[CONTENT SPRINT] Close the CVE-to-AMI Loop with Pulumi and Neo #18967

Draft
sicarul wants to merge 1 commit into master from blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo

Contributor

@sicarul sicarul commented May 13, 2026

Why this content is interesting

  • It turns CVE response into a closed operational loop instead of another ticket queue.
  • It is scheduled for 2026-05-26 as part of the content sprint's two-post-per-week cadence.

What we took into account

  • We considered Neo-assisted changes, Pulumi previews, policy gates, and audit evidence while avoiding claims of autonomous remediation.
  • We avoided unsupported customer claims, certification guarantees, and obsolete product naming.
  • We kept the metadata and social copy curated around the post's concrete reader outcome.

Why it is useful to an end user

  • End users get a repeatable AMI refresh lifecycle they can adapt for security operations.
  • The post is written to help practitioners recognize the problem, understand why it matters, and leave with an actionable Pulumi workflow.

Design need

  • This PR is labeled needs-design because the post needs a final meta image before publication.
  • Existing feature.png and meta.png files are placeholders unless Design chooses to reuse or adapt them.

Metadata

  • Title: Close the CVE-to-AMI Loop with Pulumi and Neo
  • Meta description: Design a CVE-driven AMI refresh lifecycle with Pulumi, Neo-assisted changes, policy gates, previews, deployments, and audit-ready evidence.

🤖 Generated with OpenCode

@sicarul added the area/blog-content (Issues relating to content for pulumi.com/blog) and needs-design (Needs input from design/UX) labels May 13, 2026
Contributor

github-actions Bot commented May 13, 2026

Social Media Review

content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/index.md

X — PASS

LinkedIn — PASS

Bluesky — PASS


Suggestions (advisory)

These are stylistic notes — they don't block the post.

X

  • Second paragraph names the full component list (Pulumi, Neo, previews, policy gates) — reader knows the article's scope before clicking; withhold one element to create a reason to read

LinkedIn

  • "This guide shows" is announcement framing — open with the problem or outcome instead
  • Second paragraph names every phase of the lifecycle (controlled change, assisted updates, policy gates, audit evidence) — summarizes the article's structure; withhold the mechanism or result to keep the curiosity gap open

Bluesky

  • "Learn more in the post" is a generic pointer — replace with a line that names what the reader will find (the specific mechanism or outcome the article reveals)
  • First paragraph is a component list (change control, Neo-assisted updates, previews, policy gates, evidence) — summarizes article structure without creating tension; drop one element or reframe as a question

Updated for commit a38a0724a8eacf58174632f44ff9e336d9c85813 (short: a38a072) at 2026-05-13 21:54 UTC.

Contributor

claude Bot commented May 13, 2026

Docs review — /docs-review

Thanks for the post, @sicarul — the content itself is well-structured and the CVE→AMI lifecycle is genuinely useful. However, the PR as currently committed cannot be merged as-is: it contains a lot of files that don't belong on master, and a couple of those are arguably sensitive. Flagging the blocking issues first, then content notes on the post.

🚨 Out-of-scope files (should be removed before merge)

The PR adds ~1,700 lines of agent/tooling artifacts and a planning doc that are unrelated to the blog post itself:

  1. .sisyphus/ directory (boulder.json, plans/customer-blog-posts.md, evidence/task-*.md, notepads/customer-blog-posts/*, run-continuation/ses_*.json) — this is local agent state from your workstation. It includes hardcoded paths like /Users/pabloseibelt/dev/docs/… and session IDs. Add .sisyphus/ to .gitignore and remove these files from the commit.
  2. new_content.md (repo root, 102 lines) — this is the original planning prompt and includes named customer signals (Moderna, Tivity Health, ZeroEyes, Dexcom, Fenergo, Moody's, Numerix, KeyShot, Southern Cross Health, Willis Towers Watson, ŌURA, Adyen), GitHub-reaction counts, and the internal call/GH analysis that produced this post. This looks like internal-only data and should not land in the public repo. Please delete it from the branch.
  3. theme/stencil/yarn.lock — removes a @types/uuid@^8.0.0 entry. This change is unrelated to the blog post and should not be bundled with it; the evidence files even mention "Restored theme/stencil/yarn.lock to clean state" as a QA step, so this looks like a leftover. Revert this file.

Once those are removed, the PR should be down to just content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/{index.md,feature.png,meta.png}.

Content notes — content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/index.md

Style-guide violations

  • Line 16 (social.linkedin): "AMI refreshes are easy to start and hard to close." — STYLE-GUIDE.md:32 says avoid "easy" or "simple." Suggested rewrite:

        linkedin: \"AMI refreshes are quick to start and hard to close. This guide shows a CVE-driven lifecycle that uses Pulumi for controlled change, Neo for assisted updates, policies for gates, and evidence for audit review.\"
    
  • Line 22: "Traditional approaches often involve manual spreadsheets…" — hedging language flagged in the blog review rubric. Drop the hedge:

    Traditional approaches involve manual spreadsheets or disconnected scanning tools that lack the context of your infrastructure code. Pulumi changes this by integrating security directly into the deployment lifecycle. By combining [Pulumi Insights](/docs/insights/), [Neo](/product/neo/), and [Pulumi Policies](/docs/insights/policy/), you can create a closed-loop system for AMI refreshes.
    
  • Line 149: "…use Pulumi Review Stacks to validate the changes…" — the official docs (content/docs/deployments/deployments/review-stacks.md) consistently use lowercase "review stacks." Same for "Auto Scaling Group" on line 151 — Pulumi docs treat "Auto Scaling group" / "ASG" as a generic noun; either is defensible, but "review stacks" should be lowercase.

Technical accuracy — please verify

  • Lines 39 & 45: The Insights queries use modified:<2026-04-13. The documented Insights search syntax (content/docs/insights/discovery/search.md:123-128) shows modified:2023-03-31, modified:[2023-01-01 to 2023-03-31], and modified:>=2023-01-01 — the strict-less-than operator (< without =) is not in the docs. Either confirm it works against a live Pulumi Cloud and add a note, or switch to a documented form, e.g.:

    (type:aws:ec2/launchTemplate:LaunchTemplate OR type:aws:ec2/instance:Instance) modified:[* to 2026-04-13]
    
  • Line 34: "Pulumi Cloud search" links to /product/pulumi-cloud/. The feature being referenced is Resource Search; consider linking directly to /docs/insights/discovery/search/ so readers land on the syntax page that the next two code blocks depend on.

Structure / CTA

  • Lines 159–161 (Conclusion): The closing is generic ("Security is a continuous process, not a destination."). The rubric calls for a specific next step. Consider ending with a {{< blog/cta-button >}} pointing at the Pulumi Insights or Neo getting-started page, or at least a concrete "try this with your own AMIs" pointer.

Publishing-readiness checklist

  • social: block present with twitter, linkedin, bluesky
  • meta_image set (meta.png, 1200×628, 138 KB) — not the placeholder
  • <!--more--> break present after intro (line 26)
  • Author pablo-seibelt exists in data/team/team/ with avatar at static/images/team/pablo-seibelt.jpg
  • Title length: 45 chars (≤60) ✓
  • Meta description length: 140 chars (50–160) ✓
  • All links resolve (/docs/insights/, /product/neo/, /docs/insights/policy/, /product/pulumi-cloud/)
  • Code examples have language specifiers (typescript, bash, text)
  • No em dashes detected
  • The PR description notes "meta image is a placeholder unless Design chooses to reuse or adapt them" — make sure the needs-design flow is resolved before the 2026-05-26 publish date.

Summary

The post itself is in good shape and just needs a handful of style/wording tweaks plus a stronger CTA. The blocker is the PR scope — please strip .sisyphus/, new_content.md, and the theme/stencil/yarn.lock change before merging. The new_content.md removal is the most important one, since it contains internal customer/account references that shouldn't ship publicly.

Mention @claude if you'd like another pass after the fixes.

Collaborator

pulumi-bot commented May 13, 2026

Lighthouse Performance Report

Commit: 336b9c5 | Metric definitions

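| Page | Device | Score | FCP | LCP | TBT | CLS | SI |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Homepage | Mobile | 🟡 57 | 3.0s | 3.0s | 1550ms | 0.019 | 6.8s |
| Homepage | Desktop | 🟢 95 | 0.8s | 1.1s | 25ms | 0.005 | 1.5s |
| Install Pulumi | Mobile | 🔴 34 | 5.2s | 7.1s | 306ms | 0.411 | 8.0s |
| Install Pulumi | Desktop | 🟡 77 | 1.3s | 2.3s | 21ms | 0.011 | 3.1s |
| AWS Get Started | Mobile | 🟡 56 | 5.1s | 7.4s | 279ms | 0.083 | 5.1s |
| AWS Get Started | Desktop | 🟡 82 | 1.3s | 1.8s | 21ms | 0.024 | 3.0s |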

@sicarul force-pushed the blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo branch from 336b9c5 to a7ec4e2 May 13, 2026 21:02
@sicarul force-pushed the blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo branch from a7ec4e2 to a38a072 May 13, 2026 21:51
Contributor Author

sicarul commented May 13, 2026

@claude please review again. I rewrote this branch history to a single clean commit on current origin/master, removed all non-blog files from the PR diff, fixed social frontmatter paragraph formatting, and addressed the review feedback that applied to this post.

Collaborator

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 41s


Docs re-review — /docs-review (post-cleanup)

Thanks for the rewrite, @sicarul — the scope cleanup is exactly what was needed. Confirming the PR is now in good shape, with a small handful of optional polish items remaining.

✅ Resolved from previous review

| Previous concern | Status |
| --- | --- |
| .sisyphus/ agent artifacts | Removed — PR now contains only the 3 blog files |
| new_content.md planning doc (internal customer signals) | Removed |
| theme/stencil/yarn.lock unrelated change | Reverted |
| Social copy single-paragraph FAIL (X / LinkedIn / Bluesky) | All three blocks now have 2 paragraphs with a blank line, using YAML \| literal scalars — should pass the next social-media-review run |
| Style: easy to start in LinkedIn copy | Replaced with quick to start |
| Casing: Pulumi Review Stacks | Section now reads "Review stacks and canary deployments" and the body uses "Pulumi previews" — phrase is gone ✓ |
| Branch history | Confirmed single clean commit (a38a072) on top of current master |

Optional polish — still applicable

A few of the previous content notes weren't addressed; flagging them again in case you want to take them before publish on 2026-05-26. None are blockers.

  1. index.md:31 — hedge word often (STYLE-GUIDE.md flags hedging language):

    Traditional approaches involve manual spreadsheets or disconnected scanning tools that lack the context of your infrastructure code. Pulumi changes this by integrating security directly into the deployment lifecycle. By combining [Pulumi Insights](/docs/insights/), [Neo](/product/neo/), and [Pulumi Policies](/docs/insights/policy/), you can create a closed-loop system for AMI refreshes.
    
  2. index.md:48 and index.md:54 — Insights query operator modified:<2026-04-13. I checked content/docs/insights/discovery/search.md:125-128 again; the documented operators for modified: are exact (modified:2023-03-31), range (modified:[2023-01-01 to 2023-03-31]), and >=. The strict-less-than form (< without =) isn't listed. If you've verified it works in Pulumi Cloud, no change needed — otherwise switch to the documented range form:

    (type:aws:ec2/launchTemplate:LaunchTemplate OR type:aws:ec2/instance:Instance) modified:[* to 2026-04-13]
    

    and similarly for the property-search example on line 54.

  3. index.md:43 — "Pulumi Cloud search" link. Currently links to /product/pulumi-cloud/, but the feature being demonstrated in the next two code blocks is Resource Search. Linking to /docs/insights/discovery/search/ lands readers on the syntax page they need to understand the queries that follow.

  4. index.md:168-170 — generic conclusion. "Security is a continuous process, not a destination" doesn't give the reader a next step. Consider closing with a concrete pointer, e.g. a {{< blog/cta-button >}} to the Pulumi Insights or Neo getting-started page, or a "Try this with your own AMIs by…" line.

Publishing-readiness checklist (unchanged from last pass, all still ✓ except the design item)

  • social: block present and now multi-paragraph for X / LinkedIn / Bluesky
  • meta_image set (meta.png)
  • <!--more--> break present (line 35)
  • Author pablo-seibelt exists in data/team/team/
  • Title 45 chars (≤60), meta description 140 chars (50–160)
  • All internal links resolve
  • Code blocks have language specifiers
  • No em dashes
  • needs-design — meta image / feature image still flagged in the PR description as potentially placeholder; resolve before 2026-05-26

Summary

PR scope is clean and the social formatting fix should unblock the social-media-review bot on its next run. The four remaining items above are nice-to-haves rather than blockers — your call on which (if any) to take.

  • Verify the PR scope is now blog-only
  • Check that previous review feedback was applied
  • Re-run publishing-readiness checklist on the post
  • Post the updated review
    • Branch: blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo

Contributor Author

sicarul commented May 13, 2026

@claude please review again. Branch history is now a single clean commit on current origin/master. The PR diff contains only content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/index.md plus feature.png and meta.png. Social-review is passing, and actionable content feedback has been addressed.

Collaborator

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 2m 6s


Docs re-review — /docs-review (post-cleanup pass 2)

Thanks for the follow-up, @sicarul. Confirming the PR is in publishable shape. Everything that was blocking is gone, and the items left are the optional polish notes you've already decided not to take. Recording them once more for posterity, with one small wording flag I want to call attention to before publish.

✅ Verified resolved

| Item | Status |
| --- | --- |
| PR scope | Diff is exactly 3 files: content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/{index.md,feature.png,meta.png} |
| Branch history | Single commit a38a072 on top of current master |
| Social copy formatting | twitter, linkedin, bluesky all now use YAML \| literal scalars with a blank line between paragraphs (lines 15–26) ✓ |
| Style: "easy" → "quick" | index.md:20 now reads "quick to start and hard to close" ✓ |
| Casing: "Pulumi Review Stacks" | Section is now "Review stacks and canary deployments" (index.md:156); body uses "Pulumi previews" ✓ |

📝 Remaining items — your call, not blockers

You stated these aren't actionable on your side; flagging them here only so the next reader has the trail.

  1. index.md:31 — hedge word often — STYLE-GUIDE.md flags hedging language. Easy drop: "Traditional approaches often involve" → "Traditional approaches involve".
  2. index.md:48 and index.md:54 modified:<2026-04-13 — the documented Insights modified: operators (content/docs/insights/discovery/search.md:125–128) are exact, range, and >=. Strict < isn't shown. If you've confirmed it works against live Pulumi Cloud, fine to ship as-is; otherwise the documented range form is modified:[* to 2026-04-13].
  3. index.md:43 — "Pulumi Cloud" link — currently /product/pulumi-cloud/. The two code blocks that follow are Resource Search syntax, so linking directly to /docs/insights/discovery/search/ lands readers on the relevant page.
  4. index.md:170 — generic conclusion — "Security is a continuous process, not a destination" doesn't give a next step. A {{< blog/cta-button >}} to Insights or Neo getting-started, or a concrete "try this with your own AMIs" pointer, would close the loop the post itself argues for.

⚠️ One small new flag

index.md:26 (Bluesky) — the second paragraph reads Learn more in the post. That's a generic pointer the social-media-review bot flagged in its advisory notes on the previous run, and it's likely to be flagged again on subsequent passes. Not blocking, but if you want to neutralize the bot's suggestions in one shot, consider naming the concrete reader takeaway, e.g. "See the policy pack and CI snippets that gate the deploy." (X and LinkedIn already do this — only Bluesky's CTA is currently generic.)

Publishing-readiness checklist

  • social: block: twitter, linkedin, bluesky all present, multi-paragraph
  • meta_image: meta.png set (138 KB) and feature_image: feature.png set (27 KB) — both non-empty
  • <!--more--> break present (index.md:35)
  • Author pablo-seibelt exists in data/team/team/pablo-seibelt.toml
  • Title 45 chars (≤60), meta description 140 chars (50–160)
  • Internal links resolve (/docs/insights/, /product/neo/, /docs/insights/policy/, /product/pulumi-cloud/)
  • Code blocks have language specifiers (text, typescript, bash)
  • No em dashes detected
  • needs-design: PR description still flags the meta/feature images as potential placeholders — confirm with Design before the 2026-05-26 publish date

Summary

PR scope is clean, social formatting fix should green-light the social-media-review bot, and the post itself reads well end-to-end. Ready to ship once needs-design is resolved — the remaining content notes are stylistic preferences, not blockers.

  • Verify PR scope (3 files only)
  • Confirm single clean commit on master
  • Re-check social frontmatter formatting
  • Re-check style-guide items
  • Re-check technical-accuracy items
  • Run publishing-readiness checklist
  • Post the updated review
    • Branch: blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo

Contributor Author

sicarul commented May 13, 2026

@claude please review again. This request is after the latest pushed head commit a38a0724. The branch has a single clean commit on current origin/master, and the PR diff is limited to content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/index.md, feature.png, and meta.png.

Collaborator

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 43s


Docs re-review — /docs-review (pass 3)

Thanks for the ping, @sicarul. Confirming the PR is clean, scoped, and publishable. No new blockers since the previous pass.

✅ Verified on HEAD a38a072

| Check | Result |
| --- | --- |
| PR scope vs. parent | Exactly 3 files added: content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/{index.md,feature.png,meta.png} — 170 lines added, 0 removed ✓ |
| Branch history | Single commit a38a072 on top of master |
| Author | data/team/team/pablo-seibelt.toml exists; avatar at static/images/team/pablo-seibelt.jpg |
| Images | feature.png 942×628 (27 KB), meta.png 1200×628 (138 KB) — both non-empty ✓ |
| Social copy formatting | twitter, linkedin, bluesky all use YAML ` |
| Title / meta length | Title 45 chars (≤60), meta description 140 chars (50–160) ✓ |
| Markdown hygiene | Code blocks tagged (text, typescript, bash); <!--more--> break at line 35; no em dashes ✓ |
| Internal links | /docs/insights/, /product/neo/, /docs/insights/policy/, /product/pulumi-cloud/ all resolve ✓ |

📝 Optional polish — acknowledged as not taken

You've stated these aren't actionable on your side. Recording once more so the trail is clear for whoever publishes on 2026-05-26.

  1. index.md:31 — hedge word often.
  2. index.md:48 & index.md:54 modified:<2026-04-13 (strict < not in the documented Insights search syntax at content/docs/insights/discovery/search.md:125–128).
  3. index.md:43 — "Pulumi Cloud" link points to /product/pulumi-cloud/ rather than the Resource Search docs the code blocks demonstrate (/docs/insights/discovery/search/).
  4. index.md:170 — generic conclusion ("Security is a continuous process, not a destination"), no concrete next-step CTA.
  5. index.md:26 (Bluesky) — Learn more in the post. is a generic pointer the social-media-review bot has flagged advisorily; X and LinkedIn already have specific CTAs.

Publishing-readiness checklist

  • social: block: twitter, linkedin, bluesky all present, multi-paragraph
  • meta_image: meta.png (138 KB) and feature_image: feature.png (27 KB) — both non-empty
  • <!--more--> break present (index.md:35)
  • Author pablo-seibelt exists and has an avatar
  • Title ≤60 chars, meta description 50–160 chars
  • Internal links resolve
  • Code blocks have language specifiers
  • No em dashes
  • needs-design — PR description still flags feature.png / meta.png as potential placeholders; confirm with Design before 2026-05-26

Summary

PR scope is clean, content reads well, social formatting is correct, and previously-flagged blockers are all resolved. Ready to ship once needs-design is signed off. The remaining items above are stylistic preferences you've already declined — your call to keep them as-is.

  • Verify PR scope (3 files only) against origin/master
  • Re-read index.md and confirm previously resolved items still resolved
  • Re-check the remaining optional polish items for current status
  • Run publishing-readiness checklist
  • Post the updated review
    • Branch: blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo

@sicarul force-pushed the blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo branch from a38a072 to 487164c May 13, 2026 22:53
@sicarul removed the needs-design (Needs input from design/UX) label May 14, 2026
@sicarul marked this pull request as draft May 14, 2026 00:28
Contributor Author

sicarul commented May 14, 2026

@claude please review again. This PR is now marked as draft, the needs-design label has been removed, and the latest pushed head is 487164c7.

Collaborator

pulumi-bot commented May 14, 2026

Claude finished @sicarul's task in 2m 8s


Docs re-review — /docs-review (pass 4)

Thanks for the ping, @sicarul. Confirming HEAD 487164c7 is clean, scoped, and content-ready. Two notable improvements since the last pass: the Insights queries now use a documented relative-date form, and the "Pulumi Cloud" link target was changed. Details below.

✅ Verified on HEAD 487164c7

| Check | Result |
| --- | --- |
| PR scope vs. origin/master | Exactly 3 files added: content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/{index.md,feature.png,meta.png} — 170 lines added, 0 removed ✓ |
| Branch history | Single commit 487164c rebased onto current master |
| Author | data/team/team/pablo-seibelt.toml + static/images/team/pablo-seibelt.jpg exist ✓ |
| Images | feature.png 942×628 (27 KB), meta.png 1200×628 (138 KB) — both non-empty ✓ |
| Social copy formatting | twitter, linkedin, bluesky all use YAML \| literal scalars with blank line between paragraphs (lines 15–26) ✓ |
| Title / meta length | Title 45 chars (≤60), meta description 140 chars (50–160) ✓ |
| Markdown hygiene | Code blocks tagged (text, typescript, bash); <!--more--> break at line 35; no em dashes ✓ |
| Internal links | /docs/insights/, /product/neo/, /docs/insights/policy/ all resolve ✓ |

🆕 Improvements since pass 3

  1. Insights queries (index.md:48 and index.md:54) now use modified:<now-30d. I want to retract my previous technical-accuracy flag: the < operator IS documented (content/docs/insights/discovery/search.md:263 — "The created and modified fields can be queried for a range of values with >, >=, <, <=, and [a to b]."), and the now-30d relative-date form appears as a worked example at content/docs/insights/discovery/get-started/using-resource-explorer.md:39. The queries in the post are valid and match docs precedent. Apologies for the false alarm on previous passes.
  2. index.md:43 — "Pulumi Cloud" link now points to /docs/insights/ (was /product/pulumi-cloud/). Still not the Resource Search syntax page itself, but the Insights landing page is a defensible target for a paragraph that introduces the feature.

📝 Remaining optional polish — your call

These are unchanged from previous passes; recording one more time for the trail. None are blockers.

  1. index.md:31 — hedge word often — STYLE-GUIDE.md flags hedging. Trivial drop: "Traditional approaches often involve" → "Traditional approaches involve".
  2. index.md:43 — link text vs. target — link reads "Pulumi Cloud" but goes to /docs/insights/. Either rewrite the link text ("Pulumi Insights search") or retarget to /docs/insights/discovery/search/ so the link surface matches the destination.
  3. index.md:170 — generic conclusion — "Security is a continuous process, not a destination" doesn't give a next step. A {{< blog/cta-button >}} to Insights or Neo getting-started, or a "try this with your own AMIs" pointer, would close the loop the post itself argues for.
  4. index.md:26 (Bluesky) — Learn more in the post. is the only generic CTA among the three social blocks (X and LinkedIn already name specific takeaways). The social-media-review bot has advisorily flagged it on prior passes.

Publishing-readiness checklist

  • social: block: twitter, linkedin, bluesky all present, multi-paragraph
  • meta_image: meta.png (138 KB) and feature_image: feature.png (27 KB) — both non-empty
  • <!--more--> break present (index.md:35)
  • Author pablo-seibelt exists and has an avatar
  • Title ≤60 chars, meta description 50–160 chars
  • Internal links resolve
  • Code blocks have language specifiers
  • No em dashes
  • Insights query syntax matches documented forms
  • needs-design label removed (confirmed by PR state)
  • PR is currently in draft — flip to ready-for-review before publish on 2026-05-26

Summary

PR is content-ready. With needs-design removed and the technical-accuracy concern retracted, the only remaining gate is moving the PR out of draft when you're ready to merge. The four optional polish items above are stylistic preferences — your call.

  • Verify PR scope (3 files only) against origin/master
  • Confirm branch history and HEAD 487164c7
  • Re-read index.md and re-check previously raised items
  • Re-verify Insights query syntax against docs
  • Re-check publishing-readiness (note new draft + label state)
  • Post the updated review
    • Branch: blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo

@sicarul force-pushed the blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo branch from 487164c to 0a4aa70 May 14, 2026 04:24
Contributor Author

sicarul commented May 14, 2026

@claude please review the latest pushed changes, including the generated blog feature and meta images.

Collaborator

pulumi-bot commented May 14, 2026

Claude finished @sicarul's task in 2m 21s


Docs re-review — /docs-review (pass 5)

Thanks for the ping, @sicarul. Confirming HEAD 0a4aa70 is clean, scoped, and content-ready. The main change since pass 4 is that the feature and meta images are now real generated assets (not placeholders). Details below.

✅ Verified on HEAD 0a4aa70

| Check | Result |
| --- | --- |
| PR scope vs. parent | Exactly 3 files added: content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/{index.md,feature.png,meta.png} — 170 lines added, 0 removed ✓ |
| Branch history | Single commit 0a4aa70 rebased onto current master lineage ✓ |
| Author | data/team/team/pablo-seibelt.toml + static/images/team/pablo-seibelt.jpg exist ✓ |
| Social copy formatting | twitter, linkedin, bluesky all use YAML \| literal scalars with blank line between paragraphs (lines 15–26) ✓ |
| Title / meta length | Title 45 chars (≤60), meta description 140 chars (50–160) ✓ |
| Markdown hygiene | Code blocks tagged (text, typescript, bash); <!--more--> break at line 35; no em dashes ✓ |
| Internal links | /docs/insights/, /product/neo/, /docs/insights/policy/ all resolve ✓ |
| Insights query syntax | modified:<now-30d valid — < operator documented at content/docs/insights/discovery/search.md:263; now-Nd form documented at content/docs/insights/discovery/get-started/using-resource-explorer.md:39 |

🆕 What changed since pass 4

The feature and meta images were regenerated and are now full-resolution, properly composited assets — they look like the real product, not placeholders:

| Image | Dimensions | Size | Notes |
| --- | --- | --- | --- |
| feature.png | 1884 × 1256 (was 942 × 628) | 263 KB (was 27 KB) | "Neo" feature template — dark purple background with the Neo mascot (duck-with-goggles in a frame) and circuit-line motif. On-brand and topical for a Pulumi + Neo post. |
| meta.png | 1200 × 628 | 241 KB (was 138 KB) | OpenGraph card with the post title ("Close the CVE-to-AMI Loop with Pulumi and Neo") set in white sans-serif, Pulumi logo bottom-left, Neo mascot right side. Title fits cleanly in four lines with good contrast. |

This resolves the needs-design concern from earlier passes — the images are no longer flagged as placeholders.

📝 Optional polish — unchanged from pass 4, your call

These are stylistic preferences, not blockers. Recording one more time for the trail:

  1. index.md:31 — hedge word often — STYLE-GUIDE.md flags hedging. Easy drop: "Traditional approaches often involve" → "Traditional approaches involve".
  2. index.md:43 — link text vs. target — link text reads "Pulumi Cloud" but goes to /docs/insights/. Either rewrite the link text (e.g., "Pulumi Insights search") or retarget to /docs/insights/discovery/search/ so the link surface matches the destination.
  3. index.md:170 — generic conclusion — "Security is a continuous process, not a destination" doesn't give a next step. A {{< blog/cta-button >}} to Insights or Neo getting-started, or a "try this with your own AMIs" pointer, would close the loop the post itself argues for.
  4. index.md:26 (Bluesky) — Learn more in the post. — only generic CTA among the three social blocks (X and LinkedIn already name specific takeaways). The social-media-review bot has advisorily flagged it on prior passes.

Publishing-readiness checklist

  • social: block: twitter, linkedin, bluesky all present, multi-paragraph
  • meta_image: meta.png (241 KB, 1200×628) and feature_image: feature.png (263 KB, 1884×1256) — both real generated images
  • <!--more--> break present (index.md:35)
  • Author pablo-seibelt exists with avatar
  • Title ≤60 chars, meta description 50–160 chars
  • Internal links resolve
  • Code blocks have language specifiers
  • No em dashes
  • Insights query syntax matches documented forms
  • needs-design label removed and images are no longer placeholders
  • PR is currently in draft — flip to ready-for-review before publish on 2026-05-26

Summary

PR is content- and design-ready. The only remaining gate is moving the PR out of draft when you're ready to merge. The four optional polish items above are stylistic preferences — your call.

  • Verify PR scope (3 files only) and HEAD commit
  • Inspect feature.png and meta.png (dimensions, file size, visual content)
  • Re-read index.md and re-check previously raised items
  • Run publishing-readiness checklist
  • Post the updated review
    • Branch: blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo
