security-deep-audit

End-to-end security and exposure audit of the Annual Reports CRM stack (n8n + Cloudflare Workers + Pages + Airtable + Microsoft Graph + GitHub). Triggers on /security-deep-audit, /audit-security, /full-security-audit, or phrases like 'deep security audit', 'find all leaks', 'audit everything', 'find loose ends', or after a secret rotation completes (post-rotation paranoid sweep), or as a monthly cadence run. Hunts ten categories in parallel: public-repo git-history leakage, document/PII leakage, n8n credential and inline-secret drift, Worker/Pages drift, GitHub posture, local laptop hygiene, third-party SaaS posture, code-level auth/access patterns, time-decaying risks, and known dual-use HEAD constants. Read-only — never auto-rotates, commits, or pushes. Writes a prioritized report to .agent/audits/. Does NOT trigger for n8n silent-drop or workflow-correctness bugs (use silent-failure-hunt instead), single-PR secret reviews (use /security-review), or one-off targeted lookups.