Selected Recent Diligence & Readiness Engagements
Client identities and certain specifics are withheld under NDA; details are anonymized while preserving the substance of findings.
Seed B2B Fintech SaaS — Investor-side 3-Day TDD
Scope: scalability, release safety, and key-person dependency around the payments and fraud subsystems.
Selected findings (and what we did within the window)
Single-threaded CI/CD pipeline owned by one engineer — Why it matters: continuity risk and delivery slippage jeopardize post-close revenue milestones. Action: documented the pipeline, added a backup maintainer, and introduced protected branches. Status: Partially addressed
Secrets committed to repo; ad-hoc env configs — Why it matters: a security incident and regulatory exposure create reputational damage and down-round risk. Action: rotated compromised secrets, moved to managed secrets, and standardized env var contracts. Status: Addressed
No automated rollback strategy; manual hotfixes — Why it matters: outage-driven churn and SLO breaches directly impact revenue reliability. Action: sketched a canary + feature-flag rollout and created a rollback runbook. Status: Plan approved
Risky DB migrations; missing verified backups — Why it matters: data loss/compliance events trigger escrow/indemnities and closing delays. Action: enabled daily PITR (point-in-time recovery) backups and instituted a pre-flight migration checklist. Status: Addressed
Investor decision: Go, with conditions. Conditions tied to completing rollout safety and cross-training within 30 days.
Series A DevTools (AI-enabled) — Founder-side Readiness
Scope: AI governance, IP hygiene, and maintainability to defend valuation during diligence.
Selected findings (and what we did within the window)
AI-generated code hotspots with duplication and limited tests — Why it matters: maintainability and velocity risk inflate burn and threaten growth targets. Action: instituted contribution guidelines; prioritized refactors with unit tests around critical paths. Status: Partially addressed
Shadow AI usage without governance — Why it matters: IP contamination/ownership ambiguity invites a valuation haircut and legal friction at exit. Action: drafted and adopted an AI usage policy; centralized model access; created a redline prompts repository. Status: Addressed
Third-party code snippets with unclear licenses — Why it matters: IP uncertainty can trigger closing conditions, escrow, or rework. Action: replaced suspect snippets; performed an OSS license sweep; updated attribution. Status: Addressed
Investor decision: Go, with conditions. Conditions tied to test coverage gates and AI governance evidence in the data room.
Healthcare Data Platform — Independent Investor TDD
Scope: data lineage and privacy posture, access control, model risk, and recoverability.
Selected findings (and what we did within the window)
PII co-mingled in analytics bucket; lineage unclear — Why it matters: regulatory non-compliance and liability lead to delays, escrow, or indemnities. Action: segregated datasets; added tags and lineage annotations; updated retention policies. Status: Partially addressed
Shared admin credentials; weak least-privilege IAM — Why it matters: elevated breach probability impacts cyber insurance, brand, and board risk. Action: introduced group-based roles; enabled MFA; rotated credentials. Status: Addressed
No model drift monitoring in production — Why it matters: harmful/low-quality recommendations create legal and brand exposure. Action: implemented lightweight drift dashboards; defined model performance SLOs. Status: Plan initiated
Unclear RTO/RPO; no DR drills — Why it matters: reliability uncertainty and extended MTTR impact revenue stability and SLAs. Action: drafted a DR plan; scheduled quarterly restore tests. Status: Plan approved
Investor decision: Defer. Revisit in 60 days post-DR drill and consistent lineage reporting.
Marketplace SaaS — Scalability & Reliability TDD
Scope: performance under growth, architecture brittleness, and operational maturity.
Selected findings (and what we did within the window)
Hollow-core monolith with N+1 queries on hot paths — Why it matters: the scalability ceiling drives margin compression and extends CAC payback. Action: prioritized query optimization; defined a strangler-fig decomposition plan. Status: Partially addressed
Synchronous external API in checkout critical path — Why it matters: revenue leakage via timeouts and SLO breaches increases churn. Action: introduced a queue-based fallback design; added timeouts and retries. Status: Plan approved
Near-zero observability; logs only — Why it matters: high MTTR and blind spots obscure risk and undermine revenue stability. Action: added a request tracing starter pack and error-rate dashboards. Status: Addressed
Payment integration owned by a single engineer — Why it matters: key-person dependency threatens continuity and roadmap execution. Action: created a runbook and cross-training plan. Status: Partially addressed
Investor decision: Go, with milestone tranches tied to decomposing the hot path and achieving SLOs.
IoT Logistics Platform — Infra, Licensing & Release Safety
Scope: infrastructure-as-code maturity, blue/green deploy safety, and open-source licensing risk.
Selected findings (and what we did within the window)
Manual server provisioning; minimal IaC — Why it matters: environment drift and slow change jeopardize the scale-up plan and audit readiness. Action: began Terraforming core services; codified networking and secrets. Status: Partially addressed
No blue/green or canary; risky full-cutover deploys — Why it matters: release outages during peak season drive SLA penalties and churn. Action: designed a blue/green pipeline with health checks and gradual traffic shifting. Status: Plan approved
AGPL-licensed component embedded in a core service — Why it matters: license contagion threatens IP defensibility; potential deal blocker. Action: replaced it with a permissive alternative; initiated legal review for contamination risk. Status: Addressed
Vendor lock-in with no portability plan — Why it matters: pricing power and portability risks can compress gross margins post-close. Action: introduced abstraction at the storage and messaging layers; created an exit checklist. Status: Partially addressed
Investor decision: Go, contingent on legal clearance of IP and completion of the first blue/green cutover.
"If these patterns feel familiar, it's because they are. The value of diligence is turning recurring failure modes into predictable, investable outcomes."