docs: replace deprecated terraform-aws-components monorepo refs with cloudposse-terraform-components org

[Copilot]

• Previous commit: Replace deprecated terraform-aws-components references with cloudposse-terraform-components org
• Fix url-syntax.mdx - updated //modules/public-subnets → //src, fixed non-existent versions (v1.398.0, v5.7.0 → v1.539.0/v1.541.1), added //src to practical vendor examples
• Fix config/imports.mdx - added //src to all source URLs and updated versions (1.315.0-1.323.0 → 1.533.0-v1.537.0)
• Fix config/index.mdx - added //src and updated version 1.323.0 → v1.537.0
• Fix config/sources.mdx - added //src to source URL
• Fix component-manifest/source.mdx - updated old monorepo format example, versions 1.398.0 → v1.537.0
• Update versions in cheatsheets, vendor-components, component-manifest index/mixins, design-patterns, blog posts, CLI source docs (1.343.1/1.398.0/1.450.0/1.449.0/1.451.0 → v1.537.0-v1.539.1)
• Update CLAUDE.md with mandatory "Terraform Component References" section showing modern format, key rules, and module mapping table

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Update website to replace github.com/cloudposse/terraform-aws-components.git with cloudposse-terraform-components org</issue_title>
<issue_description>### Prompt

The repo github.com/cloudposse/terraform-aws-components.git is deprecated.

Update only the website/ to replace github.com/cloudposse/terraform-aws-components.git with cloudposse-terraform-components org. It should match the new repos.

For example github.com/cloudposse/terraform-aws-components.git//modules/vpc-flow-logs-bucket should be github.com/cloudposse-terraform-components/aws-vpc-flow-logs-bucket.git//src.

The include files should include terraform files, yaml files, and readme files.

references

• Archived repo https://github.com/search?q=repo%3Acloudposse%2Fatmos%20github.com%2Fcloudposse%2Fterraform-aws-components.git&type=code
• New repos https://github.com/search?q=repo%3Acloudposse%2Fatmos+github.com%2Fcloudposse-terraform-components&type=code

Acceptance Criteria

Docs use modern repos
Docs use modern repo versions
"atmos vendor pull" is used to test before/after vendor.yaml changes to ensure copies are similar

Additional Context

No response</issue_description>

<agent_instructions>Follow CLAUDE.md. If CLAUDE.md contains relevant conventions for this change, apply them.

Commit & PR Standards

• Use semantic commits for every change
• Use a semantic PR title (e.g., fix:, feat:, docs:, chore:)
• PR body must summarize all changes clearly; update it as changes accumulate
• precommit/autocommit should run locally if possible

Authorship

• Blog posts and docs/fixes content should be attributed to RB (nitrocode), CEO of Infralicious
• If this is a bug fix, create a document in docs/fixes/ describing the issue, root cause, and resolution

CodeRabbit Feedback

• Address every CodeRabbit comment; start with Critical, then High, Medium, Low
• For each item: state what was done, or explain clearly why it was skipped/deferred
• No Critical, High, or Medium severity items should remain open at close
• Target 100/100 in every scored category CodeRabbit surfaces; if any category is below 100, identify what's blocking it and fix it

Tests

• All unit and acceptance tests must pass before finishing
• If a test is broken (locally or in CI/PR status checks), fix it and document how it was fixed
• If a broken test cannot be fixed, explain why and flag it explicitly

Scoring Report
Provide a summary table at the end with before/after scores and letter grades:

Category	Before	After	Grade	Notes
Merge Safety	?/100	?/100	?	Risk factors, blockers
Test Coverage	?/100	?/100	?	Lines/branches covered
OS Compatibility	?/100	?/100	?	Platform-specific issues
Documentation Quality	?/100	?/100	?	Completeness, accuracy
[Other discovered]	?/100	?/100	?	Add any CodeRabbit categories

CLAUDE.md Maintenance

• Review CLAUDE.md after completing changes
• Apply any improvements suggested by CodeRabbit or discovered during this PR
• Note any CLAUDE.md updates made in the PR body</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Update website to replace github.com/cloudposse/terraform-aws-components.git with cloudposse-terraform-components org #2233

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 2b23174.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.20%. Comparing base (01541b6) to head (2b23174).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2245      +/-   ##
==========================================
+ Coverage   77.18%   77.20%   +0.02%     
==========================================
  Files        1014     1014              
  Lines       95883    95883              
==========================================
+ Hits        74010    74030      +20     
+ Misses      17688    17673      -15     
+ Partials     4185     4180       -5     

Flag	Coverage Δ
unittests	77.20% <ø> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get PR details and files changed
gh pr view 2245 --repo cloudposse/atmos --json title,body,files,additions,deletions,changedFiles 2>/dev/null | jq '{title, additions, deletions, changedFiles, files: [.files[].path]}'

Length of output: 1937

---

🏁 Script executed:

#!/bin/bash
# Get the diff for the PR
gh pr diff 2245 --repo cloudposse/atmos 2>/dev/null | head -600

Length of output: 29169

---

🏁 Script executed:

#!/bin/bash
# Get more of the diff
gh pr diff 2245 --repo cloudposse/atmos 2>/dev/null | tail -n +600 | head -600

Length of output: 29790

---

🏁 Script executed:

#!/bin/bash
# Check for any remaining old-style references in changed files
gh pr diff 2245 --repo cloudposse/atmos 2>/dev/null | grep "^+" | grep -i "terraform-aws-components" | head -30

Length of output: 274

---

🏁 Script executed:

#!/bin/bash
# Check for any remaining old-style references in the full website directory (not just changed files)
rg "terraform-aws-components" website/ --include="*.mdx" --include="*.md" -l 2>/dev/null | head -30

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Check for version inconsistencies - versions without v prefix in new additions
gh pr diff 2245 --repo cloudposse/atmos 2>/dev/null | grep "^+" | grep -E "version.*[0-9]+\.[0-9]+\.[0-9]" | grep -v "^+++" | head -40

Length of output: 1183

---

🏁 Script executed:

#!/bin/bash
# Check configuration-overview.mdx for remaining issues
cat website/docs/cli/configuration-overview.mdx | grep -A5 -B5 "version" | head -40

Length of output: 426

---

🏁 Script executed:

#!/bin/bash
# Check source.mdx for the changed generic module example
cat website/docs/vendor/component-manifest/source.mdx | head -60

Length of output: 1997

---

🏁 Script executed:

#!/bin/bash
# Check url-syntax.mdx for the SSH examples and delimiter section
grep -n "ssh\|//src\|Without Delimiter\|v1.539\|v1.541\|v1.398" website/docs/vendor/url-syntax.mdx | head -30

Length of output: 1709

---

🏁 Script executed:

#!/bin/bash
# Check imports.mdx for version inconsistencies
grep -n "version\|1\.53[0-9]\|1\.3[0-9][0-9]\|v prefix" website/docs/vendor/config/imports.mdx | head -40

Length of output: 1011

---

🏁 Script executed:

#!/bin/bash
# Check the mixins section carefully
grep -n "mixins\|v0.3\|introspection\|cloudposse-terraform-components/mixins" website/docs/vendor/component-manifest/mixins.mdx | head -20

Length of output: 1306

---

🏁 Script executed:

#!/bin/bash
# Check if there are version strings without v prefix in imports.mdx new content
cat website/docs/vendor/config/imports.mdx | grep -E '"[0-9]+\.[0-9]+\.[0-9]+"' | head -20

Length of output: 47

---

🏁 Script executed:

#!/bin/bash
# Verify mixins repo reference in the diff
gh pr diff 2245 --repo cloudposse/atmos 2>/dev/null | grep "mixins" | head -20

Length of output: 1008

---

@nitrocode — Audit Round 1 for PR #2245.

---

1. Executive Summary

This PR is documentation-only, replacing deprecated github.com/cloudposse/terraform-aws-components monorepo references with per-component repos under the cloudposse-terraform-components org across 31 files. The migration is largely correct, but three functional issues stand out: configuration-overview.mdx updates the source URL to the new org while leaving the old 1.300.0 version tag (which almost certainly doesn't exist in the new repos), imports.mdx retains version strings without the required v prefix, and the new cloudposse-terraform-components/mixins repo path in mixins.mdx is unverified and could silently break vendor pulls for readers. The CLAUDE.md update is a strong foundation for enforcement but the module mapping table covers only ~10 of dozens of components. Safe to merge after addressing the three high-severity items.

---

2. Findings Table

#	Issue	Severity	Pre-existing?	Suggested Fix
1	configuration-overview.mdx: Source URL migrated to new org but version: 1.300.0 left unchanged — no v prefix and tag almost certainly nonexistent in new repos	🟠 High	No (new regression introduced by partial update)	Update to version: "v1.537.0" (or latest)
2	imports.mdx line 152: version: "1.535.0" in YAML config block missing v prefix; terminal output lines 173–177 also show ref=1.533.0 / 1.534.0 / 1.535.0 / 1.536.0 without v — inconsistent with every other updated example	🟠 High	No	Prefix all versions with v (e.g., "v1.535.0")
3	mixins.mdx: Mixin URI changed to unverified https://raw.githubusercontent.com/cloudposse-terraform-components/mixins/{{.Version}}/src/mixins/introspection.mixin.tf at v0.3.2 — existence of this repo/path is unknown and would silently break readers' vendor pulls	🟠 High	No	Verify the cloudposse-terraform-components/mixins repo exists at that path and tag before merging; add a note if experimental
4	blog/2026-01-18-source-list-command.mdx: rds component uses v1.535.9 — unusual patch release, likely not a real published tag	🟡 Medium	No	Replace with a confirmed tag (e.g., v1.539.0)
5	source.mdx: Generic "To vendor a module from a Git repo, use the following format" documentation example was changed from a generic pattern to the vpc-specific URL, reducing its value as a teaching example	🟡 Medium	No	Restore a generic pattern (e.g., github.com/cloudposse-terraform-components/aws-<component>.git//src?ref={{.Version}})
6	url-syntax.mdx SSH examples (lines 166, 169): Missing //src subdirectory path — inconsistent with the new //src convention established throughout this PR for cloudposse-terraform-components repos	🟡 Medium	No	Add //src to SSH examples: git::ssh://git@github.com/cloudposse-terraform-components/aws-vpc.git//src?ref=v1.539.0
7	No vendor pull test evidence despite acceptance criteria explicitly requiring "atmos vendor pull is used to test before/after vendor.yaml changes"	🟡 Medium	No	Run atmos vendor pull against the updated vendor.yaml examples and include output in PR description
8	CLAUDE.md module mapping table covers only ~10 components while the library has dozens; missing entries for aurora, iam, waf, lambda, cloudfront, etc.	🟡 Medium	No	Expand table or add a link to the GitHub org for the full list
9	url-syntax.mdx "Without Delimiter" tab: shows aws-vpc.git?ref=v1.539.0 with description "Atmos auto-adds //. " — but for cloudposse-terraform-components repos, TF files live in //src, so auto-adding //. would extract the wrong directory	🟢 Low	No	Add a note clarifying that for cloudposse-terraform-components repos, //src should always be specified explicitly
10	vendor-components.mdx output block: vpc vendor target is at v1.539.0 while vpc-flow-logs-bucket is at v1.537.0 with no explanation for the version skew within the same example	🟢 Low	No	Align versions in examples or add a brief comment explaining intentional difference
11	url-syntax.mdx "Best Practices → Use Subdirectories" block: simultaneously shows //src?ref=v1.539.0 (good) and bare ?ref=v1.539.0 (no subdirectory) as both ✅ good — sends mixed signals about when //src is required	🟢 Low	No	Clarify that //src is required for cloudposse-terraform-components repos specifically
12	CLAUDE.md ### Terraform Component References (MANDATORY) label has no enforcement mechanism; agents can still choose to ignore it	🟢 Low	Pre-existing pattern	Add a linting step or CI check for old org references in docs

---

3. Scores Table

Category	Score	Grade	Delta	Notes
Merge Safety	72/100	C+	n/a	Three high items cause functional doc failures; all changes are docs-only so no runtime regression
Test Coverage	15/100	F	n/a	No automated doc accuracy tests; acceptance criteria vendor pull test not evidenced
Code Quality	75/100	C+	n/a	Strong consistency improvement overall; version prefix inconsistencies and mixed-signal examples reduce score
Security Posture	92/100	A-	n/a	Docs only; new org references appear legitimate; no credential or auth changes

---

4. Top 5 Copilot Action Items

1. Fix configuration-overview.mdx — Update version: 1.300.0 to version: "v1.537.0" (the same series used in adjacent vendor examples).
2. Fix imports.mdx version prefix — Add v prefix to "1.535.0" on line 152 and to all ref=1.53x.0 values in the terminal output block (lines 173–177).
3. Verify or revert mixins.mdx mixin URI — Confirm cloudposse-terraform-components/mixins repo exists at v0.3.2 with the specified path, or revert to the known-working raw.githubusercontent URL.
4. Fix source.mdx generic URI example — Restore the generic format template (using aws-<component>) so the teaching example is not vpc-specific.
5. Fix url-syntax.mdx SSH examples — Add //src to both SSH format examples to be consistent with the new convention.

---

5. Suggested Fix Prompt

You are fixing documentation issues in PR `#2245` of cloudposse/atmos (docs: replace deprecated terraform-aws-components refs).

Fix the following in order of priority:

1. website/docs/cli/configuration-overview.mdx
   - The `version: 1.300.0` field was NOT updated when the source URL was migrated to cloudposse-terraform-components.
   - Update it to `version: "v1.537.0"` to match the new org's tag format.

2. website/docs/vendor/config/imports.mdx
   - Line ~152: change `version: "1.535.0"` → `version: "v1.535.0"` (add v prefix).
   - Lines ~173–177 (terminal output block): add `v` prefix to all bare versions:
     `ref=1.533.0` → `ref=v1.533.0`, `ref=1.534.0` → `ref=v1.534.0`, etc.

3. website/docs/vendor/component-manifest/mixins.mdx
   - Verify that https://raw.githubusercontent.com/cloudposse-terraform-components/mixins/v0.3.2/src/mixins/introspection.mixin.tf resolves to a real file.
   - If it does not exist, revert both mixin URI occurrences to the original known-working path or update to the verified correct path.

4. website/docs/vendor/component-manifest/source.mdx
   - The "To vendor a module from a Git repo, use the following format" code block now shows a vpc-specific URL.
   - Replace it with a generic template: `github.com/cloudposse-terraform-components/aws-<component>.git//src?ref={{.Version}}`

5. website/docs/vendor/url-syntax.mdx
   - Lines ~166 and ~169 (SSH format examples): add `//src` to both cloudposse-terraform-components SSH URI examples.
   - In the "Without Delimiter" tab, add a note: "For cloudposse-terraform-components repos, always specify //src explicitly as Terraform files reside in the src/ subdirectory."

6. website/blog/2026-01-18-source-list-command.mdx
   - The rds component version `v1.535.9` appears to be a non-existent tag. Replace with `v1.539.0` for consistency.

Run `atmos vendor pull` against the updated vendor.yaml examples after making these changes and include the output in the PR description to satisfy the acceptance criteria.

---

🧠 Learnings used

Learnt from: nitrocode
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2026-03-23T04:53:54.115Z
Learning: When nitrocode requests an audit on cloudposse/atmos PRs, respond with: (1) a 3–5 sentence Executive Summary, (2) a Findings table with columns “Number # | Issue | Severity | Pre-existing? | Suggested Fix” using 🔴/🟠/🟡/🟢, (3) a Scores table for Merge Safety, Test Coverage, Code Quality, Security Posture with numeric score, letter grade, and delta vs last audit, (4) Top 3 Copilot Action Items, and (5) a copyable “Suggested fix prompt” block.

---

Learnt from: nitrocode
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2026-03-23T05:23:10.817Z
Learning: When auditing cloudposse/atmos PRs on request from nitrocode, the expected output format is: (1) 3–5 sentence Executive Summary, (2) Findings Table with columns “Number # | Issue | Severity | Pre-existing? | Suggested Fix” using 🔴/🟠/🟡/🟢, (3) Scores Table for Merge Safety, Test Coverage, Code Quality, Security Posture with numeric score, letter grade, and delta vs last audit, (4) Top 3 Copilot Action Items, and (5) a copyable “Suggested fix prompt” block.

---

Learnt from: nitrocode
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2026-03-24T03:03:32.779Z
Learning: When nitrocode requests an audit on cloudposse/atmos PRs, include Top 5 Copilot Action Items (not Top 3) along with Executive Summary, Findings Table, Scores Table, and a copyable Suggested fix prompt.

---

Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: toolchain/http_client_test.go:3-10
Timestamp: 2025-09-10T21:17:55.273Z
Learning: In the cloudposse/atmos repository, imports should never be changed as per samtholiya's coding guidelines.

---

Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: docs/prd/tool-dependencies-integration.md:58-64
Timestamp: 2025-12-13T06:07:37.766Z
Learning: cloudposse/atmos: For PRD docs (docs/prd/*.md), markdownlint issues like MD040/MD010/MD034 can be handled in a separate documentation cleanup commit and should not block the current PR.

---

Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.

---

Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: cmd/markdown/atmos_toolchain_aliases.md:2-4
Timestamp: 2025-09-13T16:39:20.007Z
Learning: In the cloudposse/atmos repository, CLI documentation files in cmd/markdown/ follow a specific format that uses " $ atmos command" (with leading space and dollar sign prompt) in code blocks. This is the established project convention and should not be changed to comply with standard markdownlint rules MD040 and MD014.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1761
File: docs/prd/claude-agent-architecture.md:331-439
Timestamp: 2025-11-07T14:52:55.217Z
Learning: In the cloudposse/atmos repository, Claude agents are used as interactive tools, not in automated/headless CI/CD contexts. Agent documentation and patterns should assume synchronous human interaction.

---

Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: agent-skills/AGENTS.md:0-0
Timestamp: 2026-03-03T16:29:20.024Z
Learning: Applies to agent-skills/**/{stacks,components}/**/*.{yaml,tpl} : Use !terraform.output YAML function or {{ atmos.Component }} Go template for cross-stack component references instead of hardcoding values

---

Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-24T00:42:36.677Z
Learning: Use Atmos specialized domain experts from `.claude/agents/` for focused subsystems. Delegate: TUI/theme changes → tui-expert, new CLI commands → flag-handler, error handling → atmos-errors, agents → agent-developer, examples/demos → example-creator.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check current state of all files flagged in Round 1

echo "=== configuration-overview.mdx ==="
grep -n "version\|1\.300\|1\.537\|terraform-aws-components\|cloudposse-terraform-components" website/docs/cli/configuration-overview.mdx | head -20

echo ""
echo "=== imports.mdx version strings ==="
grep -n "version\|ref=\|1\.53[0-9]" website/docs/vendor/config/imports.mdx | head -30

echo ""
echo "=== mixins.mdx ==="
grep -n "mixin\|cloudposse-terraform-components\|mixins\|v0\.3\|introspection" website/docs/vendor/component-manifest/mixins.mdx | head -20

echo ""
echo "=== source.mdx ==="
cat website/docs/vendor/component-manifest/source.mdx | head -80

echo ""
echo "=== url-syntax.mdx SSH examples ==="
grep -n "ssh\|git::\|//src\|aws-vpc\|v1\.539\|v1\.541" website/docs/vendor/url-syntax.mdx | head -30

echo ""
echo "=== blog rds version ==="
grep -n "rds\|v1\.535\|v1\.539" website/blog/2026-01-18-source-list-command.mdx 2>/dev/null | head -20

echo ""
echo "=== vendor-components.mdx versions ==="
grep -n "version\|v1\.53[0-9]\|v1\.54[0-9]" website/docs/vendor/vendor-components.mdx | head -20

echo ""
echo "=== CLAUDE.md module mapping ==="
grep -n "terraform-aws-components\|cloudposse-terraform-components\|aws-vpc\|aws-rds\|aurora\|lambda\|waf\|cloudfront" CLAUDE.md | head -30

echo ""
echo "=== Any remaining old-style references ==="
rg "github\.com/cloudposse/terraform-aws-components" website/ --include="*.mdx" --include="*.md" -n | head -20

echo ""
echo "=== url-syntax.mdx Without Delimiter section ==="
grep -n -A5 -B2 "Without Delimiter\|auto-adds\|//\." website/docs/vendor/url-syntax.mdx | head -40

echo ""
echo "=== PR current status ==="
gh pr view 2245 --repo cloudposse/atmos --json state,reviews,statusCheckRollup 2>/dev/null | jq '{state, reviews: [.reviews[]? | {author: .author.login, state: .state}], checks: [.statusCheckRollup[]? | {name: .name, conclusion: .conclusion}]}'

Length of output: 12495

---

🌐 Web query:

github.com cloudposse-terraform-components mixins introspection.mixin.tf v0.3.2

💡 Result:

In cloudposse-terraform-components/mixins tag v0.3.2, the file src/mixins/introspection.mixin.tf does three main things: (github.com)

1. Defines variable "required_tags" (list(string), default []) to declare tag keys that must exist. (github.com)
2. Forces a failure if required tags are missing by doing lookup(module.this.tags, k) for each k in var.required_tags when module.this.enabled is true (so missing keys raise an error). (github.com)
3. Creates module "introspection" using cloudposse/label/null version 0.25.0, merging existing tags with an extra tag:
   • "Component" = basename(abspath(path.module))
     and sets context = module.this.context. (github.com)

Raw file (for that exact tag) is:

https://raw.githubusercontent.com/cloudposse-terraform-components/mixins/v0.3.2/src/mixins/introspection.mixin.tf

Citations:

• 1: https://github.com/cloudposse-terraform-components/mixins/blob/v0.3.2/src/mixins/introspection.mixin.tf
• 2: https://github.com/cloudposse-terraform-components/mixins/blob/v0.3.2/src/mixins/introspection.mixin.tf
• 3: https://github.com/cloudposse-terraform-components/mixins/blob/v0.3.2/src/mixins/introspection.mixin.tf
• 4: https://github.com/cloudposse-terraform-components/mixins/blob/v0.3.2/src/mixins/introspection.mixin.tf

---

@nitrocode — Audit Round 2 for PR #2245.

---

1. Executive Summary

Zero of the five top Copilot Action Items from Round 1 have been addressed: configuration-overview.mdx still carries the unversioned 1.300.0 tag, imports.mdx still lacks v prefixes across six version strings, the blog post still references the unverifiable v1.535.9 patch tag for rds, source.mdx still uses a vpc-specific URI as its teaching example, and the SSH examples in url-syntax.mdx still omit //src. Good news: the Round 1 finding about mixins.mdx was a false positive — the cloudposse-terraform-components/mixins repo exists at tag v0.3.2 with the correct file at src/mixins/introspection.mixin.tf, so that path is valid. Two net-new issues were identified this round in url-syntax.mdx: the "Root Directory" tab uses //. for an aws-s3-bucket cloudposse-terraform-components repo (where TF files live in //src, not root), and the commit-hash pinning example omits //src. The PR remains safe to merge after the five unresolved action items are fixed.

---

2. Findings Table

#	Issue	Severity	Pre-existing?	Suggested Fix
1	configuration-overview.mdx line 144: version: 1.300.0 — no v prefix; tag almost certainly absent in new org	🟠 High	No — introduced by partial migration	Change to version: "v1.537.0" (carryover from R1, still open)
2	imports.mdx lines 152, 173–177: six version strings ("1.535.0", ref=1.533.0 through ref=1.536.0) missing v prefix; inconsistent with the v1.537.0 entry on line 111	🟠 High	No	Prefix all bare versions with v (carryover from R1, still open)
3	blog/2026-01-18-source-list-command.mdx line 53: rds component at v1.535.9 — unusual patch-level tag unlikely to exist in the new per-component repo	🟡 Medium	No	Replace with a confirmed release tag such as v1.539.0 (carryover from R1, still open)
4	source.mdx "To vendor a module from a Git repo, use the following format" block: example is vpc-specific (aws-vpc.git//src?ref={{.Version}}), reducing its value as a generic teaching example	🟡 Medium	No	Replace with a generic pattern: github.com/cloudposse-terraform-components/aws-<component>.git//src?ref={{.Version}} (carryover from R1, still open)
5	url-syntax.mdx lines 166 & 169: SSH format examples both omit //src — git::ssh://...aws-vpc.git?ref=... and git@github.com:...aws-vpc.git?ref=... — inconsistent with //src convention	🟡 Medium	No	Add //src to both SSH examples (carryover from R1, still open)
6	url-syntax.mdx line 59: "Root Directory" tab shows aws-s3-bucket.git//.?ref=v1.541.1 for a cloudposse-terraform-components repo — but these repos store TF files in //src, making //. (root) functionally wrong for component vendoring	🟡 Medium	No (new this round)	Change to aws-s3-bucket.git//src?ref=v1.541.1 or use a non-component repo for this tab example
7	url-syntax.mdx line 129: commit-hash pinning example (aws-vpc.git?ref=a1b2c3d4) omits //src — readers copying this pattern will vendor the wrong directory	🟡 Medium	No (new this round)	Add //src: aws-vpc.git//src?ref=a1b2c3d4
8	No vendor pull test evidence: acceptance criteria explicitly requires running atmos vendor pull before/after; PR description contains no output or confirmation this was done	🟡 Medium	No	Run atmos vendor pull against updated examples and paste representative output in PR description
9	url-syntax.mdx "Without Delimiter" tab (line 67): shows aws-vpc.git?ref=v1.539.0 with note "Atmos auto-adds //." — for cloudposse-terraform-components repos this auto-add silently vendors the wrong directory (root vs //src)	🟢 Low	No (new implication post-migration)	Add a callout: "For cloudposse-terraform-components repos, always specify //src explicitly"
10	url-syntax.mdx line 135: example aws-vpc.git?ref=main&depth=10 pins to a mutable main branch — in docs teaching examples, mutable refs can mislead readers into using unstable pins	🟢 Low	No	Replace main with a pinned tag (v1.539.0) or label this as an explicit "mutable branch" example with a warning
11	url-syntax.mdx lines 449 vs 456: juxtaposed examples show //src?ref=v1.539.0 (good) and ?ref=main (no //src) without clear ✅/❌ labeling — sends mixed signals	🟢 Low	Pre-existing pattern, worsened by migration	Add explicit ✅/❌ labels and a note explaining why //src is mandatory for these repos
12	CLAUDE.md module mapping table has ~10 entries; dozens of components (aurora, waf, lambda, cloudfront, iam-role, guardduty, etc.) are unmapped — agents will guess wrong names	🟢 Low	No (new section)	Expand table or link directly to https://github.com/orgs/cloudposse-terraform-components/repositories
13	mixins.mdx unverified URI — CLOSED / FALSE POSITIVE: The file src/mixins/introspection.mixin.tf exists in cloudposse-terraform-components/mixins at tag v0.3.2 — path and version are valid	✅ Resolved	—	No action needed

---

3. Scores Table

Category	Score	Grade	Delta vs R1	Notes
Merge Safety	72/100	C+	0	All 5 R1 action items still open; docs-only so no runtime regression
Test Coverage	15/100	F	0	No automated doc tests; vendor pull acceptance criteria still unmet
Code Quality	73/100	C+	-2	Two new url-syntax.mdx inconsistencies (findings #6, #7) discovered this round
Security Posture	93/100	A-	+1	Mixins URI verified valid; no new attack surface

---

4. Top 5 Copilot Action Items

1. Fix configuration-overview.mdx — Change version: 1.300.0 to version: "v1.537.0" (highest breakage risk for readers copy-pasting the example).
2. Fix imports.mdx version prefixes — Add v to "1.535.0" on line 152 and to all six ref=1.53x.0 values in the terminal output block (lines 173–177).
3. Fix url-syntax.mdx //src gaps — Add //src to: SSH examples (lines 166, 169), the commit-hash example (line 129), and the "Root Directory" tab example (line 59, or swap to a non-cloudposse-terraform-components repo for that tab).
4. Fix source.mdx generic example — Replace the vpc-specific URI with the generic template github.com/cloudposse-terraform-components/aws-<component>.git//src?ref={{.Version}} in the "To vendor a module" prose block.
5. Fix blog rds version — Replace v1.535.9 with a verified release tag (e.g., v1.539.0), and run atmos vendor pull against the PR's updated examples to satisfy the acceptance criteria.

---

5. Suggested Fix Prompt

You are fixing documentation issues in PR `#2245` of cloudposse/atmos (docs: replace deprecated terraform-aws-components refs).
NOTE: The mixins.mdx changes are CORRECT — cloudposse-terraform-components/mixins at v0.3.2 with src/mixins/introspection.mixin.tf is a valid, confirmed path. Do NOT revert those.

Fix the following in order of severity:

1. website/docs/cli/configuration-overview.mdx
   - Line ~144: change `version: 1.300.0` → `version: "v1.537.0"`

2. website/docs/vendor/config/imports.mdx
   - Line ~152: change `version: "1.535.0"` → `version: "v1.535.0"`
   - Lines ~173–177 (terminal output block): add v prefix to all bare versions:
     ref=1.533.0 → ref=v1.533.0
     ref=1.534.0 → ref=v1.534.0
     ref=1.535.0 → ref=v1.535.0
     ref=1.536.0 → ref=v1.536.0

3. website/docs/vendor/url-syntax.mdx
   a) Lines ~166 and ~169 (SSH examples): add //src to both:
      git::ssh://git@github.com/cloudposse-terraform-components/aws-vpc.git//src?ref=v1.539.0
      git@github.com:cloudposse-terraform-components/aws-vpc.git//src?ref=v1.539.0
   b) Line ~59 ("Root Directory" tab): the aws-s3-bucket example uses //.  (root), but
      cloudposse-terraform-components repos store TF files in //src. Either:
      - Change to aws-s3-bucket.git//src?ref=v1.541.1, OR
      - Replace with a non-cloudposse-terraform-components repo for this particular tab example
   c) Line ~129 (commit-hash example): add //src:
      github.com/cloudposse-terraform-components/aws-vpc.git//src?ref=a1b2c3d4
   d) Line ~135 (depth example): replace ref=main with ref=v1.539.0 or add an explicit
      warning label: "⚠️ Mutable branch — not recommended for production"
   e) "Without Delimiter" tab (~line 67): add a note below the result line:
      "> ⚠️ For `cloudposse-terraform-components` repos, always specify `//src` explicitly —
      >  Terraform files reside in the `src/` subdirectory, not the repository root."

4. website/docs/vendor/component-manifest/source.mdx
   - The "To vendor a module from a Git repo, use the following format" prose block
     currently shows aws-vpc specifically. Replace with the generic pattern:
     github.com/cloudposse-terraform-components/aws-<component>.git//src?ref={{.Version}}

5. website/blog/2026-01-18-source-list-command.mdx
   - Line ~53: change rds version v1.535.9 → v1.539.0 (v1.535.9 is not a known published tag)

6. After all edits: run `atmos vendor pull` against the updated vendor.yaml examples,
   capture the output, and paste it into the PR description under a new
   "## Vendor Pull Verification" section to satisfy the acceptance criteria.

---

🧠 Learnings used

Learnt from: nitrocode
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2026-03-23T04:53:54.115Z
Learning: When nitrocode requests an audit on cloudposse/atmos PRs, respond with: (1) a 3–5 sentence Executive Summary, (2) a Findings table with columns “Number # | Issue | Severity | Pre-existing? | Suggested Fix” using 🔴/🟠/🟡/🟢, (3) a Scores table for Merge Safety, Test Coverage, Code Quality, Security Posture with numeric score, letter grade, and delta vs last audit, (4) Top 3 Copilot Action Items, and (5) a copyable “Suggested fix prompt” block.

---

Learnt from: nitrocode
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2026-03-23T05:23:10.817Z
Learning: When auditing cloudposse/atmos PRs on request from nitrocode, the expected output format is: (1) 3–5 sentence Executive Summary, (2) Findings Table with columns “Number # | Issue | Severity | Pre-existing? | Suggested Fix” using 🔴/🟠/🟡/🟢, (3) Scores Table for Merge Safety, Test Coverage, Code Quality, Security Posture with numeric score, letter grade, and delta vs last audit, (4) Top 3 Copilot Action Items, and (5) a copyable “Suggested fix prompt” block.

---

Learnt from: nitrocode
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2026-03-24T03:03:32.779Z
Learning: When nitrocode requests an audit on cloudposse/atmos PRs, include Top 5 Copilot Action Items (not Top 3) along with Executive Summary, Findings Table, Scores Table, and a copyable Suggested fix prompt.

---

Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-24T00:42:36.677Z
Learning: Use Atmos specialized domain experts from `.claude/agents/` for focused subsystems. Delegate: TUI/theme changes → tui-expert, new CLI commands → flag-handler, error handling → atmos-errors, agents → agent-developer, examples/demos → example-creator.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: docs/prd/tool-dependencies-integration.md:58-64
Timestamp: 2025-12-13T06:07:37.766Z
Learning: cloudposse/atmos: For PRD docs (docs/prd/*.md), markdownlint issues like MD040/MD010/MD034 can be handled in a separate documentation cleanup commit and should not block the current PR.

---

Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.

---

Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.

---

Learnt from: osterman
Repo: cloudposse/atmos PR: 1761
File: docs/prd/claude-agent-architecture.md:331-439
Timestamp: 2025-11-07T14:52:55.217Z
Learning: In the cloudposse/atmos repository, Claude agents are used as interactive tools, not in automated/headless CI/CD contexts. Agent documentation and patterns should assume synchronous human interaction.

---

Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: cmd/markdown/atmos_toolchain_aliases.md:2-4
Timestamp: 2025-09-13T16:39:20.007Z
Learning: In the cloudposse/atmos repository, CLI documentation files in cmd/markdown/ follow a specific format that uses " $ atmos command" (with leading space and dollar sign prompt) in code blocks. This is the established project convention and should not be changed to comply with standard markdownlint rules MD040 and MD014.

---

Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: toolchain/http_client_test.go:3-10
Timestamp: 2025-09-10T21:17:55.273Z
Learning: In the cloudposse/atmos repository, imports should never be changed as per samtholiya's coding guidelines.

---

Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: agent-skills/AGENTS.md:0-0
Timestamp: 2026-03-03T16:29:20.024Z
Learning: Applies to agent-skills/**/{stacks,components}/**/*.{yaml,tpl} : Use !terraform.output YAML function or {{ atmos.Component }} Go template for cross-stack component references instead of hardcoding values