clearctx 3.0.0 → 3.1.0

package/skills/devops/SKILL.md

@@ -0,0 +1,1043 @@
+---
+name: devops
+description: Production-grade DevOps patterns for Docker, CI/CD, deployment strategies, Nginx, health checks, and infrastructure automation
+domain: devops
+keywords: [devops, docker, ci-cd, deployment, nginx, github-actions, health-checks, monitoring]
+version: 1.0.0
+---
+
+# DevOps & Infrastructure Expertise
+
+## Worker Context
+
+You are a DevOps specialist worker. Your role is to implement production-grade infrastructure configurations, containerization, CI/CD pipelines, deployment strategies, and monitoring solutions.
+
+### Dockerfile — Multi-Stage Builds & Layer Optimization
+
+**CRITICAL:** NEVER use `:latest` tag in production. Pin exact versions.
+
+**Layer caching strategy:**
+1. COPY package manifests FIRST (package.json, package-lock.json)
+2. RUN dependency installation (npm ci, yarn install --frozen-lockfile)
+3. COPY application source LAST
+
+```dockerfile
+# GOOD — Optimized multi-stage build
+FROM node:20.11.0-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --only=production && npm cache clean --force
+COPY src ./src
+RUN npm run build
+
+FROM node:20.11.0-alpine AS runner
+WORKDIR /app
+RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
+COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
+COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
+COPY --chown=nodejs:nodejs package.json ./
+USER nodejs
+EXPOSE 3000
+ENV NODE_ENV=production
+CMD ["node", "dist/server.js"]
+
+# BAD — Single stage, runs as root, uses :latest
+FROM node:latest
+WORKDIR /app
+COPY . .
+RUN npm install
+CMD ["node", "server.js"]
+```
+
+**IMPORTANT:** .dockerignore MUST exclude:
+```
+node_modules
+.git
+.env
+.env.*
+!.env.example
+*.log
+coverage/
+.DS_Store
+README.md
+```
+
+### Docker Compose — Service Dependencies & Health Checks
+
+**CRITICAL:** Use `condition: service_healthy` NOT `condition: service_started`. Services must be ready, not just running.
+
+```yaml
+# GOOD — Health checks with dependency orchestration
+version: '3.8'
+
+services:
+  postgres:
+    image: postgres:16.1-alpine
+    environment:
+      POSTGRES_USER: ${DB_USER}
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_DB: ${DB_NAME}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${DB_USER}"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+    networks:
+      - backend
+
+  redis:
+    image: redis:7.2.4-alpine
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+    networks:
+      - backend
+
+  api:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    ports:
+      - "${API_PORT:-3000}:3000"
+    env_file:
+      - .env
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3000/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+    networks:
+      - backend
+
+volumes:
+  postgres_data:
+
+networks:
+  backend:
+    driver: bridge
+
+# BAD — No health checks, vague depends_on
+version: '3.8'
+services:
+  db:
+    image: postgres
+    environment:
+      POSTGRES_PASSWORD: password123  # Hardcoded secret!
+
+  app:
+    build: .
+    depends_on:
+      - db  # No condition — app starts before DB is ready
+    ports:
+      - "3000:3000"
+```
+
+### CI/CD Pipelines — GitHub Actions Pattern
+
+**NEVER:** Hardcode secrets in workflow files. Use `${{ secrets.SECRET_NAME }}`.
+
+```yaml
+# GOOD — Parallel stages with caching and secrets
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+env:
+  NODE_VERSION: '20.11.0'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run linter
+        run: npm run lint
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test -- --coverage
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v3
+        if: matrix.node-version == '20.x'
+
+  build:
+    runs-on: ubuntu-latest
+    needs: [lint, test]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build application
+        run: npm run build
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.ref == 'refs/heads/main'
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Deploy to production
+        env:
+          DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+        run: |
+          echo "$DEPLOY_KEY" > deploy_key
+          chmod 600 deploy_key
+          rsync -avz -e "ssh -i deploy_key -o StrictHostKeyChecking=no" \
+            dist/ $DEPLOY_USER@$DEPLOY_HOST:/var/www/app/
+
+# BAD — Sequential jobs, no caching, secrets exposed
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm install  # Should use npm ci
+      - run: npm run lint
+      - run: npm test
+      - run: npm run build
+      - run: |
+          sshpass -p 'mypassword' ssh user@server.com  # SECRET IN CODE!
+```
+
+### Environment Management
+
+**CRITICAL:** NEVER commit `.env` files with real values. Commit `.env.example` with placeholder values only.
+
+```bash
+# GOOD — .env.example (committed to git)
+NODE_ENV=development
+PORT=3000
+DATABASE_URL=postgresql://user:password@localhost:5432/dbname
+REDIS_URL=redis://localhost:6379
+JWT_SECRET=your-secret-key-here
+API_KEY=your-api-key-here
+
+# GOOD — Config validation on startup (src/config.js)
+const requiredEnvVars = [
+  'NODE_ENV',
+  'DATABASE_URL',
+  'REDIS_URL',
+  'JWT_SECRET'
+];
+
+for (const envVar of requiredEnvVars) {
+  if (!process.env[envVar]) {
+    throw new Error(`Missing required environment variable: ${envVar}`);
+  }
+}
+
+const config = {
+  env: process.env.NODE_ENV,
+  port: parseInt(process.env.PORT, 10) || 3000,
+  db: {
+    url: process.env.DATABASE_URL,
+    pool: {
+      min: 2,
+      max: 10
+    }
+  },
+  redis: {
+    url: process.env.REDIS_URL
+  },
+  jwt: {
+    secret: process.env.JWT_SECRET,
+    expiresIn: '7d'
+  }
+};
+
+module.exports = config;
+```
+
+**Environment parity checklist:**
+- [ ] Same Node.js version across dev/staging/prod
+- [ ] Same dependency versions (use package-lock.json)
+- [ ] Same database version
+- [ ] Same environment variable names
+- [ ] Secrets stored in CI/CD vault, not in code
+
+### Deployment Strategies — Decision Tree
+
+| Strategy | Use When | Downtime | Rollback Speed | Complexity | Resource Cost |
+|----------|----------|----------|----------------|------------|---------------|
+| **Rolling** | Default for most apps | Minimal (partial) | Medium (redeploy previous) | Low | 1x |
+| **Blue-Green** | Zero-downtime critical, need instant rollback | None | Instant (switch routing) | Medium | 2x |
+| **Canary** | High-risk changes, gradual rollout | None | Fast (route 100% to stable) | High | 1.1-1.5x |
+| **Recreate** | Dev/staging only, breaking changes | Full | Slow (redeploy) | Very Low | 1x |
+
+**IMPORTANT:** Choose based on:
+1. Acceptable downtime: None → Blue-Green or Canary
+2. Resource budget: Limited → Rolling
+3. Risk level: High → Canary
+4. Rollback criticality: Instant needed → Blue-Green
+
+```yaml
+# GOOD — Rolling deployment (Kubernetes)
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+spec:
+  replicas: 4
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1        # Max 1 extra pod during update
+      maxUnavailable: 1  # Max 1 pod down during update
+  template:
+    spec:
+      containers:
+      - name: api
+        image: myapp:v2.0.0
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 3000
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        livenessProbe:
+          httpGet:
+            path: /health
+            Port: 3000
+          initialDelaySeconds: 15
+          periodSeconds: 10
+```
+
+### Nginx — Reverse Proxy & Static Serving
+
+**IMPORTANT:** Always set proper proxy headers for upstream to get real client IP.
+
+```nginx
+# GOOD — Production Nginx config
+upstream api_backend {
+    least_conn;
+    server api1:3000 max_fails=3 fail_timeout=30s;
+    server api2:3000 max_fails=3 fail_timeout=30s;
+    server api3:3000 max_fails=3 fail_timeout=30s;
+}
+
+# Rate limiting zone
+limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
+
+server {
+    listen 80;
+    server_name api.example.com;
+
+    # Redirect HTTP to HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name api.example.com;
+
+    # SSL certificates (Let's Encrypt)
+    ssl_certificate /etc/letsencrypt/live/api.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Static files
+    location /static/ {
+        alias /var/www/static/;
+        expires 1y;
+        access_log off;
+        add_header Cache-Control "public, immutable";
+        try_files $uri $uri/ =404;
+    }
+
+    # API proxy with rate limiting
+    location /api/ {
+        limit_req zone=api_limit burst=20 nodelay;
+
+        proxy_pass http://api_backend;
+        proxy_http_version 1.1;
+
+        # Preserve original request info
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Request-ID $request_id;
+
+        # Timeouts
+        proxy_connect_timeout 5s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # Buffering
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
+    }
+
+    # Health check endpoint (no rate limiting)
+    location /health {
+        access_log off;
+        proxy_pass http://api_backend;
+    }
+}
+
+# BAD — Insecure, no rate limiting, missing headers
+server {
+    listen 80;
+    server_name api.example.com;
+
+    location / {
+        proxy_pass http://localhost:3000;  # No upstream, hardcoded port
+    }
+}
+```
+
+### Health Checks — Liveness vs Readiness
+
+**CRITICAL distinction:**
+- **Liveness:** Is the process alive? (Kill and restart if fails)
+- **Readiness:** Can it serve traffic? (Remove from load balancer if fails)
+
+```javascript
+// GOOD — Comprehensive health check implementation
+const express = require('express');
+const app = express();
+
+// Liveness probe — lightweight, just confirms process is running
+app.get('/health', (req, res) => {
+  res.status(200).json({
+    status: 'ok',
+    timestamp: new Date().toISOString(),
+    uptime: process.uptime(),
+    version: process.env.APP_VERSION || 'unknown'
+  });
+});
+
+// Readiness probe — checks all dependencies
+app.get('/ready', async (req, res) => {
+  const checks = {
+    database: false,
+    redis: false,
+    diskSpace: false
+  };
+
+  try {
+    // Check database connection
+    await db.query('SELECT 1');
+    checks.database = true;
+
+    // Check Redis connection
+    await redis.ping();
+    checks.redis = true;
+
+    // Check disk space (optional but recommended)
+    const diskUsage = await checkDiskSpace('/');
+    checks.diskSpace = diskUsage.percentUsed < 90;
+
+    const allReady = Object.values(checks).every(status => status === true);
+
+    res.status(allReady ? 200 : 503).json({
+      status: allReady ? 'ready' : 'not_ready',
+      checks,
+      timestamp: new Date().toISOString()
+    });
+  } catch (error) {
+    res.status(503).json({
+      status: 'not_ready',
+      checks,
+      error: error.message,
+      timestamp: new Date().toISOString()
+    });
+  }
+});
+
+// BAD — Single endpoint, no dependency checks
+app.get('/health', (req, res) => {
+  res.send('OK');  // No JSON, no version info, doesn't check DB/Redis
+});
+```
+
+### Logging & Monitoring
+
+**IMPORTANT:** Use structured JSON logs for production. Include request IDs for correlation.
+
+```javascript
+// GOOD — Structured logging with request ID correlation
+const winston = require('winston');
+const { v4: uuidv4 } = require('uuid');
+
+const logger = winston.createLogger({
+  level: process.env.LOG_LEVEL || 'info',
+  format: winston.format.combine(
+    winston.format.timestamp(),
+    winston.format.json()
+  ),
+  defaultMeta: {
+    service: 'api',
+    version: process.env.APP_VERSION,
+    environment: process.env.NODE_ENV
+  },
+  transports: [
+    new winston.transports.Console()
+  ]
+});
+
+// Request ID middleware
+app.use((req, res, next) => {
+  req.id = req.headers['x-request-id'] || uuidv4();
+  res.setHeader('x-request-id', req.id);
+  next();
+});
+
+// Request logging middleware
+app.use((req, res, next) => {
+  const start = Date.now();
+
+  res.on('finish', () => {
+    const duration = Date.now() - start;
+    logger.info('HTTP request', {
+      requestId: req.id,
+      method: req.method,
+      path: req.path,
+      statusCode: res.statusCode,
+      duration,
+      userAgent: req.headers['user-agent'],
+      ip: req.headers['x-real-ip'] || req.ip
+    });
+  });
+
+  next();
+});
+
+// Prometheus metrics endpoint
+const client = require('prom-client');
+const register = new client.Registry();
+
+const httpRequestDuration = new client.Histogram({
+  name: 'http_request_duration_seconds',
+  help: 'Duration of HTTP requests in seconds',
+  labelNames: ['method', 'route', 'status_code'],
+  buckets: [0.1, 0.5, 1, 2, 5]
+});
+
+const httpRequestTotal = new client.Counter({
+  name: 'http_requests_total',
+  help: 'Total number of HTTP requests',
+  labelNames: ['method', 'route', 'status_code']
+});
+
+register.registerMetric(httpRequestDuration);
+register.registerMetric(httpRequestTotal);
+
+app.get('/metrics', async (req, res) => {
+  res.set('Content-Type', register.contentType);
+  res.end(await register.metrics());
+});
+
+// BAD — Unstructured logs, no correlation
+console.log('User logged in');  // No timestamp, no user ID, no request context
+```
+
+**Log levels decision tree:**
+| Level | Use For | Production Volume |
+|-------|---------|-------------------|
+| error | System failures, unhandled exceptions | Low |
+| warn | Recoverable issues, deprecated usage | Low-Medium |
+| info | Business events, HTTP requests | Medium |
+| debug | Detailed app flow, variable values | High (disable in prod) |
+
+### Database Migrations in CI/CD
+
+**CRITICAL:** Run migrations BEFORE deploying new code. Migration failures must block deployment.
+
+```yaml
+# GOOD — Separate migration job in CI/CD
+jobs:
+  migrate:
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.11.0'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run database migrations
+        env:
+          DATABASE_URL: ${{ secrets.PROD_DATABASE_URL }}
+        run: npm run migrate
+        timeout-minutes: 5
+
+      - name: Verify migration success
+        env:
+          DATABASE_URL: ${{ secrets.PROD_DATABASE_URL }}
+        run: npm run migrate:status
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: migrate  # Deploy ONLY if migrations succeed
+    environment: production
+    steps:
+      - name: Deploy application
+        run: ./deploy.sh
+```
+
+**NEVER do this:**
+```javascript
+// BAD — Running migrations in application startup
+async function startServer() {
+  await runMigrations();  // ❌ Causes race conditions with multiple instances
+  app.listen(3000);
+}
+```
+
+**Migration rollback strategy:**
+- Each migration must have a `down()` method
+- Test rollback in staging BEFORE production
+- Automate rollback on deployment failure
+- Keep migrations backward-compatible when possible
+
+### Git Workflow & Conventional Commits
+
+**Branch naming convention:**
+```
+feature/TICKET-123-add-user-auth
+bugfix/TICKET-456-fix-memory-leak
+hotfix/TICKET-789-patch-security-vuln
+chore/update-dependencies
+docs/api-documentation
+```
+
+**Conventional commits format:**
+```
+<type>(<scope>): <subject>
+
+<body>
+
+<footer>
+```
+
+**Types:**
+- `feat:` New feature
+- `fix:` Bug fix
+- `chore:` Maintenance (deps, config)
+- `docs:` Documentation only
+- `refactor:` Code change without behavior change
+- `test:` Adding or updating tests
+- `ci:` CI/CD pipeline changes
+- `perf:` Performance improvement
+
+**Example:**
+```
+feat(api): add user authentication endpoint
+
+Implement JWT-based authentication with refresh tokens.
+Includes rate limiting and brute-force protection.
+
+Closes #123
+```
+
+**Protected main branch settings:**
+- ✅ Require pull request reviews (min 1)
+- ✅ Require status checks to pass (CI pipeline)
+- ✅ Require branches to be up to date
+- ✅ Include administrators in restrictions
+- ❌ Allow force pushes
+- ❌ Allow deletions
+
+## Conventions
+
+### Response Formats
+**API health/ready responses:**
+```json
+{
+  "status": "ok" | "ready" | "not_ready",
+  "timestamp": "ISO 8601 string",
+  "checks": { "database": true, "redis": true },
+  "version": "semver string"
+}
+```
+
+### Naming Conventions
+- Environment variables: `SCREAMING_SNAKE_CASE`
+- Docker image tags: `semver` (e.g., `v1.2.3`) or `git-sha` (e.g., `abc1234`)
+- Kubernetes resources: `kebab-case`
+- Secrets in CI/CD: `UPPER_SNAKE_CASE` with service prefix (e.g., `DB_PASSWORD`, `API_KEY`)
+
+### File Paths
+- Always use relative paths in configs
+- Use environment variables for absolute paths that differ per environment
+- Example: `${PROJECT_ROOT}/dist` not `/home/user/project/dist`
+
+### Port Assignments
+| Service | Default Port | Environment Variable |
+|---------|--------------|---------------------|
+| API | 3000 | `API_PORT` |
+| Frontend | 8080 | `FRONTEND_PORT` |
+| PostgreSQL | 5432 | `DB_PORT` |
+| Redis | 6379 | `REDIS_PORT` |
+| Nginx | 80/443 | N/A |
+
+## Common Patterns
+
+### Pattern 1: Multi-Stage Docker Build with Non-Root User
+```dockerfile
+FROM node:20.11.0-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --only=production
+COPY . .
+RUN npm run build
+
+FROM node:20.11.0-alpine AS runner
+RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
+WORKDIR /app
+COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
+COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
+USER nodejs
+EXPOSE 3000
+CMD ["node", "dist/server.js"]
+```
+
+### Pattern 2: Docker Compose with Health-Based Dependencies
+```yaml
+version: '3.8'
+services:
+  db:
+    image: postgres:16.1-alpine
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${DB_USER}"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+  api:
+    build: .
+    depends_on:
+      db:
+        condition: service_healthy
+```
+
+### Pattern 3: GitHub Actions Parallel Pipeline
+```yaml
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20.11.0'
+          cache: 'npm'
+      - run: npm ci
+      - run: npm run lint
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20.11.0'
+          cache: 'npm'
+      - run: npm ci
+      - run: npm test
+
+  deploy:
+    needs: [lint, test]
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: Deploy
+        run: ./deploy.sh
+```
+
+### Pattern 4: Nginx Reverse Proxy with Rate Limiting
+```nginx
+limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
+
+upstream api_backend {
+    least_conn;
+    server api1:3000;
+    server api2:3000;
+}
+
+server {
+    listen 443 ssl http2;
+
+    location /api/ {
+        limit_req zone=api_limit burst=20 nodelay;
+        proxy_pass http://api_backend;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}
+```
+
+### Pattern 5: Comprehensive Health Checks
+```javascript
+app.get('/health', (req, res) => {
+  res.status(200).json({
+    status: 'ok',
+    uptime: process.uptime(),
+    version: process.env.APP_VERSION
+  });
+});
+
+app.get('/ready', async (req, res) => {
+  const checks = {
+    database: await checkDB(),
+    redis: await checkRedis()
+  };
+  const ready = Object.values(checks).every(v => v === true);
+  res.status(ready ? 200 : 503).json({
+    status: ready ? 'ready' : 'not_ready',
+    checks
+  });
+});
+```
+
+## Anti-Patterns
+
+### Anti-Pattern 1: Secrets in Dockerfile or Code
+```dockerfile
+# BAD — Secret hardcoded in Dockerfile
+ENV DATABASE_PASSWORD=super_secret_password
+ENV API_KEY=sk-1234567890abcdef
+
+# GOOD — Secrets injected at runtime
+ENV DATABASE_PASSWORD=${DATABASE_PASSWORD}
+ENV API_KEY=${API_KEY}
+```
+
+```javascript
+// BAD — Secret hardcoded in code
+const dbPassword = 'mypassword123';
+
+// GOOD — Secret from environment variable
+const dbPassword = process.env.DATABASE_PASSWORD;
+if (!dbPassword) throw new Error('DATABASE_PASSWORD not set');
+```
+
+### Anti-Pattern 2: Running as Root in Containers
+```dockerfile
+# BAD — Runs as root (default)
+FROM node:20-alpine
+WORKDIR /app
+COPY . .
+CMD ["node", "server.js"]
+
+# GOOD — Creates and uses non-root user
+FROM node:20-alpine
+RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
+WORKDIR /app
+COPY --chown=nodejs:nodejs . .
+USER nodejs
+CMD ["node", "server.js"]
+```
+
+### Anti-Pattern 3: No Health Checks
+```yaml
+# BAD — No health checks, depends_on without condition
+services:
+  db:
+    image: postgres:16-alpine
+
+  api:
+    build: .
+    depends_on:
+      - db  # Starts when db container starts, NOT when postgres is ready
+
+# GOOD — Health checks with service_healthy condition
+services:
+  db:
+    image: postgres:16-alpine
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready"]
+      interval: 5s
+      retries: 5
+
+  api:
+    build: .
+    depends_on:
+      db:
+        condition: service_healthy
+```
+
+### Anti-Pattern 4: Manual SSH Deployments
+```bash
+# BAD — Manual deployment script
+sshpass -p 'password' ssh user@server.com "cd /var/www && git pull && npm install && pm2 restart app"
+
+# GOOD — Automated CI/CD deployment with secrets vault
+# In GitHub Actions:
+steps:
+  - name: Deploy via SSH
+    env:
+      SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+      HOST: ${{ secrets.DEPLOY_HOST }}
+    run: |
+      echo "$SSH_KEY" > key
+      chmod 600 key
+      ssh -i key $HOST './deploy.sh'
+```
+
+### Anti-Pattern 5: Monolithic CI Jobs
+```yaml
+# BAD — One giant job that does everything sequentially
+jobs:
+  build-test-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - run: npm run lint
+      - run: npm test
+      - run: npm run build
+      - run: npm run deploy  # If any step fails, all fail. No parallelization.
+
+# GOOD — Separate jobs that run in parallel
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - run: npm run lint
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: npm test
+
+  deploy:
+    needs: [lint, test]  # Runs only after both pass
+    runs-on: ubuntu-latest
+    steps:
+      - run: npm run deploy
+```
+
+## Integration Notes
+
+### Team Communication (if multi-session worker)
+1. **Before starting:** Call `team_check_inbox()` to check for messages from orchestrator or other workers
+2. **Read conventions:** Call `artifact_read({ artifactId: "shared-conventions" })` to get project-wide naming, format, and behavior standards
+3. **Publish infrastructure artifact:**
+```javascript
+artifact_publish({
+  artifactId: "infrastructure",
+  title: "Infrastructure Configuration",
+  data: {
+    files: [
+      "Dockerfile",
+      "docker-compose.yml",
+      ".dockerignore",
+      ".github/workflows/ci-cd.yml",
+      "nginx/nginx.conf"
+    ],
+    ports: {
+      api: 3000,
+      nginx: 80,
+      nginxSsl: 443
+    },
+    healthEndpoints: {
+      liveness: "/health",
+      readiness: "/ready",
+      metrics: "/metrics"
+    },
+    environmentVars: [
+      "NODE_ENV",
+      "DATABASE_URL",
+      "REDIS_URL",
+      "JWT_SECRET",
+      "API_PORT",
+      "APP_VERSION"
+    ],
+    deploymentStrategy: "rolling",
+    cicdPipeline: ".github/workflows/ci-cd.yml"
+  }
+})
+```
+4. **Coordinate with other workers:**
+   - **Backend worker:** Confirm API port, health check endpoints (`/health`, `/ready`), metrics endpoint (`/metrics`)
+   - **Database worker:** Get migration script paths, connection string format, health check query
+   - **Frontend worker:** Confirm static asset paths for Nginx serving
+5. **Broadcast completion:** Call `team_broadcast({ from: "devops", content: "Infrastructure setup complete. Dockerfile, docker-compose.yml, CI/CD pipeline, and Nginx config ready." })`
+6. **Use relative paths only:** All file paths in artifacts must be relative to project root (e.g., `src/config.js` NOT `/home/user/project/src/config.js`)
+
+### Standalone Worker Mode
+If operating independently (no team tools available):
+1. Create infrastructure files in project root: `Dockerfile`, `docker-compose.yml`, `.dockerignore`
+2. Create `.github/workflows/ci-cd.yml` for GitHub Actions pipeline
+3. Create `nginx/nginx.conf` if web server config is needed
+4. Create `.env.example` with all required environment variables (no real values)
+5. Verify all files use relative paths
+6. Report completion with list of created files and configuration summary