100xprism 2.3.1

package/modules/churn-prevention/references/dunning-playbook.md

@@ -0,0 +1,408 @@
+# Dunning Playbook
+
+Complete guide to recovering failed payments and reducing involuntary churn.
+
+---
+
+## Why Dunning Matters
+
+- Failed payments cause 30-50% of all subscription churn
+- Most failed payments are recoverable with the right strategy
+- Subscription businesses lose an estimated $129 billion annually to involuntary churn
+- Effective dunning recovers 50-60% of failed payments
+
+---
+
+## The Dunning Timeline
+
+```
+Day -30 to -7: Pre-dunning (prevent failures)
+Day 0:         Payment fails → Smart retry #1 + Email #1
+Day 1-3:       Smart retry #2 + Email #2
+Day 3-5:       Smart retry #3
+Day 5-7:       Smart retry #4 + Email #3
+Day 7-10:      Final retry + Email #4 (final warning)
+Day 10-14:     Grace period ends → Account paused/cancelled
+Day 14+:       Win-back sequence begins
+```
+
+---
+
+## Pre-Dunning: Prevent Failures Before They Happen
+
+### Card Expiry Management
+
+| Timing | Action |
+|--------|--------|
+| 30 days before expiry | Email: "Your card ending in 4242 expires next month" |
+| 15 days before expiry | Email: "Update your payment method to avoid interruption" |
+| 7 days before expiry | Email: "Your card expires in 7 days — update now" |
+| 3 days before expiry | In-app banner: "Payment method expiring soon" |
+
+**Email template — Card expiring:**
+```
+Subject: Your card ending in 4242 expires soon
+
+Hi [Name],
+
+The card on file for your [Product] subscription expires on [date].
+
+Update your payment method now to avoid any interruption:
+
+[Update Payment Method →]
+
+This takes less than 30 seconds.
+
+— [Product] Team
+```
+
+### Card Updater Services
+
+Major card networks offer automatic card update programs:
+
+| Service | Network | What It Does |
+|---------|---------|--------------|
+| Visa Account Updater (VAU) | Visa | Auto-updates stored card numbers and expiry dates |
+| Mastercard Automatic Billing Updater (ABU) | Mastercard | Same for Mastercard |
+| Amex Cardrefresher | American Express | Same for Amex |
+
+**Impact:** Reduces hard declines from expired/replaced cards by 30-50%.
+
+**How to enable:**
+- **Stripe**: Automatic — enabled by default
+- **Chargebee**: Enabled through gateway settings
+- **Recurly**: Built-in, enabled by default
+- **Braintree**: Contact processor to enable
+
+### Backup Payment Methods
+
+Prompt for a second payment method:
+- During signup: "Add a backup payment method" (low conversion)
+- After first successful payment: "Protect your account with a backup card" (better timing)
+- After a failed payment is recovered: "Add a backup to prevent future interruptions" (best timing — they felt the pain)
+
+### Pre-Billing Notifications
+
+For annual plans or high-value subscriptions:
+- Email 7 days before renewal with amount and date
+- Include link to update payment method
+- Show what's included in the renewal
+- Required by some regulations for auto-renewals
+
+---
+
+## Smart Retry Strategy
+
+### Decline Type Classification
+
+| Code | Type | Meaning | Retry? |
+|------|------|---------|--------|
+| `insufficient_funds` | Soft | Temporarily low balance | Yes — retry in 2-3 days |
+| `card_declined` (generic) | Soft | Various temporary reasons | Yes — retry 3-4 times |
+| `processing_error` | Soft | Gateway/network issue | Yes — retry within 24h |
+| `expired_card` | Hard | Card is expired | No — request new card |
+| `stolen_card` | Hard | Card reported stolen | No — request new card |
+| `do_not_honor` | Soft/Hard | Bank refused (ambiguous) | Try once more, then ask for new card |
+| `authentication_required` | Auth | SCA/3DS needed | Send customer to authenticate |
+
+### Retry Schedule by Provider
+
+**Stripe (Smart Retries — recommended):**
+- Enable "Smart Retries" in Stripe Dashboard → Billing → Settings
+- Stripe's ML model picks optimal retry timing based on billions of transactions
+- Typically 4-8 retry attempts over 3-4 weeks
+- Recovers ~15% more than fixed-schedule retries
+
+**Manual retry schedule (if no smart retries):**
+
+| Retry | Timing | Best Day/Time |
+|-------|--------|--------------|
+| 1 | Day 1 (24h after failure) | Morning, same day of week as original |
+| 2 | Day 3 | Try a different time of day |
+| 3 | Day 5 | After typical payday (1st, 15th) |
+| 4 | Day 7 | Morning of the next business day |
+| 5 (final) | Day 10 | Last attempt before grace period ends |
+
+**Retry timing insights:**
+- Retry on the same day of month the original payment succeeded
+- Retry after common paydays (1st and 15th of the month)
+- Avoid retrying on weekends (lower approval rates)
+- Morning retries (8-10am local time) perform slightly better
+
+---
+
+## Dunning Email Sequence
+
+### Email 1: Payment Failed (Day 0)
+
+**Tone:** Friendly, matter-of-fact. No alarm.
+
+```
+Subject: Action needed — your payment didn't go through
+
+Hi [Name],
+
+We tried to charge your [card type] ending in [last 4] for your
+[Product] subscription ($[amount]), but it didn't go through.
+
+This happens sometimes — usually a quick card update fixes it.
+
+[Update Payment Method →]
+
+Your access isn't affected yet. We'll retry automatically, but
+updating your card is the fastest fix.
+
+Need help? Just reply to this email.
+
+— [Product] Team
+```
+
+### Email 2: Reminder (Day 3)
+
+**Tone:** Helpful, slightly more urgent.
+
+```
+Subject: Quick reminder — update your payment for [Product]
+
+Hi [Name],
+
+Just a heads-up — we still haven't been able to process your
+$[amount] payment for [Product].
+
+[Update Payment Method →]
+
+Takes less than 30 seconds. Your [data/projects/team access]
+is safe, but we'll need a valid payment method to keep your
+account active.
+
+Questions? Reply here and we'll help.
+
+— [Product] Team
+```
+
+### Email 3: Urgency (Day 7)
+
+**Tone:** Direct, clear consequences.
+
+```
+Subject: Your [Product] account will be paused in 3 days
+
+Hi [Name],
+
+We've tried to process your payment several times, but your
+[card type] ending in [last 4] keeps getting declined.
+
+If we don't receive payment by [date], your account will be
+paused and you'll lose access to:
+
+• [Key feature/data they use]
+• [Their projects/workspace]
+• [Team access for X members]
+
+[Update Payment Method Now →]
+
+Your data won't be deleted — you can reactivate anytime by
+updating your payment method.
+
+— [Product] Team
+```
+
+### Email 4: Final Warning (Day 10)
+
+**Tone:** Final, clear, no guilt.
+
+```
+Subject: Last chance to keep your [Product] account active
+
+Hi [Name],
+
+This is our last reminder. Your payment of $[amount] is past
+due, and your account will be paused tomorrow ([date]).
+
+[Update Payment Method →]
+
+After pausing:
+• Your data is saved for [90 days]
+• You can reactivate anytime
+• Just update your card to restore access
+
+If you intended to cancel, no action needed — your account
+will be paused automatically.
+
+— [Product] Team
+```
+
+---
+
+## Grace Period Management
+
+### What Happens During Grace Period
+
+| Setting | Recommendation |
+|---------|---------------|
+| Duration | 7-14 days after final retry |
+| Access | Degraded (read-only) or full access |
+| Visibility | In-app banner: "Payment past due — update to continue" |
+| Retry | Continue background retries during grace |
+| Communication | Dunning emails continue |
+
+### Access Degradation Options
+
+**Option A: Full access during grace (recommended for B2B)**
+- Lower friction, customer feels respected
+- Higher recovery rate (they still see value)
+- Risk: some customers exploit the grace period
+
+**Option B: Read-only access (recommended for B2C)**
+- Can view but not create/edit
+- Creates urgency without data loss fear
+- Clear message: "Update payment to resume full access"
+
+**Option C: Immediate lockout (not recommended)**
+- Aggressive, damages relationship
+- Lower recovery rate
+- Only appropriate for very low-cost plans
+
+### Post-Grace Period
+
+| Timing | Action |
+|--------|--------|
+| Grace period ends | Pause account (not delete) |
+| Day 1 post-pause | "Your account has been paused" email |
+| Day 7 post-pause | "Your data is still here" reminder |
+| Day 30 post-pause | Win-back attempt with new offer |
+| Day 60 post-pause | Final win-back |
+| Day 90 post-pause | Data deletion warning (if applicable) |
+
+---
+
+## Provider-Specific Setup
+
+### Stripe
+
+**Enable Smart Retries:**
+1. Dashboard → Settings → Billing → Subscriptions and emails
+2. Enable "Smart Retries" under retry rules
+3. Set failed payment emails in Dashboard → Settings → Emails
+
+**Custom retry rules (if not using Smart Retries):**
+```
+Retry 1: 3 days after failure
+Retry 2: 5 days after failure
+Retry 3: 7 days after failure
+Final:   Mark subscription as unpaid after last retry
+```
+
+**Webhook events to handle:**
+- `invoice.payment_failed` — trigger dunning
+- `invoice.paid` — cancel dunning, restore access
+- `customer.subscription.updated` — status changes
+- `customer.subscription.deleted` — final cancellation
+
+### Chargebee
+
+**Built-in dunning:**
+1. Settings → Configure Chargebee → Retry Settings
+2. Configure retry attempts and intervals
+3. Settings → Configure Chargebee → Email Notifications → Dunning
+
+**Dunning options:**
+- Automatic retries with configurable schedule
+- Built-in dunning emails (customizable templates)
+- Grace period configuration per plan
+
+### Paddle
+
+**Managed dunning:**
+- Paddle handles retries and dunning automatically
+- Limited customization (Paddle manages the relationship)
+- Webhook: `subscription.payment_failed`, `subscription.cancelled`
+- Best for hands-off approach
+
+### Recurly
+
+**Revenue Recovery:**
+1. Configuration → Dunning Management
+2. Set retry schedule per plan
+3. Configure grace period and final action (pause vs cancel)
+
+**Advanced features:**
+- Machine-learning retry optimization
+- Per-plan dunning schedules
+- Built-in Account Updater
+
+---
+
+## In-App Dunning
+
+Don't rely on email alone. Show payment failures in the app:
+
+### Banner Pattern
+```
+┌──────────────────────────────────────────────────────┐
+│ ⚠ Your payment of $29 failed. Update your card to    │
+│ avoid losing access. [Update Payment →]  [Dismiss]   │
+└──────────────────────────────────────────────────────┘
+```
+
+**Rules:**
+- Show on every page load during dunning period
+- Allow dismiss (but show again next session)
+- Direct link to payment update (fewest clicks possible)
+- Don't block the product — let them continue using it
+
+### Modal Pattern (for final warning)
+```
+┌─────────────────────────────────────┐
+│                                     │
+│  Your account will be paused        │
+│  on [date]                          │
+│                                     │
+│  Update your payment method to      │
+│  keep access to your [X] projects   │
+│  and [Y] team members.              │
+│                                     │
+│  [Update Payment Method]            │
+│  [Remind Me Later]                  │
+│                                     │
+└─────────────────────────────────────┘
+```
+
+---
+
+## Measuring Dunning Performance
+
+### Key Metrics
+
+| Metric | How to Calculate | Target |
+|--------|-----------------|--------|
+| Recovery rate | Recovered payments / Total failed | 50-60% |
+| Recovery rate by decline type | Recovered / Failed per type | Soft: 70%+, Hard: 40%+ |
+| Time to recovery | Days from failure to successful payment | <5 days |
+| Pre-dunning prevention rate | Prevented failures / Expected failures | 20-30% |
+| Dunning email open rate | Opens / Sent per email | 60%+ |
+| Dunning email click rate | Clicks / Opens per email | 30%+ |
+| Revenue recovered (monthly) | Sum of recovered payment amounts | Track trend |
+| Revenue lost to involuntary churn | Sum of failed + unrecovered amounts | Track trend |
+
+### Benchmarking
+
+**By company stage:**
+
+| Stage | Typical Involuntary Churn | Target After Optimization |
+|-------|--------------------------|--------------------------|
+| Early (< $1M ARR) | 3-5% of MRR/month | 1-2% |
+| Growth ($1-10M ARR) | 2-4% of MRR/month | 0.5-1.5% |
+| Scale ($10M+ ARR) | 1-3% of MRR/month | 0.3-0.8% |
+
+### ROI Calculation
+
+```
+Monthly failed payment MRR:        $10,000
+Current recovery rate:              30% ($3,000 recovered)
+Target recovery rate:               60% ($6,000 recovered)
+Monthly improvement:                $3,000/month
+Annual improvement:                 $36,000/year
+Cost of dunning optimization:       ~$200-500/month (tooling)
+ROI:                                6-15x
+```

package/modules/cloud-security/SKILL.md

@@ -0,0 +1,240 @@
+---
+name: cloud-security
+description: Rigorous security and data privacy scan for cloud deployments. Covers GCP infrastructure hardening, data privacy (PII/GDPR/CCPA), API security, container security, and compliance.
+category: quality
+tier: on-demand
+slash_command: /cloud-security
+---
+
+# Cloud Security — Cloud Security & Data Privacy Scan
+
+Rigorous security and data privacy scan for cloud deployments. Covers GCP infrastructure hardening, data privacy (PII/GDPR/CCPA), API security, container security, and compliance.
+
+## Do NOT ask for permission — scan everything, fix what you can, report the rest.
+
+---
+
+## Step 0 — Detect cloud config
+
+```bash
+PROJECT_ROOT=$(git rev-parse --show-toplevel)
+INSTRUCTION_FILE=$(for f in CLAUDE.md AGENTS.md .cursorrules .windsurfrules; do [ -f "$PROJECT_ROOT/$f" ] && echo "$PROJECT_ROOT/$f" && break; done)
+GCP_PROJECTS=$(grep -rh "GCP_PROJECT\|GOOGLE_CLOUD_PROJECT\|gcloud.*--project" ${INSTRUCTION_FILE:-/dev/null} .env.example terraform/ 2>/dev/null | grep -oE '[a-z][a-z0-9-]{4,28}' | sort -u | grep -v "^--" || true)
+HAS_DOCKER=$(ls Dockerfile docker-compose.yml 2>/dev/null | head -1 || true)
+HAS_TERRAFORM=$(ls terraform/*.tf infra/*.tf 2>/dev/null | head -1 || true)
+```
+
+---
+
+## Section 1 — GCP IAM & Access Control
+
+For each GCP project detected:
+
+```bash
+for PROJECT in $GCP_PROJECTS; do
+  echo "=== IAM: $PROJECT ==="
+  gcloud projects get-iam-policy "$PROJECT" --format=json 2>/dev/null \
+    | python3 -c "
+import sys,json
+p=json.load(sys.stdin)
+bad=['roles/editor','roles/owner','roles/iam.securityAdmin','roles/storage.admin']
+[print('[HIGH]',b['role'],m) for b in p.get('bindings',[]) for m in b['members'] if b['role'] in bad and ('serviceAccount' in m or 'allUsers' in m)]"
+  gcloud iam service-accounts list --project="$PROJECT" --format="value(email)" 2>/dev/null \
+    | while read SA; do
+        n=$(gcloud iam service-accounts keys list --iam-account="$SA" --filter="keyType=USER_MANAGED" --format="value(KEY_ID)" 2>/dev/null | wc -l)
+        [ "$n" -gt 0 ] && echo "[HIGH] $SA: $n user-managed key(s) — use Workload Identity instead"
+      done
+  gcloud projects get-iam-policy "$PROJECT" --format=json 2>/dev/null | grep -E "allUsers|allAuthenticatedUsers" && echo "[CRITICAL] Public IAM binding found" || true
+done
+```
+
+---
+
+## Section 2 — GCP Network & Firewall
+
+```bash
+for PROJECT in $GCP_PROJECTS; do
+  echo "=== Network: $PROJECT ==="
+  gcloud compute firewall-rules list --project="$PROJECT" --format=json 2>/dev/null \
+    | python3 -c "
+import sys,json
+sp={'22','3389','5432','6379','3306','27017','6443'}
+[print('[CRITICAL] Firewall',r['name'],'port',p,'open to 0.0.0.0/0') for r in json.load(sys.stdin) if '0.0.0.0/0' in r.get('sourceRanges',[]) or '::/0' in r.get('sourceRanges',[]) for a in r.get('allowed',[]) for p in a.get('ports',[]) if str(p) in sp]"
+  gcloud sql instances list --project="$PROJECT" --format=json 2>/dev/null \
+    | python3 -c "
+import sys,json
+for i in json.load(sys.stdin):
+  n,ip=i['name'],i.get('settings',{}).get('ipConfiguration',{})
+  [print('[CRITICAL] Cloud SQL',n,'public IP open to',net['value']) if net.get('value') in ('0.0.0.0/0','::/0') else print('[MEDIUM] Cloud SQL',n,'public IP enabled') for net in ip.get('authorizedNetworks',[])] if ip.get('ipv4Enabled') else None
+  print('[HIGH] Cloud SQL',n,'SSL not required') if not ip.get('requireSsl') and ip.get('sslMode','')!='ENCRYPTED_ONLY' else print('[PASS] Cloud SQL',n,'SSL enforced')
+  print('[HIGH] Cloud SQL',n,'backups disabled') if not i.get('settings',{}).get('backupConfiguration',{}).get('enabled') else None"
+done
+```
+
+---
+
+## Section 3 — GCP Data Storage (GCS Buckets)
+
+```bash
+for PROJECT in $GCP_PROJECTS; do
+  echo "=== Storage: $PROJECT ==="
+  gcloud storage buckets list --project="$PROJECT" --format="value(name)" 2>/dev/null | while read BUCKET; do
+    gcloud storage buckets get-iam-policy "gs://$BUCKET" --format=json 2>/dev/null \
+      | grep -qE "allUsers|allAuthenticatedUsers" && echo "[CRITICAL] Bucket gs://$BUCKET is public" || true
+    [ "$(gcloud storage buckets describe "gs://$BUCKET" --format="value(iamConfiguration.uniformBucketLevelAccess.enabled)" 2>/dev/null)" != "True" ] \
+      && echo "[MEDIUM] Bucket gs://$BUCKET: uniform access not enabled" || true
+    [ "$(gcloud storage buckets describe "gs://$BUCKET" --format="value(versioning.enabled)" 2>/dev/null)" != "True" ] \
+      && echo "[LOW] Bucket gs://$BUCKET: versioning not enabled" || true
+  done
+done
+```
+
+---
+
+## Section 4 — GCP Cloud Run Security
+
+```bash
+for PROJECT in $GCP_PROJECTS; do
+  echo "=== Cloud Run: $PROJECT ==="
+  gcloud run services list --project="$PROJECT" --format=json --region=us-central1 2>/dev/null \
+    | python3 -c "
+import sys,json
+[print('[HIGH] Cloud Run',s['metadata']['name'],'env',e['name'],'may contain hardcoded secret') for s in json.load(sys.stdin) for c in s.get('spec',{}).get('template',{}).get('spec',{}).get('containers',[]) for e in c.get('env',[]) if len(e.get('value',''))>20 and not e.get('value','').startswith('\$(') and 'secretKeyRef' not in str(e)]" 2>/dev/null || true
+  gcloud run services list --project="$PROJECT" --region=us-central1 --format="value(SERVICE)" 2>/dev/null \
+    | while read SVC; do
+        gcloud run services get-iam-policy "$SVC" --project="$PROJECT" --region=us-central1 --format=json 2>/dev/null \
+          | grep -q "allUsers" && echo "[INFO] Cloud Run $SVC: public — verify app-level auth" || true
+      done
+done
+```
+
+---
+
+## Section 5 — GCP Audit Logging
+
+```bash
+for PROJECT in $GCP_PROJECTS; do
+  echo "=== Audit Logging: $PROJECT ==="
+  gcloud projects get-iam-policy "$PROJECT" --format=json 2>/dev/null \
+    | python3 -c "
+import sys,json
+p=json.load(sys.stdin)
+svcs={c['service'] for c in p.get('auditConfigs',[]) for l in c.get('auditLogConfigs',[]) if l.get('logType') in ('DATA_READ','DATA_WRITE')}
+[print('[PASS] Audit logging:',s) if s in svcs else print('[MEDIUM] Audit logging not enabled:',s) for s in ['cloudsql.googleapis.com','storage.googleapis.com','secretmanager.googleapis.com']]"
+done
+```
+
+---
+
+## Section 6 — Secret Manager Hygiene
+
+```bash
+for PROJECT in $GCP_PROJECTS; do
+  echo "=== Secrets: $PROJECT ==="
+  gcloud secrets list --project="$PROJECT" --format=json 2>/dev/null \
+    | python3 -c "
+import sys,json
+[print('[LOW] Secret',s['name'].split('/')[-1],'no rotation policy') for s in json.load(sys.stdin) if not s.get('rotation')]"
+done
+```
+
+---
+
+## Section 7 — Container Security (if Dockerfile present)
+
+```bash
+if [ -n "$HAS_DOCKER" ]; then
+  echo "=== Container Security ==="
+  grep -rq "^USER root\|USER 0" Dockerfile 2>/dev/null && echo "[HIGH] Dockerfile: runs as root" || \
+    { grep -q "^USER" Dockerfile 2>/dev/null && echo "[PASS] non-root USER set" || echo "[HIGH] Dockerfile: no USER directive (defaults to root)"; }
+  grep -qE "^(ARG|ENV)\s+\w+(KEY|SECRET|PASSWORD|TOKEN|PASS)=\S+" Dockerfile 2>/dev/null \
+    && echo "[CRITICAL] Dockerfile: hardcoded secret in ARG/ENV" || echo "[PASS] No hardcoded secrets"
+  grep "^FROM" Dockerfile 2>/dev/null | head -1 | grep -q ":latest" \
+    && echo "[MEDIUM] Dockerfile: base image uses :latest — pin version" || echo "[PASS] Base image pinned"
+  grep -q "^RUN chown" Dockerfile 2>/dev/null && echo "[LOW] Dockerfile: use COPY --chown instead of RUN chown" || true
+fi
+```
+
+---
+
+## Section 8 — Data Privacy: PII in Source Code
+
+Scan for PII patterns that should never appear in source code or logs.
+
+```bash
+echo "=== PII in Source Code ==="
+EXCL="--exclude-dir=node_modules --exclude-dir=venv --exclude-dir=dist"
+# Hardcoded emails (non-test/example)
+grep -rn $EXCL '[a-zA-Z0-9._%+-]\+@[a-zA-Z0-9.-]\+\.[a-zA-Z]\{2,\}' --include="*.ts" --include="*.tsx" --include="*.py" --include="*.js" . 2>/dev/null \
+  | grep -v "example\.com\|test\|mock\|\.spec\.\|\.test\.\|noreply@\|support@\|hello@\|admin@" | head -5 \
+  | grep -q . && echo "[HIGH] Real email addresses found in source" || true
+# SSN / credit card patterns
+grep -rn $EXCL '[0-9]\{3\}-[0-9]\{2\}-[0-9]\{4\}' --include="*.ts" --include="*.py" . 2>/dev/null | head -5 | grep -q . && echo "[CRITICAL] SSN pattern in source" || true
+grep -rn $EXCL '[0-9]\{4\}[- ][0-9]\{4\}[- ][0-9]\{4\}[- ][0-9]\{4\}' --include="*.ts" --include="*.py" . 2>/dev/null | head -5 | grep -q . && echo "[CRITICAL] Credit card pattern in source" || true
+# PII in logs / error responses
+grep -rn $EXCL "console\.log\|logger\." --include="*.ts" --include="*.py" --exclude="*.test.*" . 2>/dev/null \
+  | grep -iE "email|password|ssn|credit.card|phone|dob|social.security" | head -5 \
+  | grep -q . && echo "[HIGH] PII field names in log statements" || echo "[PASS] No PII in log statements"
+grep -rn $EXCL "res\.json\|res\.send\|return.*error" --include="*.ts" --exclude="*.test.*" . 2>/dev/null \
+  | grep -iE "email|password|user\." | grep -v "error\.message\|//\|generic" | head -5 \
+  | grep -q . && echo "[MEDIUM] Possible PII in API error responses — verify generic" || true
+```
+
+---
+
+## Section 9 — Data Privacy Compliance Checklist
+
+Review manually. Report gaps.
+
+GDPR/CCPA: □ Privacy Policy □ Data Inventory □ Consent □ Right to Delete □ Right to Export □ Data Retention □ Third-party DPAs □ Breach Response □ Data Minimization □ Encryption at Rest □ Encryption Transit □ Audit Trail
+
+```bash
+grep -rn "DELETE.*user\|deleteUser\|deactivate" api/ src/ 2>/dev/null | head -3 || echo "[GAP] No delete user endpoint found"
+grep -rn "export.*user\|userExport\|data.*export" api/ src/ 2>/dev/null | head -3 || echo "[GAP] No export user endpoint found"
+grep -rn "retention\|expires\|cleanup\|purge" api/ 2>/dev/null | head -3 || echo "[GAP] No retention policy found"
+```
+
+---
+
+## Section 10 — API Security Hygiene
+
+```bash
+echo "=== API Security ==="
+X="--exclude-dir=node_modules"
+grep -rn $X "helmet\|Content-Security-Policy\|Strict-Transport" --include="*.ts" --include="*.py" . 2>/dev/null | grep -q . \
+  && echo "[PASS] Security headers configured" || echo "[HIGH] No security headers (helmet/CSP) found"
+grep -rn $X "rateLimit\|rate.limit\|RateLimiter\|throttle" --include="*.ts" --include="*.py" . 2>/dev/null | grep -q . \
+  && echo "[PASS] Rate limiting configured" || echo "[MEDIUM] No rate limiting found"
+grep -rn $X "origin.*['\"]\\*['\"]" --include="*.ts" --include="*.py" . 2>/dev/null | grep -q . \
+  && echo "[HIGH] CORS wildcard (*) origin found" || echo "[PASS] No CORS wildcard"
+grep -rn $X --exclude="*.test.*" "query.*\`.*\${" --include="*.ts" --include="*.py" . 2>/dev/null | grep -v '\$\${' | grep -q . \
+  && echo "[CRITICAL] SQL injection risk — string interpolation in queries" || echo "[PASS] No SQL injection patterns"
+grep -rn $X --exclude="*.test.*" "eval[(]" --include="*.ts" --include="*.tsx" --include="*.js" . 2>/dev/null | grep -q . \
+  && echo "[HIGH] unsafe-eval usage found" || echo "[PASS] No unsafe-eval usage"
+```
+
+---
+
+## Section 11 — Terraform / IaC Security (if present)
+
+```bash
+if [ -n "$HAS_TERRAFORM" ]; then
+  echo "=== Terraform Security ==="
+  grep -rn "roles/editor\|roles/owner\|storage\.admin\|secretmanager\.admin" terraform/ infra/ 2>/dev/null \
+    | grep -v "^#\|\.terraform" | grep -q . && echo "[HIGH] Overly broad IAM role in Terraform" || echo "[PASS] No overly broad IAM roles"
+  grep -rn "CHANGE_ME\|password.*default\|default.*password" terraform/ infra/ 2>/dev/null \
+    | grep -v "^#" | grep -q . && echo "[CRITICAL] Default/placeholder password in Terraform" || true
+  grep -rn "0\.0\.0\.0/0\|all_traffic\|allUsers" terraform/ infra/ 2>/dev/null \
+    | grep -v "^#\|egress" | grep -q . && echo "[HIGH] Possible public resource in Terraform" || true
+fi
+```
+
+---
+
+## Final report
+
+Summarize results per section: S1 IAM | S2 Network | S3 Storage | S4 Cloud Run | S5 Audit | S6 Secrets | S7 Container | S8 PII | S9 Privacy | S10 API | S11 Terraform
+
+Report totals: CRITICAL: N  HIGH: N  MEDIUM: N  LOW: N
+
+**Gate 5:** BLOCKED if any CRITICAL or HIGH. PASSED if zero critical + zero high.