chore: update Ory Console links to .com domain

[wassimoo]

Related Issue or Design Document

Checklist

• I have read the contributing guidelines and signed the CLA.
• I have referenced an issue containing the design document if my change introduces a new feature.
• I have read the security policy.
• I confirm that this pull request does not address a security vulnerability.
  If this pull request addresses a security vulnerability,
  I confirm that I got approval (please contact security@ory.com) from the maintainers to push the changes.
• I have added tests that prove my fix is effective or that my feature works.
• I have added the necessary documentation within the code base (if appropriate).

Summary by CodeRabbit

Release Notes

• Documentation

  • Updated all Ory Console links from console.ory.sh to console.ory.com across documentation and components.

• Chores

  • Added automated validation for console links to ensure consistency and accessibility across the codebase.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR migrates all Ory Console references from the legacy console.ory.sh domain to console.ory.com across components, documentation, and hooks. It simultaneously introduces a new validation script that scans the repository to detect remaining legacy links and verify endpoint reachability, integrated as a GitHub Actions check and npm command.

Changes

Console Domain Migration to ory.com

Layer / File(s)	Summary
Console link validation infrastructure src/scripts/check-console-links.js, package.json, .github/workflows/static_checks.yml	New Node.js script scans the repository for console URLs using configurable regex matching, detects legacy console.ory.sh links and reports them as errors, performs concurrent HTTP HEAD requests to validate console.ory.com reachability, and reports 404s or request failures with formatted output. Registered as npm run check-console-links and integrated into CI via a new GitHub Actions job.
Console domain URL updates src/components/ConsoleLink/console-routes.ts, src/components/ConsoleLink/console-link.tsx, src/components/OryHeroDemo.jsx, src/components/OryNetworkCta/ory-network-cta.tsx, src/components/welcomePage/ContentSection.tsx, src/hooks/index.ts, README.md, docs/kratos/guides/multi-tenancy-multitenant.md	All hardcoded references to console.ory.sh are replaced with console.ory.com in component examples, CTA configurations, registration links, documentation examples, and SDK helper hint text. The central routing configuration in console-routes.ts is updated first, followed by component usages and documentation references.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

upstream

Suggested reviewers

• zepatrik
• piotrmsc
• vinckr
• aeneasr
• unatasha8

Poem

🐰 From .sh to .com, a URL takes flight,
The console hops domains, shiny and bright!
A guardian script now stands at the gate,
Catching old links before they're too late.
One domain unified—oh, what a sight! ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description consists only of the template without any substantive content explaining the motivation, impact, or context for the changes.	Replace the template comments with actual explanations of why this change was made, what the impact is, and provide relevant issue/design document links if applicable.
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: updating Ory Console links from .sh to .com domain across the repository.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/migrate-console-links-to-dot-com

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

.github/workflows/static_checks.yml (2)

24-34: Consider least-privilege permissions for the new job.

This job (like the others in the file) relies on default workflow permissions and persisted credentials. Since it only checks out code and runs a Node script, scoping it to read-only would tighten the security posture without affecting behavior. This applies workflow-wide, so it may be better addressed consistently rather than for this job alone.

🔒 Example

   check-console-links:
     name: Check console links for 404s
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/static_checks.yml around lines 24 - 34, The
check-console-links job should use least-privilege credentials: add a
permissions block (e.g., permissions: contents: read) at the job or top-level
workflow to restrict token scope, and set the checkout action to not persist the
workflow token (set actions/checkout's persist-credentials to false) so Node npm
commands run without retaining write permissions; update the job named
check-console-links and the actions/checkout@v6 step to apply these changes (or
apply them workflow-wide for consistency).

---

33-33: 💤 Low value

Prefer npm ci for reproducible CI installs.

.github/workflows/static_checks.yml runs npm install, but the repo includes a root package-lock.json; switching to npm ci makes CI installs deterministic and lockfile-faithful.

♻️ Proposed change

-      - run: npm install
+      - run: npm ci

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/static_checks.yml at line 33, Replace the CI step that
runs the literal command "npm install" with "npm ci" in the workflow so the job
uses lockfile-faithful, reproducible installs; locate the step containing the
run command "npm install" in the static_checks.yml workflow and change that
value to "npm ci".

src/components/ConsoleLink/console-link.tsx (1)

63-64: ⚡ Quick win

Avoid hardcoding the Console base URL — reuse the centralized route.

routes.default.console already holds https://console.ory.com/, yet the base is hardcoded again here. This duplication is precisely what forces a multi-file change on each domain migration and risks future divergence. Reuse the single source of truth (mind the trailing slash, since resolvedRoute already begins with /).

♻️ Proposed change

   const renderedRoute =
-    "https://console.ory.com" + resolvedRoute.replace("[project]", "current")
+    routes.default.console.replace(/\/$/, "") +
+    resolvedRoute.replace("[project]", "current")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/ConsoleLink/console-link.tsx` around lines 63 - 64, The code
hardcodes "https://console.ory.com" when building renderedRoute; instead use the
centralized routes.default.console value to avoid duplication. Update the
construction of renderedRoute to concatenate routes.default.console with
resolvedRoute.replace("[project]", "current"), ensuring you handle the trailing
slash (trim a trailing slash from routes.default.console or the leading slash
from resolvedRoute so you don't produce a double "//"). Reference:
renderedRoute, resolvedRoute, and routes.default.console.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/components/welcomePage/ContentSection.tsx`:
- Line 12: The registration CTA in ContentSection currently hardcodes a URL with
a specific flow query param ("https://console.ory.com/registration?flow=...");
remove the fixed flow parameter so the component/link uses the stable entrypoint
("https://console.ory.com/registration") instead (update the hardcoded string
where it appears in ContentSection.tsx or the constant that provides the URL),
ensuring the anchor/href or NavLink no longer appends "?flow=..." so sign-ups
use the server-generated/active flow.

In `@src/scripts/check-console-links.js`:
- Line 20: SKIP_FILES currently uses a basename set (SKIP_FILES) and walkDir
checks entry.name, which causes entire files like README.md and any file named
console-link.tsx anywhere to be ignored; change the logic to stop skipping
README.md entirely and instead match console-link.tsx by its repo-relative path
(or exact relative path suffix) when deciding to skip only the URL reachability
check. Update the skip check in the walkDir/scan routine to use the file's
repo-relative path (not entry.name) and, for console-link.tsx, only bypass the
external HTTP reachability test while still scanning the file contents for
legacy console.ory.sh links.

---

Nitpick comments:
In @.github/workflows/static_checks.yml:
- Around line 24-34: The check-console-links job should use least-privilege
credentials: add a permissions block (e.g., permissions: contents: read) at the
job or top-level workflow to restrict token scope, and set the checkout action
to not persist the workflow token (set actions/checkout's persist-credentials to
false) so Node npm commands run without retaining write permissions; update the
job named check-console-links and the actions/checkout@v6 step to apply these
changes (or apply them workflow-wide for consistency).
- Line 33: Replace the CI step that runs the literal command "npm install" with
"npm ci" in the workflow so the job uses lockfile-faithful, reproducible
installs; locate the step containing the run command "npm install" in the
static_checks.yml workflow and change that value to "npm ci".

In `@src/components/ConsoleLink/console-link.tsx`:
- Around line 63-64: The code hardcodes "https://console.ory.com" when building
renderedRoute; instead use the centralized routes.default.console value to avoid
duplication. Update the construction of renderedRoute to concatenate
routes.default.console with resolvedRoute.replace("[project]", "current"),
ensuring you handle the trailing slash (trim a trailing slash from
routes.default.console or the leading slash from resolvedRoute so you don't
produce a double "//"). Reference: renderedRoute, resolvedRoute, and
routes.default.console.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 59ec5970-e74a-4547-8361-03494aa15326

📥 Commits

Reviewing files that changed from the base of the PR and between 5405c36 and 278c775.

⛔ Files ignored due to path filters (56)

• docs/_common/get-started-setup.mdx is excluded by !**/*.mdx
• docs/_common/need-help.mdx is excluded by !**/*.mdx
• docs/account-experience/index.mdx is excluded by !**/*.mdx
• docs/actions/live-events.mdx is excluded by !**/*.mdx
• docs/concepts/cache.mdx is excluded by !**/*.mdx
• docs/concepts/personal-access-token.mdx is excluded by !**/*.mdx
• docs/console/change-owner.mdx is excluded by !**/*.mdx
• docs/console/single-sign-on.mdx is excluded by !**/*.mdx
• docs/console/usage-billing.mdx is excluded by !**/*.mdx
• docs/getting-started/_common/configure-production-sdk-url.mdx is excluded by !**/*.mdx
• docs/getting-started/_common/create-project.mdx is excluded by !**/*.mdx
• docs/getting-started/integrate-auth/14_auth-js.mdx is excluded by !**/*.mdx
• docs/getting-started/integrate-auth/16_nextjs_app_router.mdx is excluded by !**/*.mdx
• docs/getting-started/integrate-auth/17_nextjs_pages_router.mdx is excluded by !**/*.mdx
• docs/getting-started/local-development.mdx is excluded by !**/*.mdx
• docs/guides/cli/15_config-identity-service.mdx is excluded by !**/*.mdx
• docs/guides/cli/16_configure-oauth2-service.mdx is excluded by !**/*.mdx
• docs/guides/cli/17_configure-permission-service.mdx is excluded by !**/*.mdx
• docs/guides/cors.mdx is excluded by !**/*.mdx
• docs/guides/manage-project-via-api.mdx is excluded by !**/*.mdx
• docs/guides/permissions/overview.mdx is excluded by !**/*.mdx
• docs/hydra/guides/custom-ui-oauth2.mdx is excluded by !**/*.mdx
• docs/identities/get-started/account-recovery.mdx is excluded by !**/*.mdx
• docs/identities/get-started/mfa.mdx is excluded by !**/*.mdx
• docs/identities/get-started/passwordless.mdx is excluded by !**/*.mdx
• docs/identities/get-started/setup.mdx is excluded by !**/*.mdx
• docs/identities/get-started/social-sign-in.mdx is excluded by !**/*.mdx
• docs/identities/model/manage-identity-schema.mdx is excluded by !**/*.mdx
• docs/identities/sign-in/code_submission_limit.mdx is excluded by !**/*.mdx
• docs/identities/sign-in/identifier-first-authentication.mdx is excluded by !**/*.mdx
• docs/intro.mdx is excluded by !**/*.mdx
• docs/keto/index.mdx is excluded by !**/*.mdx
• docs/kratos/emails-sms/01_sending-emails-smtp.mdx is excluded by !**/*.mdx
• docs/kratos/manage-identities/25_import-user-accounts-identities.mdx is excluded by !**/*.mdx
• docs/kratos/mfa/05_step-up-authentication.mdx is excluded by !**/*.mdx
• docs/kratos/mfa/15_totp.mdx is excluded by !**/*.mdx
• docs/kratos/mfa/20_webauthn-fido-yubikey.mdx is excluded by !**/*.mdx
• docs/kratos/mfa/25_lookup-secrets.mdx is excluded by !**/*.mdx
• docs/kratos/organizations/organizations.mdx is excluded by !**/*.mdx
• docs/kratos/passwordless/05_passkeys.mdx is excluded by !**/*.mdx
• docs/kratos/quickstart.mdx is excluded by !**/*.mdx
• docs/kratos/sdk/05_go.mdx is excluded by !**/*.mdx
• docs/kratos/session-management/10_session-lifespan.mdx is excluded by !**/*.mdx
• docs/kratos/social-signin/01_overview.mdx is excluded by !**/*.mdx
• docs/kratos/social-signin/90_data-mapping.mdx is excluded by !**/*.mdx
• docs/migrate-to-ory/auth0.mdx is excluded by !**/*.mdx
• docs/migrate-to-ory/migrate/create-project.mdx is excluded by !**/*.mdx
• docs/network/getting-started/index.mdx is excluded by !**/*.mdx
• docs/security-compliance/personal-data-location.mdx is excluded by !**/*.mdx
• docs/self-hosted/oel/kratos/upgrade.mdx is excluded by !**/*.mdx
• docs/self-hosted/oel/oathkeeper/upgrade-oathkeeper.mdx is excluded by !**/*.mdx
• docs/troubleshooting/40_mandatory-redirect-uri.mdx is excluded by !**/*.mdx
• docs/troubleshooting/50_account-linking-response-code.mdx is excluded by !**/*.mdx
• src/components/Shared/keto/index.mdx is excluded by !**/*.mdx
• src/components/Shared/keto/overview.mdx is excluded by !**/*.mdx
• src/components/Shared/kratos/quickstart.mdx is excluded by !**/*.mdx

📒 Files selected for processing (11)

• .github/workflows/static_checks.yml
• README.md
• docs/kratos/guides/multi-tenancy-multitenant.md
• package.json
• src/components/ConsoleLink/console-link.tsx
• src/components/ConsoleLink/console-routes.ts
• src/components/OryHeroDemo.jsx
• src/components/OryNetworkCta/ory-network-cta.tsx
• src/components/welcomePage/ContentSection.tsx
• src/hooks/index.ts
• src/scripts/check-console-links.js