function ApiSecurityPosture() {
  const cards = [
    {
      h: 'SHA-256 hashed keys',
      b: 'Keys hashed with pepper in Cloudflare Secrets Store. Pepper lives only in Secrets Store — never in D1, logs, or git history.',
      mono: 'hash(key || pepper) → D1',
    },
    {
      h: 'Two-layer rate limiting',
      b: 'Workers API pre-auth (fail-closed) + D1 sliding window post-auth. Retry-After emitted on limit hit. Every decision logged.',
      mono: '60/60s IP · 1000/60s key',
    },
    {
      h: 'Tamper-evident audit log',
      b: '90-day retention, queryable via /v1/admin/audit-log. 11 event types covering auth, scoring, admin, and rate-limit decisions.',
      mono: '11 event types · 90d',
    },
  ];
  return (
    <section id="security" className="section section-surface">
      <div className="container">
        <div className="section-head">
          <div className="eyebrow">Security posture</div>
          <h2 className="h2">Three guarantees. All enforced at the edge.</h2>
        </div>
        <div className="sec-grid">
          {cards.map(c => (
            <article className="sec-card" key={c.h}>
              <div className="sec-h">{c.h}</div>
              <p className="sec-b">{c.b}</p>
              <div className="sec-mono mono">{c.mono}</div>
            </article>
          ))}
        </div>
      </div>
    </section>
  );
}
window.ApiSecurityPosture = ApiSecurityPosture;