@synergyerp/backend-standards 1.0.0 → 1.1.0

package/CICD_STANDARDS.md

@@ -0,0 +1,1888 @@
+# CI/CD Standardization & DevOps Guide
+
+> **Purpose**: Company-wide standards for CI/CD pipelines, containerization, deployment, infrastructure, and DevOps practices.
+> **Target Audience**: DevOps engineers, Tech Leads, QA engineers.
+> **Date**: June 2026
+> **Status**: v1.0 -- Standard
+
+---
+
+## Table of Contents
+
+1. [Core Principles](#1-core-principles)
+2. [Git Branching Strategy](#2-git-branching-strategy)
+3. [Pipeline Architecture Overview](#3-pipeline-architecture-overview)
+4. [CI Pipeline Standards](#4-ci-pipeline-standards)
+5. [CD Pipeline Standards](#5-cd-pipeline-standards)
+6. [Containerization Standards](#6-containerization-standards)
+7. [Environment Strategy](#7-environment-strategy)
+8. [Infrastructure as Code (IaC)](#8-infrastructure-as-code-iac)
+9. [Secret Management](#9-secret-management)
+10. [Database Migration Strategy](#10-database-migration-strategy)
+11. [Monitoring & Alerting](#11-monitoring--alerting)
+12. [Security Scanning](#12-security-scanning)
+13. [Rollback Strategy](#13-rollback-strategy)
+14. [Incident Response](#14-incident-response)
+15. [Tool-Specific Pipeline Templates](#15-tool-specific-pipeline-templates)
+16. [Appendix: Quick References](#16-appendix-quick-references)
+17. [Implementation Validation & Enforcement Mechanisms](#17-implementation-validation--enforcement-mechanisms)
+18. [L1: Editor-Level Validation (VS Code)](#18-l1-editor-level-validation-vs-code)
+19. [L2: Git Hook Validation (Husky + lint-staged)](#19-l2-git-hook-validation-husky--lint-staged)
+20. [L3: CI Pipeline Validation (GitHub Actions)](#20-l3-ci-pipeline-validation-github-actions)
+21. [Validation Rules Summary](#21-validation-rules-summary)
+
+---
+
+## 1. Core Principles
+
+### 1.1 The Ten Commandments of CI/CD
+
+1. **Fail Fast, Fail Loud**: Pipelines must fail immediately on any error. No continueOnError: true for lint, test, or build steps.
+2. **Reproducible Builds**: Lockfiles are sacred. **pnpm-lock.yaml** is the preferred standard and must always be committed. (npm/yarn lockfiles are acceptable for legacy projects).
+3. **Immutable Artifacts**: Every build produces a versioned artifact (Docker image) that is never modified after creation.
+4. **Shift Left**: Security scanning, linting, and testing happen as early as possible in the pipeline.
+5. **No Secrets In Code**: All secrets come from a secrets manager (Azure Key Vault, AWS Secrets Manager, GitHub Secrets, etc.).
+6. **Manual Gate To Production**: Automated deployment stops at staging. Production requires human approval.
+7. **Zero-Downtime Deployments**: All production deployments must use rolling updates or blue/green strategy.
+8. **Everything As Code**: Pipeline definitions, infrastructure, and configuration are all version-controlled.
+9. **Observability**: Every deployment emits metrics, logs, and traces. Alerts are configured before the first production deploy.
+10. **Documented Rollback**: Every service must have a documented and tested rollback procedure.
+
+### 1.2 Separation From Frontend Standards
+
+This document **only** covers CI/CD, DevOps, and deployment concerns. For frontend code quality, testing, linting, and component standards, refer to the Frontend Standards document.
+
+---
+
+## 2. Git Branching Strategy
+
+### 2.1 Branch Model
+
+```
+main                --- Production-ready code (protected)
+  develop           --- Integration branch (protected)
+    feature/*       --- New features (branch from develop)
+    bugfix/*        --- Bug fixes (branch from develop)
+    hotfix/*        --- Critical fixes (branch from main)
+    release/*       --- Release candidates (branch from develop)
+```
+
+### 2.2 Branch Protection Rules
+
+| Branch | Required Reviews | Status Checks | Direct Push |
+|--------|-----------------|---------------|-------------|
+| main | 2 approvals | CI must pass, coverage >=80% lines, >=75% branches | Blocked |
+| develop | 1 approval | CI must pass | Blocked |
+| release/* | 1 approval | CI must pass | Allowed for admins |
+
+### 2.3 GitHub Branch Protection Setup
+
+To configure branch protection in GitHub:
+
+1. Go to **Settings > Branches > Add branch protection rule**
+2. Apply to `main`, `develop`, `release/*`
+3. Enable:
+   - [x] Require pull request reviews (2 for main, 1 for develop)
+   - [x] Dismiss stale pull request approvals when new commits are pushed
+   - [x] Require status checks before merging (CI pipeline)
+   - [x] Require branches to be up to date
+   - [x] Require conversation resolution
+   - [x] Do not allow bypassing the above settings
+
+> For Azure DevOps, use **Branch Policies** under Repos > Branches to achieve the same protections.
+
+### 2.4 Trigger Mapping
+
+| Event | Branch | Pipeline |
+|-------|--------|----------|
+| PR opened/synced | feature/* -> develop | CI (lint, test, build) |
+| PR merged to develop | develop | CI + CD (deploy to Dev) |
+| PR opened/synced | develop -> main | CI (lint, test, build) |
+| PR merged to main | main | CI + CD (deploy to Staging) |
+| Tag pushed | v* | CI + CD (deploy to Production) |
+| Push to hotfix/* | hotfix/* -> main | CI + CD (hotfix deploy) |
+
+---
+
+## 3. Pipeline Architecture Overview
+
+### 3.1 High-Level Flow
+
+```
+DEVELOPER PUSHES CODE
+         |
+         v
++---------------------------------------+
+|           CI PIPELINE                 |
+|                                        |
+|  Lint -> Type Check -> Test -> Scan -> Build |
++---------------------------------------+
+         |
+   (if merged to develop/main)
+         |
+         v
++---------------------------------------+
+|           CD PIPELINE                 |
+|                                        |
+|  Build Docker -> Push Registry -> Deploy -> Smoke Tests |
++---------------------------------------+
+```
+
+### 3.2 Pipeline Separation
+
+| Pipeline | Trigger | Duration Target | Includes |
+|----------|---------|-----------------|----------|
+| CI | Every PR + push | < 10 minutes | Lint, types, tests, security, build |
+| CD (Dev) | Merge to develop | < 5 minutes | Docker build, deploy Dev, smoke tests |
+| CD (Staging) | Merge to main | < 10 minutes | Docker build, deploy Staging, E2E tests |
+| CD (Production) | Tag v* + approval | < 15 minutes | Docker build, deploy Prod, health checks |
+
+---
+
+## 4. CI Pipeline Standards
+
+### 4.1 Mandatory Steps (In Order)
+
+```
+1. Checkout source code
+2. Setup Node.js (version from .nvmrc or engines in package.json)
+3. Cache dependencies (keyed on lockfile hash - pnpm-lock.yaml preferred)
+4. Install dependencies (--frozen-lockfile). Note: While developers may use any manager locally, CI/CD is optimized for **pnpm**.
+5. Lint (must pass, zero warnings threshold)
+6. TypeScript type check (must pass)
+7. Unit/Integration tests with coverage (>=80% lines, 75% branches, 80% functions, 80% statements)
+8. Security audit (npm audit / pnpm audit / Snyk)
+9. Build application
+10. Upload test results + coverage reports
+```
+
+### 4.2 Caching Strategy
+
+```yaml
+- name: Cache pnpm dependencies
+  uses: actions/cache@v4
+  with:
+    key: pnpm-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
+    path: |
+      ~/.pnpm-store
+      node_modules
+    restore-keys: |
+      pnpm-${{ runner.os }}-
+```
+
+### 4.3 Non-Negotiables
+
+| Rule | Enforcement |
+|------|-------------|
+| Pipeline fails on lint errors | Exit code 1 |
+| Pipeline fails on type errors | Exit code 1 |
+| Pipeline fails on test failures | Exit code 1 |
+| Pipeline fails if coverage < 80% lines, 75% branches, 80% functions, 80% statements | Jest/Vitest coverage threshold |
+| Pipeline fails on high/critical audit findings | npm audit --audit-level=high |
+| Lockfile must be frozen | --frozen-lockfile flag |
+| No console.log / debugger | ESLint rule no-console: error (warn/error allowed) |
+| **Pipeline fails on modularization violations** | **pnpm check-modularization exit code 1** |
+| **Pipeline fails on barrel file / cross-domain violations** | **ESLint boundaries + import/no-internal-modules** |
+| **Commit messages must follow conventional commits** | **commitlint in CI (anti-bypass for --no-verify)** |
+
+### 4.4 CI Pipeline Concurrency & Timeouts
+
+All CI workflows must include concurrency groups to cancel redundant runs and hard timeouts to prevent hung jobs:
+
+```yaml
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  quality:
+    timeout-minutes: 15
+    # ...
+  docker:
+    timeout-minutes: 20
+```
+
+---
+
+## 5. CD Pipeline Standards
+
+### 5.1 Deployment Stages
+
+```
+DEVELOP BRANCH: Build & Push -> Deploy Dev -> Smoke Tests
+MAIN BRANCH:    Build & Push -> Deploy Staging -> E2E Tests -> [Manual Approval] -> Deploy Prod -> Health Checks
+```
+
+### 5.2 Image Tagging Strategy
+
+```yaml
+# GitHub Actions
+tags: |
+  ghcr.io/${{ github.repository }}:${{ github.run_id }}
+  ghcr.io/${{ github.repository }}:${{ github.sha }}
+  ghcr.io/${{ github.repository }}:latest
+
+# Azure Pipelines  
+tags: |
+  $(dockerRegistry)/$(imageRepository):$(Build.BuildId)
+  $(dockerRegistry)/$(imageRepository):$(Build.SourceVersion)
+  $(dockerRegistry)/$(imageRepository):latest
+```
+
+### 5.3 Deployment Strategy by Environment
+
+| Environment | Strategy | Max Downtime | Notes |
+|-------------|----------|--------------|-------|
+| Dev | Recreate | 1-2 minutes | Fast iteration, accept downtime |
+| Staging | Rolling update | Zero | Match production behavior |
+| Production | Rolling update or Blue/Green | Zero | Canary if high risk |
+
+### 5.4 Health Check Endpoint Requirement
+
+Every service must expose a /health endpoint:
+```json
+{
+  "status": "ok",
+  "timestamp": "2026-06-17T12:00:00Z",
+  "version": "1.2.3",
+  "checks": {
+    "database": { "status": "ok", "latency_ms": 5 },
+    "redis": { "status": "ok", "latency_ms": 2 }
+  }
+}
+```
+
+### 5.6 Feature Flag Deployment Integration
+
+Feature flags enable dark launches, A/B testing, canary releases, and instant kill-switches. All new features that touch critical paths must be deployed behind a feature flag.
+
+| Rule | Requirement |
+|------|-------------|
+| Flag provider | LaunchDarkly, Unleash, or Flagsmith (OSS) |
+| Flag naming | `kebab-case` domain prefix: `employee-new-dashboard`, `billing-v2-checkout` |
+| Flag lifecycle | Remove flag code within 2 sprints of 100% rollout |
+| CI integration | Flag creation as part of feature PR (provider API) |
+| Kill switch | Critical feature flags serve as instant rollback mechanism |
+| No nested flags | Flags must not depend on other flags |
+
+---
+
+## 6. Containerization Standards
+
+### 6.1 Dockerfile Template
+
+```dockerfile
+FROM node:20-alpine AS base
+RUN corepack enable && corepack prepare pnpm@9 --activate
+WORKDIR /app
+
+FROM base AS deps
+COPY package.json pnpm-lock.yaml ./
+COPY apps/*/package.json ./apps/
+COPY packages/*/package.json ./packages/
+RUN pnpm install --frozen-lockfile
+
+FROM base AS builder
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+RUN pnpm build
+
+FROM node:20-alpine AS runner
+WORKDIR /app
+ENV NODE_ENV=production
+ENV PORT=3000
+RUN addgroup --system --gid 1001 appgroup && \
+    adduser --system --uid 1001 appuser
+COPY --from=builder --chown=appuser:appgroup /app/dist ./dist
+COPY --from=builder --chown=appuser:appgroup /app/package.json ./
+COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
+USER appuser
+EXPOSE 3000
+HEALTHCHECK --interval=30s --timeout=5s --start-period=40s --retries=3 \
+  CMD wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1
+CMD ["node", "dist/server.js"]
+```
+
+### 6.2 Dockerfile Rules
+
+| Rule | Reason |
+|------|--------|
+| Always use -alpine base images | Smaller attack surface, smaller size |
+| Multi-stage builds | Separate build deps from runtime |
+| Non-root user | Security best practice |
+| Pin specific Node.js version | Reproducibility |
+| Include HEALTHCHECK | K8s readiness/liveness probes |
+| Copy only dist, not source | Smaller images, no source code in prod |
+| Use --chown for file ownership | Match non-root user |
+
+### 6.3 .dockerignore Template
+
+```
+**/node_modules
+npm-debug.log
+pnpm-debug.log
+dist
+.next
+.turbo
+build
+out
+coverage
+.env
+.env.*
+!.env.example
+.git
+.gitignore
+.gitattributes
+.idea
+.vscode
+*.swp
+.github
+.azure-pipelines
+.husky
+*.md
+docs
+.DS_Store
+Thumbs.db
+logs
+*.log
+Dockerfile
+docker-compose*.yml
+.dockerignore
+```
+
+---
+
+## 7. Environment Strategy
+
+### 7.1 Environment Matrix
+
+| Environment | Purpose | Deploy Trigger | Replicas | Backup |
+|-------------|---------|---------------|----------|--------|
+| Dev | Developer testing, feature validation | Merge to develop | 1 | No |
+| Staging | QA, UAT, integration testing | Merge to main | 2 | No |
+| Production | Live user-facing | Tag + manual approval | 3+ (auto-scale) | Yes |
+
+### 7.2 Configuration Files
+
+| File | Location | Git-Committed? | Contains Secrets? |
+|------|----------|----------------|-------------------|
+| .env.example | Project root | Yes | No (placeholders) |
+| .env | Project root | No (.gitignored) | Yes |
+| ConfigMap | k8s/base/configmap.yaml | Yes | No |
+| Secrets | Secret Manager | No | Yes |
+
+---
+
+## 8. Infrastructure as Code (IaC)
+
+### 8.1 Kubernetes Manifest Structure
+
+```
+k8s/
+  base/
+    namespace.yaml
+    deployment.yaml
+    service.yaml
+    ingress.yaml
+    configmap.yaml
+    hpa.yaml
+    pdb.yaml
+    kustomization.yaml
+  overlays/
+    dev/
+      kustomization.yaml
+    staging/
+      kustomization.yaml
+    prod/
+      kustomization.yaml
+      hpa-patch.yaml
+```
+
+### 8.2 Required Kubernetes Manifests
+
+| Manifest | Purpose | Required? |
+|----------|---------|-----------|
+| Deployment | Pod deployment with rolling update | Yes |
+| Service | Internal service discovery | Yes |
+| Ingress | External HTTP/S routing | Yes |
+| ConfigMap | Non-sensitive configuration | Yes |
+| Secret | Sensitive configuration | Yes |
+| HorizontalPodAutoscaler | Auto-scaling | For production |
+| PodDisruptionBudget | Min available during updates | For production |
+| NetworkPolicy | Pod-to-pod traffic restrictions | Recommended |
+| Namespace | Environment isolation | Yes |
+
+### 8.3 Kustomize Base Template
+
+```yaml
+# k8s/base/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - configmap.yaml
+  - hpa.yaml
+
+commonLabels:
+  app: my-project
+  managed-by: kustomize
+```
+
+```yaml
+# k8s/overlays/prod/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+patches:
+  - target:
+      kind: Deployment
+      name: app
+    patch: |-
+      - op: replace
+        path: /spec/replicas
+        value: 5
+```
+
+### 8.4 Pod Anti-Affinity (Required for Production)
+
+```yaml
+spec:
+  template:
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app: my-project
+                topologyKey: kubernetes.io/hostname
+```
+
+### 8.5 Resource Quotas (Required for Production)
+
+```yaml
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: app-quota
+  namespace: production
+spec:
+  hard:
+    requests.cpu: "10"
+    requests.memory: 20Gi
+    limits.cpu: "20"
+    limits.memory: 40Gi
+```
+
+### 8.6 SSL/TLS Certificate Management
+
+```yaml
+# cert-manager ClusterIssuer (Let's Encrypt)
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: devops@company.com
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+```
+
+| Rule | Requirement |
+|------|-------------|
+| Issuer | Let's Encrypt via cert-manager (production). Staging issuer for dev/staging. |
+| Renewal | Auto-renew at 30 days before expiry |
+| Monitoring | Alert at < 30 days to expiry |
+| Minimum TLS | TLS 1.2+ only; TLS 1.0/1.1 disabled |
+
+---
+
+## 9. Secret Management
+
+### 9.1 GitHub Secrets Setup
+
+GitHub Secrets is the **preferred** method for storing sensitive values in CI/CD pipelines.
+
+**Where to configure**: Repo **Settings > Secrets and variables > Actions**
+
+**How to use in workflows**:
+```yaml
+# Reference in pipeline
+- run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login --username "${{ secrets.DOCKER_USERNAME }}" --password-stdin
+
+# Or pass as environment variable
+- run: pnpm build
+  env:
+    API_KEY: ${{ secrets.API_KEY }}
+    DATABASE_URL: ${{ secrets.DATABASE_URL }}
+```
+
+**Recommended GitHub Secrets per project**:
+
+| Secret Name | Example Value | Purpose |
+|-------------|--------------|---------|
+| `DOCKER_REGISTRY` | `ghcr.io/myorg` | Container registry URL |
+| `DOCKER_USERNAME` | `myorg-bot` | Registry login user |
+| `DOCKER_PASSWORD` | `ghp_abc...` | Registry token (GitHub PAT) |
+| `KUBE_CONFIG_DEV` | `apiVersion: v1...` | Dev K8s kubeconfig (base64) |
+| `KUBE_CONFIG_STAGING` | `apiVersion: v1...` | Staging K8s kubeconfig |
+| `KUBE_CONFIG_PROD` | `apiVersion: v1...` | Production K8s kubeconfig |
+| `SLACK_WEBHOOK` | `https://hooks.slack.com/...` | Deployment notifications |
+| `SENTRY_DSN` | `https://xxx@sentry.io/xxx` | Error tracking |
+| `SONAR_TOKEN` | `sqp_...` | SonarQube authentication |
+
+### 9.2 GitHub Environments for Deployment Gates
+
+GitHub **Environments** provide manual approval gates for production deployments.
+
+**Setup**:
+1. Go to **Settings > Environments**
+2. Create `production` environment
+3. Add **Required reviewers** (2-3 senior devs/leads)
+4. Add **Deployment branches** (`main` only)
+
+**Workflow integration**:
+```yaml
+jobs:
+  deploy-production:
+    runs-on: ubuntu-latest
+    environment: production    # <-- This triggers the approval gate
+    steps:
+      - run: ./deploy.sh
+```
+
+> The pipeline will **pause** automatically until the required reviewers approve, then proceed.
+
+### 9.3 Alternative: Azure Key Vault
+
+If the organization uses Azure DevOps, use Azure Key Vault via variable groups:
+
+1. Create a Key Vault in Azure
+2. Add secrets to the vault
+3. Link the vault as a Variable Group in Azure DevOps Library
+4. Reference in pipeline: `$(secret-name)`
+
+### 9.4 Secret Sources By Environment
+
+| Environment | Secret Source | Implementation |
+|-------------|--------------|----------------|
+| Local dev | `.env` file (gitignored) | dotenv / VITE_* |
+| CI Pipeline | **GitHub Secrets** (preferred) or Azure Variable Groups | Injected at runtime |
+| Dev K8s | Kubernetes Secrets (from CI) | Base64 encoded |
+| Staging K8s | K8s Secrets + External Secrets Operator | Sync from GitHub Secrets |
+| Production K8s | External Secrets Operator + Cloud Vault | Never stored in etcd |
+
+### 9.5 GitHub Container Registry (GHCR) Setup
+
+GitHub Container Registry is the **preferred** container registry for GitHub-hosted projects.
+
+**Enable GHCR**:
+1. Go to **Settings > Packages** and ensure "GitHub Container Registry" is enabled
+2. Create a **Personal Access Token (PAT)**:
+   - Go to **Settings > Developer settings > Personal access tokens > Fine-grained tokens**
+   - Permissions required: `read:packages`, `write:packages`, `delete:packages`
+
+**Login in CI**:
+```yaml
+- name: Log in to GHCR
+  uses: docker/login-action@v3
+  with:
+    registry: ghcr.io
+    username: ${{ github.actor }}
+    password: ${{ secrets.GITHUB_TOKEN }}  # Auto-generated, no setup needed
+```
+
+**Image naming convention**:
+```
+ghcr.io/<organization>/<project>:<tag>
+
+Examples:
+ghcr.io/mycompany/frontend:abc123
+ghcr.io/mycompany/backend:latest
+ghcr.io/mycompany/web:v1.2.3
+```
+
+> The `GITHUB_TOKEN` secret is **auto-generated** by GitHub for each workflow run. No manual setup required.
+
+### 9.6 Never Commit These
+
+```
+# NEVER COMMIT THESE
+*.pem
+*.key
+*.cert
+.env
+.env.local
+.env.production
+service-account.json
+credentials.json
+secrets.yml
+**/secret/**
+```
+
+---
+
+## 10. Database Migration Strategy
+
+### 10.1 Migration Pipeline Integration
+
+```yaml
+steps:
+  - task: Kubernetes@1
+    displayName: "Run database migrations"
+    inputs:
+      command: "exec"
+      arguments: "deployment/app -- pnpm db:migrate"
+```
+
+### 10.2 Migration Rules
+
+| Rule | Reason |
+|------|--------|
+| Migrations run AFTER new pods are deployed | Old pods can still serve traffic |
+| Migrations must be backward compatible | Rollback must be possible |
+| Never auto-run migrations in production | Require manual trigger |
+| Always run migrations in Dev and Staging first | Catch issues early |
+| Test files must not exist in migration directories | TypeORM CLI fails on test files |
+
+### 10.3 Migration Directory Convention
+
+```
+apps/backend/src/database/
+  migrations/     # ONLY migration files (NO test files)
+  seeds/          # ONLY seed files (NO test files)
+  factories/      # Test factories only
+```
+
+### 10.4 Database Backup Strategy
+
+| Rule | Requirement |
+|------|-------------|
+| Backup tool | Velero (K8s) or pg_dump (bare metal) |
+| Frequency | Production: daily full + continuous WAL archiving. Staging: daily. |
+| Retention | 30 daily, 12 monthly, 7 yearly |
+| Encryption | At rest (AES-256) + in transit (TLS) |
+| Restore testing | Quarterly restore drill required; results documented |
+| Offsite | Backups replicated to secondary region within 24 hours |
+
+---
+
+## 11. Monitoring & Alerting
+
+### 11.1 Required Metrics & Alerts
+
+| Metric | Source | Alert Threshold |
+|--------|--------|----------------|
+| CPU Usage | K8s Metrics Server | >80% for 5 minutes |
+| Memory Usage | K8s Metrics Server | >85% for 5 minutes |
+| HTTP 5xx Rate | Application metrics | >1% for 5 minutes |
+| HTTP 4xx Rate | Application metrics | >5% for 5 minutes |
+| Request Latency (p95) | Application metrics | >2000ms for 5 minutes |
+| Disk Usage | Node exporter | >85% |
+| Pod Restarts | K8s | >3 in 10 minutes |
+| Certificate Expiry | Cert manager | <30 days |
+
+### 11.2 Alert Notification Channels
+
+| Channel | Severity | Use Case |
+|---------|----------|----------|
+| Slack | All | General alerts |
+| PagerDuty/OpsGenie | Critical | Production outages |
+| Email | Warning | Non-urgent notifications |
+| SMS | Critical | Escalation (if PagerDuty not ackd) |
+
+---
+
+## 12. Security Scanning
+
+### 12.1 Mandatory Scans
+
+| Scan | Tool | When | Fail On |
+|------|------|------|---------|
+| Dependency audit | npm audit / pnpm audit | Every CI run | High/Critical |
+| SAST (Static Analysis) | ESLint + SonarQube | Every CI run | Blocker issues |
+| Container scan | Trivy / Snyk | Every Docker build | High/Critical CVEs |
+| Secret detection | GitLeaks / TruffleHog | Every PR | Any secret found |
+| License compliance | FOSSA / License Checker | Weekly | Non-approved licenses |
+
+### 12.2 CI Security Steps
+
+```yaml
+- run: pnpm audit --audit-level=high
+- uses: sonarsource/sonarcloud-github-action@master
+- run: trivy image --exit-code 1 --severity CRITICAL,HIGH myapp:latest
+- uses: gitleaks/gitleaks-action@v2
+```
+
+### 12.3 Vulnerability Handling SLA
+
+| Severity | Response Time | Fix Deadline |
+|----------|--------------|--------------|
+| Critical | < 1 hour | < 24 hours |
+| High | < 4 hours | < 7 days |
+| Medium | < 1 business day | < 30 days |
+| Low | < 1 week | Next release |
+
+---
+
+## 13. Rollback Strategy
+
+### 13.1 Rollback Triggers
+
+- Error rate spike > 5% after deployment
+- p95 latency increase > 100% after deployment
+- Critical security vulnerability discovered
+- Database migration failure
+- Manual decision by on-call engineer
+
+### 13.2 Rollback Procedures
+
+| Deployment Type | Rollback Method | Time To Recover |
+|----------------|----------------|-----------------|
+| Kubernetes | kubectl rollout undo deployment/app | < 2 minutes |
+| Docker Compose | docker compose down && docker compose -f docker-compose.prev.yml up | < 5 minutes |
+| Blue/Green | Switch traffic back to previous slot | < 1 minute |
+| DB migration | Run migration:revert (must be tested) | < 5 minutes |
+
+### 13.3 Kubernetes Rollback Commands
+
+```bash
+# Check rollout history
+kubectl rollout history deployment/app
+
+# Rollback to previous version
+kubectl rollout undo deployment/app
+
+# Rollback to specific revision
+kubectl rollout undo deployment/app --to-revision=3
+
+# Verify rollback
+kubectl rollout status deployment/app
+
+# Check pod health
+kubectl get pods -l app=myapp
+```
+
+### 13.4 Database Rollback
+
+```bash
+pnpm db:revert  # Reverts the last migration
+pnpm db:status  # Verify current state
+```
+
+---
+
+## 14. Incident Response
+
+### 14.1 Incident Severity Levels
+
+| Level | Description | Response | Example |
+|-------|-------------|----------|---------|
+| SEV1 | Complete service outage | Immediate, all hands | App is down |
+| SEV2 | Major feature degradation | < 15 minutes | Login broken |
+| SEV3 | Minor feature issue | < 1 hour | UI cosmetic bug |
+| SEV4 | Non-urgent issue | Next business day | Missing documentation |
+
+### 14.2 Incident Response Flow
+
+```
+INCIDENT DETECTED (Alert or User Report)
+        |
+        v
+Acknowledge (PagerDuty/Slack within 5 minutes)
+        |
+        v
+Triage (Determine severity, assign owner)
+        |
+        v
+Mitigate (Rollback / feature flag / hotfix)
+        |
+        v
+Communicate (Update status page, stakeholders)
+        |
+        v
+Post-Mortem / RCA (Within 48 hours, documented in ADR)
+```
+
+### 14.3 Post-Mortem Template
+
+```markdown
+## Incident Post-Mortem
+
+### Summary
+[What happened, when, impact]
+
+### Timeline
+- [Time] Issue detected
+- [Time] Investigation started
+- [Time] Root cause identified
+- [Time] Mitigation applied
+- [Time] Service recovered
+
+### Root Cause
+[Technical explanation]
+
+### Impact
+- Users affected: [number]
+- Downtime: [duration]
+- Revenue impact: [amount]
+
+### Action Items
+- [ ] Fix [permanent fix]
+- [ ] Add monitoring for [gap]
+- [ ] Update runbook for [procedure]
+- [ ] Schedule post-mortem review
+
+### Prevention
+[How to prevent recurrence]
+```
+
+### 14.4 Service-Level Objectives (SLO)
+
+| Severity | Acknowledgement | Mitigation | Resolution | Uptime Target |
+|----------|----------------|------------|------------|---------------|
+| SEV1 | < 5 min | < 15 min | < 1 hour | 99.9% monthly |
+| SEV2 | < 15 min | < 1 hour | < 4 hours | -- |
+| SEV3 | < 1 hour | < 4 hours | < 24 hours | -- |
+| SEV4 | < 4 hours | -- | Next business day | -- |
+
+### 14.5 Disaster Recovery Standards
+
+| Metric | Target |
+|--------|--------|
+| RTO (Recovery Time Objective) | < 4 hours |
+| RPO (Recovery Point Objective) | < 1 hour |
+| Multi-region | Production must span at least 2 availability zones |
+| Failover | Documented runbook tested quarterly |
+| Cross-region replication | Database replication to secondary region (async, < 5 min lag) |
+
+---
+
+## 15. Tool-Specific Pipeline Templates
+
+### 15.1 Platform Decision: GitHub Actions (Recommended) vs Azure Pipelines
+
+| Factor | GitHub Actions (Recommended) | Azure Pipelines |
+|--------|------------------------------|-----------------|
+| **Repo hosting** | GitHub | Azure Repos / GitHub |
+| **Setup complexity** | Minimal (built-in to GitHub) | Moderate (requires Azure DevOps org) |
+| **Secret management** | GitHub Secrets (built-in) | Azure Key Vault + Variable Groups |
+| **Container registry** | GHCR (built-in, free) | Azure Container Registry (paid) |
+| **Approval gates** | GitHub Environments | Azure DevOps Deployment Gates |
+| **Cost** | Free for public / 2000 min/mo private | Free for 5 users, paid tiers |
+| **Kubernetes deploy** | `kubectl` or helm actions | KubernetesManifest task |
+| **Community** | Largest ecosystem of actions | Smaller, mostly enterprise |
+
+> **Recommendation**: Use **GitHub Actions** for all new projects. If the company standardizes on Azure DevOps, Azure Pipelines is a capable alternative. Both templates are provided below.
+
+### 15.2 GitHub Actions (Full CI) -- Primary Option
+
+```yaml
+# .github/workflows/ci.yml
+name: CI Pipeline
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+
+env:
+  NODE_VERSION: "20"
+  PNPM_VERSION: "9"
+
+jobs:
+  quality:
+    name: Quality Checks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - uses: pnpm/action-setup@v2
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - name: Cache pnpm
+        uses: actions/cache@v4
+        with:
+          key: pnpm-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
+          path: ~/.pnpm-store
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm lint
+      - run: pnpm check-types
+      - run: pnpm test:ci
+
+      - run: pnpm audit --audit-level=high
+
+      - run: pnpm build
+
+      - uses: codecov/codecov-action@v4
+        with:
+          files: ./coverage/cobertura-coverage.xml
+
+  docker:
+    name: Build & Push Docker
+    needs: quality
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ github.sha }}
+            ghcr.io/${{ github.repository }}:${{ github.ref_name }}
+            ghcr.io/${{ github.repository }}:latest
+### 15.3 GitHub Actions (CD) -- Primary Option
+
+```yaml
+# .github/workflows/cd.yml
+name: CD Pipeline
+
+on:
+  push:
+    branches: [develop, main]
+
+env:
+  GHCR_IMAGE: ghcr.io/${{ github.repository }}
+
+jobs:
+  deploy-dev:
+    name: Deploy to Dev
+    if: github.ref == 'refs/heads/develop'
+    runs-on: ubuntu-latest
+    environment: dev
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up kubectl
+        uses: azure/setup-kubectl@v4
+        with:
+          version: "latest"
+
+      - name: Configure K8s context
+        run: |
+          mkdir -p $HOME/.kube
+          echo "${{ secrets.KUBE_CONFIG_DEV }}" | base64 --decode > $HOME/.kube/config
+          chmod 600 $HOME/.kube/config
+
+      - name: Deploy to K8s
+        run: |
+          kubectl set image deployment/app \
+            app=${{ env.GHCR_IMAGE }}:${{ github.sha }} \
+            --namespace=dev
+          kubectl rollout status deployment/app --namespace=dev
+
+      - name: Run database migrations
+        run: |
+          kubectl exec deployment/app --namespace=dev -- pnpm db:migrate
+
+      - name: Verify deployment
+        run: |
+          kubectl get pods --namespace=dev -l app=app
+          kubectl get ingress --namespace=dev
+
+  deploy-staging:
+    name: Deploy to Staging
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    environment: staging
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure K8s context
+        run: |
+          mkdir -p $HOME/.kube
+          echo "${{ secrets.KUBE_CONFIG_STAGING }}" | base64 --decode > $HOME/.kube/config
+
+      - name: Deploy to K8s
+        run: |
+          kubectl set image deployment/app \
+            app=${{ env.GHCR_IMAGE }}:${{ github.sha }} \
+            --namespace=staging
+          kubectl rollout status deployment/app --namespace=staging
+
+      - name: Run migrations
+        run: |
+          kubectl exec deployment/app --namespace=staging -- pnpm db:migrate
+
+      - name: Run E2E smoke tests
+        run: |
+          kubectl exec deployment/app --namespace=staging -- pnpm test:e2e
+
+  deploy-production:
+    name: Deploy to Production
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    needs: [deploy-staging]
+    environment: production  # <-- Manual approval gate via GitHub Environments
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure K8s context
+        run: |
+          mkdir -p $HOME/.kube
+          echo "${{ secrets.KUBE_CONFIG_PROD }}" | base64 --decode > $HOME/.kube/config
+
+      - name: Deploy to K8s (rolling update, zero-downtime)
+        run: |
+          kubectl set image deployment/app \
+            app=${{ env.GHCR_IMAGE }}:${{ github.sha }} \
+            --namespace=production
+          kubectl rollout status deployment/app --namespace=production
+
+      - name: Run migrations
+        run: |
+          kubectl exec deployment/app --namespace=production -- pnpm db:migrate
+
+      - name: Health check
+        run: |
+          kubectl get pods --namespace=production -l app=app
+          kubectl describe ingress --namespace=production
+
+      - name: Notify Slack on success
+        if: success()
+        run: |
+          curl -X POST -H "Content-type: application/json" \
+            --data '{"text":"Deployment to Production successful: ${{ github.ref_name }}"}' \
+            ${{ secrets.SLACK_WEBHOOK }}
+
+      - name: Notify Slack on failure
+        if: failure()
+        run: |
+          curl -X POST -H "Content-type: application/json" \
+            --data '{"text":":x: Deployment to Production FAILED: ${{ github.ref_name }}"}' \
+            ${{ secrets.SLACK_WEBHOOK }}
+```
+
+### 15.4 Azure Pipelines (Alternative Option)
+
+Use this if the organization standardizes on Azure DevOps instead of GitHub.
+
+```yaml
+# azure-pipelines.yml
+trigger:
+  branches:
+    include:
+      - main
+      - develop
+      - release/*
+  paths:
+    exclude:
+      - docs/*
+      - "*.md"
+
+pr:
+  branches:
+    include:
+      - main
+      - develop
+
+variables:
+  - group: common-vars
+  - name: nodeVersion
+    value: "20.x"
+  - name: pnpmVersion
+    value: "9"
+  - name: dockerRegistry
+    value: "your-acr.azurecr.io"  # Change to your ACR
+  - name: imageRepository
+    value: "myapp"
+
+stages:
+  - stage: Build
+    displayName: "Build and Test"
+    jobs:
+      - job: BuildAndTest
+        steps:
+          - task: NodeTool@0
+            inputs:
+              versionSpec: $(nodeVersion)
+          - script: corepack enable && corepack prepare pnpm@$(pnpmVersion) --activate
+          - task: Cache@2
+            inputs:
+              key: 'pnpm | "$(Agent.OS)" | pnpm-lock.yaml'
+              path: $(PNPM_STORE_PATH)
+          - script: pnpm install --frozen-lockfile
+          - script: pnpm lint
+          - script: pnpm check-types
+          - script: pnpm test:ci
+          - task: PublishTestResults@2
+            inputs:
+              testResultsFiles: "**/junit.xml"
+          - task: PublishCodeCoverageResults@1
+            inputs:
+              codeCoverageTool: "Cobertura"
+              summaryFileLocation: "**/cobertura-coverage.xml"
+          - script: pnpm build
+          - task: PublishBuildArtifacts@1
+            inputs:
+              pathToPublish: "$(Build.ArtifactStagingDirectory)"
+              artifactName: "build"
+
+  - stage: DeployDev
+    displayName: "Deploy to Dev"
+    dependsOn: Build
+    condition: eq(variables['Build.SourceBranchName'], 'develop')
+    jobs:
+      - deployment: DeployDev
+        environment: "dev"
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - task: KubernetesManifest@0
+                  inputs:
+                    action: "deploy"
+                    kubernetesServiceConnection: "k8s-dev"
+                    namespace: "app-dev"
+                    manifests: "k8s/overlays/dev/*.yaml"
+                    containers: "$(dockerRegistry)/app:$(Build.BuildId)"
+                - script: |
+                    kubectl exec deployment/app -n app-dev -- pnpm db:migrate
+
+  - stage: DeployProduction
+    displayName: "Deploy to Production"
+    dependsOn: DeployDev
+    condition: and(succeeded(), eq(variables['Build.SourceBranchName'], 'main'))
+    jobs:
+      - deployment: DeployProduction
+        environment: "production"
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - task: KubernetesManifest@0
+                  inputs:
+                    action: "deploy"
+                    kubernetesServiceConnection: "k8s-prod"
+                    namespace: "app-prod"
+                    manifests: "k8s/overlays/prod/*.yaml"
+                    containers: "$(dockerRegistry)/app:$(Build.BuildId)"
+                - script: |
+                    kubectl exec deployment/app -n app-prod -- pnpm db:migrate
+```
+
+### 15.5 GitLab CI (Quick Reference)
+
+```yaml
+# .gitlab-ci.yml
+stages:
+  - lint
+  - test
+  - build
+  - docker
+  - deploy
+
+image: node:20-alpine
+
+cache:
+  key: ${CI_COMMIT_REF_SLUG}
+  paths:
+    - node_modules/
+    - ~/.pnpm-store
+
+before_script:
+  - corepack enable && corepack prepare pnpm@9 --activate
+  - pnpm install --frozen-lockfile
+
+lint:
+  stage: lint
+  script:
+    - pnpm lint
+    - pnpm check-types
+
+test:
+  stage: test
+  script:
+    - pnpm test:ci
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage/cobertura-coverage.xml
+
+build:
+  stage: build
+  script:
+    - pnpm build
+  artifacts:
+    paths:
+      - dist/
+
+docker:
+  stage: docker
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
+    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+  only:
+    - main
+    - develop
+
+deploy:
+  stage: deploy
+  script:
+    - kubectl set image deployment/app app=$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+    - kubectl rollout status deployment/app
+  environment:
+    name: $CI_ENVIRONMENT_NAME
+  only:
+    - main
+    - develop
+```
+
+---
+
+## 16. Appendix: Quick References
+
+### 16.1 Common Commands
+
+```bash
+# Docker
+docker build -t app:latest .
+docker compose up -d
+docker compose down
+docker system prune -f
+
+# Kubernetes
+kubectl get pods -n app
+kubectl logs -f deployment/app -n app
+kubectl rollout status deployment/app -n app
+kubectl rollout undo deployment/app -n app
+kubectl set image deployment/app app=app:newtag
+kubectl exec deployment/app -- pnpm db:migrate
+kubectl get hpa -n app
+kubectl describe pod app-xxx -n app
+
+# Kustomize
+kubectl kustomize k8s/overlays/prod/
+kubectl apply -k k8s/overlays/prod/
+
+# Debug
+kubectl describe deployment/app
+kubectl get events --sort-by='.lastTimestamp'
+```
+
+### 16.2 Required DevOps Files Checklist
+
+| File | Purpose | Required For |
+|------|---------|-------------|
+| Dockerfile | Multi-stage container build | Every project |
+| .dockerignore | Exclude files from build | Every project |
+| docker-compose.yml | Local dev stack | Every project |
+| docker-compose.dev.yml | Dev with hot-reload | Multi-service projects |
+| k8s/base/deployment.yaml | K8s deployment config | K8s-deployed projects |
+| k8s/base/service.yaml | K8s service config | K8s-deployed projects |
+| k8s/base/ingress.yaml | K8s ingress config | K8s-deployed projects |
+| k8s/base/kustomization.yaml | Kustomize entry point | K8s-deployed projects |
+| k8s/overlays/dev/kustomization.yaml | Dev overlay | K8s-deployed projects |
+| k8s/overlays/prod/kustomization.yaml | Prod overlay | K8s-deployed projects |
+| .github/workflows/ci.yml | CI pipeline | GitHub repos |
+| .github/workflows/cd.yml | CD pipeline | GitHub repos |
+| azure-pipelines.yml | CI/CD pipeline | Azure DevOps |
+| monitoring/prometheus.yml | Metrics config | If using Prometheus |
+| scripts/health-check.sh | Health check script | Every project |
+| .nvmrc | Node version pinning | Every project |
+
+### 16.3 Environment Variable Naming
+
+| Scope | Prefix | Example |
+|-------|--------|---------|
+| Build-time (Vite) | VITE_ | VITE_API_URL |
+| Build-time (Next.js) | NEXT_PUBLIC_ | NEXT_PUBLIC_API_URL |
+| Runtime (Node) | No prefix | DATABASE_URL |
+| Docker | Service-specific | DB_HOST, REDIS_URL |
+
+### 16.4 Key CI/CD Terms
+
+| Term | Definition |
+|------|-----------|
+| CI | Continuous Integration -- automatically build and test every change |
+| CD | Continuous Delivery/Deployment -- automatically deploy to environments |
+| Artifact | Build output (Docker image, compiled files) |
+| Lockfile | File that locks dependency versions (pnpm-lock.yaml) |
+| Blue/Green | Deployment strategy with two identical environments |
+| Canary | Gradual rollout to a subset of users |
+| Rolling Update | Gradual replacement of pods (Kubernetes default) |
+| Readiness Probe | Checks if pod is ready to serve traffic |
+| Liveness Probe | Checks if pod is alive (restarts if failed) |
+| HPA | Horizontal Pod Autoscaler (auto-scale replicas) |
+| PDB | PodDisruptionBudget (min pods during maintenance) |
+| Kustomize | Kubernetes configuration customization tool |
+| Helm | Kubernetes package manager |
+
+---
+
+> **This is a living document.** It should be reviewed and updated quarterly by the DevOps lead and architecture team. All pipeline changes must follow these standards. Deviations require an Architecture Decision Record (ADR).
+
+---
+
+## 17. Implementation Validation & Enforcement Mechanisms
+
+### 17.1 Validation Architecture Overview
+
+```
++------------------+     +------------------+     +---------------------+     +-------------+
+|   DEVELOPER      |     |   GIT/HOOKS      |     |   CI PIPELINE       |     |   PRODUCTION |
+|   WORKSPACE      |     |   (HUSKY)        |     |   (GITHUB ACTIONS)  |     |   DEPLOYMENT |
++------------------+     +------------------+     +---------------------+     +-------------+
+          |                       |                        |                       |
+          v                       v                        v                       v
++------------------+     +------------------+     +---------------------+     +-------------+
+| L1: Editor       |     | L2: Pre-commit   |     | L3: PR Validation   |     | L4: Post-   |
+| (VS Code /      |     | (lint-staged +   |     | (lint, types, tests, |     | deploy Smoke|
+|  ESLint/Prettier)|     |  commitlint)     |     |  coverage, security)|     | tests       |
++------------------+     +------------------+     +---------------------+     +-------------+
+```
+
+**Four enforcement layers protect every rule in this document**:
+
+| Layer | Tool | Trigger | Purpose |
+|-------|------|---------|---------|
+| L1 Editor          | VS Code + ESLint extension | Every save    | Instant feedback while coding |
+| L2 Pre-commit       | Husky + lint-staged        | Every commit  | Block bad code before git history |
+| L3 CI Pipeline      | GitHub Actions             | Every PR      | Enforce before merge |
+| L4 Post-deploy      | Smoke tests + monitoring    | Every deploy  | Catch runtime issues |
+
+---
+
+## 18. L1: Editor-Level Validation (VS Code)
+
+### 18.1 Required VS Code Extensions
+
+Create `.vscode/extensions.json` at the project root:
+
+```json
+{
+  "recommendations": [
+    "dbaeumer.vscode-eslint",
+    "esbenp.prettier-vscode",
+    "usernamehw.commitlint",
+    "christian-kohler.npm-intellisense",
+    "christian-kohler.path-intellisense"
+  ]
+}
+```
+
+### 18.2 VS Code Settings (Required Per Project)
+
+Create `.vscode/settings.json`:
+
+```json
+{
+  // === FORMATTING ===
+  "editor.formatOnSave": true,
+  "editor.defaultFormatter": "esbenp.prettier-vscode",
+  "editor.codeActionsOnSave": {
+    "source.fixAll.eslint": "explicit",
+    "source.organizeImports": "never"
+  },
+
+  // === TYPESCRIPT ===
+  "typescript.preferences.importModuleSpecifier": "non-relative",
+  "typescript.preferences.quoteStyle": "single",
+  "typescript.tsdk": "node_modules/typescript/lib",
+
+  // === FILE SCOPES ===
+  "files.eol": "\n",
+  "files.trimTrailingWhitespace": true,
+  "files.insertFinalNewline": true,
+  "files.autoSave": "onFocusChange",
+
+  // === EDITOR ===
+  "editor.tabSize": 2,
+  "editor.insertSpaces": true,
+  "editor.detectIndentation": false,
+  "editor.renderWhitespace": "boundary",
+  "editor.rulers": [100],
+  "editor.wordWrapColumn": 100,
+
+  // === SEARCH & REPLACE ===
+  "search.useIgnoreFilesByDefault": true,
+  "search.exclude": {
+    "**/node_modules": true,
+    "**/dist": true,
+    "**/coverage": true
+  }
+}
+```
+
+### 18.3 Editor Validation Checklist
+
+- [ ] ESLint extension installed and active
+- [ ] Prettier extension installed and active
+- [ ] Settings.json committed to repo (shared across team)
+- [ ] Format-on-save enabled
+- [ ] Auto-fix on save enabled
+- [ ] TS extension enabled with project TypeScript version
+
+---
+
+## 19. L2: Git Hook Validation (Husky + lint-staged)
+
+### 19.1 Complete Husky Setup
+
+```bash
+# 1. Install
+pnpm add -D husky lint-staged
+
+# 2. Enable
+pnpm prepare  # Runs husky init, creates .husky/
+
+# 3. Create hooks
+npx husky add .husky/pre-commit "pnpm exec lint-staged"
+npx husky add .husky/commit-msg "pnpm exec commitlint --edit \$1"
+npx husky add .husky/pre-push "pnpm lint && pnpm check-modularization && pnpm check-types && pnpm test:ci"
+
+# 4. Verify
+pnpm prepare
+```
+
+The `check-modularization` script validates domain-folder structure, barrel file compliance, and module isolation rules defined in the Frontend and Backend Standards documents.
+
+### 19.1.1 Anti-Bypass Protection (`--no-verify` Enforcement)
+
+The `git commit --no-verify` (or `-n`) flag skips local pre-commit and commit-msg hooks. To prevent this from being used to circumvent standards:
+
+**1. CI Duplicates All Local Checks** — Every check that runs in pre-commit/pre-push also runs in CI (see Section 20). Using `--no-verify` only delays validation; it never bypasses it.
+
+**2. Commit Message Validation in CI**:
+
+```yaml
+# .github/workflows/ci.yml
+- name: Validate Commit Messages (anti-bypass for --no-verify / commit-msg)
+  run: pnpm exec commitlint --from origin/${{ github.base_ref }} --to HEAD
+```
+
+**3. Branch Protection Blocks Non-Compliant PRs** — Even if hooks are skipped locally, CI must pass before merge. The PR cannot merge with failing lint, modularization, type, or test checks.
+
+**`--no-verify` Policy**:
+
+| Bypass Attempt | Result |
+|----------------|--------|
+| `git commit --no-verify` | Commit lands locally. CI runs all skipped checks on push. PR blocked if failing. |
+| `git push --no-verify` | Push succeeds. CI pre-push checks (lint + modularization + types + tests) run anyway. PR blocked if failing. |
+| Removing `.husky/` directory | Caught in code review — `.husky/` is committed. CI lint detects missing config. |
+| Disabling husky in `package.json` | CI `pnpm install` re-installs husky; `pnpm prepare` re-creates hooks. |
+
+> **No commit reaches `main` or `develop` without passing every standard check, regardless of local hook bypass attempts.**
+
+### 19.2 Package.json Scripts Template
+
+```json
+{
+  "scripts": {
+    "prepare": "husky",
+    "lint": "eslint --ext .ts,.tsx --max-warnings 0 .",
+    "lint:fix": "eslint --ext .ts,.tsx . --fix",
+    "format": "prettier --write \"src/**/*.{ts,tsx,json,css,md,yml,yaml}\"",
+    "format:check": "prettier --check \"src/**/*.{ts,tsx,json,css,md,yml,yaml}\"",
+    "check-types": "tsc --noEmit",
+    "check-modularization": "node scripts/check-modularization.mjs",
+    "audit": "pnpm audit --audit-level=high",
+    "test:ci": "vitest run --coverage",
+    "test:ui": "vitest",
+    "validate": "pnpm lint && pnpm check-modularization && pnpm check-types && pnpm test:ci"
+  },
+  "lint-staged": {
+    "src/**/*.{ts,tsx}": ["eslint --fix --max-warnings 0", "prettier --write"],
+    "src/**/*.{css,scss}": ["prettier --write"],
+    "*.{json,md,yaml,yml}": ["prettier --write"]
+  }
+}
+```
+
+### 19.3 Hook Execution Flow
+
+```
+git commit
+  |
+  v
++------------------+
+| Pre-commit hook  |
+| (lint-staged)    | -- Runs ESLint + Prettier on STAGED files only
++------------------+ -- Blocks commit if errors found
+  |
+  v (passes)
++------------------+
+| Commit-msg hook  |
+| (commitlint)     | -- Validates message against conventional commits
++------------------+ -- Blocks commit if invalid
+  |
+  v
+Commit succeeds
+
+
+git push
+  |
+  v
++------------------+
+| Pre-push hook    |
+| (full checks)    | -- Lint + Modularization + Types + Tests
++------------------+ -- Blocks push if fails
+  |
+  v
+Push succeeds
+```
+
+> **Note**: If `--no-verify` is used to skip hooks, all checks still run in CI (Section 20). The PR will be blocked.
+
+---
+
+## 20. L3: CI Pipeline Validation (GitHub Actions)
+
+### 20.1 Required CI Workflow
+
+Every project must have `.github/workflows/ci.yml`. A partial or missing workflow is a blocking issue in onboarding review.
+
+### 20.2 Mandatory CI Checks
+
+| Step | Command | Fails On | Time Limit |
+|------|---------|----------|------------|
+| 1. Lint           | `pnpm lint`              | Any ESLint error (including boundaries + `no-internal-modules`) | 2 min |
+| 2. Modularization | `pnpm check-modularization` | Flat files at root, missing barrel files, cross-domain imports | 30s |
+| 3. Commit Messages | `pnpm exec commitlint --from origin/${{ github.base_ref }} --to HEAD` | Non-conventional commits (anti-bypass) | 10s |
+| 4. Type Check     | `pnpm check-types`       | Any TS type error                 | 1 min |
+| 5. Format Check   | `pnpm format:check`      | Any formatting difference         | 30s |
+| 6. Unit Tests     | `pnpm test:ci`           | Test failure OR coverage < 80% lines, 75% branches, 80% functions, 80% statements    | 5 min |
+| 7. Security Audit | `pnpm audit --audit-level=high` | High/Critical CVEs    | 1 min |
+| 8. Build          | `pnpm build`             | Build failure                     | 3 min |
+
+**Total target CI duration**: < 10 minutes
+
+### 20.3 Complete CI Workflow
+
+```yaml
+name: CI Pipeline
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+
+env:
+  NODE_VERSION: "20"
+  PNPM_VERSION: "9"
+
+jobs:
+  quality:
+    name: Quality Checks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Required for commitlint --from/--to
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+      - uses: pnpm/action-setup@v2
+        with: { version: ${{ env.PNPM_VERSION }} }
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint (ESLint + boundaries + no-internal-modules)
+        run: pnpm lint
+
+      - name: Check Modularization (domain structure + barrels)
+        run: pnpm check-modularization
+
+      - name: Validate Commit Messages (anti-bypass for --no-verify)
+        if: github.event_name == 'pull_request'
+        run: pnpm exec commitlint --from origin/${{ github.base_ref }} --to HEAD
+
+      - name: Type Check
+        run: pnpm check-types
+
+      - name: Format Check
+        run: pnpm format:check
+
+      - name: Test with Coverage
+        run: pnpm test:ci
+
+      - name: Security Audit
+        run: pnpm audit --audit-level=high
+
+      - name: Build
+        run: pnpm build
+
+      - uses: codecov/codecov-action@v4
+        if: always()
+        with:
+          files: ./coverage/cobertura-coverage.xml
+          fail_ci_if_error: false
+```
+
+### 20.4 CD Workflow
+
+```yaml
+name: CD Pipeline
+on:
+  push:
+    branches: [develop, main]
+
+jobs:
+  deploy-dev:
+    if: github.ref == 'refs/heads/develop'
+    runs-on: ubuntu-latest
+    environment: dev
+    steps:
+      - uses: actions/checkout@v4
+      - uses: azure/setup-kubectl@v4
+      - name: Configure kubeconfig
+        run: |
+          mkdir -p $HOME/.kube
+          echo "${{ secrets.KUBE_CONFIG_DEV }}" | base64 --decode > $HOME/.kube/config
+      - name: Deploy
+        run: |
+          kubectl set image deployment/app \
+            app=ghcr.io/${{ github.repository }}:${{ github.sha }} \
+            --namespace=dev
+          kubectl rollout status deployment/app --namespace=dev
+      - name: Migrate
+        run: kubectl exec deployment/app --namespace=dev -- pnpm db:migrate
+
+  deploy-staging:
+    needs: [deploy-dev]
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    environment: staging
+    steps:
+      - uses: actions/checkout@v4
+      - name: Configure kubeconfig
+        run: |
+          mkdir -p $HOME/.kube
+          echo "${{ secrets.KUBE_CONFIG_STAGING }}" | base64 --decode > $HOME/.kube/config
+      - name: Deploy
+        run: |
+          kubectl set image deployment/app \
+            app=ghcr.io/${{ github.repository }}:${{ github.sha }} \
+            --namespace=staging
+          kubectl rollout status deployment/app --namespace=staging
+      - name: Migrate
+        run: kubectl exec deployment/app --namespace=staging -- pnpm db:migrate
+      - name: Smoke Tests
+        run: kubectl exec deployment/app --namespace=staging -- pnpm test:e2e
+
+  deploy-production:
+    needs: [deploy-staging]
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+      - name: Configure kubeconfig
+        run: |
+          mkdir -p $HOME/.kube
+          echo "${{ secrets.KUBE_CONFIG_PROD }}" | base64 --decode > $HOME/.kube/config
+      - name: Deploy (rolling update)
+        run: |
+          kubectl set image deployment/app \
+            app=ghcr.io/${{ github.repository }}:${{ github.sha }} \
+            --namespace=production
+          kubectl rollout status deployment/app --namespace=production
+      - name: Migrate
+        run: kubectl exec deployment/app --namespace=production -- pnpm db:migrate
+      - name: Health Check
+        run: kubectl get pods,ingress --namespace=production
+```
+
+---
+
+## 21. Validation Rules Summary
+
+### 21.1 Rules That Must Be Enforced (Every Project)
+
+| Rule | Enforcement | Tool | Severity |
+|------|-------------|------|----------|
+| No ESLint errors           | Exit code != 0   | ESLint           | BLOCK |
+| No TypeScript errors       | Exit code != 0   | TypeScript       | BLOCK |
+| No formatting errors      | Exit code != 0   | Prettier         | BLOCK |
+| Tests pass                | Exit code != 0   | Vitest / Jest    | BLOCK |
+| Coverage >= 80% lines, 75% branches, 80% functions, 80% statements     | Threshold fail   | Vitest coverage  | BLOCK |
+| No high/critical CVEs     | Exit code != 0   | pnpm audit       | BLOCK |
+| Conventional commits      | Message reject   | Commitlint       | BLOCK |
+| **Domain modularization** | **Exit code != 0** | **check-modularization + ESLint boundaries** | **BLOCK** |
+| **Barrel files present**  | **Exit code != 0** | **check-modularization** | **BLOCK** |
+| **No deep imports bypassing barrels** | **ESLint error** | **import/no-internal-modules** | **BLOCK** |
+| Lockfile committed        | CI check         | husky + git      | BLOCK |
+| No secrets in code        | CI scan          | GitLeaks / ESLint | BLOCK |
+| Naming (camelCase, etc)   | CI lint error    | ESLint           | BLOCK |
+| No unused vars            | CI lint error    | ESLint           | BLOCK |
+| Single letters banned     | CI lint error    | ESLint id-length  | BLOCK |
+| **Anti-bypass (--no-verify)** | **CI runs all checks regardless** | **GitHub Actions** | **BLOCK** |
+| **PR template compliance** | **PR must follow .github/PULL_REQUEST_TEMPLATE.md** | **Code review + CI checklist gates** | **BLOCK** |
+
+### 21.2 New Project Validation Checklist
+
+When a new project is created, the following must verify before it is allowed to merge its first PR:
+
+- [ ] `.vscode/settings.json` exists and is committed
+- [ ] `.vscode/extensions.json` exists and lists required extensions
+- [ ] `pnpm lint` exits with 0 and reports 0 errors (including boundaries + `no-internal-modules`)
+- [ ] `pnpm check-modularization` exits with 0 (all domain folders have barrel files, no flat files at roots)
+- [ ] `pnpm check-types` exits with 0
+- [ ] `pnpm format:check` exits with 0
+- [ ] `pnpm test:ci` passes and coverage >= 80%
+- [ ] `pnpm audit --audit-level=high` reports nothing
+- [ ] `.husky/pre-commit` exists and runs without error
+- [ ] `.husky/commit-msg` rejects bad commit messages
+- [ ] `.husky/pre-push` runs lint + modularization + types + tests
+- [ ] `.github/workflows/ci.yml` exists and all steps pass (including modularization + commit message validation)
+- [ ] `.github/workflows/cd.yml` exists with dev/staging/prod jobs
+- [ ] Coverage threshold configured in `vitest.config.ts` or `jest.config.ts`
+- [ ] `commitlint.config.js` exists and is enforced
+- [ ] Branch protection rules configured on GitHub
+- [ ] `.github/PULL_REQUEST_TEMPLATE.md` exists (copied from standards package)
+- [ ] Every domain subdirectory (`services/<domain>/`, `hooks/<domain>/`, etc.) has an `index.ts` barrel file
+- [ ] No flat/orphaned domain files at `services/`, `hooks/`, `store/`, `components/`, `lib/` roots
+
+### 21.3 Non-Compliant Project Remediation
+
+If an existing project is found not meeting these standards:
+
+1. **Week 1**: Add missing config files (`.vscode/`, `.husky/`, `.github/workflows/`)
+2. **Week 2**: Run `pnpm lint:fix` and `pnpm format` on entire codebase
+3. **Week 3**: Add missing tests until coverage >= 80% (start with critical paths)
+4. **Week 4**: Enable branch protection, require PR reviews, merge only compliant code
+
+---
+## Appendix B. CI/CD Cost & Pricing Reference (June 2026)
+
+> Use this to estimate platform costs when proposing a new project or evaluating vendors. Prices are mid-2026 commercial estimates and vary by vendor, region, and contract terms.
+
+### Partner Benefits & Azure Cost Relief
+
+As a **Microsoft Partner**, your organization may qualify for:
+
+- **Microsoft Action Pack / Solutions Partner** benefits: included Azure credits, free/dev CI-CD minutes, and co-selling/support access.
+- **Azure Hybrid Benefit / Reserved Instances**: reduces VM and managed-service compute cost by **20%–40%**.
+- **Visual Studio Enterprise / GitHub Enterprise** bundled licensing: avoids duplicate license spend and typically lowers total cost of ownership.
+- **Azure for Startups / ISV Pied Piper**: early-stage credits and advisory hours to reduce ramp-up cost.
+- **FastTrack / Partner Support**: faster migrations and production-readiness reviews reduce delivery risk and project overruns.
+
+Use this table to compare partner-inclusive pricing vs. standard list pricing when planning workloads.
+
+### B.1 Estimated Annual Costs by Project Scale
+
+| Project Scale | Runners / Minutes | Container Registry | Secrets / Vault | Monitoring | Total Est. Annual |
+|---|---|---|---|---|---|
+| Startup / MVP | ~5,000 min/mo | GHCR free tier | GitHub Secrets included | Free OSS | ~USD 500 – USD 3,000 |
+| Growth / Series A | ~25,000 min/mo | GHCR + ACR | Key Vault / Doppler | Sentry / Grafana Cloud | ~USD 5,000 – USD 25,000 |
+| Scaleup / Enterprise | ~100,000+ min/mo | ACR/ECR/GCR + cache | Key Vault / Doppler | Datadog / New Relic | ~USD 30,000 – USD 120,000+ |
+| Regulated / Fintech | ~50,000 min/mo | Private registry + signing | Dedicated HSM / Azure KV | ELK / Splunk + APM | ~USD 50,000 – USD 200,000+ |
+
+### B.2 Tooling & License Costs (Annual)
+
+| Tool / Service | Purpose | Typical Tier | Est. Cost | Notes |
+|---|---|---|---|---|
+| GitHub Actions (private) | CI minutes beyond free tier | 2,000 min free; then ~USD 0.008/min | USD 2,400 – USD 10,000/yr | Cache and matrix strategies dramatically affect cost. |
+| Azure DevOps | Pipelines, Artifacts, Boards | Basic: free; Parallel jobs: ~USD 40/job/mo | USD 0 – USD 8,000/yr | Parallel jobs are the main cost driver. |
+| GitLab.com | CI/CD minutes and storage | Free tier 400 min/mo; Premium ~USD 19/user/mo | USD 0 – USD 10,000/yr | Self-managed runners shift cost to infra. |
+| SonarCloud / SonarQube | Static analysis, quality gate | Developer: ~USD 25/dev/mo; Enterprise annually | USD 2,000 – USD 15,000/yr | SonarCloud SaaS vs self-hosted on same infra. |
+| Snyk / Trivy / Dependabot | Dependency & container scanning | Snyk Team: ~USD 19/dev/mo; Trivy: free | USD 0 – USD 5,000/yr | Trivy + Dependabot cover most needs at zero marginal cost. |
+| Datadog / New Relic / Azure Monitor | APM, logs, traces, RUM | Host/ingestion based | USD 1,500 – USD 10,000+/yr | Datadog is easy to adopt; Grafana Cloud is cheaper. |
+| Grafana Cloud | Metrics + dashboards | Free tier; Pro: ~USD 8–29/user/mo | USD 100 – USD 3,000/yr | Good value for metrics-heavy setups. |
+| Slack / Teams Notifications | Deployment notifications | Included in workspace | Usually free | Webhook costs are typically negligible. |
+| HashiCorp Vault / Azure Key Vault | Secret management | Small tier / per-secret pricing | USD 200 – USD 1,500/yr | Avoids expensive breach remediation. |
+| Terraform Cloud / Bicep / Pulumi | IaC collaboration + state | Free tier; Standard ~USD 0.011/run | USD 100 – USD 1,000/yr | Workspace isolation and RBAC are worth the cost. |
+
+### B.3 Infrastructure Costs (Monthly)
+
+| Environment | Typical Specs | Est. Monthly | Annual Est. |
+|---|---|---|---|
+| Dev (1 replica, no HA) | 1 vCPU / 2 GB RAM | USD 30 – USD 120 | USD 360 – USD 1,440 |
+| Staging (2 replicas) | 2 vCPU / 4 GB RAM each | USD 100 – USD 300 | USD 1,200 – USD 3,600 |
+| Production (3+ replicas, autoscale) | 2 vCPU / 4 GB RAM + LB | USD 250 – USD 900 | USD 3,000 – USD 10,800 |
+| Database (managed Postgres) | 2 vCPU / 8 GB + storage | USD 120 – USD 500 | USD 1,440 – USD 6,000 |
+| Redis / Valkey (managed) | 1 vCPU / 2 GB | USD 15 – USD 50 | USD 180 – USD 600 |
+| Object Storage | 1 TB + egress | USD 20 – USD 80 | USD 240 – USD 960 |
+| Load Balancer / Ingress | Basic LB | USD 15 – USD 30 | USD 180 – USD 360 |
+| DNS, certs, monitoring | Managed | Included in hosting or minimal extra | Often < USD 50/mo |
+
+> These are mid-2026 market reference prices. Reserved/commitment terms and savings plans can reduce compute costs by 20%–40%.
+
+---
+
+### B.4 Open-Source vs Commercial Alternatives (2026)
+
+| Need | Commercial Option | OSS Alternative | Est. Savings | Trade-offs / Notes |
+|---|---|---|---|---|
+| CI/CD Platform | GitHub Actions / Azure DevOps / GitLab.com | **Woodpecker**, **Gitea Actions**, **Jenkins**, **Drone CI** | Up to ~USD 10,000+/yr on high volume | OSS needs self-hosted runners/infra. Woodpecker/Gitea give closest DX to GitHub Actions without cloud minute bills. |
+| Static Analysis | SonarCloud / SonarQube Enterprise | **SonarQube Community Edition**, **ESLint + TypeScript strict + Coverage**, GitHub **CodeQL** | ~USD 2,000 – USD 15,000/yr | CodeQL is free for public and private repos on GitHub. SonarQube CE is fully capable for most teams. |
+| Dependency Scanning | Snyk | **Trivy**, **OWASP Dependency-Check**, GitHub Dependabot, **Renovate** | ~USD 0 – USD 5,000/yr | Trivy + Dependabot cover most needs at zero license cost. Renovate is best when you want automated PR updates too. |
+| Container Registry | Azure Container Registry / AWS ECR | **GHCR** (GitHub Container Registry), **Harbor** | ~USD 100 – USD 1,000/yr | GHCR is free with GitHub Actions. Harbor is best for air-gapped / on-prem / high egress cost scenarios. |
+| Secret Management | HashiCorp Vault Enterprise / Azure Key Vault premium | **HashiCorp Vault OSS**, **SOPS + age/GPG**, **Doppler CLI (free tier)** | ~USD 200 – USD 1,500/yr | Vault OSS is mature. SOPS is ideal when secrets are already in Git via encryption. |
+| Monitoring/APM | Datadog / New Relic / Azure Monitor | **Prometheus + Grafana**, **SigNoz**, **Uptime Kuma**, **Grafana Cloud Free/Pro** | ~USD 1,500 – USD 10,000+/yr | Grafana Cloud Pro is still far cheaper than Datadog. Self-hosted Prometheus saves the most but needs operator skill. |
+| Log Aggregation | Splunk / Datadog Logs / ELK Cloud | **Loki + Promtail**, **OpenSearch**, **Vector + ClickHouse** | ~USD 1,000 – USD 8,000/yr | Loki is the easiest OSS drop-in for Kubernetes logging. OpenSearch is heavier but more capable search. |
+| IaC Platform | Terraform Cloud / Pulumi Business | **Terraform OSS + local backend/S3**, **OpenTofu** | ~USD 100 – USD 1,000/yr | OpenTofu is the open-source fork and is now widely adopted. State in S3 + DynamoDB lock is still the cheapest backend. |
+| Deployment Gates | Azure DevOps Gates / Cloud Native features | **OpenPolicyAgent / Gatekeeper**, **Kyverno**, GitHub Environments + required reviewers | Often free | Policy-as-code replaces many manual gate features at no license cost. |
+
+### B.5 OSS Selection Cheat Sheet
+
+| Solution | Setup Effort | Ongoing Maintenance | When It Wins | When to Buy Commercial |
+|---|---|---|---|---|
+| Woodpecker / Gitea Actions | Medium | Medium | Heavy CI usage, private repo cost control | When you want zero per-minute billing and out-of-box hosted UX |
+| Prometheus + Grafana | Medium | Medium | Metrics-heavy infra with in-house SRE knowledge | When support SLAs and fully hosted dashboards are mandatory |
+| SonarQube CE / CodeQL | Low | Low | Security + quality gates with minimal licensing | When you need enterprise support contracts or custom plugins |
+| Trivy + Dependabot | Low | Low | Dependency and container scanning | When you want integrated vendor support and policy enforcement |
+| Harbor | Medium | Medium | Air-gapped/on-prem, large images, compliance | When cloud registries are blocked by policy |
+| OpenTofu / Terraform OSS | Medium | Medium | IaC state and collaboration | When workspaces, RBAC, and managed runs justify SaaS pricing |
+| Sentry Self-Hosted / GlitchTip | Medium | Medium | High error volume, sensitive logs, privacy requirements | When incident response support and uptime guarantees matter more than license cost |
+
+### B.6 Sources & Methodology
+
+- Pricing is based on **public list prices** from vendor pricing pages:
+  - GitHub Actions: https://docs.github.com/en/billing/actions/usage-limits-for-billed-users
+  - Azure pricing: https://azure.microsoft.com/en-us/pricing/
+  - Azure DevOps pricing: https://azure.microsoft.com/en-us/pricing/details/devops/azure-devops-services/
+  - GitLab pricing: https://about.gitlab.com/pricing/
+  - Datadog: https://www.datadoghq.com/pricing/
+  - Sentry: https://sentry.io/pricing/
+  - Grafana Cloud: https://grafana.com/products/grafana-cloud/pricing/
+  - SonarCloud: https://www.sonarsource.com/pricing/
+  - Snyk: https://snyk.io/pricing/
+  - Trivy: https://github.com/aquasecurity/trivy (open source)
+  - Harbor: https://goharbor.io/ (open source)
+- Microsoft Partner benefits sourced from:
+  - Microsoft Partner Network: https://partner.microsoft.com/
+  - Microsoft for Startups / ISV Pied Piper: https://startups.microsoft.com/
+  - Azure Hybrid Benefit: https://azure.microsoft.com/en-us/pricing/benefits/azure-hybrid-benefit/
+  - Visual Studio subscriptions: https://visualstudio.microsoft.com/subscriptions/
+  - FastTrack: https://azure.microsoft.com/en-us/programs/azure-fasttrack/
+  Actual entitlement depends on partner tier, agreement, and region; treat these as **items to explore** with your account team.
+- Infrastructure estimates assume managed cloud VM/service pricing with no reserved/commitment discounts by default; see cloud provider calculators for exact region-specific pricing.