Draft
25 commits
3926108
DOCS-691: document 4.51.0 and 1.144.0 release updates
harrison-akeyless May 11, 2026
d41f8c1
docs: update fenced code block labels for Cloudflare DNS and HTTP
harrison-akeyless May 11, 2026
f91b668
docs: enhance KMIP certificate expiry documentation and add Cloudflar…
harrison-akeyless May 11, 2026
02bed3d
docs: update KMIP certificate event types in multiple documents for c…
harrison-akeyless May 11, 2026
74471fe
docs: standardize formatting for DNS provider details across multiple…
harrison-akeyless May 11, 2026
b44236a
docs: update title for Cloudflare target documentation to improve cla…
harrison-akeyless May 11, 2026
844aa6d
docs: correct typo in EAB HMAC key description for DigiCert target CL…
harrison-akeyless May 11, 2026
df20323
docs: standardize event type naming conventions in Event Center docum…
harrison-akeyless May 11, 2026
9e80672
docs: relocate KMIP certificate expiry coverage section to improve cl…
harrison-akeyless May 11, 2026
de32481
docs: enhance clarity and detail in KMIP certificate event types and …
harrison-akeyless May 11, 2026
717ed31
Merge branch 'v1.0' into v1.0_docs-691-gateway-4-51-0-cli-1-144-0
harrison-akeyless May 12, 2026
40cf233
docs: enhance security guidance and add HashiCorp Vault metadata pres…
harrison-akeyless May 12, 2026
2e4eb00
docs: update AWS STS endpoint guidance for China partitions in IAM au…
harrison-akeyless May 12, 2026
3d0ede9
docs: add expiration parameter for GCP Secret Manager in USC CLI comm…
harrison-akeyless May 12, 2026
4758503
docs: add optional expiration and activation date parameters for Azur…
harrison-akeyless May 12, 2026
f174284
docs: clarify default behavior of --hashi-metadata-mode flag in Hashi…
harrison-akeyless May 12, 2026
fd28fc1
docs: clarify Gateway certificate expiration event descriptions in Ev…
harrison-akeyless May 12, 2026
948c5ba
Merge branch 'v1.0' into v1.0_docs-691-gateway-4-51-0-cli-1-144-0
harrison-akeyless May 12, 2026
88bc435
docs: update HMAC key descriptions for DigiCert and Google CA targets
harrison-akeyless May 12, 2026
d2681b6
docs: update Cloudflare DNS validation description in certificate aut…
harrison-akeyless May 12, 2026
5cdccda
docs: update Cloudflare target documentation for clarity and complete…
harrison-akeyless May 12, 2026
49f1df8
docs: add Cloudflare target creation and update instructions to CLI r…
harrison-akeyless May 12, 2026
7b41396
docs: add description for rotated-secret-partial-failure event in Eve…
harrison-akeyless May 12, 2026
d62eea3
docs: replace UI navigation chevrons with words
harrison-akeyless May 12, 2026
4f960c4
Merge branch 'v1.0' into v1.0_docs-nav-path-style
harrison-akeyless May 12, 2026
2 changes: 2 additions & 0 deletions .github/markdownlint/fence-tabs.txt
Original file line number Diff line number Diff line change
Expand Up @@ -69,10 +69,12 @@ dnf
DNS with AWS
DNS with Azure
DNS with GCP
DNS with Cloudflare
Docker
Docker Hub Target
docker-compose.yml
Dynamic
HTTP
Dynamic Group
Dynamic Mode
Dynamic Secret
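Review bot: `HTTP` lands between `Dynamic` and `Dynamic Group`, and `DNS with Cloudflare` after `DNS with GCP`, while every other entry visible in this hunk is in case-insensitive alphabetical order. If the list is meant to stay sorted, move `DNS with Cloudflare` ahead of `DNS with GCP` and place `HTTP` with the other H entries; if order carries no meaning for the linter, a one-line comment at the top of the file saying so would prevent the same question later.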
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ For optional features that apply across Authentication Methods, see [Common Opti
* **Bounded Role Names:** Enter one or more IAM role names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-name` for each value.
* **Bounded Role IDs:** Enter one or more IAM role IDs that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-role-id` for each value.
* **Bounded User names:** Enter one or more IAM user names that are allowed to authenticate. In the Console, enter values as a comma-separated list. With the CLI, repeat `--bound-user-name` for each value.
* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`.
* **Custom STS Endpoint:** Set a custom AWS STS endpoint URL if your environment requires a non-default endpoint. If not set, Akeyless uses `https://sts.amazonaws.com`. For AWS China partitions, a regional endpoint is required; for example, `https://sts.cn-north-1.amazonaws.com.cn` for `cn-north-1`, or `https://sts.cn-northwest-1.amazonaws.cn` for `cn-northwest-1`.
* **Unique Identifier:** Set a sub-claim key used to uniquely identify authenticated IAM principals.

## AWS Instance Metadata Service
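Review bot: The two China examples in the **Custom STS Endpoint** bullet use different domain suffixes: `https://sts.cn-north-1.amazonaws.com.cn` and `https://sts.cn-northwest-1.amazonaws.cn`. AWS China regional endpoints use the `amazonaws.com.cn` suffix, so the `cn-northwest-1` example should read `https://sts.cn-northwest-1.amazonaws.com.cn`. As written, a reader who copies the second URL will point IAM authentication at a host that is not the regional STS endpoint.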
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ Where:

## Set an Encryption Key Policy with the Console

1. Log in to the Akeyless Console, and go to **Account Settings** > **Key Management**.
1. Log in to the Akeyless Console, and go to **Account Settings**, then **Key Management**.
2. In the **Key Management Policies** section, press **Add**.
3. Define the remaining parameters as follows:
* **Object Type**: Choose either **Item** or **Target**.
Expand Down
9 changes: 9 additions & 0 deletions docs/Advanced Functionality/audit-logs/log-actions.md
Original file line number Diff line number Diff line change
Expand Up @@ -165,3 +165,12 @@ This page includes a thorough comb through all of the different options for the
* `update_object_version_settings_for_account`: Update account settings for objects

* `impersonation`: Impersonate another user in your Akeyless account

## KMIP Certificate Expiry Observability

KMIP certificate expiry is tracked through certificate event types in the [Event Center](https://docs.akeyless.io/docs/event-center), specifically:

* `kmip-cert-pending-expiration`
* `kmip-cert-expired`

For KMIP-specific configuration actions in audit logs, use the KMIP action entries in this page (for example, `list_kmip_servers`) together with item and target actions, depending on the operation.
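Review bot: The Event Center link in the new **KMIP Certificate Expiry Observability** section goes to the top of `https://docs.akeyless.io/docs/event-center` rather than to the **KMIP Certificate Expiry Coverage** subsection this PR adds to the Event Center page. Link to that subsection's anchor so readers land on the `kmip-cert-pending-expiration` and `kmip-cert-expired` descriptions, and change "in this page" to "on this page" in the closing sentence.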
Original file line number Diff line number Diff line change
Expand Up @@ -220,15 +220,15 @@ Once finish, you will have a new role in the source Account that trusts itself a

To work with this role from Akeyless, an [AWS Target](https://docs.akeyless.io/docs/aws-targets) is required:

1. Navigate to **Targets** > **New** > **AWS**. Press **Next**.
1. Navigate to **Targets**, then **New**, then **AWS**. Press **Next**.
2. Give the Target a **Name** and optionally, a **Location**. Press **Next**.
3. Choose **Use Gateway's Cloud Identity** and click **Finish**

## Destination Account Configuration

To have a centralized Gateway that will be able to manage resources in multiple AWS Accounts, A target in Akeyless with an [External ID](https://aws.amazon.com/blogs/apn/securely-using-external-id-for-accessing-aws-accounts-owned-by-others/) is required.

1. Navigate to **Targets** > **New** > **AWS**. Press **Next**.
1. Navigate to **Targets**, then **New**, then **AWS**. Press **Next**.
2. Give the Target a **Name** and optionally, a **Location**. Press **Next**.
3. Choose **Use Gateway's Cloud Identity** and check the **External ID** option.

Expand Down Expand Up @@ -485,7 +485,7 @@ Then, enter the GW console - `https://public-ip>:8000/console`

This example will use **IAM\_USER** mode, this will create a new temporary user in the destination account in AWS.

In Akeyless, Navigate to **Items** > **New** > **Dynamic Secret** > **AWS**.
In Akeyless, Navigate to **Items**, then **New**, then **Dynamic Secret**, then **AWS**.

1. Give the Dynamic Secret a name and select **Next**.
2. Choose the **Target** that was created with the **External ID**.
Expand All @@ -500,7 +500,7 @@ You will get the credentials of the new temporary user that was created in the d

Now, we will use an AWS [Rotated Secret](https://docs.akeyless.io/docs/create-an-aws-rotated-secret).

In Akeyless, Navigate to **Items** > **New** > **Rotated Secret** > **AWS**.
In Akeyless, Navigate to **Items**, then **New**, then **Rotated Secret**, then **AWS**.

1. Give the Dynamic Secret a name and select **Next**.
2. Choose the **Target** that was created with the **External ID**.
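Review bot: Step 1 of the Rotated Secret walkthrough still reads "Give the Dynamic Secret a name and select **Next**", which does not match the **Rotated Secret** item named in the navigation line changed just above it. Since this hunk already touches the section, change it to "Give the Rotated Secret a name", and lowercase "Navigate" in "In Akeyless, Navigate to" in both changed navigation lines.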
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,13 @@ In this case, for simplicity, we used [API Key](https://docs.akeyless.io/docs/au

In the Akeyless Console, navigate to **Users & Auth Methods**.

1. Click **New** > **AWS IAM**.
1. Click **New**, then **AWS IAM**.

2. Provide a name AWS Account and click **Finish**. More details about the AWS IAM authentication method can be found [here](https://docs.akeyless.io/docs/auth-with-aws)

In addition, to create an authentication methods that support user login, for simplicity, we will use [API Key](https://docs.akeyless.io/docs/auth-with-api-key)

1. Click **New** > **API Key**
1. Click **New**, then **API Key**
2. Provide a name and click **Finish**

> ℹ️ **Note (API Key Credentials):**
Expand Down Expand Up @@ -65,7 +65,7 @@ The following steps will be used to set up the Gateway and create the required *

To deploy the Akeyless Gateway using [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html):

1. Open the **AWS Console**, navigate to **CloudFormation** > **Create Stack** > **With new resources (standard)**
1. Open the **AWS Console**, navigate to **CloudFormation**, then **Create Stack**, then **With new resources (standard)**

2. Select **Upload a template file**, then upload the `yaml` file containing the CloudFormation template.

Expand Down Expand Up @@ -587,7 +587,7 @@ The following steps will create the required resources in Akeyless to generate a

### Create a Rotated Secret

1. Go to **Items** > **New** > **Rotated Secret**, then select **AWS**.
1. Go to **Items**, then **New**, then **Rotated Secret**, then select **AWS**.

2. Provide a name and location.

Expand All @@ -605,7 +605,7 @@ Click the **eye** icon to view the current credentials, or select **Rotate Secre

### Create a Universal Secret Connector (USC)

1. Go to **Items** > **New** > **Universal Secret Connector**, and choose **AWS**.
1. Go to **Items**, then **New**, then **Universal Secret Connector**, and choose **AWS**.

2. Provide a name and location.

Expand Down
23 changes: 18 additions & 5 deletions docs/Advanced Functionality/event-center/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ The following Events are currently supported:

For `items-event-source-locations`:

* `certificate-pending-expiration`: When a certificate is about to expire, the users sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item.
* `certificate-pending-expiration`: When a certificate is about to expire, the user sets and controls this event directly from the [PKI Issuer](https://docs.akeyless.io/docs/ssh-and-pkitls-certificates) or from the [Certificate](https://docs.akeyless.io/docs/certificate-storage) item.

* `certificate-expired`: When a certificate is expired.

Expand All @@ -53,15 +53,17 @@ For `items-event-source-locations`:

* `rotated-secret-failure`: Upon **automatic** rotation failure, including the error details.

* `rotated-secret-partial-failure`: When an automatic rotation partially succeeds, some targets rotate successfully but at least one fails.

* `secret-sync`: Upon **automatic** sync failure, including the error details.

* `dynamic-secret-failure`: On general failure of a [Dynamic Secret](https://docs.akeyless.io/docs/how-to-create-dynamic-secret).

* `static-secret-updated`: When a [Static Secret](https://docs.akeyless.io/docs/static-secrets) is set to trigger events on value changes.

* `usage_unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval.
* `usage-unused`: When a global event is set in the Account settings, for secrets that have not been used or changed within the defined interval.

* `usage_unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval.
* `usage-unrotated`: When a global event is set in the Account settings, for [Rotated Secrets](https://docs.akeyless.io/docs/rotated-secrets) that have not been rotated within the defined interval.

* `request-access`: When a user requests access, either for privilege permission or for a Secure Remote Access session. **Note**: Relevant also for `targets-event-source-locations`.

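Review bot: `usage_unused` and `usage_unrotated` become `usage-unused` and `usage-unrotated` in this hunk, and these strings are identifiers that readers copy into event configuration, so the rename needs confirming against the names the product actually emits. If the underscore forms were ever accepted, keep a short mention of them so existing configurations can be matched to the docs. Separately, the new `rotated-secret-partial-failure` bullet has a comma splice; "When an automatic rotation partially succeeds: some targets rotate successfully but at least one fails" reads more clearly.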
Expand All @@ -87,9 +89,20 @@ For `gateways-event-source-locations`:

* `gateway-inactive`: When a Gateway changes its state to inactive, it must be set on the Gateway.

* `gateway-certificate-about-to-expire`: When a Gateway certificate (Gateway Certificate Store) is about to expire.
* `gateway-cert-pending-expiration`: When a Gateway certificate (Gateway Certificate Store) is about to expire, it must be set on the Gateway.

* `gateway-cert-expired`: When a Gateway certificate (Gateway Certificate Store) is expired, it must be set on the Gateway.

### KMIP Certificate Expiry Coverage

Certificate expiration events also apply to certificates used by the [KMIP Server](https://docs.akeyless.io/docs/kmip-server), including KMIP server and KMIP client certificates. These events are emitted by the Gateway.

Use the following event types to monitor KMIP certificate lifecycle:

* `kmip-cert-pending-expiration`: When a KMIP certificate is about to expire, it must be set on the Gateway.
* `kmip-cert-expired`: When a KMIP certificate has expired, it must be set on the Gateway.

* `gateway-certificate-expired`: When a Gateway certificate (Gateway Certificate Store) is expired.
To notify operations teams, configure forwarding rules in [Event Forwarders](https://docs.akeyless.io/docs/event-center).

## Event Forwarders

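Review bot: "it must be set on the Gateway" in the new `gateway-cert-*` and `kmip-cert-*` bullets is ambiguous, because "it" grammatically refers to the certificate rather than to the event. Make it a separate sentence, for example "This event must be enabled on the Gateway." The renames from `gateway-certificate-about-to-expire` and `gateway-certificate-expired` to the `gateway-cert-*` forms should also be checked against the emitted event names, since alerting on certificate expiry depends on an exact match. Finally, the closing sentence links **Event Forwarders** to `https://docs.akeyless.io/docs/event-center`, which appears to be this same page, while the `## Event Forwarders` heading follows directly; an in-page anchor would be more useful.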
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,15 +29,42 @@ Before running migration workflows:
* Validate network connectivity from Gateway to source systems and Akeyless services.
* Prepare destination paths and required encryption settings.

## Security Guidance

* Use least-privilege credentials for source access.
* Avoid broad admin permissions when migration-specific permissions are sufficient.
* Rotate temporary migration credentials after the migration window closes.

## Configuration Scope

Automatic migration configuration usually includes:

* Source system connection parameters.
* Authentication credentials or identity settings.
* Migration mode and target path strategy.
* [HashiCorp Vault metadata preservation mode](#hashicorp-vault-metadata-preservation-mode) (`full`, `minimal`, or `none`) when configuring HashiCorp Vault migrations.
* Conflict handling behavior for existing items.

## HashiCorp Vault Metadata Preservation Mode

When migrating from HashiCorp Vault, Akeyless supports KV v2 secret engines, which store metadata alongside each secret value. The `--hashi-metadata-mode` flag controls how much of that metadata is carried over to Akeyless.

If the flag is omitted on `gateway-create-migration`, the mode defaults to `full`. On `gateway-update-migration`, omitting the flag leaves the existing mode unchanged.

| Mode | What is migrated |
| --- | --- |
| `full` | The complete KV v2 metadata block, trimmed to only the secret versions being imported. |
| `minimal` | Only the [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata) field from the KV v2 metadata block. All other metadata fields are discarded. |
| `none` | No metadata. Only the secret values are migrated. |

### When to choose each mode

* Use `full` when you need to preserve as much Vault context as possible, for example, when keeping version history alignment or retaining all metadata fields for auditing.
* Use `minimal` when only your own custom key–value annotations (stored in [custom_metadata](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2#custom-metadata)) are needed in Akeyless and you want to reduce migration payload size.
* Use `none` when metadata is not relevant to your use case and you want the smallest possible migration footprint.

Set the mode with the `--hashi-metadata-mode` flag on `gateway-create-migration` or `gateway-update-migration`. For full flag reference, see the [Automatic Migration CLI Reference](https://docs.akeyless.io/docs/cli-reference-automatic-migration).

## Operational Guidance

Use a phased rollout:
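Review bot: The new **HashiCorp Vault Metadata Preservation Mode** section states that omitting `--hashi-metadata-mode` on `gateway-create-migration` defaults to `full`, the mode that copies the most metadata, yet the **Security Guidance** bullets now placed directly above it say nothing about metadata. Consider adding a bullet there that asks readers to check what their Vault `custom_metadata` contains before migrating and to choose `minimal` or `none` when it should not be carried over. The section's last paragraph also repeats the flag and command names already given in its first two paragraphs and could be reduced to the CLI reference link.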
Expand All @@ -47,12 +74,6 @@ Use a phased rollout:
3. Expand migration scope after successful validation.
4. Monitor Gateway logs during migration and remediation.

## Security Guidance

* Use least-privilege credentials for source access.
* Avoid broad admin permissions when migration-specific permissions are sufficient.
* Rotate temporary migration credentials after the migration window closes.

## CLI Reference

For command-level usage and flags, use the Automatic Migration CLI reference:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ For Kubernetes proactive cache sizing guidance, see [Gateway Best Practices: Res
To manage cache runtime settings from Gateway Configuration Manager:

1. Open `https://<your-gateway-url>:8000/console`.
2. Go to **Gateways** > **Your Gateway** > **Manage Gateway** > **Caching Configuration**.
2. Go to **Gateways**, then **Your Gateway**, then **Manage Gateway**, then **Caching Configuration**.
3. Configure cache and proactive cache options.
4. Save changes.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ Do not use proactive caching when:

| Deployment option | How to configure |
| --- | --- |
| Gateway Console | In the Gateway UI, go to **Manage Gateway** > **Caching** and turn on the **Enable Proactive Caching** toggle. (Requires **Enable Caching** to be on first.) |
| Gateway Console | In the Gateway UI, go to **Manage Gateway**, then **Caching** and turn on the **Enable Proactive Caching** toggle. (Requires **Enable Caching** to be on first.) |
| [Kubernetes (Helm)](https://docs.akeyless.io/docs/gateway-deploy-kubernetes-helm) | Set environment variables under `globalConfig.env` in `values.yaml` and [apply a Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/). |
| [Standalone Docker](https://docs.akeyless.io/docs/gateway-deploy-standalone-docker) | Set proactive cache environment variables in container runtime configuration. |
| [Docker Compose](https://docs.akeyless.io/docs/gateway-deploy-docker-compose) | Set the same environment variables in the compose service definition and redeploy. |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ Use the following deployment-specific options to configure runtime caching:

| Deployment option | How to configure |
| --- | --- |
| Gateway Console | In the Gateway UI, go to **Manage Gateway** > **Caching** and turn on the **Enable Caching** toggle. |
| Gateway Console | In the Gateway UI, go to **Manage Gateway**, then **Caching** and turn on the **Enable Caching** toggle. |
| [Kubernetes (Helm)](https://docs.akeyless.io/docs/gateway-deploy-kubernetes-helm) | Set runtime behavior keys under `globalConfig.env` in `values.yaml` (for example `CACHE_ENABLE`, `PREFER_CLUSTER_CACHE_FIRST`) and [apply a Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/). Set `IGNORE_REDIS_HEALTH` separately when you want to change health-check behavior. |
| [Standalone Docker](https://docs.akeyless.io/docs/gateway-deploy-standalone-docker) | Set cache-related environment variables (for example `CACHE_ENABLE`, `PREFER_CLUSTER_CACHE_FIRST`) in container runtime configuration. |
| [Docker Compose](https://docs.akeyless.io/docs/gateway-deploy-docker-compose) | Set the same cache-related environment variables in the compose service definition and redeploy. |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -78,4 +78,4 @@ To remove certificates from your gateway using the UI, follow these steps:

2. Go to **Certificate Store**.

3. Choose the certificate you wish to remove and select the **Action Menu** > **Delete**.
3. Choose the certificate you wish to remove and select the **Action Menu**, then **Delete**.
Original file line number Diff line number Diff line change
Expand Up @@ -187,7 +187,7 @@ Find more information about the available Terraform [configuration files](https:
The **Serverless Gateway** version can be updated to different versions based on your preferences, follow these steps to update the Gateway:

* Enter the [Serverless Gateway](https://github.com/akeyless-community/akeyless-serverless-gateway) repo in **GitHub**
* Go to **Lambda Docker Image Configuration** > **Selecting a Different Version**
* Go to **Lambda Docker Image Configuration**, then **Selecting a Different Version**
* [View available versions](https://gallery.ecr.aws/akeyless/serverless-gateway)
* In `variables.tf` file, change the field `image-tag` to the version you desire
* Run `terraform apply`
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -47,12 +47,12 @@ Use the following mapping when translating Console fields to CLI flags:

## Setting a Certificate Discovery in the Akeyless Console

1. Log in to the Akeyless Console, and go to **Discovery & Migration** > **New** > **Certificate Discovery**.
1. Log in to the Akeyless Console, and go to **Discovery & Migration**, then **New**, then **Certificate Discovery**.
2. Define a Name for the certificate discovery, and specify the **Target Location** as a path to the virtual folder where you want the scanned certificates to be saved in. If the folder does not exist, it will be created together with the scanned certificates.
3. Add the **Sources** of the scan, such as: **IPs**, **CIDR ranges**, or **DNS names**
4. Add the relevant ports, the default value is `443`.
5. Press **Finish**.

## Run the Certificate Discovery

To run the discovery, select the discovery item and choose **Action Menu** > **Start Scan**. If the scan completes successfully, a new folder will appear under **Items** containing all the certificates that were found.
To run the discovery, select the discovery item and choose **Action Menu**, then **Start Scan**. If the scan completes successfully, a new folder will appear under **Items** containing all the certificates that were found.
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ All of the parameters from the creation command will also apply here.

## Managing a Certificate in the Console

1. Select **Items** > **New** > **Certificate**.
1. Select **Items**, then **New**, then **Certificate**.

2. Basic Configuration (fill in the following parameters):

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,15 @@ With context:
* `Monospace`: For commands, code, filenames, configuration keys.
* Avoid underlines (can be confused with hyperlinks).

### UI Navigation Paths

Write out navigation steps using words. Use bold for UI element names and "then" between steps. Do not use `>` as a navigation separator.

* **Correct**: go to **Account Settings**, then **Key Management**
* **Incorrect**: go to **Account Settings** > **Key Management**

This applies to all UIs, including third-party consoles such as the AWS Console, Azure Portal, and GitHub.

## Terminology

* Capitalize proper nouns and feature names (For example, Akeyless MCP Server).
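Review bot: The new **UI Navigation Paths** rule and its two examples cover only the separator between path elements, not how the final action is joined to the path, and lines changed elsewhere in this PR end paths three different ways: "then **Rotated Secret**, then select **AWS**", "then **Universal Secret Connector**, and choose **AWS**", and "then **Caching** and turn on". Add one example that ends in an action so the pattern is settled, then align those lines with it.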
Expand Down
2 changes: 1 addition & 1 deletion docs/Encryption & KMS/classic-keys/create-a-classic-key.md
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ The full list of options for this command is:

You can create a classic key using the Akeyless Gateway. If you’d prefer, see how to do this from the [Akeyless CLI](https://docs.akeyless.io/docs/create-a-classic-key#create-a-classic-key-from-the-cli) instead.

1. In the Akeyless Gateway UI, select **Classic Keys** > **New**.
1. In the Akeyless Gateway UI, select **Classic Keys**, then **New**.

2. Define the following:
* **Name:** The name of the classic key.
Expand Down
2 changes: 1 addition & 1 deletion docs/Encryption & KMS/classic-keys/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@ Additional parameters can be found in the [CLI Reference](https://docs.akeyless.

### Creating a Classic Key

1. In the Akeyless Console, select **Items** > **New** > **Encryption Key** > **Classic**.
1. In the Akeyless Console, select **Items**, then **New**, then **Encryption Key**, then **Classic**.

2. Define the following:

Expand Down