forgot to add ovvoc to rejected tools

docs/pipeline-overview.md

@@ -152,3 +152,12 @@ To achieve this, the architecture utilizes "Defense in Depth," split across seve
 
 ### ❌ CrowdSec / Local WAFs
 *   **Why it was rejected:** Because the cluster's sole ingress is routed through Cloudflare Tunnels, malicious traffic and automated DDoS attempts are filtered at Cloudflare's edge network. Running a secondary WAF inside the cluster wastes compute resources to solve a problem that was already mitigated before the traffic reached the home network.
+
+Here is a concise, professional summary formatted to drop directly into your ADR's **"Tools Explicitly Evaluated and Rejected (The 'Why Not?' List)"** section:
+
+### ❌ Ovvoc (Automated Dependency Updates & Code Migration)
+* **What it does:** An advanced dependency updater that goes beyond version bumping by using AST transforms and AI to actively rewrite application code to fix breaking changes (e.g., migrating Express 4 to 5).
+* **Why it was rejected:** 
+  * **Cost-Prohibitive:** At $49/month for a single repository (and $249/month for up to 6), the enterprise pricing is not sustainable for a solo homelab environment.
+  * **Redundant AI Capabilities:** Because this architecture already relies heavily on local AI-assisted development (e.g., Cursor, Copilot, or Aider), local AI agents can easily be prompted to fix the occasional breaking change in seconds at no additional cost. 
+  * **Diminishing Returns:** The vast majority of security vulnerabilities are patched in non-breaking minor or patch updates. **Renovate Bot** handles these perfectly for free. Ovvoc solves a problem (major version breaking changes) that is too infrequent in a homelab to justify the extreme price tag.