chore: WIP pre-implement cycle 14 baseline

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/02_document/deployment/ci_cd_pipeline.md

@@ -2,15 +2,24 @@
 
 ## Platform
 
-**CI Server**: Woodpecker CI (self-hosted)
-**Agent architecture**: ARM64 (AMD64 prepared but not yet active)
+**CI Server**: Woodpecker CI (self-hosted) — see suite [`_infra/ci/README.md`](../../../../_infra/ci/README.md) for agent install and registry wiring.
+
+| Agent pool | Woodpecker label | Host | Role for this repo |
+|------------|------------------|------|-------------------|
+| ARM64 | `platform: arm64` | Colocated with CI server (Jetson) | Unit tests (`01-test`); builds `{branch}-arm` images |
+| AMD64 | `platform: amd64` | Separate remote host | Builds `{branch}-amd64` images consumed by production deploy |
+
+**Developer machine**: Apple Silicon Mac (M1/M2/M3, `darwin/arm64`). Local Docker runs native `linux/arm64` — see [tests/environment.md](../tests/environment.md) § Platform.
 
 ## Pipeline Stages
 
 ```mermaid
 flowchart LR
-    Push[Push/PR to dev/stage/main] --> Test[01-test]
-    Test --> Build[02-build-push]
+    Push[Push/PR to dev/stage/main] --> Test[01-test arm64]
+    Test --> BuildArm[02-build-push arm64]
+    Test --> BuildAmd[02-build-push amd64]
+    BuildArm --> RegistryArm["registry … :branch-arm"]
+    BuildAmd --> RegistryAmd["registry … :branch-amd64"]
 ```
 
 ### 01-test (Unit Tests)
@@ -19,31 +28,41 @@ flowchart LR
 |----------|-------|
 | Trigger | push, pull_request, manual |
 | Branches | dev, stage, main |
-| Image | mcr.microsoft.com/dotnet/sdk:10.0 (was `:8.0` through cycle 3 — bumped by AZ-500) |
+| Agent | `platform: arm64` only (unit tests are arch-neutral; suite convention) |
+| Image | `mcr.microsoft.com/dotnet/sdk:10.0` |
 | Steps | `dotnet restore` → `dotnet test` (Release config) |
 | Output | TRX test results |
 
+Integration and perf suites are **not** run in CI — they run locally via `scripts/run-tests.sh` and `scripts/run-performance-tests.sh` (Docker Compose).
+
 ### 02-build-push (Docker Build & Push)
 
 | Property | Value |
 |----------|-------|
 | Trigger | push, manual |
 | Branches | dev, stage, main |
-| Depends on | 01-test (must pass) |
+| Depends on | `01-test` (must pass) |
+| Agent | `matrix:` fans out to `arm64` and `amd64` |
 | Image | docker (DinD via socket mount) |
-| Tag format | `{branch}-arm` (e.g., `dev-arm`) |
-| Registry | Private (from secrets: registry_host, registry_user, registry_token) |
+| Dockerfile | `SatelliteProvider.Api/Dockerfile` (same file for both arches — multi-arch base images) |
+| Tag format | `{branch}-arm` (arm64 agent), `{branch}-amd64` (amd64 agent) |
+| Registry | Gitea OCI via Caddy TLS (`registry_host`, `registry_user`, `registry_token` secrets) |
 
 ## Multi-Architecture Strategy
 
-- Currently: ARM64 only
-- Prepared: AMD64 entry commented out in matrix
-- Tag suffix distinguishes architectures (`-arm`, `-amd`)
+Follows the suite Woodpecker contract (`matrix:` + `labels: platform: ${PLATFORM}`):
+
+| Matrix entry | Agent | Registry tag | Deploy consumer |
+|--------------|-------|--------------|-----------------|
+| `PLATFORM: arm64`, `TAG_SUFFIX: arm` | Colocated Jetson agent | e.g. `dev-arm` | Not used by current deploy profiles |
+| `PLATFORM: amd64`, `TAG_SUFFIX: amd64` | Remote amd64 agent | e.g. `dev-amd64` | [`suite/_infra/deploy/satellite-provider/`](../../../../_infra/deploy/satellite-provider/) — Watchtower tracks `${BRANCH}-amd64` |
+
+Production deploy is **amd64-only** (dedicated satellite-provider host). The arm64 build validates that the Dockerfile and gRPC proto codegen path work on the colocated agent.
 
 ## Secrets
 
 | Secret | Purpose |
 |--------|---------|
-| registry_host | Container registry URL |
-| registry_user | Registry username |
-| registry_token | Registry password/token |
+| registry_host | Container registry URL (Gitea + Caddy, host:port) |
+| registry_user | Registry username (`azaion`) |
+| registry_token | Gitea `ci-push` PAT (`write:package`) |

_docs/02_document/deployment/containerization.md

@@ -5,6 +5,9 @@
 **Base image**: `mcr.microsoft.com/dotnet/aspnet:10.0` (was `:8.0` through cycle 3 — bumped by AZ-500)
 **Build image**: `mcr.microsoft.com/dotnet/sdk:10.0` (was `:8.0` through cycle 3 — bumped by AZ-500)
 **Build strategy**: Multi-stage (restore → build → publish → runtime)
+**Target platform**: Native host architecture — no `platform:` pins in compose. **Mac M1** dev and the Woodpecker **arm64** agent run `linux/arm64`; the Woodpecker **amd64** agent runs `linux/amd64` for production images. On arm64, Docker build stages install Debian `protobuf-compiler` and set `PROTOBUF_PROTOC` (bundled `Grpc.Tools` protoc segfaults). See [tests/environment.md](../tests/environment.md) § Platform and [ci_cd_pipeline.md](ci_cd_pipeline.md) § Multi-Architecture Strategy.
+
+**Registry tags** (Woodpecker `02-build-push`): `{branch}-arm` (arm64 agent), `{branch}-amd64` (amd64 agent). Production deploy (`suite/_infra/deploy/satellite-provider/`) pulls `${BRANCH}-amd64` via Watchtower.
 **Exposed ports**: 8080 (HTTP), 8081 (management/metrics)
 
 ## Container Composition (docker-compose.yml)