refactor: remove grades, reframe README ownership, rename week-prefixed folders to descriptive names

README.md

@@ -19,9 +19,9 @@
 
 ---
 
-## 🎯 Who This Is For
+## 🎯 About This Portfolio
 
-This portfolio is for engineering teams evaluating candidates for **Senior Cloud Engineer**, **DevSecOps Engineer**, or **Site Reliability Engineer** roles. Every project here solves a real engineering problem — not a tutorial exercise — using production-grade patterns, documented architectural decisions, and automated security validation.
+This is my production engineering portfolio. Every project solves a real infrastructure or security problem using production-grade patterns, documented architectural decisions, and automated security validation — no tutorials, no toy apps.
 
 ---
 
@@ -30,17 +30,17 @@ This portfolio is for engineering teams evaluating candidates for **Senior Cloud
 ```
 CloudDefense Engineering Portfolio
 │
-├── 🚀  KubeScale Platform         k8s-ecommerce-project/    Grade: A+
-├── 🔄  HA AWS Architecture        week8-ha-deploy/           Grade: A+
-├── 🛡️  S3 Secure Storage          week3-s3-localstack/       Grade: A+
-├── 🏛️  Enterprise Governance       governance/                Grade: A+
-├── ⚡  SOAR Threat Automation      automation/                Grade: A+
-├── 🔬  DFIR Investigation          forensics/                 Grade: A+
-├── 🏗️  Local Deploy (w5)           week5-local-deploy/        Grade: A
-├── 🔍  Full Security Stack (w6)    week6-deploy/              Grade: A
-├── 🧩  Reusable Terraform Modules  modules/                   Grade: A+
-├── 🔐  CI/CD Security Pipeline     .github/workflows/         Grade: A+
-└── 📚  Architecture Decision Records docs/adr/               Grade: A+
+├── 🚀  KubeScale Platform           k8s-ecommerce-project/
+├── 🔄  HA AWS Architecture          ha-aws-architecture/
+├── 🛡️  S3 Secure Storage            s3-secure-storage/
+├── 🏛️  Enterprise Governance         governance/
+├── ⚡  SOAR Threat Automation        automation/
+├── 🔬  DFIR Investigation            forensics/
+├── 🏗️  Secure Infrastructure (IaC)   aws-foundation/
+├── 🔍  Full Security Stack           security-stack/
+├── 🧩  Reusable Terraform Modules    modules/
+├── 🔐  CI/CD Security Pipeline       .github/workflows/
+└── 📚  Architecture Decision Records docs/adr/
 ```
 
 ---
@@ -67,7 +67,7 @@ The flagship project. An 11-service polyglot e-commerce platform running on Kube
 ---
 
 ### 2. �� High-Availability AWS Architecture
-**[→ View Project](./week8-ha-deploy)**
+**[→ View Project](./ha-aws-architecture)**
 
 Transforms a single server into a self-healing, multi-AZ fleet protected by WAF and monitored by GuardDuty — demonstrating the AWS Well-Architected Framework in code.
 
@@ -213,10 +213,10 @@ Formal documentation of major architectural decisions — demonstrating senior-l
 │   ├── email-service/          # Custom Python microservice (Flask + gunicorn)
 │   ├── finops/                 # LocalStack Pro docker-compose for zero-cost AWS emulation
 │   └── microservices-demo/     # Google Online Boutique source (all 11 services)
-├── week8-ha-deploy/            # HA Architecture: WAF + ALB + ASG + CloudTrail + GuardDuty
-├── week6-deploy/               # Full security stack: VPC + IAM + CloudTrail + GuardDuty + EC2
-├── week5-local-deploy/         # Foundation: VPC + IAM + hardened EC2
-├── week3-s3-localstack/        # Secure storage: S3 + KMS + TLS-only + versioning + lifecycle
+├── ha-aws-architecture/        # HA Architecture: WAF + ALB + ASG + CloudTrail + GuardDuty
+├── security-stack/             # Full security stack: VPC + IAM + CloudTrail + GuardDuty + EC2
+├── aws-foundation/             # Foundation: VPC + IAM + hardened EC2
+├── s3-secure-storage/          # Secure storage: S3 + KMS + TLS-only + versioning + lifecycle
 ├── governance/                 # Enterprise SCPs: 3 policies at org root
 ├── automation/                 # SOAR: Python NACL remediation + pytest test suite
 ├── forensics/                  # DFIR: MITRE ATT&CK mapped investigation

automation/auto_remediate_nacl.py

@@ -98,7 +98,7 @@ def find_vpc_id(ec2: boto3.client) -> str:
     vpcs = response.get("Vpcs", [])
     if not vpcs:
         raise VPCNotFoundError(
-            "No VPC found. Ensure Terraform has been applied in week8-ha-deploy."
+            "No VPC found. Ensure Terraform has been applied in ha-aws-architecture."
         )
 
     vpc_id = vpcs[0]["VpcId"]

week5-local-deploy/README.md → aws-foundation/README.md

@@ -62,10 +62,10 @@ Deploy a fully hardened, modular web server infrastructure using Terraform — d
 ## 3. Deployment
 
 ```bash
-cd week5-local-deploy
+cd aws-foundation
 
 # Start LocalStack
-docker-compose -f ../week3-s3-localstack/localstack-docker-compose.yml up -d
+docker-compose -f ../s3-secure-storage/localstack-docker-compose.yml up -d
 
 # Deploy
 terraform init
@@ -89,4 +89,4 @@ iam_instance_profile  = "local-ec2-profile"
 ---
 
 **Author:** Jimoh Sodiq Bolaji  
-**Next Project:** [week6-deploy](../week6-deploy) — adds CloudTrail + GuardDuty security monitoring layer
+**Next Project:** [security-stack](../security-stack) — adds CloudTrail + GuardDuty security monitoring layer

week5-local-deploy/main.tf → aws-foundation/main.tf

@@ -1,4 +1,4 @@
-# week5-local-deploy/main.tf
+# aws-foundation/main.tf
 # First full-stack local deployment: VPC + IAM + Security + Hardened EC2.
 # All four modules work together to create a production-mirrored local environment.
 # Demonstrates the module composition pattern used in all subsequent projects.
@@ -50,7 +50,7 @@
 # Inbound: HTTP from internet only
 # Outbound: Restricted to VPC CIDR (defence-in-depth, prevents exfiltration)
 # =============================================================================
 resource "aws_security_group" "web_sg" {
     name        = "web-server-sg"
     description = "Allow HTTP inbound; restrict egress to VPC"
     vpc_id      = module.vpc.vpc_id
@@ -76,7 +76,7 @@
 # EC2 WEB SERVER — Hardened Configuration
 # Security controls: IMDSv2, encrypted root volume, IAM role, no public IP
 # =============================================================================
 resource "aws_instance" "web" {
     ami                    = "ami-12345678"        # LocalStack dummy AMI
     instance_type          = "t2.micro"
     subnet_id              = module.vpc.public_subnet_id
@@ -102,7 +102,7 @@
     }
 
     tags = {
-        Name        = "Week5-Secure-WebServer"
+        Name        = "Secure-WebServer"
         Environment = "local"
         ManagedBy   = "Terraform"
     }

week5-local-deploy/outputs.tf → aws-foundation/outputs.tf

@@ -1,4 +1,4 @@
-# week5-local-deploy/outputs.tf
+# aws-foundation/outputs.tf
 
 output "vpc_id" {
     description = "VPC ID"

docs/adr/ADR-002-terraform-remote-state.md

@@ -26,7 +26,7 @@ Adopt the **S3 Remote Backend with DynamoDB State Locking** pattern for all prod
 terraform {
   backend "s3" {
     bucket         = "my-org-terraform-state"    # Dedicated state bucket
-    key            = "week8-ha-deploy/terraform.tfstate"
+    key            = "ha-aws-architecture/terraform.tfstate"
     region         = "us-east-1"
     encrypt        = true                        # SSE-KMS encryption at rest
     dynamodb_table = "terraform-state-lock"      # Prevents concurrent applies

governance/README.md

@@ -94,7 +94,7 @@ Denies all API actions performed by root account credentials. Root accounts shou
 cd governance
 
 # Start LocalStack Pro (organizations service required)
-docker-compose -f ../week3-s3-localstack/localstack-docker-compose.yml up -d
+docker-compose -f ../s3-secure-storage/localstack-docker-compose.yml up -d
 
 # Deploy governance stack
 terraform init

week8-ha-deploy/README.md → ha-aws-architecture/README.md

@@ -101,7 +101,7 @@ This project spans **two AZs** (`us-east-2a`, `us-east-2b`) — the minimum for
 ## 4. Module Architecture
 
 ```
-week8-ha-deploy/
+ha-aws-architecture/
 └── main.tf                 (Composes all modules)
     ├── ../modules/logging   → S3 bucket (KMS, versioning, TLS-only, lifecycle)
     ├── ../modules/security  → CloudTrail + GuardDuty
@@ -129,7 +129,7 @@ week8-ha-deploy/
 - Terraform ≥ 1.5.0
 
 ```bash
-cd week8-ha-deploy
+cd ha-aws-architecture
 
 # Initialise and validate
 terraform init

week8-ha-deploy/main.tf → ha-aws-architecture/main.tf

@@ -1,4 +1,4 @@
-# week8-ha-deploy/main.tf
+# ha-aws-architecture/main.tf
 # High-Availability, Fault-Tolerant AWS Web Application Infrastructure.
 # Architecture: WAF → ALB (multi-AZ) → ASG (auto-scaling EC2 fleet) → CloudTrail
 #
@@ -148,7 +148,7 @@
 # SECURITY GROUP: APPLICATION LOAD BALANCER
 # Internet-facing — accepts HTTP and HTTPS only
 # =============================================================================
 resource "aws_security_group" "alb_sg" {
     name        = "ha-alb-sg"
     description = "Allow Internet to ALB on HTTP and HTTPS"
     vpc_id      = module.vpc.vpc_id
@@ -183,7 +183,7 @@
 # Critical pattern: only the ALB security group can reach these instances.
 # Direct internet access to instances is completely blocked.
 # =============================================================================
 resource "aws_security_group" "instance_sg" {
     name        = "ha-instance-sg"
     description = "Allow HTTP inbound ONLY from ALB security group"
     vpc_id      = module.vpc.vpc_id
@@ -279,7 +279,7 @@
 # =============================================================================
 # APPLICATION LOAD BALANCER — Multi-AZ, Internet-Facing
 # =============================================================================
 resource "aws_lb" "main" {
     name                       = "ha-load-balancer"
     internal                   = false
     load_balancer_type         = "application"

week3-s3-localstack/README.md → s3-secure-storage/README.md

@@ -96,7 +96,7 @@ kms_key_id  = "abc123-..."
 ## 5. Deployment
 
 ```bash
-cd week3-s3-localstack
+cd s3-secure-storage
 
 # Start LocalStack
 docker-compose -f localstack-docker-compose.yml up -d

week3-s3-localstack/main.tf → s3-secure-storage/main.tf

@@ -1,4 +1,4 @@
-# week3-s3-localstack/main.tf
+# s3-secure-storage/main.tf
 # Secure-by-Design S3 storage provisioned with Terraform.
 # Security controls applied:
 #   - KMS Customer Managed Key (CMK) with annual rotation
@@ -18,7 +18,7 @@ resource "aws_kms_key" "logs_key" {
 }
 
 resource "aws_kms_alias" "logs_key_alias" {
-    name          = "alias/week3-logs-key"
+    name          = "alias/s3-secure-storage-logs-key"
     target_key_id = aws_kms_key.logs_key.key_id
 }
 
@@ -29,7 +29,7 @@ resource "aws_s3_bucket" "logs" {
     bucket = var.bucket_name
 
     tags = {
-        Name      = "week3-tf-s3"
+        Name      = "s3-secure-storage"
         Env       = "dev"
         ManagedBy = "Terraform"
     }

week3-s3-localstack/outputs.tf → s3-secure-storage/outputs.tf

@@ -1,4 +1,4 @@
-# week3-s3-localstack/outputs.tf
+# s3-secure-storage/outputs.tf
 
 output "bucket_name" {
     description = "Name of the created S3 bucket"

week6-deploy/README.md → security-stack/README.md

@@ -15,11 +15,11 @@
 
 ## 🎯 Project Mission
 
-Extend the week5 infrastructure with a **full security monitoring layer** — adding CloudTrail for API audit logging and GuardDuty for ML-powered threat detection, demonstrating the complete security stack required for production cloud environments.
+Extend the **aws-foundation** infrastructure with a **full security monitoring layer** — adding CloudTrail for API audit logging and GuardDuty for ML-powered threat detection, demonstrating the complete security stack required for production cloud environments.
 
 ---
 
-## 1. What's New in Week 6
+## 1. What's Added in This Project
 
 | Component | Added | Purpose |
 | :--- | :--- | :--- |
@@ -34,7 +34,7 @@ Extend the week5 infrastructure with a **full security monitoring layer** — ad
 ## 2. Module Composition
 
 ```
-week6-deploy/main.tf
+security-stack/main.tf
 ├── module "logging"   → S3 bucket (KMS, versioning, TLS-only)
 │                          Output: bucket_name, bucket_arn
 ├── module "security"  → CloudTrail + GuardDuty
@@ -75,10 +75,10 @@ GuardDuty analyses the log pattern
 ## 4. Deployment
 
 ```bash
-cd week6-deploy
+cd security-stack
 
 # Start LocalStack Pro
-docker-compose -f ../week3-s3-localstack/localstack-docker-compose.yml up -d
+docker-compose -f ../s3-secure-storage/localstack-docker-compose.yml up -d
 
 terraform init
 terraform apply -auto-approve
@@ -100,4 +100,4 @@ iam_instance_profile = "local-ec2-profile"
 ---
 
 **Author:** Jimoh Sodiq Bolaji  
-**Progression:** [week5-local-deploy](../week5-local-deploy) → **week6-deploy** → [week8-ha-deploy](../week8-ha-deploy) (HA + WAF + ALB)
+**Progression:** [aws-foundation](../aws-foundation) → **security-stack** → [ha-aws-architecture](../ha-aws-architecture) (HA + WAF + ALB)

week6-deploy/main.tf → security-stack/main.tf

@@ -1,6 +1,6 @@
-# week6-deploy/main.tf
+# security-stack/main.tf
 # Full-stack local deployment: VPC + IAM + Security Monitoring + Hardened EC2.
-# Extends week5 by adding CloudTrail audit trail and GuardDuty threat detection,
+# Extends aws-foundation by adding CloudTrail audit trail and GuardDuty threat detection,
 # demonstrating the "Security Layer" composition pattern.
 
 terraform {

week6-deploy/outputs.tf → security-stack/outputs.tf

@@ -1,4 +1,4 @@
-# week6-deploy/outputs.tf
+# security-stack/outputs.tf
 
 output "vpc_id" {
     description = "VPC ID"