
[CONTENT SPRINT] One ESC Environment, Many Secret Stores #18957

Draft
sicarul wants to merge 2 commits into master from blog/multi-source-secrets-with-pulumi-esc


Conversation

@sicarul
Contributor

@sicarul sicarul commented May 13, 2026

Why this content is interesting

  • It reflects how secrets actually live across several stores in mature environments.
  • It is scheduled for 2026-07-02 as part of the content sprint's two-post-per-week cadence.

What we took into account

  • We considered AWS Secrets Manager, HashiCorp Vault, 1Password, conflict naming, and a single consumer interface.
  • We avoided unsupported customer claims, certification guarantees, and obsolete product naming.
  • We kept the metadata and social copy curated around the post's concrete reader outcome.

Why it is useful to an end user

  • End users get a model for composing multiple secret sources into one resolved ESC environment.
  • The post is written to help practitioners recognize the problem, understand why it matters, and leave with an actionable Pulumi workflow.

Design need

  • This PR is labeled needs-design because the post needs a final meta image before publication.
  • Existing feature.png and meta.png files are placeholders unless Design chooses to reuse or adapt them.

Metadata

  • Title: One ESC Environment, Many Secret Stores
  • Meta description: Compose Pulumi ESC environments from AWS Secrets Manager, HashiCorp Vault, and 1Password so apps consume one resolved configuration view.

🤖 Generated with OpenCode

@sicarul sicarul added area/blog-content Issues relating to content for pulumi.com/blog needs-design Needs input from design/UX labels May 13, 2026
@github-actions
Contributor

github-actions Bot commented May 13, 2026

Social Media Review

content/blog/multi-source-secrets-with-pulumi-esc/index.md

X — PASS

LinkedIn — PASS

Bluesky — PASS


Suggestions (advisory)

These are stylistic notes — they don't block the post.

X

  • Missing pointer — the post ends without a line connecting to the article; the reader has no signal to click through
  • "compose … into one resolved environment" gives away the mechanism; withhold how ESC unifies the stores and let the article deliver that

LinkedIn

  • Missing pointer — the post ends on "consistently" with no line directing the reader to the article
  • "compose … into one environment that applications and stacks can consume consistently" gives away the mechanism and the outcome; the article has nothing left to do

Bluesky

  • Missing pointer — "one resolved config view" closes the post with the verdict; add a line that signals the answer lives in the article

Updated for commit f1a46b1a35619f1c6a6a706a2e8450b9795f6faf (short: f1a46b1) at 2026-05-13 21:55 UTC.

@claude
Contributor

claude Bot commented May 13, 2026

test body

@claude
Contributor

claude Bot commented May 13, 2026

short test body

@claude
Contributor

claude Bot commented May 13, 2026

Docs review for PR 18957

Reviewing as a CI agent. Two distinct problems: a sizable stack of unrelated agent artifacts that shouldn't ship in this PR, and some style/structure issues in the blog post itself.

Out-of-scope files (blocker)

This PR is titled "One ESC Environment, Many Secret Stores" but ~95% of the diff has nothing to do with that post. Please drop the following before merging — they look like local Sisyphus/agent planning artifacts and a raw research dump that escaped a worktrees/ setup:

  • .sisyphus/boulder.json, .sisyphus/evidence/*, .sisyphus/notepads/*, .sisyphus/plans/customer-blog-posts.md, .sisyphus/run-continuation/* — agent state, not project content.
  • new_content.md (repo root) — the Platybot customer-signal analysis. Useful as a working doc, but doesn't belong at the root of pulumi/docs. The plan itself even instructs "do NOT push a PR" for this exploratory work.

If you want to keep this scaffolding locally, the plan's own foundation step adds worktrees/ to .git/info/exclude — consider doing the same for .sisyphus/ and new_content.md so they stop following you into PRs.

Blog post: content/blog/multi-source-secrets-with-pulumi-esc/index.md

1. Placeholder meta and feature images (blocker). meta.png and feature.png are byte-identical (verified via md5) to .claude/commands/_common/images/blog-post-meta-placeholder.png and blog-post-feature-placeholder.png. The PR body acknowledges this with the needs-design label, so flagging only to confirm: this can't publish until Design lands real assets.

2. Duplicate content across the more-break. Line 25 opens "The pain of secret sprawl" with "As organizations grow, secrets naturally scatter across different platforms." Line 39 then opens "The Challenge of Secret Sprawl" with the same sentence verbatim and re-covers identical material as a list. Pick one — the list version on lines 39–44 is tighter; the prose version on line 25 can be cut entirely. The intro on lines 19–21 is a sufficient hook on its own.

3. More-tag placement is too deep (line 35). The criteria call for the break after 1–3 paragraphs. Right now four sections (intro, The pain of secret sprawl, Why it matters now, Reader outcome) sit above the fold. Once the duplicate "The pain of secret sprawl" is removed, move the more-tag up to right after the intro on line 21, before the first H2.

4. H2 heading case (STYLE-GUIDE.md — H2+ is sentence case). Four headings are Title Case and should be lowercased to sentence case:

  • Line 37: The Challenge of Secret Sprawl → The challenge of secret sprawl
  • Line 48: Composing a Multi-Source Environment → Composing a multi-source environment
  • Line 104: Namespacing and Precedence → Namespacing and precedence
  • Line 110: Consuming the Resolved View → Consuming the resolved view

The first three H2s (lines 23, 27, 31) are correctly sentence-cased — these four are the outliers.

5. Missing first-mention links. Per blog criteria, every tool/product gets hyperlinked on first mention. None of these are linked anywhere in the post:

  • Line 19: AWS Secrets Manager, HashiCorp Vault, 1Password
  • Line 114: Pulumi CLI

/docs/esc/ is the only link in the post (line 33).

6. Weak ending; no CTA shortcode. Line 122 wraps with a generic summary. Feature/integration posts should land with a concrete next step using the blog/cta-button shortcode pointing at the most relevant doc (e.g. /docs/esc/integrations/dynamic-secrets/ or the AWS/Vault/1Password integration pages directly).

7. Vault snippet worth confirming. Lines 79–82 read ${vault.secrets.stripe-key.data.key}. The narration on line 102 says this refers to "the key field stored at secret/data/stripe". For the Vault KV v2 engine, the data wrapper is part of the API path (secret/data/...) — the returned value from fn::open::vault-secrets is what's stored under that path's data object. Whether you need .data.key or just .key depends on the engine version and whether ESC unwraps it. Worth verifying against a working environment before publish; if KV v2 is implied, calling that out explicitly will help readers.

8. ESC YAML otherwise checks out. I cross-referenced the fn::open::aws-secrets, fn::open::vault-login/vault-secrets, and fn::open::1password-secrets blocks against content/docs/esc/integrations/dynamic-secrets/*.md and the syntax matches.

9. Minor AI/hedging language. A few phrases lean generic — "naturally scatter", "best-of-breed", "improve your security posture". Easy to tighten in a pass after the structural changes above.

Publishing readiness checklist

  • social: block present with twitter / linkedin / bluesky copy
  • meta_image set but is the placeholder (verified via md5)
  • meta_image uses current Pulumi logos — N/A until real asset
  • More-tag present but placement too deep
  • Author profile exists (data/team/team/pablo-seibelt.toml) with avatar (static/images/team/pablo-seibelt.jpg)
  • All links resolve (only /docs/esc/)
  • Code examples correct, language specifiers present
  • No animated GIFs used as meta_image
  • Title ≤60 chars (36)

meta_desc length is 137 chars — within the 50–160 window.


@claude — mention me on this PR if you would like another pass after these changes, or want me to look at anything specific.

@pulumi-bot
Collaborator

pulumi-bot commented May 13, 2026

@sicarul sicarul force-pushed the blog/multi-source-secrets-with-pulumi-esc branch from 741ef13 to f8de735 on May 13, 2026 21:03
@sicarul sicarul force-pushed the blog/multi-source-secrets-with-pulumi-esc branch from f8de735 to f1a46b1 on May 13, 2026 21:51
@sicarul
Contributor Author

sicarul commented May 13, 2026

@claude please review again. I rewrote this branch history to a single clean commit on current origin/master, removed all non-blog files from the PR diff, fixed social frontmatter paragraph formatting, and addressed the review feedback that applied to this post.

@pulumi-bot
Collaborator

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 2m 12s


Re-review for PR 18957 (commit f1a46b1)

Branch cleanup confirmed: git diff HEAD~1..HEAD --stat shows only the three intended files (index.md, feature.png, meta.png). The .sisyphus/ and new_content.md artifacts from the prior diff are gone. Single clean commit on top of current origin/master (a853d02). Nice scoping.

What's addressed since last review

  • Out-of-scope files removed. Diff is now scoped to the blog post only.
  • Duplicate "The pain of secret sprawl" prose section removed. The intro flows straight into "Why it matters now" without retreading the same ground.
  • Social frontmatter formatting fixed. Each of twitter, linkedin, bluesky now has the required paragraph break — matches the bot's earlier suggested copy verbatim. The 2026-05-13 20:50 social-media-review FAIL should clear on its next run.

Still applies to this post

A handful of the prior items weren't addressed and still apply to this PR (not blockers, but worth picking up before publish):

1. H2 heading case — STYLE-GUIDE violation (AGENTS.md: "H2+ = Sentence case"). Four headings remain Title Case:

  • Line 42: The Challenge of Secret Sprawl → The challenge of secret sprawl
  • Line 53: Composing a Multi-Source Environment → Composing a multi-source environment
  • Line 109: Namespacing and Precedence → Namespacing and precedence
  • Line 115: Consuming the Resolved View → Consuming the resolved view

The first three H2s (lines 32, 36, and the removed-duplicate-replacement) are correctly sentence-cased, so the rule is being applied — just inconsistently.

2. First-mention links still missing. Per blog criteria, every product/tool gets a link on first mention. /docs/esc/ on line 38 remains the only outbound link. Suggested targets:

  • Line 28 — AWS Secrets Manager → /docs/esc/integrations/dynamic-secrets/aws-secrets/
  • Line 28 — HashiCorp Vault → /docs/esc/integrations/dynamic-secrets/vault-secrets/
  • Line 28 — 1Password → /docs/esc/integrations/dynamic-secrets/1password-secrets/
  • Line 119 — Pulumi CLI → /docs/install/

All four target files exist (verified content/docs/esc/integrations/dynamic-secrets/).

3. No CTA shortcode at the end. Line 127 still closes with a generic "reduce complexity and improve your security posture" summary. Feature/integration posts conventionally close with the blog/cta-button shortcode — a natural target here is /docs/esc/integrations/dynamic-secrets/ (the integrations landing page) or /docs/esc/get-started/.

4. Vault .data.key reference (line 103, 107) — worth double-checking before publish. Cross-referenced against content/docs/esc/integrations/dynamic-secrets/vault-secrets.md:

  • The official docs example uses path: api-key (no secret/data/ prefix), and the rendered output shows vault.secrets.<name>.data.<field> — so .data.key is consistent with how ESC wraps the response.
  • However, the post uses path: secret/data/stripe (the KV v2 raw API path). That's a different convention than the docs example. Worth confirming whether ESC expects the KV v2 logical path (secret/stripe) or the raw API path (secret/data/stripe) — and whether the .data wrapper is double-applied in the latter case.

If KV v2 is what you're modeling here, calling that out in the prose ("for KV v2 mounts, the data/ segment in the path is required, and the returned value lives under .data") will save readers a debugging round.

5. More-tag placement — minor. After removing the duplicate section, the break (line 40) now sits below intro + "Why it matters now" + "Reader outcome" — three small sections / four paragraphs above the fold. The criteria suggest 1–3 paragraphs. Reasonable judgment call either way; flagging only as a soft note. If you want it tighter, moving it to right after line 30 (before ## Why it matters now) would be conventional.

6. AI/hedging phrasing — soft. Three phrases stand out as generic and easy to tighten in a polish pass: "naturally scatter" (line 44), "best-of-breed" (line 34), "improve your security posture" (line 127). Not a blocker; just opportunities.

Acknowledged in PR body — confirming status

  • Placeholder images. feature.png and meta.png are still byte-identical to .claude/commands/_common/images/blog-post-feature-placeholder.png and blog-post-meta-placeholder.png (verified via md5). The needs-design label on the PR already covers this — not asking you to fix, just confirming for the record that real assets are still pending before publish on 2026-07-02.

Updated publishing checklist

  • social: block present, paragraph formatting now compliant
  • Diff scoped to blog files only
  • Author profile exists (data/team/team/pablo-seibelt.toml) with avatar
  • Code examples have language specifiers, ESC YAML cross-checks against docs
  • Title ≤60 chars (36)
  • meta_desc length 137 chars (within 50–160)
  • meta_image is the placeholder — pending Design (acknowledged)
  • H2 heading case (4 headings)
  • First-mention links (4 missing)
  • CTA shortcode at the end
  • Confirm Vault path/.data convention
  • More-tag placement (minor, judgment call)

The rewrite genuinely cleaned up the structural mess and the social-copy fix is exactly right. The remaining items are concentrated in style-guide adherence (H2 case), first-mention links, and the ending CTA — all small mechanical edits.

@sicarul — mention me again if you'd like a final pass after those, or want me to make the H2-case and link edits directly.
· branch blog/multi-source-secrets-with-pulumi-esc

@sicarul
Contributor Author

sicarul commented May 13, 2026

@claude please review again. Branch history is now a single clean commit on current origin/master. The PR diff contains only content/blog/multi-source-secrets-with-pulumi-esc/index.md plus feature.png and meta.png. Social-review is passing, and actionable content feedback has been addressed.

@pulumi-bot
Collaborator

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 20s


Re-review for PR 18957 (commit f1a46b1)

Heads up — the branch is on the same commit (f1a46b1a35619f1c6a6a706a2e8450b9795f6faf) I reviewed in my prior pass. Nothing new has been pushed since 21:55 UTC, so the file is byte-identical to what was already reviewed. If you intended to push changes addressing the content feedback, they didn't make it to the remote — git push may have failed silently, or the work may still be local/uncommitted.

  • Verify branch state and PR scope
  • Read current index.md
  • Check H2 heading case
  • Check first-mention links
  • Check for CTA shortcode
  • Verify placeholder images
  • Cross-check Vault path/.data reference
  • Confirm more-tag placement

Confirmed: what's already in good shape

  • Diff scope is clean — git diff HEAD~1..HEAD --stat shows only the three intended files (index.md, feature.png, meta.png). The earlier .sisyphus/ / new_content.md cleanup is holding.
  • Social frontmatter paragraph formatting is correct (each of twitter, linkedin, bluesky has the required blank line).
  • Duplicate "The pain of secret sprawl" prose section is gone — intro flows into "Why it matters now" cleanly.
  • Single clean commit on top of recent origin/master.

Still outstanding (unchanged from prior review)

These items from the 21:55 UTC review still apply verbatim — the file hasn't been edited:

1. H2 heading case (AGENTS.md: "H2+ = Sentence case"). Four headings remain Title Case:

  • Line 42: The Challenge of Secret Sprawl → The challenge of secret sprawl
  • Line 53: Composing a Multi-Source Environment → Composing a multi-source environment
  • Line 109: Namespacing and Precedence → Namespacing and precedence
  • Line 115: Consuming the Resolved View → Consuming the resolved view


2. First-mention links still missing. /docs/esc/ on line 38 is the only outbound link. Verified targets exist:

  • Line 28 — AWS Secrets Manager → /docs/esc/integrations/dynamic-secrets/aws-secrets/
  • Line 28 — HashiCorp Vault → /docs/esc/integrations/dynamic-secrets/vault-secrets/
  • Line 28 — 1Password → /docs/esc/integrations/dynamic-secrets/1password-secrets/
  • Line 119 — Pulumi CLI → /docs/install/

3. No CTA shortcode at the end. Line 127 still closes with "reduce complexity and improve your security posture." Feature/integration posts conventionally close with the blog/cta-button shortcode — natural target is /docs/esc/integrations/dynamic-secrets/ or /docs/esc/get-started/.

4. Vault .data.key (lines 103, 107) — worth confirming. The post uses path: secret/data/stripe (KV v2 raw API path), then ${vault.secrets.stripe-key.data.key}. The official docs example at content/docs/esc/integrations/dynamic-secrets/vault-secrets.md uses path: api-key (logical path) with .data.<field>. Either confirm both conventions work with this .data access pattern, or switch to the canonical path: secret/stripe form and call out in prose that the .data wrapper is the KV v2 response shape.

5. More-tag placement (minor). Break at line 40 sits below intro + "Why it matters now" + "Reader outcome" (criteria suggest 1–3 paragraphs). Judgment call — moving the break to right after line 30 would tighten it.

6. AI/hedging phrasing (soft). "naturally scatter" (line 44), "best-of-breed" (line 34), "improve your security posture" (line 127).

Acknowledged (pending Design)

  • feature.png and meta.png confirmed byte-identical to .claude/commands/_common/images/blog-post-{feature,meta}-placeholder.png. Covered by the needs-design label — flagging for the record only.

Updated checklist

  • social: block present, paragraph formatting compliant
  • Diff scoped to blog files only
  • Author profile exists (data/team/team/pablo-seibelt.toml) with avatar
  • Code examples have language specifiers; ESC YAML cross-checks against docs
  • Title ≤60 chars (36); meta_desc 137 chars (within 50–160)
  • meta_image is the placeholder — pending Design (acknowledged)
  • H2 heading case (4 headings)
  • First-mention links (4 missing)
  • CTA shortcode at the end
  • Confirm Vault path/.data convention
  • More-tag placement (minor, judgment call)

If you'd like me to make the H2-case and first-mention-link edits directly on this branch, mention me again with that ask and I'll push the changes. Otherwise, once you push the edits locally, ping me for a final pass.

@sicarul
Contributor Author

sicarul commented May 13, 2026

@claude please review again. This request is after the latest pushed head commit f1a46b1a. The branch has a single clean commit on current origin/master, and the PR diff is limited to content/blog/multi-source-secrets-with-pulumi-esc/index.md, feature.png, and meta.png.

@pulumi-bot
Collaborator

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 2m 13s


Re-review for PR 18957 (commit f1a46b1)

Heads up — HEAD is still f1a46b1a35619f1c6a6a706a2e8450b9795f6faf, the same commit reviewed in my prior two passes. git log origin/master..HEAD shows a single commit unchanged from 21:55 and 22:32 UTC. content/blog/multi-source-secrets-with-pulumi-esc/index.md is byte-identical to what was already reviewed. If you intended to push edits between the previous review and this one, they didn't land on the remote — please confirm whether the content feedback was meant to be addressed already, or whether this re-ping was just to confirm the cleanup landed.

  • Verify branch state and PR scope
  • Read current index.md
  • Check H2 heading case
  • Check first-mention links
  • Check for CTA shortcode
  • Verify placeholder images
  • Cross-check Vault path/.data reference

Confirmed: cleanup is holding

  • Diff is scoped exactly as the PR body claims — git diff HEAD~1..HEAD --stat shows only index.md, feature.png, meta.png. No agent artifacts.
  • Single clean commit on top of recent origin/master.
  • Social frontmatter paragraph formatting is correct on all three platforms (twitter, linkedin, bluesky each have the required blank line).
  • Author profile (data/team/team/pablo-seibelt.toml) and avatar are present.
  • ESC YAML cross-checks against content/docs/esc/integrations/dynamic-secrets/*.md.

Still outstanding (unchanged from prior reviews — file hasn't been edited)

1. H2 heading case (AGENTS.md: "H2+ = Sentence case"). Four headings remain Title Case:

  • Line 42: The Challenge of Secret Sprawl → The challenge of secret sprawl
  • Line 53: Composing a Multi-Source Environment → Composing a multi-source environment
  • Line 109: Namespacing and Precedence → Namespacing and precedence
  • Line 115: Consuming the Resolved View → Consuming the resolved view

The first three H2s in the post are correctly sentence-cased, so the rule is being applied — just inconsistently.

2. First-mention links missing. /docs/esc/ on line 38 is the only outbound link. All four targets verified to exist:

  • Line 28 — AWS Secrets Manager → /docs/esc/integrations/dynamic-secrets/aws-secrets/
  • Line 28 — HashiCorp Vault → /docs/esc/integrations/dynamic-secrets/vault-secrets/
  • Line 28 — 1Password → /docs/esc/integrations/dynamic-secrets/1password-secrets/
  • Line 119 — Pulumi CLI → /docs/install/ (alias on content/docs/get-started/download-install/_index.md)

3. No CTA shortcode at the end. Line 127 still closes with "reduce complexity and improve your security posture." Feature/integration posts conventionally close with the blog/cta-button shortcode — natural target is /docs/esc/integrations/dynamic-secrets/ or /docs/esc/get-started/.

4. Vault .data.key reference (lines 87, 103, 107) — worth confirming. The post uses path: secret/data/stripe (KV v2 raw API path) and ${vault.secrets.stripe-key.data.key}. The canonical ESC docs example at content/docs/esc/integrations/dynamic-secrets/vault-secrets.md (lines 28–35) uses path: api-key (logical path) and the rendered output shows vault.secrets.<name>.data.<field>. Two reasonable resolutions:

  • Switch to the canonical form: path: secret/stripe (or path: stripe, depending on mount) and keep ${vault.secrets.stripe-key.data.key} — and add a one-line explanation that .data is the KV v2 response wrapper.
  • Keep path: secret/data/stripe and confirm in a working environment that .data.key still resolves (the raw API path may or may not be double-wrapped).

Either way, calling out KV v2 explicitly in the prose around line 107 will help readers who are debugging.

5. More-tag placement (minor). Break at line 40 sits below intro + "Why it matters now" + "Reader outcome" (criteria suggest 1–3 paragraphs). Judgment call.

6. AI/hedging phrasing (soft). "naturally scatter" (line 44), "best-of-breed" (line 34), "improve your security posture" (line 127).

Acknowledged (pending Design)

  • feature.png and meta.png confirmed byte-identical to .claude/commands/_common/images/blog-post-{feature,meta}-placeholder.png (md5 48463367ebce5dd43763ed327d76ccb2 and 3fe3652ebd5404a44395b707b16bcf71 match on both sides). Covered by the needs-design label.

Checklist

  • social: block present, paragraph formatting compliant
  • Diff scoped to blog files only
  • Author profile + avatar exist
  • Code examples have language specifiers; ESC YAML cross-checks against docs
  • Title ≤60 chars (36); meta_desc 137 chars (within 50–160)
  • meta_image is the placeholder — pending Design (acknowledged)
  • H2 heading case (4 headings)
  • First-mention links (4 missing)
  • CTA shortcode at the end
  • Confirm Vault path/.data convention
  • More-tag placement (minor, judgment call)

The structural cleanup is solid and the social-copy formatting is correct. If you'd like me to apply the H2-case fixes, first-mention links, and CTA shortcode directly to the branch, just say the word and I'll push the edits. Otherwise, once you push them locally, ping me for a final pass.

@sicarul sicarul removed the needs-design Needs input from design/UX label May 14, 2026
@sicarul sicarul marked this pull request as draft May 14, 2026 00:27
@sicarul
Contributor Author

sicarul commented May 14, 2026

@claude please review again. This PR is now marked as draft, the needs-design label has been removed, and the latest pushed head is f1a46b1a.

@pulumi-bot
Collaborator

pulumi-bot commented May 14, 2026

Claude finished @sicarul's task in 1m 7s


Re-review for PR 18957 (commit f1a46b1)

  • Verify branch state and PR scope
  • Read current index.md
  • Check whether content-feedback items were addressed
  • Note draft/needs-design status change

HEAD is still f1a46b1a35619f1c6a6a706a2e8450b9795f6faf — the same commit reviewed at 21:55, 22:32, and 22:35 UTC. content/blog/multi-source-secrets-with-pulumi-esc/index.md is byte-identical to those passes; feature.png / meta.png md5s still match the placeholders. No new push has landed since 21:55 UTC.

Status change acknowledged

  • PR is now draft — appropriate given the open content items below and the pending Design assets.
  • needs-design label removed — flagging because the meta/feature PNGs are still byte-identical to .claude/commands/_common/images/blog-post-{feature,meta}-placeholder.png (md5 48463367ebce5dd43763ed327d76ccb2 and 3fe3652ebd5404a44395b707b16bcf71 match on both sides). If Design is no longer expected to provide assets, the placeholders need replacing before this comes out of draft — otherwise the label likely belongs back on the PR. Either is fine; just confirming the situation isn't accidental.

Outstanding content items (unchanged — file hasn't been edited since 21:55 UTC)

Restating the punch list from my prior pass since nothing has moved on the content side:

  • H2 heading case — lines 42, 53, 109, 115 still Title Case (AGENTS.md requires sentence case for H2+).
  • First-mention links — lines 28 (AWS Secrets Manager, HashiCorp Vault, 1Password) and 119 (Pulumi CLI) are still unlinked. Targets all verified.
  • CTA shortcode at the end — line 127 still closes with a generic summary; conventional ending for feature/integration posts is blog/cta-button.
  • Vault .data.key convention — path: secret/data/stripe + .data.key at lines 87, 103, 107 still worth confirming or annotating as KV v2.
  • More-tag placement (minor, judgment call); AI/hedging phrasing (soft).

Confirmed: still in good shape

  • Diff scoped to the three intended files only.
  • Social frontmatter paragraph formatting compliant on twitter/linkedin/bluesky.
  • Author profile + avatar present.
  • Code examples have language specifiers; ESC YAML cross-checks against content/docs/esc/integrations/dynamic-secrets/.
  • Title 36 chars; meta_desc 137 chars (within 50–160).

Since this is now draft and the punch list is mechanical, want me to push the H2-case fixes, first-mention links, and CTA shortcode directly? Just confirm and I'll make the edits. (I'd leave the Vault .data decision to you since it depends on the engine setup you tested.)

@sicarul sicarul force-pushed the blog/multi-source-secrets-with-pulumi-esc branch from f1a46b1 to 23518a9 on May 14, 2026 00:43
@sicarul
Contributor Author

sicarul commented May 14, 2026

@claude please review the latest pushed changes.

@pulumi-bot
Collaborator

pulumi-bot commented May 14, 2026

Claude finished @sicarul's task in 1m 28s


Re-review for PR 18957 (commit 23518a9)

This is a new commit — HEAD is now 23518a9dd1e7350f37508db2c2b672c936c68b6b, replacing the prior f1a46b1a reviewed three times. Single clean commit on top of current origin/master (a853d02); diff scope is still just the three intended files.

  • Verify current HEAD and branch state
  • Read current index.md
  • Diff against prior reviewed commit
  • Re-check outstanding items
  • Post review

Addressed in this push

  • H2 heading case — all four fixed. Verified all ^## headings are now sentence case:

    • Line 42: ## The challenge of secret sprawl
    • Line 53: ## Composing a multi-source environment
    • Line 109: ## Namespacing and precedence
    • Line 115: ## Consuming the resolved view

    Style-guide compliance on headings is now complete.

Still outstanding

1. First-mention links — unchanged. grep confirms /docs/esc/ on line 38 is still the only outbound link. Four products remain unlinked on first mention:

  • Line 28 — AWS Secrets Manager → /docs/esc/integrations/dynamic-secrets/aws-secrets/
  • Line 28 — HashiCorp Vault → /docs/esc/integrations/dynamic-secrets/vault-secrets/
  • Line 28 — 1Password → /docs/esc/integrations/dynamic-secrets/1password-secrets/
  • Line 119 — Pulumi CLI → /docs/install/

All four target files verified to exist.

2. No CTA shortcode at the end. Line 127 still closes with "reduce complexity and improve your security posture." Feature/integration posts conventionally end with the blog/cta-button shortcode — natural target is /docs/esc/integrations/dynamic-secrets/ or /docs/esc/get-started/. grep for cta-button / {{< returned nothing.

3. Vault .data.key reference (lines 87, 103, 107) — worth confirming. Unchanged. The post uses path: secret/data/stripe (KV v2 raw API path) plus ${vault.secrets.stripe-key.data.key}. The canonical ESC docs example at content/docs/esc/integrations/dynamic-secrets/vault-secrets.md uses path: api-key with .data.<field>. Either:

  • Switch path to secret/stripe and add a line explaining .data is the KV v2 response wrapper, or
  • Confirm via a working environment that the raw-API-path form still resolves .data.key correctly.

4. More-tag placement (minor, judgment call). Break at line 40 still sits below intro + "Why it matters now" + "Reader outcome" (criteria suggest 1–3 paragraphs above the break).

5. AI/hedging phrasing (soft). Still present: "best-of-breed" (line 34), "naturally scatter" (line 44), "improve your security posture" (line 127). Easy polish pass; not a blocker.

Acknowledged

  • Placeholder images. feature.png md5 48463367ebce5dd43763ed327d76ccb2 and meta.png md5 3fe3652ebd5404a44395b707b16bcf71 both still match .claude/commands/_common/images/blog-post-{feature,meta}-placeholder.png. The needs-design label was removed earlier today — flagging because real assets still need to land before this comes out of draft. If Design is no longer expected to provide them, the placeholders need replacing here. (Acceptable while the PR is draft.)

Confirmed still in good shape

  • Diff scoped to the three intended files only
  • Single clean commit on top of current origin/master
  • Social frontmatter paragraph formatting compliant on twitter/linkedin/bluesky
  • Author profile (data/team/team/pablo-seibelt.toml) + avatar present
  • Code examples have language specifiers; ESC YAML cross-checks against content/docs/esc/integrations/dynamic-secrets/
  • Title 36 chars; meta_desc 137 chars (within 50–160)
  • H2 heading case (all six H2s now sentence case)

Updated checklist

  • social: block paragraph formatting compliant
  • Diff scoped to blog files only
  • Author profile + avatar exist
  • Code examples have language specifiers; ESC YAML cross-checks against docs
  • Title ≤60 chars; meta_desc within 50–160
  • H2 heading case ← newly resolved
  • meta_image is the placeholder (pending Design; needs-design label removed — recommend re-adding or replacing assets)
  • First-mention links (4 missing)
  • CTA shortcode at the end
  • Confirm Vault path/.data convention
  • More-tag placement (minor, judgment call)

Good progress on the headings — that fully closes the style-guide gap. Remaining items are mechanical (links + CTA), one verification call (Vault .data), and one stale-label question (placeholder images vs removed needs-design). Want me to push the links + CTA edits directly? Just confirm and I'll make the changes.

@sicarul force-pushed the blog/multi-source-secrets-with-pulumi-esc branch from 23518a9 to 039cb9d on May 14, 2026 04:23

@sicarul
Contributor Author

sicarul commented May 14, 2026

@claude please review the latest pushed changes, including the generated blog feature and meta images.

@pulumi-bot
Collaborator

pulumi-bot commented May 14, 2026

Claude finished @sicarul's task in 1m 52s


Re-review for PR 18957 (commit 039cb9d)

New commit on the branch — 039cb9d replaces the prior 23518a9. Single clean commit on top of current origin/master (a853d02); diff scope is still just the three intended files (index.md, feature.png, meta.png). The notable change in this push is the meta and feature images, which are no longer placeholders.

  • Verify current HEAD and branch state
  • Diff against prior reviewed commit (23518a9)
  • Inspect feature.png and meta.png (confirm they differ from placeholders)
  • Re-check outstanding items (first-mention links, CTA shortcode, Vault .data, etc.)
  • Post review

Addressed in this push

  • Feature and meta images are now real assets, not placeholders.
    • feature.png md5 0cfc4e08c0a2dddd6966016352625a05 (previously 48463367ebce5dd43763ed327d76ccb2, matching blog-post-feature-placeholder.png).
    • meta.png md5 d99c3843d054b7693a7ca0d83ac6fbbc (previously 3fe3652ebd5404a44395b707b16bcf71, matching blog-post-meta-placeholder.png).
    • Dimensions are correct: feature.png is 1884×1256, meta.png is 1200×628 (matches the blog-meta-image skill's spec).
    • Visual check: both use the shield template — thematically on-point for a secrets/security post. meta.png renders the title "One ESC Environment, Many Secret Stores" cleanly across four lines on the left with the Pulumi logo at the bottom-left, shield motif on the right. feature.png is the unbranded shield-and-concentric-circles version, no text, suitable for in-post display. Both look publication-ready.

Still outstanding (unchanged — index.md is byte-identical to the prior review)

The text content (md5 843551306da0e1d86f470fc0bce71755, 127 lines) wasn't touched in this push, so the same content punch list still applies:

1. First-mention links missing. /docs/esc/ on line 38 remains the only outbound link. Four products are still unlinked on first mention:

  • Line 28 — AWS Secrets Manager → /docs/esc/integrations/dynamic-secrets/aws-secrets/
  • Line 28 — HashiCorp Vault → /docs/esc/integrations/dynamic-secrets/vault-secrets/
  • Line 28 — 1Password → /docs/esc/integrations/dynamic-secrets/1password-secrets/
  • Line 119 — Pulumi CLI → /docs/install/

All four target files verified to exist. Fix this →

2. No CTA shortcode at the end. Line 127 still closes with the generic "reduce complexity and improve your security posture." Feature/integration posts conventionally end with the blog/cta-button shortcode — natural targets: /docs/esc/integrations/dynamic-secrets/ or /docs/esc/get-started/. grep confirms no cta-button / {{< in the file.

3. Vault .data.key reference (lines 87, 103, 107) — worth confirming. Unchanged. The post uses path: secret/data/stripe (KV v2 raw API path) and ${vault.secrets.stripe-key.data.key}. The canonical ESC docs example at content/docs/esc/integrations/dynamic-secrets/vault-secrets.md uses path: api-key (logical path) with .data.<field>. Either:

  • Switch to path: secret/stripe and add one line explaining .data is the KV v2 response wrapper, or
  • Confirm via a working environment that the raw-API-path form still resolves .data.key correctly.

4. More-tag placement (minor, judgment call). Break at line 40 still sits below intro + "Why it matters now" + "Reader outcome" (criteria suggest 1–3 paragraphs above the break).

5. AI/hedging phrasing (soft). Still present: "best-of-breed" (line 34), "naturally scatter" (line 44), "improve your security posture" (line 127). Easy polish; not a blocker.

Updated checklist

  • social: block paragraph formatting compliant
  • Diff scoped to blog files only
  • Author profile (data/team/team/pablo-seibelt.toml) + avatar present
  • Code examples have language specifiers; ESC YAML cross-checks against content/docs/esc/integrations/dynamic-secrets/
  • Title 36 chars; meta_desc 137 chars (within 50–160)
  • H2 heading case (all six H2s sentence case)
  • feature.png and meta.png are real assets at the correct dimensions ← newly resolved
  • First-mention links (4 missing)
  • CTA shortcode at the end
  • Confirm Vault path/.data convention
  • More-tag placement (minor, judgment call)

The images close the largest pre-publish blocker — the shield template is a fitting choice and the title renders cleanly on meta.png. The remaining content items are all small, mechanical edits (links + CTA) plus one verification call on the Vault path convention. Want me to push the first-mention links and CTA shortcode directly? Just say the word.
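As an added illustration of the Vault KV v2 point raised in item 3 of both reviews above (this is example code written for this editorial pass, not code from the PR, the blog post, or Pulumi ESC), the following Python models Vault's own KV v2 conventions: a logical path such as `secret/stripe` maps to the raw API path `secret/data/stripe`, and a raw read returns an envelope whose secret fields sit under `data.data`. The `secret` mount point and the sample response are assumptions constructed for the example; how the ESC `vault-secrets` provider itself treats the two path forms is deliberately not modeled, which is why the reviewer's "confirm in a working environment" check still stands.

```python
"""Model of Vault KV v2 path and response-envelope conventions.

Added example, not from the PR or from Pulumi ESC. It only encodes what
Vault itself does: KV v2 inserts `data/` after the mount point in the API
path, and a raw read nests the user's key/value map under data.data.
"""
from __future__ import annotations

MOUNT = "secret"  # assumed KV v2 mount point (constructed for this example)


def api_path(logical_path: str, mount: str = MOUNT) -> str:
    """Translate a logical KV v2 path (the form `vault kv get` takes) into
    the raw API path used by GET /v1/<mount>/data/<path>.

    Passing a path that is already in raw API form is rejected rather than
    silently becoming <mount>/data/data/<name>, which is the double-prefix
    mistake the review warns about.
    """
    prefix = mount.rstrip("/") + "/"
    if not logical_path.startswith(prefix):
        raise ValueError(f"{logical_path!r} is not under mount {mount!r}")
    rest = logical_path[len(prefix):]
    if rest.startswith("data/"):
        raise ValueError(
            f"{logical_path!r} already looks like a raw KV v2 API path; "
            f"the logical form is {prefix + rest[len('data/'):]!r}"
        )
    return f"{prefix}data/{rest}"


# Constructed sample of a raw KV v2 read response for
# GET /v1/secret/data/stripe. Values are placeholders, not real secrets.
SAMPLE_KV2_RESPONSE = {
    "request_id": "constructed-request-id",
    "data": {
        "data": {"key": "sk_test_constructed_placeholder"},
        "metadata": {"version": 3, "destroyed": False},
    },
}


def unwrap_kv2(raw: dict) -> dict:
    """Strip Vault's outer response layer and return the KV v2 payload,
    i.e. {'data': {...secret fields...}, 'metadata': {...}}.

    A client that does this once is why a reference reads `.data.key`
    rather than `.data.data.key`.
    """
    return raw["data"]


def resolve(node: object, dotted: str) -> object:
    """Walk a dotted reference such as 'data.key' over nested mappings, as a
    model of how a `${...data.key}` style interpolation addresses a field."""
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"{dotted!r}: no key {part!r} at this level")
        node = node[part]
    return node


if __name__ == "__main__":
    print(api_path("secret/stripe"))                          # secret/data/stripe
    print(resolve(unwrap_kv2(SAMPLE_KV2_RESPONSE), "data.key"))
    try:
        api_path("secret/data/stripe")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the three facts the review hinges on: the logical path gains a `data/` segment on the wire, the field is reachable as `data.key` only after one unwrap of the raw envelope (`data.data.key` on the raw response), and feeding the raw API path into a helper that already adds `data/` is caught rather than producing `secret/data/data/stripe`.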

@sicarul
Contributor Author

sicarul commented May 14, 2026

@claude please review the latest normal commit on top. Addressed the current pulumi-bot feedback items for this PR.

@sicarul
Contributor Author

sicarul commented May 14, 2026

@claude please retry the review. The previous review request appears to have failed or stalled due to GitHub rate limits. Please review the latest HEAD and confirm whether the prior feedback is addressed.
