@donotdev/cli 0.0.14 → 0.0.16

package/templates/root-consumer/guides/dndev/SETUP_CRUD.md.example

@@ -20,6 +20,34 @@
 
 ---
 
+## 0. Provider configuration (required)
+
+CRUD operations use the **CRUD provider** registered at app startup. You must call `configureProviders()` before any component uses `useCrud`.
+
+- **Where:** In a dedicated module, e.g. `src/config/providers.ts`.
+- **When:** Import that module from your root component (e.g. `App.tsx`) so it runs before any CRUD usage.
+
+```typescript
+// App.tsx
+import './config/providers';  // Before any useCrud
+// ...
+```
+
+```typescript
+// config/providers.ts
+import { configureProviders } from '@donotdev/core';
+import { FirestoreAdapter } from '@donotdev/firebase';  // or SupabaseCrudAdapter from '@donotdev/supabase'
+
+configureProviders({
+  crud: new FirestoreAdapter(),
+  // auth, storage optional
+});
+```
+
+If you skip this step, `useCrud` will throw at runtime: "Provider \"crud\" not available. Call configureProviders() at app startup."
+
+---
+
 ## 1. Define Entity
 
 ```typescript
@@ -80,7 +108,7 @@ For multi-tenant apps where data belongs to a company/tenant/workspace:
 ### Step 1: Register Scope Provider (once at app startup)
 
 ```typescript
-// src/main.tsx or src/App.tsx
+// src/App.tsx
 import { registerScopeProvider } from '@donotdev/core';
 import { useCurrentCompanyStore } from './stores/currentCompanyStore';
 
@@ -665,9 +693,15 @@ transmission: {
 
 ## 7. Custom Fields & Schemas
 
-### Custom Field Types with UI Components
+A custom field type (when the requirement is not a built-in type) needs up to four things: **(1)** entity field with your custom `type` and `validation.schema`, **(2)** form component(s) so the field is editable, **(3)** optional **display** formatter so list/card/detail views render the value correctly, **(4)** optional **filter** so the field appears in EntityFilters with the right filter UI. All four are wired through a single `registerFieldType({ ... })` call.
 
-For custom field types that need custom UI components:
+> **Custom type strings work out of the box.** Just use any string as the `type` — no declaration file or module augmentation needed. The framework accepts any string while still autocompleting built-in types.
+>
+> `CustomFieldOptionsMap` augmentation (see below) is only needed if you want type-checked `options.fieldSpecific` for your custom type.
+
+### Form (required for editable fields)
+
+You must register a **controlled component** so the field appears in forms. Optionally register an **uncontrolled component** (e.g. for submit/reset-style fields).
 
 ```typescript
 import { registerFieldType, useController } from '@donotdev/crud';
@@ -687,7 +721,6 @@ function RepairOperationsField({
     control: control,
   });
 
-  // Use field.value and field.onChange for form state
   const value = (field.value as any) || [];
 
   return (
@@ -701,13 +734,13 @@ function RepairOperationsField({
   );
 }
 
-// Register UI component
+// Minimal registration (form only)
 registerFieldType({
   type: 'repairOperations',
   controlledComponent: RepairOperationsField,
 });
 
-// Then define schema in entity
+// Entity with schema
 export const carEntity = defineEntity({
   name: 'Car',
   collection: 'cars',
@@ -715,11 +748,10 @@ export const carEntity = defineEntity({
     repairs: {
       name: 'repairs',
       label: 'repairs',
-      type: 'repairOperations' as any,
+      type: 'repairOperations',
       visibility: 'admin',
       validation: {
         required: false,
-        // Custom Valibot schema - single source of truth
         schema: v.nullish(v.array(v.object({
           operation: v.string(),
           cost: v.number(),
@@ -730,10 +762,207 @@ export const carEntity = defineEntity({
 });
 ```
 
-**Important:**
-- Custom controlled components receive `control` prop, NOT `field` prop
-- You MUST use `useController` hook to get `field` and `fieldState`
-- Define schema in `validation.schema` - it's the single source of truth
+**Important:** Custom controlled components receive `control` prop, NOT `field` prop. You MUST use `useController` to get `field` and `fieldState`. Define schema in `validation.schema` — it's the single source of truth.
+
+### Display (list/card/detail)
+
+Without a **displayFormatter**, list/card/detail views show the raw value (or a fallback). To control how the value is rendered in read-only views, pass `displayFormatter` in the same `registerFieldType` call. Signature: `(value, fieldConfig, t, options?) => string | ReactNode`. Use `options?.compact` for list/card vs detail.
+
+```typescript
+// Example: format a custom object for display
+displayFormatter: (value, fieldConfig, t, options) => {
+  if (value == null) return '';
+  const arr = Array.isArray(value) ? value : [];
+  if (options?.compact) return `${arr.length} item(s)`;
+  return arr.map((item: any) => `${item.operation}: ${item.cost}`).join(', ') || '—';
+}
+```
+
+### Filter (EntityFilters)
+
+For the field to appear in the list/card **filters** section (EntityFilters), set **filterable: true** and **filterType** in `registerFieldType`. The filter type determines the filter UI:
+
+| filterType     | Use for |
+|----------------|--------|
+| `'text'`       | Free text search |
+| `'range'`      | Numbers, dates (min/max) |
+| `'select'`     | Single choice (e.g. enum) |
+| `'multiselect'`| Multiple choices |
+| `'address'`    | Address-based filter |
+| `'none'`       | Not filterable (omit or set filterable: false) |
+
+```typescript
+registerFieldType({
+  type: 'repairOperations',
+  controlledComponent: RepairOperationsField,
+  displayFormatter: (value, fieldConfig, t, options) => { /* ... */ },
+  filterable: true,
+  filterType: 'text',  // or 'range', 'select', 'multiselect', 'address', 'none'
+});
+```
+
+### Full example: form + display + filter
+
+One registration with form, displayFormatter, and filter:
+
+```typescript
+import { registerFieldType, useController } from '@donotdev/crud';
+import type { ControlledFieldProps } from '@donotdev/crud';
+import { defineEntity } from '@donotdev/core';
+import * as v from 'valibot';
+
+function StatusTierField({ fieldConfig, control, errors, t }: ControlledFieldProps) {
+  const { field, fieldState } = useController({ name: fieldConfig.name, control });
+  return (
+    <div>
+      <label>{t(fieldConfig.label)}</label>
+      <select value={field.value ?? ''} onChange={(e) => field.onChange(e.target.value)}>
+        <option value="">—</option>
+        <option value="basic">Basic</option>
+        <option value="premium">Premium</option>
+      </select>
+      {fieldState?.error && <span className="error">{fieldState.error.message}</span>}
+    </div>
+  );
+}
+
+registerFieldType({
+  type: 'statusTier',
+  controlledComponent: StatusTierField,
+  displayFormatter: (value) => (value ? String(value) : '—'),
+  filterable: true,
+  filterType: 'select',
+});
+
+export const productEntity = defineEntity({
+  name: 'Product',
+  collection: 'products',
+  fields: {
+    statusTier: {
+      name: 'statusTier',
+      label: 'statusTier',
+      type: 'statusTier',
+      visibility: 'guest',
+      validation: { schema: v.optional(v.picklist(['basic', 'premium'])) },
+    },
+  },
+});
+```
+
+### Typing custom field options
+
+To get type-checked `options.fieldSpecific` for custom types (e.g. `extractDistrictCode: boolean`), augment the framework's `CustomFieldOptionsMap` in your app:
+
+```typescript
+// e.g. in src/types/crud.d.ts or next to your entity
+import '@donotdev/core';
+declare module '@donotdev/core' {
+  interface CustomFieldOptionsMap {
+    'repairOperations': { maxItems?: number };
+    'isousou-address': { extractDistrictCode?: boolean };
+  }
+}
+```
+
+Then in entity fields you can use `type: 'repairOperations'` and `options: { fieldSpecific: { maxItems: 10 } }` without type errors or `as any`.
+
+### Reference Select Fields (Entity Lookup)
+
+A common pattern: a field stores a **reference ID** (e.g. `author_ref`) pointing to another entity (e.g. `Author`). The form needs a select/combobox populated with that entity's records, and list/detail views need to display a human-readable label instead of a raw ID.
+
+The framework's built-in `reference` type uses `fieldSpecific.displayField` and `fieldSpecific.searchFields`. For **custom** reference types (e.g. `author-select`), follow the same pattern with `fieldSpecific.labelFields`.
+
+**Step 1: Augment `CustomFieldOptionsMap`** so `labelFields` is typed:
+
+```typescript
+// entities/crud.d.ts
+import '@donotdev/core';
+declare module '@donotdev/core' {
+  interface CustomFieldOptionsMap {
+    'author-select': { labelFields: string[] };
+  }
+}
+```
+
+**Step 2: Declare `labelFields` in the entity definition** (SSOT — never hardcode field names in components):
+
+```typescript
+// entities/book.ts
+import { defineEntity } from '@donotdev/core';
+
+export const bookEntity = defineEntity({
+  name: 'Book',
+  collection: 'books',
+  fields: {
+    author_ref: {
+      name: 'author_ref',
+      label: 'fields.author',
+      type: 'author-select',
+      visibility: 'admin',
+      validation: { required: false, reference: 'authors' },
+      options: { fieldSpecific: { labelFields: ['first_name', 'last_name'] } },
+    },
+    // ...
+  },
+});
+```
+
+**Step 3: Build labels from `labelFields`** in your shared formatters:
+
+```typescript
+// entities/formatters.ts
+/**
+ * Build a display label from a record using labelFields from entity field config.
+ * Handles Supabase fieldMapper camelCase conversion: tries camelCase first, then snake_case.
+ */
+export function buildRecordLabel(
+  record: Record<string, unknown>,
+  labelFields: string[],
+): string {
+  return labelFields
+    .map((field) => {
+      const camel = field.replace(/_([a-z])/g, (_, c: string) => c.toUpperCase());
+      return record[camel] ?? record[field] ?? '';
+    })
+    .join(' ')
+    .trim();
+}
+```
+
+**Step 4: Read `labelFields` in your custom component** (never hardcode field names):
+
+```typescript
+// components/fields/AuthorSelectField.tsx
+import { buildRecordLabel } from 'entities/formatters';
+
+// Inside the component:
+const labelFields: string[] =
+  fieldConfig.options?.fieldSpecific?.labelFields ?? [];
+
+const options = useMemo(() => {
+  return items.map((item) => ({
+    value: String(item.id ?? ''),
+    label: buildRecordLabel(item, labelFields),
+  }));
+}, [items, labelFields]);
+```
+
+**Step 5: Use the same utility for `displayFormatter`** so list/detail views resolve IDs to labels:
+
+```typescript
+// In registerFieldType or in your display formatter
+displayFormatter: (value, config) => {
+  if (value == null) return '';
+  const options = config?.validation?.options;
+  if (Array.isArray(options)) {
+    const match = options.find((opt: any) => opt.value === value);
+    if (match?.label) return String(match.label);
+  }
+  return String(value);
+}
+```
+
+> **Key principle:** Entity field definitions are SSOT. Components read `fieldConfig.options.fieldSpecific.labelFields` — they never hardcode which fields to display. This means changing the label format (e.g. adding `company_name`) only requires editing the entity definition, not every component.
 
 ### Custom Schemas (No Custom UI)
 

package/templates/root-consumer/guides/dndev/SETUP_FIREBASE.md.example

@@ -7,7 +7,7 @@
 ## Step 1: Run Firebase Setup
 
 ```bash
-dndev firebase:setup
+dndev setup firebase
 ```
 
 This command:
@@ -94,7 +94,7 @@ This handles everything:
 | `functions/.env` | Server secrets: STRIPE_SECRET_KEY, OAuth secrets | Cloud Functions runtime |
 | Root `.env` | **Not read by Vite.** Reference only. | Nothing |
 
-**`dndev firebase:setup` writes Firebase vars to `apps/<app>/.env` automatically.**
+**`dndev setup firebase` writes Firebase vars to `apps/<app>/.env` automatically.**
 
 **Custom domains:** Framework uses `APP_URL` hostname as `authDomain` in production (not Firebase's `projectId.firebaseapp.com`). Copy/paste `FIREBASE_AUTH_DOMAIN` from Firebase Console in both `.env.local` and `.env.production` — framework handles the rest.
 
@@ -103,7 +103,7 @@ This handles everything:
 ## Staging Environment (Optional)
 
 1. Create a second Firebase project (e.g., `my-app-staging`)
-2. Run `dndev firebase:setup` again and select the staging project
+2. Run `dndev setup firebase` again and select the staging project
 3. Add to `.firebaserc`: `{ "projects": { "staging": "my-app-staging" } }`
 4. Create `service-account-key.staging.json` (same steps as production)
 5. Deploy: `dndev staging`
@@ -112,23 +112,29 @@ This handles everything:
 
 ## Secrets (Stripe, OAuth, etc.)
 
-Server-side secrets go in `functions/.env`, not the app `.env`:
+Server-side secrets go in `functions/.env`, not the app `.env`.
+
+**We NEVER ask for secret keys.** You place them yourself:
 
 ```bash
 # functions/.env
 STRIPE_SECRET_KEY=sk_live_...
 STRIPE_WEBHOOK_SECRET=whsec_...
+SUPABASE_SERVICE_ROLE_KEY=eyJ...   # if using Supabase
 GITHUB_CLIENT_SECRET=...
 ```
 
-Push to Firebase Secret Manager:
+Then sync to your runtime and CI/CD:
 
 ```bash
-dndev sync-secrets
+dndev sync-secrets                    # Firebase Secret Manager / Vercel env
+dndev sync-secrets --target github    # GitHub Secrets (for CI/CD workflows)
 ```
 
 Secrets are auto-loaded by Cloud Functions at runtime. Never put server secrets in `VITE_*` variables — those are exposed to the browser.
 
+See [ENV_SETUP.md → Secrets Philosophy](./ENV_SETUP.md#secrets-philosophy) for the full policy.
+
 ---
 
 ## Cloud Run IAM (Technical Detail)
@@ -165,4 +171,4 @@ If you deploy manually with `firebase deploy`, you'll need to run this yourself.
 
 ---
 
-**`dndev firebase:setup` → download service account key → enable Auth + Firestore → `dndev emu start` → `dndev deploy`. That's it.**
+**`dndev setup firebase` → download service account key → enable Auth + Firestore → `dndev emu start` → `dndev deploy`. That's it.**

package/templates/root-consumer/guides/dndev/SETUP_OAUTH_PROVIDERS.md.example

@@ -0,0 +1,60 @@
+# OAuth Provider Setup Guide
+
+Each OAuth provider requires manual registration in their developer console.
+`dndev setup oauth` computes the correct redirect URI for you.
+
+## Redirect URIs
+
+### Firebase
+```
+https://{{PROJECT_ID}}.firebaseapp.com/__/auth/handler
+```
+> If you use a custom auth domain, replace `{{PROJECT_ID}}.firebaseapp.com` with your custom domain.
+
+### Supabase
+```
+https://{{PROJECT_ID}}.supabase.co/auth/v1/callback
+```
+
+---
+
+## Google OAuth
+
+1. Go to https://console.cloud.google.com/apis/credentials
+2. Create **OAuth 2.0 Client ID** (type: Web application)
+3. Add **Authorized redirect URI** (see above)
+4. Copy **Client ID** and **Client Secret**
+5. Enable in your backend:
+   - Firebase: Console > Authentication > Sign-in method > Google
+   - Supabase: Dashboard > Authentication > Providers > Google
+
+## GitHub OAuth
+
+1. Go to https://github.com/settings/developers
+2. Click **New OAuth App**
+3. Set **Authorization callback URL** (see redirect URI above)
+4. Copy **Client ID** and **Client Secret**
+5. Enable in your backend:
+   - Firebase: Console > Authentication > Sign-in method > GitHub
+   - Supabase: Dashboard > Authentication > Providers > GitHub
+
+## Apple Sign In
+
+1. Go to https://developer.apple.com/account/resources/identifiers/list/serviceId
+2. Create a **Services ID**
+3. Enable **Sign In with Apple**
+4. Add **Redirect URL** (see above)
+5. Create a **Key** for Sign In with Apple
+6. Enable in your backend:
+   - Firebase: Console > Authentication > Sign-in method > Apple
+   - Supabase: Dashboard > Authentication > Providers > Apple
+
+> **Note:** Apple requires an Apple Developer Program membership ($99/year).
+
+## Verify
+
+```bash
+dndev doctor
+```
+
+Check that auth providers are detected and backend configuration is referenced.

package/templates/root-consumer/guides/dndev/SETUP_SOC2.md.example

@@ -0,0 +1,234 @@
+# Setup: SOC2 Readiness
+
+**DoNotDev auto-enforces SOC2 baseline controls.** Zero config needed for the MVP. This guide covers advanced controls and audit verification.
+
+---
+
+## Zero-Config Baseline (Always On)
+
+When you wire `DndevSecurity` into your app, these controls activate automatically:
+
+| Control | Default | SOC2 Criteria |
+|---------|---------|---------------|
+| Structured audit logging (all CRUD + auth) | ✅ Automatic | CC7.1 |
+| Rate limiting (100 writes/min, 500 reads/min) | ✅ Automatic | CC6.6 |
+| Brute-force lockout (5 attempts → 15 min) | ✅ Automatic | CC6.1 |
+| Session timeout (8h idle) | ✅ Automatic | CC6.1 |
+| Field-level RBAC + visibility | ✅ Always on (entity config) | CC6.3 |
+| Supabase RLS / Firestore default-deny | ✅ By convention | CC6.3 |
+
+---
+
+## 1. Wire `DndevSecurity` (Required Once)
+
+```typescript
+// src/security.ts
+import { DndevSecurity } from '@donotdev/security/server';
+
+export const security = new DndevSecurity({
+  // Optional: override defaults
+  // rateLimit: { writesPerMin: 50, readsPerMin: 200 },
+  // lockout: { maxAttempts: 3, lockoutMs: 30 * 60 * 1000 },
+  // sessionTimeoutMs: 4 * 60 * 60 * 1000,
+
+  // Required for PII encryption (see § PII Encryption below)
+  // piiSecret: process.env.PII_SECRET,
+
+  // Optional: send anomaly alerts to your SIEM/Slack
+  // anomalyHandler: async (alert) => { await fetch(process.env.SIEM_WEBHOOK!, { method: 'POST', body: JSON.stringify(alert) }); },
+});
+```
+
+```typescript
+// src/main.ts (or app entry point)
+import { security } from './security';
+import { crudService } from './crud'; // your CrudService instance
+import { auth } from './auth';        // your SupabaseAuth or FirebaseSDK instance
+
+crudService.setSecurity(security);
+auth.setSecurity(security);
+```
+
+---
+
+## 2. PII Encryption (Opt-In — C1 Confidentiality)
+
+Required only for entities storing personal data (email, phone, SSN, health data, etc.).
+
+```typescript
+// entities/user.ts
+export const userEntity = defineEntity({
+  name: 'User',
+  collection: 'users',
+  security: {
+    piiFields: ['email', 'phone', 'dateOfBirth'], // Encrypted at rest with AES-256-GCM
+  },
+  fields: { /* ... */ },
+});
+```
+
+```bash
+# Add to .env (min 32 chars, generate with: openssl rand -hex 32)
+PII_SECRET=your-secret-key-min-32-chars-here
+```
+
+Pass to security:
+```typescript
+export const security = new DndevSecurity({
+  piiSecret: process.env.PII_SECRET,
+});
+```
+
+---
+
+## 3. MFA Enforcement (Opt-In — CC6.1)
+
+Enforce MFA for specific roles on sensitive entities:
+
+```typescript
+export const paymentEntity = defineEntity({
+  name: 'Payment',
+  collection: 'payments',
+  security: {
+    requireMfa: 'admin', // 'admin' | 'manager' | 'user'
+  },
+  fields: { /* ... */ },
+});
+```
+
+Enable MFA in your provider:
+- **Supabase:** Dashboard → Auth → Multi Factor Authentication → Enable TOTP
+- **Firebase:** Firebase Console → Authentication → Multi-factor Auth → Enable
+
+---
+
+## 4. Data Retention (Opt-In — P6 Privacy)
+
+```typescript
+export const auditLogEntity = defineEntity({
+  name: 'AuditLog',
+  collection: 'audit_logs',
+  security: {
+    retention: { days: 365 }, // Auto-flag records for purge after 1 year
+  },
+  fields: { /* ... */ },
+});
+```
+
+Run retention purge (e.g., in a scheduled Cloud Function):
+```typescript
+import { privacyManager } from '@donotdev/security/server';
+// privacyManager.shouldPurge(record.createdAt, retentionDays) → boolean
+```
+
+---
+
+## 5. Right to Erasure (GDPR Art. 17 / P8)
+
+```typescript
+import { DndevSecurity } from '@donotdev/security/server';
+
+// In your account deletion handler:
+await security.privacyManager.eraseUser(userId, async (uid) => {
+  // Your custom erasure logic per collection
+  await db.from('orders').update({ userId: null }).eq('userId', uid);
+  await db.from('profiles').delete().eq('id', uid);
+});
+```
+
+---
+
+## 6. Health Monitoring (Opt-In — A1 Availability)
+
+```typescript
+// src/client/health.ts
+import { HealthMonitor } from '@donotdev/security';
+
+const dbMonitor = new HealthMonitor({ failureThreshold: 3, successThreshold: 2, timeoutMs: 5000 });
+
+// Wrap all downstream DB calls through the circuit breaker
+export const safeQuery = (fn: () => Promise<unknown>) => dbMonitor.protect(fn);
+
+// Expose a health endpoint (Next.js example)
+// app/api/health/route.ts
+export async function GET() {
+  return Response.json({ status: dbMonitor.checkLiveness() });
+}
+```
+
+---
+
+## 7. Anomaly Detection (Opt-In — CC7.2)
+
+Triggered automatically when brute-force or bulk-delete thresholds are exceeded. Wire a handler to send alerts:
+
+```typescript
+export const security = new DndevSecurity({
+  anomalyHandler: async (alert) => {
+    // Send to Slack, PagerDuty, Datadog, etc.
+    await fetch(process.env.SLACK_WEBHOOK!, {
+      method: 'POST',
+      body: JSON.stringify({ text: `🚨 SOC2 Anomaly: ${alert.type} — ${alert.details}` }),
+    });
+  },
+});
+```
+
+---
+
+## 8. Audit Log Output
+
+Audit events write to `process.stdout` as NDJSON — pipe to your SIEM:
+
+```json
+{"timestamp":"2025-01-15T10:23:00.000Z","type":"crud.create","userId":"u_123","resource":"products","resourceId":"p_456","ip":"192.168.1.1"}
+{"timestamp":"2025-01-15T10:23:01.000Z","type":"auth.login.failure","userId":"unknown","resource":"auth","ip":"10.0.0.5","details":"brute_force_lockout"}
+```
+
+**Cloud Logging (Firebase / GCP):** Stdout is captured automatically.
+**Datadog:** Set `DD_LOGS_INJECTION=true` and pipe stdout to the Datadog agent.
+**Supabase:** Export `process.stderr` anomaly alerts to Logflare.
+
+---
+
+## SOC2 Readiness Check
+
+Run before any audit:
+
+```bash
+dn soc2                    # Scan current app
+dn soc2 --app my-app       # Scan specific app
+dn soc2 --json             # Machine-readable JSON output (CI/CD)
+dn soc2 --verbose          # Show details for passing checks too
+```
+
+**Exit codes:** `0` = all checks pass, `1` = one or more checks failed (CI-friendly).
+
+**Checks run:**
+
+| Check | Criteria | What It Looks For |
+|-------|----------|--------------------|
+| SecurityContext wired | CC6.1 | `DndevSecurity` in source |
+| PII encryption secret | C1 | `PII_SECRET` in env when `piiFields` defined |
+| Firestore default-deny | CC6.3 | `allow read, write: if false` in `firestore.rules` |
+| Supabase RLS | CC6.3 | `ENABLE ROW LEVEL SECURITY` in SQL migrations |
+| Audit logging | CC7.1 | `.audit()` / `AuditLogger` usage |
+| Rate limiting | CC6.6 | `rateLimit` / `DndevRateLimiter` usage |
+| Retention policies | P6 | `retention.days` in entity config |
+| Health monitoring | A1 | `HealthMonitor` or `/api/health` endpoint |
+| MFA enforcement | CC6.1 | `requireMfa` in sensitive entities |
+
+---
+
+## Coverage After Full Setup
+
+| SOC2 Criteria | Control | Status |
+|---------------|---------|--------|
+| CC6.1 Auth hardening | Lockout + session timeout + MFA | Framework-enforced |
+| CC6.3 Authorization | RBAC + field visibility + RLS/Firestore rules | Framework-enforced |
+| CC6.6 Rate limiting | Per-user sliding window | Framework-enforced |
+| CC7.1 Audit logging | All CRUD + auth events as NDJSON | Framework-enforced |
+| CC7.2 Anomaly detection | Auth failures + bulk ops threshold alerts | Opt-in handler |
+| A1 Availability | Circuit breaker + liveness probes | Opt-in `HealthMonitor` |
+| C1 Confidentiality | AES-256-GCM field encryption | Opt-in `piiFields` |
+| P1–P8 Privacy | Retention policies + right-to-erasure | Opt-in `retention` |