chore: switch from develop/dev to main/latest image tags (#434)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

.env.example

@@ -215,11 +215,9 @@ NODE_ENV=development
 # Used by docker-compose.yml (pulls images) and docker-swarm.yml
 # For local builds, use docker-compose.build.yml instead
 # Options:
-#   - dev: Pull development images from registry (default, built from develop branch)
+#   - latest: Pull latest images from registry (default, built from main branch)
-#   - latest: Pull latest stable images from registry (built from main branch)
-#   - <commit-sha>: Use specific commit SHA tag (e.g., 658ec077)
 #   - <version>: Use specific version tag (e.g., v1.0.0)
-IMAGE_TAG=dev
+IMAGE_TAG=latest
 
 # ======================
 # Docker Compose Profiles

.woodpecker/README.md

@@ -85,12 +85,11 @@ install -> [ruff-check, mypy, security-bandit, security-pip-audit, test]
 
 ## Image Tagging
 
-| Condition        | Tag                        | Purpose                    |
+| Condition     | Tag                        | Purpose                    |
-| ---------------- | -------------------------- | -------------------------- |
+| ------------- | -------------------------- | -------------------------- |
-| Always           | `${CI_COMMIT_SHA:0:8}`     | Immutable commit reference |
+| Always        | `${CI_COMMIT_SHA:0:8}`     | Immutable commit reference |
-| `main` branch    | `latest`                   | Current production release |
+| `main` branch | `latest`                   | Current latest build       |
-| `develop` branch | `dev`                      | Current development build  |
+| Git tag       | tag value (e.g., `v1.0.0`) | Semantic version release   |
-| Git tag          | tag value (e.g., `v1.0.0`) | Semantic version release   |
 
 ## Required Secrets
 
@@ -138,5 +137,5 @@ Fails on blockers or critical/high severity security findings.
 
 ### Pipeline runs Docker builds on pull requests
 
-- Docker build steps have `when: branch: [main, develop]` guards
+- Docker build steps have `when: branch: [main]` guards
 - PRs only run quality gates, not Docker builds

.woodpecker/api.yml

@@ -152,12 +152,10 @@ steps:
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:$CI_COMMIT_TAG"
         elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:dev"
         fi
         /kaniko/executor --context . --dockerfile apps/api/Dockerfile --snapshot-mode=redo $DESTINATIONS
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - build
@@ -180,7 +178,7 @@ steps:
         elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
           SCAN_TAG="latest"
         else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
         fi
         mkdir -p ~/.docker
         echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -188,7 +186,7 @@ steps:
           --ignorefile .trivyignore \
           git.mosaicstack.dev/mosaic/stack-api:$$SCAN_TAG
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - docker-build-api
@@ -230,7 +228,7 @@ steps:
         }
         link_package "stack-api"
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - security-trivy-api

.woodpecker/coordinator.yml

@@ -92,12 +92,10 @@ steps:
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:$CI_COMMIT_TAG"
         elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:dev"
         fi
         /kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile --snapshot-mode=redo $DESTINATIONS
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - ruff-check
@@ -124,7 +122,7 @@ steps:
         elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
           SCAN_TAG="latest"
         else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
         fi
         mkdir -p ~/.docker
         echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -132,7 +130,7 @@ steps:
           --ignorefile .trivyignore \
           git.mosaicstack.dev/mosaic/stack-coordinator:$$SCAN_TAG
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - docker-build-coordinator
@@ -174,7 +172,7 @@ steps:
         }
         link_package "stack-coordinator"
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - security-trivy-coordinator

.woodpecker/infra.yml

@@ -36,12 +36,10 @@ steps:
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:$CI_COMMIT_TAG"
         elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:dev"
         fi
         /kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile --snapshot-mode=redo $DESTINATIONS
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
 
   docker-build-openbao:
@@ -61,12 +59,10 @@ steps:
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:$CI_COMMIT_TAG"
         elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:dev"
         fi
         /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile --snapshot-mode=redo $DESTINATIONS
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
 
   # === Container Security Scans ===
@@ -87,7 +83,7 @@ steps:
         elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
           SCAN_TAG="latest"
         else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
         fi
         mkdir -p ~/.docker
         echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -95,7 +91,7 @@ steps:
           --ignorefile .trivyignore \
           git.mosaicstack.dev/mosaic/stack-postgres:$$SCAN_TAG
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - docker-build-postgres
@@ -116,7 +112,7 @@ steps:
         elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
           SCAN_TAG="latest"
         else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
         fi
         mkdir -p ~/.docker
         echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -124,7 +120,7 @@ steps:
           --ignorefile .trivyignore \
           git.mosaicstack.dev/mosaic/stack-openbao:$$SCAN_TAG
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - docker-build-openbao
@@ -167,7 +163,7 @@ steps:
         link_package "stack-postgres"
         link_package "stack-openbao"
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - security-trivy-postgres

.woodpecker/orchestrator.yml

@@ -109,12 +109,10 @@ steps:
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:$CI_COMMIT_TAG"
         elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:dev"
         fi
         /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile --snapshot-mode=redo $DESTINATIONS
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - build
@@ -137,7 +135,7 @@ steps:
         elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
           SCAN_TAG="latest"
         else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
         fi
         mkdir -p ~/.docker
         echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -145,7 +143,7 @@ steps:
           --ignorefile .trivyignore \
           git.mosaicstack.dev/mosaic/stack-orchestrator:$$SCAN_TAG
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - docker-build-orchestrator
@@ -187,7 +185,7 @@ steps:
         }
         link_package "stack-orchestrator"
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - security-trivy-orchestrator

.woodpecker/web.yml

@@ -120,12 +120,10 @@ steps:
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:$CI_COMMIT_TAG"
         elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
           DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:latest"
-        elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
-          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:dev"
         fi
         /kaniko/executor --context . --dockerfile apps/web/Dockerfile --snapshot-mode=redo --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - build
@@ -148,7 +146,7 @@ steps:
         elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
           SCAN_TAG="latest"
         else
-          SCAN_TAG="dev"
+          SCAN_TAG="latest"
         fi
         mkdir -p ~/.docker
         echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -156,7 +154,7 @@ steps:
           --ignorefile .trivyignore \
           git.mosaicstack.dev/mosaic/stack-web:$$SCAN_TAG
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - docker-build-web
@@ -198,7 +196,7 @@ steps:
         }
         link_package "stack-web"
     when:
-      - branch: [main, develop]
+      - branch: [main]
         event: [push, manual, tag]
     depends_on:
       - security-trivy-web

README.md

@@ -232,7 +232,7 @@ docker compose -f docker-compose.openbao.yml up -d
 sleep 30  # Wait for auto-initialization
 
 # 5. Deploy swarm stack
-IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
+IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic
 
 # 6. Check deployment status
 docker stack services mosaic
@@ -526,10 +526,9 @@ KNOWLEDGE_CACHE_TTL=300  # 5 minutes
 
 ### Branch Strategy
 
-- `main` — Stable releases only
+- `main` — Trunk branch (all development merges here)
-- `develop` — Active development (default working branch)
+- `feature/*` — Feature branches from main
-- `feature/*` — Feature branches from develop
+- `fix/*` — Bug fix branches from main
-- `fix/*` — Bug fix branches
 
 ### Running Locally
 
@@ -739,7 +738,7 @@ See [Type Sharing Strategy](docs/2-development/3-type-sharing/1-strategy.md) for
 4. Run tests: `pnpm test`
 5. Build: `pnpm build`
 6. Commit with conventional format: `feat(#issue): Description`
-7. Push and create a pull request to `develop`
+7. Push and create a pull request to `main`
 
 ### Commit Format
 

docker-compose.openbao.yml

@@ -14,7 +14,7 @@ services:
   # OpenBao Secrets Vault
   # ======================
   openbao:
-    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
     entrypoint: ["dumb-init", "--"]
     command: ["bao", "server", "-config=/openbao/config/config.hcl"]
     environment:
@@ -48,7 +48,7 @@ services:
   # Has built-in retry logic (polls OpenBao API for 60 seconds).
   # After init, runs an unseal watch loop to handle container restarts.
   openbao-init:
-    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
     command: /openbao/init.sh
     environment:
       VAULT_ADDR: http://openbao:8200

docker-compose.yml

@@ -3,7 +3,7 @@ services:
   # PostgreSQL Database
   # ======================
   postgres:
-    image: git.mosaicstack.dev/mosaic/stack-postgres:${IMAGE_TAG:-dev}
+    image: git.mosaicstack.dev/mosaic/stack-postgres:${IMAGE_TAG:-latest}
     container_name: mosaic-postgres
     restart: unless-stopped
     environment:
@@ -251,7 +251,7 @@ services:
   # OpenBao Secrets Management (Optional)
   # ======================
   openbao:
-    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
     container_name: mosaic-openbao
     restart: unless-stopped
     user: root
@@ -283,7 +283,7 @@ services:
       - "com.mosaic.description=OpenBao secrets management"
 
   openbao-init:
-    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
     container_name: mosaic-openbao-init
     restart: unless-stopped
     user: root
@@ -345,7 +345,7 @@ services:
   # Mosaic API
   # ======================
   api:
-    image: git.mosaicstack.dev/mosaic/stack-api:${IMAGE_TAG:-dev}
+    image: git.mosaicstack.dev/mosaic/stack-api:${IMAGE_TAG:-latest}
     container_name: mosaic-api
     restart: unless-stopped
     environment:
@@ -424,7 +424,7 @@ services:
   # Mosaic Orchestrator
   # ======================
   orchestrator:
-    image: git.mosaicstack.dev/mosaic/stack-orchestrator:${IMAGE_TAG:-dev}
+    image: git.mosaicstack.dev/mosaic/stack-orchestrator:${IMAGE_TAG:-latest}
     container_name: mosaic-orchestrator
     restart: unless-stopped
     # Run as non-root user (node:node, UID 1000)
@@ -491,7 +491,7 @@ services:
   # Mosaic Web
   # ======================
   web:
-    image: git.mosaicstack.dev/mosaic/stack-web:${IMAGE_TAG:-dev}
+    image: git.mosaicstack.dev/mosaic/stack-web:${IMAGE_TAG:-latest}
     container_name: mosaic-web
     restart: unless-stopped
     environment:

docker/DOCKER-COMPOSE-GUIDE.md

@@ -12,10 +12,10 @@ Pull and run the latest images from the Gitea container registry:
 # Copy environment template
 cp .env.example .env
 
-# Edit .env and set IMAGE_TAG (optional, defaults to 'dev')
+# Edit .env and set IMAGE_TAG (optional, defaults to 'latest')
-# IMAGE_TAG=dev        # Development images (develop branch)
+# IMAGE_TAG=latest     # Latest images from main branch (default)
-# IMAGE_TAG=latest     # Production images (main branch)
 # IMAGE_TAG=658ec077   # Specific commit SHA
+# IMAGE_TAG=v1.0.0     # Specific version tag
 
 # Pull and start services
 docker compose pull
@@ -49,8 +49,7 @@ docker compose -f docker-compose.build.yml up -d --build
 
 The `IMAGE_TAG` environment variable controls which image version to pull:
 
-- `dev` - Latest development build from `develop` branch (default)
+- `latest` - Latest build from `main` branch (default)
-- `latest` - Latest stable build from `main` branch
 - `658ec077` - Specific commit SHA (first 8 characters)
 - `v1.0.0` - Specific version tag
 
@@ -210,7 +209,7 @@ The repository includes three example compose files for common deployment scenar
 ```bash
 # Set in .env
 COMPOSE_PROFILES=full
-IMAGE_TAG=dev
+IMAGE_TAG=latest
 
 # Start all services
 docker compose up -d

docs/AGENTS.md

@@ -29,12 +29,12 @@ Context = tokens = cost. Be smart.
 2. Code      → TDD: write test (RED), implement (GREEN), refactor
 3. Test      → pnpm test (must pass)
 4. Push      → git push origin feature/XX-description
-5. PR        → Create PR to develop (not main)
+5. PR        → Create PR to main
 6. Review    → Wait for approval or self-merge if authorized
 7. Close     → Close related issues via API
 ```
 
-**Never merge directly to develop without a PR.**
+**Never merge directly to main without a PR.**
 
 ### Issue Management
 
@@ -53,7 +53,7 @@ curl -s -X PATCH -H "Authorization: token $TOKEN" -H "Content-Type: application/
   -d '{"state":"closed"}'
 
 # Create PR (tea CLI works for this)
-tea pulls create --repo mosaic/stack --base develop --head feature/XX-name \
+tea pulls create --repo mosaic/stack --base main --head feature/XX-name \
   --title "feat(#XX): Title" --description "Description"
 ```
 

docs/CONTRIBUTING.md

@@ -159,13 +159,12 @@ We follow a Git-based workflow with the following branch types:
 
 ### Workflow
 
-1. Always branch from `develop`
+1. Always branch from `main`
-2. Merge back to `develop` via pull request
+2. Merge back to `main` via pull request
-3. `main` is for stable releases only
 
 ```bash
 # Start a new feature
-git checkout develop
+git checkout main
 git pull --rebase
 git checkout -b feature/my-feature-name
 
@@ -269,7 +268,7 @@ Clarified pagination and filtering parameters.
 2. Create a PR via GitLab at:
    https://git.mosaicstack.dev/mosaic/stack/-/merge_requests
 
-3. Target branch: `develop`
+3. Target branch: `main`
 
 4. Fill in the PR template:
    - **Title:** `feat(#issue): Brief description` (follows commit format)

docs/OPENBAO-DEPLOYMENT.md

@@ -144,7 +144,7 @@ sleep 30
 docker logs mosaic-openbao-init
 
 # 3. Deploy swarm stack
-IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
+IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic
 
 # 4. Verify API connects to OpenBao
 docker service logs mosaic_api | grep -i openbao
@@ -172,7 +172,7 @@ docker logs mosaic-openbao-init
 # OPENBAO_SECRET_ID=...
 
 # 2. Deploy stack (no OpenBao)
-IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
+IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic
 
 # 3. Verify API connects to external Vault
 docker service logs mosaic_api | grep -i vault

docs/PORTAINER-DEPLOYMENT.md

@@ -62,7 +62,7 @@ If using private registry images from `git.mosaicstack.dev`:
 4. **Web editor:** Copy and paste contents of `docker-compose.portainer.yml`
 5. **Environment variables:**
    ```
-   IMAGE_TAG=dev
+   IMAGE_TAG=latest
    OPENBAO_PORT=8200
    ```
 6. Click **Deploy the stack**
@@ -90,7 +90,7 @@ If using private registry images from `git.mosaicstack.dev`:
 **Option A: Git Repository (Recommended)**
 
 - Repository URL: `https://git.mosaicstack.dev/mosaic/stack`
-- Repository reference: `refs/heads/develop`
+- Repository reference: `refs/heads/main`
 - Compose path: `docker-compose.swarm.yml`
 - Authentication: Enable if repository is private
 - Enable **Automatic updates** (optional)
@@ -103,7 +103,7 @@ If using private registry images from `git.mosaicstack.dev`:
 4. **Environment variables:**
 
    ```
-   IMAGE_TAG=dev
+   IMAGE_TAG=latest
    POSTGRES_PASSWORD=<your-secure-password>
    JWT_SECRET=<your-jwt-secret>
    BETTER_AUTH_SECRET=<your-auth-secret>
@@ -148,7 +148,7 @@ If using private registry images from `git.mosaicstack.dev`:
 
 ```bash
 # Image Configuration
-IMAGE_TAG=dev                    # or 'latest' or specific commit SHA
+IMAGE_TAG=latest                    # or 'latest' or specific commit SHA
 
 # Database
 POSTGRES_PASSWORD=<secure-password>

docs/SWARM-DEPLOYMENT.md

@@ -49,7 +49,7 @@ nano .env
 - `OIDC_CLIENT_ID` - From your Authentik/OIDC provider
 - `OIDC_CLIENT_SECRET` - From your Authentik/OIDC provider
 - `OIDC_ISSUER` - Your OIDC provider URL (must end with `/`)
-- `IMAGE_TAG` - `dev` or `latest` or specific commit SHA
+- `IMAGE_TAG` - `latest` (default) or specific version/commit SHA
 
 ### 2. Configure for External Services (Optional)
 
@@ -131,10 +131,10 @@ See [OpenBao Deployment Guide](OPENBAO-DEPLOYMENT.md) for detailed options.
 cd /opt/mosaic/stack
 
 # Using the deploy script (recommended)
-IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
+IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic
 
 # Or manually
-IMAGE_TAG=dev docker stack deploy \
+IMAGE_TAG=latest docker stack deploy \
   -c docker-compose.swarm.yml \
   --with-registry-auth mosaic
 ```

docs/harbor-tag-retention-policy.md

@@ -9,17 +9,15 @@ Images are tagged based on branch and event type:
 | Trigger           | Tags Applied      | Example              |
 | ----------------- | ----------------- | -------------------- |
 | Push to `main`    | `{sha}`, `latest` | `658ec077`, `latest` |
-| Push to `develop` | `{sha}`, `dev`    | `a1b2c3d4`, `dev`    |
 | Git tag (release) | `{sha}`, `{tag}`  | `658ec077`, `v1.0.0` |
 
 ### Tag Meanings
 
-| Tag                        | Purpose                                    | Stability |
+| Tag                        | Purpose                            | Stability |
-| -------------------------- | ------------------------------------------ | --------- |
+| -------------------------- | ---------------------------------- | --------- |
-| `latest`                   | Current production-ready build from `main` | Stable    |
+| `latest`                   | Current build from `main`          | Latest    |
-| `dev`                      | Current development build from `develop`   | Unstable  |
+| `v*` (e.g., `v1.0.0`)      | Versioned release                  | Immutable |
-| `v*` (e.g., `v1.0.0`)      | Versioned release                          | Immutable |
+| `{sha}` (e.g., `658ec077`) | Specific commit for traceability   | Immutable |
-| `{sha}` (e.g., `658ec077`) | Specific commit for traceability           | Immutable |
 
 ## Retention Policy Configuration