improve(engineering): enhance tdd-guide, env-secrets-manager, senior-secops, database-designer, senior-devops

tdd-guide (164 → 412 lines):
- Spec-first workflow, per-language examples (TS/Python/Go)
- Bounded autonomy rules, property-based testing, mutation testing

env-secrets-manager (78 → 260 lines):
- Cloud secret store integration (Vault, AWS SM, Azure KV, GCP SM)
- Secret rotation workflow, CI/CD injection, pre-commit detection, audit logging

senior-secops (422 → 505 lines):
- OWASP Top 10 quick-check, secret scanning tools comparison
- Supply chain security (SBOM, Sigstore, SLSA levels)

database-designer (66 → 289 lines):
- Query patterns (JOINs, CTEs, window functions), migration patterns
- Performance optimization (indexing, EXPLAIN, N+1, connection pooling)
- Multi-DB decision matrix, sharding & replication

senior-devops (275 → 323 lines):
- Multi-cloud cross-references (AWS, Azure, GCP architects)
- Cloud-agnostic IaC section (Terraform/OpenTofu, Pulumi)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reza Rezvani
2026-03-25 13:49:25 +01:00
parent 7a2189fa21
commit 67e2bfabfa
5 changed files with 784 additions and 0 deletions
@@ -270,6 +270,54 @@ kubectl get pods -n production -l app=myapp
curl -sf https://app.example.com/healthz || echo "ROLLBACK FAILED — escalate"
```
## Multi-Cloud Cross-References
Use these companion skills for cloud-specific deep dives:
| Skill | Cloud | Use When |
|-------|-------|----------|
| **aws-solution-architect** | AWS | ECS/EKS, Lambda, VPC design, cost optimization |
| **azure-cloud-architect** | Azure | AKS, App Service, Virtual Networks, Azure DevOps |
| **gcp-cloud-architect** | GCP | GKE, Cloud Run, VPC, Cloud Build *(coming soon)* |
**Multi-cloud vs single-cloud decision:**
- **Single-cloud** (default) — lower operational complexity, deeper managed-service integration, better cost leverage with committed-use discounts
- **Multi-cloud** — required when mandated by compliance/data residency, acquiring companies on different clouds, or needing best-of-breed services across providers (e.g., AWS for compute + GCP for ML)
- **Hybrid** — on-prem + cloud; use when regulated workloads must stay on-prem while burst/non-sensitive workloads run in the cloud
> Start single-cloud. Add a second cloud only when there is a concrete business or compliance driver — not for theoretical redundancy.
---
## Cloud-Agnostic IaC
### Terraform / OpenTofu (Default Choice)
Terraform (or its open-source fork OpenTofu) is the recommended IaC tool for most teams:
- Single language (HCL) across AWS, Azure, GCP, and 3,000+ providers
- State management with remote backends (S3, GCS, Azure Blob)
- Plan-before-apply workflow prevents drift surprises
- Cross-reference **terraform-patterns** for module structure, state isolation, and CI/CD integration
### Pulumi (Programming Language IaC)
Choose Pulumi when the team strongly prefers TypeScript, Python, Go, or C# over HCL:
- Full programming language — loops, conditionals, unit tests native
- Same cloud provider coverage as Terraform
- Easier onboarding for dev teams that resist learning HCL
### When to Use Cloud-Native IaC
| Tool | Use When |
|------|----------|
| **CloudFormation** | AWS-only shop; need native AWS support (StackSets, Service Catalog) |
| **Bicep** | Azure-only shop; simpler syntax than ARM templates |
| **Cloud Deployment Manager** | GCP-only; rare — most GCP teams prefer Terraform |
> **Rule of thumb:** Use Terraform/OpenTofu unless you are 100% committed to a single cloud AND the cloud-native tool offers a feature Terraform cannot replicate (e.g., AWS Service Catalog integration).
---
## Troubleshooting
Check the comprehensive troubleshooting section in `references/deployment_strategies.md`.
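Review bot: the Terraform / OpenTofu bullet "State management with remote backends (S3, GCS, Azure Blob)" names the backends but omits the handling requirements a senior-devops skill should state: Terraform state stores resource attributes in plaintext, including any secrets providers return (database passwords, generated keys), so the bullet should require encryption at rest on the backend, state locking against concurrent applies, read access limited to the identity that runs `plan`/`apply`, and state isolated per environment rather than one shared file. Suggested wording: "State management with remote backends (S3, GCS, Azure Blob): encrypt at rest, enable locking, restrict read access since state holds secrets in plaintext, isolate state per environment". The following bullet, "Plan-before-apply workflow prevents drift surprises", overstates it: `plan` surfaces drift so it can be reviewed before `apply`; it does not prevent drift, and "surfaces drift before apply" would be accurate. Minor: the `gcp-cloud-architect` row in the cross-reference table is marked *(coming soon)* while the intro says "Use these companion skills"; either drop the row until the skill exists or state that the reference is not yet resolvable, so readers are not sent to a missing file.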