npm - proagents - Versions diffs - 1.6.16 → 1.6.18 - Mend

proagents 1.6.16 → 1.6.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/.claude/settings.local.json +169 -0
package/COMMANDS.md +595 -0
package/README.md +22 -64
package/bin/proagents.js +0 -2
package/lib/commands/init.js +4 -174
package/package.json +2 -7
package/.proagents/ai-models/README.md +0 -141
package/.proagents/ai-models/cost-management.md +0 -362
package/.proagents/ai-models/fallbacks.md +0 -342
package/.proagents/ai-models/model-config.md +0 -318
package/.proagents/ai-models/task-routing.md +0 -503
package/.proagents/ai-training/README.md +0 -155
package/.proagents/ai-training/continuous-learning.md +0 -413
package/.proagents/ai-training/domain-knowledge.md +0 -378
package/.proagents/ai-training/pattern-learning.md +0 -455
package/.proagents/ai-training/training-data.md +0 -337
package/.proagents/ai-training/user-preferences.md +0 -346
package/.proagents/approval-workflows/README.md +0 -146
package/.proagents/approval-workflows/approval-config.md +0 -332
package/.proagents/approval-workflows/approval-stages.md +0 -503
package/.proagents/approval-workflows/emergency-bypass.md +0 -351
package/.proagents/approval-workflows/examples.md +0 -859
package/.proagents/approval-workflows/notifications.md +0 -320
package/.proagents/compliance/README.md +0 -206
package/.proagents/compliance/access-control.md +0 -310
package/.proagents/compliance/audit-logging.md +0 -444
package/.proagents/compliance/compliance-frameworks.md +0 -429
package/.proagents/compliance/reports.md +0 -491
package/.proagents/compliance/retention-policies.md +0 -454
package/.proagents/config-versioning/README.md +0 -120
package/.proagents/config-versioning/changelog.md +0 -300
package/.proagents/config-versioning/rollback.md +0 -283
package/.proagents/config-versioning/versioning.md +0 -330
package/.proagents/contract-testing/README.md +0 -223
package/.proagents/contract-testing/contract-testing.md +0 -614
package/.proagents/contract-testing/pact-integration.md +0 -507
package/.proagents/contract-testing/schema-validation.md +0 -565
package/.proagents/dependency-management/README.md +0 -140
package/.proagents/dependency-management/automation.md +0 -363
package/.proagents/dependency-management/compatibility.md +0 -319
package/.proagents/dependency-management/security-scanning.md +0 -413
package/.proagents/dependency-management/update-policies.md +0 -374
package/.proagents/disaster-recovery/README.md +0 -247
package/.proagents/disaster-recovery/automation.md +0 -366
package/.proagents/disaster-recovery/backup-recovery.md +0 -571
package/.proagents/disaster-recovery/incident-response.md +0 -565
package/.proagents/disaster-recovery/rollback-procedures.md +0 -499
package/.proagents/disaster-recovery/runbooks.md +0 -603
package/.proagents/disaster-recovery/scenarios.md +0 -892
package/.proagents/disaster-recovery/testing.md +0 -438
package/.proagents/environments/README.md +0 -244
package/.proagents/environments/configuration.md +0 -437
package/.proagents/environments/promotion.md +0 -434
package/.proagents/environments/setup.md +0 -420
package/.proagents/examples/README.md +0 -55
package/.proagents/examples/backend-nodejs/README.md +0 -188
package/.proagents/examples/backend-nodejs/complete-conversation.md +0 -601
package/.proagents/examples/backend-nodejs/proagents.config.yaml +0 -415
package/.proagents/examples/backend-nodejs/workflow-example.md +0 -909
package/.proagents/examples/fullstack-nextjs/README.md +0 -155
package/.proagents/examples/fullstack-nextjs/complete-conversation.md +0 -604
package/.proagents/examples/fullstack-nextjs/proagents.config.yaml +0 -287
package/.proagents/examples/fullstack-nextjs/workflow-example.md +0 -553
package/.proagents/examples/mobile-react-native/README.md +0 -171
package/.proagents/examples/mobile-react-native/complete-conversation.md +0 -825
package/.proagents/examples/mobile-react-native/proagents.config.yaml +0 -330
package/.proagents/examples/mobile-react-native/workflow-example.md +0 -723
package/.proagents/examples/web-frontend-react/README.md +0 -125
package/.proagents/examples/web-frontend-react/complete-conversation.md +0 -556
package/.proagents/examples/web-frontend-react/proagents.config.yaml +0 -183
package/.proagents/examples/web-frontend-react/workflow-example.md +0 -603
package/.proagents/existing-projects/README.md +0 -65
package/.proagents/existing-projects/challenges.md +0 -861
package/.proagents/existing-projects/coexistence-mode.md +0 -483
package/.proagents/existing-projects/compatibility-assessment.md +0 -541
package/.proagents/existing-projects/gradual-adoption.md +0 -515
package/.proagents/existing-projects/migration-strategies.md +0 -788
package/.proagents/existing-projects/pattern-reconciliation.md +0 -489
package/.proagents/existing-projects/team-onboarding.md +0 -617
package/.proagents/existing-projects/technical-debt-handling.md +0 -644
package/.proagents/feature-flags/README.md +0 -263
package/.proagents/feature-flags/ab-testing.md +0 -413
package/.proagents/feature-flags/configuration.md +0 -420
package/.proagents/feature-flags/kill-switches.md +0 -444
package/.proagents/feature-flags/rollout-strategies.md +0 -392
package/.proagents/history.log +0 -12
package/.proagents/i18n/README.md +0 -133
package/.proagents/i18n/extraction.md +0 -433
package/.proagents/i18n/tms-integration.md +0 -332
package/.proagents/i18n/translation-workflow.md +0 -413
package/.proagents/i18n/validation.md +0 -355
package/.proagents/logging/README.md +0 -276
package/.proagents/logging/aggregation.md +0 -475
package/.proagents/logging/log-levels.md +0 -376
package/.proagents/logging/sensitive-data.md +0 -423
package/.proagents/logging/structured-logging.md +0 -406
package/.proagents/metrics/README.md +0 -69
package/.proagents/metrics/code-quality-kpis.md +0 -461
package/.proagents/metrics/deployment-metrics.md +0 -517
package/.proagents/metrics/developer-productivity.md +0 -368
package/.proagents/metrics/learning-effectiveness.md +0 -478
package/.proagents/migrations/README.md +0 -77
package/.proagents/migrations/from-claude-projects.md +0 -313
package/.proagents/migrations/from-cursor-rules.md +0 -345
package/.proagents/migrations/from-custom-workflows.md +0 -410
package/.proagents/monitoring/README.md +0 -308
package/.proagents/monitoring/alerting.md +0 -449
package/.proagents/monitoring/dashboards.md +0 -454
package/.proagents/monitoring/health-checks.md +0 -436
package/.proagents/monitoring/metrics.md +0 -434
package/.proagents/multi-project/README.md +0 -170
package/.proagents/multi-project/coordinated-deploy.md +0 -510
package/.proagents/multi-project/cross-project-deps.md +0 -395
package/.proagents/multi-project/unified-changelog.md +0 -477
package/.proagents/multi-project/walkthroughs/monorepo-setup.md +0 -787
package/.proagents/multi-project/workspace-config.md +0 -408
package/.proagents/notifications/README.md +0 -151
package/.proagents/notifications/channels.md +0 -457
package/.proagents/notifications/preferences.md +0 -415
package/.proagents/notifications/routing.md +0 -449
package/.proagents/notifications/scheduling.md +0 -425
package/.proagents/notifications/templates.md +0 -446
package/.proagents/offline-mode/README.md +0 -145
package/.proagents/offline-mode/caching.md +0 -344
package/.proagents/offline-mode/offline-operations.md +0 -312
package/.proagents/offline-mode/queue-specifications.md +0 -679
package/.proagents/offline-mode/sync.md +0 -475
package/.proagents/parallel-features/README.md +0 -85
package/.proagents/parallel-features/conflict-detection.md +0 -226
package/.proagents/parallel-features/dependency-management.md +0 -392
package/.proagents/parallel-features/merge-coordination.md +0 -506
package/.proagents/parallel-features/tracking-system.md +0 -416
package/.proagents/performance/README.md +0 -59
package/.proagents/performance/bundle-analysis.md +0 -375
package/.proagents/performance/load-testing.md +0 -563
package/.proagents/performance/runtime-metrics.md +0 -489
package/.proagents/performance/web-vitals.md +0 -425
package/.proagents/plugins/README.md +0 -139
package/.proagents/plugins/creating-plugins.md +0 -504
package/.proagents/plugins/plugin-api.md +0 -467
package/.proagents/plugins/plugin-registry.md +0 -276
package/.proagents/reporting/README.md +0 -158
package/.proagents/reporting/dashboards.md +0 -366
package/.proagents/reporting/exports.md +0 -524
package/.proagents/reporting/quality-metrics.md +0 -385
package/.proagents/reporting/templates/README.md +0 -56
package/.proagents/reporting/templates/dashboard-config.json +0 -187
package/.proagents/reporting/templates/metrics-queries.md +0 -427
package/.proagents/reporting/templates/react-dashboard.tsx +0 -544
package/.proagents/reporting/templates/widgets.md +0 -451
package/.proagents/reporting/velocity-metrics.md +0 -340
package/.proagents/reverse-engineering/README.md +0 -151
package/.proagents/reverse-engineering/architecture-extraction.md +0 -325
package/.proagents/reverse-engineering/code-analysis.md +0 -377
package/.proagents/reverse-engineering/dependency-mapping.md +0 -567
package/.proagents/reverse-engineering/diagram-generation.md +0 -586
package/.proagents/reverse-engineering/documentation-generation.md +0 -468
package/.proagents/reverse-engineering/pattern-detection.md +0 -569
package/.proagents/reverse-engineering/quality-assessment.md +0 -733
package/.proagents/secrets/README.md +0 -278
package/.proagents/secrets/access-control.md +0 -443
package/.proagents/secrets/rotation.md +0 -403
package/.proagents/secrets/scanning.md +0 -487
package/.proagents/secrets/storage.md +0 -394
package/.proagents/webhooks/README.md +0 -126
package/.proagents/webhooks/endpoints.md +0 -298
package/.proagents/webhooks/events.md +0 -316
package/.proagents/webhooks/payloads.md +0 -325
package/.proagents/webhooks/reliability.md +0 -363
package/.proagents/webhooks/security.md +0 -380

package/.proagents/secrets/README.md DELETED Viewed

@@ -1,278 +0,0 @@
-# Secret Management
-Secure handling of API keys, credentials, and sensitive data.
----
-## Overview
-Protect sensitive information throughout the development lifecycle.
-## Documentation
-| Document | Description |
-|----------|-------------|
-| [Secret Storage](./storage.md) | Where to store secrets |
-| [Secret Rotation](./rotation.md) | Rotating credentials |
-| [Access Control](./access-control.md) | Who can access secrets |
-| [Scanning](./scanning.md) | Detecting leaked secrets |
----
-## Secret Types
-| Type | Examples | Storage |
-|------|----------|---------|
-| API Keys | Stripe, Twilio, OpenAI | Vault/SSM |
-| Database | Connection strings, passwords | Vault/SSM |
-| Authentication | JWT secrets, OAuth credentials | Vault/SSM |
-| Infrastructure | AWS keys, SSH keys | Vault/SSM |
-| Encryption | AES keys, certificates | Vault/HSM |
----
-## Configuration
-### Secret Sources
-```yaml
-# proagents.config.yaml
-secrets:
-  # Primary source
-  provider: "aws-ssm"  # aws-ssm, vault, azure-keyvault, gcp-secrets
-  # Provider config
-  aws_ssm:
-    region: "us-east-1"
-    prefix: "/myapp/"
-  # Fallback for development
-  development:
-    provider: "dotenv"
-    file: ".env.local"
-```
-### Secret References
-```yaml
-# Reference secrets in config
-database:
-  url: "${secrets.DATABASE_URL}"
-api:
-  stripe_key: "${secrets.STRIPE_SECRET_KEY}"
-```
----
-## Secret Scanning
-### Pre-Commit Scanning
-```yaml
-secrets:
-  scanning:
-    enabled: true
-    # When to scan
-    hooks:
-      - "pre-commit"
-      - "pre-push"
-    # What to scan for
-    patterns:
-      - name: "AWS Access Key"
-        pattern: "AKIA[0-9A-Z]{16}"
-      - name: "Generic API Key"
-        pattern: "api[_-]?key['\"]?\\s*[:=]\\s*['\"][a-zA-Z0-9]{32,}"
-      - name: "Private Key"
-        pattern: "-----BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY-----"
-    # Block on detection
-    block_commit: true
-```
-### Scanning Commands
-```bash
-# Scan for secrets
-proagents secrets scan
-# Scan specific files
-proagents secrets scan src/
-# Scan git history
-proagents secrets scan --history
-# Check if clean
-proagents secrets check
-```
----
-## Secret Rotation
-### Rotation Policy
-```yaml
-secrets:
-  rotation:
-    enabled: true
-    policies:
-      # Rotate database passwords monthly
-      database:
-        interval: "30d"
-        auto_rotate: true
-      # Rotate API keys quarterly
-      api_keys:
-        interval: "90d"
-        auto_rotate: false
-        notify_before: "7d"
-      # Never auto-rotate these
-      encryption_keys:
-        auto_rotate: false
-        manual_review: true
-```
-### Rotation Commands
-```bash
-# Check rotation status
-proagents secrets rotation-status
-# Rotate specific secret
-proagents secrets rotate DATABASE_PASSWORD
-# Schedule rotation
-proagents secrets schedule-rotation API_KEY --date "2024-03-01"
-```
----
-## Access Control
-### Permission Model
-```yaml
-secrets:
-  access:
-    roles:
-      developer:
-        read:
-          - "development/*"
-        write: []
-      devops:
-        read:
-          - "development/*"
-          - "staging/*"
-          - "production/*"
-        write:
-          - "development/*"
-          - "staging/*"
-      admin:
-        read: ["*"]
-        write: ["*"]
-```
-### Audit Logging
-```yaml
-secrets:
-  audit:
-    enabled: true
-    log_access: true
-    log_changes: true
-    # Where to send logs
-    destinations:
-      - "cloudwatch"
-      - "splunk"
-```
----
-## Best Practices
-### Do's
-```
-✅ Use secret managers (not env files in production)
-✅ Rotate secrets regularly
-✅ Audit secret access
-✅ Use different secrets per environment
-✅ Encrypt secrets at rest and in transit
-✅ Limit secret access by role
-✅ Scan for leaked secrets
-```
-### Don'ts
-```
-❌ Commit secrets to git
-❌ Log secrets in application logs
-❌ Share secrets via Slack/email
-❌ Use same secrets across environments
-❌ Store secrets in code comments
-❌ Hardcode secrets in source code
-```
----
-## Emergency Procedures
-### Secret Leak Response
-```bash
-# 1. Immediately revoke the leaked secret
-proagents secrets revoke LEAKED_SECRET
-# 2. Rotate to new value
-proagents secrets rotate LEAKED_SECRET --emergency
-# 3. Audit access
-proagents secrets audit LEAKED_SECRET --since "24h"
-# 4. Scan for exposure
-proagents secrets scan --history
-```
-### Leak Response Checklist
-- [ ] Revoke compromised secret immediately
-- [ ] Generate new secret
-- [ ] Update all services using the secret
-- [ ] Check for unauthorized access
-- [ ] Scan git history for exposure
-- [ ] Document incident
-- [ ] Review access controls
----
-## Commands Reference
-```bash
-# List secrets (names only, not values)
-proagents secrets list
-# Get secret value (requires auth)
-proagents secrets get DATABASE_URL
-# Set secret
-proagents secrets set API_KEY "value" --env production
-# Delete secret
-proagents secrets delete OLD_SECRET
-# Sync secrets to environment
-proagents secrets sync --env staging
-# Export for backup (encrypted)
-proagents secrets export --encrypt --output secrets.enc
-```

package/.proagents/secrets/access-control.md DELETED Viewed

@@ -1,443 +0,0 @@
-# Secret Access Control
-Managing who and what can access secrets.
----
-## Access Principles
-| Principle | Description |
-|-----------|-------------|
-| **Least Privilege** | Grant minimum necessary access |
-| **Need to Know** | Only those who need it get access |
-| **Separation of Duties** | No single person has all access |
-| **Audit Everything** | Log all access attempts |
----
-## Role-Based Access
-### Configuration
-```yaml
-# proagents.config.yaml
-secrets:
-  access_control:
-    enabled: true
-    roles:
-      # Read-only access
-      viewer:
-        permissions:
-          - "secrets:read"
-        allowed_secrets:
-          - "public/*"
-      # Developer access
-      developer:
-        permissions:
-          - "secrets:read"
-        allowed_secrets:
-          - "development/*"
-          - "staging/*"
-        denied_secrets:
-          - "*/credentials"
-          - "*/api-keys"
-      # Operations access
-      operator:
-        permissions:
-          - "secrets:read"
-          - "secrets:rotate"
-        allowed_secrets:
-          - "*"
-        environments:
-          - "staging"
-          - "production"
-      # Admin access
-      admin:
-        permissions:
-          - "secrets:*"
-        allowed_secrets:
-          - "*"
-```
-### User Assignment
-```yaml
-secrets:
-  access_control:
-    users:
-      "developer@company.com":
-        roles: ["developer"]
-        teams: ["frontend"]
-      "ops@company.com":
-        roles: ["operator"]
-        teams: ["platform"]
-      "admin@company.com":
-        roles: ["admin"]
-        mfa_required: true
-    # Team-based access
-    teams:
-      frontend:
-        allowed_secrets:
-          - "frontend/*"
-      backend:
-        allowed_secrets:
-          - "backend/*"
-          - "database/*"
-      platform:
-        allowed_secrets:
-          - "*"
-```
----
-## Service Access
-### Service Accounts
-```yaml
-secrets:
-  access_control:
-    services:
-      # API service
-      api-service:
-        allowed_secrets:
-          - "database/connection-string"
-          - "redis/url"
-          - "jwt/signing-key"
-        environments:
-          - "${ENVIRONMENT}"
-      # Worker service
-      worker-service:
-        allowed_secrets:
-          - "database/connection-string"
-          - "queue/credentials"
-        environments:
-          - "${ENVIRONMENT}"
-      # CI/CD pipeline
-      ci-pipeline:
-        allowed_secrets:
-          - "ci/*"
-          - "npm/token"
-        allowed_operations:
-          - "read"
-```
-### Kubernetes Service Accounts
-```yaml
-secrets:
-  access_control:
-    kubernetes:
-      # Bind service accounts to secret access
-      bindings:
-        - service_account: "api-service"
-          namespace: "production"
-          secrets:
-            - "database-credentials"
-            - "api-keys"
-        - service_account: "worker"
-          namespace: "production"
-          secrets:
-            - "database-credentials"
-            - "queue-credentials"
-```
----
-## Access Policies
-### Policy Definition
-```yaml
-secrets:
-  access_control:
-    policies:
-      # Time-based access
-      production_access:
-        name: "Production Access"
-        conditions:
-          - type: "time_window"
-            days: ["monday", "tuesday", "wednesday", "thursday", "friday"]
-            hours: ["09:00", "18:00"]
-            timezone: "America/New_York"
-          - type: "ip_range"
-            ranges:
-              - "10.0.0.0/8"
-              - "192.168.1.0/24"
-      # Emergency access
-      emergency_access:
-        name: "Emergency Access"
-        conditions:
-          - type: "requires_approval"
-            approvers: ["security-team", "on-call-manager"]
-          - type: "time_limited"
-            duration: "4h"
-          - type: "audit_required"
-            notify: ["security@company.com"]
-```
-### Vault Policies
-```hcl
-# vault/policies/api-service.hcl
-path "secret/data/api/*" {
-  capabilities = ["read"]
-}
-path "secret/data/database/connection" {
-  capabilities = ["read"]
-}
-path "database/creds/api-role" {
-  capabilities = ["read"]
-}
-# Deny access to admin secrets
-path "secret/data/admin/*" {
-  capabilities = ["deny"]
-}
-```
-### AWS IAM Policies
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "AllowReadSecrets",
-      "Effect": "Allow",
-      "Action": [
-        "secretsmanager:GetSecretValue"
-      ],
-      "Resource": [
-        "arn:aws:secretsmanager:*:*:secret:myapp/production/*"
-      ],
-      "Condition": {
-        "StringEquals": {
-          "aws:PrincipalTag/Environment": "production"
-        }
-      }
-    },
-    {
-      "Sid": "DenyAdminSecrets",
-      "Effect": "Deny",
-      "Action": [
-        "secretsmanager:*"
-      ],
-      "Resource": [
-        "arn:aws:secretsmanager:*:*:secret:myapp/admin/*"
-      ]
-    }
-  ]
-}
-```
----
-## Access Auditing
-### Audit Configuration
-```yaml
-secrets:
-  access_control:
-    audit:
-      enabled: true
-      # Events to log
-      events:
-        - "secret_accessed"
-        - "secret_created"
-        - "secret_updated"
-        - "secret_deleted"
-        - "access_denied"
-        - "policy_changed"
-      # Log details
-      log_details:
-        - "timestamp"
-        - "user"
-        - "service"
-        - "secret_name"
-        - "action"
-        - "ip_address"
-        - "user_agent"
-      # Storage
-      destinations:
-        - type: "cloudwatch"
-          log_group: "/security/secret-access"
-        - type: "siem"
-          endpoint: "${SIEM_ENDPOINT}"
-      # Retention
-      retention: "2 years"
-```
-### Audit Alerts
-```yaml
-secrets:
-  access_control:
-    alerts:
-      # Suspicious access
-      - name: "Unusual Secret Access"
-        condition: |
-          access_count > normal_baseline * 3
-          AND time_of_day NOT IN business_hours
-        severity: "warning"
-        notify: ["security-team"]
-      # Access denied spike
-      - name: "Multiple Access Denied"
-        condition: "access_denied_count > 10 IN 5m"
-        severity: "critical"
-        notify: ["security-team", "pagerduty"]
-      # Sensitive secret access
-      - name: "Sensitive Secret Accessed"
-        condition: "secret_path MATCHES 'admin/*'"
-        severity: "info"
-        notify: ["security-team"]
-```
----
-## Emergency Access
-### Break-Glass Procedure
-```yaml
-secrets:
-  access_control:
-    emergency:
-      enabled: true
-      # Break-glass accounts
-      break_glass:
-        accounts:
-          - id: "emergency-1"
-            stored_in: "physical_safe"
-            access_log: "mandatory"
-          - id: "emergency-2"
-            stored_in: "cto_vault"
-            access_log: "mandatory"
-      # Procedure
-      procedure:
-        steps:
-          - "Contact security team"
-          - "Document incident number"
-          - "Retrieve break-glass credentials"
-          - "Access required secrets"
-          - "Complete incident report"
-          - "Rotate compromised credentials"
-      # Automatic actions
-      on_use:
-        - "alert_security_team"
-        - "start_audit_recording"
-        - "expire_in_4_hours"
-        - "require_followup_report"
-```
----
-## Implementation
-### Access Check Middleware
-```typescript
-// middleware/secretAccess.ts
-import { SecretAccessPolicy } from '../policies';
-export function checkSecretAccess(
-  user: User,
-  secretPath: string,
-  operation: 'read' | 'write' | 'delete'
-): boolean {
-  // Get user's roles and policies
-  const policies = getUserPolicies(user);
-  // Check each policy
-  for (const policy of policies) {
-    if (policy.allows(secretPath, operation)) {
-      // Log access
-      auditLog.record({
-        user: user.id,
-        secret: secretPath,
-        operation,
-        allowed: true,
-        timestamp: new Date(),
-      });
-      return true;
-    }
-  }
-  // Access denied
-  auditLog.record({
-    user: user.id,
-    secret: secretPath,
-    operation,
-    allowed: false,
-    timestamp: new Date(),
-  });
-  return false;
-}
-```
----
-## Commands
-```bash
-# Check access for user
-proagents secrets check-access --user developer@company.com --secret database/password
-# List user permissions
-proagents secrets permissions --user developer@company.com
-# Grant access
-proagents secrets grant --user developer@company.com --secret api/key --permission read
-# Revoke access
-proagents secrets revoke --user developer@company.com --secret api/key
-# View audit log
-proagents secrets audit-log --last 24h
-# Request emergency access
-proagents secrets emergency-access --reason "Production incident" --duration 4h
-```
----
-## Best Practices
-1. **Least Privilege**: Start with no access, grant as needed
-2. **Regular Reviews**: Audit access quarterly
-3. **Separation of Duties**: No one person has all keys
-4. **Time-Based Access**: Limit access to business hours when possible
-5. **Audit Everything**: Log all access, successful or not
-6. **Emergency Procedures**: Document and test break-glass access
-7. **Automate Reviews**: Use tools to flag excessive permissions