go-duck-cli 1.0.9 → 1.1.12

package/templates/docs/pages/security.hbs

@@ -1,51 +1,157 @@
-<h1 class="text-4xl font-extrabold text-gray-900 mb-4">Security & Resilience</h1>
-<p class="text-lg text-gray-600 mb-8">Out-of-the-box infrastructure protecting your core microservices.</p>
-
-<section class="mb-10">
-    <h2 class="text-2xl font-bold text-gray-800 mb-4 border-b pb-2">1. Identity & Access Management (OIDC)</h2>
-    <p class="mb-4">GO-DUCK generated apps utilize strict Keycloak JWT Authorization. No entity router functions without traversing the <code>jwtAuthMiddleware</code> and extracting structural properties of the connected user from the signed payload utilizing the pre-configured realm secret.</p>
-    
-    <div class="bg-indigo-50 border-l-4 border-indigo-500 p-4 mb-6 rounded-r">
-        <p class="text-indigo-900"><strong>Golden Rule:</strong> In <code>application-dev.yml</code>, ensure your Keycloak Realm, ClientID, and Secret are accurately synced with the local running Docker Keycloak image.</p>
+<div class="prose prose-slate max-w-none">
+    <div class="flex items-center space-x-3 mb-8 text-black">
+        <div class="p-4 bg-gradient-to-br from-slate-800 to-black rounded-2xl shadow-xl shadow-slate-200">
+            <svg class="w-8 h-8 text-white" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" />
+            </svg>
+        </div>
+        <h1 class="text-5xl font-black text-slate-900 m-0 tracking-tighter leading-none">Zero-Trust Identity</h1>
     </div>
 
-    <h2 class="text-2xl font-bold text-gray-800 mb-4 border-b pb-2">2. Tenant Context Integrity</h2>
-    <p class="mb-4">
-        GO-DUCK implements <strong>Enterprise-Grade Data Isolation</strong>. While the <code>X-Tenant-ID</code> header is required for request context, the system is immune to "Tenant Spoofing" attacks.
+    <p class="text-2xl text-slate-500 font-medium mb-12 leading-relaxed">
+        GO-DUCK enforces a battle-hardened, identity-first firewall. Built on standard OIDC, our zero-trust architecture ensures every request is verified, authorized, and traced from the gateway to the database.
     </p>
-    <div class="grid grid-cols-1 md:grid-cols-2 gap-6 mb-6">
-        <div class="bg-slate-50 p-5 rounded-xl border border-slate-200">
-            <h4 class="font-bold text-slate-900 mb-2">Internal Cross-Verification</h4>
-            <p class="text-xs text-slate-600 leading-relaxed">
-                The <code>TenantMiddleware</code> extracts authorized roles from the signed JWT and performs a server-side lookup of the valid DB context. It then <strong>cross-checks</strong> this against the <code>X-Tenant-ID</code> header.
-            </p>
+
+    <!-- Key Security Pillars -->
+    <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-8 mb-20 px-4">
+        <div class="p-8 bg-white rounded-3xl border border-slate-200 shadow-sm border-t-8 border-t-indigo-600">
+            <h5 class="font-black text-slate-900 mb-2 uppercase text-xs tracking-widest">OIDC Hardened</h5>
+            <p class="text-sm text-slate-600 leading-relaxed font-medium">Native integration with Keycloak for real-time JWT validation and anti-spoofing context verification.</p>
         </div>
-        <div class="bg-rose-50 p-5 rounded-xl border border-rose-200">
-            <h4 class="font-bold text-rose-900 mb-2">Spoof Protection</h4>
-            <p class="text-xs text-rose-700 leading-relaxed">
-                If a user attempts to access <code>Tenant-B</code> by modifying headers while their JWT is only valid for <code>Tenant-A</code>, the request is immediately aborted with a <code>403 Forbidden - Security Breach</code> error. 
-                <a href="multitenancy.html" class="text-rose-600 font-bold hover:underline mt-2 inline-block">Learn more about isolation &rarr;</a>
-            </p>
+        <div class="p-8 bg-white rounded-3xl border border-slate-200 shadow-sm border-t-8 border-t-emerald-600">
+            <h5 class="font-black text-slate-900 mb-2 uppercase text-xs tracking-widest">RSA Signed WebSocket</h5>
+            <p class="text-sm text-slate-600 leading-relaxed font-medium">Secure "REST-over-WS" implementation using HMAC-SHA256 signatures for total message integrity.</p>
+        </div>
+        <div class="p-8 bg-white rounded-3xl border border-slate-200 shadow-sm border-t-8 border-t-rose-600">
+            <h5 class="font-black text-slate-900 mb-2 uppercase text-xs tracking-widest">Zero-Trust Multi-Tenancy</h5>
+            <p class="text-sm text-slate-600 leading-relaxed font-medium">No cross-tenant data leakage. Identity automatically selects the secure silo at the middleware layer.</p>
         </div>
     </div>
 
-    <h3 class="font-semibold mb-2 mt-6">3. Burst Protection (Rate Limiting)</h3>
-    <p class="mb-4">Using the standard <code>x/time/rate</code> package, a Token Bucket rate limiter is attached to the Gin Engine globally to mitigate DDOS vectors and abusive scripting.</p>
-    <pre><code class="language-yaml"># Inside your application-prod.yml
-go-duck:
-  security:
-    rate-limit:
-      rps: 150.0  # Allow up to 150 Req/Sec
-      burst: 300  # Burstable tokens
-</code></pre>
-</section>
-
-<section class="mb-10">
-    <h2 class="text-2xl font-bold text-gray-800 mb-4 border-b pb-2">3. Sony/go-breaker (Circuit Breakers)</h2>
-    <p class="mb-4">When a Microservice starts rejecting requests globally due to a failing dependent macro-service (e.g. Redis node goes down / DB locks / MQTT broker drops), your application handles this gracefully by "tripping" an open Circuit Breaker to prevent Request Queue Pile-ups.</p>
-    
-    <pre><code class="language-go">resilience.Execute(func() (interface{}, error) {
-    // Risky Network / DB Operations wrapped automatically!
-    return s.repo.DB.First(&entity, req.Id).Error
-})</code></pre>
-</section>
+    <!-- Identity Lifecycle Section -->
+    <section class="mb-20">
+        <h2 class="text-3xl font-black text-slate-900 mb-8 tracking-tighter italic uppercase text-center decoration-slate-400 underline underline-offset-8">The Secure Lifecycle</h2>
+        <div class="space-y-6">
+            <div class="bg-slate-900 rounded-[2.5rem] p-10 text-white shadow-2xl relative overflow-hidden flex flex-col md:flex-row gap-12 group hover:scale-[1.01] transition-transform duration-300">
+                <div class="flex-shrink-0">
+                    <div class="text-[5rem] font-black text-slate-800 absolute -left-10 -top-5 opacity-40 pointer-events-none group-hover:scale-110 duration-500 italic">01</div>
+                    <h2 class="text-3xl font-black mb-6 relative">Protocol Verification</h2>
+                    <p class="text-indigo-200 mb-6 leading-relaxed max-w-sm">Every request—HTTP, gRPC, or WebSocket—is challenged for a valid OIDC identity. The generator automatically scaffolds the necessary middleware for each protocol.</p>
+                    <div class="flex gap-2">
+                        <span class="px-3 py-1 bg-white/10 rounded-lg text-xs font-bold font-mono tracking-widest text-indigo-300">gin.jwt</span>
+                        <span class="px-3 py-1 bg-white/10 rounded-lg text-xs font-bold font-mono tracking-widest text-indigo-300">kratos.authn</span>
+                    </div>
+                </div>
+                <div class="flex-grow p-6 bg-slate-800/50 rounded-3xl border border-slate-700/50 backdrop-blur-sm self-center">
+                    <pre class="text-xs text-green-300 leading-relaxed whitespace-pre font-mono">
+<span class="text-slate-500">// Example: JWTMiddleware automatically extracting Federated Role</span>
+authHeader := ctx.GetHeader("Authorization")
+claims, _ := keycloak.Verify(authHeader)
+
+<span class="text-slate-500">// Silo matching happens here!</span>
+siloID := MapRoleToSilo(claims.RealmRole)
+                    </pre>
+                </div>
+            </div>
+        </div>
+    </section>
+    <!-- Silo Discovery & Privacy -->
+    <section class="mb-20">
+        <h2 class="text-3xl font-black text-slate-900 mb-8 tracking-tighter italic uppercase text-center decoration-slate-400 underline underline-offset-8">Silo Discovery & Privacy</h2>
+        <div class="grid grid-cols-1 md:grid-cols-2 gap-8 px-4">
+            <div class="p-8 bg-slate-50 border border-slate-200 rounded-[2.5rem] shadow-sm italic hover:bg-white transition-all">
+                <h3 class="text-xl font-bold text-slate-900 mb-4">Silo Discovery API</h3>
+                <p class="text-slate-600 text-sm leading-relaxed mb-6 italic">
+                    Authenticated users can discover their accessible silos via <code>GET /api/silos/me</code>. This allows front-end applications to build dynamic tenant selection interfaces.
+                </p>
+                <div class="p-4 bg-white rounded-2xl border border-slate-200 text-[11px] font-mono text-blue-800">
+                    GET /api/silos/me<br>
+                    [<br>
+                    &nbsp;&nbsp;{ "tenantId": "bc72-91a0...", "roleName": "branch_usa" }<br>
+                    ]
+                </div>
+            </div>
+            
+            <div class="p-8 bg-slate-900 border border-slate-800 rounded-[2.5rem] text-white shadow-xl italic relative overflow-hidden group">
+                <div class="relative z-10">
+                    <h3 class="text-xl font-bold mb-4 text-emerald-400 shadow-emerald-400">HideSiloNames Toggle</h3>
+                    <p class="text-slate-400 text-sm leading-relaxed mb-6 italic">
+                        For maximum zero-trust compliance, you can hide internal <strong>DB-Names</strong> from the discovery API by enabling the <code>HideSiloNames</code> toggle in <code>application.yml</code>.
+                    </p>
+                    <div class="p-4 bg-white/5 rounded-2xl border border-white/10 text-[11px] font-mono text-emerald-300">
+                        go-duck:<br>
+                        &nbsp;&nbsp;multitenancy:<br>
+                        &nbsp;&nbsp;&nbsp;&nbsp;hide-silo-names: true
+                    </div>
+                </div>
+            </div>
+        </div>
+    </section>
+
+    <!-- Anti-Burst Rate Limiting Module -->
+    <section class="mb-20">
+        <div class="bg-gradient-to-r from-red-900 to-black rounded-[2.5rem] p-16 text-white text-center shadow-2xl relative overflow-hidden group">
+            <h2 class="text-4xl font-black mb-6 tracking-tight">Anti-Burst Shielding <br><span class="text-rose-500 italic font-medium">Distributed Protection.</span></h2>
+            <p class="text-rose-100 text-lg mb-10 max-w-3xl mx-auto leading-relaxed italic">
+                Protect your infrastructure from "Noisy Neighbors" and NAT spoofing. Our Distributed Redis Rate Limiter tracks clients by <strong>Keycloak UserID</strong>—ensuring that limiting persists even if a user switches IPs or devices.
+            </p>
+            <div class="flex flex-col md:flex-row gap-6 justify-center">
+                <div class="px-8 py-4 bg-white/10 rounded-2xl border border-white/10 flex flex-col items-center group-hover:bg-white/20 transition-all duration-300">
+                    <span class="text-red-400 font-black text-2xl uppercase italic">Redis-Backed</span>
+                    <span class="text-xs text-white/50 tracking-[0.2em] font-bold">Fixed-Window Limit</span>
+                </div>
+                <div class="px-8 py-4 bg-white/10 rounded-2xl border border-white/10 flex flex-col items-center group-hover:bg-white/20 transition-all duration-300">
+                    <span class="text-red-400 font-black text-2xl uppercase italic">Identity-First</span>
+                    <span class="text-xs text-white/50 tracking-[0.2em] font-bold">Safe from NAT Spoofing</span>
+                </div>
+            </div>
+        </div>
+    </section>
+
+    <!-- Super Admin & Confidential Boundaries -->
+    <section class="mb-20">
+        <h2 class="text-3xl font-black text-slate-900 mb-8 tracking-tighter italic uppercase text-center decoration-red-500 underline underline-offset-8">The Super Admin Boundary</h2>
+        <div class="grid grid-cols-1 lg:grid-cols-2 gap-10">
+            <div class="p-10 bg-white border border-slate-200 rounded-[3rem] shadow-sm italic hover:bg-slate-50 transition-all">
+                <h3 class="text-2xl font-bold text-slate-900 mb-4 tracking-tight">Standard Business APIs</h3>
+                <p class="text-slate-500 text-sm leading-relaxed mb-6 italic">
+                    Endpoints under <code>/api/*</code> are accessible to any authenticated user with a valid silo mapping. These handle standard CRUD, Federated Search, and Usage Reporting.
+                </p>
+                <div class="flex flex-wrap gap-2">
+                    <span class="px-3 py-1 bg-blue-50 text-blue-700 rounded-lg text-[10px] font-bold font-mono">/api/cars</span>
+                    <span class="px-3 py-1 bg-blue-50 text-blue-700 rounded-lg text-[10px] font-bold font-mono">/api/silos/me</span>
+                    <span class="px-3 py-1 bg-blue-50 text-blue-700 rounded-lg text-[10px] font-bold font-mono">/api/search/*</span>
+                </div>
+            </div>
+
+            <div class="p-10 bg-slate-900 border border-slate-800 rounded-[3rem] text-white shadow-2xl italic relative overflow-hidden group">
+                <div class="relative z-10">
+                    <h3 class="text-2xl font-bold mb-4 text-rose-500 tracking-tight">Confidential Control Plane</h3>
+                    <p class="text-slate-400 text-sm leading-relaxed mb-6 italic">
+                        Sensitive endpoints under <code>/management/*</code> and <code>/api/admin/*</code> are restricted to the <strong>Super Admin Role</strong> defined in <code>application.yml</code>.
+                    </p>
+                    <div class="p-4 bg-white/5 rounded-2xl border border-white/10 text-[11px] font-mono text-rose-300">
+                        go-duck:
+                          security:
+                            super-admin-role: "platform_admin"
+                    </div>
+                </div>
+                <!-- Infrastructure Group Badge -->
+                <div class="absolute bottom-6 right-8 p-3 bg-rose-500/10 rounded-xl border border-rose-500/20">
+                    <span class="text-[10px] text-rose-400 font-black uppercase tracking-widest">Confidential Mode Enabled</span>
+                </div>
+            </div>
+        </div>
+    </section>
+
+    <!-- Dev CTA -->
+    <section class="mb-16">
+        <h2 class="text-3xl font-black text-slate-900 mb-6 tracking-tighter text-center">Ready for Production Security?</h2>
+        <p class="text-slate-500 text-center font-medium italic mb-8">Deploy zero-trust identity across your cluster with one command.</p>
+        <div class="flex flex-col md:flex-row gap-4 justify-center">
+            <a href="keycloak.html" class="px-10 py-4 bg-slate-900 text-white font-black rounded-2xl hover:scale-105 transition-all text-sm uppercase tracking-widest text-center">
+                Review Keycloak Setup
+            </a>
+        </div>
+    </section>
+</div>

package/templates/docs/pages/serverless.hbs

@@ -0,0 +1,157 @@
+<div class="mb-12">
+    <h1 class="text-4xl font-extrabold tracking-tight text-slate-900 sm:text-5xl mb-4">
+        Serverless <span class="gradient-text">Transformation</span>
+    </h1>
+    <p class="text-xl text-slate-600 leading-relaxed max-w-3xl">
+        GO-DUCK isn't just for heavy-duty containers. With the <strong>Serverless Transformation Layer</strong>, your entire Federated Microservice can be deployed as an elastic, zero-cost-when-idle function on AWS, GCP, or Vercel.
+    </p>
+</div>
+
+<!-- Elite Adapter Concept -->
+<div class="grid grid-cols-1 md:grid-cols-2 gap-8 mb-16">
+    <div class="p-8 rounded-3xl bg-slate-50 border border-slate-100 shadow-sm">
+        <div class="w-12 h-12 bg-blue-100 text-blue-600 rounded-2xl flex items-center justify-center mb-6">
+            <svg class="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 11H5m14 0a2 2 0 012 2v6a2 2 0 01-2 2H5a2 2 0 01-2-2v-6a2 2 0 012-2m14 0V9a2 2 0 00-2-2M5 11V9a2 2 0 012-2m0 0V5a2 2 0 012-2h6a2 2 0 012 2v2M7 7h10"></path></svg>
+        </div>
+        <h3 class="text-xl font-bold text-slate-900 mb-3">Stateless Silo Routing</h3>
+        <p class="text-slate-600 leading-relaxed">
+            Every serverless invocation is fully isolated and stateless. The system resolves the tenant's database silo dynamically from the JWT, ensuring 100% data privacy even in shared-compute environments.
+        </p>
+    </div>
+    <div class="p-8 rounded-3xl bg-slate-50 border border-slate-100 shadow-sm">
+        <div class="w-12 h-12 bg-purple-100 text-purple-600 rounded-2xl flex items-center justify-center mb-6">
+            <svg class="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13 10V3L4 14h7v7l9-11h-7z"></path></svg>
+        </div>
+        <h3 class="text-xl font-bold text-slate-900 mb-3">Shared Router Pattern</h3>
+        <p class="text-slate-600 leading-relaxed">
+            We use a unified internal <code>router</code> package. This means your security middlewares, search logic, and endpoint definitions are shared between <code>main.go</code> and all serverless entrypoints.
+        </p>
+    </div>
+</div>
+
+<!-- Deployment Options -->
+<section class="mb-16">
+    <h2 class="text-2xl font-bold text-slate-900 mb-8 flex items-center">
+        <span class="w-8 h-8 bg-slate-900 text-white rounded-lg flex items-center justify-center text-sm mr-3">1</span>
+        AWS Lambda
+    </h2>
+    <div class="prose prose-slate max-w-none">
+        <p>GO-DUCK generates a specialized <code>lambda_main.go</code> utilizing the <code>aws-lambda-go-api-proxy</code>. This adapter wraps the Gin router and translates API Gateway events into standard HTTP requests.</p>
+        
+        <div class="bg-slate-900 rounded-2xl p-6 mb-6">
+            <h4 class="text-slate-400 text-xs font-bold uppercase tracking-wider mb-4">Build for AWS Lambda</h4>
+            <pre class="bg-transparent border-none p-0 m-0"><code class="language-bash"># Set target OS and Architecture
+export GOOS=linux
+export GOARCH=amd64
+
+# Build with lambda tag to include the handler
+go build -tags lambda -o bootstrap lambda_main.go
+
+# Zip and deploy to AWS
+zip function.zip bootstrap</code></pre>
+        </div>
+        <div class="bg-blue-50 border-l-4 border-blue-400 p-6 rounded-r-xl">
+            <div class="flex">
+                <div class="flex-shrink-0">
+                    <svg class="h-5 w-5 text-blue-400" viewBox="0 0 20 20" fill="currentColor">
+                        <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a1 1 0 000 2v3a1 1 0 001 1h1a1 1 0 100-2v-3a1 1 0 00-1-1H9z" clip-rule="evenodd" />
+                    </svg>
+                </div>
+                <div class="ml-3">
+                    <p class="text-sm text-blue-700">
+                        <strong>Cold Start Warning:</strong> Lambda initializations include DB connection pooling. The shared router uses <code>sync.Once</code> to keep these connections warm across subsequent invocations.
+                    </p>
+                </div>
+            </div>
+        </div>
+    </div>
+</section>
+
+<section class="mb-16">
+    <h2 class="text-2xl font-bold text-slate-900 mb-8 flex items-center">
+        <span class="w-8 h-8 bg-slate-900 text-white rounded-lg flex items-center justify-center text-sm mr-3">2</span>
+        Vercel (Serverless Functions)
+    </h2>
+    <div class="prose prose-slate max-w-none">
+        <p>The system generates an <code>api/index.go</code> file compatible with Vercel's Go runtime. By using the generated <code>vercel.json</code>, all incoming traffic is routed to this single entrypoint.</p>
+        
+        <div class="bg-slate-900 rounded-2xl p-6 mb-6">
+            <h4 class="text-slate-400 text-xs font-bold uppercase tracking-wider mb-4">Immediate Deployment</h4>
+            <pre class="bg-transparent border-none p-0 m-0"><code class="language-bash"># Login to vercel
+vercel login
+
+# Deploy the project
+vercel deploy --prod</code></pre>
+        </div>
+
+        <p>The <code>vercel.json</code> configuration handles the necessary rewrites to ensure paths like <code>/api/users</code> are correctly served by the Go handler:</p>
+        <div class="bg-slate-900 rounded-2xl p-6 mb-6">
+            <pre class="bg-transparent border-none p-0 m-0"><code class="language-json">{
+  "version": 2,
+  "rewrites": [
+    { "source": "/(.*)", "destination": "/api/index" }
+  ]
+}</code></pre>
+        </div>
+    </div>
+</section>
+
+<section class="mb-16">
+    <h2 class="text-2xl font-bold text-slate-900 mb-8 flex items-center">
+        <span class="w-8 h-8 bg-slate-900 text-white rounded-lg flex items-center justify-center text-sm mr-3">3</span>
+        Google Cloud Functions (GCF)
+    </h2>
+    <div class="prose prose-slate max-w-none">
+        <p>For GCP, we use the <strong>Functions Framework for Go</strong>. The generated <code>gcf_handler.go</code> exports a standard HTTP trigger named <code>GoDuckEntry</code>.</p>
+        
+        <div class="bg-slate-900 rounded-2xl p-6 mb-6">
+            <h4 class="text-slate-400 text-xs font-bold uppercase tracking-wider mb-4">Deploying to Cloud Functions</h4>
+            <pre class="bg-transparent border-none p-0 m-0"><code class="language-bash"># Deploy using gcloud CLI
+gcloud functions deploy GoDuckEntry \
+  --runtime go124 \
+  --trigger-http \
+  --allow-unauthenticated \
+  --region us-central1</code></pre>
+        </div>
+        
+        <p>Ensure the <code>//go:build gcf</code> tag is handled correctly by your deployment pipeline if you are building remotely.</p>
+    </div>
+</section>
+
+<!-- Performance Tuning Table -->
+<section class="mb-16">
+    <h3 class="text-xl font-bold text-slate-900 mb-6">Configuration Comparison</h3>
+    <div class="overflow-x-auto">
+        <table class="w-full text-left border-collapse">
+            <thead>
+                <tr class="border-b border-slate-200">
+                    <th class="py-4 font-bold text-slate-900">Feature</th>
+                    <th class="py-4 font-bold text-slate-900">Standard (Binary)</th>
+                    <th class="py-4 font-bold text-slate-900">Serverless</th>
+                </tr>
+            </thead>
+            <tbody class="text-slate-600">
+                <tr class="border-b border-slate-100">
+                    <td class="py-4 font-medium text-slate-900">Execution Mode</td>
+                    <td class="py-4">Persistent Process</td>
+                    <td class="py-4">On-Demand Invocations</td>
+                </tr>
+                <tr class="border-b border-slate-100">
+                    <td class="py-4 font-medium text-slate-900">gRPC Server (Kratos)</td>
+                    <td class="py-4 text-green-600 font-bold">Enabled</td>
+                    <td class="py-4 text-red-500">Disabled (Async only)</td>
+                </tr>
+                <tr class="border-b border-slate-100">
+                    <td class="py-4 font-medium text-slate-900">Outbox Worker</td>
+                    <td class="py-4 text-green-600 font-bold">Automatic Background</td>
+                    <td class="py-4 text-slate-400 italic">Recommended via Cloud Cron</td>
+                </tr>
+                <tr class="border-b border-slate-100">
+                    <td class="py-4 font-medium text-slate-900">Cold Start Optimization</td>
+                    <td class="py-4">N/A</td>
+                    <td class="py-4">sync.Once initialization</td>
+                </tr>
+            </tbody>
+        </table>
+    </div>
+</section>

package/templates/docs/pages/storage.hbs

@@ -0,0 +1,127 @@
+<div class="prose prose-slate max-w-none">
+    <div class="flex items-center space-x-3 mb-8">
+        <div class="p-4 bg-gradient-to-br from-blue-600 to-indigo-700 rounded-2xl shadow-lg shadow-indigo-200">
+            <svg class="w-8 h-8 text-white" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 15a4 4 0 004 4h9a5 5 0 10-.1-9.999 5.002 5.002 0 10-9.78 2.096A4.001 4.001 0 003 15z" />
+            </svg>
+        </div>
+        <h1 class="text-5xl font-black text-slate-900 m-0 tracking-tight">The Universal Storage Bridge</h1>
+    </div>
+
+    <p class="text-2xl text-slate-500 font-medium mb-12 leading-relaxed">
+        Say goodbye to vendor lock-in. GO-DUCK provides an elite, cloud-agnostic abstraction that bridges 7 global storage providers under a single, unified developer experience.
+    </p>
+
+    <!-- The 7 Wonders Section -->
+    <div class="grid grid-cols-1 md:grid-cols-3 gap-6 mb-16">
+        <div class="p-6 bg-white rounded-3xl border border-slate-200 shadow-sm">
+            <div class="text-3xl mb-4 text-blue-600">☁️</div>
+            <h4 class="font-bold text-slate-900 mb-2">Cloud Native</h4>
+            <p class="text-sm text-slate-600">AWS S3, Google Cloud Storage, and Cloudflare R2.</p>
+        </div>
+        <div class="p-6 bg-white rounded-3xl border border-slate-200 shadow-sm">
+            <div class="text-3xl mb-4 text-green-600">🏛️</div>
+            <h4 class="font-bold text-slate-900 mb-2">On-Premises</h4>
+            <p class="text-sm text-slate-600">High-performance MinIO and Generic S3-compatible clusters.</p>
+        </div>
+        <div class="p-6 bg-white rounded-3xl border border-slate-200 shadow-sm">
+            <div class="text-3xl mb-4 text-purple-600">🛡️</div>
+            <h4 class="font-bold text-slate-900 mb-2">Legacy & Git</h4>
+            <p class="text-sm text-slate-600">High-security SFTP (SSH) and Private GitHub persistence.</p>
+        </div>
+    </div>
+
+    <!-- The Masterpiece: GitHub Remote Bootstrapper -->
+    <section class="mb-20">
+        <div class="bg-gradient-to-r from-slate-900 to-indigo-950 rounded-[2.5rem] p-12 text-white shadow-2xl relative overflow-hidden">
+            <div class="relative z-10">
+                <div class="inline-block px-4 py-1 rounded-full bg-indigo-500/20 border border-indigo-400/30 text-indigo-300 text-xs font-bold uppercase tracking-widest mb-6">
+                    Featured Elite Service
+                </div>
+                <h2 class="text-4xl font-black mb-6 leading-tight">GitHub Remote Bootstrapper <br><span class="text-indigo-400">The Death of Secret Sprawl.</span></h2>
+                
+                <p class="text-indigo-100 text-lg mb-8 max-w-3xl leading-relaxed">
+                    In modern, ephemeral Kubernetes clusters, host-path storage is a liability and "baking" keys into Docker images is a security nightmare. The **GitHub Remote Bootstrapper** is your Zero-Trust solution for identity management.
+                </p>
+
+                <div class="grid grid-cols-1 lg:grid-cols-2 gap-12">
+                    <div class="space-y-6">
+                        <h4 class="text-indigo-300 font-bold uppercase text-sm tracking-widest">Why Architects Love It:</h4>
+                        <ul class="space-y-4">
+                            <li class="flex items-start">
+                                <span class="bg-indigo-500/20 p-1 rounded-lg mr-3 text-indigo-400">✓</span>
+                                <div><strong class="text-white">Zero-Bake Images:</strong> Your Docker images remain clean and generic. No customer-specific keys are ever stored in the container layers.</div>
+                            </li>
+                            <li class="flex items-start">
+                                <span class="bg-indigo-500/20 p-1 rounded-lg mr-3 text-indigo-400">✓</span>
+                                <div><strong class="text-white">Ephemeral Isolation:</strong> Credentials are pulled into volatile RAM/Config storage on startup. When the pod dies, the keys vanish.</div>
+                            </li>
+                            <li class="flex items-start">
+                                <span class="bg-indigo-500/20 p-1 rounded-lg mr-3 text-indigo-400">✓</span>
+                                <div><strong class="text-white">Centralized Identity:</strong> Rotate keys for 1,000 pods instantly by updating a single private GitHub repository.</div>
+                            </li>
+                        </ul>
+                    </div>
+                    <div class="bg-slate-800/50 rounded-2xl p-6 border border-slate-700/50 backdrop-blur-sm">
+                        <div class="flex items-center space-x-2 mb-4">
+                            <div class="w-3 h-3 rounded-full bg-red-400"></div>
+                            <div class="w-3 h-3 rounded-full bg-yellow-400"></div>
+                            <div class="w-3 h-3 rounded-full bg-green-400"></div>
+                        </div>
+                        <pre class="text-xs text-indigo-200 leading-relaxed">
+# application.yml
+go-duck:
+  storage:
+    bootstrap:
+      enabled: true
+      owner: "MyOrg"
+      repo: "InfraSecrets"
+      branch: "prod"
+      token: "${GH_BOOTSTRAP_TOKEN}"
+      files: 
+        - "gcs-service-account.json"
+        - "id_rsa"
+                        </pre>
+                        <p class="mt-4 text-[10px] text-slate-400 italic font-mono">Automatically supplied to GCS & SFTP providers upon successful handshake.</p>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </section>
+
+    <!-- Implementation Architecture -->
+    <section class="mb-16">
+        <h2 class="text-3xl font-bold text-slate-900 mb-8 tracking-tight">The 3-Tier Lifecycle</h2>
+        <div class="grid grid-cols-1 md:grid-cols-3 gap-4">
+            <div class="p-8 bg-slate-50 rounded-3xl border border-slate-100">
+                <div class="font-black text-slate-300 text-4xl mb-4">01</div>
+                <h5 class="font-bold text-slate-900 mb-2">The Fetch</h5>
+                <p class="text-sm text-slate-600">Worker connects to GitHub API at T-0 (App Startup).</p>
+            </div>
+            <div class="p-8 bg-slate-50 rounded-3xl border border-slate-100">
+                <div class="font-black text-slate-300 text-4xl mb-4">02</div>
+                <h5 class="font-bold text-slate-900 mb-2">The Pulse</h5>
+                <p class="text-sm text-slate-600">Secrets are hydrated locally in the ephemeral `config/` directory.</p>
+            </div>
+            <div class="p-8 bg-slate-50 rounded-3xl border border-slate-100">
+                <div class="font-black text-slate-300 text-4xl mb-4">03</div>
+                <h5 class="font-bold text-slate-900 mb-2">The Link</h5>
+                <p class="text-sm text-slate-600">Storage drivers discover the keys and initialize with zero friction.</p>
+            </div>
+        </div>
+    </section>
+
+    <!-- Interface Snippet -->
+    <section class="mb-16">
+        <h2 class="text-3xl font-bold text-slate-900 mb-6 tracking-tight">One Interface. Infinite Clouds.</h2>
+        <div class="bg-slate-900 rounded-3xl p-10 shadow-2xl">
+            <pre class="text-blue-400 font-mono text-sm leading-8">
+<span class="text-slate-500">// Your code never changes, whether you are on SFTP, S3, or GCS.</span>
+provider, _ := storage.NewStorageProvider(cfg)
+
+<span class="text-slate-500">// Upload to the active provider (e.g., GCS Hydrated by Bootstrapper)</span>
+url, err := provider.Upload(ctx, "invoices/March.pdf", data)
+            </pre>
+        </div>
+    </section>
+</div>