docs: add getting-started guide + refresh README quickstart

New docs/getting-started.md (254 lines) walks an outside reader from
clone to running app in ~10 minutes:
- Service inventory table (9 components, host vs docker, ports)
- Prerequisites (Docker, .NET 8, Node 20+, pnpm)
- One-time setup (env files, deps, nuget restore)
- Run order: infra → migrations+seed → 2 backend APIs → 2 frontend apps
- URLs + dev auth flow (cookie via /dev/sign-in, header for curl)
- Tests (backend dotnet test, frontend nx test/lint/e2e, contract drift)
- Troubleshooting (port in use, stale Vite optimized-deps, SQL refused)
- Tear-down (docker compose down [-v])

README.md:
- Status line refreshed: sub-projects 1-11 complete (was 1-5)
- New "Running the project" section at the top with a short version
  + prominent link to docs/getting-started.md
- Docs index links project-plan/, getting-started.md, runbooks/
- Stack section: Angular 19 (was 18.2), Entra ID (was Keycloak)
- Removed the redundant in-place quickstart + ADR list (kept in adr/)

Author: Moamen Kilany

README.md

@@ -1,89 +1,51 @@
-# CCE — Circular Carbon Economy Knowledge Center (Phase 2)
+# CCE — Circular Carbon Economy Knowledge Center
 
 **Client:** Saudi Ministry of Energy — Sustainability & Climate Change Agency
-**Status:** Sub-projects 1–5 complete (`foundation-v0.1.0`, `data-domain-v0.1.0`, `internal-api-v0.1.0`, `external-api-v0.1.0`, `admin-cms-v0.1.0`); sub-projects 6–9 to follow.
+**Status:** Sub-projects 1–11 complete — foundation, data-domain, internal API, external API, admin CMS, web portal, knowledge maps, interactive city, smart assistant, app productionization + deployment + production infra, and Entra ID migration. See [project plan](project-plan/README.md).
 
-A bilingual (Arabic RTL / English LTR) knowledge hub for the Circular Carbon Economy, meeting Saudi **DGA** UX and accessibility standards. The full project decomposes into nine sub-projects — see the [roadmap](docs/roadmap.md).
+A bilingual (Arabic RTL / English LTR) knowledge hub for the Circular Carbon Economy, meeting Saudi **DGA** UX and accessibility standards.
 
-## Documentation
-
-- [Roadmap](docs/roadmap.md) — sub-project map, status, BRD references.
-- [Foundation design spec](project-plan/specs/2026-04-24-foundation-design.md)
-- [Architecture Decision Records](docs/adr/) — 38 ADRs covering Foundation through Sub-5 decisions.
-- [Sub-project briefs](docs/subprojects/)
-- [Requirements traceability](docs/requirements-trace.csv) — BRD section → sub-project mapping.
-- [Threat model](docs/threat-model.md) — STRIDE.
-- [A11y manual checklist](docs/a11y-checklist.md) — what axe-core can't catch.
-- [Contributing](CONTRIBUTING.md) — branch model, commit format, PR checklist.
-
-## Stack
-
-- **Backend:** .NET 8 LTS, EF Core 8, SQL Server 2022 (Azure SQL Edge in dev — see [ADR-0016](docs/adr/0016-azure-sql-edge-for-arm64-dev.md)), Redis 7, MediatR, FluentValidation, Serilog, Swashbuckle, Sentry.
-- **Frontend:** Angular 18.2, Angular Material 18, Bootstrap 5 (grid + utilities only — see [ADR-0003](docs/adr/0003-material-bootstrap-grid-dga-tokens.md)), ngx-translate, angular-auth-oidc-client, Nx 20, pnpm.
-- **Identity:** Keycloak 25 (dev OIDC); ADFS in prod — see [ADR-0006](docs/adr/0006-keycloak-as-adfs-stand-in.md).
-- **Local infra:** Docker Compose (SQL, Redis, Keycloak, MailDev, ClamAV).
-- **Contracts:** OpenAPI as single source of truth — [ADR-0009](docs/adr/0009-openapi-as-contract-source.md).
-
-## Quickstart
-
-Prerequisites: Docker Engine v26+ (OrbStack / Docker Desktop / Colima), Docker Compose v2, .NET 8 SDK, Node 20+, pnpm 9+, `nc`.
-
-### 1. Bootstrap env
-
-```bash
-cp .env.example .env
-grep -E '^(SQL_PASSWORD|REDIS_PASSWORD|KEYCLOAK_CLIENT_SECRET_|SENTRY_DSN)' .env.local.example >> .env
-```
-
-Edit `.env` to change `SQL_PASSWORD` if desired (must meet SQL Server complexity rules).
-
-### 2. Start infrastructure
+## ▶ Running the project
 
-```bash
-docker compose up -d
-docker compose ps   # all services should report (healthy) within ~2 min
-```
-
-Host-exposed ports:
-
-| Port | Service                                              |
-| ---- | ---------------------------------------------------- |
-| 1433 | SQL (Azure SQL Edge; SQL Server 2022-compatible)     |
-| 6379 | Redis 7                                              |
-| 8080 | Keycloak admin console (user `admin` / pass `admin`) |
-| 1080 | MailDev inbox UI                                     |
-| 1025 | MailDev SMTP endpoint                                |
-| 3310 | ClamAV daemon (TCP)                                  |
+**[Full setup guide → `docs/getting-started.md`](docs/getting-started.md)** — clone-to-running in 10 minutes.
 
-### 3. Build + test backend
+Short version:
 
 ```bash
-dotnet restore backend/CCE.sln
-dotnet build   backend/CCE.sln
-dotnet test    backend/CCE.sln
+git clone https://github.com/Azm-Tech/cce-platform.git && cd cce-platform
+cp .env.example .env && cp .env.local.example .env.local
+docker compose up -d                                                 # infra (SQL, Redis, Meilisearch, MailDev, ClamAV)
+pnpm install --frozen-lockfile && dotnet restore backend/CCE.sln
+dotnet run --project backend/src/CCE.Seeder -- --migrate --demo      # one-shot: migrate + seed demo data
+# Then in separate terminals:
+cd backend/src/CCE.Api.External && ASPNETCORE_ENVIRONMENT=Development dotnet run --urls=http://localhost:5001
+cd backend/src/CCE.Api.Internal && ASPNETCORE_ENVIRONMENT=Development dotnet run --urls=http://localhost:5002
+pnpm nx serve web-portal --port 4200
+pnpm nx serve admin-cms  --port 4201
 ```
 
-### 4. Build + test frontend
-
-```bash
-pnpm install --frozen-lockfile
-pnpm nx run-many -t lint,test
-pnpm nx run-many -t build
-pnpm nx run-many -t e2e   # Playwright + axe-core
-```
+Then open **http://localhost:4200** (public portal) and **http://localhost:4201** (admin). Sign in via dev auth: hit `http://localhost:5001/dev/sign-in?role=cce-user` or `http://localhost:5002/dev/sign-in?role=cce-admin`.
 
-### 5. Contract drift check
+## Documentation
 
-```bash
-./scripts/check-contracts-clean.sh
-```
+- **[Getting started](docs/getting-started.md)** — clone, run, sign in.
+- **[Project plan](project-plan/README.md)** — every sub-project's spec, master plan, phase plans, completion reports, release tags.
+- **[Roadmap](docs/roadmap.md)** — sub-project map, status, BRD references.
+- **[Architecture Decision Records](docs/adr/)** — 60+ ADRs covering foundation through Entra ID migration.
+- **[Sub-project briefs](docs/subprojects/)** — one-page summary per sub-project.
+- **[Runbooks](docs/runbooks/)** — backup/restore, DR promotion, secret rotation, env promotion, migrations, rollback.
+- **[Requirements traceability](docs/requirements-trace.csv)** — BRD section → sub-project mapping.
+- **[Threat model](docs/threat-model.md)** — STRIDE.
+- **[A11y manual checklist](docs/a11y-checklist.md)** — what axe-core can't catch.
+- **[Contributing](CONTRIBUTING.md)** — branch model, commit format, PR checklist.
 
-### 6. Tear down
+## Stack
 
-```bash
-docker compose down       # keeps volumes
-docker compose down -v    # destroys all local data
-```
+- **Backend:** .NET 8 LTS, EF Core 8, SQL Server 2022 (Azure SQL Edge on arm64 — see [ADR-0016](docs/adr/0016-azure-sql-edge-for-arm64-dev.md)), Redis 7, Meilisearch, MediatR, FluentValidation, Serilog, Swashbuckle, Sentry.
+- **Frontend:** Angular 19, Angular Material 18, Bootstrap 5 (grid + utilities only — see [ADR-0003](docs/adr/0003-material-bootstrap-grid-dga-tokens.md)), ngx-translate, angular-auth-oidc-client, Nx 20, pnpm.
+- **Identity:** Microsoft Entra ID (multi-tenant, Microsoft.Identity.Web + Graph SDK) in prod; dev mode uses a header/cookie shim — see [Sub-11 spec](project-plan/specs/2026-05-04-sub-11-design.md).
+- **Local infra:** Docker Compose (SQL, Redis, Meilisearch, MailDev, ClamAV).
+- **Contracts:** OpenAPI as single source of truth — [ADR-0009](docs/adr/0009-openapi-as-contract-source.md).
 
 ## Repository layout
 

docs/getting-started.md

@@ -0,0 +1,254 @@
+# Getting Started
+
+Run the full CCE platform on your laptop in ~10 minutes — infra (SQL, Redis, Meilisearch, MailDev, ClamAV) + two .NET 8 APIs + two Angular 19 apps.
+
+> **TL;DR:** clone → `cp .env.example .env && cp .env.local.example .env.local` → `docker compose up -d` → `dotnet run --project backend/src/CCE.Seeder -- --migrate --demo` → start the 4 apps below → open **http://localhost:4200** (public portal) and **http://localhost:4201** (admin console).
+
+---
+
+## What you'll be running
+
+| # | Component | Stack | URL | Port |
+|---|---|---|---|---|
+| 1 | SQL Server 2022 | Azure SQL Edge (arm64) / SQL Server (x64) | `localhost,1433` | 1433 |
+| 2 | Redis 7 | distributed cache + rate limiter | `localhost:6379` | 6379 |
+| 3 | Meilisearch | full-text search | `http://localhost:7700` | 7700 |
+| 4 | MailDev | local SMTP inbox | `http://localhost:1080` | 1080 / 1025 |
+| 5 | ClamAV | antivirus daemon for uploads | `localhost:3310` | 3310 |
+| 6 | **External API** | .NET 8 minimal-API (BFF for public portal) | `http://localhost:5001` | 5001 |
+| 7 | **Internal API** | .NET 8 minimal-API (admin) | `http://localhost:5002` | 5002 |
+| 8 | **Web portal** | Angular 19 (public) | `http://localhost:4200` | 4200 |
+| 9 | **Admin CMS** | Angular 19 (back-office) | `http://localhost:4201` | 4201 |
+
+Services 1–5 run in Docker. Services 6–9 run on the host so hot-reload works.
+
+---
+
+## Prerequisites
+
+- **Docker** v26+ (OrbStack, Docker Desktop, or Colima) with **Docker Compose v2**
+- **.NET 8 SDK** (`dotnet --version` ≥ 8.0)
+- **Node.js** 20+ (`node -v` ≥ 20)
+- **pnpm** 9+ (`npm install -g pnpm` or `corepack enable`)
+- **`curl`** + **`nc`** for healthchecks (pre-installed on macOS/Linux)
+
+> **Apple Silicon note:** Docker uses Azure SQL Edge instead of SQL Server 2022 on arm64 — handled automatically, see [ADR-0016](adr/0016-azure-sql-edge-for-arm64-dev.md).
+
+---
+
+## One-time setup
+
+```bash
+# 1. Clone
+git clone https://github.com/Azm-Tech/cce-platform.git
+cd cce-platform
+
+# 2. Bootstrap env files
+cp .env.example      .env
+cp .env.local.example .env.local
+
+# 3. Install frontend deps (≈90 s)
+pnpm install --frozen-lockfile
+
+# 4. Restore backend NuGet packages
+dotnet restore backend/CCE.sln
+```
+
+The `.env.local` ships with **safe dev defaults** — `Strong!Passw0rd` for SQL, dev placeholders for Entra ID, etc. Real secrets (production Entra ID client secret, Sentry DSN) are never committed.
+
+---
+
+## Running the stack
+
+You'll need **four terminals** open (or use a multiplexer like tmux / iTerm panes).
+
+### Terminal 1 — infra
+
+```bash
+docker compose up -d
+docker compose ps   # wait until all are "(healthy)" — ~90 seconds
+```
+
+If a service shows `unhealthy`, run `docker compose logs <service>` to see why.
+
+### Terminal 2 — migrations + seed (one-shot)
+
+```bash
+dotnet run --project backend/src/CCE.Seeder -- --migrate --demo
+```
+
+This:
+
+1. Applies all EF Core migrations (creates schemas + tables).
+2. Seeds roles + permissions.
+3. Seeds 5 dev users (one per role: admin / editor / reviewer / expert / user) with deterministic GUIDs.
+4. Seeds demo data — topics, posts, replies, knowledge maps, news, events, country profiles, resources.
+
+You only need to re-run this if you reset the database or pull new migrations. Use `--migrate` (no `--demo`) to skip demo data.
+
+### Terminal 3 — External API (public BFF, port 5001)
+
+```bash
+cd backend/src/CCE.Api.External
+ASPNETCORE_ENVIRONMENT=Development dotnet run --urls=http://localhost:5001
+```
+
+This is the **public-facing API** consumed by the web portal. Implements BFF cookie auth + public-only endpoints.
+
+### Terminal 4 — Internal API (admin, port 5002)
+
+```bash
+cd backend/src/CCE.Api.Internal
+ASPNETCORE_ENVIRONMENT=Development dotnet run --urls=http://localhost:5002
+```
+
+This is the **admin API** consumed by admin-cms. Exposes moderation + CMS endpoints with permission checks.
+
+### Terminal 5 (or 3 again) — Frontend apps
+
+```bash
+# from the repo root
+pnpm nx serve web-portal --port 4200    # public site
+pnpm nx serve admin-cms  --port 4201    # admin console
+```
+
+You can run both at once with:
+
+```bash
+pnpm nx run-many -t serve -p web-portal,admin-cms
+```
+
+Each app proxies `/api/*` requests to its respective backend (web-portal → 5001, admin-cms → 5002), so cookies stay first-party.
+
+---
+
+## Accessing the apps
+
+### Public portal — http://localhost:4200
+
+Browse the homepage, knowledge center, community, world map, interactive city, country profiles, news, events. No login needed for read access.
+
+To **sign in as a regular user** during dev:
+
+```
+http://localhost:5001/dev/sign-in?role=cce-user
+```
+
+This sets a `cce-dev-role=cce-user` cookie that the dev auth shim (active when `Auth:DevMode=true`) recognizes as the seeded user `cce-user@cce.local`. Reload the portal — you're signed in.
+
+### Admin console — http://localhost:4201
+
+Same dev auth flow against the **internal** API:
+
+```
+http://localhost:5002/dev/sign-in?role=cce-admin
+```
+
+Then open http://localhost:4201 — you'll see all admin features: users, content, community moderation, knowledge maps, etc.
+
+Available dev roles:
+
+| Role | Capability |
+|---|---|
+| `cce-admin` | Full admin — all permissions |
+| `cce-editor` | Author + edit content |
+| `cce-reviewer` | Review-only |
+| `cce-expert` | Community expert (gold badge on replies) |
+| `cce-user` | Regular member |
+
+### Calling APIs directly (curl / Postman)
+
+Skip the cookie dance and pass the role in the `Authorization` header:
+
+```bash
+curl -H 'Authorization: Bearer dev:cce-admin' \
+     'http://localhost:5002/api/admin/community/posts?status=all'
+```
+
+> The dev auth shim is **only registered when `Auth:DevMode=true`** in `appsettings.Development.json`. Production deployments use real Entra ID and never expose this path — see [Sub-11 Entra ID migration](../project-plan/specs/2026-05-04-sub-11-design.md).
+
+---
+
+## Tests
+
+```bash
+# Backend (≈30 s)
+dotnet test backend/CCE.sln
+
+# Frontend unit tests (≈30 s)
+pnpm nx run-many -t test
+
+# Frontend lint (≈10 s)
+pnpm nx run-many -t lint
+
+# E2E with Playwright + axe-core (≈3 min — needs the stack running)
+pnpm nx run-many -t e2e
+
+# Contract drift check (OpenAPI ↔ generated TS clients)
+./scripts/check-contracts-clean.sh
+```
+
+---
+
+## Common issues
+
+### Port already in use
+
+```
+Error: listen EADDRINUSE: address already in use :::4200
+```
+
+Find and kill the process:
+
+```bash
+lsof -nP -iTCP:4200 -sTCP:LISTEN
+kill -9 <pid>
+```
+
+### Stale Vite optimized-deps (web-portal blank, "Failed to fetch dynamically imported module")
+
+Vite's dependency cache went out of sync with the running server. Clear it and restart:
+
+```bash
+rm -rf frontend/.angular frontend/node_modules/.vite
+# then restart `pnpm nx serve web-portal` and hard-reload your browser (⌘⇧R)
+```
+
+### Backend crash: `Infrastructure:SqlConnectionString missing`
+
+You launched `dotnet run` without `ASPNETCORE_ENVIRONMENT=Development`. Either prefix the env var (as shown above) or remove `--no-launch-profile` if you added it.
+
+### SQL connection refused
+
+```bash
+docker compose ps sqlserver   # is it healthy?
+docker compose logs sqlserver # what's it complaining about?
+```
+
+On low-memory machines (< 4 GB free), SQL Server / Azure SQL Edge can fail to start. Bump Docker's memory allocation.
+
+### Migrations failed
+
+Most often `Login failed for user 'sa'` — the SQL password in `.env.local` doesn't match the seeded SA password. Tear down with `docker compose down -v` (destroys data) and start fresh.
+
+---
+
+## Tearing down
+
+```bash
+# Stop services, keep data volumes
+docker compose down
+
+# Stop services AND destroy all SQL/Redis/Meilisearch data
+docker compose down -v
+```
+
+---
+
+## Next steps
+
+- **[`project-plan/README.md`](../project-plan/README.md)** — sub-project index (specs, plans, completion reports)
+- **[`docs/adr/`](adr/)** — 60+ architecture decisions explaining why things are built this way
+- **[`docs/runbooks/`](runbooks/)** — production operational procedures (DR, backup/restore, secret rotation)
+- **[`docs/subprojects/`](subprojects/)** — one-page brief per sub-project
+- **[`CONTRIBUTING.md`](../CONTRIBUTING.md)** — branch model, commit format, PR checklist