Skip to content

docs: audit all 74 reference pages against implementation code#2138

Merged
desimone merged 1 commit intomainfrom
docs/reference-audit-against-code
Mar 28, 2026
Merged

docs: audit all 74 reference pages against implementation code#2138
desimone merged 1 commit intomainfrom
docs/reference-audit-against-code

Conversation

@desimone
Copy link
Copy Markdown
Contributor

@desimone desimone commented Mar 27, 2026

Summary

Systematically audited every reference documentation page (74 total) against the actual Go source code, protobuf definitions, and Envoy config builders in pomerium/pomerium to verify config keys, types, defaults, accepted values, and behavioral descriptions.

  • 44 files changed, 293 insertions, 192 deletions
  • 10 parallel audit agents, each reading docs + code + Envoy docs
  • Codex independently verified 20 key findings (19/20 confirmed, 1 partial on pre-existing macOS path)

Wrong config keys / env vars (would cause config failures)

  • metrics.mdx: metrics_basic_authentication -> metrics_basic_auth (options.go:216)
  • metrics.mdx: METRICS_CERTIFICATE_FILE_KEY -> METRICS_CERTIFICATE_KEY_FILE (options.go:221)
  • dns.mdx: default_lookup_family -> dns_lookup_family in examples (options_dns.go:28)
  • set-response-headers.mdx: env var SET_RESPONSE_HEADERS -> HEADERS (options.go:567)

Wrong defaults (would mislead users)

  • runtime-flags.md: grpc_databroker_keepalive default false -> true (runtime_flags.go:25); added 6 missing flags (15 total now match code)
  • dns.mdx: 4 defaults claimed specific values but code uses nil/Envoy defaults
  • set-response-headers.mdx: removed phantom X-Content-Type-Options: nosniff default header
  • timeouts.mdx: idle timeout default 5m -> not set (Envoy default applies)
  • cookies.mdx: CookieSameSite default Lax -> not set (browsers default to Lax)

Wrong types

  • jwt-claim-headers.mdx: string -> map of string (custom.go:105)
  • headers.mdx: 3 type mismatches fixed (remove_request_headers, set_response_headers, rewrite_response_headers)
  • certificates.mdx: certificates type corrected to array of objects with cert/key
  • policy.mdx: string -> object (PPL rule block)

Missing documentation

  • access-log-fields.mdx: added 2 fields (client-certificate, cluster-stat-name)
  • authorize-log-fields.mdx: added 5 fields (including route checksums)
  • tls.mdx: entire tls_server_name section was missing
  • circuit-breaker-thresholds.mdx: added global/route/internal cluster layering explanation

Removed fake env vars for per-route settings

  • additional-login-redirect-hosts.mdx, enable-google-cloud-serverless-authentication.mdx, tls.mdx

Incorrect descriptions

  • cluster-name.mdx: full rewrite -- was "Cluster Name", now accurately describes name setting
  • show-error-details.mdx: removed incorrect branding claim
  • address.mdx: "HTTP" -> "HTTPS"
  • databroker.mdx: connection string only required for postgres, not file

Test plan

  • npx prettier --check -- passed
  • npx cspell -- passed (0 issues)
  • yarn build -- passed (pre-existing broken anchors in unrelated pages only)
  • Codex independently verified 20 key code claims

AI disclosure

AI drafted all changes across 10 parallel audit agents. Each agent read the doc page, the corresponding Go struct/mapstructure tags, default values, and consumption sites, then compared and fixed. Codex independently verified findings against the code. Human reviewed agent summaries, consolidated reference.json updates, and approved the final diff.

@desimone
docs: audit all 74 reference pages against implementation code
435d09f 
Systematically audited every reference documentation page against the
actual Go source code, protobuf definitions, and Envoy config builders
in pomerium/pomerium to verify config keys, types, defaults, accepted
values, and behavioral descriptions.

Key fixes:

Wrong config keys / env vars (would cause config failures):
- metrics.mdx: metrics_basic_authentication -> metrics_basic_auth
- metrics.mdx: METRICS_CERTIFICATE_FILE_KEY -> METRICS_CERTIFICATE_KEY_FILE
- dns.mdx: default_lookup_family -> dns_lookup_family in examples
- set-response-headers.mdx: SET_RESPONSE_HEADERS -> HEADERS

Wrong defaults (would mislead users):
- runtime-flags.md: grpc_databroker_keepalive false -> true; added 6
  missing flags (15 total now match code)
- dns.mdx: 4 defaults claimed specific values but code uses nil
- set-response-headers.mdx: removed phantom X-Content-Type-Options
- timeouts.mdx: idle timeout default 5m -> not set
- cookies.mdx: CookieSameSite default Lax -> not set

Wrong types:
- jwt-claim-headers.mdx: string -> map of string
- headers.mdx: 3 type mismatches (remove_request_headers,
  set_response_headers, rewrite_response_headers)
- certificates.mdx: certificates type -> array of objects
- policy.mdx: string -> object (PPL rule block)

Missing documentation:
- access-log-fields.mdx: added client-certificate, cluster-stat-name
- authorize-log-fields.mdx: added 5 missing fields
- tls.mdx: added missing tls_server_name section
- circuit-breaker-thresholds.mdx: added layering explanation

Removed fake env vars for per-route settings:
- additional-login-redirect-hosts.mdx
- enable-google-cloud-serverless-authentication.mdx
- tls.mdx: tls_downstream_server_name, tls_upstream_server_name

Incorrect descriptions:
- cluster-name.mdx: full rewrite (name setting, not cluster name)
- show-error-details.mdx: removed incorrect branding claim
- address.mdx: HTTP -> HTTPS
- databroker.mdx: connection string only required for postgres

Also updated reference.json types and descriptions to match.

AI disclosure: AI drafted all changes across 10 parallel audit agents.
Each agent read code, compared claims, and edited docs. Codex
independently verified 20 key findings against the code (19/20
confirmed, 1 partial on pre-existing macOS autocert path gap).
Validation: prettier, cspell, yarn build all pass. Human reviewed
agent summaries and consolidated reference.json updates.
@desimone desimone requested a review from a team as a code owner March 27, 2026 22:33
@desimone desimone requested review from nickytonline and removed request for a team March 27, 2026 22:33
@netlify
Copy link
Copy Markdown

netlify bot commented Mar 27, 2026
edited
Loading

Deploy Preview for pomerium-docs ready!

Name Link
🔨 Latest commit 435d09f
🔍 Latest deploy log https://app.netlify.com/projects/pomerium-docs/deploys/69c705ce2997270008c31b30
😎 Deploy Preview https://deploy-preview-2138--pomerium-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

desimone
desimone commented Mar 27, 2026
View reviewed changes
cspell.json
"jsonencode",
"kubeconfig",
"metallb",
"Minisforum",
Copy link
Copy Markdown
Contributor Author

@desimone desimone Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some spillover from another guide I'm writing but it's fine

nickytonline
nickytonline approved these changes Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@nickytonline nickytonline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹

@desimone desimone merged commit 0146ca0 into main Mar 28, 2026
9 checks passed
@desimone desimone deleted the docs/reference-audit-against-code branch March 28, 2026 15:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickytonline nickytonline nickytonline approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@desimone @nickytonline