Deep SOC 2 Type II audit mapping code-level controls to all five Trust Services Criteria (CC, A, PI, C, P).
Paste your code below and results will stream in real time. Each finding includes severity ratings, line references, and fix suggestions. You can export the report as Markdown or JSON.
Your code is analyzed and discarded — it is not stored on our servers.
Workspace Prep Prompt
Paste this into your preferred code assistant (Claude, Cursor, etc.). It will structure your code into the ideal format for this audit — then paste the result here.
I'm preparing for a **SOC 2 Type II** code-level control assessment. Please help me collect the relevant files and information.

## SOC 2 context (fill in)

- Trust Services Categories in scope: [e.g. Security only, Security + Availability, all five]
- Current SOC 2 status: [e.g. "first-time readiness", "preparing for Type II after Type I", "annual renewal"]
- Service description: [brief description of the SaaS service and its users]
- Data types processed: [e.g. PII, business data, financial data, credentials]
- Known control gaps: [e.g. "no formal access reviews", "audit logging incomplete", "no DR testing"]

## Files to gather — organized by Trust Services Criteria

### 1. Authentication & Authorization (CC6.1, CC6.2, CC6.3)

- Authentication middleware and configuration
- Session management (token expiration, refresh logic)
- RBAC/ABAC role definitions and permission checks
- User provisioning and deprovisioning logic
- MFA enforcement configuration
- API key management and rotation

### 2. Audit Logging & Monitoring (CC4.1, CC7.2, CC7.3)

- Logging middleware and configuration
- Audit log schema (what fields are captured)
- Log retention and rotation configuration
- Monitoring and alerting rules
- Health check endpoints
- Error tracking configuration

### 3. Change Management (CC8.1)

- CI/CD pipeline configuration (.github/workflows, Jenkinsfile, etc.)
- Branch protection rules or configuration
- PR review requirements
- Deployment approval gates
- Rollback procedures
- Infrastructure-as-code files (Terraform, CloudFormation)

### 4. Encryption & Data Protection (CC6.7, C1.1, C1.2)

- Encryption at rest configuration (database, file storage)
- TLS/mTLS configuration
- Key management setup (KMS, Vault, etc.)
- Data classification logic or labels
- PII handling and masking
- Data retention and disposal logic

### 5. Availability & Recovery (A1.1, A1.2, A1.3)

- Backup configuration and schedules
- Auto-scaling configuration
- Load balancer and health check setup
- Disaster recovery configuration
- RTO/RPO definitions (if in code or config)
- Failover and redundancy setup

### 6. Input Validation & Processing Integrity (PI1.2, PI1.3, PI1.4)

- Input validation and sanitization
- Data transformation and processing logic
- Idempotency implementation
- Error handling patterns
- Transaction management

### 7. Vendor & Dependency Management (CC9.2)

- Dependency manifest (package.json, requirements.txt, etc.)
- Dependency scanning configuration (Dependabot, Snyk, etc.)
- Third-party API integrations

## Formatting rules

Format each file:

```
--- lib/auth/middleware.ts (authentication — CC6.1) ---
--- lib/rbac/permissions.ts (authorization — CC6.3) ---
--- lib/logging/audit-logger.ts (audit logging — CC7.2) ---
--- .github/workflows/deploy.yml (change management — CC8.1) ---
--- terraform/backup.tf (availability — A1.2) ---
```

## Don't forget

- [ ] Include authentication AND authorization code (they map to different criteria)
- [ ] Show the complete audit logging pipeline — capture, storage, retention
- [ ] Include CI/CD with review gates and deployment approvals
- [ ] Show encryption for both data at rest and in transit
- [ ] Include backup and recovery configuration
- [ ] Note which Trust Services Categories are in scope for your audit

Keep total under 30,000 characters.
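The formatting rules above ask for each file under a `--- path (purpose — criterion) ---` header with the whole bundle under 30,000 characters, and the page asks you not to paste credentials. This added helper (example code, not part of the audit tool) builds that bundle, skips whole files rather than truncating them when the cap would be exceeded, and holds back files that match a few crude secret patterns for manual redaction; the file contents and secret patterns are constructed for the example.

```python
import re
from typing import List, Tuple

CHAR_LIMIT = 30_000  # the prompt's stated cap on the pasted bundle

# Crude indicators of material the page says not to paste (credentials).
# Constructed for this example; tune the list for your own codebase.
SECRET_PATTERNS = [
    re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    re.compile(r'(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*["\'][^"\']{8,}["\']'),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # shape of an AWS access key id
]

def header(path: str, purpose: str, criterion: str) -> str:
    """Header line in exactly the layout the prompt asks for."""
    return f"--- {path} ({purpose} — {criterion}) ---"

def looks_sensitive(content: str) -> bool:
    """True if any constructed secret pattern matches the file body."""
    return any(p.search(content) for p in SECRET_PATTERNS)

def bundle(files: List[Tuple[str, str, str, str]],
           limit: int = CHAR_LIMIT) -> Tuple[str, List[str], List[str]]:
    """files: (path, purpose, criterion, content), most important first.
    Returns (text, skipped_for_size, flagged_sensitive). A file that would
    push the total past the limit is skipped whole, never cut mid-file, so the
    assistant never reasons about half a control; files matching a secret
    pattern are held back until they have been redacted by hand."""
    parts, too_big, flagged = [], [], []
    total = 0
    for path, purpose, criterion, content in files:
        if looks_sensitive(content):
            flagged.append(path)
            continue
        block = f"{header(path, purpose, criterion)}\n{content.rstrip()}\n\n"
        if total + len(block) > limit:
            too_big.append(path)
            continue
        parts.append(block)
        total += len(block)
    return "".join(parts), too_big, flagged

# Constructed sample inputs (not real project files).
SAMPLE_FILES = [
    ("lib/auth/middleware.ts", "authentication", "CC6.1",
     "export const requireAuth = (req, res, next) => { /* verify session */ next(); };"),
    ("config/db.ts", "encryption at rest", "CC6.7",
     'export const DB_PASSWORD = "correct-horse-battery-staple";'),
    ("terraform/backup.tf", "availability", "A1.2",
     'resource "aws_backup_plan" "daily" { name = "daily" }'),
]

if __name__ == "__main__":
    text, too_big, flagged = bundle(SAMPLE_FILES)
    print(text)
    print("skipped for size:", too_big, "| held back (possible secrets):", flagged)
```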
Audit history is stored in your browser's localStorage as unencrypted text. Do not submit proprietary credentials or sensitive data.
Security
Identifies vulnerabilities, attack surfaces, and insecure patterns — the issues that cause breaches.
SQL Auditor
Finds injection risks, N+1 queries (database calls that multiply with data size), missing indexes, and transaction issues.
Privacy / GDPR
Checks code and data flows for PII exposure, consent gaps, and GDPR/CCPA compliance.
Dependency Security
Scans for CVEs, outdated packages, license risks, and supply-chain vulnerabilities.
Auth & Session Review
Deep-dives on authentication flows, JWT (login tokens)/session handling, OAuth, and credential security.