diff --git a/docs/migration/cert-manager-coexistence.md b/docs/migration/cert-manager-coexistence.md
index e45364e..cd9c011 100644
--- a/docs/migration/cert-manager-coexistence.md
+++ b/docs/migration/cert-manager-coexistence.md
@@ -143,5 +143,5 @@ For now: cert-manager handles Kubernetes, certctl handles everything else. They
 
 1. Run through the [Quick Start](../getting-started/quickstart.md) for a 5-minute demo
 2. Try the [Multi-Issuer example](../examples/multi-issuer/multi-issuer.md) — manages public and internal certs from one dashboard
-3. Explore [Architecture](./architecture.md#agents) for deployment patterns
+3. Explore [Architecture](../reference/architecture.md#agents) for deployment patterns
 4. Check the [Helm Chart](../deploy/helm/certctl/) for production Kubernetes deployment
diff --git a/docs/migration/from-certbot.md b/docs/migration/from-certbot.md
index 81c6e87..a1d2f71 100644
--- a/docs/migration/from-certbot.md
+++ b/docs/migration/from-certbot.md
@@ -171,5 +171,5 @@ certctl will stop renewing that cert when the policy is disabled. Certbot resume
 
 - Try the [ACME + NGINX example](../examples/acme-nginx/acme-nginx.md) — a working docker-compose you can run locally before deploying to production
 - Review the [Concepts Guide](../getting-started/concepts.md) for terminology (profiles, policies, agents, jobs)
-- Explore [Network Discovery](./quickstart.md#network-discovery-agentless) to find certificates you didn't know about
+- Explore [Network Discovery](../getting-started/quickstart.md#network-discovery-agentless) to find certificates you didn't know about
 - See all [Deployment Examples](../getting-started/examples.md) for other scenarios (wildcard DNS-01, private CA, step-ca, multi-issuer)
diff --git a/docs/reference/protocols/acme-server.md b/docs/reference/protocols/acme-server.md
index dd02041..1e116d0 100644
--- a/docs/reference/protocols/acme-server.md
+++ b/docs/reference/protocols/acme-server.md
@@ -75,7 +75,7 @@ profile rows retain whatever value they were created with.
 
 When certctl-server uses a self-signed TLS bootstrap cert
 (`deploy/test/certs/server.crt` is the demo default; see
-[`docs/tls.md`](./tls.md)), cert-manager 1.15+ will refuse to talk to
+[`docs/tls.md`](../../operator/tls.md)), cert-manager 1.15+ will refuse to talk to
 the directory URL unless the certctl root is trusted. The fix lives in
 `ClusterIssuer.spec.acme.caBundle`:
 
@@ -644,5 +644,5 @@ Read before writing a security review.
 - [Caddy integration walkthrough](../../migration/acme-from-caddy.md)
 - [Traefik integration walkthrough](../../migration/acme-from-traefik.md)
 - [Threat model](./acme-server-threat-model.md)
-- [TLS trust bootstrap reference](./tls.md)
-- [Architecture (control-plane)](./architecture.md)
+- [TLS trust bootstrap reference](../../operator/tls.md)
+- [Architecture (control-plane)](../architecture.md)