diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 91cdb8a6..4896bb47 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -19,7 +19,7 @@ body:
       options:
         - label: I have searched existing issues to ensure this is not a duplicate
           required: true
-        - label: I have read the documentation at https://rou-cru.github.io/idp-blueprint/
+        - label: I have read the documentation at https://idp-blueprint.roura.xyz/
           required: true
         - label: I am using the latest version from the main branch
           required: false
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
index b86751dd..b7226a38 100644
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,7 +1,7 @@
 blank_issues_enabled: false
 contact_links:
   - name: 📖 Documentation
-    url: https://rou-cru.github.io/idp-blueprint/
+    url: https://idp-blueprint.roura.xyz/
     about: Read the comprehensive documentation for the IDP Blueprint
   - name: 💬 Discussions
     url: https://github.com/rou-cru/idp-blueprint/discussions
diff --git a/.github/ISSUE_TEMPLATE/documentation.yml b/.github/ISSUE_TEMPLATE/documentation.yml
index a8fdb6ae..037235ae 100644
--- a/.github/ISSUE_TEMPLATE/documentation.yml
+++ b/.github/ISSUE_TEMPLATE/documentation.yml
@@ -19,7 +19,7 @@ body:
       options:
         - label: I have searched existing issues to ensure this is not a duplicate
           required: true
-        - label: I have checked the documentation site at https://rou-cru.github.io/idp-blueprint/
+        - label: I have checked the documentation site at https://idp-blueprint.roura.xyz/
           required: true
 
   - type: dropdown
@@ -67,7 +67,7 @@ body:
     attributes:
       label: Page URL or File Path
       description: Link to the documentation page or file path
-      placeholder: "https://rou-cru.github.io/idp-blueprint/guides/getting-started or Docs/src/content/docs/guides/example.md"
+      placeholder: "https://idp-blueprint.roura.xyz/guides/getting-started or Docs/src/content/docs/guides/example.md"
     validations:
       required: false
 
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
index 26d1c83e..e625cf1c 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -19,7 +19,7 @@ body:
       options:
         - label: I have searched existing issues to ensure this is not a duplicate
           required: true
-        - label: I have read the documentation at https://rou-cru.github.io/idp-blueprint/
+        - label: I have read the documentation at https://idp-blueprint.roura.xyz/
           required: true
         - label: This feature aligns with the IDP Blueprint's goals (GitOps, Observability, Security, Policy)
           required: true
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 5aaf962b..baf990f3 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -19,8 +19,7 @@ github-actions:
           - ".github/dependabot.yml"
           - ".github/labeler.yml"
           - ".github/ISSUE_TEMPLATE/**/*"
-          - ".github/PULL_REQUEST_TEMPLATE.md"
-          - ".github/CODEOWNERS"
+          - ".github/pull_request_template.md"
 
 # Task Automation
 automation:
@@ -42,30 +41,31 @@ configuration:
 argocd:
   - changed-files:
       - any-glob-to-any-file:
-          - "Bootstrap/argocd/**/*"
-          - "Stacks/argocd/**/*"
+          - "IT/argocd/**/*"
+          - "K8s/**/argocd*/**/*"
           - "**/argocd-*.yaml"
 
 # Cilium / Networking
 cilium:
   - changed-files:
       - any-glob-to-any-file:
-          - "Bootstrap/cilium/**/*"
+          - "IT/cilium/**/*"
           - "**/cilium-*.yaml"
 
 # Vault / Secrets
 vault:
   - changed-files:
       - any-glob-to-any-file:
-          - "Bootstrap/vault/**/*"
-          - "Stacks/vault/**/*"
+          - "IT/vault/**/*"
+          - "K8s/**/vault/**/*"
           - "**/vault-*.yaml"
 
 # External Secrets
 external-secrets:
   - changed-files:
       - any-glob-to-any-file:
-          - "Bootstrap/external-secrets/**/*"
+          - "IT/external-secrets/**/*"
+          - "K8s/**/external-secrets/**/*"
           - "**/external-secret*.yaml"
           - "**/secret-store*.yaml"
 
@@ -73,8 +73,7 @@ external-secrets:
 kyverno:
   - changed-files:
       - any-glob-to-any-file:
-          - "Policies/**/*"
-          - "Stacks/kyverno/**/*"
+          - "K8s/policies/**/*"
           - "**/kyverno-*.yaml"
           - "**/*policy*.yaml"
 
@@ -82,10 +81,7 @@ kyverno:
 observability:
   - changed-files:
       - any-glob-to-any-file:
-          - "Stacks/prometheus/**/*"
-          - "Stacks/grafana/**/*"
-          - "Stacks/loki/**/*"
-          - "Stacks/fluent-bit/**/*"
+          - "K8s/observability/**/*"
           - "**/prometheus-*.yaml"
           - "**/grafana-*.yaml"
           - "**/loki-*.yaml"
@@ -94,8 +90,7 @@ observability:
 cicd:
   - changed-files:
       - any-glob-to-any-file:
-          - "Stacks/argo-workflows/**/*"
-          - "Stacks/sonarqube/**/*"
+          - "K8s/cicd/**/*"
           - "**/argo-workflow*.yaml"
           - "**/sonarqube-*.yaml"
 
@@ -103,7 +98,7 @@ cicd:
 cert-manager:
   - changed-files:
       - any-glob-to-any-file:
-          - "Bootstrap/cert-manager/**/*"
+          - "IT/cert-manager/**/*"
           - "**/cert-manager-*.yaml"
           - "**/certificate*.yaml"
           - "**/clusterissuer*.yaml"
@@ -112,7 +107,7 @@ cert-manager:
 gateway:
   - changed-files:
       - any-glob-to-any-file:
-          - "Bootstrap/gateway/**/*"
+          - "IT/gateway/**/*"
           - "**/gateway*.yaml"
           - "**/httproute*.yaml"
 
@@ -121,6 +116,7 @@ k3d:
   - changed-files:
       - any-glob-to-any-file:
           - "Task/k3d.yaml"
+          - "IT/k3d-cluster.yaml"
           - ".devcontainer/**/*"
           - "**/k3d-*.yaml"
 
@@ -145,7 +141,6 @@ security:
       - any-glob-to-any-file:
           - "SECURITY.md"
           - ".config/lint/.trufflehog-ignore"
-          - "Policies/**/*"
           - "**/rbac*.yaml"
           - "**/networkpolicy*.yaml"
 
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..47a4fcc3
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,13 @@
+## Summary
+- What does this change do?
+- Any user-facing or breaking changes?
+
+## Testing
+- [ ] Not run (explain why)
+- [ ] Added/updated automated tests
+- [ ] Manually tested (`<commands>`)
+
+## Checklist
+- [ ] Docs updated if needed
+- [ ] Conventional commit in title
+- [ ] Linked issue (if relevant)
diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml
new file mode 100644
index 00000000..4093198b
--- /dev/null
+++ b/.github/workflows/auto-merge.yaml
@@ -0,0 +1,83 @@
+name: Auto Merge with CodeRabbit
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review, review_requested]
+  workflow_run:
+    workflows: ["CI Pipeline", "Documentation"]
+    types: [completed]
+
+permissions:
+  contents: write
+  pull-requests: write
+  checks: read
+  statuses: read
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.head.repo.full_name == github.repository || github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Get PR context
+        id: ctx
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const pr = context.payload.pull_request
+              ? context.payload.pull_request
+              : await (async () => {
+                  // workflow_run path
+                  const run = context.payload.workflow_run
+                  const prData = run.pull_requests && run.pull_requests[0]
+                  if (!prData) return null
+                  const { data } = await github.rest.pulls.get({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    pull_number: prData.number,
+                  })
+                  return data
+                })()
+
+            if (!pr) {
+              core.setFailed('No pull_request context available')
+              return
+            }
+
+            // basic guards
+            if (pr.draft) {
+              core.setOutput('status', 'skip-draft')
+              return
+            }
+            if (pr.state !== 'open') {
+              core.setOutput('status', 'skip-closed')
+              return
+            }
+            if (pr.mergeable_state === 'behind') {
+              core.setOutput('status', 'skip-behind')
+              return
+            }
+            if (!pr.mergeable_state || pr.mergeable_state === 'unknown') {
+              core.setOutput('status', 'skip-unknown')
+              core.info('Mergeable state is unknown, waiting for GitHub to compute it')
+              return
+            }
+            const acceptableStates = ['clean', 'unstable', 'has_hooks']
+            if (!acceptableStates.includes(pr.mergeable_state)) {
+              core.setOutput('status', `skip-${pr.mergeable_state}`)
+              core.info(`Mergeable state '${pr.mergeable_state}' not acceptable for auto-merge`)
+              return
+            }
+
+            core.setOutput('pr-number', pr.number.toString())
+            core.setOutput('mergeable_state', pr.mergeable_state || 'unknown')
+            core.setOutput('status', 'ready')
+
+      - name: Enable auto-merge
+        if: steps.ctx.outputs.status == 'ready' &&
+            steps.ctx.outputs.mergeable_state != 'behind' &&
+            steps.ctx.outputs.mergeable_state != 'unknown'
+        uses: peter-evans/enable-pull-request-automerge@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          pull-request-number: ${{ steps.ctx.outputs.pr-number }}
+          merge-method: squash
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 36644b3c..d5214005 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -4,15 +4,6 @@ on:
   # Run CI as Quality Gate on PRs only (not on push to main)
   pull_request:
     branches: [main]
-    paths-ignore:
-      - 'Docs/**'
-      - 'mkdocs.yml'
-      - '**.md'
-      - 'pyproject.toml'
-      - 'uv.lock'
-      - 'Scripts/generate-chart-metadata.sh'
-      - 'Scripts/helm-docs-*.sh'
-      - '.github/workflows/docs.yaml'
 
 # Prevent concurrent runs on the same PR
 concurrency:
@@ -23,34 +14,176 @@ permissions:
   contents: read
 
 jobs:
-  build-and-test:
+  changes:
+    name: Detect changed areas
     runs-on: ubuntu-latest
-    timeout-minutes: 20
+    outputs:
+      docs: ${{ steps.set.outputs.docs }}
+      values: ${{ steps.set.outputs.values }}
+      full: ${{ steps.set.outputs.full }}
+      targets: ${{ steps.set.outputs.targets }}
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            docs:
+              - 'Docs/**'
+              - '**/*.md'
+            values:
+              - '**/values.yaml'
+              - '**/values*.yaml'
+            base:
+              - 'Dockerfile'
+              - '.devcontainer/Dockerfile'
+              - 'docker-bake.hcl'
+              - 'Task/image.yaml'
+            dev:
+              - 'devbox.json'
+              - 'devbox.lock'
+            minimal:
+              - '.devcontainer/devbox-minimal.json'
+            ops:
+              - '.devcontainer/devbox-ops.json'
+            portal:
+              - 'UI/**'
+
+      - name: Calculate Matrix Targets
+        id: set
+        run: |
+          # Retrieve the list of modified filters (e.g., ["docs", "minimal"])
+          changes='${{ steps.filter.outputs.changes }}'
+
+          # If 'base' changed, force all build targets
+          if echo "$changes" | grep -q "base"; then
+            targets='["dev", "minimal", "ops", "portal"]'
+          else
+            # Otherwise, filter the changes list to only include build targets
+            # jq select filters out 'docs', 'values', 'base' from the list
+            targets=$(echo "$changes" | jq -c 'map(select(. == "dev" or . == "minimal" or . == "ops" or . == "portal"))')
+          fi
+
+          echo "targets=$targets" >> "$GITHUB_OUTPUT"
+
+          # Maintain compatibility flags
+          echo "docs=${{ steps.filter.outputs.docs }}" >> "$GITHUB_OUTPUT"
+          echo "values=${{ steps.filter.outputs.values }}" >> "$GITHUB_OUTPUT"
 
-      - name: Prepare Devbox configuration
-        run: ln -sf devbox-minimal.json devbox.json
-        working-directory: .devcontainer
+          # Determine 'full' run (any build target or values changed)
+          if [ "$targets" != "[]" ] || [ "${{ steps.filter.outputs.values }}" == "true" ]; then
+             echo "full=true" >> "$GITHUB_OUTPUT"
+          else
+             echo "full=false" >> "$GITHUB_OUTPUT"
+          fi
 
+  docs-pr:
+    name: Docs only
+    needs: changes
+    if: needs.changes.outputs.docs == 'true' && needs.changes.outputs.full == 'false'
+    runs-on: ubuntu-latest
+    env:
+      DEVBOX_CONFIG: .devcontainer/devbox-minimal.json
+    steps:
+      - uses: actions/checkout@v6
       - name: Install Devbox
         uses: jetpack-io/devbox-install-action@v0.14.0
         with:
           project-path: .devcontainer
           enable-cache: true
+      - name: Build docs
+        run: devbox run --config $DEVBOX_CONFIG -- task utils:docs:astro:build
 
+  core-ci:
+    name: Core CI
+    needs: changes
+    if: needs.changes.outputs.full == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 50
+    env:
+      DEVBOX_CONFIG: .devcontainer/devbox-minimal.json
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+      - name: Install Devbox
+        uses: jetpack-io/devbox-install-action@v0.14.0
+        with:
+          project-path: .devcontainer
+          enable-cache: true
       - name: Run Linting Tasks
-        run: devbox run -- task quality:lint
-        working-directory: .devcontainer
+        run: devbox run --config $DEVBOX_CONFIG -- task quality:lint
         timeout-minutes: 10
-
       - name: Run Security Scans
-        run: devbox run -- task quality:security
-        working-directory: .devcontainer
+        run: devbox run --config $DEVBOX_CONFIG -- task quality:security
         timeout-minutes: 15
-
       - name: Run Validations
-        run: devbox run -- task quality:validate
-        working-directory: .devcontainer
-        timeout-minutes: 10
+        run: devbox run --config $DEVBOX_CONFIG -- task quality:validate
+        timeout-minutes: 12
+      - name: Generate Helm docs (values.yaml changed)
+        if: needs.changes.outputs.values == 'true'
+        run: devbox run --config $DEVBOX_CONFIG -- task utils:docs:helm
+
+  docker-build:
+    name: Build ${{ matrix.target }}
+    needs: changes
+    if: needs.changes.outputs.full == 'true' && needs.changes.outputs.targets != '[]'
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_IMAGE_NAME: ${{ vars.DOCKER_IMAGE_NAME }}
+      DOCKER_IMAGE_TAG: ${{ vars.DOCKER_IMAGE_TAG }}
+      DOCKER_IMAGE_TAG_MINIMAL: ${{ vars.DOCKER_IMAGE_TAG_MINIMAL }}
+      DOCKER_IMAGE_TAG_OPS: ${{ vars.DOCKER_IMAGE_TAG_OPS }}
+    strategy:
+      fail-fast: false
+      matrix:
+        target: ${{ fromJson(needs.changes.outputs.targets) }}
+    steps:
+      - uses: actions/checkout@v6
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true # ~12Gib Free
+          dotnet: true # ~4Gib Free
+          haskell: true # ~6Gib Free
+          large-packages: true # ~4.7Gib Free
+          swap-storage: true # ~4GiB Saved
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Install Devbox
+        uses: jetpack-io/devbox-install-action@v0.14.0
+        with:
+          project-path: .
+          enable-cache: true
+      - name: Setup Node.js (Portal only)
+        if: matrix.target == 'portal'
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: yarn
+          cache-dependency-path: UI/yarn.lock
+      - name: Build Target
+        run: |
+          case "${{ matrix.target }}" in
+            "dev") devbox run -- task image:image:build ;;
+            "minimal") devbox run -- task image:image:build:minimal ;;
+            "ops") devbox run -- task image:image:build:ops ;;
+            "portal") devbox run -- task image:dev-portal:build ;;
+          esac
+
+  ci-green:
+    name: CI green
+    needs: [changes, docs-pr, core-ci, docker-build]
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for failures
+        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+        run: |
+          echo "::error::One or more required jobs failed or were cancelled"
+          exit 1
+      - name: Success
+        run: echo "✅ All CI checks passed"
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index c3d52423..3deb901a 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -52,7 +52,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: 24
+          node-version: 22
           cache: 'pnpm'
           cache-dependency-path: Docs/pnpm-lock.yaml
 
diff --git a/Task/bootstrap.yaml b/Task/bootstrap.yaml
index 3fe845cd..af12059b 100644
--- a/Task/bootstrap.yaml
+++ b/Task/bootstrap.yaml
@@ -64,6 +64,7 @@ tasks:
 
   cilium:deploy:
     desc: "Install Cilium as CNI"
+    internal: true
     dir: IT/cilium
     silent: false
     cmds:
@@ -79,6 +80,7 @@ tasks:
 
   it:bootstrap:
     desc: "Bootstrap cluster prerequisites and preload images"
+    internal: true
     silent: true
     deps:
       - cilium:preload
@@ -88,6 +90,7 @@ tasks:
 
   cert-manager:deploy:
     desc: "Deploy Cert-Manager to handle CA"
+    internal: true
     dir: IT/cert-manager
     silent: true
     cmds:
@@ -103,6 +106,7 @@ tasks:
 
   external-secrets:deploy:
     desc: "Install External Secrets Operator"
+    internal: true
     dir: IT/external-secrets
     silent: false
     cmds:
@@ -119,6 +123,7 @@ tasks:
 
   it:eso:apply-resources:
     desc: "Apply ESO SecretStores and ExternalSecrets"
+    internal: true
     dir: IT/external-secrets
     cmds:
       - kustomize build . | kubectl apply -f - --server-side
@@ -140,6 +145,7 @@ tasks:
 
   vault:generate-secrets:
     desc: "Generate initial secrets for all services using Vault"
+    internal: true
     vars:
       ARGOCD_USERNAME: "admin"
       SECRETS:
@@ -219,6 +225,7 @@ tasks:
 
   vault:deploy:
     desc: "Deploy HashiCorp Vault"
+    internal: true
     dir: IT/vault
     cmds:
       - |
@@ -232,6 +239,7 @@ tasks:
 
   it:deploy-secret-and-certs:
     desc: "Deploy cert-manager and vault"
+    internal: true
     silent: true
     deps:
       - cert-manager:deploy
@@ -239,6 +247,7 @@ tasks:
 
   argocd:deploy:
     desc: "Deploy ArgoCD GitOps Engine"
+    internal: true
     dir: IT/argocd
     silent: true
     env:
@@ -265,6 +274,7 @@ tasks:
 
   gateway:deploy:
     desc: "Deploy Gateway API Gateway resource"
+    internal: true
     dir: IT/gateway
     silent: true
     cmds:
diff --git a/Task/stacks.yaml b/Task/stacks.yaml
index 9d788d9e..9108432a 100644
--- a/Task/stacks.yaml
+++ b/Task/stacks.yaml
@@ -79,6 +79,7 @@ tasks:
 
   deploy:
     desc: "Deploy all application stacks via ArgoCD ApplicationSets (feature-gated)"
+    internal: true
     cmds:
       - task: policies
       - task: observability
diff --git a/Taskfile.yaml b/Taskfile.yaml
index d1b34c57..6c4d8ecf 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -36,6 +36,7 @@ tasks:
 
   deploy-core:
     desc: "Core deployment logic (do not run directly)"
+    internal: true
     deps:
       - internal:validate-tools
     preconditions:
diff --git a/UI/packages/app/package.json b/UI/packages/app/package.json
index d010b6fb..74ef3cf9 100644
--- a/UI/packages/app/package.json
+++ b/UI/packages/app/package.json
@@ -15,38 +15,39 @@
   },
   "dependencies": {
     "@backstage-community/plugin-github-actions": "^0.18.0",
+    "@backstage-community/plugin-grafana": "^0.12.0",
     "@backstage-community/plugin-sonarqube": "^0.20.1",
     "@backstage-community/plugin-sonarqube-react": "^0.12.0",
     "@backstage-community/plugin-topology": "^2.8.0",
     "@backstage-community/plugin-vault": "^0.14.0",
-    "@backstage/app-defaults": "^1.7.2",
+    "@backstage/app-defaults": "^1.7.3",
     "@backstage/catalog-model": "^1.7.6",
-    "@backstage/cli": "^0.34.5",
-    "@backstage/core-app-api": "^1.19.2",
-    "@backstage/core-components": "^0.18.3",
-    "@backstage/core-plugin-api": "^1.12.0",
-    "@backstage/integration-react": "^1.2.12",
-    "@backstage/plugin-api-docs": "^0.13.1",
-    "@backstage/plugin-catalog": "^1.32.0",
+    "@backstage/cli": "^0.35.1",
+    "@backstage/core-app-api": "^1.19.3",
+    "@backstage/core-components": "^0.18.4",
+    "@backstage/core-plugin-api": "^1.12.1",
+    "@backstage/integration-react": "^1.2.13",
+    "@backstage/plugin-api-docs": "^0.13.2",
+    "@backstage/plugin-catalog": "^1.32.1",
     "@backstage/plugin-catalog-common": "^1.1.7",
-    "@backstage/plugin-catalog-graph": "^0.5.3",
-    "@backstage/plugin-catalog-import": "^0.13.7",
-    "@backstage/plugin-catalog-react": "^1.21.3",
-    "@backstage/plugin-home": "^0.8.14",
-    "@backstage/plugin-kubernetes": "^0.12.13",
-    "@backstage/plugin-notifications": "^0.5.11",
-    "@backstage/plugin-org": "^0.6.46",
-    "@backstage/plugin-permission-react": "^0.4.38",
-    "@backstage/plugin-scaffolder": "^1.34.3",
-    "@backstage/plugin-search": "^1.5.0",
-    "@backstage/plugin-search-react": "^1.10.0",
-    "@backstage/plugin-signals": "^0.0.25",
-    "@backstage/plugin-techdocs": "^1.16.0",
-    "@backstage/plugin-techdocs-module-addons-contrib": "^1.1.30",
-    "@backstage/plugin-techdocs-react": "^1.3.5",
-    "@backstage/plugin-user-settings": "^0.8.29",
-    "@backstage/theme": "^0.7.0",
-    "@backstage/ui": "^0.9.0",
+    "@backstage/plugin-catalog-graph": "^0.5.4",
+    "@backstage/plugin-catalog-import": "^0.13.8",
+    "@backstage/plugin-catalog-react": "^1.21.4",
+    "@backstage/plugin-home": "^0.8.15",
+    "@backstage/plugin-kubernetes": "^0.12.14",
+    "@backstage/plugin-notifications": "^0.5.12",
+    "@backstage/plugin-org": "^0.6.47",
+    "@backstage/plugin-permission-react": "^0.4.39",
+    "@backstage/plugin-scaffolder": "^1.35.0",
+    "@backstage/plugin-search": "^1.5.1",
+    "@backstage/plugin-search-react": "^1.10.1",
+    "@backstage/plugin-signals": "^0.0.26",
+    "@backstage/plugin-techdocs": "^1.16.1",
+    "@backstage/plugin-techdocs-module-addons-contrib": "^1.1.31",
+    "@backstage/plugin-techdocs-react": "^1.3.6",
+    "@backstage/plugin-user-settings": "^0.8.30",
+    "@backstage/theme": "^0.7.1",
+    "@backstage/ui": "^0.10.0",
     "@dweber019/backstage-plugin-relations": "^0.1.1",
     "@dweber019/backstage-plugin-simple-icons": "^0.1.1",
     "@kyverno/backstage-plugin-policy-reporter": "^2.4.1",
@@ -59,7 +60,7 @@
     "react-router-dom": "^6.3.0"
   },
   "devDependencies": {
-    "@backstage/test-utils": "^1.7.13",
+    "@backstage/test-utils": "^1.7.14",
     "@playwright/test": "^1.32.3",
     "@testing-library/dom": "^9.0.0",
     "@testing-library/jest-dom": "^6.0.0",
diff --git a/UI/packages/app/src/components/catalog/EntityPage.tsx b/UI/packages/app/src/components/catalog/EntityPage.tsx
index 8e2a8f1d..4966bab4 100644
--- a/UI/packages/app/src/components/catalog/EntityPage.tsx
+++ b/UI/packages/app/src/components/catalog/EntityPage.tsx
@@ -34,7 +34,7 @@ import {
   EntityOwnershipCard,
 } from '@backstage/plugin-org';
 import { EntityTechdocsContent } from '@backstage/plugin-techdocs';
-import { EmptyState } from '@backstage/core-components';
+import { EmptyState, WarningPanel } from '@backstage/core-components';
 import {
   Direction,
   EntityCatalogGraphCard,
@@ -48,6 +48,7 @@ import {
   RELATION_HAS_PART,
   RELATION_PART_OF,
   RELATION_PROVIDES_API,
+  Entity,
 } from '@backstage/catalog-model';
 
 import { TechDocsAddons } from '@backstage/plugin-techdocs-react';
@@ -65,7 +66,96 @@ import {
 } from '@roadiehq/backstage-plugin-argo-cd';
 import { TopologyPage } from '@backstage-community/plugin-topology';
 import { EntityKyvernoPoliciesContent } from '@kyverno/backstage-plugin-policy-reporter';
-
+import { useEntity } from '@backstage/plugin-catalog-react';
+import { configApiRef, useApi } from '@backstage/core-plugin-api';
+import { makeStyles } from '@material-ui/core/styles';
+
+// Helper functions to check for relations
+const hasSubcomponents = (entity: Entity) => {
+  return entity?.relations?.some(
+    (r) => r.type === RELATION_HAS_PART
+  ) ?? false;
+};
+
+const hasApis = (entity: Entity) => {
+  return entity?.relations?.some(
+    (r) => r.type === RELATION_PROVIDES_API || r.type === RELATION_CONSUMES_API
+  ) ?? false;
+};
+
+const useStyles = makeStyles({
+  iframe: {
+    width: '100%',
+    height: '800px',
+    border: 'none',
+  },
+});
+
+const EntityLokiLogs = () => {
+  const classes = useStyles();
+  const { entity } = useEntity();
+  const config = useApi(configApiRef);
+
+  const grafanaUrl = config.getOptionalString('grafana.domain');
+
+  if (!grafanaUrl) {
+    return (
+      <WarningPanel
+        title="Integration Disabled"
+        message='The "grafana.domain" configuration is missing in app-config. Please check your K8s/backstage/backstage/templates/cm-tpl.yaml and ensure DNS_SUFFIX is set.'
+      />
+    );
+  }
+
+  const annotations = entity.metadata.annotations || {};
+  const namespace = annotations['backstage.io/kubernetes-namespace'] || entity.metadata.namespace || 'default';
+
+  // Dashboard UID: fRIvzUZMz (Container Log Dashboard)
+  const dashboardPath = '/d/fRIvzUZMz/container-log-dashboard';
+  const queryParams = `?var-namespace=${namespace}&var-pod=All&var-stream=All&var-searchable_pattern=&kiosk`;
+  const src = `${grafanaUrl}${dashboardPath}${queryParams}`;
+
+  return (
+    <iframe
+      title="Container Logs"
+      src={src}
+      className={classes.iframe}
+    />
+  );
+};
+
+const EntityKubernetesMetrics = () => {
+  const classes = useStyles();
+  const { entity } = useEntity();
+  const config = useApi(configApiRef);
+
+  const grafanaUrl = config.getOptionalString('grafana.domain');
+
+  if (!grafanaUrl) {
+    return (
+      <WarningPanel
+        title="Integration Disabled"
+        message='The "grafana.domain" configuration is missing in app-config. Please check your K8s/backstage/backstage/templates/cm-tpl.yaml and ensure DNS_SUFFIX is set.'
+      />
+    );
+  }
+
+  const annotations = entity.metadata.annotations || {};
+  const namespace = annotations['backstage.io/kubernetes-namespace'] || entity.metadata.namespace || 'default';
+
+  // Dashboard UID: GlXkUBGiz (Kubernetes - Pod Overview)
+  const dashboardPath = '/d/GlXkUBGiz/kubernetes-pod-overview';
+  const queryParams = `?var-namespace=${namespace}&var-pod=All&var-container=All&refresh=1m`;
+  const src = `${grafanaUrl}${dashboardPath}${queryParams}`;
+
+  return (
+    <iframe
+      title="Pod Metrics"
+      src={src}
+      className={classes.iframe}
+    />
+  );
+};
 
 const techdocsContent = (
   <EntityTechdocsContent>
@@ -150,9 +240,14 @@ const overviewContent = (
     <Grid item md={6} xs={12}>
       <EntityCatalogGraphCard variant="gridItem" height={400} />
     </Grid>
-    <Grid item md={8} xs={12}>
-      <EntityHasSubcomponentsCard variant="gridItem" />
-    </Grid>
+
+    <EntitySwitch>
+      <EntitySwitch.Case if={hasSubcomponents}>
+        <Grid item md={8} xs={12}>
+          <EntityHasSubcomponentsCard variant="gridItem" />
+        </Grid>
+      </EntitySwitch.Case>
+    </EntitySwitch>
 
     <EntitySwitch>
       <EntitySwitch.Case if={isArgocdAvailable}>
@@ -164,12 +259,36 @@ const overviewContent = (
   </Grid>
 );
 
+const logsContent = (
+  <Grid container spacing={3}>
+    <Grid item xs={12}>
+      <EntityLokiLogs />
+    </Grid>
+  </Grid>
+);
+
+const metricsContent = (
+  <Grid container spacing={3}>
+    <Grid item xs={12}>
+      <EntityKubernetesMetrics />
+    </Grid>
+  </Grid>
+);
+
 const serviceEntityPage = (
   <EntityLayout>
     <EntityLayout.Route path="/" title="Overview">
       {overviewContent}
     </EntityLayout.Route>
 
+    <EntityLayout.Route path="/logs" title="Logs">
+      {logsContent}
+    </EntityLayout.Route>
+
+    <EntityLayout.Route path="/metrics" title="Metrics">
+      {metricsContent}
+    </EntityLayout.Route>
+
     <EntityLayout.Route path="/ci-cd" title="CI/CD">
       {cicdContent}
     </EntityLayout.Route>
@@ -183,7 +302,11 @@ const serviceEntityPage = (
     </EntityLayout.Route>
 
 
-    <EntityLayout.Route path="/api" title="API">
+    <EntityLayout.Route
+      path="/api"
+      title="API"
+      if={hasApis}
+    >
       <Grid container spacing={3} alignItems="stretch">
         <Grid item md={6}>
           <EntityProvidedApisCard />
@@ -206,7 +329,9 @@ const serviceEntityPage = (
     </EntityLayout.Route>
 
     <EntityLayout.Route path="/topology" title="Topology">
-      <TopologyPage />
+      <div style={{ height: '100%', width: '100%', minHeight: '700px' }}>
+        <TopologyPage />
+      </div>
     </EntityLayout.Route>
 
     <EntityLayout.Route path="/policies" title="Policies">
@@ -225,6 +350,14 @@ const websiteEntityPage = (
       {overviewContent}
     </EntityLayout.Route>
 
+    <EntityLayout.Route path="/logs" title="Logs">
+      {logsContent}
+    </EntityLayout.Route>
+
+    <EntityLayout.Route path="/metrics" title="Metrics">
+      {metricsContent}
+    </EntityLayout.Route>
+
     <EntityLayout.Route path="/ci-cd" title="CI/CD">
       {cicdContent}
     </EntityLayout.Route>
@@ -250,7 +383,9 @@ const websiteEntityPage = (
     </EntityLayout.Route>
 
     <EntityLayout.Route path="/topology" title="Topology">
-      <TopologyPage />
+      <div style={{ height: '100%', width: '100%', minHeight: '700px' }}>
+        <TopologyPage />
+      </div>
     </EntityLayout.Route>
 
     <EntityLayout.Route path="/policies" title="Policies">
@@ -276,8 +411,14 @@ const defaultEntityPage = (
       {overviewContent}
     </EntityLayout.Route>
 
+    <EntityLayout.Route path="/logs" title="Logs">
+      {logsContent}
+    </EntityLayout.Route>
+
     <EntityLayout.Route path="/topology" title="Topology">
-      <TopologyPage />
+      <div style={{ height: '100%', width: '100%', minHeight: '700px' }}>
+        <TopologyPage />
+      </div>
     </EntityLayout.Route>
 
     <EntityLayout.Route path="/policies" title="Policies">
@@ -463,4 +604,4 @@ export const entityPage = (
 
     <EntitySwitch.Case>{defaultEntityPage}</EntitySwitch.Case>
   </EntitySwitch>
-);
+);
\ No newline at end of file
diff --git a/UI/packages/app/src/theme/primer.ts b/UI/packages/app/src/theme/primer.ts
index 739a27b5..1b751719 100644
--- a/UI/packages/app/src/theme/primer.ts
+++ b/UI/packages/app/src/theme/primer.ts
@@ -31,6 +31,11 @@ export const primerTheme = createUnifiedTheme({
       default: '#0d1117', // Canvas Default
       paper: '#161b22',   // Canvas Subtler
     },
+    text: {
+      primary: '#c9d1d9',   // FG Default - light gray for primary text
+      secondary: '#8b949e', // FG Muted - medium gray for secondary text
+      disabled: '#6e7681',  // FG Subtle - darker gray for disabled text
+    },
     banner: {
       info: '#044289', // Blue 800
       error: '#a40e26', // Red 800
@@ -75,7 +80,28 @@ export const primerTheme = createUnifiedTheme({
   components: {
     MuiCssBaseline: {
       styleOverrides: {
+        '@global': {
+          ':root': {
+            '--bui-bg': '#0d1117',
+          },
+          '[data-theme-mode="dark"]': {
+            '--bui-bg': '#0d1117',
+          },
+          html: {
+            WebkitFontSmoothing: 'auto',
+            height: '100%',
+            width: '100%',
+            backgroundColor: '#0d1117',
+          },
+          '#root': {
+            height: '100%',
+            width: '100%',
+            backgroundColor: '#0d1117',
+          },
+        },
         body: {
+          height: '100%',
+          width: '100%',
           backgroundColor: '#0d1117',
           color: '#c9d1d9',
         },
@@ -148,6 +174,176 @@ export const primerTheme = createUnifiedTheme({
         },
       },
     },
+    MuiTypography: {
+      styleOverrides: {
+        root: {
+          color: '#c9d1d9',
+        },
+      },
+    },
+    MuiTableCell: {
+      styleOverrides: {
+        root: {
+          color: '#c9d1d9',
+          borderColor: '#30363d',
+        },
+        head: {
+          color: '#c9d1d9',
+          fontWeight: 600,
+          backgroundColor: '#0d1117',
+        },
+      },
+    },
+    MuiTableHead: {
+      styleOverrides: {
+        root: {
+          backgroundColor: '#0d1117',
+        },
+      },
+    },
+    MuiLink: {
+      styleOverrides: {
+        root: {
+          color: '#58a6ff',
+          '&:hover': {
+            color: '#79c0ff',
+          },
+        },
+      },
+    },
+    MuiChip: {
+      styleOverrides: {
+        root: {
+          backgroundColor: '#161b22',
+          color: '#c9d1d9',
+          border: '1px solid #30363d',
+        },
+        outlined: {
+          borderColor: '#30363d',
+        },
+      },
+    },
+    MuiListItemText: {
+      styleOverrides: {
+        primary: {
+          color: '#c9d1d9',
+        },
+        secondary: {
+          color: '#8b949e',
+        },
+      },
+    },
+    MuiTab: {
+      styleOverrides: {
+        root: {
+          color: '#8b949e',
+          '&.Mui-selected': {
+            color: '#ffffff',
+          },
+        },
+      },
+    },
+    MuiTabs: {
+      styleOverrides: {
+        indicator: {
+          backgroundColor: '#f78166',
+        },
+      },
+    },
+    MuiDialogTitle: {
+      styleOverrides: {
+        root: {
+          color: '#c9d1d9',
+        },
+      },
+    },
+    MuiDialogContent: {
+      styleOverrides: {
+        root: {
+          color: '#c9d1d9',
+        },
+      },
+    },
+    MuiDialogContentText: {
+      styleOverrides: {
+        root: {
+          color: '#8b949e',
+        },
+      },
+    },
+    MuiIconButton: {
+      styleOverrides: {
+        root: {
+          color: '#8b949e',
+          '&:hover': {
+            backgroundColor: 'rgba(177, 186, 196, 0.12)',
+          },
+        },
+      },
+    },
+    MuiDivider: {
+      styleOverrides: {
+        root: {
+          borderColor: '#30363d',
+        },
+      },
+    },
+    MuiMenuItem: {
+      styleOverrides: {
+        root: {
+          color: '#c9d1d9',
+          '&:hover': {
+            backgroundColor: 'rgba(177, 186, 196, 0.12)',
+          },
+          '&.Mui-selected': {
+            backgroundColor: '#161b22',
+            '&:hover': {
+              backgroundColor: 'rgba(177, 186, 196, 0.12)',
+            },
+          },
+        },
+      },
+    },
+    MuiMenu: {
+      styleOverrides: {
+        paper: {
+          backgroundColor: '#161b22',
+        },
+      },
+    },
+    MuiTooltip: {
+      styleOverrides: {
+        tooltip: {
+          backgroundColor: '#161b22',
+          color: '#c9d1d9',
+          border: '1px solid #30363d',
+        },
+      },
+    },
+    MuiSelect: {
+      styleOverrides: {
+        icon: {
+          color: '#8b949e',
+        },
+      },
+    },
+    MuiFormLabel: {
+      styleOverrides: {
+        root: {
+          color: '#8b949e',
+          '&.Mui-focused': {
+            color: '#58a6ff',
+          },
+        },
+      },
+    },
+    MuiFormHelperText: {
+      styleOverrides: {
+        root: {
+          color: '#8b949e',
+        },
+      },
+    },
     // Override Backstage specific components if necessary
     BackstageHeader: {
       styleOverrides: {
diff --git a/UI/packages/backend/Dockerfile b/UI/packages/backend/Dockerfile
index b66be693..ded9521a 100644
--- a/UI/packages/backend/Dockerfile
+++ b/UI/packages/backend/Dockerfile
@@ -50,7 +50,7 @@ RUN tar xzf skeleton.tar.gz && rm skeleton.tar.gz
 
 # Install dependencies
 RUN --mount=type=cache,target=/home/node/.cache/yarn,sharing=locked,uid=1000,gid=1000 \
-    yarn workspaces focus --all --production && rm -rf "$(yarn cache clean)"
+    yarn workspaces focus --all --production && yarn cache clean
 
 # Copy the backend bundle
 COPY --chown=node:node packages/backend/dist/bundle.tar.gz app-config.yaml ./
diff --git a/UI/packages/backend/package.json b/UI/packages/backend/package.json
index 7b192693..ab78793b 100644
--- a/UI/packages/backend/package.json
+++ b/UI/packages/backend/package.json
@@ -16,38 +16,38 @@
     "build-image": "docker build ../.. -f Dockerfile --tag backstage"
   },
   "dependencies": {
-    "@backstage/backend-defaults": "^0.13.1",
+    "@backstage/backend-defaults": "^0.14.0",
     "@backstage/config": "^1.3.6",
-    "@backstage/plugin-app-backend": "^0.5.8",
-    "@backstage/plugin-auth-backend": "^0.25.6",
-    "@backstage/plugin-auth-backend-module-github-provider": "^0.3.9",
-    "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.14",
-    "@backstage/plugin-auth-backend-module-oidc-provider": "^0.4.9",
-    "@backstage/plugin-auth-node": "^0.6.9",
-    "@backstage/plugin-catalog-backend": "^3.2.0",
-    "@backstage/plugin-catalog-backend-module-github": "^0.11.2",
-    "@backstage/plugin-catalog-backend-module-github-org": "^0.3.16",
-    "@backstage/plugin-catalog-backend-module-incremental-ingestion": "^0.7.6",
-    "@backstage/plugin-catalog-backend-module-logs": "^0.1.16",
-    "@backstage/plugin-catalog-backend-module-scaffolder-entity-model": "^0.2.14",
-    "@backstage/plugin-events-backend-module-github": "^0.4.6",
-    "@backstage/plugin-kubernetes-backend": "^0.20.4",
-    "@backstage/plugin-notifications-backend": "^0.6.0",
-    "@backstage/plugin-permission-backend": "^0.7.6",
-    "@backstage/plugin-permission-backend-module-allow-all-policy": "^0.2.14",
+    "@backstage/plugin-app-backend": "^0.5.9",
+    "@backstage/plugin-auth-backend": "^0.25.7",
+    "@backstage/plugin-auth-backend-module-github-provider": "^0.4.0",
+    "@backstage/plugin-auth-backend-module-guest-provider": "^0.2.15",
+    "@backstage/plugin-auth-backend-module-oidc-provider": "^0.4.10",
+    "@backstage/plugin-auth-node": "^0.6.10",
+    "@backstage/plugin-catalog-backend": "^3.3.0",
+    "@backstage/plugin-catalog-backend-module-github": "^0.12.0",
+    "@backstage/plugin-catalog-backend-module-github-org": "^0.3.17",
+    "@backstage/plugin-catalog-backend-module-incremental-ingestion": "^0.7.7",
+    "@backstage/plugin-catalog-backend-module-logs": "^0.1.17",
+    "@backstage/plugin-catalog-backend-module-scaffolder-entity-model": "^0.2.15",
+    "@backstage/plugin-events-backend-module-github": "^0.4.7",
+    "@backstage/plugin-kubernetes-backend": "^0.21.0",
+    "@backstage/plugin-notifications-backend": "^0.6.1",
+    "@backstage/plugin-permission-backend": "^0.7.7",
+    "@backstage/plugin-permission-backend-module-allow-all-policy": "^0.2.15",
     "@backstage/plugin-permission-common": "^0.9.3",
-    "@backstage/plugin-permission-node": "^0.10.6",
-    "@backstage/plugin-proxy-backend": "^0.6.8",
-    "@backstage/plugin-scaffolder-backend": "^3.0.1",
-    "@backstage/plugin-scaffolder-backend-module-github": "^0.9.2",
-    "@backstage/plugin-scaffolder-backend-module-notifications": "^0.1.16",
-    "@backstage/plugin-search-backend": "^2.0.8",
-    "@backstage/plugin-search-backend-module-catalog": "^0.3.10",
-    "@backstage/plugin-search-backend-module-pg": "^0.5.50",
-    "@backstage/plugin-search-backend-module-techdocs": "^0.4.8",
-    "@backstage/plugin-search-backend-node": "^1.3.17",
-    "@backstage/plugin-signals-backend": "^0.3.10",
-    "@backstage/plugin-techdocs-backend": "^2.1.2",
+    "@backstage/plugin-permission-node": "^0.10.7",
+    "@backstage/plugin-proxy-backend": "^0.6.9",
+    "@backstage/plugin-scaffolder-backend": "^3.1.0",
+    "@backstage/plugin-scaffolder-backend-module-github": "^0.9.3",
+    "@backstage/plugin-scaffolder-backend-module-notifications": "^0.1.17",
+    "@backstage/plugin-search-backend": "^2.0.9",
+    "@backstage/plugin-search-backend-module-catalog": "^0.3.11",
+    "@backstage/plugin-search-backend-module-pg": "^0.5.51",
+    "@backstage/plugin-search-backend-module-techdocs": "^0.4.9",
+    "@backstage/plugin-search-backend-node": "^1.4.0",
+    "@backstage/plugin-signals-backend": "^0.3.11",
+    "@backstage/plugin-techdocs-backend": "^2.1.3",
     "@kyverno/backstage-plugin-policy-reporter-backend": "^2.1.4",
     "@roadiehq/backstage-plugin-argo-cd-backend": "^4.5.1",
     "app": "link:../app",
@@ -56,7 +56,7 @@
     "pg": "^8.11.3"
   },
   "devDependencies": {
-    "@backstage/cli": "^0.34.5"
+    "@backstage/cli": "^0.35.1"
   },
   "files": [
     "dist"
diff --git a/load-test-gateway.js b/load-test-gateway.js
new file mode 100644
index 00000000..63e35f67
--- /dev/null
+++ b/load-test-gateway.js
@@ -0,0 +1,28 @@
+import http from 'k6/http';
+import { check } from 'k6';
+
+const TARGET_URL = __ENV.TARGET_URL || 'https://backstage.192-168-65-16.nip.io';
+
+export const options = {
+  scenarios: {
+    stress: {
+      executor: 'constant-vus',
+      vus: 300,
+      duration: '2m',
+    },
+  },
+  thresholds: {
+    http_req_duration: ['p(95)<200'], // Goal: p95 should be under 200ms
+  },
+  insecureSkipTLSVerify: true,
+};
+
+export default function () {
+  // Catalog API is heavier than the home page
+  const res = http.get(`${TARGET_URL}/api/catalog/entities`);
+  
+  check(res, {
+    'status is 200': (r) => r.status === 200,
+  });
+  // No sleep - maximum pressure
+}
diff --git a/merge-conflict.md b/merge-conflict.md
new file mode 100644
index 00000000..d64b70ce
--- /dev/null
+++ b/merge-conflict.md
@@ -0,0 +1,352 @@
+# Merge Conflict Resolution Strategy: `main` as Base (PR #77)
+
+## Strategic Pivot
+
+**Original Strategy:** Merge `main` → `update-docs` (hybrid approach)
+**New Strategy:** Keep `main` as base, cherry-pick valuable changes from `update-docs`
+
+**Rationale:** `main` contains 1500+ lines of critical architecture documentation and operational fixes that cannot be safely merged into the restructured `update-docs`. Inverting the strategy minimizes risk.
+
+## Overview
+This document analyzes what can be rescued from `update-docs` when `main` is kept as the foundation. Changes are classified by integration complexity and value.
+
+## Rescuable Changes from `update-docs` (Classified)
+
+### Category 1: Directly Rescuable (Low Risk, High Value)
+
+These changes can be cherry-picked or copied directly onto `main` with minimal/no conflict:
+
+#### 1.1 GitHub Actions Workflows (Complete Replacement)
+**Location:** `.github/workflows/`, `.github/dependabot.yml`, `.github/labeler.yml`, `.github/pull_request_template.md`, Issue templates
+
+**Value:** Production-grade CI/CD pipeline with:
+- **CI improvements:**
+  - Path-based change detection (docs-only vs full build)
+  - Concurrency control (cancel-in-progress)
+  - Matrix builds for docker targets (dev/minimal/ops/portal)
+  - Quality gates: lint, security scans, validations
+  - Conditional Helm docs generation on `values.yaml` changes
+  - PR-only execution (not on push to main)
+- **Auto-merge workflow** with CodeRabbit integration
+- **Docs deployment** workflow
+- **Auto-labeler** for PRs
+- **Stale issue management**
+
+**Action:** Copy entire `.github/` directory from `update-docs` → `main`
+
+**Risk:** None. `main` has minimal `.github/` content.
+
+---
+
+#### 1.2 Configuration Management (`config.toml`)
+**Location:** `config.toml` (root)
+
+**Value:** Centralized configuration for:
+- Cluster settings (name, network, nodeports)
+- Feature fuses (policies, security, observability, cicd, backstage, prod)
+- Component versions (Cilium, Cert-Manager, Vault, etc.)
+- Operational timeouts
+- Git repository settings
+- ArgoCD sync configuration
+- Registry credentials
+
+**Action:** Copy `config.toml` from `update-docs` → `main`
+
+**Risk:** Low. File doesn't exist in `main`.
+
+---
+
+#### 1.3 Docker Bake Configuration Enhancements
+**Location:** `docker-bake.hcl`
+
+**Changes:**
+- Adds `ops` target (cluster utility jobs)
+- Adds `dev-portal` target (Backstage backend)
+- Proper variant tagging (`:minimal`, `:ops`, `:latest`)
+- Separate release targets for each variant
+
+**Action:** Apply diff from `update-docs` → `main`
+
+**Risk:** Low. Changes are additive.
+
+---
+
+#### 1.4 Backstage Developer Portal (Complete UI/Backend)
+**Location:** `UI/packages/app/*`, `UI/packages/backend/*`
+
+**Value:** Full Backstage implementation:
+- Frontend: React app with Primer theme, catalog, search
+- Backend: Node.js server with Dockerfile
+- E2E tests with Playwright
+- Complete package configuration
+
+**Action:** Copy entire `UI/packages/` directory from `update-docs` → `main`
+
+**Risk:** None. Directory doesn't exist in `main`.
+
+---
+
+#### 1.5 Load Testing Script
+**Location:** `load-test-gateway.js` (root)
+
+**Value:** K6-compatible script for Gateway API load testing
+
+**Action:** Copy file from `update-docs` → `main`
+
+**Risk:** None.
+
+---
+
+### Category 2: Indirectly Rescuable (Requires Adaptation)
+
+These changes have valuable intent but conflict with `main` or require manual integration:
+
+#### 2.1 Taskfile UX Improvements (`internal` flags)
+**Location:** `Taskfile.yaml`, `Task/*.yaml` (9 files)
+
+**Value in `update-docs`:**
+- Adds `internal: true` to ~30 tasks (cleaner `task --list` output)
+- Adds global `dotenv: [".env"]` for environment loading
+- Refactored task structure (e.g., `deploy-core` as internal logic)
+
+**Conflict:** `main` has new tasks and operational logic (294 lines in `bootstrap.yaml` alone)
+
+**Rescue Strategy:**
+1. **Manual review:** Identify which tasks in `main` should be marked `internal: true`
+2. **Apply selectively:** Add `internal` flags to low-level tasks (apply-*, preload-*, etc.)
+3. **Keep `main` logic:** Do NOT alter `cmds:` or operational steps
+4. **Add `dotenv`:** Safe to add global dotenv declaration
+
+**Risk:** Medium. Requires line-by-line review to avoid breaking functionality.
+
+**Estimated Effort:** 2-3 hours manual work across 9 files.
+
+---
+
+#### 2.2 Documentation Reorganization (concepts → implementation)
+**Location:** `Docs/src/content/docs/`
+
+**Value in `update-docs`:**
+- Renamed `concepts/` → `implementation/` (semantic clarity)
+- Moved `components/` → `implementation/components/` (logical grouping)
+
+**Conflict:** `main` added 1500+ lines to `architecture/` and created `architecture/observability.mdx` (which replaces deleted `concepts/observability.mdx`)
+
+**Rescue Strategy:**
+1. **Defer restructure:** Keep `main` structure as-is
+2. **Track as future work:** Create issue for "Reorganize docs structure" referencing `update-docs` branch
+3. **Preserve intent:** Document that `concepts/` should become `implementation/` in future refactor
+
+**Risk:** High if attempted now. Low if deferred.
+
+**Recommendation:** **Do not rescue.** Architecture work in `main` supersedes this. Consider for post-merge cleanup.
+
+---
+
+### Category 3: Not Rescuable (Obsolete or Redundant)
+
+#### 3.1 Lockfiles
+**Location:** `UI/yarn.lock`, `Docs/pnpm-lock.yaml`
+
+**Reason:** Will be regenerated on `pnpm install` / `yarn install`
+
+---
+
+#### 3.2 Deleted Files
+**Location:** Various scripts/docs
+
+**Files:**
+- `docs/LABELS_STANDARD.md` (deleted in `update-docs`)
+- `scripts/helm-docs-common.sh` (deleted)
+- `scripts/validate-consistency.sh` (deleted)
+- `list-docs.md` (deleted)
+
+**Reason:** Potentially obsolete or superseded. Would require investigation to confirm if deletions are safe.
+
+**Recommendation:** Keep in `main` until proven obsolete.
+
+---
+
+## Execution Plan (Cherry-Pick Strategy)
+
+### Phase 1: Direct Integrations (Safe)
+1. Copy `.github/` directory from `update-docs` → `main`
+2. Copy `config.toml` from `update-docs` → `main`
+3. Apply `docker-bake.hcl` diff
+4. Copy `UI/packages/` directory
+5. Copy `load-test-gateway.js`
+6. Commit: `feat: integrate CI/CD pipeline, config management, and Backstage UI from PR #77`
+
+### Phase 2: Task UX Improvements (Manual)
+1. Create feature branch: `feat/task-ux-improvements`
+2. For each `Task/*.yaml` and `Taskfile.yaml`:
+   - Compare `main` vs `update-docs`
+   - Add `internal: true` to low-level tasks
+   - Preserve all `cmds:` logic from `main`
+3. Add global `dotenv: [".env"]` to `Taskfile.yaml`
+4. Test: `task --list` should show only user-facing tasks
+5. Commit: `feat: improve Taskfile UX with internal flags (from PR #77)`
+
+### Phase 3: Future Work (Deferred)
+1. Create issue: "Reorganize docs structure (concepts → implementation)"
+   - Reference: PR #77 (`update-docs` branch)
+   - Rationale: Semantic clarity, logical grouping
+   - Blockers: Conflicts with architecture/ content in `main`
+   - Estimated effort: 4-6 hours
+2. Create issue: "Audit deleted scripts from PR #77"
+   - Files: `helm-docs-common.sh`, `validate-consistency.sh`
+   - Action: Confirm if still needed or obsolete
+
+---
+
+## Verification Steps
+
+After Phase 1:
+- Run `task quality:check` to verify no regressions
+- Test GitHub Actions in PR (CI should pass)
+- Verify `config.toml` loads correctly: `task deploy` should read config
+- Build Backstage UI: `cd UI && yarn install && yarn build`
+- Run load test: `k6 run load-test-gateway.js` (once cluster is up)
+
+After Phase 2:
+- Run `task --list` → Should show ~15 user-facing tasks (not 40+)
+- Run key tasks: `task deploy`, `task destroy`, `task quality:check`
+- Verify `.env` loading works if present
+
+---
+
+## Summary Table (New Strategy)
+
+| Component | `update-docs` Value | Rescue Strategy | Priority |
+| :--- | :--- | :--- | :---: |
+| **GitHub Actions** | Production CI/CD pipeline | **Direct copy** | **P0** |
+| **config.toml** | Centralized configuration | **Direct copy** | **P0** |
+| **docker-bake.hcl** | Multi-target builds | **Direct apply** | **P0** |
+| **Backstage UI** | Complete implementation | **Direct copy** | **P0** |
+| **load-test-gateway.js** | Load testing tool | **Direct copy** | **P1** |
+| **Task `internal` flags** | Better UX | **Manual integration** | **P1** |
+| **Docs restructure** | Semantic clarity | **Defer (create issue)** | **P2** |
+| **Deleted scripts** | Potential cleanup | **Investigate first** | **P3** |
+
+**Priority Legend:** P0 = Critical, P1 = High value, P2 = Future work, P3 = Nice to have
+
+---
+
+## Appendix: Detailed File Mapping (Historical Reference)
+
+> **Note:** The mapping below was created for the original "merge main → update-docs" strategy. It's preserved for reference but is no longer the execution strategy.
+
+### A. Documentation Structure Changes
+
+#### A.1 Directory Reorganization
+| Old Path (`main`) | New Path (`update-docs`) | Action |
+| :--- | :--- | :--- |
+| `Docs/src/content/docs/concepts/` | `Docs/src/content/docs/implementation/` | **Renamed** |
+| `Docs/src/content/docs/components/` | `Docs/src/content/docs/implementation/components/` | **Moved** |
+
+#### A.2 Concept Files → Implementation Files
+| File in `main` (old path) | File in `update-docs` (new path) | Similarity | Action |
+| :--- | :--- | :---: | :--- |
+| `concepts/cicd.mdx` | `implementation/cicd.mdx` | 100% | Keep `update-docs` structure |
+| `concepts/design-philosophy.mdx` | `implementation/design-philosophy.mdx` | 95% | Apply `main` content edits |
+| `concepts/gitops-model.mdx` | `implementation/gitops-model.mdx` | 100% | Keep `update-docs` |
+| `concepts/networking-gateway.mdx` | `implementation/networking-gateway.mdx` | 97% | Apply `main` content edits |
+| `concepts/scheduling-nodepools.mdx` | `implementation/scheduling-nodepools.mdx` | 100% | Keep `update-docs` |
+| `concepts/security-policy-model.mdx` | `implementation/security-policy-model.mdx` | 97% | Apply `main` content edits |
+| `concepts/observability.mdx` | **DELETED in `update-docs`** | N/A | **Split into architecture/ files** |
+| `concepts/index.mdx` | **DELETED in `update-docs`** | N/A | **New index created** |
+
+#### A.3 Component Files → Implementation/Components Files
+| File in `main` | File in `update-docs` | Similarity | Action |
+| :--- | :--- | :---: | :--- |
+| `components/cicd/argo-workflows.mdx` | `implementation/components/cicd/argo-workflows.mdx` | 89% | **Apply `main` content** |
+| `components/cicd/index.mdx` | `implementation/components/cicd/index.mdx` | 100% | Keep |
+| `components/cicd/sonarqube.mdx` | `implementation/components/cicd/sonarqube.mdx` | 92% | **Apply `main` content** |
+| `components/developer-portal/backstage.mdx` | `implementation/components/developer-portal/backstage.mdx` | 100% | Keep |
+| `components/developer-portal/index.mdx` | `implementation/components/developer-portal/index.mdx` | 100% | Keep |
+| `components/eventing/argo-events.mdx` | `implementation/components/eventing/argo-events.mdx` | 96% | Apply edits |
+| `components/eventing/index.mdx` | `implementation/components/eventing/index.mdx` | 100% | Keep |
+| `components/infrastructure/argocd.mdx` | `implementation/components/infrastructure/argocd.mdx` | 90% | **Apply `main` content** |
+| `components/infrastructure/cert-manager.mdx` | `implementation/components/infrastructure/cert-manager.mdx` | 93% | Apply edits |
+| `components/infrastructure/cilium.mdx` | `implementation/components/infrastructure/cilium.mdx` | 94% | Apply edits |
+| `components/infrastructure/external-secrets.mdx` | `implementation/components/infrastructure/external-secrets.mdx` | 92% | Apply edits |
+| `components/infrastructure/gateway-api.mdx` | `implementation/components/infrastructure/gateway-api.mdx` | 94% | Apply edits |
+| `components/infrastructure/index.mdx` | `implementation/components/infrastructure/index.mdx` | 100% | Keep |
+| `components/infrastructure/vault.mdx` | `implementation/components/infrastructure/vault.mdx` | 92% | Apply edits |
+| `components/observability/fluent-bit.mdx` | `implementation/components/observability/fluent-bit.mdx` | 87% | **Apply `main` content** |
+| `components/observability/grafana.mdx` | `implementation/components/observability/grafana.mdx` | 95% | Apply edits |
+| `components/observability/index.mdx` | `implementation/components/observability/index.mdx` | 100% | Keep |
+| `components/observability/loki.mdx` | `implementation/components/observability/loki.mdx` | 88% | **Apply `main` content** |
+| `components/observability/prometheus.mdx` | `implementation/components/observability/prometheus.mdx` | 89% | **Apply `main` content** |
+| `components/observability/pyrra.mdx` | `implementation/components/observability/pyrra.mdx` | 95% | Apply edits |
+| `components/policy/index.mdx` | `implementation/components/policy/index.mdx` | 100% | Keep |
+| `components/policy/kyverno.mdx` | `implementation/components/policy/kyverno.mdx` | 91% | Apply edits |
+| `components/policy/policy-reporter.mdx` | `implementation/components/policy/policy-reporter.mdx` | 90% | Apply edits |
+| `components/security/index.mdx` | `implementation/components/security/index.mdx` | 100% | Keep |
+| `components/security/trivy.mdx` | `implementation/components/security/trivy.mdx` | 91% | Apply edits |
+
+**Note:** Files with similarity < 90% require **careful manual review** during merge.
+
+#### A.4 Architecture Files (Heavy Changes in `main`)
+These files in `architecture/` have **massive content additions** in `main` (100-250+ lines):
+
+| File | Lines Added in `main` | Action |
+| :--- | :---: | :--- |
+| `architecture/applications.mdx` | +231 | **Accept `main` version** |
+| `architecture/bootstrap.mdx` | +117 | **Accept `main` version** |
+| `architecture/driven-by-events.mdx` | +236 | **Accept `main` version** |
+| `architecture/infrastructure.mdx` | +188 | **Accept `main` version** |
+| `architecture/observability.mdx` | **NEW** | **Accept `main` version** |
+| `architecture/overview.mdx` | +142 | **Accept `main` version** |
+| `architecture/policies.mdx` | +151 | **Accept `main` version** |
+| `architecture/portal.mdx` | +258 | **Accept `main` version** |
+| `architecture/secrets.mdx` | +144 | **Accept `main` version** |
+
+**Plus 40+ new diagram files** (.d2 and .svg) in `assets/diagrams/architecture/` — **Accept all from `main`**.
+
+### B. Task Files (Hybrid Merge Required)
+
+All Task files have changes in **both branches**:
+
+| File | `main` Changes | `update-docs` Changes | Strategy |
+| :--- | :--- | :--- | :--- |
+| `Taskfile.yaml` | New global tasks | Refactored structure, `internal` flags | **Hybrid: Structure from `update-docs` + Logic from `main`** |
+| `Task/bootstrap.yaml` | 294 lines (new steps) | `internal: true` flags, cleanup | **Hybrid: Structure from `update-docs` + Steps from `main`** |
+| `Task/docs.yaml` | Logic updates | Refactored params | **Hybrid** |
+| `Task/image.yaml` | New commands | Structure cleanup | **Hybrid** |
+| `Task/k3d.yaml` | K3d tweaks | Refactored params | **Hybrid** |
+| `Task/quality.yaml` | New checks | Structure cleanup | **Hybrid** |
+| `Task/stacks.yaml` | New stacks | Refactored structure | **Hybrid** |
+| `Task/utils.yaml` | New utilities | Cleanup | **Hybrid** |
+| `Task/_internal.yaml` | Modified | Modified | **Hybrid** |
+
+**Critical:** Task files require **line-by-line manual merge** preserving:
+- `internal: true` flags from `update-docs`
+- New `cmds:` and logic from `main`
+
+### C. Kubernetes Values (Favor `main`)
+
+| File | Change Type | Action |
+| :--- | :--- | :--- |
+| `K8s/observability/kube-prometheus-stack/values.yaml` | `main`: symlink → real file (456 lines) | **Accept `main` version** |
+| `K8s/observability/loki/values.yaml` | Modified in both | **Accept `main` version** |
+
+**Rationale:** `main` contains critical SLO configurations, resource limits, and Alertmanager webhook configs required for platform stability.
+
+### D. Diagram Assets (Renamed in `update-docs`)
+
+**18 diagram pairs** (.d2 + .svg) moved from `concepts/` → `implementation/`:
+
+```
+assets/diagrams/concepts/backbone-loops.*           → assets/diagrams/implementation/backbone-loops.*
+assets/diagrams/concepts/design-philosophy-flow.*   → assets/diagrams/implementation/design-philosophy-flow.*
+assets/diagrams/concepts/gitops-appprojects-appsets.* → assets/diagrams/implementation/gitops-appprojects-appsets.*
+assets/diagrams/concepts/gitops-bootstrap-vs-gitops.* → assets/diagrams/implementation/gitops-bootstrap-vs-gitops.*
+assets/diagrams/concepts/gitops-eventing.*          → assets/diagrams/implementation/gitops-eventing.*
+assets/diagrams/concepts/networking-big-picture.*   → assets/diagrams/implementation/networking-big-picture.*
+assets/diagrams/concepts/networking-detailed-architecture.* → assets/diagrams/implementation/networking-detailed-architecture.*
+assets/diagrams/concepts/node-scheduling-priorities.* → assets/diagrams/implementation/node-scheduling-priorities.*
+assets/diagrams/concepts/scheduling-architecture.*  → assets/diagrams/implementation/scheduling-architecture.*
+```
+
+**Action:** Git will auto-detect renames (R100). No manual intervention required for these.