docs: add Phase 3 validation strategy and project specifications

- Add 03-VALIDATION.md for Phase 3 (Lab 02 Network & VPC)
- Add CLAUDE.md v3.3 with hybrid agent-based development standards
- Add prd.md with product requirements for cloud course

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.planning/phases/03-lab-02-network-vpc/03-VALIDATION.md

@@ -0,0 +1,95 @@
+---
+phase: 3
+slug: lab-02-network-vpc
+status: draft
+nyquist_compliant: false
+wave_0_complete: false
+created: 2026-03-25
+---
+
+# Phase 3 — Validation Strategy
+
+> Per-phase validation contract for network isolation and VPC simulation testing.
+
+---
+
+## Test Infrastructure
+
+| Property | Value |
+|----------|-------|
+| **Framework** | bash (test scripts) |
+| **Config file** | none |
+| **Quick run command** | `bash labs/lab-02-network/tests/quick-test.sh` |
+| **Full suite command** | `bash labs/lab-02-network/tests/run-all-tests.sh` |
+| **Estimated runtime** | ~30 seconds |
+
+---
+
+## Sampling Rate
+
+- **After every task commit:** Run `bash labs/lab-02-network/tests/quick-test.sh`
+- **After every plan wave:** Run `bash labs/lab-02-network/tests/run-all-tests.sh`
+- **Before `/gsd:verify-work`:** Full suite must be green
+- **Max feedback latency:** 30 seconds
+
+---
+
+## Per-Task Verification Map
+
+| Task ID | Plan | Wave | Requirement | Test Type | Automated Command | File Exists | Status |
+|---------|------|------|-------------|-----------|-------------------|-------------|--------|
+| 03-01-01 | 01 | 1 | LAB-02, TEST-01 | unit | `bash labs/lab-02-network/tests/test-network-isolation.sh` | ❌ W0 | ⬜ pending |
+| 03-01-02 | 01 | 1 | INF-02 | integration | `bash labs/lab-02-network/tests/test-private-network-no-expose.sh` | ❌ W0 | ⬜ pending |
+| 03-02-01 | 02 | 1 | DOCT-01, DOCT-02 | documentation | File existence check | ❌ W0 | ⬜ pending |
+| 03-03-01 | 03 | 2 | LAB-02, INF-02 | infrastructure | `docker-compose config` + container ping test | ❌ W0 | ⬜ pending |
+
+*Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky*
+
+---
+
+## Wave 0 Requirements
+
+- [ ] `labs/lab-02-network/tests/test-network-isolation.sh` — stubs for network isolation tests
+- [ ] `labs/lab-02-network/tests/test-private-network-no-expose.sh` — stubs for INF-02 compliance
+- [ ] `labs/lab-02-network/tests/run-all-tests.sh` — test orchestration script
+- [ ] `labs/lab-02-network/tests/quick-test.sh` — quick validation script
+
+---
+
+## Manual-Only Verifications
+
+| Behavior | Requirement | Why Manual | Test Instructions |
+|----------|-------------|------------|-------------------|
+| Visual verification of network topology | LAB-02 | Requires human interpretation of docker network ls output | Student runs `docker network ls` and compares to expected VPC structure |
+| Documentation completeness | DOCT-01, DOCT-02, DOCT-03, DOCT-04 | Requires human judgment of Diátaxis quadrant coverage | Instructor reviews all 4 quadrants for completeness |
+
+---
+
+## Validation Sign-Off
+
+- [ ] All tasks have `<automated>` verify or Wave 0 dependencies
+- [ ] Sampling continuity: no 3 consecutive tasks without automated verify
+- [ ] Wave 0 covers all MISSING references
+- [ ] No watch-mode flags
+- [ ] Feedback latency < 30s
+- [ ] `nyquist_compliant: true` set in frontmatter
+
+**Approval:** pending
+
+---
+
+## Integration Points
+
+### Phase 2 Dependencies
+- IAM concepts from Lab 01 are foundational but Network lab can run independently
+- Test script patterns from Phase 2 (run-all-tests.sh, color output) should be reused
+
+### Future Phase Dependencies
+- Lab 04 (Storage & S3) will use networks created in this phase
+- Lab 05 (Database) will place database in private network created here
+- Network isolation is prerequisite for multi-tier architecture
+
+### INF-02 Compliance Verification
+- Private networks must NOT expose ports on 0.0.0.0
+- Test verifies `docker-compose config` output for `127.0.0.1:PORT:PORT` pattern
+- Manual verification: `netstat -tlnp | grep docker` shows no 0.0.0.0 bindings for private services