chore: sweep github.com/shankar0123/certctl URL refs to certctl-io/certctl

Post-transfer cosmetic + release-critical URL refresh after moving the repo from github.com/shankar0123/certctl to github.com/certctl-io/certctl (2026-05-03). GitHub HTTP redirects continue to forward old URLs forever, so existing operators are not broken — but aligns the canonical references with the new owner so: - procurement engineers / contributors browsing the docs see the right URL on first read - operators copying the agent install one-liner hit the new path directly without going through a redirect - the Helm chart's default image repository points at the canonical org registry path - the OnboardingWizard rendered to first-run UI users shows the new URL in the install snippets and doc anchor links - the GitHub Actions release workflow pushes container images to ghcr.io/certctl-io/certctl-{server,agent} (was: shankar0123) - the release-notes Markdown body in release.yml — which gets stamped into every future release page — references the post-transfer cert-identity (cosign keyless signing now uses the certctl-io workflow URL) and the post-transfer SLSA provenance source-uri. Without this, every cosign verify / slsa-verifier command on a v2.1.0+ release would fail because the cert-identity-regexp would not match the signing identity GitHub Actions OIDC issues post- transfer. Old releases (v2.0.67 and earlier) keep their immutable release-notes pointing at the shankar0123 path and remain verifiable via their own published instructions. Customer impact: - Operators on ghcr.io/shankar0123/certctl-{server,agent}:latest silently freeze on whatever tag was current at transfer time. They get no errors; they just stop receiving updates. The next release notes need a one-line callout (Phase 3.1 of cowork/transfer- certctl-to-org.md) telling them to update their image path to ghcr.io/certctl-io/certctl-{server,agent}. - All other URLs (git clone, install one-liner, raw.githubusercontent URLs, browser links, GitHub API) continue to resolve via permanent HTTP redirects. The sweep is cosmetic for those. Files swept (30 total): .github/workflows/release.yml — IMAGE_NAMESPACE, source-uri, cosign cert-identity-regexp, IMAGE= snippet (5 refs total). CHANGELOG.md, README.md — anchor links, badges, install one-liner, cosign verify snippets in operator-facing sections. api/openapi.yaml — info / externalDocs URLs. install-agent.sh — GITHUB_REPO const + systemd unit Documentation= field. deploy/ENVIRONMENTS.md, deploy/helm/{CHART_SUMMARY,INDEX, INSTALLATION,README}.md, deploy/helm/certctl/{Chart.yaml, README.md,values.yaml}, deploy/helm/examples/values-*.yaml — chart docs + image repository defaults across dev / prod-ha overrides. docs/{certctl-for-cert-manager-users,connector-iis,connectors, migrate-from-acmesh,migrate-from-certbot,quickstart,test-env, why-certctl}.md — operator-facing doc URLs. examples/{acme-nginx,acme-wildcard-dns01,multi-issuer, private-ca-traefik,step-ca-haproxy}/docker-compose.yml + examples/step-ca-haproxy/step-ca-haproxy.md — example image: paths and accompanying narrative. web/src/pages/OnboardingWizard.tsx — first-run-UI URL refs (curl install one-liners, agent docker image path, doc anchor links). Files intentionally NOT swept (Choice A from cowork/transfer-certctl- to-org.md): go.mod, go.sum — module declaration stays github.com/shankar0123/ certctl. Existing imports compile because Go uses the path declared in go.mod, not the URL it was fetched from. Internal- only project; no external Go consumers; rename will land as a mechanical sed when one materializes. ~250 *.go files — every import remains github.com/shankar0123/ certctl/internal/... deploy/test/f5-mock-icontrol/go.mod — separate test sub-module; same Choice A logic; module path stays. Files intentionally NOT swept (other reasons): README.md lines 244-245 — Scarf-pixel docker-pull commands. shankar0123.docker.scarf.sh/... is a Scarf-account hostname (per-user, not per-repo) and the pixel keeps tracking pulls against the operator's personal Scarf account. Migrating to a certctl-io Scarf account is a separate decision (create org Scarf account → re-create package → update README). deploy/test/f5-mock-icontrol/f5-mock-icontrol — checked-in compiled binary with shankar0123/certctl baked into Go build info via the sub-module path. Out of scope for a URL sweep; will refresh on the next `make test-integration` rebuild. Verification: gofmt: clean (no .go files touched). go vet ./...: clean (verified at this SHA in 1.3 of the transfer checklist; no .go changes since). go build ./...: clean (same). go test -short on representative packages: green (same). Diff shape: 30 files, 74 insertions / 74 deletions, net-zero size, pure URL substitution.
2026-06-07 15:01:32 +00:00 · 2026-05-03 23:39:50 +00:00
parent 502823dfdf
commit bc6039a79e
30 changed files with 74 additions and 74 deletions
@@ -9,7 +9,7 @@ env:
  REGISTRY: ghcr.io
  # Keep in lock-step with .github/workflows/ci.yml (M-3).
  GO_VERSION: '1.25.9'
-  IMAGE_NAMESPACE: shankar0123
+  IMAGE_NAMESPACE: certctl-io
 jobs:
  # ----------------------------------------------------------------------
@@ -348,7 +348,7 @@ jobs:
        with:
          generate_release_notes: true
          body: |
-            > **Install / upgrade:** see the [Quick Start section in the README](https://github.com/shankar0123/certctl/blob/master/README.md#quick-start) for Docker Compose, agent install, Helm, and binary download instructions.
+            > **Install / upgrade:** see the [Quick Start section in the README](https://github.com/certctl-io/certctl/blob/master/README.md#quick-start) for Docker Compose, agent install, Helm, and binary download instructions.
            ## Verifying this release
@@ -369,7 +369,7 @@ jobs:
            ```bash
            cosign verify-blob \
              --bundle checksums.txt.sigstore.json \
-              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+              --certificate-identity-regexp '^https://github\.com/certctl-io/certctl/\.github/workflows/release\.yml@refs/tags/' \
              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
              checksums.txt
            ```
@@ -383,7 +383,7 @@ jobs:
            ```bash
            slsa-verifier verify-artifact \
              --provenance-path multiple.intoto.jsonl \
-              --source-uri github.com/shankar0123/certctl \
+              --source-uri github.com/certctl-io/certctl \
              --source-tag ${{ steps.version.outputs.VERSION }} \
              certctl-agent-linux-amd64
            ```
@@ -391,21 +391,21 @@ jobs:
            **4. Verify container image signature and attestations:**
            ```bash
-            IMAGE=ghcr.io/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
+            IMAGE=ghcr.io/certctl-io/certctl-server:${{ steps.version.outputs.VERSION }}
            cosign verify \
-              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+              --certificate-identity-regexp '^https://github\.com/certctl-io/certctl/\.github/workflows/release\.yml@refs/tags/' \
              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
              "$IMAGE"
            # SBOM attestation (SPDX-JSON) emitted by docker/build-push-action
            cosign verify-attestation --type spdxjson \
-              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+              --certificate-identity-regexp '^https://github\.com/certctl-io/certctl/' \
              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
              "$IMAGE"
            # SLSA provenance attestation (mode=max)
            cosign verify-attestation --type slsaprovenance \
-              --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+              --certificate-identity-regexp '^https://github\.com/certctl-io/certctl/' \
              --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
              "$IMAGE"
            ```
@@ -5,7 +5,7 @@ notes are auto-generated from commit messages between consecutive tags.
 **Where to find what changed in a given release:**
- **[GitHub Releases](https://github.com/shankar0123/certctl/releases)** — every
+- **[GitHub Releases](https://github.com/certctl-io/certctl/releases)** — every
  tag has an auto-generated "What's Changed" section pulled from the commits
  between that tag and the previous one, plus per-release supply-chain
  verification instructions (Cosign / SLSA / SBOM).
@@ -27,5 +27,5 @@ without depending on the author to manually update a separate file.
 **For the historical record:** earlier versions (pre-v2.2.0 and the [2.2.0]
 tag itself) had a hand-edited CHANGELOG. That content is preserved in
-[git history](https://github.com/shankar0123/certctl/blob/v2.2.0/CHANGELOG.md)
+[git history](https://github.com/certctl-io/certctl/blob/v2.2.0/CHANGELOG.md)
 at the v2.2.0 tag.
@@ -5,9 +5,9 @@
 # certctl — Self-Hosted Certificate Lifecycle Platform
 [![License](https://img.shields.io/badge/license-BSL%201.1-blue.svg)](LICENSE)
-[![Go Report Card](https://goreportcard.com/badge/github.com/shankar0123/certctl)](https://goreportcard.com/report/github.com/shankar0123/certctl)
+[![Go Report Card](https://goreportcard.com/badge/github.com/certctl-io/certctl)](https://goreportcard.com/report/github.com/certctl-io/certctl)
-[![GitHub Release](https://img.shields.io/github/v/release/shankar0123/certctl)](https://github.com/shankar0123/certctl/releases)
+[![GitHub Release](https://img.shields.io/github/v/release/certctl-io/certctl)](https://github.com/certctl-io/certctl/releases)
-[![GitHub Stars](https://img.shields.io/github/stars/shankar0123/certctl?style=flat&logo=github)](https://github.com/shankar0123/certctl/stargazers)
+[![GitHub Stars](https://img.shields.io/github/stars/certctl-io/certctl?style=flat&logo=github)](https://github.com/certctl-io/certctl/stargazers)
 TLS certificate lifespans are shrinking fast. The CA/Browser Forum passed [Ballot SC-081v3](https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/) unanimously in April 2025, setting a phased reduction: **200 days** by March 2026, **100 days** by March 2027, and **47 days** by March 2029. Organizations managing dozens or hundreds of certificates can no longer rely on spreadsheets, calendar reminders, or manual renewal workflows. The math doesn't work — at 47-day lifespans, a team managing 100 certificates is processing 7+ renewals per week, every week, forever.
@@ -33,7 +33,7 @@ gantt
        47 days                :crit, 2020-01-01, 47d
 ```
-> **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/shankar0123/certctl/issues) — issues get triaged same-day. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
+> **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/certctl-io/certctl/issues) — issues get triaged same-day. CI runs the full test suite with race detection, static analysis, and vulnerability scanning on every commit.
 **Ready to try it?** Jump to the [Quick Start](#quick-start) — you'll have a running dashboard in under 5 minutes.
@@ -198,7 +198,7 @@ For the complete capability breakdown, see the [Feature Inventory](docs/features
 ### Docker Compose (Recommended)
 ```bash
-git clone https://github.com/shankar0123/certctl.git
+git clone https://github.com/certctl-io/certctl.git
 cd certctl
 docker compose -f deploy/docker-compose.yml up -d --build
 ```
@@ -223,7 +223,7 @@ The control plane is HTTPS-only (TLS 1.3, no plaintext listener). See [`docs/tls
 ### Agent Install (One-Liner)
 ```bash
-curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-agent.sh | bash
+curl -sSL https://raw.githubusercontent.com/certctl-io/certctl/master/install-agent.sh | bash
 ```
 Detects your OS and architecture, downloads the binary, configures systemd (Linux) or launchd (macOS), and starts the agent. See [install-agent.sh](install-agent.sh) for details.
@@ -251,7 +251,7 @@ Every `v*` tag publishes signed, attested release artefacts. Binaries
 (`certctl-agent`, `certctl-server`, `certctl-cli`, `certctl-mcp-server` for
 `linux|darwin × amd64|arm64`) ship alongside a `checksums.txt`, per-binary
 SPDX-JSON SBOMs, Cosign signatures, and SLSA Level 3 provenance. Container
-images on `ghcr.io/shankar0123/certctl-{server,agent}` are built with
+images on `ghcr.io/certctl-io/certctl-{server,agent}` are built with
 `docker/build-push-action` `provenance: mode=max` + `sbom: true` and are
 additionally signed with Cosign at the image digest.
@@ -269,7 +269,7 @@ sha256sum -c checksums.txt
 ```bash
 cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
-  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+  --certificate-identity-regexp '^https://github\.com/certctl-io/certctl/\.github/workflows/release\.yml@refs/tags/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  checksums.txt
 ```
@@ -285,7 +285,7 @@ directly.
 ```bash
 slsa-verifier verify-artifact \
  --provenance-path multiple.intoto.jsonl \
-  --source-uri github.com/shankar0123/certctl \
+  --source-uri github.com/certctl-io/certctl \
  --source-tag v2.1.0 \
  certctl-agent-linux-amd64
 ```
@@ -293,22 +293,22 @@ slsa-verifier verify-artifact \
 **4. Verify a container image signature and its SBOM / provenance attestations:**
 ```bash
-IMAGE=ghcr.io/shankar0123/certctl-server:v2.1.0
+IMAGE=ghcr.io/certctl-io/certctl-server:v2.1.0
 cosign verify \
-  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/\.github/workflows/release\.yml@refs/tags/' \
+  --certificate-identity-regexp '^https://github\.com/certctl-io/certctl/\.github/workflows/release\.yml@refs/tags/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "$IMAGE"
 # SBOM attestation (SPDX-JSON, emitted by docker/build-push-action)
 cosign verify-attestation --type spdxjson \
-  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+  --certificate-identity-regexp '^https://github\.com/certctl-io/certctl/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "$IMAGE"
 # SLSA provenance attestation (docker/build-push-action `provenance: mode=max`)
 cosign verify-attestation --type slsaprovenance \
-  --certificate-identity-regexp '^https://github\.com/shankar0123/certctl/' \
+  --certificate-identity-regexp '^https://github\.com/certctl-io/certctl/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "$IMAGE"
 ```
@@ -331,7 +331,7 @@ Each directory contains a `docker-compose.yml` and a `README.md` explaining the
 ```bash
 # Install
-go install github.com/shankar0123/certctl/cmd/cli@latest
+go install github.com/certctl-io/certctl/cmd/cli@latest
 # Configure
 export CERTCTL_SERVER_URL=https://localhost:8443
@@ -355,7 +355,7 @@ certctl ships a standalone MCP (Model Context Protocol) server that exposes all
 ```bash
 # Install and run
-go install github.com/shankar0123/certctl/cmd/mcp-server@latest
+go install github.com/certctl-io/certctl/cmd/mcp-server@latest
 export CERTCTL_SERVER_URL=https://localhost:8443
 export CERTCTL_API_KEY=your-api-key
 export CERTCTL_SERVER_CA_BUNDLE_PATH=/path/to/ca.crt   # required for self-signed bootstrap
@@ -426,4 +426,4 @@ The release-time SBOM is published as a syft-produced cyclonedx file alongside e
 ---
-If certctl solves a problem you have, [star the repo](https://github.com/shankar0123/certctl) to help others find it. Questions, bugs, or feature requests — [open an issue](https://github.com/shankar0123/certctl/issues).
+If certctl solves a problem you have, [star the repo](https://github.com/certctl-io/certctl) to help others find it. Questions, bugs, or feature requests — [open an issue](https://github.com/certctl-io/certctl/issues).
@@ -14,7 +14,7 @@ info:
  version: 2.0.0
  license:
    name: BSL 1.1
-    url: https://github.com/shankar0123/certctl/blob/master/LICENSE
+    url: https://github.com/certctl-io/certctl/blob/master/LICENSE
 servers:
  - url: https://localhost:8443
@@ -77,7 +77,7 @@ Three services on a private bridge network:
 ### Starting it
 ```bash
-git clone https://github.com/shankar0123/certctl.git
+git clone https://github.com/certctl-io/certctl.git
 cd certctl
 docker compose -f deploy/docker-compose.yml up -d --build
 ```
@@ -452,8 +452,8 @@ monitoring:
 ## Support
 For issues, questions, or contributions:
- GitHub: https://github.com/shankar0123/certctl
+- GitHub: https://github.com/certctl-io/certctl
- Documentation: https://github.com/shankar0123/certctl/tree/main/docs
+- Documentation: https://github.com/certctl-io/certctl/tree/main/docs
 ## License
@@ -216,7 +216,7 @@ kubectl logs -l app.kubernetes.io/component=server -f
 ## Support
- **GitHub**: https://github.com/shankar0123/certctl
+- **GitHub**: https://github.com/certctl-io/certctl
 - **Issues**: Report on GitHub issues
 - **Documentation**: All docs are in `deploy/helm/`
@@ -94,4 +94,4 @@ helm install certctl certctl/ --dry-run --debug
 - Full documentation in `README.md`
 - Troubleshooting in `DEPLOYMENT_GUIDE.md`
- Issues: https://github.com/shankar0123/certctl
+- Issues: https://github.com/certctl-io/certctl
@@ -508,8 +508,8 @@ kubectl exec -it <pod> -- \
 ## Support and Contributing
 For issues, questions, or contributions, visit:
- GitHub: https://github.com/shankar0123/certctl
+- GitHub: https://github.com/certctl-io/certctl
- Documentation: https://github.com/shankar0123/certctl/tree/main/docs
+- Documentation: https://github.com/certctl-io/certctl/tree/main/docs
 ## License
@@ -14,7 +14,7 @@ keywords:
  - kubernetes
 maintainers:
  - name: certctl
-home: https://github.com/shankar0123/certctl
+home: https://github.com/certctl-io/certctl
 sources:
-  - https://github.com/shankar0123/certctl
+  - https://github.com/certctl-io/certctl
 license: BSL-1.1
@@ -1,6 +1,6 @@
 # certctl Helm Chart
-Production-ready Helm chart for deploying [certctl](https://github.com/shankar0123/certctl) on Kubernetes. Wires up the certctl server (Deployment), PostgreSQL (StatefulSet with PVC), and the agent (DaemonSet — one per node) on a private cluster, with health probes, security contexts, and optional Ingress.
+Production-ready Helm chart for deploying [certctl](https://github.com/certctl-io/certctl) on Kubernetes. Wires up the certctl server (Deployment), PostgreSQL (StatefulSet with PVC), and the agent (DaemonSet — one per node) on a private cluster, with health probes, security contexts, and optional Ingress.
 ## Quick install
@@ -20,7 +20,7 @@ server:
  # Image configuration
  image:
-    repository: ghcr.io/shankar0123/certctl
+    repository: ghcr.io/certctl-io/certctl
    tag: "" # defaults to Chart.appVersion
    pullPolicy: IfNotPresent
@@ -410,7 +410,7 @@ agent:
  # Image configuration
  image:
-    repository: ghcr.io/shankar0123/certctl-agent
+    repository: ghcr.io/certctl-io/certctl-agent
    tag: ""  # defaults to Chart.appVersion
    pullPolicy: IfNotPresent
@@ -10,7 +10,7 @@ server:
  replicas: 1
  image:
-    repository: ghcr.io/shankar0123/certctl
+    repository: ghcr.io/certctl-io/certctl
    pullPolicy: IfNotPresent  # Use latest tag
  port: 8443
@@ -72,7 +72,7 @@ agent:
  replicas: 1
  image:
-    repository: ghcr.io/shankar0123/certctl-agent
+    repository: ghcr.io/certctl-io/certctl-agent
    pullPolicy: IfNotPresent
  resources:
@@ -12,7 +12,7 @@ server:
  replicas: 3
  image:
-    repository: ghcr.io/shankar0123/certctl
+    repository: ghcr.io/certctl-io/certctl
    tag: "2.1.0"
    pullPolicy: IfNotPresent
@@ -84,7 +84,7 @@ agent:
  kind: DaemonSet
  image:
-    repository: ghcr.io/shankar0123/certctl-agent
+    repository: ghcr.io/certctl-io/certctl-agent
    tag: "2.1.0"
    pullPolicy: IfNotPresent
@@ -53,7 +53,7 @@ helm install certctl deploy/helm/certctl/ \
 On each VM, bare-metal server, or appliance (via proxy agent):
 ```bash
 # Linux amd64
-curl -sSL https://github.com/shankar0123/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64 \
+curl -sSL https://github.com/certctl-io/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64 \
  -o /usr/local/bin/certctl-agent
 chmod +x /usr/local/bin/certctl-agent
@@ -158,7 +158,7 @@ The real IIS connector validation lives in:
 ```powershell
 # Clone + checkout
-git clone https://github.com/shankar0123/certctl.git
+git clone https://github.com/certctl-io/certctl.git
 cd certctl
 git fetch --tags
 git checkout v2.X.0  # whichever release is being validated
@@ -702,7 +702,7 @@ import (
    "fmt"
    vaultapi "github.com/hashicorp/vault/api"
-    "github.com/shankar0123/certctl/internal/connector/issuer"
+    "github.com/certctl-io/certctl/internal/connector/issuer"
 )
 type Config struct {
@@ -1774,7 +1774,7 @@ The adapter (`internal/service/issuer_adapter.go`) translates between the two in
 ```go
 // Wrap your connector implementation with the adapter
-import "github.com/shankar0123/certctl/internal/service"
+import "github.com/certctl-io/certctl/internal/service"
 myIssuer := myissuer.New(config)
 adapted := service.NewIssuerConnectorAdapter(myIssuer)
@@ -29,7 +29,7 @@ certctl adds a control plane that sees all your certificates, deploys with verif
 Start with Docker Compose (5 minutes):
 ```bash
-git clone https://github.com/shankar0123/certctl.git
+git clone https://github.com/certctl-io/certctl.git
 cd certctl/deploy
 docker compose up -d
 ```
@@ -41,7 +41,7 @@ Access the dashboard at `https://localhost:8443` with the API key from `.env`. T
 On each server running acme.sh certs, install the certctl agent:
 ```bash
-curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-agent.sh | bash
+curl -sSL https://raw.githubusercontent.com/certctl-io/certctl/master/install-agent.sh | bash
 # Prompted for server URL and API key
 ```
@@ -49,7 +49,7 @@ Or manually:
 ```bash
 # Download and install agent binary
-wget https://github.com/shankar0123/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64
+wget https://github.com/certctl-io/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64
 chmod +x certctl-agent-linux-amd64
 sudo mv certctl-agent-linux-amd64 /usr/local/bin/certctl-agent
@@ -38,7 +38,7 @@ On each of your 10 servers running Certbot:
 ```bash
 # Linux amd64 (adjust for your architecture)
-curl -sSL https://github.com/shankar0123/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64 \
+curl -sSL https://github.com/certctl-io/certctl/releases/download/v2.1.0/certctl-agent-linux-amd64 \
  -o /usr/local/bin/certctl-agent
 chmod +x /usr/local/bin/certctl-agent
@@ -46,7 +46,7 @@ On Linux, follow the official Docker install guide for your distribution.
 ### Docker Compose (Quick Start)
 ```bash
-git clone https://github.com/shankar0123/certctl.git
+git clone https://github.com/certctl-io/certctl.git
 cd certctl
 docker compose -f deploy/docker-compose.yml up -d --build
 ```
@@ -70,7 +70,7 @@ If this says "command not found", you have an old Docker version. Update Docker
 You need the certctl source code on your machine. If you haven't cloned it yet:
 ```bash
-git clone https://github.com/shankar0123/certctl.git
+git clone https://github.com/certctl-io/certctl.git
 cd certctl
 ```
@@ -105,7 +105,7 @@ certctl isn't the right tool for everyone:
 The demo seeds certificates across multiple issuers, agents, and deployment targets with 180 days of realistic history — jobs, audit events, discovery scans, approval workflows — so you can explore every feature immediately.
 ```bash
-git clone https://github.com/shankar0123/certctl.git
+git clone https://github.com/certctl-io/certctl.git
 cd certctl/deploy && docker compose up -d
 # Dashboard at https://localhost:8443 (self-signed cert — pin deploy/test/certs/ca.crt)
 ```
@@ -22,7 +22,7 @@ services:
  # certctl server (control plane)
  certctl-server:
-    image: ghcr.io/shankar0123/certctl-server:latest
+    image: ghcr.io/certctl-io/certctl-server:latest
    container_name: certctl-server-acme-nginx
    environment:
      # Database
@@ -71,7 +71,7 @@ services:
  # In this example, the agent is in the same compose file for simplicity.
  # In production, the agent runs on each server that needs certificates.
  certctl-agent:
-    image: ghcr.io/shankar0123/certctl-agent:latest
+    image: ghcr.io/certctl-io/certctl-agent:latest
    container_name: certctl-agent-acme-nginx
    environment:
      # Control plane connection
@@ -46,7 +46,7 @@ services:
  # certctl server (control plane + ACME orchestration)
  certctl-server:
-    image: ghcr.io/shankar0123/certctl-server:latest
+    image: ghcr.io/certctl-io/certctl-server:latest
    container_name: certctl-server-dns01
    environment:
      # Database
@@ -124,7 +124,7 @@ services:
  # In production, run agents on each host that needs certificates.
  # For demo, we include one agent in this compose.
  certctl-agent:
-    image: ghcr.io/shankar0123/certctl-agent:latest
+    image: ghcr.io/certctl-io/certctl-agent:latest
    container_name: certctl-agent-dns01
    environment:
      # Control plane connection
@@ -23,7 +23,7 @@ services:
  # certctl server (control plane)
  # Configured with BOTH ACME (Let's Encrypt) and Local CA issuers
  certctl-server:
-    image: ghcr.io/shankar0123/certctl-server:latest
+    image: ghcr.io/certctl-io/certctl-server:latest
    container_name: certctl-server-multi-issuer
    environment:
      # Database
@@ -72,7 +72,7 @@ services:
  # certctl agent (manages certificates on NGINX and application servers)
  certctl-agent:
-    image: ghcr.io/shankar0123/certctl-agent:latest
+    image: ghcr.io/certctl-io/certctl-agent:latest
    container_name: certctl-agent-multi-issuer
    environment:
      # Control plane connection
@@ -22,7 +22,7 @@ services:
  # certctl server (control plane) with Local CA in sub-CA mode
  certctl-server:
-    image: ghcr.io/shankar0123/certctl-server:latest
+    image: ghcr.io/certctl-io/certctl-server:latest
    container_name: certctl-server-private-ca
    environment:
      # Database
@@ -85,7 +85,7 @@ services:
  # certctl agent (deploys certs to Traefik)
  certctl-agent:
-    image: ghcr.io/shankar0123/certctl-agent:latest
+    image: ghcr.io/certctl-io/certctl-agent:latest
    container_name: certctl-agent-private-ca
    environment:
      # Control plane connection
@@ -77,7 +77,7 @@ services:
  # certctl server (control plane)
  certctl-server:
-    image: ghcr.io/shankar0123/certctl-server:latest
+    image: ghcr.io/certctl-io/certctl-server:latest
    container_name: certctl-server-stepca-haproxy
    environment:
      # Database
@@ -127,7 +127,7 @@ services:
  # certctl agent (runs on the target machine with HAProxy)
  certctl-agent:
-    image: ghcr.io/shankar0123/certctl-agent:latest
+    image: ghcr.io/certctl-io/certctl-agent:latest
    container_name: certctl-agent-stepca-haproxy
    environment:
      # Control plane connection
@@ -19,8 +19,8 @@ This is the natural choice if you're already invested in step-ca and want to con
 | Service | Image | Purpose |
 |---------|-------|---------|
 | **step-ca** | `smallstep/step-ca:latest` | Private internal CA |
-| **certctl-server** | `ghcr.io/shankar0123/certctl-server:latest` | Certificate management control plane |
+| **certctl-server** | `ghcr.io/certctl-io/certctl-server:latest` | Certificate management control plane |
-| **certctl-agent** | `ghcr.io/shankar0123/certctl-agent:latest` | Agent running on HAProxy server |
+| **certctl-agent** | `ghcr.io/certctl-io/certctl-agent:latest` | Agent running on HAProxy server |
 | **haproxy** | `haproxy:2.9-alpine` | Reverse proxy / load balancer |
 | **postgres** | `postgres:16-alpine` | certctl audit trail + config storage |
@@ -12,7 +12,7 @@ YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 # Configuration
-GITHUB_REPO="shankar0123/certctl"
+GITHUB_REPO="certctl-io/certctl"
 RELEASE_URL="https://github.com/${GITHUB_REPO}/releases/latest/download"
 INSTALL_DIR="/usr/local/bin"
 SERVICE_NAME="certctl-agent"
@@ -447,7 +447,7 @@ setup_systemd_service() {
    cat > "$service_file" <<'EOF'
 [Unit]
 Description=certctl Agent - Certificate Lifecycle Management
-Documentation=https://github.com/shankar0123/certctl
+Documentation=https://github.com/certctl-io/certctl
 After=network-online.target
 Wants=network-online.target
@@ -304,7 +304,7 @@ function AgentStep({ onNext, onSkip }: { onNext: () => void; onSkip: () => void
    linux: {
      label: 'Install via shell script (systemd service)',
      code: `# Non-interactive install (recommended for curl | bash):
-curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-agent.sh \\
+curl -sSL https://raw.githubusercontent.com/certctl-io/certctl/master/install-agent.sh \\
  | sudo bash -s -- \\
      --server-url ${serverUrl} \\
      --api-key ${apiKey}
@@ -316,7 +316,7 @@ curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-a
    macos: {
      label: 'Install via shell script (launchd service)',
      code: `# Non-interactive install (recommended for curl | bash):
-curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-agent.sh \\
+curl -sSL https://raw.githubusercontent.com/certctl-io/certctl/master/install-agent.sh \\
  | bash -s -- \\
      --server-url ${serverUrl} \\
      --api-key ${apiKey}
@@ -330,7 +330,7 @@ curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-a
      code: `docker run -d --name certctl-agent \\
  -e CERTCTL_SERVER_URL=${serverUrl} \\
  -e CERTCTL_API_KEY=${apiKey} \\
-  ghcr.io/shankar0123/certctl-agent:latest`,
+  ghcr.io/certctl-io/certctl-agent:latest`,
    },
  };
@@ -956,9 +956,9 @@ function CompleteStep({ onFinish, issuerName, certName }: {
      </button>
      <div className="flex justify-center gap-6 text-xs">
-        <a href="https://github.com/shankar0123/certctl/blob/master/docs/quickstart.md" target="_blank" rel="noopener noreferrer" className="text-accent hover:text-accent-bright">Quickstart Guide</a>
+        <a href="https://github.com/certctl-io/certctl/blob/master/docs/quickstart.md" target="_blank" rel="noopener noreferrer" className="text-accent hover:text-accent-bright">Quickstart Guide</a>
-        <a href="https://github.com/shankar0123/certctl/blob/master/docs/architecture.md" target="_blank" rel="noopener noreferrer" className="text-accent hover:text-accent-bright">Architecture</a>
+        <a href="https://github.com/certctl-io/certctl/blob/master/docs/architecture.md" target="_blank" rel="noopener noreferrer" className="text-accent hover:text-accent-bright">Architecture</a>
-        <a href="https://github.com/shankar0123/certctl/blob/master/docs/connectors.md" target="_blank" rel="noopener noreferrer" className="text-accent hover:text-accent-bright">Connectors</a>
+        <a href="https://github.com/certctl-io/certctl/blob/master/docs/connectors.md" target="_blank" rel="noopener noreferrer" className="text-accent hover:text-accent-bright">Connectors</a>
      </div>
    </div>
  );