Security is rarely a feature. It’s an outcome that comes from making safe defaults the easy path through the codebase.
What we ship by default
Every product gets these on day one: short-lived sessions, scoped tokens, audit logs on state changes, environment isolation, and a documented incident-response loop.
Anything beyond that is project-specific.