DOCS-691: document 4.51.0 and 1.144.0 release updates

.github/markdownlint/fence-tabs.txt

@@ -69,10 +69,12 @@ dnf
 DNS with AWS
 DNS with Azure
 DNS with GCP
+DNS with Cloudflare
 Docker
 Docker Hub Target
 docker-compose.yml
 Dynamic
+HTTP
 Dynamic Group
 Dynamic Mode
 Dynamic Secret
@@ -160,7 +162,7 @@ MSSQL
 MSSQL RDS
 Multi region
 MyAES256SIVKey
-MySQL/MariaDB
+MySQL (and MariaDB)
 MySQLWordPress.yaml
 Native Kubernetes
 Oauth2.0

.pre-commit-config.yaml

@@ -21,7 +21,7 @@ repos:
         files: \.md$
         pass_filenames: true
         require_serial: true
-        stages: [commit]
+        stages: [pre-commit]
 
       - id: cspell
         name: cspell (edited markdown files)
@@ -30,7 +30,7 @@ repos:
         files: \.md$
         pass_filenames: true
         require_serial: true
-        stages: [commit]
+        stages: [pre-commit]
 
       - id: lychee
         name: lychee (edited markdown files)
@@ -39,4 +39,4 @@ repos:
         files: \.md$
         pass_filenames: true
         require_serial: true
-        stages: [commit]
+        stages: [pre-commit]

docs/Accessing Akeyless/access-and-authentication-methods/auth-with-aws.md

@@ -95,7 +95,7 @@ For optional features that apply across Authentication Methods, see [Common Opti
 * **Bounded Role Names:** Enter one or more IAM role names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-name` for each value.
 * **Bounded Role IDs:** Enter one or more IAM role IDs that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-id` for each value.
 * **Bounded User names:** Enter one or more IAM user names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-user-name` for each value.
-* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`.
+* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`. For AWS China partitions, a regional endpoint is required; for example, `https://sts.cn-north-1.amazonaws.com.cn` for `cn-north-1`, or `https://sts.cn-northwest-1.amazonaws.cn` for `cn-northwest-1`.
 * **Unique Identifier:** Set a sub-claim key used to uniquely identify authenticated IAM principals.
 
 ## AWS Instance Metadata Service

docs/Advanced Functionality/audit-logs/log-actions.md

@@ -165,3 +165,12 @@ This page includes a thorough comb through all of the different options for the
 * `update_object_version_settings_for_account`: Update account settings for objects
 
 * `impersonation`: Impersonate another user in your Akeyless account
+
+## KMIP Certificate Expiry Observability
+
+KMIP certificate expiry is tracked through certificate event types in the [Event Center](https://docs.akeyless.io/docs/event-center), specifically:
+
+* `kmip-cert-pending-expiration`
+* `kmip-cert-expired`
+
+For KMIP-specific configuration actions in audit logs, use the KMIP action entries in this page (for example, `list_kmip_servers`) together with item and target actions, depending on the operation.

docs/Advanced Functionality/event-center/index.md

@@ -37,7 +37,7 @@ The following Events are currently supported:
 
 For `items-event-source-locations`:
 
-* `certificate-pending-expiration`: When a certificate is about to expire, the users sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item.
+* `certificate-pending-expiration`: When a certificate is about to expire, the user sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item.
 
 * `certificate-expired`: When a certificate is expired.
 
@@ -53,15 +53,17 @@ For `items-event-source-locations`:
 
 * `rotated-secret-failure`: Upon **automatic** rotation failure, including the error details.
 
+* `rotated-secret-partial-failure`: When an automatic rotation partially succeeds, some targets rotate successfully but at least one fails.
+
 * `secret-sync`: Upon **automatic** sync failure, including the error details.
 
 * `dynamic-secret-failure`: On general failure of a [Dynamic Secret](https://docs.akeyless.io/docs/how-to-create-dynamic-secret).
 
 * `static-secret-updated`: When a [Static Secret](https://docs.akeyless.io/docs/static-secrets) is set to trigger events on value changes.
 
-* `usage_unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval.
+* `usage-unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval.
 
-* `usage_unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval.
+* `usage-unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval.
 
 * `request-access`: When a user requests access, either for privilege permission or for a Secure Remote Access session. **Note**: Relevant also for `targets-event-source-locations`.
 
@@ -87,9 +89,20 @@ For `gateways-event-source-locations`:
 
 * `gateway-inactive`: When a Gateway changes its state to inactive, it must be set on the Gateway.
 
-* `gateway-certificate-about-to-expire`: When a Gateway certificate (Gateway Certificate Store) is about to expire.
+* `gateway-cert-pending-expiration`: When a Gateway certificate (Gateway Certificate Store) is about to expire, it must be set on the Gateway.
+
+* `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired, it must be set on the Gateway.
+
+### KMIP Certificate Expiry Coverage
+
+Certificate expiration events also apply to certificates used by the [KMIP Server](https://docs.akeyless.io/docs/kmip-server), including KMIP server and KMIP client certificates. These events are emitted by the Gateway.
+
+Use the following event types to monitor KMIP certificate lifecycle:
+
+* `kmip-cert-pending-expiration`: When a KMIP certificate is about to expire, it must be set on the Gateway.
+* `kmip-cert-expired`: When a KMIP certificate has expired, it must be set on the Gateway.
 
-* `gateway-certificate-expired`: When a Gateway certificate (Gateway Certificate Store) is expired.
+To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center#event-forwarders).
 
 ## Event Forwarders
 

docs/Akeyless Gateway/configure-gateway/gateway-automatic-migration.md

@@ -29,15 +29,42 @@ Before running migration workflows:
 * Validate network connectivity from Gateway to source systems and Akeyless services.
 * Prepare destination paths and required encryption settings.
 
+## Security Guidance
+
+* Use least-privilege credentials for source access.
+* Avoid broad admin permissions when migration-specific permissions are sufficient.
+* Rotate temporary migration credentials after the migration window closes.
+
 ## Configuration Scope
 
 Automatic migration configuration usually includes:
 
 * Source system connection parameters.
 * Authentication credentials or identity settings.
 * Migration mode and target path strategy.
+* [HashiCorp Vault metadata preservation mode](#hashicorp-vault-metadata-preservation-mode) (`full`, `minimal`, or `none`) when configuring HashiCorp Vault migrations.
 * Conflict handling behavior for existing items.
 
+## HashiCorp Vault Metadata Preservation Mode
+
+When migrating from HashiCorp Vault, Akeyless supports Key/Value (KV) v2 secret engines, which store metadata alongside each secret value. The `--hashi-metadata-mode` flag controls how much of that metadata is carried over to Akeyless.
+
+If the flag is omitted on `gateway-create-migration`, the mode defaults to `full`. On `gateway-update-migration`, omitting the flag leaves the existing mode unchanged.
+
+| Mode | What is migrated |
+| --- | --- |
+| `full` | The complete KV v2 metadata block, trimmed to only the secret versions being imported. |
+| `minimal` | Only the [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata) field from the KV v2 metadata block. All other metadata fields are discarded. |
+| `none` | No metadata. Only the secret values are migrated. |
+
+### When to choose each mode
+
+* Use `full` when you need to preserve as much Vault context as possible, for example, when keeping version history alignment or retaining all metadata fields for auditing.
+* Use `minimal` when only your own custom key–value annotations (stored in [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata)) are needed in Akeyless and you want to reduce migration payload size.
+* Use `none` when metadata is not relevant to your use case and you want the smallest possible migration footprint.
+
+Set the mode with the `--hashi-metadata-mode` flag on `gateway-create-migration` or `gateway-update-migration`. For full flag reference, see the [Automatic Migration CLI Reference](https://docs.akeyless.io/docs/cli-reference-automatic-migration).
+
 ## Operational Guidance
 
 Use a phased rollout:
@@ -47,12 +74,6 @@ Use a phased rollout:
 3. Expand migration scope after successful validation.
 4. Monitor Gateway logs during migration and remediation.
 
-## Security Guidance
-
-* Use least-privilege credentials for source access.
-* Avoid broad admin permissions when migration-specific permissions are sufficient.
-* Rotate temporary migration credentials after the migration window closes.
-
 ## CLI Reference
 
 For command-level usage and flags, use the Automatic Migration CLI reference:

docs/Encryption & KMS/kmip-server/index.md

@@ -18,6 +18,19 @@ The [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) built-in
 
 Cryptographic objects managed by the Akeyless KMIP server are stored under the `/kmip/default/` path, hence your [Akeyless Gateway](https://docs.akeyless.io/docs/gateway-overview) authentication method must have sufficient privileges, including `create`, `list`, `delete` and `read` rules, under the `/kmip/default/*` path. This path can be changed during the KMIP server setup.
 
+## KMIP Certificate Expiry Events
+
+KMIP server and KMIP client certificates are time-bound objects. To reduce renewal failures and service interruptions, monitor certificate expiration events in the [Event Center](https://docs.akeyless.io/docs/event-center).
+
+For KMIP certificate observability, use the following event types:
+
+* `kmip-cert-pending-expiration`: Triggered before certificate expiration based on the certificate's configured expiration-notification window. Set that window when you create or update the certificate, then use [Event Forwarders](https://docs.akeyless.io/docs/event-center) to route the alert.
+* `kmip-cert-expired`: Triggered when a certificate has expired.
+
+To route these events to operational channels, configure an [Event Forwarder](https://docs.akeyless.io/docs/event-center).
+
+For audit action taxonomy, see [Log Actions](https://docs.akeyless.io/docs/log-actions).
+
 > ℹ️ **Note:**
 >
 > Only users from your Gateway admins list can configure the KMIP server.

docs/Integrations & Plugins/cli-reference/cli-ref-auth/cli-reference-universal-identity.md

@@ -98,6 +98,88 @@ List the token children ids of Akeyless Universal Identity
 akeyless uid-list-children --auth-method-name <UID Auth Method Name>
 ```
 
+## `uid-auto-rotate`
+
+Configure automatic UID token rotation
+
+### Usage
+
+```shell
+akeyless uid-auto-rotate <init|rotate|status|uninstall>
+```
+
+The `init` subcommand initializes rotation and stores the token file. The `rotate`, `status`, and `uninstall` subcommands use the stored token file and the configured gateway URL.
+
+### `init`
+
+Initialize automatic UID token rotation.
+
+#### Usage
+
+```shell
+akeyless uid-auto-rotate init \
+--rotation-interval <1|15|60|240|1440> \
+--uid-token <UID Token>
+```
+
+#### Flags
+
+`-t, --uid-token`: Optional. Universal Identity token. If omitted, use the `AKEYLESS_UID_TOKEN` environment variable.
+
+`--rotation-interval`: **Required** for `init`. Rotation interval in minutes. Supported values: `1`, `15`, `60`, `240`, `1440`.
+
+`-i, --token-file-path`: Optional. Path to store the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows.
+
+`--gateway-api-url`: Optional. Gateway URL for rotation requests. If omitted, Akeyless uses the configured `AKEYLESS_GATEWAY_URL` value.
+
+`--scheduling-mode[=cron]`: Scheduler mode. Supported values: `cron`, `systemd`, `windows-task`.
+
+`--cron-mode[=user]`: Cron installation mode when `--scheduling-mode=cron`. Supported values: `user`, `system`.
+
+### `rotate`
+
+Rotate the current UID token on demand.
+
+#### Usage
+
+```shell
+akeyless uid-auto-rotate rotate
+```
+
+#### Flags
+
+`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows.
+
+`--gateway-api-url`: Optional. Gateway URL for rotation requests. If omitted, Akeyless uses the configured `AKEYLESS_GATEWAY_URL` value.
+
+### `status`
+
+Check the current UID auto-rotate setup.
+
+#### Usage
+
+```shell
+akeyless uid-auto-rotate status
+```
+
+#### Flags
+
+`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows.
+
+### `uninstall`
+
+Remove the UID auto-rotate setup and scheduled entry.
+
+#### Usage
+
+```shell
+akeyless uid-auto-rotate uninstall
+```
+
+#### Flags
+
+`-i, --token-file-path`: Optional. Path to the rotated UID token file. If omitted, Akeyless uses `~/.akeyless/uid_rotator/uid-token` on Unix-like systems or `PROGRAMDATA\akeyless\uid_rotator\uid-token` on Windows.
+
 ## `uid-revoke-token`
 
 Revoke token using Akeyless Universal Identity