chore(ci): add staging config protection and validation

- Add staging-config-check.yml workflow to validate HTTPS URLs on PRs
- Add CODEOWNERS to require team lead review for critical config files
- Update GIT_WORKFLOW.md with config file protection guidelines

Prevents accidental reversion of staging URLs (HTTP vs HTTPS) during rebases.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.github/CODEOWNERS

@@ -0,0 +1,38 @@
+# CODEOWNERS - Defines code ownership for PR review requirements
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# =============================================================================
+# Staging & Production Configuration
+# =============================================================================
+# These files control production/staging deployments and require team lead review
+# to prevent accidental configuration regressions (like HTTP vs HTTPS URLs)
+
+docker-compose.staging.yml              @wuesteon
+docker-compose.production.yml           @wuesteon
+docker/caddy/Caddyfile.staging          @wuesteon
+docker/caddy/Caddyfile.production       @wuesteon
+
+# =============================================================================
+# CI/CD Workflows
+# =============================================================================
+# Changes to deployment pipelines require review
+
+.github/workflows/cd-*.yml              @wuesteon
+.github/workflows/ci.yml                @wuesteon
+
+# =============================================================================
+# Core Infrastructure
+# =============================================================================
+# Shared packages and services that affect all apps
+
+services/mana-core-auth/                @wuesteon
+packages/shared-nestjs-auth/            @wuesteon
+packages/shared-auth/                   @wuesteon
+
+# =============================================================================
+# Workspace Configuration
+# =============================================================================
+# Root configuration files that affect the entire monorepo
+
+pnpm-workspace.yaml                     @wuesteon
+turbo.json                              @wuesteon

.github/workflows/staging-config-check.yml

@@ -0,0 +1,103 @@
+name: Staging Config Check
+
+on:
+  pull_request:
+    paths:
+      - 'docker-compose.staging.yml'
+      - 'docker/caddy/Caddyfile.staging'
+
+jobs:
+  check-staging-urls:
+    name: Validate Staging URLs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check for HTTP IP addresses in _CLIENT URLs
+        run: |
+          echo "Checking docker-compose.staging.yml for HTTP IP addresses..."
+
+          # Check that no _CLIENT URLs use HTTP IP addresses
+          if grep -E '_CLIENT:.*http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' docker-compose.staging.yml; then
+            echo ""
+            echo "::error::Found HTTP IP addresses in _CLIENT URLs!"
+            echo "All _CLIENT URLs must use HTTPS staging domains (e.g., https://auth.staging.manacore.ai)"
+            exit 1
+          fi
+
+          echo "No HTTP IP addresses found in _CLIENT URLs"
+
+      - name: Check for non-HTTPS external URLs
+        run: |
+          echo "Checking for non-HTTPS external URLs in _CLIENT variables..."
+
+          # Check that _CLIENT URLs use HTTPS (excluding localhost for dev)
+          VIOLATIONS=$(grep -E '_CLIENT:.*http://' docker-compose.staging.yml | grep -v localhost || true)
+
+          if [ -n "$VIOLATIONS" ]; then
+            echo ""
+            echo "::error::Found non-HTTPS URLs in _CLIENT variables!"
+            echo "$VIOLATIONS"
+            echo ""
+            echo "All _CLIENT URLs must use HTTPS for staging domains."
+            exit 1
+          fi
+
+          echo "All _CLIENT URLs use HTTPS"
+
+      - name: Verify required HTTPS domains
+        run: |
+          echo "Verifying required HTTPS staging domains are configured..."
+
+          REQUIRED_DOMAINS=(
+            "https://auth.staging.manacore.ai"
+            "https://staging.manacore.ai"
+          )
+
+          MISSING=0
+          for domain in "${REQUIRED_DOMAINS[@]}"; do
+            if ! grep -q "$domain" docker-compose.staging.yml; then
+              echo "::warning::Missing required domain: $domain"
+              MISSING=1
+            fi
+          done
+
+          if [ $MISSING -eq 1 ]; then
+            echo ""
+            echo "::warning::Some required staging domains are not configured. Please verify this is intentional."
+          fi
+
+          echo "Domain verification complete"
+
+      - name: Check CORS origins include HTTPS
+        run: |
+          echo "Checking CORS_ORIGINS for HTTPS staging domains..."
+
+          # Extract CORS_ORIGINS lines and check they include staging domains
+          CORS_LINES=$(grep "CORS_ORIGINS:" docker-compose.staging.yml || true)
+
+          if [ -n "$CORS_LINES" ]; then
+            # Check if any CORS line has HTTP staging domains (not localhost)
+            HTTP_CORS=$(echo "$CORS_LINES" | grep -E 'http://[a-z]+\.staging\.manacore\.ai' || true)
+
+            if [ -n "$HTTP_CORS" ]; then
+              echo ""
+              echo "::error::Found HTTP (non-HTTPS) staging domains in CORS_ORIGINS!"
+              echo "$HTTP_CORS"
+              exit 1
+            fi
+          fi
+
+          echo "CORS origins are correctly configured"
+
+      - name: Summary
+        run: |
+          echo ""
+          echo "======================================"
+          echo "Staging Configuration Check: PASSED"
+          echo "======================================"
+          echo ""
+          echo "All checks passed:"
+          echo "  - No HTTP IP addresses in _CLIENT URLs"
+          echo "  - All external _CLIENT URLs use HTTPS"
+          echo "  - CORS origins correctly configured"

docs/GIT_WORKFLOW.md

@@ -224,6 +224,58 @@ git checkout till-dev
 git reset --hard origin/dev
 ```
 
+## Critical Configuration Files
+
+### Protected Files (CODEOWNERS)
+
+The following files are protected via `.github/CODEOWNERS` and require team lead review:
+
+| File | Reason |
+|------|--------|
+| `docker-compose.staging.yml` | Staging deployment config |
+| `docker-compose.production.yml` | Production deployment config |
+| `docker/caddy/Caddyfile.*` | Reverse proxy configuration |
+| `.github/workflows/cd-*.yml` | Deployment pipelines |
+
+### Configuration Conflict Prevention
+
+**Problem:** When rebasing a long-lived branch, configuration files can accidentally overwrite critical settings (e.g., HTTPS URLs reverted to HTTP).
+
+**Solution:** Always review configuration files carefully during rebase conflicts:
+
+```bash
+# During rebase, if docker-compose.staging.yml has conflicts:
+git diff HEAD -- docker-compose.staging.yml  # See what changed
+
+# Key things to verify:
+# 1. _CLIENT URLs use HTTPS staging domains (not HTTP IP addresses)
+# 2. CORS_ORIGINS include all HTTPS staging domains
+# 3. Environment variables haven't regressed
+```
+
+### Staging URL Rules
+
+**NEVER** use HTTP IP addresses for `_CLIENT` variables:
+
+```yaml
+# WRONG - HTTP IP address
+PUBLIC_MANA_CORE_AUTH_URL_CLIENT: http://46.224.108.214:3001
+
+# CORRECT - HTTPS staging domain
+PUBLIC_MANA_CORE_AUTH_URL_CLIENT: https://auth.staging.manacore.ai
+```
+
+**CI Check:** The `staging-config-check.yml` workflow validates this on every PR that touches `docker-compose.staging.yml`.
+
+### Rebase Checklist for Config Files
+
+Before completing a rebase that touched configuration files:
+
+- [ ] `_CLIENT` URLs use `https://*.staging.manacore.ai` format
+- [ ] `CORS_ORIGINS` include all HTTPS staging domains
+- [ ] No HTTP IP addresses in client-facing URLs
+- [ ] Caddy config matches docker-compose port mappings
+
 ## Troubleshooting
 
 ### "fatal: no rebase in progress"