feat: Terragrunt infra pipeline + NexaMesh rebrand + marketing enhancements

.claude/agents/engineering/devops.md

@@ -16,7 +16,7 @@ You are a senior DevOps engineer managing this workspace's infrastructure:
 
 Key constraints:
 
-- pnpm 9.6.0 enforced via corepack
+- pnpm 10.31.0 enforced via corepack (packageManager in root package.json)
 - Turborepo 2.7 for JS/TS build orchestration
 - Rust CI needs Linux GUI deps for Tauri (GTK, webkit, appindicator)
 - Cargo audit currently skipped in CI (CVSS 4.0 support pending)

.claude/agents/engineering/frontend-specialist.md

@@ -11,7 +11,7 @@ stack:
 - **Next.js 16** marketing site (`apps/marketing/`) — static export, React 19
 - **Docusaurus 3** docs portal (`apps/docs/`) — Azure Functions backend
 - **Leptos WASM** threat simulator (`apps/threat-simulator-desktop/`)
-- **Shared packages**: `@phoenix-rooivalk/types`, `ui`, `utils`
+- **Shared packages**: `@nexamesh/types`, `ui`, `utils`
 
 Key constraints:
 

.claude/agents/marketing/content-strategist.md

@@ -6,7 +6,7 @@ model: sonnet
 ---
 
 You are a content strategist for a dual-brand counter-UAS defense platform
-(SkySnare consumer / AeroNet enterprise). The marketing site is a Next.js 16
+(Kestrel Mesh consumer / Sentinel Ring enterprise). The marketing site is a Next.js 16
 static export at `apps/marketing/`.
 
 Content infrastructure you manage:
@@ -21,7 +21,7 @@ Content infrastructure you manage:
 
 When working on content:
 
-1. Maintain dual-brand voice (SkySnare = accessible sports; AeroNet =
+1. Maintain dual-brand voice (Kestrel Mesh = accessible; Sentinel Ring =
    enterprise)
 2. Defense terminology must be accurate but accessible
 3. SEO: every page needs title, description, Open Graph, and canonical URL

.claude/agents/marketing/market-finder.md

@@ -36,8 +36,8 @@ Canonical market and competitor data (docs-side):
 
 Market segments:
 
-1. **Consumer sports/training** (SkySnare) — Drone racing, hobby events
-2. **Critical infrastructure** (AeroNet) — Airports, power plants, prisons
+1. **Consumer sports/training** (Kestrel Mesh) — Consumer detection, hobby events
+2. **Critical infrastructure** (Sentinel Ring) — Airports, power plants, prisons
 3. **Government/military** — SBIR, DoD, law enforcement
 4. **Events/venues** — Stadiums, concerts, VIP protection
 5. **Agriculture** — Crop protection, livestock monitoring

.claude/agents/product/product-manager.md

@@ -12,8 +12,8 @@ Product infrastructure:
 
 - **Product catalog** (`apps/marketing/src/data/products.ts`): 24 products with
   SKU, pricing, COGS, margins, specs, phase tracking
-- **Product lines**: SkySnare (1), NetSnare (3), SkyWatch (8), NetSentry (3),
-  AeroNet (2), RKV (3) — 24 total
+- **Product lines**: KestrelMesh (1), NetSnare (3), SkyWatch (8), NetSentry (3),
+  SentinelRing (2), RKV (3) — 24 total
 - **Categories**: consumer, prosumer, enterprise, military
 - **Phases**: seed, series-a, series-b, series-c, scale
 - **Docs-side data** (`apps/docs/src/data/`): Canonical business numbers

.claude/agents/product/product-pricer.md

@@ -31,11 +31,11 @@ Product economics schema per product:
 
 Product lines and categories:
 
-- **SkySnare** (consumer): Entry-level, highest volume, lowest margin
+- **Kestrel Mesh** (consumer): Entry-level, highest volume, lowest margin
 - **NetSnare** (prosumer): Mid-range, hobby/small-business
 - **SkyWatch** (prosumer): Surveillance-focused
 - **NetSentry** (enterprise): Perimeter security, recurring revenue
-- **AeroNet** (enterprise): Full AI-enabled platform, highest margin
+- **Sentinel Ring** (enterprise): Full AI-enabled platform, highest margin
 - **RKV** (military): Specialized, government contract pricing
 
 x402 API pricing tiers:

.claude/rules/typescript.md

@@ -15,7 +15,7 @@ paths:
 - WCAG AA+ accessibility: ARIA labels, keyboard navigation, 4.5:1 contrast
 - ESLint security plugin enabled — no `dangerouslySetInnerHTML`, no `eval`
 - Cross-package imports use workspace protocol:
-  `"@phoenix-rooivalk/types": "workspace:*"`
+  `"@nexamesh/types": "workspace:*"`
 - Path aliases: `@/*` maps to `./src/*` in marketing app
 - Next.js marketing is static export (`output: "export"`) — no SSR, no API
   routes, no server components

.claude/settings.local.json

@@ -0,0 +1,13 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(cd /c/Users/smitj/repos/phoenix-rooivalk git add apps/docs/docs/technical/control/ apps/docs/docs/technical/hardware/board-bringup-and-flashing.mdx apps/docs/docs/technical/hardware/index.mdx apps/docs/docs/technical/hardware/power-budgeting-and-rail-isolation.mdx apps/docs/docs/technical/hardware/prototype-compute-tiers.mdx apps/docs/docs/technical/hardware/salvage-and-zero-budget-hardware.mdx apps/docs/docs/technical/hardware/servo-selection-and-calibration.mdx apps/docs/docs/technical/hardware/phase1/avoid-list.mdx apps/docs/docs/technical/hardware/phase1/buy-now-vs-later.mdx apps/docs/docs/technical/hardware/phase1/safety-boundary.mdx apps/docs/docs/technical/hardware/phase1/platform-bom-v1.mdx apps/docs/docs/technical/architecture/interfaces/ apps/docs/docs/technical/architecture/adr-0202-x402-data-marketplace.mdx apps/docs/docs/operations/runbooks/ apps/docs/docs/business/prd/depin-network-strategy.mdx apps/docs/docs/business/prd/data-marketplace-prd.mdx apps/docs/docs/business/prd/partnership-strategy.mdx apps/docs/docs/legal/compliance/ apps/docs/sidebars.ts __NEW_LINE_f00f39e4ca34aa14__ git status --short)",
+      "Bash(curl -s -X POST \"https://stitch.googleapis.com/mcp\" -H \"Content-Type: application/json\" -H \"X-Goog-Api-Key: AQ.Ab8RN6J2ikC8PyiV8XZjdsHIKOLtcve88czpBa1TExnc_-SZng\" -d '{\"\"\"\"jsonrpc\"\"\"\":\"\"\"\"2.0\"\"\"\",\"\"\"\"id\"\"\"\":20,\"\"\"\"method\"\"\"\":\"\"\"\"tools/list\"\"\"\",\"\"\"\"params\"\"\"\":{}}')",
+      "Bash(python3 -c \"import sys,json; tools=json.load\\(sys.stdin\\)[''''result''''][''''tools'''']; [print\\(t[''''name'''']\\) for t in tools]\")"
+    ]
+  },
+  "enabledMcpjsonServers": [
+    "stitch"
+  ],
+  "enableAllProjectMcpServers": true
+}

.github/workflows/ci-marketing.yml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
 
       - name: Setup Rust (for threat-simulator-desktop WASM dependencies)
         uses: dtolnay/rust-toolchain@stable
@@ -52,9 +52,9 @@ jobs:
           fi
 
       - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
-          node-version: "20"
+          node-version: "24"
           package-manager-cache: false
 
       - name: Install dependencies

.github/workflows/codeql.yml

@@ -1,24 +1,8 @@
 name: "CodeQL Security Analysis"
 
 on:
-  push:
-    branches: ["main"]
-    paths:
-      - "**/*.ts"
-      - "**/*.tsx"
-      - "**/*.js"
-      - "**/*.jsx"
-      - "**/*.rs"
-      - ".github/workflows/codeql.yml"
-  pull_request:
-    branches: ["main"]
-    paths:
-      - "**/*.ts"
-      - "**/*.tsx"
-      - "**/*.js"
-      - "**/*.jsx"
-      - "**/*.rs"
-      - ".github/workflows/codeql.yml"
+  # Reduced to weekly + manual to cut GitHub Actions costs
+  # Was running on every push/PR including Renovate bot
   schedule:
     - cron: "30 2 * * 1" # Weekly on Monday at 2:30 AM UTC
   workflow_dispatch:
@@ -76,7 +60,7 @@ jobs:
         if:
           ${{ steps.codeql-check.outputs.enabled == 'true' && matrix.language ==
           'rust' }}
-        uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1
+        uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1
         with:
           toolchain: stable
           components: rustfmt, clippy
@@ -85,13 +69,13 @@ jobs:
         if:
           ${{ steps.codeql-check.outputs.enabled == 'true' && matrix.language ==
           'rust' }}
-        uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
         with:
           shared-key: codeql-rust
 
       - name: Setup pnpm
         if: matrix.language == 'javascript-typescript'
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
 
       - name: Generate lockfile if missing
         if: matrix.language == 'javascript-typescript'
@@ -103,9 +87,9 @@ jobs:
 
       - name: Setup Node.js
         if: matrix.language == 'javascript-typescript'
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
-          node-version: "20"
+          node-version: "24"
           package-manager-cache: false
 
       - name: Install dependencies
@@ -116,15 +100,15 @@ jobs:
 
       - name: Initialize CodeQL
         if: steps.codeql-check.outputs.enabled == 'true'
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
           config-file: .github/codeql-config.yml
 
       - name: Perform CodeQL Analysis
         if: steps.codeql-check.outputs.enabled == 'true'
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
         with:
           category: "/language:${{matrix.language}}"
           upload: false
@@ -133,7 +117,7 @@ jobs:
       - name: Upload SARIF results (non-fatal)
         if: steps.codeql-check.outputs.enabled == 'true'
         continue-on-error: true
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
         with:
           sarif_file: codeql-results.sarif
           checkout_path: ${{ github.workspace }}

.github/workflows/deploy-azure-functions.yml

@@ -150,15 +150,15 @@ jobs:
               echo "::error::  2. Delete the AZURE_FUNCTIONAPP_NAME secret"
               echo "::error::  3. Go to Variables tab → New repository variable"
               echo "::error::  4. Name: AZURE_FUNCTIONAPP_NAME"
-              echo "::error::  5. Value: Your function app name (e.g., phoenix-rooivalk-functions)"
+              echo "::error::  5. Value: Your function app name (e.g., nex-dev-docs-func)"
               MISCONFIG_WARNINGS="${MISCONFIG_WARNINGS}\n  ⚠️  AZURE_FUNCTIONAPP_NAME is set as a SECRET but should be a VARIABLE"
               echo "::warning::AZURE_FUNCTIONAPP_NAME is configured as a secret but should be a variable. Delete the secret and set it as a variable instead."
             else
               echo "::error::To fix: Add AZURE_FUNCTIONAPP_NAME as a repository VARIABLE (not secret)"
               echo "::error::  1. Go to Settings → Secrets and variables → Actions → Variables tab"
               echo "::error::  2. Click 'New repository variable'"
               echo "::error::  3. Name: AZURE_FUNCTIONAPP_NAME"
-              echo "::error::  4. Value: Your function app name (e.g., phoenix-rooivalk-functions)"
+              echo "::error::  4. Value: Your function app name (e.g., nex-dev-docs-func)"
             fi
           else
             echo "✅ AZURE_FUNCTIONAPP_NAME is configured: ${{ vars.AZURE_FUNCTIONAPP_NAME }}"
@@ -397,14 +397,12 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
-        with:
-          version: 9.15.9
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
 
       - name: Install dependencies
         run: pnpm install --no-frozen-lockfile
@@ -499,13 +497,13 @@ jobs:
       url: https://${{ vars.AZURE_FUNCTIONAPP_NAME }}.azurewebsites.net
     steps:
       - name: Download build artifact
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: azure-functions-build
           path: deploy-package
 
       - name: Azure Login
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
+        uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
 
@@ -535,14 +533,14 @@ jobs:
           echo "Configuring CORS for Azure Functions..."
           az functionapp cors add \
             --name "${{ vars.AZURE_FUNCTIONAPP_NAME }}" \
-            --resource-group "${{ vars.AZURE_RESOURCE_GROUP || 'dev-euw-rg-rooivalk' }}" \
-            --allowed-origins "https://docs.phoenixrooivalk.com" "https://phoenixrooivalk.com" "http://localhost:3000" "http://localhost:3001" \
+            --resource-group "${{ vars.AZURE_RESOURCE_GROUP || 'nex-dev-rg' }}" \
+            --allowed-origins "https://docs.nexamesh.ai" "https://nexamesh.ai" "http://localhost:3000" "http://localhost:3001" \
             2>/dev/null || echo "CORS origins may already exist"
 
           # Enable credentials
           az functionapp cors credentials \
             --name "${{ vars.AZURE_FUNCTIONAPP_NAME }}" \
-            --resource-group "${{ vars.AZURE_RESOURCE_GROUP || 'dev-euw-rg-rooivalk' }}" \
+            --resource-group "${{ vars.AZURE_RESOURCE_GROUP || 'nex-dev-rg' }}" \
             --enable true \
             2>/dev/null || echo "CORS credentials already enabled"
 
@@ -597,7 +595,7 @@ jobs:
         env:
           COSMOS_DB_CONNECTION_STRING:
             ${{ secrets.COSMOS_DB_CONNECTION_STRING }}
-          COSMOS_DB_DATABASE: phoenix-docs
+          COSMOS_DB_DATABASE: nexamesh-docs
         run: |
           echo "🌱 Seeding known emails to Cosmos DB..."
           npm install @azure/cosmos --no-save
@@ -642,14 +640,12 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: ${{ env.NODE_VERSION }}
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
-        with:
-          version: 9.15.9
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
 
       - name: Install dependencies
         run: pnpm install --no-frozen-lockfile

.github/workflows/deploy-docs-azure.yml

@@ -165,12 +165,12 @@ jobs:
           lfs: false
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
-          node-version: "20"
+          node-version: "24"
 
       - name: Install dependencies
         working-directory: ${{ env.APP_LOCATION }}
@@ -345,12 +345,12 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
-          node-version: "20"
+          node-version: "24"
 
       - name: Install Azure Functions dependencies
         working-directory: apps/docs/azure-functions
@@ -380,7 +380,7 @@ jobs:
           echo "✅ Deployment package created"
 
       - name: Azure Login
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
+        uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}