docs: add ONBOARDING.md engineering onboarding guide

[nollymar]

What

Adds a consolidated ONBOARDING.md at the repo root — the Engineering department's onboarding entry point, designed to be opened in Claude Code.

Closes #36113

Why

We had two partially-overlapping, stale onboarding docs (dotBackendOnboarding.md, dotFrontendOnboarding.md) pinned to old versions (Node 18, Angular 18, PrimeNG 17, Nx 19). This consolidates the still-useful content into one current guide that complements CLAUDE.md instead of duplicating it, and links back to the two discipline-specific guides for deeper detail.

What's in it

• Day-one setup — sdk env install / nvm use, just commands, Docker-by-default, recommended IDEs, and the Apple Silicon / Puppeteer Chromium fix
• Codebase mental model — com.dotcms.* (modern) vs com.dotmarketing.* (legacy); backend vs frontend build worlds
• Fast testing — targeted integration tests, IDE loop, Postman, Spectator conventions (never the full suite)
• Repo landmines — BOM-only versions, auto-generated openapi.yaml, Config/Logger, REST @Schema
• Local config — admin password, feature flags (on-by-default, DOT_ prefix, FeatureFlagName.java reference), JSP/Tomcat mounting, language overrides
• First-PR flow — including how the GitHub native merge queue works (merge_group branch, required checks: tests + security + 1 approval, ~1h average to merge)
• Claude Code skills available in the repo
• People & comms — Slack channels (#eng, #eng-adrs, #be-code-review, #guild-*, #feat-*, #team-*); everything else points to the How we do Engineering doc

Versions corrected throughout to Java 25, Node 22.15+, Angular 19+.

Also links to the discipline-specific dotFrontendOnboarding.md and dotBackendOnboarding.md guides.

Intentionally excluded

• dotCMS Utilities
• License setup
• Enterprise proxy / network setup (removed — not needed)

Status

All team-specific placeholders have been filled in — no <<PLACEHOLDER>> values remain. Ready for review.

Remaining follow-up (not blocking):

• Decide whether to delete/redirect the old dotBackendOnboarding.md / dotFrontendOnboarding.md

🤖 Generated with Claude Code

[claude]

Claude finished @nollymar's task in 46s —— View job

---

Rollback Safety Analysis

• Read rollback-unsafe categories reference
• Get full PR diff
• Analyze changes against unsafe categories
• Apply appropriate label

---

Result: ✅ Safe to Roll Back

All three changed files are pure documentation:

File	Change
CLAUDE.md	1-line version bump: Angular 19+ → 21+
ONBOARDING.md	New file — 296 lines of onboarding docs
dotFrontendOnboarding.md	Tech stack version numbers updated (Angular, PrimeNG, Nx, Node)

None of the changes touch any rollback-unsafe category:

• No database migrations / runonce tasks
• No Elasticsearch mapping changes
• No contentlet_as_json model version bump
• No DROP TABLE / DROP COLUMN / RENAME
• No REST/GraphQL API contract changes
• No OSGi interface changes
• No binary storage provider changes

The label AI: Safe To Rollback has been applied.

[github-actions]

🤖 Bedrock Review — qwen.qwen3-next-80b-a3b

No issues found.

---

_{Run: #28128759972 · tokens: in: 4764 · out: 14 · total: 4778}

[github-actions]

🤖 Bedrock Review — qwen.qwen3-next-80b-a3b

New Issues

• 🟡 Medium: ONBOARDING.md:288 — Suggests using export DOT_INITIAL_ADMIN_PASSWORD=admin without warning that this password is stored in shell history and may be logged in CI/CD environments; no guidance on secure secret handling (e.g., vaults, encrypted env vars). Assumption: This value is used in production-like environments. What to verify: Whether DOT_INITIAL_ADMIN_PASSWORD is ever used outside dev/local setup, and if so, whether it's being passed via insecure channels in CI.

Existing

• No prior findings to recheck.

Resolved

• No resolved items.

---

_{Run: #28129231461 · tokens: in: 4749 · out: 188 · total: 4937}

[github-actions]

🤖 Bedrock Review — qwen.qwen3-next-80b-a3b

New Issues

• 🟡 Medium: ONBOARDING.md:288 — Suggests using DOT_INITIAL_ADMIN_PASSWORD without warning about insecure storage in shell history or CI/CD environments (repeats prior finding)

Existing

• 🟡 Medium: ONBOARDING.md:288 — Suggests using DOT_INITIAL_ADMIN_PASSWORD without warning about insecure storage in shell history or CI/CD environments

Resolved

• ✅ dotFrontendOnboarding.md:7-11 — Angular/Node/Nx version updates are accurate and aligned with .nvmrc and repo requirements; no convention violation introduced.

---

_{Run: #28130244057 · tokens: in: 5139 · out: 191 · total: 5330}

[github-actions]

🤖 Bedrock Review — qwen.qwen3-next-80b-a3b

New Issues

• 🟡 Medium: ONBOARDING.md:288 — Suggests using DOT_INITIAL_ADMIN_PASSWORD without warning about insecure storage in shell history or CI/CD environments

Existing

• 🟡 Medium: ONBOARDING.md:288 — Prior finding still present (unchanged or incomplete fix)

Resolved

• ✅ CLAUDE.md:87 — Frontend Angular version update from 19+ to 21+ is intentional and aligned with dotFrontendOnboarding.md

---

_{Run: #28131029699 · tokens: in: 5358 · out: 171 · total: 5529}

[mergify]

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

• Queue this pull request

[fabrizzio-dotCMS]

Shouldn't this also include the setup of PGP for verified commits?

[nollymar]

good point! yes!

[fabrizzio-dotCMS]

test-karate ?

[fabrizzio-dotCMS]

Perhaps a section explaining what a starter is
Where and how it gets deployed
and a link to our artifactory