratos/passwordless/05_passkeys.mdx is excluded by !**/*.mdx
• docs/kratos/quickstart.mdx is excluded by !**/*.mdx
• docs/kratos/sdk/05_go.mdx is excluded by !**/*.mdx
• docs/kratos/session-management/10_session-lifespan.mdx is excluded by !**/*.mdx
• docs/kratos/social-signin/01_overview.mdx is excluded by !**/*.mdx
• docs/kratos/social-signin/90_data-mapping.mdx is excluded by !**/*.mdx
• docs/migrate-to-ory/auth0.mdx is excluded by !**/*.mdx
• docs/migrate-to-ory/migrate/create-project.mdx is excluded by !**/*.mdx
• docs/network/getting-started/index.mdx is excluded by !**/*.mdx
• docs/security-compliance/personal-data-location.mdx is excluded by !**/*.mdx
• docs/self-hosted/oel/kratos/upgrade.mdx is excluded by !**/*.mdx
• docs/self-hosted/oel/oathkeeper/upgrade-oathkeeper.mdx is excluded by !**/*.mdx
• docs/troubleshooting/40_mandatory-redirect-uri.mdx is excluded by !**/*.mdx
• docs/troubleshooting/50_account-linking-response-code.mdx is excluded by !**/*.mdx
• src/components/Shared/keto/index.mdx is excluded by !**/*.mdx
• src/components/Shared/keto/overview.mdx is excluded by !**/*.mdx
• src/components/Shared/kratos/quickstart.mdx is excluded by !**/*.mdx

📒 Files selected for processing (11)

• .github/workflows/static_checks.yml
• README.md
• docs/kratos/guides/multi-tenancy-multitenant.md
• package.json
• src/components/ConsoleLink/console-link.tsx
• src/components/ConsoleLink/console-routes.ts
• src/components/OryHeroDemo.jsx
• src/components/OryNetworkCta/ory-network-cta.tsx
• src/components/welcomePage/ContentSection.tsx
• src/hooks/index.ts
• src/scripts/check-console-links.js

[unatasha8]

LGTM