{{ $kpis['security_score'] >= 70 ? 'strong controls active' : 'attention needed' }}

{{ $kpis['tfa_coverage'] }}%

{{ $kpis['tfa_enrolled'] }}/{{ $kpis['tfa_admins_total'] }} {{ __('admins enrolled') }}

{{ $kpis['webhook_failures'] }}%

@forelse ($risks as $r) @php $p = $sevPill($r['severity']); @endphp @empty @endforelse

{{ __('Severity') }}	{{ __('Signal') }}	{{ __('Workspace') }}	{{ __('Owner') }}	{{ __('Action') }}
{{ $r['severity'] }}	{{ $r['signal'] }} @if ($r['detail']) {{ $r['detail'] }} @endif	{{ $r['workspace'] }}	{{ $r['owner'] }}	{{ __('Inspect') }}
{{ __('All clear — no failures or warnings in the last 7 days.') }}

@foreach ($controls as $c) @php $col = $c['pct'] >= 75 ? 'bg-wa-deep text-wa-deep' : ($c['pct'] >= 50 ? 'bg-wa-teal text-wa-teal' : ($c['pct'] >= 25 ? 'bg-accent-amber text-accent-amber' : 'bg-accent-coral text-accent-coral')); [$bg, $fg] = explode(' ', $col); @endphp

{{ $c['label'] }}{{ $c['pct'] }}% ({{ $c['on'] }}/{{ $c['of'] }})

@endforeach

@if ($policy['emergency_send_halt'] ?? false) @else @endif

{{ __('Max login attempts') }} {{ __('Lockout window (min)') }} {{ __('Password age limit (days, 0 = never)') }} {{ __('Session timeout (min)') }}

{{-- New-password strength rules — applied at signup + password change only, never to an existing login, so tightening them can't lock anyone out. --}}

{{ __('Login alerts') }}{{ __('Email user on new device') }} {{ __('Country-change alerts') }}{{ __('Email on login from a new country') }}

{{ __('Require 2FA for admins') }}{{ __('Super Admin, Admin, Support Admin') }} {{ __('Require 2FA for workspace owners') }}{{ __('Anyone with role=owner') }} {{ __('Require 2FA for all users') }}{{ __('Mandatory across the platform') }}

@php $methods = is_array($policy['allowed_2fa_methods'] ?? null) ? $policy['allowed_2fa_methods'] : ['totp','email']; @endphp

@foreach (['totp' => 'Authenticator app', 'email' => 'Email code', 'telegram' => 'Telegram bot'] as $val => $lbl) {{ $lbl }} @endforeach

{{-- Master switch — gates EVERYTHING in this card. Off by default so nothing changes until an admin opts in. --}} @php $waMode = old('wa_guardrails_mode', $policy['wa_guardrails_mode'] ?? 'off'); @endphp

{{ __('The rate caps and content filters below only take effect based on this mode. Off changes nothing. Monitor runs the checks and logs what it would block (to the audit log) without stopping any send — use it to confirm the rules are right before turning them on. Enforce actually blocks matching sends.') }}

{{ __('Max sends per minute (0 = unlimited)') }} {{ __('Max sends per day (0 = unlimited)') }} {{ __('Hold if links exceed (0 = no limit)') }}

{{ __("Live block-rate health is read from each workspace's send pipeline. Hold + review fires automatically when configured limits are exceeded.") }}

{{ __('Block finance / get-rich terms') }}{{ __('Scam, fake investment, payment redirection patterns') }} {{ __('Block short / suspicious links') }}{{ __('bit.ly, tinyurl, freshly-registered domains') }} {{ __('Custom keyword blocklist (one per line)') }} {{ __('Outbound messages containing any of these are flagged + held for review.') }}

{{ __('API requests per minute') }} {{ __('Webhook replay window (sec)') }} {{ __('· reserved') }}{{ __('Saved but not yet enforced — Meta/Twilio inbound webhooks are already signature-verified.') }}

{{ __('Require trusted browser') }} {{ __('· reserved') }}{{ __('Saved but not yet enforced (no device-trust flow built).') }} {{ __('Auto-logout after inactive (days, 0 = never)') }} {{ __('Max concurrent sessions per user') }}

@foreach (['email' => 'Email', 'whatsapp' => 'WhatsApp', 'both' => 'Email + WhatsApp'] as $val => $lbl) {{ $lbl }} @endforeach

@if ($policy['emergency_send_halt'] ?? false) @else @endif

admin.security.sessions_revoked when sessions are wiped.
admin.security.force_password_reset_all when reset is forced.
admin.security.webhook_secrets_rotated when secrets rotate.
admin.security.emergency_halt_engaged when halt fires.
admin.security.policy_updated on any setting change above, with full before/after diff in payload.

View security audit trail →

{{ ('Security and') }} {{ ('compliance') }}

{{ __('Risk items to review') }}

{{ __('Account lockout rules') }}

{{ __('2FA enforcement') }}

{{ __('Guardrail enforcement') }}

{{ __('Hard caps') }}

{{ __('Anti-spam controls') }}

{{ __('Workspace health') }}

{{ __('Illegal-use prevention') }}

{{ __('Rate limits') }}

{{ __('Integrity') }}

{{ __('Admin panel access') }}

{{ __('Trust + session policy') }}

{{ __('Where alerts go') }}

{{ __('Irreversible platform-wide actions') }}

{{ __('Every action above writes an audit row') }}