diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index fe38a7a4876e..8f82ca61f4c9 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -1,3 +1,13 @@
+# FORK-ONLY TESTING TWEAK — NOT FOR UPSTREAM.
+# On camsoper/pulumi.docs we swap ESC + PULUMI_BOT_TOKEN for the default
+# GITHUB_TOKEN so @claude works without org-side ESC setup. Keeps all
+# of @claude's capabilities (re-entrant reviews, Q&A, make-changes
+# on PRs). The only difference: commits pushed via GITHUB_TOKEN do not
+# trigger downstream workflows, which is fine for fork testing where
+# nothing downstream is wired up.
+# Upstream keeps the ESC + PULUMI_BOT_TOKEN design. Do not cherry-pick
+# this commit to the PR branch.
+
 name: Claude Code
 
 on:
@@ -31,10 +41,6 @@ jobs:
         with:
           fetch-depth: 1
 
-      - name: Fetch secrets from ESC
-        id: esc-secrets
-        uses: pulumi/esc-action@v1
-
       - name: Check repository write access
         id: check-access
         run: |
@@ -144,8 +150,8 @@ jobs:
         uses: anthropics/claude-code-action@v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          # Use bot token so pushes trigger downstream workflows (e.g., social review)
-          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+          # FORK-ONLY: default GITHUB_TOKEN instead of PULUMI_BOT_TOKEN via ESC.
+          github_token: ${{ secrets.GITHUB_TOKEN }}
 
           # This is an optional setting that allows Claude to read CI results on PRs
           additional_permissions: |
@@ -189,10 +195,3 @@ jobs:
             -f body="$BODY" >/dev/null || true
           gh pr edit "$PR" --repo "$REPO" --remove-label review:claude-working || true
 
-env:
-  ESC_ACTION_OIDC_AUTH: true
-  ESC_ACTION_OIDC_ORGANIZATION: pulumi
-  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-  ESC_ACTION_ENVIRONMENT: github-secrets/pulumi-docs
-  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
-
diff --git a/content/docs/iac/concepts/assets-archives.md b/content/docs/iac/concepts/assets-archives.md
index d1dd923bf8e2..1353811284ee 100644
--- a/content/docs/iac/concepts/assets-archives.md
+++ b/content/docs/iac/concepts/assets-archives.md
@@ -352,3 +352,7 @@ resources:
 {{% /choosable %}}
 
 {{< /chooser >}}
+
+## Multi-domain test section
+
+This section was added alongside a new program in `static/programs/multi-domain-bucket-typescript/` to exercise mixed-domain review.
diff --git a/scripts/programs/ignore.txt b/scripts/programs/ignore.txt
index 773bac570ea5..46d2dd712fc3 100644
--- a/scripts/programs/ignore.txt
+++ b/scripts/programs/ignore.txt
@@ -54,3 +54,6 @@ aws-static-website-with-runtime-logic-.*
 # Terraform reference project: intentionally not a Pulumi program (used as
 # an external tfstate source by other examples).
 tf-state-ref-terraform
+
+# Multi-domain test
+multi-domain-bucket-typescript
diff --git a/static/programs/multi-domain-bucket-typescript/Pulumi.yaml b/static/programs/multi-domain-bucket-typescript/Pulumi.yaml
new file mode 100644
index 000000000000..3e570b1a32fa
--- /dev/null
+++ b/static/programs/multi-domain-bucket-typescript/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: multi-domain-bucket-typescript
+runtime: nodejs
+description: Multi-domain-test program.
diff --git a/static/programs/multi-domain-bucket-typescript/index.ts b/static/programs/multi-domain-bucket-typescript/index.ts
new file mode 100644
index 000000000000..df317a5c7142
--- /dev/null
+++ b/static/programs/multi-domain-bucket-typescript/index.ts
@@ -0,0 +1,5 @@
+import * as aws from "@pulumi/aws";
+
+const bucket = new aws.s3.BucketV2("multi-domain-bucket");
+
+export const id = bucket.id;
diff --git a/static/programs/multi-domain-bucket-typescript/package.json b/static/programs/multi-domain-bucket-typescript/package.json
new file mode 100644
index 000000000000..65b2bbf3cf6f
--- /dev/null
+++ b/static/programs/multi-domain-bucket-typescript/package.json
@@ -0,0 +1,12 @@
+{
+    "name": "multi-domain-bucket-typescript",
+    "main": "index.ts",
+    "dependencies": {
+        "@pulumi/aws": "^6.0.0",
+        "@pulumi/pulumi": "^3.0.0"
+    },
+    "devDependencies": {
+        "@types/node": "^18",
+        "typescript": "^5.0.0"
+    }
+}
diff --git a/static/programs/multi-domain-bucket-typescript/tsconfig.json b/static/programs/multi-domain-bucket-typescript/tsconfig.json
new file mode 100644
index 000000000000..cd76e4fc3720
--- /dev/null
+++ b/static/programs/multi-domain-bucket-typescript/tsconfig.json
@@ -0,0 +1,16 @@
+{
+    "compilerOptions": {
+        "strict": true,
+        "outDir": "bin",
+        "target": "es2016",
+        "module": "commonjs",
+        "moduleResolution": "node",
+        "sourceMap": true,
+        "experimentalDecorators": true,
+        "pretty": true,
+        "noFallthroughCasesInSwitch": true,
+        "noImplicitReturns": true,
+        "forceConsistentCasingInFileNames": true
+    },
+    "files": ["index.ts"]
+}