[CLAUDE] Docs: tick Phase 5 Prep items in migration-todos

Follow-up: migration-todos Phase 5 section update bi miss trong commit truoc (Edit bi block boi system reminder). Apply lai:
- Tick 14 items Prep xong
- Split 'Deploy that (can Gitea URL)' va 'Phase 5.1 Security hardening'

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/changelog/migration-todos.md

@@ -182,22 +182,44 @@
 
 ## Phase 5 — Production (T12-13)
 
-- [ ] `docs/guides/cicd.md` — CI/CD runbook
-- [ ] Gitea Actions workflow `.gitea/workflows/deploy.yml` — build .NET + 2 FE, deploy IIS qua SSH/WinRM
-- [ ] Pin Node 20.x trong workflow, test CI sớm (không để surprise cuối dự án)
-- [ ] `scripts/deploy-iis.ps1` — stop app pool, xcopy, start app pool
+### Prep xong (code + scripts + docs)
+
+- [x] `docs/guides/cicd.md` — CI/CD runbook
+- [x] Gitea Actions workflow `.gitea/workflows/deploy.yml` — build .NET + 2 FE, deploy IIS qua WinRM
+- [x] Pin Node `.nvmrc` 20 (gotcha #5)
+- [x] `scripts/deploy-iis.ps1` — stop pool → backup → xcopy → start → health check
+- [x] `scripts/backup-sql.ps1` — daily BACKUP DATABASE + COMPRESSION + retention 30d
+- [x] `appsettings.Production.json` template + user secrets pattern
+- [x] Rate limiting (built-in .NET 10) — auth-login 5/min + global 300/min
+- [x] Health check `/health/live` + `/health/ready` (DB probe)
+- [x] Serilog File sink rolling daily retention 30d
+- [x] HSTS production (1 year)
+- [x] `docs/guides/deployment-iis.md` — setup lần đầu + troubleshooting
+- [x] `docs/guides/security-checklist.md` — OWASP top 10
+- [x] `docs/guides/runbook.md` — operations (restart, rollback, restore)
+- [x] FE refresh token auto interceptor (queue pattern cả 2 app)
+
+### Deploy thật (cần Gitea URL)
+
 - [ ] Windows Server setup: IIS + URL Rewrite + ARR (reverse proxy FE → IIS)
-- [ ] SQL Server prod: backup plan daily + weekly full
-- [ ] HTTPS certificate (Let's Encrypt qua win-acme hoặc mua cert)
-- [ ] `appsettings.Production.json` + user secrets
-- [ ] Security audit: owasp top 10 check
-- [ ] Rate limiting middleware (AspNetCoreRateLimit hoặc built-in)
-- [ ] Health check endpoint `/health` cho IIS probe
-- [ ] Error tracking: Serilog → file rolling daily, retention 30 ngày
-- [ ] Runbook: restart app, rollback migration, restore backup
+- [ ] SQL Server prod + Task Scheduler trigger backup-sql.ps1
+- [ ] HTTPS certificate (Let's Encrypt qua win-acme)
+- [ ] Gitea remote setup + push all commits
+- [ ] Set 5 Gitea Actions secrets (IIS_HOST/USER/PASSWORD/JWT_SECRET/DB_CONNECTION)
+- [ ] Enable Gitea runner (Windows + Ubuntu)
+- [ ] Test CI/CD workflow lần đầu staging
 - [ ] UAT production 1 tuần với 2-3 user thật
 - [ ] Go-live checklist: backup, rollback plan, on-call contact
 
+### Phase 5.1 Security hardening
+
+- [ ] Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy)
+- [ ] Identity account lockout (5 fail → 15min lock) — config trong `DependencyInjection.cs`
+- [ ] Password policy min 12 chars production
+- [ ] IDOR check ContractsController — user Drafter chỉ xem HĐ mình tạo hoặc có role giữ phase
+- [ ] Dependencies scan vào CI (`dotnet list package --vulnerable --include-transitive`, `npm audit --audit-level=high`)
+- [ ] Admin mặc định: đổi password prod hoặc disable sau setup user thật
+
 ## Post-launch (Phase 6+ — future)
 
 - [ ] E-signature integration (VNPT CA hoặc FPT CA)