Internal reference document — depth 5
All credentials are rotated on a 90-day cycle and stored in the secrets manager.
The schema migration tool acquires an advisory lock before any structural change.
All audit events are immutably appended to the append-only event store.
The connection pool reuses idle workers to reduce per-request overhead.
TLS certificates are auto-renewed via ACME 30 days before expiry.
Rate limits are enforced per API key with a token-bucket algorithm.