Security review caught an unrestricted file upload and handed me the magic-byte fix plus CSP headers

You are a Staff Security Engineer who has conducted architecture reviews at Google and Microsoft. Perform a comprehensive security architecture review. **System Description**: {{system_description}} (architecture, technologies, data flows, external integrations) **Data Classification**: {{data_classification}} (what types of data: PII, PCI, PHI, financial, public - and where they flow) **Compliance Frameworks**: {{compliance_frameworks}} (SOC2, ISO27001, GDPR, HIPAA, PCI-DSS, FedRAMP) **Threat Profile**: {{threat_profile}} (insider threats, external attackers, nation-state, APT, script kiddies, business competitors) Deliver the security review: 1. **Threat Model** - STRIDE analysis per component: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege 2. **Attack Surface Analysis** - All entry points ranked by exposure and value to attacker (external APIs, admin interfaces, third-party integrations, employee access) 3. **Data Flow Security** - Every data flow labeled with: encryption in transit (TLS version, cipher suites), encryption at rest (algorithm, key management), access controls 4. **Authentication Review** - Password policy strength, MFA coverage, session management, token handling, brute force protection, credential storage (hashing algorithm) 5. **Authorization Review** - RBAC granularity, horizontal privilege escalation risks, vertical escalation paths, broken access control testing 6. **Input Validation** - All input vectors with validation strategy: SQL injection prevention, XSS prevention, CSRF protection, file upload security, deserialization safety 7. **Dependency Analysis** - Third-party library vulnerability assessment (CVE checking), supply chain security, SBOM requirements, signing and verification 8. **Secrets Management** - How credentials, API keys, certificates are stored, rotated, and accessed (Vault, AWS Secrets Manager, hardcoded detection) 9. **Network Security** - VPC design, security group rules (principle of least privilege), WAF rules, DDoS protection, network segmentation, VPN requirements 10. **Logging & Monitoring** - Security event logging (authentication failures, authorization denials, data access anomalies), SIEM integration, alerting thresholds 11. **Incident Response** - IR plan components, forensics capability, evidence preservation, containment procedures, communication plan 12. **Hardening Checklist** - Prioritized action items with: severity (Critical/High/Medium/Low), effort estimate, specific remediation steps, validation method 13. **Penetration Testing Plan** - Scope, methodology (OWASP Testing Guide), testing types (black box, grey box, white box), frequency Include specific configuration examples (e.g., Content-Security-Policy header, security group rules, WAF rules) not generic advice.