diff --git a/docs/architecture-design-company-inc.md b/docs/architecture-design-company-inc.md
index 47f3984..17596d6 100644
--- a/docs/architecture-design-company-inc.md
+++ b/docs/architecture-design-company-inc.md
@@ -58,23 +58,17 @@ This document outlines a robust, scalable, secure, and cost-effective infrastruc
### 3.3 Network Topology (High-Level)
-```
-Internet
- |
- v
-[Cloud Load Balancer] (HTTPS)
- |
- v
-[GKE Ingress Controller]
- |
- v
-[VPC Private Subnets]
- |
- +-- [GKE Cluster - API Pods]
- +-- [GKE Cluster - Frontend Pods]
- |
- v
-[Private connectivity to MongoDB]
+```mermaid
+flowchart TD
+ Internet((Internet))
+ Internet --> LB[Cloud Load Balancer
HTTPS termination]
+ LB --> Ingress[GKE Ingress Controller]
+
+ subgraph VPC["VPC — Private Subnets"]
+ Ingress --> API[API Pods
Python / Flask]
+ Ingress --> SPA[Frontend Pods
React SPA]
+ API --> DB[(MongoDB
Private Endpoint)]
+ end
```
---
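Review bot: the node labels in the new `flowchart TD` block break across lines inside their brackets (`LB[Cloud Load Balancer` / `HTTPS termination]`, and likewise `API`, `SPA` and `DB`), and Mermaid does not accept a raw line break inside an unquoted node label; confirm the committed source uses `<br/>` (for example `LB[Cloud Load Balancer<br/>HTTPS termination]`) or a quoted label, otherwise Git-hosted rendering will show a parse error where the topology should be. Content-wise the block keeps the old ASCII flow, including the private path to MongoDB, and because the only database edge is `API --> DB` it also makes explicit that the frontend pods have no database path; that is worth stating in the prose of section 3.3 so it survives as a requirement rather than only as a picture.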
@@ -146,43 +140,31 @@ Internet
## 6. High-Level Architecture Diagram
-The following diagram illustrates the main components (implement in draw.io or Lucidchart):
+```mermaid
+flowchart TB
+ Users((Users))
-```
-+------------------------------------------------------------------+
-| COMPANY INC. INFRASTRUCTURE |
-+------------------------------------------------------------------+
+ Users --> CDN[Cloud CDN
Static Assets]
+ Users --> LB[Cloud Load Balancer
HTTPS]
- [Users]
- |
- v
-+-------------------+ +-------------------+
-| Cloud CDN | | Cloud LB (HTTPS) |
-| (Static Assets) | | (API + SPA) |
-+-------------------+ +-------------------+
- | |
- v v
-+------------------------------------------------------------------+
-| GKE CLUSTER (Private) |
-| +------------------+ +------------------+ +-----------------+ |
-| | Ingress | | Backend (Flask) | | Frontend (SPA) | |
-| | Controller | | - HPA | | - Nginx/React | |
-| +------------------+ +------------------+ +-----------------+ |
-| | | | |
-| +-----------------------+-----------------------+ |
-| | |
-| +------------------+ +------------------+ |
-| | Redis (cache) | | Observability | |
-| | (Memorystore) | | (Prometheus/Grafana) |
-| +------------------+ +------------------+ |
-+------------------------------------------------------------------+
- |
- v
-+------------------------------------------------------------------+
-| MongoDB Atlas (GCP) | Secret Manager | Artifact Registry |
-| - Replica Set | - App secrets | - Container images |
-| - Private endpoint | - DB credentials| |
-+------------------------------------------------------------------+
+ subgraph GKE["GKE Cluster — Private"]
+ LB --> Ingress[Ingress Controller]
+ Ingress --> API[Backend — Flask
HPA 2–3 replicas]
+ Ingress --> SPA[Frontend — React SPA
Nginx]
+ CDN --> SPA
+ API --> Redis[Redis
Memorystore]
+ API --> Obs[Observability
Prometheus / Grafana]
+ end
+
+ subgraph Data["Managed Services"]
+ Mongo[(MongoDB Atlas
Replica Set · Private Endpoint)]
+ Secrets[Secret Manager
App & DB credentials]
+ Registry[Artifact Registry
Container images]
+ end
+
+ API --> Mongo
+ API --> Secrets
+ GKE --> Registry
```
---
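Review bot: this block duplicates most of the diagram the same patch writes into `docs/architecture-hld.md` (the `GKE` and `Managed Services` subgraphs, the `Redis`, `Mongo`, `Secrets` and `Registry` nodes, and the `API --> Mongo` / `API --> Secrets` / `GKE --> Registry` edges), and the two copies already differ (this one has no `NAT`, `Sandbox` or CI/CD nodes), so they will drift; since the footer hunk below now points at `architecture-hld.md` as the standalone HLD, consider keeping one canonical diagram there and reducing section 6 to a short pointer. If the block stays, restore an intro sentence: deleting `The following diagram illustrates the main components ...` leaves the `## 6.` heading followed directly by a code fence. The split-label issue from the previous hunk applies here too (`CDN[Cloud CDN` / `Static Assets]` and the other multi-line labels need `<br/>` or quoting), and `Secrets[Secret Manager` / `App & DB credentials]` is safest as a quoted label because `&` is also Mermaid's node-list operator in edge statements.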
@@ -200,4 +182,4 @@ The following diagram illustrates the main components (implement in draw.io or L
---
-*This document should be accompanied by an HLD diagram (draw.io or Lucidchart) reflecting the architecture above.*
+*See [architecture-hld.md](architecture-hld.md) for the standalone HLD diagram.*
diff --git a/docs/architecture-hld.md b/docs/architecture-hld.md
index c6e33ba..c255209 100644
--- a/docs/architecture-hld.md
+++ b/docs/architecture-hld.md
@@ -1,85 +1,88 @@
# High-Level Architecture Diagram: Company Inc.
-Use this as reference when creating your diagram in [draw.io](https://draw.io) or [Lucidchart](https://lucidchart.com).
-
-## Mermaid Source (for Git-rendered diagrams)
+## Cloud Infrastructure (GCP + GKE)
```mermaid
flowchart TB
- subgraph Internet["Internet"]
- Users[Users]
+ subgraph Internet
+ Users((Users))
end
- subgraph GCP["GCP"]
- subgraph Projects["Projects"]
+ subgraph GCP["Google Cloud Platform"]
+ subgraph Projects["Project Structure"]
Prod[company-inc-prod]
Staging[company-inc-staging]
Shared[company-inc-shared]
+ Sandbox[company-inc-sandbox]
end
- subgraph Networking["Network"]
- LB[Cloud Load Balancer
HTTPS]
+ subgraph Edge["Edge / Networking"]
+ LB[Cloud Load Balancer
HTTPS · TLS termination]
CDN[Cloud CDN
Static Assets]
- VPC[VPC - Private Subnets]
+ NAT[Cloud NAT
Egress]
end
- subgraph GKE["GKE Cluster (Private)"]
- Ingress[Ingress Controller]
- subgraph Workloads["Workloads"]
- API[Backend - Python/Flask
HPA 2-3 replicas]
- SPA[Frontend - React SPA
Nginx]
+ subgraph VPC["VPC — Private Subnets"]
+ subgraph GKE["GKE Autopilot Cluster"]
+ Ingress[Ingress Controller]
+ subgraph Workloads
+ API[Backend — Python / Flask
HPA · 2–3 replicas]
+ SPA[Frontend — React SPA
Nginx]
+ end
+ Redis[Redis — Memorystore
Session / Cache]
+ Monitoring[Prometheus + Grafana
Observability]
end
- Redis[Redis - Memorystore]
end
- subgraph Data["Data & Services"]
- Mongo[(MongoDB Atlas
Replica Set)]
+ subgraph Managed["Managed Services"]
+ Mongo[(MongoDB Atlas
3-node Replica Set
Private Endpoint)]
Secrets[Secret Manager]
Registry[Artifact Registry]
end
end
+ subgraph CICD["CI / CD"]
+ Git[Git Repository]
+ Actions[Gitea / GitHub Actions
Build · Test · Scan]
+ Argo[ArgoCD / Flux
GitOps Deploy]
+ end
+
Users --> LB
Users --> CDN
LB --> Ingress
+ CDN --> SPA
Ingress --> API
Ingress --> SPA
- CDN --> SPA
- API --> Mongo
API --> Redis
+ API --> Mongo
API --> Secrets
GKE --> Registry
+ GKE --> NAT
+
+ Git --> Actions
+ Actions --> Registry
+ Argo --> GKE
```
-## Draw.io / Lucidchart Layout Guide
+## CI / CD Pipeline
-### Top Row (External)
-- **Users** → Internet
+```mermaid
+flowchart LR
+ Dev[Developer] -->|push| Repo[Git Repo]
+ Repo -->|webhook| CI[CI Pipeline
lint · test · build]
+ CI -->|push image| Registry[Artifact Registry]
+ CI -->|update manifests| GitOps[GitOps Repo]
+ GitOps -->|sync| Argo[ArgoCD / Flux]
+ Argo -->|deploy| GKE[GKE Cluster]
+```
-### Second Row (Edge)
-- **Cloud Load Balancer** (HTTPS)
-- **Cloud CDN** (for SPA static assets)
+## Network Security Layers
-### Third Row (GKE)
-- **GKE Cluster** (Private)
- - Ingress Controller
- - Backend (Flask) — 2–3 replicas, HPA
- - Frontend (React SPA)
- - Redis (Memorystore)
-
-### Fourth Row (Data)
-- **MongoDB Atlas** (Replica Set, private endpoint)
-- **Secret Manager**
-- **Artifact Registry**
-
-### Connections
-1. Users → LB, Users → CDN
-2. LB → Ingress → Backend + Frontend
-3. Backend → MongoDB, Redis, Secret Manager
-4. GKE → Artifact Registry (image pulls)
-
-### Colors (suggested)
-- External: Light blue
-- GCP managed: Light green
-- Workloads: Light yellow
-- Data: Light orange
+```mermaid
+flowchart TD
+ Internet((Internet)) --> FW[VPC Firewall
Default deny]
+ FW --> LB[Load Balancer
HTTPS only]
+ LB --> NP[K8s Network Policies]
+ NP --> Pods[Application Pods
Private IPs only]
+ Pods --> PE[Private Endpoint
MongoDB Atlas]
+```
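Review bot: the "Network Security Layers" chain `Internet --> FW[VPC Firewall Default deny] --> LB[Load Balancer HTTPS only]` places the VPC firewall in front of the load balancer, but a GCP external HTTPS load balancer is a managed proxy outside the VPC; VPC firewall rules are enforced on the node backends behind it, where they should admit only the load balancer proxy and health-check ranges, so the order that matches the real control points is `Internet --> LB --> FW --> NP --> Pods`. The same diagram shows no egress leg even though the main diagram adds `GKE --> NAT`; with `Pods --> PE` as the only outbound edge, say whether `K8s Network Policies` is meant to be default-deny for egress as well (allowing only DNS and the Atlas private endpoint), otherwise the `Default deny` label reads as inbound only. Two consistency points: `Actions[Gitea / GitHub Actions Build · Test · Scan]` includes a scan step that the "CI / CD Pipeline" diagram (`CI[CI Pipeline lint · test · build]`) drops, and both diagrams keep `Gitea / GitHub Actions` and `ArgoCD / Flux` as unresolved either/or choices; pick one per environment or mark them as TBD. Finally, the multi-line labels here (`LB[Cloud Load Balancer` / `HTTPS · TLS termination]`, `Mongo[(MongoDB Atlas` / `3-node Replica Set` / `Private Endpoint)]`, and the rest) need `<br/>` or quoted text to render.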
diff --git a/docs/verification-log.md b/docs/verification-log.md
index 9f272a2..2d9cb17 100644
--- a/docs/verification-log.md
+++ b/docs/verification-log.md
@@ -1,25 +1,49 @@
-```
-Verifying FleetDM, MySQL, and Redis...
+# Verification Log
+## Local Deployment (`make verify`)
+
+```
=== Pods ===
-kubectl get pods -n fleetdm -o wide
-NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
-fleet-6747fdcc49-ljm2d 0/1 ContainerCreating 0 6m2s fleetdm-control-plane
-fleet-migration-rwxnz 0/1 CreateContainerConfigError 0 6m2s 10.244.0.15 fleetdm-control-plane
-fleetdm-stack-mysql-0 0/1 ErrImagePull 0 6m2s 10.244.0.17 fleetdm-control-plane
-fleetdm-stack-redis-master-0 1/1 Running 0 6m2s 10.244.0.16 fleetdm-control-plane
+NAME READY STATUS RESTARTS AGE
+fleet-75cbb4fd54-s7csh 1/1 Running 0 153m
+fleetdm-stack-mysql-0 1/1 Running 0 166m
+fleetdm-stack-redis-master-0 1/1 Running 0 166m
=== Services ===
-kubectl get svc -n fleetdm
-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
-fleetdm-stack-mysql ClusterIP 10.96.140.26 3306/TCP 6m2s
-fleetdm-stack-mysql-headless ClusterIP None 3306/TCP 6m2s
-fleetdm-stack-redis-headless ClusterIP None 6379/TCP 6m2s
-fleetdm-stack-redis-master ClusterIP 10.96.248.50 6379/TCP 6m2s
-fleetdm-stack-service ClusterIP 10.96.24.191 8080/TCP 6m2s
+NAME TYPE CLUSTER-IP PORT(S) AGE
+fleetdm-stack-mysql ClusterIP 10.96.3.64 3306/TCP 166m
+fleetdm-stack-mysql-headless ClusterIP None 3306/TCP 166m
+fleetdm-stack-redis-headless ClusterIP None 6379/TCP 166m
+fleetdm-stack-redis-master ClusterIP 10.96.159.221 6379/TCP 166m
+fleetdm-stack-service ClusterIP 10.96.189.212 8080/TCP 166m
=== Ingress ===
-kubectl get ingress -n fleetdm
-NAME CLASS HOSTS ADDRESS PORTS AGE
-fleetdm-stack nginx fleet.localhost localhost 80 6m2s
+NAME CLASS HOSTS ADDRESS PORTS AGE
+fleetdm-stack nginx fleet.localhost localhost 80 166m
+```
+
+## Fleet UI Access
+
+```
+$ curl -sk -o /dev/null -w "%{http_code}" https://localhost:8585/setup
+200
+```
+
+Fleet setup page loads successfully at `https://localhost:8585` via `make port-forward`.
+
+## Gitea Actions CI
+
+| Run | Job | Status | Commit |
+| --- | ----------------- | ------- | ---------------------------------------------------- |
+| #5 | Lint Helm Chart | success | Fix CI lint: remove head pipe that causes SIGPIPE 141 |
+| #5 | Release Helm Chart| skipped | (only triggers on `v*` tags) |
+
+## Helm Chart
+
+```
+$ helm lint fleetdm-stack/
+==> Linting fleetdm-stack/
+[INFO] Chart.yaml: icon is recommended
+
+1 chart(s) linted, 0 chart(s) failed
```
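Review bot: the rewritten log drops the `kubectl get pods -n fleetdm -o wide`, `kubectl get svc -n fleetdm` and `kubectl get ingress -n fleetdm` lines that the previous version printed above each `===` section, so a reader can no longer tell what `make verify` ran to produce this output or reproduce it; keep the commands (or name the Makefile target that emits them) above each block. Two smaller points: the Ingress row still lists `PORTS 80` only while the UI check goes through `make port-forward` to `https://localhost:8585` with `curl -sk`, so state explicitly that plain HTTP on the ingress and skipping certificate verification with `-k` are accepted for the local `fleet.localhost` setup only; and the `Commit` column of the Gitea Actions table holds a commit message rather than an identifier, so add the short SHA beside it so run #5 can be matched to a commit.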