diff --git a/apps/api/.env.example b/apps/api/.env.example
index 290ce034a..85f9ccd9b 100644
--- a/apps/api/.env.example
+++ b/apps/api/.env.example
@@ -28,4 +28,9 @@ TRIGGER_SECRET_KEY=
 
 OPENAI_API_KEY=
 ANTHROPIC_API_KEY=
-GROQ_API_KEY=
\ No newline at end of file
+GROQ_API_KEY=
+
+# Resend (for sending emails)
+RESEND_API_KEY=
+RESEND_FROM_SYSTEM= # e.g., noreply@mail.trycomp.ai
+RESEND_FROM_DEFAULT= # e.g., hello@mail.trycomp.ai
\ No newline at end of file
diff --git a/apps/api/package.json b/apps/api/package.json
index a821d9618..acc62c3f0 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -54,6 +54,7 @@
     "reflect-metadata": "^0.2.2",
     "resend": "^6.4.2",
     "rxjs": "^7.8.1",
+    "safe-stable-stringify": "^2.5.0",
     "swagger-ui-express": "^5.0.1",
     "xlsx": "^0.18.5",
     "zod": "^4.0.14"
diff --git a/apps/api/src/app.module.ts b/apps/api/src/app.module.ts
index afae6031c..31be83c2c 100644
--- a/apps/api/src/app.module.ts
+++ b/apps/api/src/app.module.ts
@@ -17,10 +17,13 @@ import { OrganizationModule } from './organization/organization.module';
 import { PoliciesModule } from './policies/policies.module';
 import { RisksModule } from './risks/risks.module';
 import { TasksModule } from './tasks/tasks.module';
+import { EvidenceExportModule } from './tasks/evidence-export/evidence-export.module';
 import { VendorsModule } from './vendors/vendors.module';
 import { ContextModule } from './context/context.module';
 import { TrustPortalModule } from './trust-portal/trust-portal.module';
 import { TaskTemplateModule } from './framework-editor/task-template/task-template.module';
+import { FindingTemplateModule } from './finding-template/finding-template.module';
+import { FindingsModule } from './findings/findings.module';
 import { QuestionnaireModule } from './questionnaire/questionnaire.module';
 import { VectorStoreModule } from './vector-store/vector-store.module';
 import { KnowledgeBaseModule } from './knowledge-base/knowledge-base.module';
@@ -30,6 +33,7 @@ import { CloudSecurityModule } from './cloud-security/cloud-security.module';
 import { BrowserbaseModule } from './browserbase/browserbase.module';
 import { TaskManagementModule } from './task-management/task-management.module';
 import { AssistantChatModule } from './assistant-chat/assistant-chat.module';
+import { TrainingModule } from './training/training.module';
 
 @Module({
   imports: [
@@ -59,10 +63,13 @@ import { AssistantChatModule } from './assistant-chat/assistant-chat.module';
     DeviceAgentModule,
     AttachmentsModule,
     TasksModule,
+    EvidenceExportModule,
     CommentsModule,
     HealthModule,
     TrustPortalModule,
     TaskTemplateModule,
+    FindingTemplateModule,
+    FindingsModule,
     QuestionnaireModule,
     VectorStoreModule,
     KnowledgeBaseModule,
@@ -72,6 +79,7 @@ import { AssistantChatModule } from './assistant-chat/assistant-chat.module';
     BrowserbaseModule,
     TaskManagementModule,
     AssistantChatModule,
+    TrainingModule,
   ],
   controllers: [AppController],
   providers: [
diff --git a/apps/api/src/email/resend.ts b/apps/api/src/email/resend.ts
index b16b232be..998ecff0d 100644
--- a/apps/api/src/email/resend.ts
+++ b/apps/api/src/email/resend.ts
@@ -5,6 +5,12 @@ export const resend = process.env.RESEND_API_KEY
   ? new Resend(process.env.RESEND_API_KEY)
   : null;
 
+export interface EmailAttachment {
+  filename: string;
+  content: Buffer | string;
+  contentType?: string;
+}
+
 export const sendEmail = async ({
   to,
   subject,
@@ -14,6 +20,7 @@ export const sendEmail = async ({
   test,
   cc,
   scheduledAt,
+  attachments,
 }: {
   to: string;
   subject: string;
@@ -23,6 +30,7 @@ export const sendEmail = async ({
   test?: boolean;
   cc?: string | string[];
   scheduledAt?: string;
+  attachments?: EmailAttachment[];
 }) => {
   if (!resend) {
     throw new Error('Resend not initialized - missing API key');
@@ -64,6 +72,11 @@ export const sendEmail = async ({
       // @ts-ignore – React node allowed by the SDK
       react,
       scheduledAt,
+      attachments: attachments?.map((att) => ({
+        filename: att.filename,
+        content: att.content,
+        contentType: att.contentType,
+      })),
     });
 
     if (error) {
diff --git a/apps/api/src/email/templates/finding-notification.tsx b/apps/api/src/email/templates/finding-notification.tsx
new file mode 100644
index 000000000..5d85b22bd
--- /dev/null
+++ b/apps/api/src/email/templates/finding-notification.tsx
@@ -0,0 +1,147 @@
+import * as React from 'react';
+import {
+  Body,
+  Button,
+  Container,
+  Font,
+  Heading,
+  Html,
+  Link,
+  Preview,
+  Section,
+  Tailwind,
+  Text,
+} from '@react-email/components';
+import { Footer } from '../components/footer';
+import { Logo } from '../components/logo';
+import { getUnsubscribeUrl } from '@trycompai/email';
+
+interface Props {
+  toName: string;
+  toEmail: string;
+  heading: string;
+  message: string;
+  taskTitle: string;
+  organizationName: string;
+  findingType: string;
+  findingContent: string;
+  newStatus?: string;
+  findingUrl: string;
+}
+
+export const FindingNotificationEmail = ({
+  toName,
+  toEmail,
+  heading,
+  message,
+  taskTitle,
+  organizationName,
+  findingType,
+  findingContent,
+  newStatus,
+  findingUrl,
+}: Props) => {
+  const unsubscribeUrl = getUnsubscribeUrl(toEmail);
+  return (
+    <Html>
+      <Tailwind>
+        <head>
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={400}
+            fontStyle="normal"
+          />
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={500}
+            fontStyle="normal"
+          />
+        </head>
+        <Preview>
+          {heading}: {taskTitle}
+        </Preview>
+
+        <Body className="mx-auto my-auto bg-[#fff] font-sans">
+          <Container
+            className="mx-auto my-[40px] max-w-[600px] border-transparent p-[20px] md:border-[#E8E7E1]"
+            style={{ borderStyle: 'solid', borderWidth: 1 }}
+          >
+            <Logo />
+            <Heading className="mx-0 my-[30px] p-0 text-center text-[24px] font-normal text-[#121212]">
+              {heading}
+            </Heading>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Hello {toName},
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              {message}
+            </Text>
+
+            {/* Finding Details Box */}
+            <Section
+              className="mt-[24px] mb-[24px] rounded-[8px] bg-[#f5f5f5] p-[16px]"
+              style={{ border: '1px solid #e0e0e0' }}
+            >
+              <Text className="m-0 text-[12px] font-medium uppercase tracking-wide text-[#666666]">
+                Finding Details
+              </Text>
+
+              <Text className="mt-[8px] mb-[4px] text-[14px] font-medium text-[#121212]">
+                Organization: {organizationName}
+              </Text>
+
+              <Text className="mt-[4px] mb-[4px] text-[14px] font-medium text-[#121212]">
+                Task: {taskTitle}
+              </Text>
+
+              <Text className="mt-[4px] mb-[4px] text-[13px] text-[#666666]">
+                Type: {findingType}
+                {newStatus && <> | Status: {newStatus}</>}
+              </Text>
+
+              <Text className="mt-[12px] mb-0 text-[13px] italic text-[#444444]">
+                "{findingContent}"
+              </Text>
+            </Section>
+
+            <Section className="mt-[32px] mb-[32px] text-center">
+              <Button
+                className="rounded-[3px] bg-[#121212] px-[20px] py-[12px] text-center text-[14px] font-semibold text-white no-underline"
+                href={findingUrl}
+              >
+                View Finding
+              </Button>
+            </Section>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              or copy and paste this URL into your browser:{' '}
+              <a href={findingUrl} className="text-[#121212] underline">
+                {findingUrl}
+              </a>
+            </Text>
+
+            <Section className="mt-[30px] mb-[20px]">
+              <Text className="text-[12px] leading-[20px] text-[#666666]">
+                Don't want to receive finding notifications?{' '}
+                <Link href={unsubscribeUrl} className="text-[#121212] underline">
+                  Manage your email preferences
+                </Link>
+                .
+              </Text>
+            </Section>
+
+            <br />
+
+            <Footer />
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default FindingNotificationEmail;
diff --git a/apps/api/src/email/templates/task-assignee-changed.tsx b/apps/api/src/email/templates/task-assignee-changed.tsx
new file mode 100644
index 000000000..ce6e16f37
--- /dev/null
+++ b/apps/api/src/email/templates/task-assignee-changed.tsx
@@ -0,0 +1,119 @@
+import * as React from 'react';
+import {
+  Body,
+  Button,
+  Container,
+  Font,
+  Heading,
+  Html,
+  Link,
+  Preview,
+  Section,
+  Tailwind,
+  Text,
+} from '@react-email/components';
+import { Footer } from '../components/footer';
+import { Logo } from '../components/logo';
+import { getUnsubscribeUrl } from '@trycompai/email';
+
+interface Props {
+  toName: string;
+  toEmail: string;
+  taskTitle: string;
+  oldAssigneeName: string;
+  newAssigneeName: string;
+  changedByName: string;
+  organizationName: string;
+  taskUrl: string;
+}
+
+export const TaskAssigneeChangedEmail = ({
+  toName,
+  toEmail,
+  taskTitle,
+  oldAssigneeName,
+  newAssigneeName,
+  changedByName,
+  organizationName,
+  taskUrl,
+}: Props) => {
+  const unsubscribeUrl = getUnsubscribeUrl(toEmail);
+
+  return (
+    <Html>
+      <Tailwind>
+        <head>
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={400}
+            fontStyle="normal"
+          />
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={500}
+            fontStyle="normal"
+          />
+        </head>
+        <Preview>
+          {`Task "${taskTitle}" reassigned from ${oldAssigneeName} to ${newAssigneeName}`}
+        </Preview>
+
+        <Body className="mx-auto my-auto bg-[#fff] font-sans">
+          <Container
+            className="mx-auto my-[40px] max-w-[600px] border-transparent p-[20px] md:border-[#E8E7E1]"
+            style={{ borderStyle: 'solid', borderWidth: 1 }}
+          >
+            <Logo />
+            <Heading className="mx-0 my-[30px] p-0 text-center text-[24px] font-normal text-[#121212]">
+              Task Reassigned
+            </Heading>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Hello {toName},
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              <strong>{changedByName}</strong> reassigned task <strong>"{taskTitle}"</strong> from{' '}
+              <strong>{oldAssigneeName}</strong> to <strong>{newAssigneeName}</strong> in{' '}
+              <strong>{organizationName}</strong>.
+            </Text>
+
+            <Section className="mt-[32px] mb-[32px] text-center">
+              <Button
+                className="rounded-[3px] bg-[#121212] px-[20px] py-[12px] text-center text-[14px] font-semibold text-white no-underline"
+                href={taskUrl}
+              >
+                View Task
+              </Button>
+            </Section>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              or copy and paste this URL into your browser:{' '}
+              <a href={taskUrl} className="text-[#121212] underline">
+                {taskUrl}
+              </a>
+            </Text>
+
+            <Section className="mt-[30px] mb-[20px]">
+              <Text className="text-[12px] leading-[20px] text-[#666666]">
+                Don't want to receive task assignment notifications?{' '}
+                <Link href={unsubscribeUrl} className="text-[#121212] underline">
+                  Manage your email preferences
+                </Link>
+                .
+              </Text>
+            </Section>
+
+            <br />
+
+            <Footer />
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default TaskAssigneeChangedEmail;
diff --git a/apps/api/src/email/templates/task-bulk-assignee-changed.tsx b/apps/api/src/email/templates/task-bulk-assignee-changed.tsx
new file mode 100644
index 000000000..e6bf76dac
--- /dev/null
+++ b/apps/api/src/email/templates/task-bulk-assignee-changed.tsx
@@ -0,0 +1,117 @@
+import * as React from 'react';
+import {
+  Body,
+  Button,
+  Container,
+  Font,
+  Heading,
+  Html,
+  Link,
+  Preview,
+  Section,
+  Tailwind,
+  Text,
+} from '@react-email/components';
+import { Footer } from '../components/footer';
+import { Logo } from '../components/logo';
+import { getUnsubscribeUrl } from '@trycompai/email';
+
+interface Props {
+  toName: string;
+  toEmail: string;
+  taskCount: number;
+  newAssigneeName: string;
+  changedByName: string;
+  organizationName: string;
+  tasksUrl: string;
+}
+
+export const TaskBulkAssigneeChangedEmail = ({
+  toName,
+  toEmail,
+  taskCount,
+  newAssigneeName,
+  changedByName,
+  organizationName,
+  tasksUrl,
+}: Props) => {
+  const unsubscribeUrl = getUnsubscribeUrl(toEmail);
+  const taskText = taskCount === 1 ? 'task' : 'tasks';
+
+  return (
+    <Html>
+      <Tailwind>
+        <head>
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={400}
+            fontStyle="normal"
+          />
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={500}
+            fontStyle="normal"
+          />
+        </head>
+        <Preview>
+          {`${taskCount} ${taskText} reassigned to ${newAssigneeName}`}
+        </Preview>
+
+        <Body className="mx-auto my-auto bg-[#fff] font-sans">
+          <Container
+            className="mx-auto my-[40px] max-w-[600px] border-transparent p-[20px] md:border-[#E8E7E1]"
+            style={{ borderStyle: 'solid', borderWidth: 1 }}
+          >
+            <Logo />
+            <Heading className="mx-0 my-[30px] p-0 text-center text-[24px] font-normal text-[#121212]">
+              Tasks Reassigned
+            </Heading>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Hello {toName},
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              <strong>{changedByName}</strong> reassigned <strong>{taskCount} {taskText}</strong> to{' '}
+              <strong>{newAssigneeName}</strong> in <strong>{organizationName}</strong>.
+            </Text>
+
+            <Section className="mt-[32px] mb-[32px] text-center">
+              <Button
+                className="rounded-[3px] bg-[#121212] px-[20px] py-[12px] text-center text-[14px] font-semibold text-white no-underline"
+                href={tasksUrl}
+              >
+                View Tasks
+              </Button>
+            </Section>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              or copy and paste this URL into your browser:{' '}
+              <a href={tasksUrl} className="text-[#121212] underline">
+                {tasksUrl}
+              </a>
+            </Text>
+
+            <Section className="mt-[30px] mb-[20px]">
+              <Text className="text-[12px] leading-[20px] text-[#666666]">
+                Don't want to receive task assignment notifications?{' '}
+                <Link href={unsubscribeUrl} className="text-[#121212] underline">
+                  Manage your email preferences
+                </Link>
+                .
+              </Text>
+            </Section>
+
+            <br />
+
+            <Footer />
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default TaskBulkAssigneeChangedEmail;
diff --git a/apps/api/src/email/templates/task-bulk-status-changed.tsx b/apps/api/src/email/templates/task-bulk-status-changed.tsx
new file mode 100644
index 000000000..0f8022d86
--- /dev/null
+++ b/apps/api/src/email/templates/task-bulk-status-changed.tsx
@@ -0,0 +1,119 @@
+import * as React from 'react';
+import {
+  Body,
+  Button,
+  Container,
+  Font,
+  Heading,
+  Html,
+  Link,
+  Preview,
+  Section,
+  Tailwind,
+  Text,
+} from '@react-email/components';
+import { Footer } from '../components/footer';
+import { Logo } from '../components/logo';
+import { getUnsubscribeUrl } from '@trycompai/email';
+
+interface Props {
+  toName: string;
+  toEmail: string;
+  taskCount: number;
+  newStatus: string;
+  changedByName: string;
+  organizationName: string;
+  tasksUrl: string;
+}
+
+export const TaskBulkStatusChangedEmail = ({
+  toName,
+  toEmail,
+  taskCount,
+  newStatus,
+  changedByName,
+  organizationName,
+  tasksUrl,
+}: Props) => {
+  const unsubscribeUrl = getUnsubscribeUrl(toEmail);
+  const taskText = taskCount === 1 ? 'task' : 'tasks';
+  const statusText = newStatus.charAt(0).toUpperCase() + newStatus.slice(1);
+
+  return (
+    <Html>
+      <Tailwind>
+        <head>
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={400}
+            fontStyle="normal"
+          />
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={500}
+            fontStyle="normal"
+          />
+        </head>
+        <Preview>
+          {`${taskCount} ${taskText} status changed to ${statusText}`}
+        </Preview>
+
+        <Body className="mx-auto my-auto bg-[#fff] font-sans">
+          <Container
+            className="mx-auto my-[40px] max-w-[600px] border-transparent p-[20px] md:border-[#E8E7E1]"
+            style={{ borderStyle: 'solid', borderWidth: 1 }}
+          >
+            <Logo />
+            <Heading className="mx-0 my-[30px] p-0 text-center text-[24px] font-normal text-[#121212]">
+              Task Status Updated
+            </Heading>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Hello {toName},
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              <strong>{changedByName}</strong> changed the status of{' '}
+              <strong>{taskCount} {taskText}</strong> to <strong>{statusText}</strong> in{' '}
+              <strong>{organizationName}</strong>.
+            </Text>
+
+            <Section className="mt-[32px] mb-[32px] text-center">
+              <Button
+                className="rounded-[3px] bg-[#121212] px-[20px] py-[12px] text-center text-[14px] font-semibold text-white no-underline"
+                href={tasksUrl}
+              >
+                View Tasks
+              </Button>
+            </Section>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              or copy and paste this URL into your browser:{' '}
+              <a href={tasksUrl} className="text-[#121212] underline">
+                {tasksUrl}
+              </a>
+            </Text>
+
+            <Section className="mt-[30px] mb-[20px]">
+              <Text className="text-[12px] leading-[20px] text-[#666666]">
+                Don't want to receive task assignment notifications?{' '}
+                <Link href={unsubscribeUrl} className="text-[#121212] underline">
+                  Manage your email preferences
+                </Link>
+                .
+              </Text>
+            </Section>
+
+            <br />
+
+            <Footer />
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default TaskBulkStatusChangedEmail;
diff --git a/apps/api/src/email/templates/task-status-changed.tsx b/apps/api/src/email/templates/task-status-changed.tsx
new file mode 100644
index 000000000..97be7cb29
--- /dev/null
+++ b/apps/api/src/email/templates/task-status-changed.tsx
@@ -0,0 +1,121 @@
+import * as React from 'react';
+import {
+  Body,
+  Button,
+  Container,
+  Font,
+  Heading,
+  Html,
+  Link,
+  Preview,
+  Section,
+  Tailwind,
+  Text,
+} from '@react-email/components';
+import { Footer } from '../components/footer';
+import { Logo } from '../components/logo';
+import { getUnsubscribeUrl } from '@trycompai/email';
+
+interface Props {
+  toName: string;
+  toEmail: string;
+  taskTitle: string;
+  oldStatus: string;
+  newStatus: string;
+  changedByName: string;
+  organizationName: string;
+  taskUrl: string;
+}
+
+export const TaskStatusChangedEmail = ({
+  toName,
+  toEmail,
+  taskTitle,
+  oldStatus,
+  newStatus,
+  changedByName,
+  organizationName,
+  taskUrl,
+}: Props) => {
+  const unsubscribeUrl = getUnsubscribeUrl(toEmail);
+  const oldStatusText = oldStatus.charAt(0).toUpperCase() + oldStatus.slice(1);
+  const newStatusText = newStatus.charAt(0).toUpperCase() + newStatus.slice(1);
+
+  return (
+    <Html>
+      <Tailwind>
+        <head>
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={400}
+            fontStyle="normal"
+          />
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={500}
+            fontStyle="normal"
+          />
+        </head>
+        <Preview>
+          {`Task "${taskTitle}" status changed from ${oldStatusText} to ${newStatusText}`}
+        </Preview>
+
+        <Body className="mx-auto my-auto bg-[#fff] font-sans">
+          <Container
+            className="mx-auto my-[40px] max-w-[600px] border-transparent p-[20px] md:border-[#E8E7E1]"
+            style={{ borderStyle: 'solid', borderWidth: 1 }}
+          >
+            <Logo />
+            <Heading className="mx-0 my-[30px] p-0 text-center text-[24px] font-normal text-[#121212]">
+              Task Status Updated
+            </Heading>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Hello {toName},
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              <strong>{changedByName}</strong> changed the status of task{' '}
+              <strong>"{taskTitle}"</strong> from <strong>{oldStatusText}</strong> to{' '}
+              <strong>{newStatusText}</strong> in <strong>{organizationName}</strong>.
+            </Text>
+
+            <Section className="mt-[32px] mb-[32px] text-center">
+              <Button
+                className="rounded-[3px] bg-[#121212] px-[20px] py-[12px] text-center text-[14px] font-semibold text-white no-underline"
+                href={taskUrl}
+              >
+                View Task
+              </Button>
+            </Section>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              or copy and paste this URL into your browser:{' '}
+              <a href={taskUrl} className="text-[#121212] underline">
+                {taskUrl}
+              </a>
+            </Text>
+
+            <Section className="mt-[30px] mb-[20px]">
+              <Text className="text-[12px] leading-[20px] text-[#666666]">
+                Don't want to receive task assignment notifications?{' '}
+                <Link href={unsubscribeUrl} className="text-[#121212] underline">
+                  Manage your email preferences
+                </Link>
+                .
+              </Text>
+            </Section>
+
+            <br />
+
+            <Footer />
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default TaskStatusChangedEmail;
diff --git a/apps/api/src/email/templates/training-completed.tsx b/apps/api/src/email/templates/training-completed.tsx
new file mode 100644
index 000000000..0b9da73a8
--- /dev/null
+++ b/apps/api/src/email/templates/training-completed.tsx
@@ -0,0 +1,112 @@
+import {
+  Body,
+  Container,
+  Font,
+  Heading,
+  Html,
+  Preview,
+  Section,
+  Tailwind,
+  Text,
+} from '@react-email/components';
+import { Footer } from '../components/footer';
+import { Logo } from '../components/logo';
+
+interface Props {
+  email: string;
+  userName: string;
+  organizationName: string;
+  completedAt: Date;
+}
+
+export const TrainingCompletedEmail = ({
+  email,
+  userName,
+  organizationName,
+  completedAt,
+}: Props) => {
+  const formattedDate = new Date(completedAt).toLocaleDateString('en-US', {
+    year: 'numeric',
+    month: 'long',
+    day: 'numeric',
+  });
+
+  return (
+    <Html>
+      <Tailwind>
+        <head>
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={400}
+            fontStyle="normal"
+          />
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={500}
+            fontStyle="normal"
+          />
+        </head>
+        <Preview>
+          Congratulations! You've completed your Security Awareness Training
+        </Preview>
+
+        <Body className="mx-auto my-auto bg-[#fff] font-sans">
+          <Container
+            className="mx-auto my-[40px] max-w-[600px] border-transparent p-[20px] md:border-[#E8E7E1]"
+            style={{ borderStyle: 'solid', borderWidth: 1 }}
+          >
+            <Logo />
+            <Heading className="mx-0 my-[30px] p-0 text-center text-[24px] font-normal text-[#121212]">
+              Training Complete!
+            </Heading>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Hi {userName},
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Congratulations! You have successfully completed all Security
+              Awareness Training modules for <strong>{organizationName}</strong>
+              .
+            </Text>
+
+            <Section
+              className="mt-[24px] mb-[24px] rounded-[8px] p-[24px] text-center"
+              style={{ backgroundColor: '#f0fdf4', border: '1px solid #bbf7d0' }}
+            >
+              <Text className="m-0 text-[16px] font-medium text-[#166534]">
+                Completion Date: {formattedDate}
+              </Text>
+            </Section>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Your training completion certificate is attached to this email.
+              Please save it for your records.
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Thank you for your commitment to maintaining security awareness
+              and helping protect {organizationName}.
+            </Text>
+
+            <br />
+            <Section>
+              <Text className="text-[12px] leading-[24px] text-[#666666]">
+                This notification was intended for{' '}
+                <span className="text-[#121212]">{email}</span>.
+              </Text>
+            </Section>
+
+            <br />
+
+            <Footer />
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default TrainingCompletedEmail;
diff --git a/apps/api/src/finding-template/dto/create-finding-template.dto.ts b/apps/api/src/finding-template/dto/create-finding-template.dto.ts
new file mode 100644
index 000000000..82d6cb740
--- /dev/null
+++ b/apps/api/src/finding-template/dto/create-finding-template.dto.ts
@@ -0,0 +1,39 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, IsNotEmpty, IsInt, IsOptional, Min } from 'class-validator';
+
+export class CreateFindingTemplateDto {
+  @ApiProperty({
+    description: 'Category of the finding template',
+    example: 'evidence_issue',
+  })
+  @IsString()
+  @IsNotEmpty()
+  category: string;
+
+  @ApiProperty({
+    description: 'Short title of the finding template',
+    example: 'Issue with uploaded evidence',
+  })
+  @IsString()
+  @IsNotEmpty()
+  title: string;
+
+  @ApiProperty({
+    description: 'Full message content of the finding template',
+    example:
+      'The uploaded evidence does not clearly show the Organization Name or URL. Please provide a screenshot showing the context.',
+  })
+  @IsString()
+  @IsNotEmpty()
+  content: string;
+
+  @ApiProperty({
+    description: 'Display order for the template',
+    example: 0,
+    required: false,
+  })
+  @IsInt()
+  @Min(0)
+  @IsOptional()
+  order?: number;
+}
diff --git a/apps/api/src/finding-template/dto/update-finding-template.dto.ts b/apps/api/src/finding-template/dto/update-finding-template.dto.ts
new file mode 100644
index 000000000..40083ddde
--- /dev/null
+++ b/apps/api/src/finding-template/dto/update-finding-template.dto.ts
@@ -0,0 +1,6 @@
+import { PartialType } from '@nestjs/swagger';
+import { CreateFindingTemplateDto } from './create-finding-template.dto';
+
+export class UpdateFindingTemplateDto extends PartialType(
+  CreateFindingTemplateDto,
+) {}
diff --git a/apps/api/src/finding-template/finding-template.controller.ts b/apps/api/src/finding-template/finding-template.controller.ts
new file mode 100644
index 000000000..72e2b1649
--- /dev/null
+++ b/apps/api/src/finding-template/finding-template.controller.ts
@@ -0,0 +1,191 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Patch,
+  Delete,
+  Body,
+  Param,
+  UseGuards,
+  UsePipes,
+  ValidationPipe,
+} from '@nestjs/common';
+import {
+  ApiBody,
+  ApiOperation,
+  ApiParam,
+  ApiResponse,
+  ApiTags,
+} from '@nestjs/swagger';
+import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
+import { PlatformAdminGuard } from '../auth/platform-admin.guard';
+import { FindingTemplateService } from './finding-template.service';
+import { CreateFindingTemplateDto } from './dto/create-finding-template.dto';
+import { UpdateFindingTemplateDto } from './dto/update-finding-template.dto';
+import { ValidateFindingTemplateIdPipe } from './pipes/validate-id.pipe';
+
+@ApiTags('Finding Templates')
+@Controller({ path: 'finding-template', version: '1' })
+export class FindingTemplateController {
+  constructor(
+    private readonly findingTemplateService: FindingTemplateService,
+  ) {}
+
+  @Get()
+  @UseGuards(HybridAuthGuard)
+  @ApiOperation({
+    summary: 'Get all finding templates',
+    description: 'Retrieve all finding templates ordered by category and order',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'List of all finding templates',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  async getAllFindingTemplates() {
+    return await this.findingTemplateService.findAll();
+  }
+
+  @Get(':id')
+  @UseGuards(HybridAuthGuard)
+  @ApiOperation({
+    summary: 'Get finding template by ID',
+    description: 'Retrieve a specific finding template by its ID',
+  })
+  @ApiParam({
+    name: 'id',
+    description: 'Finding template ID',
+    example: 'fnd_t_abc123',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'The finding template',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Finding template not found',
+  })
+  async getFindingTemplateById(
+    @Param('id', ValidateFindingTemplateIdPipe) id: string,
+  ) {
+    return await this.findingTemplateService.findById(id);
+  }
+
+  @Post()
+  @UseGuards(PlatformAdminGuard)
+  @ApiOperation({
+    summary: 'Create a finding template',
+    description: 'Create a new finding template (Platform Admin only)',
+  })
+  @ApiBody({
+    type: CreateFindingTemplateDto,
+    description: 'Finding template data',
+  })
+  @ApiResponse({
+    status: 201,
+    description: 'The created finding template',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 403,
+    description: 'Forbidden - Platform admin required',
+  })
+  @UsePipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+    }),
+  )
+  async createFindingTemplate(@Body() createDto: CreateFindingTemplateDto) {
+    return await this.findingTemplateService.create(createDto);
+  }
+
+  @Patch(':id')
+  @UseGuards(PlatformAdminGuard)
+  @ApiOperation({
+    summary: 'Update a finding template',
+    description: 'Update an existing finding template (Platform Admin only)',
+  })
+  @ApiParam({
+    name: 'id',
+    description: 'Finding template ID',
+    example: 'fnd_t_abc123',
+  })
+  @ApiBody({
+    type: UpdateFindingTemplateDto,
+    description: 'Finding template update data',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'The updated finding template',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 403,
+    description: 'Forbidden - Platform admin required',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Finding template not found',
+  })
+  @UsePipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+    }),
+  )
+  async updateFindingTemplate(
+    @Param('id', ValidateFindingTemplateIdPipe) id: string,
+    @Body() updateDto: UpdateFindingTemplateDto,
+  ) {
+    return await this.findingTemplateService.updateById(id, updateDto);
+  }
+
+  @Delete(':id')
+  @UseGuards(PlatformAdminGuard)
+  @ApiOperation({
+    summary: 'Delete a finding template',
+    description: 'Delete a finding template (Platform Admin only)',
+  })
+  @ApiParam({
+    name: 'id',
+    description: 'Finding template ID',
+    example: 'fnd_t_abc123',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'Finding template deleted successfully',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 403,
+    description: 'Forbidden - Platform admin required',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Finding template not found',
+  })
+  async deleteFindingTemplate(
+    @Param('id', ValidateFindingTemplateIdPipe) id: string,
+  ) {
+    return await this.findingTemplateService.deleteById(id);
+  }
+}
diff --git a/apps/api/src/finding-template/finding-template.module.ts b/apps/api/src/finding-template/finding-template.module.ts
new file mode 100644
index 000000000..1914442bf
--- /dev/null
+++ b/apps/api/src/finding-template/finding-template.module.ts
@@ -0,0 +1,12 @@
+import { Module } from '@nestjs/common';
+import { AuthModule } from '../auth/auth.module';
+import { FindingTemplateController } from './finding-template.controller';
+import { FindingTemplateService } from './finding-template.service';
+
+@Module({
+  imports: [AuthModule],
+  controllers: [FindingTemplateController],
+  providers: [FindingTemplateService],
+  exports: [FindingTemplateService],
+})
+export class FindingTemplateModule {}
diff --git a/apps/api/src/finding-template/finding-template.service.ts b/apps/api/src/finding-template/finding-template.service.ts
new file mode 100644
index 000000000..2d3f8264c
--- /dev/null
+++ b/apps/api/src/finding-template/finding-template.service.ts
@@ -0,0 +1,118 @@
+import { Injectable, NotFoundException, Logger } from '@nestjs/common';
+import { db } from '@trycompai/db';
+import { CreateFindingTemplateDto } from './dto/create-finding-template.dto';
+import { UpdateFindingTemplateDto } from './dto/update-finding-template.dto';
+
+@Injectable()
+export class FindingTemplateService {
+  private readonly logger = new Logger(FindingTemplateService.name);
+
+  async findAll() {
+    try {
+      const templates = await db.findingTemplate.findMany({
+        orderBy: [{ category: 'asc' }, { order: 'asc' }, { title: 'asc' }],
+      });
+
+      this.logger.log(`Retrieved ${templates.length} finding templates`);
+      return templates;
+    } catch (error) {
+      this.logger.error('Failed to retrieve finding templates:', error);
+      throw error;
+    }
+  }
+
+  async findById(id: string) {
+    try {
+      const template = await db.findingTemplate.findUnique({
+        where: { id },
+      });
+
+      if (!template) {
+        throw new NotFoundException(`Finding template with ID ${id} not found`);
+      }
+
+      this.logger.log(
+        `Retrieved finding template: ${template.title} (${id})`,
+      );
+      return template;
+    } catch (error) {
+      if (error instanceof NotFoundException) {
+        throw error;
+      }
+      this.logger.error(`Failed to retrieve finding template ${id}:`, error);
+      throw error;
+    }
+  }
+
+  async create(createDto: CreateFindingTemplateDto) {
+    try {
+      const template = await db.findingTemplate.create({
+        data: {
+          category: createDto.category,
+          title: createDto.title,
+          content: createDto.content,
+          order: createDto.order ?? 0,
+        },
+      });
+
+      this.logger.log(
+        `Created finding template: ${template.title} (${template.id})`,
+      );
+      return template;
+    } catch (error) {
+      this.logger.error('Failed to create finding template:', error);
+      throw error;
+    }
+  }
+
+  async updateById(id: string, updateDto: UpdateFindingTemplateDto) {
+    try {
+      // First check if the template exists
+      await this.findById(id);
+
+      const updatedTemplate = await db.findingTemplate.update({
+        where: { id },
+        data: updateDto,
+      });
+
+      this.logger.log(
+        `Updated finding template: ${updatedTemplate.title} (${id})`,
+      );
+      return updatedTemplate;
+    } catch (error) {
+      if (error instanceof NotFoundException) {
+        throw error;
+      }
+      this.logger.error(`Failed to update finding template ${id}:`, error);
+      throw error;
+    }
+  }
+
+  async deleteById(id: string) {
+    try {
+      // First check if the template exists
+      const existingTemplate = await this.findById(id);
+
+      await db.findingTemplate.delete({
+        where: { id },
+      });
+
+      this.logger.log(
+        `Deleted finding template: ${existingTemplate.title} (${id})`,
+      );
+      return {
+        message: 'Finding template deleted successfully',
+        deletedTemplate: {
+          id: existingTemplate.id,
+          title: existingTemplate.title,
+        },
+      };
+    } catch (error) {
+      if (error instanceof NotFoundException) {
+        throw error;
+      }
+      this.logger.error(`Failed to delete finding template ${id}:`, error);
+      throw error;
+    }
+  }
+}
diff --git a/apps/api/src/finding-template/index.ts b/apps/api/src/finding-template/index.ts
new file mode 100644
index 000000000..039114969
--- /dev/null
+++ b/apps/api/src/finding-template/index.ts
@@ -0,0 +1,5 @@
+export * from './finding-template.module';
+export * from './finding-template.service';
+export * from './finding-template.controller';
+export * from './dto/create-finding-template.dto';
+export * from './dto/update-finding-template.dto';
diff --git a/apps/api/src/finding-template/pipes/validate-id.pipe.ts b/apps/api/src/finding-template/pipes/validate-id.pipe.ts
new file mode 100644
index 000000000..768f46759
--- /dev/null
+++ b/apps/api/src/finding-template/pipes/validate-id.pipe.ts
@@ -0,0 +1,18 @@
+import { PipeTransform, Injectable, BadRequestException } from '@nestjs/common';
+
+@Injectable()
+export class ValidateFindingTemplateIdPipe implements PipeTransform {
+  transform(value: string): string {
+    // Finding template IDs should match the pattern: fnd_t_[alphanumeric with underscores]
+    // Examples: fnd_t_abc123, fnd_t_evidence_issue_01
+    const findingTemplateIdPattern = /^fnd_t_[a-z0-9_]+$/;
+
+    if (!findingTemplateIdPattern.test(value)) {
+      throw new BadRequestException(
+        `Invalid finding template ID format. Expected format: fnd_t_[alphanumeric_with_underscores]`,
+      );
+    }
+
+    return value;
+  }
+}
diff --git a/apps/api/src/findings/dto/create-finding.dto.ts b/apps/api/src/findings/dto/create-finding.dto.ts
new file mode 100644
index 000000000..ada5d1ee9
--- /dev/null
+++ b/apps/api/src/findings/dto/create-finding.dto.ts
@@ -0,0 +1,48 @@
+import { ApiProperty } from '@nestjs/swagger';
+import {
+  IsString,
+  IsNotEmpty,
+  IsEnum,
+  IsOptional,
+  MaxLength,
+} from 'class-validator';
+import { FindingType } from '@trycompai/db';
+
+export class CreateFindingDto {
+  @ApiProperty({
+    description: 'Task ID this finding is associated with',
+    example: 'tsk_abc123',
+  })
+  @IsString()
+  @IsNotEmpty()
+  taskId: string;
+
+  @ApiProperty({
+    description: 'Type of finding (SOC 2 or ISO 27001)',
+    enum: FindingType,
+    default: FindingType.soc2,
+  })
+  @IsEnum(FindingType)
+  @IsOptional()
+  type?: FindingType;
+
+  @ApiProperty({
+    description: 'Finding template ID (optional)',
+    example: 'fnd_t_abc123',
+    required: false,
+  })
+  @IsString()
+  @IsOptional()
+  templateId?: string;
+
+  @ApiProperty({
+    description: 'Finding content/message',
+    example:
+      'The uploaded evidence does not clearly show the Organization Name or URL.',
+    maxLength: 5000,
+  })
+  @IsString()
+  @IsNotEmpty()
+  @MaxLength(5000)
+  content: string;
+}
diff --git a/apps/api/src/findings/dto/update-finding.dto.ts b/apps/api/src/findings/dto/update-finding.dto.ts
new file mode 100644
index 000000000..7c0ade1b7
--- /dev/null
+++ b/apps/api/src/findings/dto/update-finding.dto.ts
@@ -0,0 +1,42 @@
+import { ApiProperty } from '@nestjs/swagger';
+import {
+  IsString,
+  IsEnum,
+  IsOptional,
+  IsNotEmpty,
+  MaxLength,
+} from 'class-validator';
+import { FindingStatus, FindingType } from '@trycompai/db';
+
+export class UpdateFindingDto {
+  @ApiProperty({
+    description: 'Finding status',
+    enum: FindingStatus,
+    required: false,
+  })
+  @IsEnum(FindingStatus)
+  @IsOptional()
+  status?: FindingStatus;
+
+  @ApiProperty({
+    description: 'Type of finding (SOC 2 or ISO 27001)',
+    enum: FindingType,
+    required: false,
+  })
+  @IsEnum(FindingType)
+  @IsOptional()
+  type?: FindingType;
+
+  @ApiProperty({
+    description: 'Finding content/message',
+    example:
+      'The uploaded evidence does not clearly show the Organization Name or URL.',
+    maxLength: 5000,
+    required: false,
+  })
+  @IsString()
+  @IsOptional()
+  @IsNotEmpty({ message: 'Content cannot be empty if provided' })
+  @MaxLength(5000)
+  content?: string;
+}
diff --git a/apps/api/src/findings/finding-audit.service.ts b/apps/api/src/findings/finding-audit.service.ts
new file mode 100644
index 000000000..d7698cead
--- /dev/null
+++ b/apps/api/src/findings/finding-audit.service.ts
@@ -0,0 +1,226 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { db, FindingStatus, FindingType } from '@db';
+
+export interface FindingAuditParams {
+  findingId: string;
+  organizationId: string;
+  userId: string;
+  memberId: string;
+}
+
+@Injectable()
+export class FindingAuditService {
+  private readonly logger = new Logger(FindingAuditService.name);
+
+  /**
+   * Log finding creation
+   */
+  async logFindingCreated(
+    params: FindingAuditParams & {
+      taskId: string;
+      taskTitle: string;
+      content: string;
+      type: FindingType;
+    },
+  ): Promise<void> {
+    try {
+      await db.auditLog.create({
+        data: {
+          organizationId: params.organizationId,
+          userId: params.userId,
+          memberId: params.memberId,
+          entityType: 'finding',
+          entityId: params.findingId,
+          description: 'created this finding',
+          data: {
+            action: 'created',
+            findingId: params.findingId,
+            taskId: params.taskId,
+            taskTitle: params.taskTitle,
+            content: params.content,
+            type: params.type,
+            status: FindingStatus.open,
+          },
+        },
+      });
+    } catch (error) {
+      this.logger.error('Failed to log finding creation:', error);
+      // Don't throw - audit log failures should not block operations
+    }
+  }
+
+  /**
+   * Log finding status change
+   */
+  async logFindingStatusChanged(
+    params: FindingAuditParams & {
+      previousStatus: FindingStatus;
+      newStatus: FindingStatus;
+    },
+  ): Promise<void> {
+    try {
+      await db.auditLog.create({
+        data: {
+          organizationId: params.organizationId,
+          userId: params.userId,
+          memberId: params.memberId,
+          entityType: 'finding',
+          entityId: params.findingId,
+          description: `changed status from ${this.formatStatus(params.previousStatus)} to ${this.formatStatus(params.newStatus)}`,
+          data: {
+            action: 'status_changed',
+            findingId: params.findingId,
+            previousStatus: params.previousStatus,
+            newStatus: params.newStatus,
+          },
+        },
+      });
+    } catch (error) {
+      this.logger.error('Failed to log finding status change:', error);
+    }
+  }
+
+  /**
+   * Log finding content update
+   */
+  async logFindingContentUpdated(
+    params: FindingAuditParams & {
+      previousContent: string;
+      newContent: string;
+    },
+  ): Promise<void> {
+    try {
+      await db.auditLog.create({
+        data: {
+          organizationId: params.organizationId,
+          userId: params.userId,
+          memberId: params.memberId,
+          entityType: 'finding',
+          entityId: params.findingId,
+          description: 'updated the finding content',
+          data: {
+            action: 'content_updated',
+            findingId: params.findingId,
+            previousContent: params.previousContent,
+            newContent: params.newContent,
+          },
+        },
+      });
+    } catch (error) {
+      this.logger.error('Failed to log finding content update:', error);
+    }
+  }
+
+  /**
+   * Log finding type change
+   */
+  async logFindingTypeChanged(
+    params: FindingAuditParams & {
+      previousType: FindingType;
+      newType: FindingType;
+    },
+  ): Promise<void> {
+    try {
+      await db.auditLog.create({
+        data: {
+          organizationId: params.organizationId,
+          userId: params.userId,
+          memberId: params.memberId,
+          entityType: 'finding',
+          entityId: params.findingId,
+          description: `changed type from ${this.formatType(params.previousType)} to ${this.formatType(params.newType)}`,
+          data: {
+            action: 'type_changed',
+            findingId: params.findingId,
+            previousType: params.previousType,
+            newType: params.newType,
+          },
+        },
+      });
+    } catch (error) {
+      this.logger.error('Failed to log finding type change:', error);
+    }
+  }
+
+  /**
+   * Log finding deletion
+   */
+  async logFindingDeleted(
+    params: FindingAuditParams & {
+      taskId: string;
+      taskTitle: string;
+      content: string;
+    },
+  ): Promise<void> {
+    try {
+      await db.auditLog.create({
+        data: {
+          organizationId: params.organizationId,
+          userId: params.userId,
+          memberId: params.memberId,
+          entityType: 'finding',
+          entityId: params.findingId,
+          description: 'deleted this finding',
+          data: {
+            action: 'deleted',
+            findingId: params.findingId,
+            taskId: params.taskId,
+            taskTitle: params.taskTitle,
+            content: params.content,
+          },
+        },
+      });
+    } catch (error) {
+      this.logger.error('Failed to log finding deletion:', error);
+    }
+  }
+
+  /**
+   * Get activity logs for a finding
+   */
+  async getFindingActivity(findingId: string, organizationId: string) {
+    try {
+      return await db.auditLog.findMany({
+        where: {
+          organizationId,
+          entityType: 'finding',
+          entityId: findingId,
+        },
+        include: {
+          user: {
+            select: {
+              id: true,
+              name: true,
+              email: true,
+              image: true,
+            },
+          },
+        },
+        orderBy: {
+          timestamp: 'desc', // Newest first
+        },
+      });
+    } catch (error) {
+      this.logger.error('Failed to fetch finding activity:', error);
+      return [];
+    }
+  }
+
+  private formatStatus(status: FindingStatus): string {
+    const labels: Record<FindingStatus, string> = {
+      [FindingStatus.open]: 'Open',
+      [FindingStatus.ready_for_review]: 'Ready for Review',
+      [FindingStatus.needs_revision]: 'Needs Revision',
+      [FindingStatus.closed]: 'Closed',
+    };
+    return labels[status] || status;
+  }
+
+  private formatType(type: FindingType): string {
+    const labels: Record<FindingType, string> = {
+      [FindingType.soc2]: 'SOC 2',
+      [FindingType.iso27001]: 'ISO 27001',
+    };
+    return labels[type] || type;
+  }
+}
diff --git a/apps/api/src/findings/finding-notifier.service.ts b/apps/api/src/findings/finding-notifier.service.ts
new file mode 100644
index 000000000..361099b0c
--- /dev/null
+++ b/apps/api/src/findings/finding-notifier.service.ts
@@ -0,0 +1,584 @@
+import { db, FindingStatus, FindingType } from '@db';
+import { Injectable, Logger } from '@nestjs/common';
+import { isUserUnsubscribed } from '@trycompai/email';
+import { sendEmail } from '../email/resend';
+import { FindingNotificationEmail } from '../email/templates/finding-notification';
+import { NovuService } from '../notifications/novu.service';
+
+// ============================================================================
+// Constants
+// ============================================================================
+
+const FINDING_WORKFLOW_ID = 'finding-notification';
+const EMAIL_CONTENT_MAX_LENGTH = 200;
+const NOVU_CONTENT_MAX_LENGTH = 100;
+
+// ============================================================================
+// Types
+// ============================================================================
+
+type FindingAction = 'created' | 'ready_for_review' | 'needs_revision' | 'closed';
+
+interface Recipient {
+  userId: string;
+  email: string;
+  name: string;
+}
+
+interface NotificationParams {
+  organizationId: string;
+  findingId: string;
+  taskId: string;
+  taskTitle: string;
+  findingContent: string;
+  findingType: FindingType;
+  actorUserId: string;
+  actorName: string;
+}
+
+interface SendNotificationParams extends NotificationParams {
+  action: FindingAction;
+  recipients: Recipient[];
+  subject: string;
+  heading: string;
+  message: string;
+  newStatus?: FindingStatus;
+}
+
+// ============================================================================
+// Label Maps
+// ============================================================================
+
+const STATUS_LABELS: Record<FindingStatus, string> = {
+  [FindingStatus.open]: 'Open',
+  [FindingStatus.ready_for_review]: 'Ready for Review',
+  [FindingStatus.needs_revision]: 'Needs Revision',
+  [FindingStatus.closed]: 'Closed',
+};
+
+const TYPE_LABELS: Record<FindingType, string> = {
+  [FindingType.soc2]: 'SOC 2',
+  [FindingType.iso27001]: 'ISO 27001',
+};
+
+// ============================================================================
+// Helper Functions
+// ============================================================================
+
+function truncateContent(content: string, maxLength: number): string {
+  if (content.length <= maxLength) {
+    return content;
+  }
+  return `${content.substring(0, maxLength)}...`;
+}
+
+function getAppUrl(): string {
+  return (
+    process.env.NEXT_PUBLIC_APP_URL ??
+    process.env.BETTER_AUTH_URL ??
+    'https://app.trycomp.ai'
+  );
+}
+
+// ============================================================================
+// Service
+// ============================================================================
+
+@Injectable()
+export class FindingNotifierService {
+  private readonly logger = new Logger(FindingNotifierService.name);
+
+  constructor(private readonly novuService: NovuService) {}
+
+  // ==========================================================================
+  // Public Methods - Notification Triggers
+  // ==========================================================================
+
+  /**
+   * Notify when a new finding is created.
+   * Recipients: Task assignee + Organization admins/owners
+   */
+  async notifyFindingCreated(params: NotificationParams): Promise<void> {
+    const { organizationId, taskId, taskTitle, findingType, actorUserId, actorName } = params;
+
+    const recipients = await this.getTaskAssigneeAndAdmins(organizationId, taskId, actorUserId);
+
+    if (recipients.length === 0) {
+      this.logger.log('No recipients for finding created notification');
+      return;
+    }
+
+    await this.sendNotifications({
+      ...params,
+      action: 'created',
+      recipients,
+      subject: `New finding on task: ${taskTitle}`,
+      heading: 'New Finding Created',
+      message: `${actorName} created a new ${TYPE_LABELS[findingType]} finding on the task "${taskTitle}".`,
+    });
+  }
+
+  /**
+   * Notify when status changes to Ready for Review.
+   * Recipients: Finding creator (the auditor who raised it)
+   */
+  async notifyReadyForReview(
+    params: NotificationParams & { findingCreatorMemberId: string },
+  ): Promise<void> {
+    const { findingId, taskTitle, actorUserId, actorName, findingCreatorMemberId } = params;
+
+    this.logger.log(
+      `[notifyReadyForReview] Finding ${findingId}: Looking for creator (memberId: ${findingCreatorMemberId}), excluding actor (userId: ${actorUserId})`,
+    );
+
+    const recipients = await this.getFindingCreator(findingCreatorMemberId, actorUserId);
+
+    if (recipients.length === 0) {
+      this.logger.warn(
+        `[notifyReadyForReview] Finding ${findingId}: No recipients found. Creator memberId: ${findingCreatorMemberId}, Actor userId: ${actorUserId}`,
+      );
+      return;
+    }
+
+    this.logger.log(
+      `[notifyReadyForReview] Finding ${findingId}: Sending to ${recipients.length} recipient(s): ${recipients.map((r) => r.email).join(', ')}`,
+    );
+
+    await this.sendNotifications({
+      ...params,
+      action: 'ready_for_review',
+      recipients,
+      subject: `Finding ready for review: ${taskTitle}`,
+      heading: 'Finding Ready for Review',
+      message: `${actorName} marked a finding on "${taskTitle}" as ready for your review.`,
+      newStatus: FindingStatus.ready_for_review,
+    });
+  }
+
+  /**
+   * Notify when status changes to Needs Revision.
+   * Recipients: Task assignee + Organization admins/owners
+   */
+  async notifyNeedsRevision(params: NotificationParams): Promise<void> {
+    const { organizationId, taskId, taskTitle, actorUserId, actorName } = params;
+
+    const recipients = await this.getTaskAssigneeAndAdmins(organizationId, taskId, actorUserId);
+
+    if (recipients.length === 0) {
+      this.logger.log('No recipients for needs revision notification');
+      return;
+    }
+
+    await this.sendNotifications({
+      ...params,
+      action: 'needs_revision',
+      recipients,
+      subject: `Finding needs revision: ${taskTitle}`,
+      heading: 'Finding Needs Revision',
+      message: `${actorName} reviewed a finding on "${taskTitle}" and marked it as needing revision.`,
+      newStatus: FindingStatus.needs_revision,
+    });
+  }
+
+  /**
+   * Notify when finding is closed.
+   * Recipients: Task assignee + Organization admins/owners
+   */
+  async notifyFindingClosed(params: NotificationParams): Promise<void> {
+    const { organizationId, taskId, taskTitle, actorUserId, actorName } = params;
+
+    const recipients = await this.getTaskAssigneeAndAdmins(organizationId, taskId, actorUserId);
+
+    if (recipients.length === 0) {
+      this.logger.log('No recipients for finding closed notification');
+      return;
+    }
+
+    await this.sendNotifications({
+      ...params,
+      action: 'closed',
+      recipients,
+      subject: `Finding closed: ${taskTitle}`,
+      heading: 'Finding Closed',
+      message: `${actorName} closed a finding on "${taskTitle}". The issue has been resolved.`,
+      newStatus: FindingStatus.closed,
+    });
+  }
+
+  // ==========================================================================
+  // Private Methods - Core Logic
+  // ==========================================================================
+
+  /**
+   * Send notifications to all recipients via email and in-app (Novu).
+   * Failures are logged but don't throw - fire-and-forget pattern.
+   */
+  private async sendNotifications(params: SendNotificationParams): Promise<void> {
+    const {
+      organizationId,
+      findingId,
+      taskId,
+      taskTitle,
+      findingContent,
+      findingType,
+      action,
+      recipients,
+      subject,
+      heading,
+      message,
+      newStatus,
+    } = params;
+
+    // Fetch organization name
+    const organization = await db.organization.findUnique({
+      where: { id: organizationId },
+      select: { name: true },
+    });
+    const organizationName = organization?.name ?? 'your organization';
+
+    const findingUrl = `${getAppUrl()}/${organizationId}/tasks/${taskId}`;
+    const typeLabel = TYPE_LABELS[findingType];
+    const statusLabel = newStatus ? STATUS_LABELS[newStatus] : undefined;
+
+    // Process each recipient
+    await Promise.allSettled(
+      recipients.map((recipient) =>
+        this.sendToRecipient({
+          recipient,
+          organizationId,
+          organizationName,
+          findingId,
+          taskId,
+          taskTitle,
+          findingContent,
+          findingType: typeLabel,
+          action,
+          subject,
+          heading,
+          message,
+          newStatus: statusLabel,
+          findingUrl,
+        }),
+      ),
+    );
+  }
+
+  /**
+   * Send email and in-app notification to a single recipient.
+   */
+  private async sendToRecipient(params: {
+    recipient: Recipient;
+    organizationId: string;
+    organizationName: string;
+    findingId: string;
+    taskId: string;
+    taskTitle: string;
+    findingContent: string;
+    findingType: string;
+    action: FindingAction;
+    subject: string;
+    heading: string;
+    message: string;
+    newStatus?: string;
+    findingUrl: string;
+  }): Promise<void> {
+    const {
+      recipient,
+      organizationId,
+      organizationName,
+      findingId,
+      taskId,
+      taskTitle,
+      findingContent,
+      findingType,
+      action,
+      subject,
+      heading,
+      message,
+      newStatus,
+      findingUrl,
+    } = params;
+
+    try {
+      // Check unsubscribe preferences
+      const isUnsubscribed = await isUserUnsubscribed(db, recipient.email, 'findingNotifications');
+
+      if (isUnsubscribed) {
+        this.logger.log(`Skipping notification: ${recipient.email} is unsubscribed`);
+        return;
+      }
+
+      this.logger.log(`Sending ${action} notification to ${recipient.email}`);
+
+      // Send email and in-app notifications in parallel
+      await Promise.allSettled([
+        this.sendEmailNotification({
+          recipient,
+          subject,
+          heading,
+          message,
+          taskTitle,
+          organizationName,
+          findingType,
+          findingContent: truncateContent(findingContent, EMAIL_CONTENT_MAX_LENGTH),
+          newStatus,
+          findingUrl,
+        }),
+        this.sendInAppNotification({
+          recipient,
+          organizationId,
+          organizationName,
+          findingId,
+          taskId,
+          taskTitle,
+          findingType,
+          findingContent: truncateContent(findingContent, NOVU_CONTENT_MAX_LENGTH),
+          action,
+          heading,
+          message,
+          newStatus,
+          findingUrl,
+        }),
+      ]);
+    } catch (error) {
+      this.logger.error(
+        `Failed to send notification to ${recipient.email}:`,
+        error instanceof Error ? error.message : 'Unknown error',
+      );
+    }
+  }
+
+  /**
+   * Send email notification via Resend.
+   */
+  private async sendEmailNotification(params: {
+    recipient: Recipient;
+    subject: string;
+    heading: string;
+    message: string;
+    taskTitle: string;
+    organizationName: string;
+    findingType: string;
+    findingContent: string;
+    newStatus?: string;
+    findingUrl: string;
+  }): Promise<void> {
+    const {
+      recipient,
+      subject,
+      heading,
+      message,
+      taskTitle,
+      organizationName,
+      findingType,
+      findingContent,
+      newStatus,
+      findingUrl,
+    } = params;
+
+    try {
+      const { id } = await sendEmail({
+        to: recipient.email,
+        subject,
+        react: FindingNotificationEmail({
+          toName: recipient.name,
+          toEmail: recipient.email,
+          heading,
+          message,
+          taskTitle,
+          organizationName,
+          findingType,
+          findingContent,
+          newStatus,
+          findingUrl,
+        }),
+        system: true,
+      });
+
+      this.logger.log(`Email sent to ${recipient.email} (ID: ${id})`);
+    } catch (error) {
+      this.logger.error(
+        `Failed to send email to ${recipient.email}:`,
+        error instanceof Error ? error.message : 'Unknown error',
+      );
+    }
+  }
+
+  /**
+   * Send in-app notification via Novu.
+   */
+  private async sendInAppNotification(params: {
+    recipient: Recipient;
+    organizationId: string;
+    organizationName: string;
+    findingId: string;
+    taskId: string;
+    taskTitle: string;
+    findingType: string;
+    findingContent: string;
+    action: FindingAction;
+    heading: string;
+    message: string;
+    newStatus?: string;
+    findingUrl: string;
+  }): Promise<void> {
+    const {
+      recipient,
+      organizationId,
+      organizationName,
+      findingId,
+      taskId,
+      taskTitle,
+      findingType,
+      findingContent,
+      action,
+      heading,
+      message,
+      newStatus,
+      findingUrl,
+    } = params;
+
+    try {
+      await this.novuService.trigger({
+        workflowId: FINDING_WORKFLOW_ID,
+        subscriberId: `${recipient.userId}-${organizationId}`,
+        email: recipient.email,
+        payload: {
+          action,
+          heading,
+          message,
+          findingId,
+          taskId,
+          taskTitle,
+          organizationName,
+          findingType,
+          findingContent,
+          newStatus,
+          organizationId,
+          findingUrl,
+        },
+      });
+
+      this.logger.log(`[NOVU] In-app notification sent to ${recipient.userId}`);
+    } catch (error) {
+      this.logger.error(
+        `[NOVU] Failed to send to ${recipient.userId}:`,
+        error instanceof Error ? error.message : 'Unknown error',
+      );
+    }
+  }
+
+  // ==========================================================================
+  // Private Methods - Recipient Resolution
+  // ==========================================================================
+
+  /**
+   * Get task assignee and organization admins/owners as recipients.
+   * Excludes the actor (person who triggered the action).
+   */
+  private async getTaskAssigneeAndAdmins(
+    organizationId: string,
+    taskId: string,
+    excludeUserId: string,
+  ): Promise<Recipient[]> {
+    try {
+      // Fetch task assignee and org members in parallel
+      const [task, allMembers] = await Promise.all([
+        db.task.findUnique({
+          where: { id: taskId },
+          select: {
+            assignee: {
+              select: {
+                user: { select: { id: true, email: true, name: true } },
+              },
+            },
+          },
+        }),
+        db.member.findMany({
+          where: {
+            organizationId,
+            deactivated: false,
+          },
+          select: {
+            role: true,
+            user: { select: { id: true, email: true, name: true } },
+          },
+        }),
+      ]);
+
+      // Filter for admins/owners (roles can be comma-separated, e.g., "admin,auditor")
+      const adminMembers = allMembers.filter(
+        (member) => member.role.includes('admin') || member.role.includes('owner'),
+      );
+
+      const recipients: Recipient[] = [];
+      const addedUserIds = new Set<string>();
+
+      // Add task assignee
+      const assigneeUser = task?.assignee?.user;
+      if (assigneeUser && assigneeUser.id !== excludeUserId && assigneeUser.email) {
+        recipients.push({
+          userId: assigneeUser.id,
+          email: assigneeUser.email,
+          name: assigneeUser.name || assigneeUser.email,
+        });
+        addedUserIds.add(assigneeUser.id);
+      }
+
+      // Add org admins/owners (deduplicated)
+      for (const member of adminMembers) {
+        const user = member.user;
+        if (user.id !== excludeUserId && user.email && !addedUserIds.has(user.id)) {
+          recipients.push({
+            userId: user.id,
+            email: user.email,
+            name: user.name || user.email,
+          });
+          addedUserIds.add(user.id);
+        }
+      }
+
+      return recipients;
+    } catch (error) {
+      this.logger.error(
+        'Failed to get task assignee and admins:',
+        error instanceof Error ? error.message : 'Unknown error',
+      );
+      return [];
+    }
+  }
+
+  /**
+   * Get the finding creator as recipient (for Ready for Review notifications).
+   * Excludes the actor (person who triggered the action).
+   */
+  private async getFindingCreator(creatorMemberId: string, excludeUserId: string): Promise<Recipient[]> {
+    try {
+      const member = await db.member.findUnique({
+        where: { id: creatorMemberId },
+        select: {
+          user: { select: { id: true, email: true, name: true } },
+        },
+      });
+
+      const user = member?.user;
+      if (user && user.id !== excludeUserId && user.email) {
+        return [
+          {
+            userId: user.id,
+            email: user.email,
+            name: user.name || user.email,
+          },
+        ];
+      }
+
+      return [];
+    } catch (error) {
+      this.logger.error(
+        'Failed to get finding creator:',
+        error instanceof Error ? error.message : 'Unknown error',
+      );
+      return [];
+    }
+  }
+}
diff --git a/apps/api/src/findings/findings.controller.ts b/apps/api/src/findings/findings.controller.ts
new file mode 100644
index 000000000..a4006a2dd
--- /dev/null
+++ b/apps/api/src/findings/findings.controller.ts
@@ -0,0 +1,426 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Patch,
+  Delete,
+  Body,
+  Param,
+  Query,
+  UseGuards,
+  UsePipes,
+  ValidationPipe,
+  BadRequestException,
+  ForbiddenException,
+} from '@nestjs/common';
+import {
+  ApiBody,
+  ApiOperation,
+  ApiParam,
+  ApiQuery,
+  ApiResponse,
+  ApiTags,
+  ApiHeader,
+  ApiSecurity,
+} from '@nestjs/swagger';
+import { FindingStatus } from '@trycompai/db';
+import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
+import { RequireRoles } from '../auth/role-validator.guard';
+import { AuthContext } from '../auth/auth-context.decorator';
+import type { AuthContext as AuthContextType } from '../auth/types';
+import { FindingsService } from './findings.service';
+import { CreateFindingDto } from './dto/create-finding.dto';
+import { UpdateFindingDto } from './dto/update-finding.dto';
+import { ValidateFindingIdPipe } from './pipes/validate-finding-id.pipe';
+import { db } from '@trycompai/db';
+
+@ApiTags('Findings')
+@Controller({ path: 'findings', version: '1' })
+@UseGuards(HybridAuthGuard)
+@ApiSecurity('apikey')
+@ApiHeader({
+  name: 'X-Organization-Id',
+  description:
+    'Organization ID (required for session auth, optional for API key auth)',
+  required: false,
+})
+export class FindingsController {
+  constructor(private readonly findingsService: FindingsService) {}
+
+  @Get()
+  @ApiOperation({
+    summary: 'Get findings for a task',
+    description: 'Retrieve all findings for a specific task',
+  })
+  @ApiQuery({
+    name: 'taskId',
+    required: true,
+    description: 'Task ID to get findings for',
+    example: 'tsk_abc123',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'List of findings for the task',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Task not found',
+  })
+  async getFindingsByTask(
+    @Query('taskId') taskId: string,
+    @AuthContext() authContext: AuthContextType,
+  ) {
+    if (!taskId) {
+      throw new BadRequestException('taskId query parameter is required');
+    }
+    return await this.findingsService.findByTaskId(
+      authContext.organizationId,
+      taskId,
+    );
+  }
+
+  @Get('organization')
+  @ApiOperation({
+    summary: 'Get all findings for organization',
+    description: 'Retrieve all findings for the organization',
+  })
+  @ApiQuery({
+    name: 'status',
+    required: false,
+    enum: FindingStatus,
+    description: 'Filter by status',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'List of all findings for the organization',
+  })
+  @ApiResponse({
+    status: 400,
+    description: 'Invalid status value',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  async getOrganizationFindings(
+    @Query('status') status: string | undefined,
+    @AuthContext() authContext: AuthContextType,
+  ) {
+    // Validate status enum if provided
+    let validatedStatus: FindingStatus | undefined;
+    if (status) {
+      if (!Object.values(FindingStatus).includes(status as FindingStatus)) {
+        throw new BadRequestException(
+          `Invalid status value. Must be one of: ${Object.values(FindingStatus).join(', ')}`,
+        );
+      }
+      validatedStatus = status as FindingStatus;
+    }
+
+    return await this.findingsService.findByOrganizationId(
+      authContext.organizationId,
+      validatedStatus,
+    );
+  }
+
+  @Get(':id')
+  @ApiOperation({
+    summary: 'Get finding by ID',
+    description: 'Retrieve a specific finding by its ID',
+  })
+  @ApiParam({
+    name: 'id',
+    description: 'Finding ID',
+    example: 'fnd_abc123',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'The finding',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Finding not found',
+  })
+  async getFindingById(
+    @Param('id', ValidateFindingIdPipe) id: string,
+    @AuthContext() authContext: AuthContextType,
+  ) {
+    return await this.findingsService.findById(authContext.organizationId, id);
+  }
+
+  @Post()
+  @UseGuards(RequireRoles('auditor', 'admin', 'owner'))
+  @ApiOperation({
+    summary: 'Create a finding',
+    description:
+      'Create a new finding for a task (Auditor or Platform Admin only)',
+  })
+  @ApiBody({
+    type: CreateFindingDto,
+    description: 'Finding data',
+  })
+  @ApiResponse({
+    status: 201,
+    description: 'The created finding',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 403,
+    description: 'Forbidden - Auditor or Platform Admin required',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Task not found',
+  })
+  @UsePipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+    }),
+  )
+  async createFinding(
+    @Body() createDto: CreateFindingDto,
+    @AuthContext() authContext: AuthContextType,
+  ) {
+    // Validate userId first (required for session auth)
+    if (!authContext.userId) {
+      throw new BadRequestException('User ID is required');
+    }
+
+    // Verify user has auditor role or is platform admin
+    const isAuditor = authContext.userRoles?.includes('auditor');
+    const isPlatformAdmin = await this.checkPlatformAdmin(authContext.userId);
+
+    if (!isAuditor && !isPlatformAdmin) {
+      throw new ForbiddenException(
+        'Only auditors or platform admins can create findings',
+      );
+    }
+
+    // Get member ID for the user
+    const member = await db.member.findFirst({
+      where: {
+        userId: authContext.userId,
+        organizationId: authContext.organizationId,
+        deactivated: false,
+      },
+    });
+
+    if (!member) {
+      throw new BadRequestException(
+        'User is not a member of this organization',
+      );
+    }
+
+    return await this.findingsService.create(
+      authContext.organizationId,
+      member.id,
+      authContext.userId,
+      createDto,
+    );
+  }
+
+  @Patch(':id')
+  @UseGuards(RequireRoles('auditor', 'admin', 'owner'))
+  @ApiOperation({
+    summary: 'Update a finding',
+    description:
+      'Update a finding. Status transition rules apply based on user role.',
+  })
+  @ApiParam({
+    name: 'id',
+    description: 'Finding ID',
+    example: 'fnd_abc123',
+  })
+  @ApiBody({
+    type: UpdateFindingDto,
+    description: 'Finding update data',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'The updated finding',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 403,
+    description: 'Forbidden - Insufficient permissions for status transition',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Finding not found',
+  })
+  @UsePipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+    }),
+  )
+  async updateFinding(
+    @Param('id', ValidateFindingIdPipe) id: string,
+    @Body() updateDto: UpdateFindingDto,
+    @AuthContext() authContext: AuthContextType,
+  ) {
+    // Validate userId first (required for session auth)
+    if (!authContext.userId) {
+      throw new BadRequestException('User ID is required');
+    }
+
+    const isPlatformAdmin = await this.checkPlatformAdmin(authContext.userId);
+
+    // Get member ID for audit logging
+    const member = await db.member.findFirst({
+      where: {
+        userId: authContext.userId,
+        organizationId: authContext.organizationId,
+        deactivated: false,
+      },
+    });
+
+    if (!member) {
+      throw new BadRequestException(
+        'User is not a member of this organization',
+      );
+    }
+
+    return await this.findingsService.update(
+      authContext.organizationId,
+      id,
+      updateDto,
+      authContext.userRoles || [],
+      isPlatformAdmin,
+      authContext.userId,
+      member.id,
+    );
+  }
+
+  @Delete(':id')
+  @UseGuards(RequireRoles('auditor', 'admin', 'owner'))
+  @ApiOperation({
+    summary: 'Delete a finding',
+    description: 'Delete a finding (Auditor or Platform Admin only)',
+  })
+  @ApiParam({
+    name: 'id',
+    description: 'Finding ID',
+    example: 'fnd_abc123',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'Finding deleted successfully',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 403,
+    description: 'Forbidden - Auditor or Platform Admin required',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Finding not found',
+  })
+  async deleteFinding(
+    @Param('id', ValidateFindingIdPipe) id: string,
+    @AuthContext() authContext: AuthContextType,
+  ) {
+    // Validate userId first (required for session auth)
+    if (!authContext.userId) {
+      throw new BadRequestException('User ID is required');
+    }
+
+    // Verify user has auditor role or is platform admin
+    const isAuditor = authContext.userRoles?.includes('auditor');
+    const isPlatformAdmin = await this.checkPlatformAdmin(authContext.userId);
+
+    if (!isAuditor && !isPlatformAdmin) {
+      throw new ForbiddenException(
+        'Only auditors or platform admins can delete findings',
+      );
+    }
+
+    // Get member ID for audit logging
+    const member = await db.member.findFirst({
+      where: {
+        userId: authContext.userId,
+        organizationId: authContext.organizationId,
+        deactivated: false,
+      },
+    });
+
+    if (!member) {
+      throw new BadRequestException(
+        'User is not a member of this organization',
+      );
+    }
+
+    return await this.findingsService.delete(
+      authContext.organizationId,
+      id,
+      authContext.userId,
+      member.id,
+    );
+  }
+
+  @Get(':id/history')
+  @ApiOperation({
+    summary: 'Get finding history',
+    description: 'Retrieve the activity history for a specific finding',
+  })
+  @ApiParam({
+    name: 'id',
+    description: 'Finding ID',
+    example: 'fnd_abc123',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'List of audit log entries for the finding',
+  })
+  @ApiResponse({
+    status: 401,
+    description: 'Unauthorized',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Finding not found',
+  })
+  async getFindingHistory(
+    @Param('id', ValidateFindingIdPipe) id: string,
+    @AuthContext() authContext: AuthContextType,
+  ) {
+    return await this.findingsService.getActivity(
+      authContext.organizationId,
+      id,
+    );
+  }
+
+  /**
+   * Check if the user is a platform admin
+   */
+  private async checkPlatformAdmin(userId?: string): Promise<boolean> {
+    if (!userId) return false;
+
+    const user = await db.user.findUnique({
+      where: { id: userId },
+      select: { isPlatformAdmin: true },
+    });
+
+    return user?.isPlatformAdmin ?? false;
+  }
+}
diff --git a/apps/api/src/findings/findings.module.ts b/apps/api/src/findings/findings.module.ts
new file mode 100644
index 000000000..975b20351
--- /dev/null
+++ b/apps/api/src/findings/findings.module.ts
@@ -0,0 +1,20 @@
+import { Module } from '@nestjs/common';
+import { AuthModule } from '../auth/auth.module';
+import { NovuService } from '../notifications/novu.service';
+import { FindingAuditService } from './finding-audit.service';
+import { FindingNotifierService } from './finding-notifier.service';
+import { FindingsController } from './findings.controller';
+import { FindingsService } from './findings.service';
+
+@Module({
+  imports: [AuthModule],
+  controllers: [FindingsController],
+  providers: [
+    FindingsService,
+    FindingAuditService,
+    FindingNotifierService,
+    NovuService,
+  ],
+  exports: [FindingsService, FindingAuditService],
+})
+export class FindingsModule {}
diff --git a/apps/api/src/findings/findings.service.ts b/apps/api/src/findings/findings.service.ts
new file mode 100644
index 000000000..9b7d18e66
--- /dev/null
+++ b/apps/api/src/findings/findings.service.ts
@@ -0,0 +1,494 @@
+import {
+  Injectable,
+  NotFoundException,
+  BadRequestException,
+  ForbiddenException,
+  Logger,
+} from '@nestjs/common';
+import { db, FindingStatus, FindingType } from '@trycompai/db';
+import { CreateFindingDto } from './dto/create-finding.dto';
+import { UpdateFindingDto } from './dto/update-finding.dto';
+import { FindingAuditService } from './finding-audit.service';
+import { FindingNotifierService } from './finding-notifier.service';
+
+@Injectable()
+export class FindingsService {
+  private readonly logger = new Logger(FindingsService.name);
+
+  constructor(
+    private readonly findingAuditService: FindingAuditService,
+    private readonly findingNotifierService: FindingNotifierService,
+  ) {}
+
+  /**
+   * Get all findings for a specific task
+   */
+  async findByTaskId(organizationId: string, taskId: string) {
+    // Verify task belongs to organization
+    const task = await db.task.findFirst({
+      where: { id: taskId, organizationId },
+    });
+
+    if (!task) {
+      throw new NotFoundException(
+        `Task with ID ${taskId} not found in organization`,
+      );
+    }
+
+    const findings = await db.finding.findMany({
+      where: { taskId, organizationId },
+      include: {
+        createdBy: {
+          include: {
+            user: {
+              select: {
+                id: true,
+                name: true,
+                email: true,
+                image: true,
+              },
+            },
+          },
+        },
+        template: {
+          select: {
+            id: true,
+            category: true,
+            title: true,
+          },
+        },
+        task: {
+          select: {
+            id: true,
+            title: true,
+          },
+        },
+      },
+      orderBy: [
+        // Sort by status: open first, then ready_for_review, needs_revision, closed
+        { status: 'asc' },
+        { createdAt: 'desc' },
+      ],
+    });
+
+    this.logger.log(
+      `Retrieved ${findings.length} findings for task ${taskId}`,
+    );
+    return findings;
+  }
+
+  /**
+   * Get all findings for an organization
+   */
+  async findByOrganizationId(organizationId: string, status?: FindingStatus) {
+    const findings = await db.finding.findMany({
+      where: {
+        organizationId,
+        ...(status && { status }),
+      },
+      include: {
+        createdBy: {
+          include: {
+            user: {
+              select: {
+                id: true,
+                name: true,
+                email: true,
+                image: true,
+              },
+            },
+          },
+        },
+        template: {
+          select: {
+            id: true,
+            category: true,
+            title: true,
+          },
+        },
+        task: {
+          select: {
+            id: true,
+            title: true,
+          },
+        },
+      },
+      orderBy: [{ status: 'asc' }, { createdAt: 'desc' }],
+    });
+
+    this.logger.log(
+      `Retrieved ${findings.length} findings for organization ${organizationId}`,
+    );
+    return findings;
+  }
+
+  /**
+   * Get a single finding by ID
+   */
+  async findById(organizationId: string, findingId: string) {
+    const finding = await db.finding.findFirst({
+      where: { id: findingId, organizationId },
+      include: {
+        createdBy: {
+          include: {
+            user: {
+              select: {
+                id: true,
+                name: true,
+                email: true,
+                image: true,
+              },
+            },
+          },
+        },
+        template: {
+          select: {
+            id: true,
+            category: true,
+            title: true,
+          },
+        },
+        task: {
+          select: {
+            id: true,
+            title: true,
+          },
+        },
+      },
+    });
+
+    if (!finding) {
+      throw new NotFoundException(
+        `Finding with ID ${findingId} not found in organization`,
+      );
+    }
+
+    return finding;
+  }
+
+  /**
+   * Create a new finding (auditor or platform admin only)
+   */
+  async create(
+    organizationId: string,
+    memberId: string,
+    userId: string,
+    createDto: CreateFindingDto,
+  ) {
+    // Verify task belongs to organization
+    const task = await db.task.findFirst({
+      where: { id: createDto.taskId, organizationId },
+    });
+
+    if (!task) {
+      throw new NotFoundException(
+        `Task with ID ${createDto.taskId} not found in organization`,
+      );
+    }
+
+    // Verify template exists if provided
+    if (createDto.templateId) {
+      const template = await db.findingTemplate.findUnique({
+        where: { id: createDto.templateId },
+      });
+
+      if (!template) {
+        throw new BadRequestException(
+          `Finding template with ID ${createDto.templateId} not found`,
+        );
+      }
+    }
+
+    const finding = await db.finding.create({
+      data: {
+        taskId: createDto.taskId,
+        type: createDto.type,
+        content: createDto.content,
+        templateId: createDto.templateId,
+        createdById: memberId,
+        organizationId,
+        status: FindingStatus.open,
+      },
+      include: {
+        createdBy: {
+          include: {
+            user: {
+              select: {
+                id: true,
+                name: true,
+                email: true,
+                image: true,
+              },
+            },
+          },
+        },
+        template: {
+          select: {
+            id: true,
+            category: true,
+            title: true,
+          },
+        },
+        task: {
+          select: {
+            id: true,
+            title: true,
+          },
+        },
+      },
+    });
+
+    // Log to audit trail
+    await this.findingAuditService.logFindingCreated({
+      findingId: finding.id,
+      organizationId,
+      userId,
+      memberId,
+      taskId: createDto.taskId,
+      taskTitle: task.title,
+      content: createDto.content,
+      type: createDto.type ?? FindingType.soc2,
+    });
+
+    // Send notifications (fire-and-forget)
+    const actorName =
+      finding.createdBy?.user?.name ||
+      finding.createdBy?.user?.email ||
+      'Someone';
+    void this.findingNotifierService.notifyFindingCreated({
+      organizationId,
+      findingId: finding.id,
+      taskId: createDto.taskId,
+      taskTitle: task.title,
+      findingContent: createDto.content,
+      findingType: createDto.type ?? FindingType.soc2,
+      actorUserId: userId,
+      actorName,
+    });
+
+    this.logger.log(
+      `Created finding ${finding.id} for task ${createDto.taskId}`,
+    );
+    return finding;
+  }
+
+  /**
+   * Update a finding with role-based status transition validation
+   *
+   * Status transition rules:
+   * - ready_for_review: Only non-auditor admins/owners can set (clients signal to auditor)
+   * - needs_revision, closed: Only auditor or platform admin
+   */
+  async update(
+    organizationId: string,
+    findingId: string,
+    updateDto: UpdateFindingDto,
+    userRoles: string[],
+    isPlatformAdmin: boolean,
+    userId: string,
+    memberId: string,
+  ) {
+    // Verify finding exists and get current state for audit
+    const finding = await this.findById(organizationId, findingId);
+    const previousStatus = finding.status as FindingStatus;
+    const previousType = finding.type as FindingType;
+    const previousContent = finding.content;
+
+    // Validate status transition permissions
+    if (updateDto.status) {
+      const isAuditor = userRoles.includes('auditor');
+      const canSetRestrictedStatus = isPlatformAdmin || isAuditor;
+
+      // needs_revision and closed can only be set by auditor or platform admin
+      if (
+        (updateDto.status === FindingStatus.needs_revision ||
+          updateDto.status === FindingStatus.closed) &&
+        !canSetRestrictedStatus
+      ) {
+        throw new ForbiddenException(
+          `Only auditors or platform admins can set status to '${updateDto.status}'`,
+        );
+      }
+
+      // ready_for_review can only be set by non-auditor admins/owners (client signals to auditor)
+      if (updateDto.status === FindingStatus.ready_for_review && isAuditor && !isPlatformAdmin) {
+        throw new ForbiddenException(
+          `Auditors cannot set status to 'ready_for_review'. This status is for clients to signal readiness.`,
+        );
+      }
+    }
+
+    const updatedFinding = await db.finding.update({
+      where: { id: findingId },
+      data: {
+        ...(updateDto.status !== undefined && { status: updateDto.status }),
+        ...(updateDto.type !== undefined && { type: updateDto.type }),
+        ...(updateDto.content !== undefined && { content: updateDto.content }),
+      },
+      include: {
+        createdBy: {
+          include: {
+            user: {
+              select: {
+                id: true,
+                name: true,
+                email: true,
+                image: true,
+              },
+            },
+          },
+        },
+        template: {
+          select: {
+            id: true,
+            category: true,
+            title: true,
+          },
+        },
+        task: {
+          select: {
+            id: true,
+            title: true,
+          },
+        },
+      },
+    });
+
+    // Log changes to audit trail
+    const auditParams = {
+      findingId,
+      organizationId,
+      userId,
+      memberId,
+    };
+
+    if (updateDto.status && updateDto.status !== previousStatus) {
+      await this.findingAuditService.logFindingStatusChanged({
+        ...auditParams,
+        previousStatus,
+        newStatus: updateDto.status,
+      });
+    }
+
+    if (updateDto.type && updateDto.type !== previousType) {
+      await this.findingAuditService.logFindingTypeChanged({
+        ...auditParams,
+        previousType,
+        newType: updateDto.type,
+      });
+    }
+
+    if (updateDto.content && updateDto.content !== previousContent) {
+      await this.findingAuditService.logFindingContentUpdated({
+        ...auditParams,
+        previousContent,
+        newContent: updateDto.content,
+      });
+    }
+
+    // Send status change notifications (fire-and-forget)
+    if (updateDto.status && updateDto.status !== previousStatus) {
+      this.logger.log(
+        `Status changed for finding ${findingId}: ${previousStatus} → ${updateDto.status}. Triggering notification.`,
+      );
+
+      const actorUser = await db.user.findUnique({
+        where: { id: userId },
+        select: { name: true, email: true },
+      });
+      const actorName = actorUser?.name || actorUser?.email || 'Someone';
+
+      const notificationParams = {
+        organizationId,
+        findingId,
+        taskId: finding.taskId,
+        taskTitle: finding.task.title,
+        findingContent: updatedFinding.content,
+        findingType: updatedFinding.type as FindingType,
+        actorUserId: userId,
+        actorName,
+      };
+
+      switch (updateDto.status) {
+        case FindingStatus.ready_for_review:
+          this.logger.log(`Triggering 'ready_for_review' notification for finding ${findingId}`);
+          void this.findingNotifierService.notifyReadyForReview({
+            ...notificationParams,
+            findingCreatorMemberId: finding.createdById,
+          });
+          break;
+        case FindingStatus.needs_revision:
+          this.logger.log(`Triggering 'needs_revision' notification for finding ${findingId}`);
+          void this.findingNotifierService.notifyNeedsRevision(notificationParams);
+          break;
+        case FindingStatus.closed:
+          this.logger.log(`Triggering 'closed' notification for finding ${findingId}`);
+          void this.findingNotifierService.notifyFindingClosed(notificationParams);
+          break;
+        case FindingStatus.open:
+          this.logger.log(`Status changed to 'open' for finding ${findingId}. No notification sent.`);
+          break;
+        default:
+          this.logger.warn(
+            `Unknown status ${updateDto.status} for finding ${findingId}. No notification sent.`,
+          );
+      }
+    } else if (updateDto.status && updateDto.status === previousStatus) {
+      this.logger.log(
+        `Status unchanged for finding ${findingId}: ${previousStatus}. Skipping notification.`,
+      );
+    }
+
+    this.logger.log(
+      `Updated finding ${findingId}: status=${updatedFinding.status}`,
+    );
+    return updatedFinding;
+  }
+
+  /**
+   * Delete a finding (auditor or platform admin only)
+   */
+  async delete(
+    organizationId: string,
+    findingId: string,
+    userId: string,
+    memberId: string,
+  ) {
+    // Verify finding exists and get details for audit
+    const finding = await this.findById(organizationId, findingId);
+
+    await db.finding.delete({
+      where: { id: findingId },
+    });
+
+    // Log to audit trail
+    await this.findingAuditService.logFindingDeleted({
+      findingId,
+      organizationId,
+      userId,
+      memberId,
+      taskId: finding.taskId,
+      taskTitle: finding.task.title,
+      content: finding.content,
+    });
+
+    this.logger.log(`Deleted finding ${findingId} from task ${finding.taskId}`);
+    return {
+      message: 'Finding deleted successfully',
+      deletedFinding: {
+        id: finding.id,
+        taskId: finding.taskId,
+      },
+    };
+  }
+
+  /**
+   * Get activity history for a finding
+   */
+  async getActivity(organizationId: string, findingId: string) {
+    // Verify finding exists
+    await this.findById(organizationId, findingId);
+
+    return this.findingAuditService.getFindingActivity(findingId, organizationId);
+  }
+}
diff --git a/apps/api/src/findings/index.ts b/apps/api/src/findings/index.ts
new file mode 100644
index 000000000..78dc066e4
--- /dev/null
+++ b/apps/api/src/findings/index.ts
@@ -0,0 +1,5 @@
+export * from './findings.module';
+export * from './findings.service';
+export * from './findings.controller';
+export * from './dto/create-finding.dto';
+export * from './dto/update-finding.dto';
diff --git a/apps/api/src/findings/pipes/validate-finding-id.pipe.ts b/apps/api/src/findings/pipes/validate-finding-id.pipe.ts
new file mode 100644
index 000000000..5c1bf649d
--- /dev/null
+++ b/apps/api/src/findings/pipes/validate-finding-id.pipe.ts
@@ -0,0 +1,17 @@
+import { PipeTransform, Injectable, BadRequestException } from '@nestjs/common';
+
+@Injectable()
+export class ValidateFindingIdPipe implements PipeTransform {
+  transform(value: string): string {
+    // Finding IDs should match the pattern: fnd_[cuid]
+    const findingIdPattern = /^fnd_[a-z0-9]+$/;
+
+    if (!findingIdPattern.test(value)) {
+      throw new BadRequestException(
+        `Invalid finding ID format. Expected format: fnd_[alphanumeric]`,
+      );
+    }
+
+    return value;
+  }
+}
diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
index 739e5fd52..42b11e7df 100644
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -19,6 +19,7 @@ async function bootstrap(): Promise<void> {
   app.enableCors({
     origin: true,
     credentials: true,
+    exposedHeaders: ['Content-Disposition'],
   });
 
   // STEP 2: Security headers
diff --git a/apps/api/src/tasks/attachments.service.ts b/apps/api/src/tasks/attachments.service.ts
index 9e2fe9005..c33d884ba 100644
--- a/apps/api/src/tasks/attachments.service.ts
+++ b/apps/api/src/tasks/attachments.service.ts
@@ -193,7 +193,7 @@ export class AttachmentsService {
         entityType,
       },
       orderBy: {
-        createdAt: 'asc',
+        createdAt: 'desc',
       },
     });
 
diff --git a/apps/api/src/tasks/automations/automations.module.ts b/apps/api/src/tasks/automations/automations.module.ts
index 27127d42f..7c784dd2c 100644
--- a/apps/api/src/tasks/automations/automations.module.ts
+++ b/apps/api/src/tasks/automations/automations.module.ts
@@ -1,13 +1,13 @@
-import { Module } from '@nestjs/common';
+import { Module, forwardRef } from '@nestjs/common';
 import { AuthModule } from '../../auth/auth.module';
-import { TasksService } from '../tasks.service';
+import { TasksModule } from '../tasks.module';
 import { AutomationsController } from './automations.controller';
 import { AutomationsService } from './automations.service';
 
 @Module({
-  imports: [AuthModule],
+  imports: [AuthModule, forwardRef(() => TasksModule)],
   controllers: [AutomationsController],
-  providers: [AutomationsService, TasksService],
+  providers: [AutomationsService],
   exports: [AutomationsService],
 })
 export class AutomationsModule {}
diff --git a/apps/api/src/tasks/evidence-export/evidence-export.controller.ts b/apps/api/src/tasks/evidence-export/evidence-export.controller.ts
new file mode 100644
index 000000000..910735327
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/evidence-export.controller.ts
@@ -0,0 +1,262 @@
+import {
+  Controller,
+  Get,
+  Param,
+  Query,
+  Res,
+  UseGuards,
+  Logger,
+} from '@nestjs/common';
+import {
+  ApiHeader,
+  ApiOperation,
+  ApiParam,
+  ApiQuery,
+  ApiResponse,
+  ApiSecurity,
+  ApiTags,
+} from '@nestjs/swagger';
+import type { Response } from 'express';
+import { OrganizationId } from '../../auth/auth-context.decorator';
+import { HybridAuthGuard } from '../../auth/hybrid-auth.guard';
+import { RequireRoles } from '../../auth/role-validator.guard';
+import { EvidenceExportService } from './evidence-export.service';
+import { TasksService } from '../tasks.service';
+
+@ApiTags('Evidence Export')
+@Controller({ path: 'tasks', version: '1' })
+@UseGuards(HybridAuthGuard)
+@ApiSecurity('apikey')
+@ApiHeader({
+  name: 'X-Organization-Id',
+  description:
+    'Organization ID (required for session auth, optional for API key auth)',
+  required: false,
+})
+export class EvidenceExportController {
+  private readonly logger = new Logger(EvidenceExportController.name);
+
+  constructor(
+    private readonly evidenceExportService: EvidenceExportService,
+    private readonly tasksService: TasksService,
+  ) {}
+
+  /**
+   * Get evidence summary for a task
+   */
+  @Get(':taskId/evidence')
+  @ApiOperation({
+    summary: 'Get task evidence summary',
+    description:
+      'Retrieve a summary of all automation evidence for a specific task',
+  })
+  @ApiParam({
+    name: 'taskId',
+    description: 'Unique task identifier',
+    example: 'tsk_abc123def456',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'Evidence summary retrieved successfully',
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Task not found',
+  })
+  async getTaskEvidenceSummary(
+    @OrganizationId() organizationId: string,
+    @Param('taskId') taskId: string,
+  ) {
+    this.logger.log('Get task evidence summary', { organizationId, taskId });
+    await this.tasksService.verifyTaskAccess(organizationId, taskId);
+    return this.evidenceExportService.getTaskEvidenceSummary(
+      organizationId,
+      taskId,
+    );
+  }
+
+  /**
+   * Export a single automation's evidence as PDF
+   */
+  @Get(':taskId/evidence/automation/:automationId/pdf')
+  @ApiOperation({
+    summary: 'Export automation evidence as PDF',
+    description:
+      'Generate and download a PDF containing all evidence for a specific automation',
+  })
+  @ApiParam({
+    name: 'taskId',
+    description: 'Unique task identifier',
+  })
+  @ApiParam({
+    name: 'automationId',
+    description: 'Unique automation identifier (checkId for app automations)',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'PDF file generated successfully',
+    content: {
+      'application/pdf': {},
+    },
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Task or automation not found',
+  })
+  async exportAutomationPDF(
+    @OrganizationId() organizationId: string,
+    @Param('taskId') taskId: string,
+    @Param('automationId') automationId: string,
+    @Res() res: Response,
+  ) {
+    this.logger.log('Export automation evidence PDF', {
+      organizationId,
+      taskId,
+      automationId,
+    });
+    await this.tasksService.verifyTaskAccess(organizationId, taskId);
+
+    const result = await this.evidenceExportService.exportAutomationPDF(
+      organizationId,
+      taskId,
+      automationId,
+    );
+
+    res.setHeader('Content-Type', result.mimeType);
+    res.setHeader(
+      'Content-Disposition',
+      `attachment; filename="${result.filename}"`,
+    );
+    res.send(result.fileBuffer);
+  }
+
+  /**
+   * Export all evidence for a task as ZIP
+   */
+  @Get(':taskId/evidence/export')
+  @ApiOperation({
+    summary: 'Export task evidence as ZIP',
+    description:
+      'Generate and download a ZIP file containing all automation evidence for a task',
+  })
+  @ApiParam({
+    name: 'taskId',
+    description: 'Unique task identifier',
+  })
+  @ApiQuery({
+    name: 'includeJson',
+    description: 'Include raw JSON files alongside PDFs',
+    type: 'boolean',
+    required: false,
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'ZIP file generated successfully',
+    content: {
+      'application/zip': {},
+    },
+  })
+  @ApiResponse({
+    status: 404,
+    description: 'Task not found',
+  })
+  async exportTaskEvidenceZip(
+    @OrganizationId() organizationId: string,
+    @Param('taskId') taskId: string,
+    @Query('includeJson') includeJson: string,
+    @Res() res: Response,
+  ) {
+    this.logger.log('Export task evidence ZIP', {
+      organizationId,
+      taskId,
+      includeJson: includeJson === 'true',
+    });
+    await this.tasksService.verifyTaskAccess(organizationId, taskId);
+
+    const result = await this.evidenceExportService.exportTaskEvidenceZip(
+      organizationId,
+      taskId,
+      { includeRawJson: includeJson === 'true' },
+    );
+
+    res.setHeader('Content-Type', result.mimeType);
+    res.setHeader(
+      'Content-Disposition',
+      `attachment; filename="${result.filename}"`,
+    );
+    res.send(result.fileBuffer);
+  }
+}
+
+/**
+ * Auditor-only controller for bulk evidence export
+ */
+@ApiTags('Evidence Export (Auditor)')
+@Controller({ path: 'evidence-export', version: '1' })
+@UseGuards(HybridAuthGuard)
+@ApiSecurity('apikey')
+@ApiHeader({
+  name: 'X-Organization-Id',
+  description:
+    'Organization ID (required for session auth, optional for API key auth)',
+  required: false,
+})
+export class AuditorEvidenceExportController {
+  private readonly logger = new Logger(AuditorEvidenceExportController.name);
+
+  constructor(private readonly evidenceExportService: EvidenceExportService) {}
+
+  /**
+   * Export all evidence for the organization (auditor only)
+   */
+  @Get('all')
+  @UseGuards(RequireRoles('auditor', 'admin', 'owner'))
+  @ApiOperation({
+    summary: 'Export all organization evidence as ZIP (Auditor only)',
+    description:
+      'Generate and download a ZIP file containing all automation evidence across all tasks. Only accessible by auditors.',
+  })
+  @ApiQuery({
+    name: 'includeJson',
+    description: 'Include raw JSON files alongside PDFs',
+    type: 'boolean',
+    required: false,
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'ZIP file generated successfully',
+    content: {
+      'application/zip': {},
+    },
+  })
+  @ApiResponse({
+    status: 403,
+    description: 'Access denied - Auditor role required',
+  })
+  async exportAllEvidence(
+    @OrganizationId() organizationId: string,
+    @Query('includeJson') includeJson: string,
+    @Res() res: Response,
+  ) {
+    this.logger.log(
+      'Auditor exporting all evidence',
+      {
+        organizationId,
+        includeJson: includeJson === 'true',
+      },
+    );
+
+    const result =
+      await this.evidenceExportService.exportOrganizationEvidenceZip(
+        organizationId,
+        { includeRawJson: includeJson === 'true' },
+      );
+
+    res.setHeader('Content-Type', result.mimeType);
+    res.setHeader(
+      'Content-Disposition',
+      `attachment; filename="${result.filename}"`,
+    );
+    res.send(result.fileBuffer);
+  }
+}
diff --git a/apps/api/src/tasks/evidence-export/evidence-export.module.ts b/apps/api/src/tasks/evidence-export/evidence-export.module.ts
new file mode 100644
index 000000000..28837b2e3
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/evidence-export.module.ts
@@ -0,0 +1,16 @@
+import { Module, forwardRef } from '@nestjs/common';
+import { AuthModule } from '../../auth/auth.module';
+import { TasksModule } from '../tasks.module';
+import { EvidenceExportService } from './evidence-export.service';
+import {
+  EvidenceExportController,
+  AuditorEvidenceExportController,
+} from './evidence-export.controller';
+
+@Module({
+  imports: [AuthModule, forwardRef(() => TasksModule)],
+  controllers: [EvidenceExportController, AuditorEvidenceExportController],
+  providers: [EvidenceExportService],
+  exports: [EvidenceExportService],
+})
+export class EvidenceExportModule {}
diff --git a/apps/api/src/tasks/evidence-export/evidence-export.service.ts b/apps/api/src/tasks/evidence-export/evidence-export.service.ts
new file mode 100644
index 000000000..be5a298c3
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/evidence-export.service.ts
@@ -0,0 +1,443 @@
+import { Injectable, Logger, NotFoundException } from '@nestjs/common';
+import { db } from '@trycompai/db';
+import AdmZip from 'adm-zip';
+import { format } from 'date-fns';
+import { configure as configureStringify } from 'safe-stable-stringify';
+import type {
+  TaskEvidenceSummary,
+  EvidenceExportResult,
+} from './evidence-export.types';
+import { buildTaskEvidenceSummary } from './evidence-normalizer';
+import {
+  generateAutomationPDF,
+  generateTaskSummaryPDF,
+  sanitizeFilename,
+} from './evidence-pdf-generator';
+import { redactSensitiveData } from './evidence-redaction';
+
+// Configure safe stringify to handle BigInt, circular refs, etc.
+const safeStringify = configureStringify({
+  bigint: true,
+  circularValue: '[Circular]',
+  deterministic: false,
+});
+
+@Injectable()
+export class EvidenceExportService {
+  private readonly logger = new Logger(EvidenceExportService.name);
+
+  /**
+   * Get task evidence summary with all automation runs
+   */
+  async getTaskEvidenceSummary(
+    organizationId: string,
+    taskId: string,
+  ): Promise<TaskEvidenceSummary> {
+    this.logger.log('Building task evidence summary', {
+      organizationId,
+      taskId,
+    });
+    // Get task with organization
+    const task = await db.task.findFirst({
+      where: {
+        id: taskId,
+        organizationId,
+      },
+      include: {
+        organization: {
+          select: { name: true },
+        },
+      },
+    });
+
+    if (!task) {
+      throw new NotFoundException('Task not found');
+    }
+
+    // Get app automation runs (integration check runs)
+    const appAutomationRuns = await db.integrationCheckRun.findMany({
+      where: { taskId },
+      include: {
+        results: true,
+        connection: {
+          include: {
+            provider: true,
+          },
+        },
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+
+    // Get custom automation runs (evidence automation runs)
+    // Only include published runs (version !== null), exclude draft runs
+    const customAutomationRuns = await db.evidenceAutomationRun.findMany({
+      where: {
+        evidenceAutomation: {
+          taskId,
+        },
+        version: { not: null },
+      },
+      include: {
+        evidenceAutomation: {
+          select: {
+            id: true,
+            name: true,
+          },
+        },
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+
+    const summary = buildTaskEvidenceSummary({
+      taskId: task.id,
+      taskTitle: task.title,
+      organizationId,
+      organizationName: task.organization.name,
+      appAutomationRuns: appAutomationRuns.map((run) => ({
+        id: run.id,
+        checkId: run.checkId,
+        checkName: run.checkName,
+        status: run.status,
+        startedAt: run.startedAt,
+        completedAt: run.completedAt,
+        durationMs: run.durationMs,
+        totalChecked: run.totalChecked,
+        passedCount: run.passedCount,
+        failedCount: run.failedCount,
+        errorMessage: run.errorMessage,
+        logs: run.logs,
+        createdAt: run.createdAt,
+        connection: {
+          provider: run.connection.provider
+            ? {
+                slug: run.connection.provider.slug,
+                name: run.connection.provider.name,
+              }
+            : undefined,
+        },
+        results: run.results.map((r) => ({
+          id: r.id,
+          passed: r.passed,
+          resourceType: r.resourceType,
+          resourceId: r.resourceId,
+          title: r.title,
+          description: r.description,
+          severity: r.severity,
+          remediation: r.remediation,
+          evidence: r.evidence,
+          collectedAt: r.collectedAt,
+        })),
+      })),
+      customAutomationRuns: customAutomationRuns.map((run) => ({
+        id: run.id,
+        status: run.status,
+        startedAt: run.startedAt,
+        completedAt: run.completedAt,
+        runDuration: run.runDuration,
+        success: run.success,
+        error: run.error,
+        logs: run.logs,
+        output: run.output,
+        evaluationStatus: run.evaluationStatus,
+        evaluationReason: run.evaluationReason,
+        createdAt: run.createdAt,
+        evidenceAutomation: {
+          id: run.evidenceAutomation.id,
+          name: run.evidenceAutomation.name,
+        },
+      })),
+    });
+
+    this.logger.log('Task evidence summary built', {
+      organizationId,
+      taskId,
+      appRuns: appAutomationRuns.length,
+      customRuns: customAutomationRuns.length,
+      automations: summary.automations.length,
+    });
+
+    return summary;
+  }
+
+  /**
+   * Export a single automation's evidence as PDF
+   */
+  async exportAutomationPDF(
+    organizationId: string,
+    taskId: string,
+    automationId: string,
+  ): Promise<EvidenceExportResult> {
+    const summary = await this.getTaskEvidenceSummary(organizationId, taskId);
+
+    const automation = summary.automations.find((a) => a.id === automationId);
+
+    if (!automation) {
+      throw new NotFoundException('Automation not found');
+    }
+
+    const pdfBuffer = generateAutomationPDF(automation, {
+      organizationName: summary.organizationName,
+      taskTitle: summary.taskTitle,
+    });
+
+    this.logger.log('Automation evidence PDF generated', {
+      organizationId,
+      taskId,
+      automationId,
+      runs: automation.runs.length,
+      pdfBytes: pdfBuffer.length,
+    });
+
+    const filename = `${sanitizeFilename(summary.organizationName)}_${sanitizeFilename(automation.name)}_evidence_${format(new Date(), 'yyyy-MM-dd')}.pdf`;
+
+    return {
+      fileBuffer: pdfBuffer,
+      mimeType: 'application/pdf',
+      filename,
+    };
+  }
+
+  /**
+   * Export all evidence for a task as a ZIP file
+   */
+  async exportTaskEvidenceZip(
+    organizationId: string,
+    taskId: string,
+    options: { includeRawJson?: boolean } = {},
+  ): Promise<EvidenceExportResult> {
+    const summary = await this.getTaskEvidenceSummary(organizationId, taskId);
+
+    const zip = new AdmZip();
+    const folderName = `${sanitizeFilename(summary.organizationName)}_${sanitizeFilename(summary.taskTitle)}_evidence`;
+
+    // Add summary PDF
+    const summaryPdf = generateTaskSummaryPDF(summary);
+    zip.addFile(`${folderName}/00-summary.pdf`, summaryPdf);
+
+    // Add individual automation PDFs
+    for (const automation of summary.automations) {
+      const typePrefix =
+        automation.type === 'app_automation' ? 'app' : 'custom';
+      // Include short ID suffix to prevent path collisions when names sanitize identically
+      const idSuffix = automation.id.slice(-8);
+      const automationFolder = `${folderName}/${typePrefix}-${sanitizeFilename(automation.name)}-${idSuffix}`;
+
+      // Generate PDF for this automation
+      const pdfBuffer = generateAutomationPDF(automation, {
+        organizationName: summary.organizationName,
+        taskTitle: summary.taskTitle,
+      });
+
+      zip.addFile(`${automationFolder}/evidence.pdf`, pdfBuffer);
+
+      // Optionally include raw JSON
+      if (options.includeRawJson) {
+        const jsonData = safeStringify(
+          redactSensitiveData({
+            automation: {
+              id: automation.id,
+              name: automation.name,
+              type: automation.type,
+              integrationName: automation.integrationName,
+              totalRuns: automation.totalRuns,
+              successfulRuns: automation.successfulRuns,
+              failedRuns: automation.failedRuns,
+              latestRunAt: automation.latestRunAt,
+            },
+            runs: automation.runs.map((run) => ({
+              id: run.id,
+              status: run.status,
+              startedAt: run.startedAt,
+              completedAt: run.completedAt,
+              durationMs: run.durationMs,
+              totalChecked: run.totalChecked,
+              passedCount: run.passedCount,
+              failedCount: run.failedCount,
+              evaluationStatus: run.evaluationStatus,
+              evaluationReason: run.evaluationReason,
+              logs: run.logs,
+              output: run.output,
+              error: run.error,
+              results: run.results,
+              createdAt: run.createdAt,
+            })),
+            exportedAt: summary.exportedAt,
+          }),
+          null,
+          2,
+        );
+
+        zip.addFile(
+          `${automationFolder}/evidence.json`,
+          Buffer.from(jsonData ?? '{}', 'utf-8'),
+        );
+      }
+    }
+
+    const filename = `${folderName}_${format(new Date(), 'yyyy-MM-dd')}.zip`;
+
+    const zipBuffer = zip.toBuffer();
+
+    this.logger.log('Task evidence ZIP generated', {
+      organizationId,
+      taskId,
+      automations: summary.automations.length,
+      includeRawJson: !!options.includeRawJson,
+      zipBytes: zipBuffer.length,
+    });
+
+    return {
+      fileBuffer: zipBuffer,
+      mimeType: 'application/zip',
+      filename,
+    };
+  }
+
+  /**
+   * Export all evidence for an organization (auditor bulk export)
+   */
+  async exportOrganizationEvidenceZip(
+    organizationId: string,
+    options: { includeRawJson?: boolean } = {},
+  ): Promise<EvidenceExportResult> {
+    // Get organization
+    const organization = await db.organization.findUnique({
+      where: { id: organizationId },
+      select: { name: true },
+    });
+
+    if (!organization) {
+      throw new NotFoundException('Organization not found');
+    }
+
+    // Get all tasks with automation runs (only count published runs for custom automations)
+    const tasksWithRuns = await db.task.findMany({
+      where: {
+        organizationId,
+        OR: [
+          {
+            integrationCheckRuns: {
+              some: {},
+            },
+          },
+          {
+            evidenceAutomations: {
+              some: {
+                runs: {
+                  some: { version: { not: null } },
+                },
+              },
+            },
+          },
+        ],
+      },
+      select: {
+        id: true,
+        title: true,
+      },
+      orderBy: { title: 'asc' },
+    });
+
+    if (tasksWithRuns.length === 0) {
+      throw new NotFoundException('No tasks with evidence found');
+    }
+
+    const zip = new AdmZip();
+    const orgFolder = sanitizeFilename(organization.name);
+    const exportDate = format(new Date(), 'yyyy-MM-dd');
+
+    // Add a manifest file
+    const manifest = {
+      organization: organization.name,
+      organizationId,
+      exportedAt: new Date().toISOString(),
+      tasksCount: tasksWithRuns.length,
+      tasks: tasksWithRuns.map((t) => ({ id: t.id, title: t.title })),
+    };
+    zip.addFile(
+      `${orgFolder}/manifest.json`,
+      Buffer.from(safeStringify(manifest, null, 2) ?? '{}', 'utf-8'),
+    );
+
+    // Export each task
+    for (const task of tasksWithRuns) {
+      try {
+        const summary = await this.getTaskEvidenceSummary(
+          organizationId,
+          task.id,
+        );
+
+        if (summary.automations.length === 0) {
+          continue;
+        }
+
+        // Include short task ID suffix to prevent path collisions
+        const taskIdSuffix = task.id.slice(-8);
+        const taskFolder = `${orgFolder}/${sanitizeFilename(task.title)}-${taskIdSuffix}`;
+
+        // Add task summary PDF
+        const summaryPdf = generateTaskSummaryPDF(summary);
+        zip.addFile(`${taskFolder}/00-summary.pdf`, summaryPdf);
+
+        // Add automation PDFs
+        for (const automation of summary.automations) {
+          const typePrefix =
+            automation.type === 'app_automation' ? 'app' : 'custom';
+          const automationName = sanitizeFilename(automation.name);
+          // Include short automation ID suffix to prevent path collisions
+          const automationIdSuffix = automation.id.slice(-8);
+
+          const pdfBuffer = generateAutomationPDF(automation, {
+            organizationName: summary.organizationName,
+            taskTitle: summary.taskTitle,
+          });
+
+          zip.addFile(
+            `${taskFolder}/${typePrefix}-${automationName}-${automationIdSuffix}.pdf`,
+            pdfBuffer,
+          );
+
+          // Optional JSON
+          if (options.includeRawJson) {
+            const jsonData = safeStringify(
+              redactSensitiveData({
+                automation: {
+                  id: automation.id,
+                  name: automation.name,
+                  type: automation.type,
+                },
+                runs: automation.runs,
+                exportedAt: summary.exportedAt,
+              }),
+              null,
+              2,
+            );
+            zip.addFile(
+              `${taskFolder}/${typePrefix}-${automationName}-${automationIdSuffix}.json`,
+              Buffer.from(jsonData ?? '{}', 'utf-8'),
+            );
+          }
+        }
+      } catch (error) {
+        this.logger.warn(`Failed to export task ${task.id}: ${error}`);
+      }
+    }
+
+    const filename = `${orgFolder}_all-evidence_${exportDate}.zip`;
+
+    const zipBuffer = zip.toBuffer();
+
+    this.logger.log('Organization evidence ZIP generated', {
+      organizationId,
+      tasks: tasksWithRuns.length,
+      includeRawJson: !!options.includeRawJson,
+      zipBytes: zipBuffer.length,
+    });
+
+    return {
+      fileBuffer: zipBuffer,
+      mimeType: 'application/zip',
+      filename,
+    };
+  }
+}
diff --git a/apps/api/src/tasks/evidence-export/evidence-export.types.ts b/apps/api/src/tasks/evidence-export/evidence-export.types.ts
new file mode 100644
index 000000000..787f10b19
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/evidence-export.types.ts
@@ -0,0 +1,97 @@
+/**
+ * Evidence Export Types
+ * Normalized data structures for automation evidence export
+ */
+
+/**
+ * Normalized evidence run - combines app automations and custom automations into a unified format
+ */
+export interface NormalizedEvidenceRun {
+  id: string;
+  type: 'app_automation' | 'custom_automation';
+  automationName: string;
+  automationId: string;
+  status: 'success' | 'failed' | 'running' | 'pending' | 'cancelled';
+  startedAt: Date | null;
+  completedAt: Date | null;
+  durationMs: number | null;
+  // Summary metrics
+  totalChecked: number;
+  passedCount: number;
+  failedCount: number;
+  // Evaluation (for custom automations)
+  evaluationStatus: 'pass' | 'fail' | null;
+  evaluationReason: string | null;
+  // Content
+  logs: unknown;
+  output: unknown;
+  error: string | null;
+  // Results (for app automations)
+  results: NormalizedEvidenceResult[];
+  createdAt: Date;
+}
+
+/**
+ * Normalized evidence result - individual check results
+ */
+export interface NormalizedEvidenceResult {
+  id: string;
+  passed: boolean;
+  resourceType: string;
+  resourceId: string;
+  title: string;
+  description: string | null;
+  severity: 'info' | 'low' | 'medium' | 'high' | 'critical' | null;
+  remediation: string | null;
+  evidence: unknown;
+  collectedAt: Date;
+}
+
+/**
+ * Normalized automation - groups runs by automation
+ */
+export interface NormalizedAutomation {
+  id: string;
+  name: string;
+  type: 'app_automation' | 'custom_automation';
+  // For app automations
+  integrationName?: string;
+  integrationLogoUrl?: string;
+  checkId?: string;
+  // Runs
+  runs: NormalizedEvidenceRun[];
+  // Summary
+  totalRuns: number;
+  successfulRuns: number;
+  failedRuns: number;
+  latestRunAt: Date | null;
+}
+
+/**
+ * Task evidence summary - all automations for a task
+ */
+export interface TaskEvidenceSummary {
+  taskId: string;
+  taskTitle: string;
+  organizationId: string;
+  organizationName: string;
+  automations: NormalizedAutomation[];
+  exportedAt: Date;
+}
+
+/**
+ * Export options for evidence
+ */
+export interface EvidenceExportOptions {
+  includeRawJson: boolean;
+  format: 'pdf' | 'zip';
+}
+
+/**
+ * Export result
+ */
+export interface EvidenceExportResult {
+  fileBuffer: Buffer;
+  mimeType: string;
+  filename: string;
+}
diff --git a/apps/api/src/tasks/evidence-export/evidence-normalizer.spec.ts b/apps/api/src/tasks/evidence-export/evidence-normalizer.spec.ts
new file mode 100644
index 000000000..01ee7c429
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/evidence-normalizer.spec.ts
@@ -0,0 +1,342 @@
+import {
+  normalizeAppAutomationRun,
+  normalizeCustomAutomationRun,
+  groupAppAutomationRuns,
+  groupCustomAutomationRuns,
+  buildTaskEvidenceSummary,
+} from './evidence-normalizer';
+
+describe('Evidence Normalizer', () => {
+  describe('normalizeAppAutomationRun', () => {
+    it('should normalize a successful app automation run', () => {
+      const run = {
+        id: 'icr_123',
+        checkId: 'mfa-check',
+        checkName: 'MFA Enabled Check',
+        status: 'success',
+        startedAt: new Date('2024-01-15T10:00:00Z'),
+        completedAt: new Date('2024-01-15T10:00:05Z'),
+        durationMs: 5000,
+        totalChecked: 10,
+        passedCount: 9,
+        failedCount: 1,
+        errorMessage: null,
+        logs: [{ level: 'info', message: 'Check started' }],
+        createdAt: new Date('2024-01-15T10:00:00Z'),
+        connection: {
+          provider: {
+            slug: 'google',
+            name: 'Google Workspace',
+          },
+        },
+        results: [
+          {
+            id: 'icx_1',
+            passed: true,
+            resourceType: 'user',
+            resourceId: 'user@example.com',
+            title: 'MFA Enabled',
+            description: 'User has MFA enabled',
+            severity: null,
+            remediation: null,
+            evidence: { mfaEnabled: true },
+            collectedAt: new Date('2024-01-15T10:00:05Z'),
+          },
+        ],
+      };
+
+      const normalized = normalizeAppAutomationRun(run);
+
+      expect(normalized.id).toBe('icr_123');
+      expect(normalized.type).toBe('app_automation');
+      expect(normalized.automationName).toBe('MFA Enabled Check');
+      expect(normalized.automationId).toBe('mfa-check');
+      expect(normalized.status).toBe('success');
+      expect(normalized.totalChecked).toBe(10);
+      expect(normalized.passedCount).toBe(9);
+      expect(normalized.failedCount).toBe(1);
+      expect(normalized.results).toHaveLength(1);
+      expect(normalized.results[0].passed).toBe(true);
+    });
+
+    it('should normalize a failed app automation run', () => {
+      const run = {
+        id: 'icr_456',
+        checkId: 'mfa-check',
+        checkName: 'MFA Enabled Check',
+        status: 'failed',
+        startedAt: new Date('2024-01-15T10:00:00Z'),
+        completedAt: new Date('2024-01-15T10:00:02Z'),
+        durationMs: 2000,
+        totalChecked: 0,
+        passedCount: 0,
+        failedCount: 0,
+        errorMessage: 'API connection failed',
+        logs: null,
+        createdAt: new Date('2024-01-15T10:00:00Z'),
+        connection: {
+          provider: undefined,
+        },
+        results: [],
+      };
+
+      const normalized = normalizeAppAutomationRun(run);
+
+      expect(normalized.status).toBe('failed');
+      expect(normalized.error).toBe('API connection failed');
+      expect(normalized.results).toHaveLength(0);
+    });
+  });
+
+  describe('normalizeCustomAutomationRun', () => {
+    it('should normalize a successful custom automation run', () => {
+      const run = {
+        id: 'ear_123',
+        status: 'completed',
+        startedAt: new Date('2024-01-15T10:00:00Z'),
+        completedAt: new Date('2024-01-15T10:01:00Z'),
+        runDuration: 60000,
+        success: true,
+        error: null,
+        logs: 'Execution logs here',
+        output: { data: 'test output' },
+        evaluationStatus: 'pass',
+        evaluationReason: 'All checks passed',
+        createdAt: new Date('2024-01-15T10:00:00Z'),
+        evidenceAutomation: {
+          id: 'ea_123',
+          name: 'Custom Evidence Collection',
+        },
+      };
+
+      const normalized = normalizeCustomAutomationRun(run);
+
+      expect(normalized.id).toBe('ear_123');
+      expect(normalized.type).toBe('custom_automation');
+      expect(normalized.automationName).toBe('Custom Evidence Collection');
+      expect(normalized.automationId).toBe('ea_123');
+      expect(normalized.status).toBe('success');
+      expect(normalized.evaluationStatus).toBe('pass');
+      expect(normalized.evaluationReason).toBe('All checks passed');
+      expect(normalized.passedCount).toBe(1);
+      expect(normalized.failedCount).toBe(0);
+    });
+
+    it('should normalize a failed custom automation run', () => {
+      const run = {
+        id: 'ear_456',
+        status: 'failed',
+        startedAt: new Date('2024-01-15T10:00:00Z'),
+        completedAt: null,
+        runDuration: null,
+        success: false,
+        error: 'Script execution failed',
+        logs: null,
+        output: null,
+        evaluationStatus: 'fail',
+        evaluationReason: 'Evidence not found',
+        createdAt: new Date('2024-01-15T10:00:00Z'),
+        evidenceAutomation: {
+          id: 'ea_456',
+          name: 'Failed Automation',
+        },
+      };
+
+      const normalized = normalizeCustomAutomationRun(run);
+
+      expect(normalized.status).toBe('failed');
+      expect(normalized.evaluationStatus).toBe('fail');
+      expect(normalized.error).toBe('Script execution failed');
+      expect(normalized.passedCount).toBe(0);
+      expect(normalized.failedCount).toBe(1);
+    });
+  });
+
+  describe('groupAppAutomationRuns', () => {
+    it('should group runs by check ID', () => {
+      const runs = [
+        {
+          id: 'icr_1',
+          checkId: 'mfa-check',
+          checkName: 'MFA Check',
+          status: 'success',
+          startedAt: new Date('2024-01-15T10:00:00Z'),
+          completedAt: new Date('2024-01-15T10:00:05Z'),
+          durationMs: 5000,
+          totalChecked: 5,
+          passedCount: 5,
+          failedCount: 0,
+          errorMessage: null,
+          logs: null,
+          createdAt: new Date('2024-01-15T10:00:00Z'),
+          connection: { provider: { slug: 'google', name: 'Google' } },
+          results: [],
+        },
+        {
+          id: 'icr_2',
+          checkId: 'mfa-check',
+          checkName: 'MFA Check',
+          status: 'success',
+          startedAt: new Date('2024-01-16T10:00:00Z'),
+          completedAt: new Date('2024-01-16T10:00:05Z'),
+          durationMs: 5000,
+          totalChecked: 5,
+          passedCount: 5,
+          failedCount: 0,
+          errorMessage: null,
+          logs: null,
+          createdAt: new Date('2024-01-16T10:00:00Z'),
+          connection: { provider: { slug: 'google', name: 'Google' } },
+          results: [],
+        },
+        {
+          id: 'icr_3',
+          checkId: 'encryption-check',
+          checkName: 'Encryption Check',
+          status: 'failed',
+          startedAt: new Date('2024-01-15T10:00:00Z'),
+          completedAt: new Date('2024-01-15T10:00:05Z'),
+          durationMs: 5000,
+          totalChecked: 3,
+          passedCount: 1,
+          failedCount: 2,
+          errorMessage: null,
+          logs: null,
+          createdAt: new Date('2024-01-15T10:00:00Z'),
+          connection: { provider: { slug: 'aws', name: 'AWS' } },
+          results: [],
+        },
+      ];
+
+      const grouped = groupAppAutomationRuns(runs);
+
+      expect(grouped).toHaveLength(2);
+
+      const mfaAutomation = grouped.find((a) => a.id === 'mfa-check');
+      expect(mfaAutomation).toBeDefined();
+      expect(mfaAutomation?.runs).toHaveLength(2);
+      expect(mfaAutomation?.totalRuns).toBe(2);
+      expect(mfaAutomation?.successfulRuns).toBe(2);
+      expect(mfaAutomation?.failedRuns).toBe(0);
+
+      const encryptionAutomation = grouped.find(
+        (a) => a.id === 'encryption-check',
+      );
+      expect(encryptionAutomation).toBeDefined();
+      expect(encryptionAutomation?.runs).toHaveLength(1);
+      expect(encryptionAutomation?.failedRuns).toBe(1);
+    });
+  });
+
+  describe('groupCustomAutomationRuns', () => {
+    it('should group runs by automation ID', () => {
+      const runs = [
+        {
+          id: 'ear_1',
+          status: 'completed',
+          startedAt: new Date('2024-01-15T10:00:00Z'),
+          completedAt: new Date('2024-01-15T10:01:00Z'),
+          runDuration: 60000,
+          success: true,
+          error: null,
+          logs: null,
+          output: null,
+          evaluationStatus: 'pass',
+          evaluationReason: null,
+          createdAt: new Date('2024-01-15T10:00:00Z'),
+          evidenceAutomation: { id: 'ea_1', name: 'Automation 1' },
+        },
+        {
+          id: 'ear_2',
+          status: 'completed',
+          startedAt: new Date('2024-01-16T10:00:00Z'),
+          completedAt: new Date('2024-01-16T10:01:00Z'),
+          runDuration: 60000,
+          success: true,
+          error: null,
+          logs: null,
+          output: null,
+          evaluationStatus: 'pass',
+          evaluationReason: null,
+          createdAt: new Date('2024-01-16T10:00:00Z'),
+          evidenceAutomation: { id: 'ea_1', name: 'Automation 1' },
+        },
+      ];
+
+      const grouped = groupCustomAutomationRuns(runs);
+
+      expect(grouped).toHaveLength(1);
+      expect(grouped[0].id).toBe('ea_1');
+      expect(grouped[0].runs).toHaveLength(2);
+      expect(grouped[0].totalRuns).toBe(2);
+      expect(grouped[0].successfulRuns).toBe(2);
+    });
+  });
+
+  describe('buildTaskEvidenceSummary', () => {
+    it('should build a complete task evidence summary', () => {
+      const params = {
+        taskId: 'tsk_123',
+        taskTitle: 'Implement MFA',
+        organizationId: 'org_123',
+        organizationName: 'Test Org',
+        appAutomationRuns: [
+          {
+            id: 'icr_1',
+            checkId: 'mfa-check',
+            checkName: 'MFA Check',
+            status: 'success',
+            startedAt: new Date('2024-01-15T10:00:00Z'),
+            completedAt: new Date('2024-01-15T10:00:05Z'),
+            durationMs: 5000,
+            totalChecked: 5,
+            passedCount: 5,
+            failedCount: 0,
+            errorMessage: null,
+            logs: null,
+            createdAt: new Date('2024-01-15T10:00:00Z'),
+            connection: { provider: { slug: 'google', name: 'Google' } },
+            results: [],
+          },
+        ],
+        customAutomationRuns: [
+          {
+            id: 'ear_1',
+            status: 'completed',
+            startedAt: new Date('2024-01-15T10:00:00Z'),
+            completedAt: new Date('2024-01-15T10:01:00Z'),
+            runDuration: 60000,
+            success: true,
+            error: null,
+            logs: null,
+            output: null,
+            evaluationStatus: 'pass',
+            evaluationReason: null,
+            createdAt: new Date('2024-01-15T10:00:00Z'),
+            evidenceAutomation: { id: 'ea_1', name: 'Custom Automation' },
+          },
+        ],
+      };
+
+      const summary = buildTaskEvidenceSummary(params);
+
+      expect(summary.taskId).toBe('tsk_123');
+      expect(summary.taskTitle).toBe('Implement MFA');
+      expect(summary.organizationName).toBe('Test Org');
+      expect(summary.automations).toHaveLength(2);
+      expect(summary.exportedAt).toBeInstanceOf(Date);
+
+      const appAutomation = summary.automations.find(
+        (a) => a.type === 'app_automation',
+      );
+      expect(appAutomation).toBeDefined();
+      expect(appAutomation?.name).toBe('MFA Check');
+
+      const customAutomation = summary.automations.find(
+        (a) => a.type === 'custom_automation',
+      );
+      expect(customAutomation).toBeDefined();
+      expect(customAutomation?.name).toBe('Custom Automation');
+    });
+  });
+});
diff --git a/apps/api/src/tasks/evidence-export/evidence-normalizer.ts b/apps/api/src/tasks/evidence-export/evidence-normalizer.ts
new file mode 100644
index 000000000..fb2503112
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/evidence-normalizer.ts
@@ -0,0 +1,319 @@
+/**
+ * Evidence Normalizer
+ * Transforms app automation and custom automation runs into a unified format
+ */
+
+import type {
+  NormalizedEvidenceRun,
+  NormalizedEvidenceResult,
+  NormalizedAutomation,
+  TaskEvidenceSummary,
+} from './evidence-export.types';
+
+interface AppAutomationRun {
+  id: string;
+  checkId: string;
+  checkName: string;
+  status: string;
+  startedAt: Date | null;
+  completedAt: Date | null;
+  durationMs: number | null;
+  totalChecked: number;
+  passedCount: number;
+  failedCount: number;
+  errorMessage: string | null;
+  logs: unknown;
+  createdAt: Date;
+  connection: {
+    provider?: {
+      slug: string;
+      name: string;
+    };
+  };
+  results: Array<{
+    id: string;
+    passed: boolean;
+    resourceType: string;
+    resourceId: string;
+    title: string;
+    description: string | null;
+    severity: string | null;
+    remediation: string | null;
+    evidence: unknown;
+    collectedAt: Date;
+  }>;
+}
+
+interface CustomAutomationRun {
+  id: string;
+  status: string;
+  startedAt: Date | null;
+  completedAt: Date | null;
+  runDuration: number | null;
+  success: boolean | null;
+  error: string | null;
+  logs: unknown;
+  output: unknown;
+  evaluationStatus: string | null;
+  evaluationReason: string | null;
+  createdAt: Date;
+  evidenceAutomation: {
+    id: string;
+    name: string;
+  };
+}
+
+/**
+ * Normalize an app automation run to the unified format
+ */
+export function normalizeAppAutomationRun(
+  run: AppAutomationRun,
+): NormalizedEvidenceRun {
+  return {
+    id: run.id,
+    type: 'app_automation',
+    automationName: run.checkName,
+    automationId: run.checkId,
+    status: normalizeStatus(run.status),
+    startedAt: run.startedAt,
+    completedAt: run.completedAt,
+    durationMs: run.durationMs,
+    totalChecked: run.totalChecked,
+    passedCount: run.passedCount,
+    failedCount: run.failedCount,
+    evaluationStatus: null,
+    evaluationReason: null,
+    logs: run.logs,
+    output: null,
+    error: run.errorMessage,
+    results: run.results.map(normalizeResult),
+    createdAt: run.createdAt,
+  };
+}
+
+/**
+ * Normalize a custom automation run to the unified format
+ */
+export function normalizeCustomAutomationRun(
+  run: CustomAutomationRun,
+): NormalizedEvidenceRun {
+  const hasPassed = run.evaluationStatus === 'pass';
+  const hasFailed = run.evaluationStatus === 'fail';
+
+  return {
+    id: run.id,
+    type: 'custom_automation',
+    automationName: run.evidenceAutomation.name,
+    automationId: run.evidenceAutomation.id,
+    status: normalizeStatus(run.status),
+    startedAt: run.startedAt,
+    completedAt: run.completedAt,
+    durationMs: run.runDuration,
+    totalChecked: hasPassed || hasFailed ? 1 : 0,
+    passedCount: hasPassed ? 1 : 0,
+    failedCount: hasFailed ? 1 : 0,
+    evaluationStatus: run.evaluationStatus as 'pass' | 'fail' | null,
+    evaluationReason: run.evaluationReason,
+    logs: run.logs,
+    output: run.output,
+    error: run.error,
+    results: [],
+    createdAt: run.createdAt,
+  };
+}
+
+/**
+ * Normalize a check result
+ */
+function normalizeResult(result: {
+  id: string;
+  passed: boolean;
+  resourceType: string;
+  resourceId: string;
+  title: string;
+  description: string | null;
+  severity: string | null;
+  remediation: string | null;
+  evidence: unknown;
+  collectedAt: Date;
+}): NormalizedEvidenceResult {
+  return {
+    id: result.id,
+    passed: result.passed,
+    resourceType: result.resourceType,
+    resourceId: result.resourceId,
+    title: result.title,
+    description: result.description,
+    severity: result.severity as
+      | 'info'
+      | 'low'
+      | 'medium'
+      | 'high'
+      | 'critical'
+      | null,
+    remediation: result.remediation,
+    evidence: result.evidence,
+    collectedAt: result.collectedAt,
+  };
+}
+
+/**
+ * Normalize status to unified format
+ */
+function normalizeStatus(
+  status: string,
+): 'success' | 'failed' | 'running' | 'pending' | 'cancelled' {
+  switch (status.toLowerCase()) {
+    case 'success':
+    case 'completed':
+      return 'success';
+    case 'failed':
+    case 'error':
+      return 'failed';
+    case 'running':
+      return 'running';
+    case 'pending':
+      return 'pending';
+    case 'cancelled':
+      return 'cancelled';
+    default:
+      return 'pending';
+  }
+}
+
+/**
+ * Group app automation runs by check
+ */
+export function groupAppAutomationRuns(
+  runs: AppAutomationRun[],
+): NormalizedAutomation[] {
+  const grouped = new Map<string, NormalizedAutomation>();
+
+  for (const run of runs) {
+    const key = run.checkId;
+    const normalized = normalizeAppAutomationRun(run);
+
+    if (!grouped.has(key)) {
+      grouped.set(key, {
+        id: run.checkId,
+        name: run.checkName,
+        type: 'app_automation',
+        integrationName: run.connection.provider?.name,
+        checkId: run.checkId,
+        runs: [],
+        totalRuns: 0,
+        successfulRuns: 0,
+        failedRuns: 0,
+        latestRunAt: null,
+      });
+    }
+
+    const automation = grouped.get(key)!;
+    automation.runs.push(normalized);
+    automation.totalRuns++;
+
+    if (normalized.status === 'success' && normalized.failedCount === 0) {
+      automation.successfulRuns++;
+    } else if (normalized.status === 'failed' || normalized.failedCount > 0) {
+      automation.failedRuns++;
+    }
+
+    if (
+      !automation.latestRunAt ||
+      normalized.createdAt > automation.latestRunAt
+    ) {
+      automation.latestRunAt = normalized.createdAt;
+    }
+  }
+
+  // Sort runs by date descending
+  for (const automation of grouped.values()) {
+    automation.runs.sort(
+      (a, b) => b.createdAt.getTime() - a.createdAt.getTime(),
+    );
+  }
+
+  return Array.from(grouped.values());
+}
+
+/**
+ * Group custom automation runs by automation
+ */
+export function groupCustomAutomationRuns(
+  runs: CustomAutomationRun[],
+): NormalizedAutomation[] {
+  const grouped = new Map<string, NormalizedAutomation>();
+
+  for (const run of runs) {
+    const key = run.evidenceAutomation.id;
+    const normalized = normalizeCustomAutomationRun(run);
+
+    if (!grouped.has(key)) {
+      grouped.set(key, {
+        id: run.evidenceAutomation.id,
+        name: run.evidenceAutomation.name,
+        type: 'custom_automation',
+        runs: [],
+        totalRuns: 0,
+        successfulRuns: 0,
+        failedRuns: 0,
+        latestRunAt: null,
+      });
+    }
+
+    const automation = grouped.get(key)!;
+    automation.runs.push(normalized);
+    automation.totalRuns++;
+
+    if (normalized.evaluationStatus === 'pass') {
+      automation.successfulRuns++;
+    } else if (
+      normalized.evaluationStatus === 'fail' ||
+      normalized.status === 'failed'
+    ) {
+      automation.failedRuns++;
+    }
+
+    if (
+      !automation.latestRunAt ||
+      normalized.createdAt > automation.latestRunAt
+    ) {
+      automation.latestRunAt = normalized.createdAt;
+    }
+  }
+
+  // Sort runs by date descending
+  for (const automation of grouped.values()) {
+    automation.runs.sort(
+      (a, b) => b.createdAt.getTime() - a.createdAt.getTime(),
+    );
+  }
+
+  return Array.from(grouped.values());
+}
+
+/**
+ * Build a task evidence summary from app and custom automation runs
+ */
+export function buildTaskEvidenceSummary(params: {
+  taskId: string;
+  taskTitle: string;
+  organizationId: string;
+  organizationName: string;
+  appAutomationRuns: AppAutomationRun[];
+  customAutomationRuns: CustomAutomationRun[];
+}): TaskEvidenceSummary {
+  const appAutomations = groupAppAutomationRuns(params.appAutomationRuns);
+  const customAutomations = groupCustomAutomationRuns(
+    params.customAutomationRuns,
+  );
+
+  return {
+    taskId: params.taskId,
+    taskTitle: params.taskTitle,
+    organizationId: params.organizationId,
+    organizationName: params.organizationName,
+    automations: [...appAutomations, ...customAutomations],
+    exportedAt: new Date(),
+  };
+}
diff --git a/apps/api/src/tasks/evidence-export/evidence-pdf-generator.spec.ts b/apps/api/src/tasks/evidence-export/evidence-pdf-generator.spec.ts
new file mode 100644
index 000000000..53ba6a939
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/evidence-pdf-generator.spec.ts
@@ -0,0 +1,231 @@
+import {
+  generateAutomationPDF,
+  generateTaskSummaryPDF,
+  sanitizeFilename,
+} from './evidence-pdf-generator';
+import type {
+  NormalizedAutomation,
+  TaskEvidenceSummary,
+} from './evidence-export.types';
+
+describe('Evidence PDF Generator', () => {
+  describe('sanitizeFilename', () => {
+    it('should convert to lowercase and replace special characters', () => {
+      expect(sanitizeFilename('Test Name')).toBe('test-name');
+      expect(sanitizeFilename('MFA Enabled Check!')).toBe('mfa-enabled-check');
+      expect(sanitizeFilename('Test@#$%^&*()Name')).toBe('test-name');
+    });
+
+    it('should trim leading and trailing dashes', () => {
+      expect(sanitizeFilename('---Test---')).toBe('test');
+      expect(sanitizeFilename('  Test  ')).toBe('test');
+    });
+
+    it('should truncate to 50 characters', () => {
+      const longName =
+        'This is a very long automation name that should be truncated to fifty characters';
+      expect(sanitizeFilename(longName).length).toBeLessThanOrEqual(50);
+    });
+
+    it('should handle empty strings with fallback', () => {
+      expect(sanitizeFilename('')).toBe('export');
+    });
+
+    it('should handle non-ASCII only names with fallback', () => {
+      expect(sanitizeFilename('日本語会社')).toBe('export');
+      expect(sanitizeFilename('شركة عربية')).toBe('export');
+    });
+  });
+
+  describe('generateAutomationPDF', () => {
+    it('should generate a PDF buffer for an app automation', () => {
+      const automation: NormalizedAutomation = {
+        id: 'mfa-check',
+        name: 'MFA Enabled Check',
+        type: 'app_automation',
+        integrationName: 'Google Workspace',
+        checkId: 'mfa-check',
+        runs: [
+          {
+            id: 'icr_123',
+            type: 'app_automation',
+            automationName: 'MFA Enabled Check',
+            automationId: 'mfa-check',
+            status: 'success',
+            startedAt: new Date('2024-01-15T10:00:00Z'),
+            completedAt: new Date('2024-01-15T10:00:05Z'),
+            durationMs: 5000,
+            totalChecked: 10,
+            passedCount: 9,
+            failedCount: 1,
+            evaluationStatus: null,
+            evaluationReason: null,
+            logs: null,
+            output: null,
+            error: null,
+            results: [
+              {
+                id: 'icx_1',
+                passed: true,
+                resourceType: 'user',
+                resourceId: 'user@example.com',
+                title: 'MFA Enabled',
+                description: 'User has MFA enabled',
+                severity: null,
+                remediation: null,
+                evidence: { mfaEnabled: true },
+                collectedAt: new Date('2024-01-15T10:00:05Z'),
+              },
+            ],
+            createdAt: new Date('2024-01-15T10:00:00Z'),
+          },
+        ],
+        totalRuns: 1,
+        successfulRuns: 1,
+        failedRuns: 0,
+        latestRunAt: new Date('2024-01-15T10:00:00Z'),
+      };
+
+      const context = {
+        organizationName: 'Test Organization',
+        taskTitle: 'Implement MFA',
+      };
+
+      const pdfBuffer = generateAutomationPDF(automation, context);
+
+      expect(pdfBuffer).toBeInstanceOf(Buffer);
+      expect(pdfBuffer.length).toBeGreaterThan(0);
+
+      // Check that it's a valid PDF by checking the header
+      const header = pdfBuffer.slice(0, 5).toString('ascii');
+      expect(header).toBe('%PDF-');
+    });
+
+    it('should generate a PDF buffer for a custom automation', () => {
+      const automation: NormalizedAutomation = {
+        id: 'ea_123',
+        name: 'Custom Evidence Collection',
+        type: 'custom_automation',
+        runs: [
+          {
+            id: 'ear_123',
+            type: 'custom_automation',
+            automationName: 'Custom Evidence Collection',
+            automationId: 'ea_123',
+            status: 'success',
+            startedAt: new Date('2024-01-15T10:00:00Z'),
+            completedAt: new Date('2024-01-15T10:01:00Z'),
+            durationMs: 60000,
+            totalChecked: 1,
+            passedCount: 1,
+            failedCount: 0,
+            evaluationStatus: 'pass',
+            evaluationReason: 'All evidence collected successfully',
+            logs: 'Execution completed',
+            output: { data: 'test output' },
+            error: null,
+            results: [],
+            createdAt: new Date('2024-01-15T10:00:00Z'),
+          },
+        ],
+        totalRuns: 1,
+        successfulRuns: 1,
+        failedRuns: 0,
+        latestRunAt: new Date('2024-01-15T10:00:00Z'),
+      };
+
+      const context = {
+        organizationName: 'Test Organization',
+        taskTitle: 'Collect Evidence',
+      };
+
+      const pdfBuffer = generateAutomationPDF(automation, context);
+
+      expect(pdfBuffer).toBeInstanceOf(Buffer);
+      expect(pdfBuffer.length).toBeGreaterThan(0);
+    });
+
+    it('should handle automations with no runs', () => {
+      const automation: NormalizedAutomation = {
+        id: 'empty-check',
+        name: 'Empty Check',
+        type: 'app_automation',
+        runs: [],
+        totalRuns: 0,
+        successfulRuns: 0,
+        failedRuns: 0,
+        latestRunAt: null,
+      };
+
+      const context = {
+        organizationName: 'Test Organization',
+        taskTitle: 'Test Task',
+      };
+
+      const pdfBuffer = generateAutomationPDF(automation, context);
+
+      expect(pdfBuffer).toBeInstanceOf(Buffer);
+      expect(pdfBuffer.length).toBeGreaterThan(0);
+    });
+  });
+
+  describe('generateTaskSummaryPDF', () => {
+    it('should generate a summary PDF for a task with multiple automations', () => {
+      const summary: TaskEvidenceSummary = {
+        taskId: 'tsk_123',
+        taskTitle: 'Implement Security Controls',
+        organizationId: 'org_123',
+        organizationName: 'Test Organization',
+        automations: [
+          {
+            id: 'mfa-check',
+            name: 'MFA Enabled Check',
+            type: 'app_automation',
+            integrationName: 'Google Workspace',
+            runs: [],
+            totalRuns: 5,
+            successfulRuns: 4,
+            failedRuns: 1,
+            latestRunAt: new Date('2024-01-15T10:00:00Z'),
+          },
+          {
+            id: 'ea_123',
+            name: 'Custom Evidence Collection',
+            type: 'custom_automation',
+            runs: [],
+            totalRuns: 3,
+            successfulRuns: 3,
+            failedRuns: 0,
+            latestRunAt: new Date('2024-01-16T10:00:00Z'),
+          },
+        ],
+        exportedAt: new Date('2024-01-17T10:00:00Z'),
+      };
+
+      const pdfBuffer = generateTaskSummaryPDF(summary);
+
+      expect(pdfBuffer).toBeInstanceOf(Buffer);
+      expect(pdfBuffer.length).toBeGreaterThan(0);
+
+      // Check that it's a valid PDF
+      const header = pdfBuffer.slice(0, 5).toString('ascii');
+      expect(header).toBe('%PDF-');
+    });
+
+    it('should handle tasks with no automations', () => {
+      const summary: TaskEvidenceSummary = {
+        taskId: 'tsk_123',
+        taskTitle: 'Empty Task',
+        organizationId: 'org_123',
+        organizationName: 'Test Organization',
+        automations: [],
+        exportedAt: new Date('2024-01-17T10:00:00Z'),
+      };
+
+      const pdfBuffer = generateTaskSummaryPDF(summary);
+
+      expect(pdfBuffer).toBeInstanceOf(Buffer);
+      expect(pdfBuffer.length).toBeGreaterThan(0);
+    });
+  });
+});
diff --git a/apps/api/src/tasks/evidence-export/evidence-pdf-generator.ts b/apps/api/src/tasks/evidence-export/evidence-pdf-generator.ts
new file mode 100644
index 000000000..7f8653b67
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/evidence-pdf-generator.ts
@@ -0,0 +1,603 @@
+/**
+ * Evidence PDF Generator
+ * Generates PDF documents for automation evidence export
+ */
+
+import { jsPDF } from 'jspdf';
+import { format } from 'date-fns';
+import { inspect } from 'node:util';
+import stringify from 'safe-stable-stringify';
+import { redactSensitiveData } from './evidence-redaction';
+import type {
+  NormalizedAutomation,
+  TaskEvidenceSummary,
+} from './evidence-export.types';
+
+interface PDFConfig {
+  doc: jsPDF;
+  pageWidth: number;
+  pageHeight: number;
+  margin: number;
+  contentWidth: number;
+  lineHeight: number;
+  defaultFontSize: number;
+  yPosition: number;
+}
+
+/**
+ * Clean text for safe PDF rendering
+ */
+function cleanTextForPDF(text: string): string {
+  if (!text) return '';
+
+  // Strip invisible/control unicode chars
+  const stripped = text
+    .replace(/\u00AD/g, '')
+    .replace(/[\u200B-\u200F]/g, '')
+    .replace(/[\u202A-\u202E]/g, '')
+    .replace(/[\u2060-\u206F]/g, '')
+    .replace(/\uFEFF/g, '')
+    .replace(/\uFFFD/g, '');
+
+  // Replace problematic characters
+  const replacements: Record<string, string> = {
+    '\u2018': "'",
+    '\u2019': "'",
+    '\u201C': '"',
+    '\u201D': '"',
+    '\u2013': '-',
+    '\u2014': '-',
+    '\u2026': '...',
+    '\u00A0': ' ',
+    '\u2022': '*',
+  };
+
+  let cleaned = stripped;
+  for (const [unicode, replacement] of Object.entries(replacements)) {
+    cleaned = cleaned.replace(new RegExp(unicode, 'g'), replacement);
+  }
+
+  return cleaned;
+}
+
+/**
+ * Check and handle page breaks
+ */
+function checkPageBreak(
+  config: PDFConfig,
+  requiredHeight: number = config.lineHeight,
+): void {
+  if (config.yPosition + requiredHeight > config.pageHeight - config.margin) {
+    config.doc.addPage();
+    config.yPosition = config.margin;
+  }
+}
+
+/**
+ * Add text with word wrapping
+ */
+function addText(
+  config: PDFConfig,
+  text: string,
+  options: {
+    fontSize?: number;
+    bold?: boolean;
+    color?: [number, number, number];
+    indent?: number;
+  } = {},
+): void {
+  const {
+    fontSize = config.defaultFontSize,
+    bold = false,
+    color = [0, 0, 0],
+    indent = 0,
+  } = options;
+
+  const cleanText = cleanTextForPDF(text);
+  config.doc.setFontSize(fontSize);
+  config.doc.setTextColor(color[0], color[1], color[2]);
+  config.doc.setFont('helvetica', bold ? 'bold' : 'normal');
+
+  const lines: string[] = config.doc.splitTextToSize(
+    cleanText,
+    config.contentWidth - indent,
+  ) as string[];
+
+  for (const line of lines) {
+    checkPageBreak(config);
+    config.doc.text(line, config.margin + indent, config.yPosition);
+    config.yPosition += config.lineHeight;
+  }
+}
+
+/**
+ * Add a section header
+ */
+function addSectionHeader(config: PDFConfig, title: string): void {
+  config.yPosition += config.lineHeight;
+  checkPageBreak(config, config.lineHeight * 2);
+  addText(config, title, { fontSize: 12, bold: true });
+  config.yPosition += config.lineHeight * 0.5;
+}
+
+/**
+ * Add a horizontal line separator
+ */
+function addSeparator(config: PDFConfig): void {
+  checkPageBreak(config);
+  config.doc.setDrawColor(200, 200, 200);
+  config.doc.setLineWidth(0.3);
+  config.doc.line(
+    config.margin,
+    config.yPosition,
+    config.margin + config.contentWidth,
+    config.yPosition,
+  );
+  config.yPosition += config.lineHeight;
+}
+
+/**
+ * Format JSON for display in PDF
+ */
+const MAX_INSPECT_DEPTH = 4;
+
+const safeStringify = stringify.configure({
+  bigint: true,
+  circularValue: '[Circular]',
+});
+
+function safeJsonStringify(data: unknown): string | null {
+  try {
+    return (
+      safeStringify(
+      data,
+      (_key, value) => {
+        if (value instanceof Date) {
+          return value.toISOString();
+        }
+        if (value instanceof Error) {
+          return {
+            name: value.name,
+            message: value.message,
+            stack: value.stack,
+          };
+        }
+        if (value instanceof Map) {
+          return { type: 'Map', entries: Array.from(value.entries()) };
+        }
+        if (value instanceof Set) {
+          return { type: 'Set', values: Array.from(value.values()) };
+        }
+        if (typeof value === 'function') {
+          return `[Function ${value.name || 'anonymous'}]`;
+        }
+        if (typeof value === 'symbol') {
+          return value.toString();
+        }
+        return value;
+      },
+        2,
+      ) ?? null
+    );
+  } catch {
+    return null;
+  }
+}
+
+function formatJsonForPDF(data: unknown): string {
+  const redacted = redactSensitiveData(data);
+
+  if (redacted === null || redacted === undefined) return 'N/A';
+
+  if (typeof redacted === 'string') {
+    return redacted;
+  }
+
+  if (typeof redacted === 'number' || typeof redacted === 'boolean') {
+    return String(redacted);
+  }
+
+  if (typeof redacted === 'bigint') {
+    return redacted.toString();
+  }
+
+  const json = safeJsonStringify(redacted);
+  if (json !== null && json !== undefined) {
+    return json;
+  }
+
+  const inspected = inspect(redacted, {
+    depth: MAX_INSPECT_DEPTH,
+    breakLength: 80,
+    maxArrayLength: 50,
+  });
+
+  return inspected;
+}
+
+/**
+ * Add page numbers to all pages
+ */
+function addPageNumbers(config: PDFConfig): void {
+  const totalPages = config.doc.internal.pages.length - 1;
+  for (let i = 1; i <= totalPages; i++) {
+    config.doc.setPage(i);
+    config.doc.setFontSize(8);
+    config.doc.setFont('helvetica', 'normal');
+    config.doc.setTextColor(128, 128, 128);
+    config.doc.text(
+      `Page ${i} of ${totalPages}`,
+      config.pageWidth - config.margin - 25,
+      config.pageHeight - 10,
+    );
+  }
+}
+
+/**
+ * Generate PDF for a single automation
+ */
+export function generateAutomationPDF(
+  automation: NormalizedAutomation,
+  context: {
+    organizationName: string;
+    taskTitle: string;
+  },
+): Buffer {
+  const doc = new jsPDF();
+  const config: PDFConfig = {
+    doc,
+    pageWidth: doc.internal.pageSize.getWidth(),
+    pageHeight: doc.internal.pageSize.getHeight(),
+    margin: 20,
+    contentWidth: doc.internal.pageSize.getWidth() - 40,
+    lineHeight: 6,
+    defaultFontSize: 10,
+    yPosition: 20,
+  };
+
+  // Header
+  addText(config, context.organizationName, { fontSize: 14, bold: true });
+  config.yPosition += config.lineHeight * 0.5;
+  addText(config, `Task: ${context.taskTitle}`, { fontSize: 11 });
+  config.yPosition += config.lineHeight;
+
+  // Automation title
+  const typeLabel =
+    automation.type === 'app_automation'
+      ? 'App Automation'
+      : 'Custom Automation';
+  addText(config, `${typeLabel}: ${automation.name}`, {
+    fontSize: 13,
+    bold: true,
+  });
+
+  if (automation.integrationName) {
+    addText(config, `Integration: ${automation.integrationName}`, {
+      fontSize: 10,
+      color: [100, 100, 100],
+    });
+  }
+
+  config.yPosition += config.lineHeight;
+
+  // Export timestamp
+  addText(config, `Exported: ${format(new Date(), 'PPpp')}`, {
+    fontSize: 9,
+    color: [128, 128, 128],
+  });
+
+  addSeparator(config);
+
+  // Summary section
+  addSectionHeader(config, 'Summary');
+  addText(config, `Total Runs: ${automation.totalRuns}`);
+  addText(config, `Successful: ${automation.successfulRuns}`);
+  addText(config, `Failed: ${automation.failedRuns}`);
+
+  if (automation.latestRunAt) {
+    addText(config, `Latest Run: ${format(automation.latestRunAt, 'PPpp')}`);
+  }
+
+  addSeparator(config);
+
+  // Runs section
+  addSectionHeader(config, 'Run History');
+
+  for (const run of automation.runs) {
+    checkPageBreak(config, config.lineHeight * 8);
+
+    // Run header
+    const statusColor = getStatusColor(run.status, run.failedCount > 0);
+    addText(config, `Run: ${format(run.createdAt, 'PPpp')}`, {
+      fontSize: 10,
+      bold: true,
+    });
+    addText(config, `Status: ${run.status.toUpperCase()}`, {
+      fontSize: 9,
+      color: statusColor,
+    });
+
+    if (run.durationMs) {
+      addText(config, `Duration: ${run.durationMs}ms`, { fontSize: 9 });
+    }
+
+    // Metrics
+    if (run.type === 'app_automation') {
+      addText(
+        config,
+        `Checked: ${run.totalChecked} | Passed: ${run.passedCount} | Failed: ${run.failedCount}`,
+        { fontSize: 9 },
+      );
+    } else if (run.evaluationStatus) {
+      addText(config, `Evaluation: ${run.evaluationStatus.toUpperCase()}`, {
+        fontSize: 9,
+        color: run.evaluationStatus === 'pass' ? [0, 128, 0] : [200, 0, 0],
+      });
+      if (run.evaluationReason) {
+        addText(config, `Reason: ${run.evaluationReason}`, {
+          fontSize: 9,
+          indent: 10,
+        });
+      }
+    }
+
+    // Error
+    if (run.error) {
+      config.yPosition += config.lineHeight * 0.5;
+      addText(config, 'Error:', {
+        fontSize: 9,
+        bold: true,
+        color: [200, 0, 0],
+      });
+      addText(config, run.error, {
+        fontSize: 8,
+        color: [150, 0, 0],
+        indent: 10,
+      });
+    }
+
+    // Output (for custom automations)
+    if (run.output) {
+      config.yPosition += config.lineHeight * 0.5;
+      addText(config, 'Output:', { fontSize: 9, bold: true });
+      const outputText = formatJsonForPDF(run.output);
+      addMonospaceText(config, outputText);
+    }
+
+    // Logs
+    if (run.logs) {
+      config.yPosition += config.lineHeight * 0.5;
+      addText(config, 'Logs:', { fontSize: 9, bold: true });
+      const logsText = formatJsonForPDF(run.logs);
+      addMonospaceText(config, logsText);
+    }
+
+    // Results (for app automations)
+    if (run.results.length > 0) {
+      config.yPosition += config.lineHeight * 0.5;
+      addText(config, `Results (${run.results.length}):`, {
+        fontSize: 9,
+        bold: true,
+      });
+
+      for (const result of run.results) {
+        checkPageBreak(config, config.lineHeight * 5);
+
+        const resultIcon = result.passed ? '[PASS]' : '[FAIL]';
+        const resultColor: [number, number, number] = result.passed
+          ? [0, 100, 0]
+          : [180, 0, 0];
+
+        addText(config, `${resultIcon} ${result.title}`, {
+          fontSize: 9,
+          bold: true,
+          color: resultColor,
+          indent: 10,
+        });
+
+        addText(
+          config,
+          `Resource: ${result.resourceType}/${result.resourceId}`,
+          {
+            fontSize: 8,
+            indent: 15,
+          },
+        );
+
+        if (result.description) {
+          addText(config, result.description, { fontSize: 8, indent: 15 });
+        }
+
+        if (result.severity) {
+          addText(config, `Severity: ${result.severity}`, {
+            fontSize: 8,
+            indent: 15,
+          });
+        }
+
+        if (result.remediation) {
+          addText(config, `Remediation: ${result.remediation}`, {
+            fontSize: 8,
+            indent: 15,
+          });
+        }
+
+        if (result.evidence) {
+          addText(config, 'Evidence:', { fontSize: 8, bold: true, indent: 15 });
+          const evidenceText = formatJsonForPDF(result.evidence);
+          addMonospaceText(config, evidenceText, 20);
+        }
+
+        config.yPosition += config.lineHeight * 0.5;
+      }
+    }
+
+    config.yPosition += config.lineHeight;
+    addSeparator(config);
+  }
+
+  addPageNumbers(config);
+
+  return Buffer.from(doc.output('arraybuffer'));
+}
+
+/**
+ * Add monospace text block for JSON/logs
+ */
+function addMonospaceText(
+  config: PDFConfig,
+  text: string,
+  indent: number = 10,
+): void {
+  const monospaceLineHeight = 4;
+  const textWidth = config.contentWidth - indent - 4;
+
+  config.doc.setFontSize(7);
+  config.doc.setFont('courier', 'normal');
+  config.doc.setTextColor(60, 60, 60);
+
+  const lines = text.split('\n');
+
+  for (const line of lines) {
+    const wrappedLines = config.doc.splitTextToSize(
+      line,
+      textWidth,
+    ) as string[];
+
+    for (const wrappedLine of wrappedLines) {
+      checkPageBreak(config, monospaceLineHeight + 2);
+      config.doc.setFillColor(245, 245, 245);
+      config.doc.rect(
+        config.margin + indent,
+        config.yPosition - 2,
+        textWidth + 2,
+        monospaceLineHeight + 2,
+        'F',
+      );
+      config.doc.text(
+        cleanTextForPDF(wrappedLine),
+        config.margin + indent + 2,
+        config.yPosition + 2,
+      );
+      config.yPosition += monospaceLineHeight;
+    }
+  }
+
+  config.yPosition += config.lineHeight * 0.5;
+
+  // Reset font
+  config.doc.setFont('helvetica', 'normal');
+  config.doc.setFontSize(config.defaultFontSize);
+}
+
+/**
+ * Get color for status display
+ */
+function getStatusColor(
+  status: string,
+  hasFailed: boolean,
+): [number, number, number] {
+  if (status === 'failed' || hasFailed) {
+    return [180, 0, 0];
+  }
+  if (status === 'success') {
+    return [0, 100, 0];
+  }
+  if (status === 'running') {
+    return [0, 100, 180];
+  }
+  return [100, 100, 100];
+}
+
+/**
+ * Generate a summary PDF for a task with all automations
+ */
+export function generateTaskSummaryPDF(summary: TaskEvidenceSummary): Buffer {
+  const doc = new jsPDF();
+  const config: PDFConfig = {
+    doc,
+    pageWidth: doc.internal.pageSize.getWidth(),
+    pageHeight: doc.internal.pageSize.getHeight(),
+    margin: 20,
+    contentWidth: doc.internal.pageSize.getWidth() - 40,
+    lineHeight: 6,
+    defaultFontSize: 10,
+    yPosition: 20,
+  };
+
+  // Header
+  addText(config, summary.organizationName, { fontSize: 16, bold: true });
+  config.yPosition += config.lineHeight;
+  addText(config, 'Evidence Export Summary', { fontSize: 14 });
+  config.yPosition += config.lineHeight;
+  addText(config, `Task: ${summary.taskTitle}`, { fontSize: 12 });
+  config.yPosition += config.lineHeight * 0.5;
+  addText(config, `Exported: ${format(summary.exportedAt, 'PPpp')}`, {
+    fontSize: 9,
+    color: [128, 128, 128],
+  });
+
+  addSeparator(config);
+
+  // Automations overview
+  addSectionHeader(config, 'Automations Overview');
+
+  const appAutomations = summary.automations.filter(
+    (a) => a.type === 'app_automation',
+  );
+  const customAutomations = summary.automations.filter(
+    (a) => a.type === 'custom_automation',
+  );
+
+  addText(config, `Total Automations: ${summary.automations.length}`);
+  addText(config, `App Automations: ${appAutomations.length}`);
+  addText(config, `Custom Automations: ${customAutomations.length}`);
+
+  config.yPosition += config.lineHeight;
+
+  // List each automation with summary
+  for (const automation of summary.automations) {
+    checkPageBreak(config, config.lineHeight * 4);
+
+    const typeLabel =
+      automation.type === 'app_automation' ? '[APP]' : '[CUSTOM]';
+
+    addText(config, `${typeLabel} ${automation.name}`, {
+      fontSize: 10,
+      bold: true,
+    });
+    addText(
+      config,
+      `  Runs: ${automation.totalRuns} | Passed: ${automation.successfulRuns} | Failed: ${automation.failedRuns}`,
+      { fontSize: 9 },
+    );
+
+    if (automation.latestRunAt) {
+      addText(config, `  Last Run: ${format(automation.latestRunAt, 'PPpp')}`, {
+        fontSize: 9,
+        color: [100, 100, 100],
+      });
+    }
+
+    config.yPosition += config.lineHeight * 0.5;
+  }
+
+  addPageNumbers(config);
+
+  return Buffer.from(doc.output('arraybuffer'));
+}
+
+/**
+ * Sanitize filename for safe file system usage
+ * Falls back to 'export' if name contains only non-ASCII characters
+ */
+export function sanitizeFilename(name: string): string {
+  const sanitized = name
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .slice(0, 50);
+
+  // Fallback for names with only non-ASCII characters (e.g., Japanese, Arabic)
+  return sanitized || 'export';
+}
diff --git a/apps/api/src/tasks/evidence-export/evidence-redaction.ts b/apps/api/src/tasks/evidence-export/evidence-redaction.ts
new file mode 100644
index 000000000..e4e70cd39
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/evidence-redaction.ts
@@ -0,0 +1,135 @@
+/**
+ * Evidence Redaction
+ * Redacts sensitive values from evidence data while preserving structure.
+ */
+
+const DEFAULT_SENSITIVE_KEYS = [
+  'password',
+  'passphrase',
+  'secret',
+  'token',
+  'access_token',
+  'refresh_token',
+  'id_token',
+  'api_key',
+  'apikey',
+  'client_secret',
+  'authorization',
+  'cookie',
+  'set-cookie',
+  'private_key',
+  'ssh_key',
+  'bearer',
+  'session',
+  'sessionid',
+];
+
+const DEFAULT_VALUE_PATTERNS: RegExp[] = [
+  /^Bearer\s+[A-Za-z0-9\-_.=]+$/i,
+  /^eyJ[A-Za-z0-9-_]+?\.[A-Za-z0-9-_]+?\.[A-Za-z0-9-_]+$/,
+  /^sk_(live|test)_/i,
+  /^gh[pousr]_/i,
+];
+
+interface RedactionOptions {
+  redactKeys?: string[];
+  redactValuePatterns?: RegExp[];
+}
+
+function isSensitiveKey(key: string, sensitiveKeys: string[]): boolean {
+  const lowerKey = key.toLowerCase();
+  return sensitiveKeys.some((sensitiveKey) => lowerKey.includes(sensitiveKey));
+}
+
+function shouldRedactValue(value: string, patterns: RegExp[]): boolean {
+  return patterns.some((pattern) => pattern.test(value));
+}
+
+export function redactSensitiveData(
+  data: unknown,
+  options: RedactionOptions = {},
+): unknown {
+  const sensitiveKeys = options.redactKeys ?? DEFAULT_SENSITIVE_KEYS;
+  const valuePatterns = options.redactValuePatterns ?? DEFAULT_VALUE_PATTERNS;
+  const seen = new WeakMap<object, unknown>();
+
+  function redact(value: unknown): unknown {
+    if (value === null || value === undefined) {
+      return value;
+    }
+
+    if (typeof value === 'string') {
+      return shouldRedactValue(value, valuePatterns) ? '[REDACTED]' : value;
+    }
+
+    if (typeof value !== 'object') {
+      return value;
+    }
+
+    if (value instanceof Date || value instanceof Error) {
+      return value;
+    }
+
+    // Check for circular references BEFORE processing any object type
+    if (seen.has(value)) {
+      return '[Circular]';
+    }
+
+    if (value instanceof Map) {
+      const result: [unknown, unknown][] = [];
+      seen.set(value, result);
+      for (const [key, mapValue] of value.entries()) {
+        // Check if the key is sensitive (only for string keys)
+        if (typeof key === 'string' && isSensitiveKey(key, sensitiveKeys)) {
+          result.push([key, '[REDACTED]']);
+        } else if (typeof mapValue === 'string' && shouldRedactValue(mapValue, valuePatterns)) {
+          result.push([key, '[REDACTED]']);
+        } else {
+          result.push([key, redact(mapValue)]);
+        }
+      }
+      return result;
+    }
+
+    if (value instanceof Set) {
+      const result: unknown[] = [];
+      seen.set(value, result);
+      for (const item of value.values()) {
+        result.push(redact(item));
+      }
+      return result;
+    }
+
+    if (Array.isArray(value)) {
+      const redactedArray: unknown[] = [];
+      seen.set(value, redactedArray);
+      for (const item of value) {
+        redactedArray.push(redact(item));
+      }
+      return redactedArray;
+    }
+
+    const redactedObject: Record<string, unknown> = {};
+    seen.set(value, redactedObject);
+
+    for (const [key, objectValue] of Object.entries(value)) {
+      if (isSensitiveKey(key, sensitiveKeys)) {
+        redactedObject[key] = '[REDACTED]';
+        continue;
+      }
+
+      if (typeof objectValue === 'string') {
+        redactedObject[key] = shouldRedactValue(objectValue, valuePatterns)
+          ? '[REDACTED]'
+          : objectValue;
+        continue;
+      }
+
+      redactedObject[key] = redact(objectValue);
+    }
+
+    return redactedObject;
+  }
+
+  return redact(data);
+}
diff --git a/apps/api/src/tasks/evidence-export/index.ts b/apps/api/src/tasks/evidence-export/index.ts
new file mode 100644
index 000000000..002b9e8e9
--- /dev/null
+++ b/apps/api/src/tasks/evidence-export/index.ts
@@ -0,0 +1,7 @@
+export * from './evidence-export.types';
+export * from './evidence-normalizer';
+export * from './evidence-pdf-generator';
+export * from './evidence-export.service';
+export * from './evidence-export.controller';
+export * from './evidence-export.module';
+export * from './evidence-redaction';
diff --git a/apps/api/src/tasks/task-notifier.service.ts b/apps/api/src/tasks/task-notifier.service.ts
new file mode 100644
index 000000000..e37bf8158
--- /dev/null
+++ b/apps/api/src/tasks/task-notifier.service.ts
@@ -0,0 +1,831 @@
+import { db } from '@db';
+import { Injectable, Logger } from '@nestjs/common';
+import { TaskStatus } from '@db';
+import { isUserUnsubscribed } from '@trycompai/email';
+import { sendEmail } from '../email/resend';
+import { TaskBulkStatusChangedEmail } from '../email/templates/task-bulk-status-changed';
+import { TaskBulkAssigneeChangedEmail } from '../email/templates/task-bulk-assignee-changed';
+import { TaskStatusChangedEmail } from '../email/templates/task-status-changed';
+import { TaskAssigneeChangedEmail } from '../email/templates/task-assignee-changed';
+import { NovuService } from '../notifications/novu.service';
+
+const BULK_TASK_WORKFLOW_ID = 'evidence-bulk-updated';
+const TASK_WORKFLOW_ID = 'evidence-updated';
+
+@Injectable()
+export class TaskNotifierService {
+  private readonly logger = new Logger(TaskNotifierService.name);
+
+  constructor(private readonly novuService: NovuService) {}
+
+  async notifyBulkStatusChange(params: {
+    organizationId: string;
+    taskIds: string[];
+    newStatus: TaskStatus;
+    changedByUserId: string;
+  }): Promise<void> {
+    const { organizationId, taskIds, newStatus, changedByUserId } = params;
+
+    try {
+      const [organization, changedByUser, tasks, allMembers] = await Promise.all([
+        db.organization.findUnique({
+          where: { id: organizationId },
+          select: { name: true },
+        }),
+        db.user.findUnique({
+          where: { id: changedByUserId },
+          select: { name: true, email: true },
+        }),
+        db.task.findMany({
+          where: {
+            id: { in: taskIds },
+            organizationId,
+          },
+          select: {
+            id: true,
+            title: true,
+            assigneeId: true,
+            assignee: {
+              select: {
+                id: true,
+                user: {
+                  select: {
+                    id: true,
+                    name: true,
+                    email: true,
+                  },
+                },
+              },
+            },
+          },
+        }),
+        db.member.findMany({
+          where: {
+            organizationId,
+            deactivated: false,
+          },
+          select: {
+            id: true,
+            role: true,
+            user: {
+              select: {
+                id: true,
+                name: true,
+                email: true,
+              },
+            },
+          },
+        }),
+      ]);
+
+      // Filter for admins/owners (roles can be comma-separated, e.g., "admin,auditor")
+      const adminMembers = allMembers.filter(
+        (member) => member.role && (member.role.includes('admin') || member.role.includes('owner')),
+      );
+
+      this.logger.debug(
+        `[notifyBulkStatusChange] Found ${allMembers.length} total members, ${adminMembers.length} admins/owners for organization ${organizationId}`,
+      );
+
+      const organizationName = organization?.name ?? 'your organization';
+      const changedByName =
+        changedByUser?.name?.trim() || changedByUser?.email?.trim() || 'Someone';
+
+      // Build recipient list: unique assignees + admins, excluding actor
+      const recipientMap = new Map<string, { id: string; name: string; email: string }>();
+
+      // Add assignees from affected tasks
+      for (const task of tasks) {
+        if (task.assignee?.user?.id && task.assignee.user.email) {
+          const userId = task.assignee.user.id;
+          if (userId !== changedByUserId) {
+            recipientMap.set(userId, {
+              id: userId,
+              name: task.assignee.user.name?.trim() || task.assignee.user.email?.trim() || 'User',
+              email: task.assignee.user.email,
+            });
+          }
+        }
+      }
+
+      // Add admin members
+      for (const member of adminMembers) {
+        if (member.user?.id && member.user.email) {
+          const userId = member.user.id;
+          if (userId !== changedByUserId) {
+            recipientMap.set(userId, {
+              id: userId,
+              name: member.user.name?.trim() || member.user.email?.trim() || 'User',
+              email: member.user.email,
+            });
+          }
+        }
+      }
+
+      this.logger.debug(
+        `[notifyBulkStatusChange] Found ${allMembers.length} total members, ${adminMembers.length} admins/owners for organization ${organizationId}`,
+      );
+
+      const recipients = Array.from(recipientMap.values());
+      const taskCount = tasks.length;
+      const statusLabel = newStatus.replace('_', ' ');
+
+      const appUrl =
+        process.env.NEXT_PUBLIC_APP_URL ??
+        process.env.BETTER_AUTH_URL ??
+        'https://app.trycomp.ai';
+      const tasksUrl = `${appUrl}/${organizationId}/tasks`;
+
+      this.logger.log(
+        `Sending bulk status change notifications to ${recipients.length} recipients for ${taskCount} task(s)`,
+      );
+
+      // Send notifications to each recipient
+      await Promise.allSettled(
+        recipients.map(async (recipient) => {
+          const isUnsubscribed = await isUserUnsubscribed(
+            db,
+            recipient.email,
+            'taskAssignments',
+          );
+
+          if (isUnsubscribed) {
+            this.logger.log(
+              `Skipping notification: user ${recipient.email} is unsubscribed from task assignments`,
+            );
+            return;
+          }
+
+          // Send email notification
+          try {
+            const { id } = await sendEmail({
+              to: recipient.email,
+              subject: `${taskCount} task${taskCount === 1 ? '' : 's'} status changed to ${statusLabel}`,
+              react: TaskBulkStatusChangedEmail({
+                toName: recipient.name,
+                toEmail: recipient.email,
+                taskCount,
+                newStatus: statusLabel,
+                changedByName,
+                organizationName,
+                tasksUrl,
+              }),
+              system: true,
+            });
+
+            this.logger.log(
+              `Bulk status change email sent to ${recipient.email} (ID: ${id})`,
+            );
+          } catch (error) {
+            this.logger.error(
+              `Failed to send bulk status change email to ${recipient.email}:`,
+              error instanceof Error ? error.message : 'Unknown error',
+            );
+          }
+
+          // Send in-app notification
+          try {
+            const title = `${taskCount} task${taskCount === 1 ? '' : 's'} status changed`;
+            const message = `${changedByName} changed the status of ${taskCount} task${taskCount === 1 ? '' : 's'} to ${statusLabel} in ${organizationName}`;
+            
+            await this.novuService.trigger({
+              workflowId: BULK_TASK_WORKFLOW_ID,
+              subscriberId: `${recipient.id}-${organizationId}`,
+              email: recipient.email,
+              payload: {
+                title,
+                message,
+                url: tasksUrl,
+              },
+            });
+
+            this.logger.log(
+              `[NOVU] Bulk status change in-app notification sent to ${recipient.id}`,
+            );
+          } catch (error) {
+            this.logger.error(
+              `[NOVU] Failed to send bulk status change in-app notification to ${recipient.id}:`,
+              error instanceof Error ? error.message : 'Unknown error',
+            );
+          }
+        }),
+      );
+    } catch (error) {
+      this.logger.error('Failed to send bulk status change notifications', error as Error);
+    }
+  }
+
+  async notifyBulkAssigneeChange(params: {
+    organizationId: string;
+    taskIds: string[];
+    newAssigneeId: string | null;
+    changedByUserId: string;
+  }): Promise<void> {
+    const { organizationId, taskIds, newAssigneeId, changedByUserId } = params;
+
+    try {
+      const [organization, changedByUser, tasks, allMembers, newAssigneeMember] =
+        await Promise.all([
+          db.organization.findUnique({
+            where: { id: organizationId },
+            select: { name: true },
+          }),
+          db.user.findUnique({
+            where: { id: changedByUserId },
+            select: { name: true, email: true },
+          }),
+          db.task.findMany({
+            where: {
+              id: { in: taskIds },
+              organizationId,
+            },
+            select: {
+              id: true,
+              title: true,
+            },
+          }),
+          db.member.findMany({
+            where: {
+              organizationId,
+              deactivated: false,
+            },
+            select: {
+              id: true,
+              role: true,
+              user: {
+                select: {
+                  id: true,
+                  name: true,
+                  email: true,
+                },
+              },
+            },
+          }),
+          newAssigneeId
+            ? db.member.findUnique({
+                where: { id: newAssigneeId },
+                select: {
+                  user: {
+                    select: {
+                      id: true,
+                      name: true,
+                      email: true,
+                    },
+                  },
+                },
+              })
+            : Promise.resolve(null),
+        ]);
+
+      // Filter for admins/owners (roles can be comma-separated, e.g., "admin,auditor")
+      const adminMembers = allMembers.filter(
+        (member) => member.role && (member.role.includes('admin') || member.role.includes('owner')),
+      );
+
+      this.logger.debug(
+        `[notifyBulkAssigneeChange] Found ${allMembers.length} total members, ${adminMembers.length} admins/owners for organization ${organizationId}`,
+      );
+
+      const organizationName = organization?.name ?? 'your organization';
+      const changedByName =
+        changedByUser?.name?.trim() || changedByUser?.email?.trim() || 'Someone';
+      const newAssigneeName = newAssigneeMember?.user
+        ? newAssigneeMember.user.name?.trim() ||
+          newAssigneeMember.user.email?.trim() ||
+          'Unassigned'
+        : 'Unassigned';
+
+      // Build recipient list: new assignee + admins, excluding actor
+      const recipientMap = new Map<string, { id: string; name: string; email: string }>();
+
+      // Add new assignee if exists
+      if (newAssigneeMember?.user?.id && newAssigneeMember.user.email) {
+        const userId = newAssigneeMember.user.id;
+        if (userId !== changedByUserId) {
+          recipientMap.set(userId, {
+            id: userId,
+            name: newAssigneeMember.user.name?.trim() ||
+              newAssigneeMember.user.email?.trim() ||
+              'User',
+            email: newAssigneeMember.user.email,
+          });
+        }
+      }
+
+      // Add admin members
+      for (const member of adminMembers) {
+        if (member.user?.id && member.user.email) {
+          const userId = member.user.id;
+          if (userId !== changedByUserId) {
+            recipientMap.set(userId, {
+              id: userId,
+              name: member.user.name?.trim() || member.user.email?.trim() || 'User',
+              email: member.user.email,
+            });
+          }
+        }
+      }
+
+      const recipients = Array.from(recipientMap.values());
+      const taskCount = tasks.length;
+
+      const appUrl =
+        process.env.NEXT_PUBLIC_APP_URL ??
+        process.env.BETTER_AUTH_URL ??
+        'https://app.trycomp.ai';
+      const tasksUrl = `${appUrl}/${organizationId}/tasks`;
+
+      this.logger.log(
+        `Sending bulk assignee change notifications to ${recipients.length} recipients for ${taskCount} task(s)`,
+      );
+
+      // Send notifications to each recipient
+      await Promise.allSettled(
+        recipients.map(async (recipient) => {
+          const isUnsubscribed = await isUserUnsubscribed(
+            db,
+            recipient.email,
+            'taskAssignments',
+          );
+
+          if (isUnsubscribed) {
+            this.logger.log(
+              `Skipping notification: user ${recipient.email} is unsubscribed from task assignments`,
+            );
+            return;
+          }
+
+          // Send email notification
+          try {
+            const { id } = await sendEmail({
+              to: recipient.email,
+              subject: `${taskCount} task${taskCount === 1 ? '' : 's'} reassigned to ${newAssigneeName}`,
+              react: TaskBulkAssigneeChangedEmail({
+                toName: recipient.name,
+                toEmail: recipient.email,
+                taskCount,
+                newAssigneeName,
+                changedByName,
+                organizationName,
+                tasksUrl,
+              }),
+              system: true,
+            });
+
+            this.logger.log(
+              `Bulk assignee change email sent to ${recipient.email} (ID: ${id})`,
+            );
+          } catch (error) {
+            this.logger.error(
+              `Failed to send bulk assignee change email to ${recipient.email}:`,
+              error instanceof Error ? error.message : 'Unknown error',
+            );
+          }
+
+          // Send in-app notification
+          try {
+            const title = `${taskCount} task${taskCount === 1 ? '' : 's'} reassigned`;
+            const message = `${changedByName} reassigned ${taskCount} task${taskCount === 1 ? '' : 's'} to ${newAssigneeName} in ${organizationName}`;
+            
+            await this.novuService.trigger({
+              workflowId: BULK_TASK_WORKFLOW_ID,
+              subscriberId: `${recipient.id}-${organizationId}`,
+              email: recipient.email,
+              payload: {
+                title,
+                message,
+                url: tasksUrl,
+              },
+            });
+
+            this.logger.log(
+              `[NOVU] Bulk assignee change in-app notification sent to ${recipient.id}`,
+            );
+          } catch (error) {
+            this.logger.error(
+              `[NOVU] Failed to send bulk assignee change in-app notification to ${recipient.id}:`,
+              error instanceof Error ? error.message : 'Unknown error',
+            );
+          }
+        }),
+      );
+    } catch (error) {
+      this.logger.error('Failed to send bulk assignee change notifications', error as Error);
+    }
+  }
+
+  async notifyStatusChange(params: {
+    organizationId: string;
+    taskId: string;
+    taskTitle: string;
+    oldStatus: TaskStatus;
+    newStatus: TaskStatus;
+    changedByUserId: string;
+  }): Promise<void> {
+    const { organizationId, taskId, taskTitle, oldStatus, newStatus, changedByUserId } = params;
+
+    try {
+      const [organization, changedByUser, task, allMembers] = await Promise.all([
+        db.organization.findUnique({
+          where: { id: organizationId },
+          select: { name: true },
+        }),
+        db.user.findUnique({
+          where: { id: changedByUserId },
+          select: { name: true, email: true },
+        }),
+        db.task.findUnique({
+          where: { id: taskId },
+          select: {
+            assignee: {
+              select: {
+                user: {
+                  select: {
+                    id: true,
+                    name: true,
+                    email: true,
+                  },
+                },
+              },
+            },
+          },
+        }),
+        db.member.findMany({
+          where: {
+            organizationId,
+            deactivated: false,
+          },
+          select: {
+            id: true,
+            role: true,
+            user: {
+              select: {
+                id: true,
+                name: true,
+                email: true,
+              },
+            },
+          },
+        }),
+      ]);
+
+      // Filter for admins/owners (roles can be comma-separated, e.g., "admin,auditor")
+      const adminMembers = allMembers.filter(
+        (member) => member.role && (member.role.includes('admin') || member.role.includes('owner')),
+      );
+
+      this.logger.debug(
+        `[notifyStatusChange] Found ${allMembers.length} total members, ${adminMembers.length} admins/owners for organization ${organizationId}`,
+      );
+      this.logger.debug(
+        `[notifyStatusChange] Task assignee: ${task?.assignee ? 'exists' : 'none'}, assignee user: ${task?.assignee?.user?.id || 'none'}`,
+      );
+
+      const organizationName = organization?.name ?? 'your organization';
+      const changedByName =
+        changedByUser?.name?.trim() || changedByUser?.email?.trim() || 'Someone';
+      const oldStatusLabel = oldStatus.replace('_', ' ');
+      const newStatusLabel = newStatus.replace('_', ' ');
+
+      // Build recipient list: assignee + admins, excluding actor
+      const recipientMap = new Map<string, { id: string; name: string; email: string }>();
+
+      // Add assignee if exists
+      if (task?.assignee?.user?.id && task.assignee.user.email) {
+        const userId = task.assignee.user.id;
+        if (userId !== changedByUserId) {
+          recipientMap.set(userId, {
+            id: userId,
+            name: task.assignee.user.name?.trim() || task.assignee.user.email?.trim() || 'User',
+            email: task.assignee.user.email,
+          });
+        }
+      }
+
+      // Add admin members
+      for (const member of adminMembers) {
+        if (member.user?.id && member.user.email) {
+          const userId = member.user.id;
+          if (userId !== changedByUserId) {
+            recipientMap.set(userId, {
+              id: userId,
+              name: member.user.name?.trim() || member.user.email?.trim() || 'User',
+              email: member.user.email,
+            });
+          }
+        }
+      }
+
+      const recipients = Array.from(recipientMap.values());
+
+      const appUrl =
+        process.env.NEXT_PUBLIC_APP_URL ??
+        process.env.BETTER_AUTH_URL ??
+        'https://app.trycomp.ai';
+      const taskUrl = `${appUrl}/${organizationId}/tasks/${taskId}`;
+
+      this.logger.log(
+        `Sending status change notifications to ${recipients.length} recipients for task "${taskTitle}"`,
+      );
+
+      // Send notifications to each recipient
+      await Promise.allSettled(
+        recipients.map(async (recipient) => {
+          const isUnsubscribed = await isUserUnsubscribed(
+            db,
+            recipient.email,
+            'taskAssignments',
+          );
+
+          if (isUnsubscribed) {
+            this.logger.log(
+              `Skipping notification: user ${recipient.email} is unsubscribed from task assignments`,
+            );
+            return;
+          }
+
+          // Send email notification
+          try {
+            const { id } = await sendEmail({
+              to: recipient.email,
+              subject: `Task "${taskTitle}" status changed to ${newStatusLabel}`,
+              react: TaskStatusChangedEmail({
+                toName: recipient.name,
+                toEmail: recipient.email,
+                taskTitle,
+                oldStatus: oldStatusLabel,
+                newStatus: newStatusLabel,
+                changedByName,
+                organizationName,
+                taskUrl,
+              }),
+              system: true,
+            });
+
+            this.logger.log(`Status change email sent to ${recipient.email} (ID: ${id})`);
+          } catch (error) {
+            this.logger.error(
+              `Failed to send status change email to ${recipient.email}:`,
+              error instanceof Error ? error.message : 'Unknown error',
+            );
+          }
+
+          // Send in-app notification
+          try {
+            const title = `Task status updated`;
+            const message = `${changedByName} changed the status of "${taskTitle}" from ${oldStatusLabel} to ${newStatusLabel} in ${organizationName}`;
+            
+            await this.novuService.trigger({
+              workflowId: TASK_WORKFLOW_ID,
+              subscriberId: `${recipient.id}-${organizationId}`,
+              email: recipient.email,
+              payload: {
+                title,
+                message,
+                url: taskUrl,
+              },
+            });
+
+            this.logger.log(`[NOVU] Status change in-app notification sent to ${recipient.id}`);
+          } catch (error) {
+            this.logger.error(
+              `[NOVU] Failed to send status change in-app notification to ${recipient.id}:`,
+              error instanceof Error ? error.message : 'Unknown error',
+            );
+          }
+        }),
+      );
+    } catch (error) {
+      this.logger.error('Failed to send status change notifications', error as Error);
+    }
+  }
+
+  async notifyAssigneeChange(params: {
+    organizationId: string;
+    taskId: string;
+    taskTitle: string;
+    oldAssigneeId: string | null;
+    newAssigneeId: string | null;
+    changedByUserId: string;
+  }): Promise<void> {
+    const {
+      organizationId,
+      taskId,
+      taskTitle,
+      oldAssigneeId,
+      newAssigneeId,
+      changedByUserId,
+    } = params;
+
+    try {
+      const [organization, changedByUser, oldAssigneeMember, newAssigneeMember, allMembers] =
+        await Promise.all([
+          db.organization.findUnique({
+            where: { id: organizationId },
+            select: { name: true },
+          }),
+          db.user.findUnique({
+            where: { id: changedByUserId },
+            select: { name: true, email: true },
+          }),
+          oldAssigneeId
+            ? db.member.findUnique({
+                where: { id: oldAssigneeId },
+                select: {
+                  user: {
+                    select: {
+                      id: true,
+                      name: true,
+                      email: true,
+                    },
+                  },
+                },
+              })
+            : Promise.resolve(null),
+          newAssigneeId
+            ? db.member.findUnique({
+                where: { id: newAssigneeId },
+                select: {
+                  user: {
+                    select: {
+                      id: true,
+                      name: true,
+                      email: true,
+                    },
+                  },
+                },
+              })
+            : Promise.resolve(null),
+          db.member.findMany({
+            where: {
+              organizationId,
+              deactivated: false,
+            },
+            select: {
+              id: true,
+              role: true,
+              user: {
+                select: {
+                  id: true,
+                  name: true,
+                  email: true,
+                },
+              },
+            },
+          }),
+        ]);
+
+      // Filter for admins/owners (roles can be comma-separated, e.g., "admin,auditor")
+      const adminMembers = allMembers.filter(
+        (member) => member.role && (member.role.includes('admin') || member.role.includes('owner')),
+      );
+
+      this.logger.debug(
+        `[notifyAssigneeChange] Found ${allMembers.length} total members, ${adminMembers.length} admins/owners for organization ${organizationId}`,
+      );
+
+      const organizationName = organization?.name ?? 'your organization';
+      const changedByName =
+        changedByUser?.name?.trim() || changedByUser?.email?.trim() || 'Someone';
+      const oldAssigneeName = oldAssigneeMember?.user
+        ? oldAssigneeMember.user.name?.trim() ||
+          oldAssigneeMember.user.email?.trim() ||
+          'Unassigned'
+        : 'Unassigned';
+      const newAssigneeName = newAssigneeMember?.user
+        ? newAssigneeMember.user.name?.trim() ||
+          newAssigneeMember.user.email?.trim() ||
+          'Unassigned'
+        : 'Unassigned';
+
+      // Build recipient list: old assignee + new assignee + admins, excluding actor
+      const recipientMap = new Map<string, { id: string; name: string; email: string }>();
+
+      // Add old assignee if exists
+      if (oldAssigneeMember?.user?.id && oldAssigneeMember.user.email) {
+        const userId = oldAssigneeMember.user.id;
+        if (userId !== changedByUserId) {
+          recipientMap.set(userId, {
+            id: userId,
+            name:
+              oldAssigneeMember.user.name?.trim() ||
+              oldAssigneeMember.user.email?.trim() ||
+              'User',
+            email: oldAssigneeMember.user.email,
+          });
+        }
+      }
+
+      // Add new assignee if exists
+      if (newAssigneeMember?.user?.id && newAssigneeMember.user.email) {
+        const userId = newAssigneeMember.user.id;
+        if (userId !== changedByUserId) {
+          recipientMap.set(userId, {
+            id: userId,
+            name:
+              newAssigneeMember.user.name?.trim() ||
+              newAssigneeMember.user.email?.trim() ||
+              'User',
+            email: newAssigneeMember.user.email,
+          });
+        }
+      }
+
+      // Add admin members
+      for (const member of adminMembers) {
+        if (member.user?.id && member.user.email) {
+          const userId = member.user.id;
+          if (userId !== changedByUserId) {
+            recipientMap.set(userId, {
+              id: userId,
+              name: member.user.name?.trim() || member.user.email?.trim() || 'User',
+              email: member.user.email,
+            });
+          }
+        }
+      }
+
+      const recipients = Array.from(recipientMap.values());
+
+      const appUrl =
+        process.env.NEXT_PUBLIC_APP_URL ??
+        process.env.BETTER_AUTH_URL ??
+        'https://app.trycomp.ai';
+      const taskUrl = `${appUrl}/${organizationId}/tasks/${taskId}`;
+
+      this.logger.log(
+        `Sending assignee change notifications to ${recipients.length} recipients for task "${taskTitle}"`,
+      );
+
+      // Send notifications to each recipient
+      await Promise.allSettled(
+        recipients.map(async (recipient) => {
+          const isUnsubscribed = await isUserUnsubscribed(
+            db,
+            recipient.email,
+            'taskAssignments',
+          );
+
+          if (isUnsubscribed) {
+            this.logger.log(
+              `Skipping notification: user ${recipient.email} is unsubscribed from task assignments`,
+            );
+            return;
+          }
+
+          // Send email notification
+          try {
+            const { id } = await sendEmail({
+              to: recipient.email,
+              subject: `Task "${taskTitle}" reassigned to ${newAssigneeName}`,
+              react: TaskAssigneeChangedEmail({
+                toName: recipient.name,
+                toEmail: recipient.email,
+                taskTitle,
+                oldAssigneeName,
+                newAssigneeName,
+                changedByName,
+                organizationName,
+                taskUrl,
+              }),
+              system: true,
+            });
+
+            this.logger.log(`Assignee change email sent to ${recipient.email} (ID: ${id})`);
+          } catch (error) {
+            this.logger.error(
+              `Failed to send assignee change email to ${recipient.email}:`,
+              error instanceof Error ? error.message : 'Unknown error',
+            );
+          }
+
+          // Send in-app notification
+          try {
+            const title = `Task reassigned`;
+            const message = `${changedByName} reassigned "${taskTitle}" from ${oldAssigneeName} to ${newAssigneeName} in ${organizationName}`;
+            
+            await this.novuService.trigger({
+              workflowId: TASK_WORKFLOW_ID,
+              subscriberId: `${recipient.id}-${organizationId}`,
+              email: recipient.email,
+              payload: {
+                title,
+                message,
+                url: taskUrl,
+              },
+            });
+
+            this.logger.log(`[NOVU] Assignee change in-app notification sent to ${recipient.id}`);
+          } catch (error) {
+            this.logger.error(
+              `[NOVU] Failed to send assignee change in-app notification to ${recipient.id}:`,
+              error instanceof Error ? error.message : 'Unknown error',
+            );
+          }
+        }),
+      );
+    } catch (error) {
+      this.logger.error('Failed to send assignee change notifications', error as Error);
+    }
+  }
+}
diff --git a/apps/api/src/tasks/tasks.controller.ts b/apps/api/src/tasks/tasks.controller.ts
index 43b7c0daa..48fef07ad 100644
--- a/apps/api/src/tasks/tasks.controller.ts
+++ b/apps/api/src/tasks/tasks.controller.ts
@@ -96,6 +96,166 @@ export class TasksController {
     return await this.tasksService.getTasks(organizationId);
   }
 
+  @Patch('bulk')
+  @ApiOperation({
+    summary: 'Update status for multiple tasks',
+    description: 'Bulk update the status of multiple tasks',
+  })
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: {
+        taskIds: {
+          type: 'array',
+          items: { type: 'string' },
+          example: ['tsk_abc123', 'tsk_def456'],
+        },
+        status: {
+          type: 'string',
+          enum: Object.values(TaskStatus),
+          example: TaskStatus.in_progress,
+        },
+        reviewDate: {
+          type: 'string',
+          format: 'date-time',
+          example: '2025-01-01T00:00:00.000Z',
+          description: 'Optional review date to set on all tasks',
+        },
+      },
+      required: ['taskIds', 'status'],
+    },
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'Tasks updated successfully',
+    schema: {
+      type: 'object',
+      properties: {
+        updatedCount: { type: 'number', example: 2 },
+      },
+    },
+  })
+  @ApiResponse({
+    status: 400,
+    description: 'Invalid request body',
+  })
+  async updateTasksStatus(
+    @OrganizationId() organizationId: string,
+    @AuthContext() authContext: AuthContextType,
+    @Body()
+    body: {
+      taskIds: string[];
+      status: TaskStatus;
+      reviewDate?: string;
+    },
+  ): Promise<{ updatedCount: number }> {
+    const { taskIds, status, reviewDate } = body;
+
+    if (!Array.isArray(taskIds) || taskIds.length === 0) {
+      throw new BadRequestException('taskIds must be a non-empty array');
+    }
+
+    if (!Object.values(TaskStatus).includes(status)) {
+      throw new BadRequestException('status is invalid');
+    }
+
+    let parsedReviewDate: Date | undefined;
+    if (reviewDate !== undefined) {
+      if (reviewDate === null || typeof reviewDate !== 'string') {
+        throw new BadRequestException('reviewDate is invalid');
+      }
+      parsedReviewDate = new Date(reviewDate);
+      if (Number.isNaN(parsedReviewDate.getTime())) {
+        throw new BadRequestException('reviewDate is invalid');
+      }
+    }
+
+    // Get userId from auth context
+    if (!authContext.userId) {
+      throw new BadRequestException(
+        'User ID is required. Bulk operations require authenticated user session.',
+      );
+    }
+    const userId = authContext.userId;
+
+    return await this.tasksService.updateTasksStatus(
+      organizationId,
+      taskIds,
+      status,
+      parsedReviewDate,
+      userId,
+    );
+  }
+
+  @Patch('bulk/assignee')
+  @ApiOperation({
+    summary: 'Update assignee for multiple tasks',
+    description: 'Bulk update the assignee of multiple tasks',
+  })
+  @ApiBody({
+    schema: {
+      type: 'object',
+      properties: {
+        taskIds: {
+          type: 'array',
+          items: { type: 'string' },
+          example: ['tsk_abc123', 'tsk_def456'],
+        },
+        assigneeId: {
+          type: 'string',
+          nullable: true,
+          example: 'mem_abc123',
+          description: 'Assignee member ID, or null to unassign',
+        },
+      },
+      required: ['taskIds'],
+    },
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'Tasks updated successfully',
+    schema: {
+      type: 'object',
+      properties: {
+        updatedCount: { type: 'number', example: 2 },
+      },
+    },
+  })
+  @ApiResponse({
+    status: 400,
+    description: 'Invalid request body',
+  })
+  async updateTasksAssignee(
+    @OrganizationId() organizationId: string,
+    @AuthContext() authContext: AuthContextType,
+    @Body()
+    body: {
+      taskIds: string[];
+      assigneeId: string | null;
+    },
+  ): Promise<{ updatedCount: number }> {
+    const { taskIds, assigneeId } = body;
+
+    if (!Array.isArray(taskIds) || taskIds.length === 0) {
+      throw new BadRequestException('taskIds must be a non-empty array');
+    }
+
+    // Get userId from auth context
+    if (!authContext.userId) {
+      throw new BadRequestException(
+        'User ID is required. Bulk operations require authenticated user session.',
+      );
+    }
+    const userId = authContext.userId;
+
+    return await this.tasksService.updateTasksAssignee(
+      organizationId,
+      taskIds,
+      assigneeId ?? null,
+      userId,
+    );
+  }
+
   @Get(':taskId')
   @ApiOperation({
     summary: 'Get task by ID',
@@ -147,84 +307,113 @@ export class TasksController {
     return await this.tasksService.getTask(organizationId, taskId);
   }
 
-  @Patch('bulk')
+  @Patch(':taskId')
   @ApiOperation({
-    summary: 'Update status for multiple tasks',
-    description: 'Bulk update the status of multiple tasks',
+    summary: 'Update a task',
+    description: 'Update an existing task (status, assignee, frequency, department, reviewDate)',
+  })
+  @ApiParam({
+    name: 'taskId',
+    description: 'Unique task identifier',
+    example: 'tsk_abc123def456',
   })
   @ApiBody({
     schema: {
       type: 'object',
       properties: {
-        taskIds: {
-          type: 'array',
-          items: { type: 'string' },
-          example: ['tsk_abc123', 'tsk_def456'],
-        },
         status: {
           type: 'string',
           enum: Object.values(TaskStatus),
           example: TaskStatus.in_progress,
         },
+        assigneeId: {
+          type: 'string',
+          nullable: true,
+          example: 'mem_abc123',
+          description: 'Assignee member ID, or null to unassign',
+        },
+        frequency: {
+          type: 'string',
+          enum: ['daily', 'weekly', 'monthly', 'quarterly', 'yearly'],
+          example: 'monthly',
+        },
+        department: {
+          type: 'string',
+          enum: ['none', 'admin', 'gov', 'hr', 'it', 'itsm', 'qms'],
+          example: 'it',
+        },
         reviewDate: {
           type: 'string',
           format: 'date-time',
           example: '2025-01-01T00:00:00.000Z',
-          description: 'Optional review date to set on all tasks',
         },
       },
-      required: ['taskIds', 'status'],
     },
   })
   @ApiResponse({
     status: 200,
-    description: 'Tasks updated successfully',
-    schema: {
-      type: 'object',
-      properties: {
-        updatedCount: { type: 'number', example: 2 },
+    description: 'Task updated successfully',
+    content: {
+      'application/json': {
+        schema: { $ref: '#/components/schemas/TaskResponseDto' },
       },
     },
   })
   @ApiResponse({
     status: 400,
-    description: 'Invalid request body',
+    description: 'Invalid request body or task not found',
   })
-  async updateTasksStatus(
+  @ApiResponse({
+    status: 404,
+    description: 'Task not found',
+  })
+  async updateTask(
     @OrganizationId() organizationId: string,
+    @AuthContext() authContext: AuthContextType,
+    @Param('taskId') taskId: string,
     @Body()
     body: {
-      taskIds: string[];
-      status: TaskStatus;
+      status?: TaskStatus;
+      assigneeId?: string | null;
+      frequency?: string;
+      department?: string;
       reviewDate?: string;
     },
-  ): Promise<{ updatedCount: number }> {
-    const { taskIds, status, reviewDate } = body;
-
-    if (!Array.isArray(taskIds) || taskIds.length === 0) {
-      throw new BadRequestException('taskIds must be a non-empty array');
-    }
-
-    if (!Object.values(TaskStatus).includes(status)) {
-      throw new BadRequestException('status is invalid');
+  ): Promise<TaskResponseDto> {
+    // Get userId from auth context
+    if (!authContext.userId) {
+      throw new BadRequestException(
+        'User ID is required. Task updates require authenticated user session.',
+      );
     }
+    const userId = authContext.userId;
 
-    let parsedReviewDate: Date | undefined;
-    if (reviewDate !== undefined) {
-      if (reviewDate === null || typeof reviewDate !== 'string') {
-        throw new BadRequestException('reviewDate is invalid');
-      }
-      parsedReviewDate = new Date(reviewDate);
-      if (Number.isNaN(parsedReviewDate.getTime())) {
+    let parsedReviewDate: Date | null | undefined;
+    if (body.reviewDate !== undefined) {
+      if (body.reviewDate === null) {
+        // null means clear the reviewDate
+        parsedReviewDate = null;
+      } else if (typeof body.reviewDate !== 'string') {
         throw new BadRequestException('reviewDate is invalid');
+      } else {
+        parsedReviewDate = new Date(body.reviewDate);
+        if (Number.isNaN(parsedReviewDate.getTime())) {
+          throw new BadRequestException('reviewDate is invalid');
+        }
       }
     }
 
-    return await this.tasksService.updateTasksStatus(
+    return await this.tasksService.updateTask(
       organizationId,
-      taskIds,
-      status,
-      parsedReviewDate,
+      taskId,
+      {
+        status: body.status,
+        assigneeId: body.assigneeId,
+        frequency: body.frequency,
+        department: body.department,
+        reviewDate: parsedReviewDate,
+      },
+      userId,
     );
   }
 
diff --git a/apps/api/src/tasks/tasks.module.ts b/apps/api/src/tasks/tasks.module.ts
index 914cb2612..888d2503e 100644
--- a/apps/api/src/tasks/tasks.module.ts
+++ b/apps/api/src/tasks/tasks.module.ts
@@ -1,14 +1,16 @@
-import { Module } from '@nestjs/common';
+import { Module, forwardRef } from '@nestjs/common';
 import { AttachmentsModule } from '../attachments/attachments.module';
 import { AuthModule } from '../auth/auth.module';
 import { AutomationsModule } from './automations/automations.module';
+import { NovuService } from '../notifications/novu.service';
 import { TasksController } from './tasks.controller';
 import { TasksService } from './tasks.service';
+import { TaskNotifierService } from './task-notifier.service';
 
 @Module({
-  imports: [AuthModule, AttachmentsModule, AutomationsModule],
+  imports: [AuthModule, AttachmentsModule, forwardRef(() => AutomationsModule)],
   controllers: [TasksController],
-  providers: [TasksService],
-  exports: [TasksService],
+  providers: [TasksService, TaskNotifierService, NovuService],
+  exports: [TasksService, TaskNotifierService],
 })
 export class TasksModule {}
diff --git a/apps/api/src/tasks/tasks.service.ts b/apps/api/src/tasks/tasks.service.ts
index 660332155..f42d16cf8 100644
--- a/apps/api/src/tasks/tasks.service.ts
+++ b/apps/api/src/tasks/tasks.service.ts
@@ -5,10 +5,11 @@ import {
 } from '@nestjs/common';
 import { db, TaskStatus } from '@trycompai/db';
 import { TaskResponseDto } from './dto/task-responses.dto';
+import { TaskNotifierService } from './task-notifier.service';
 
 @Injectable()
 export class TasksService {
-  constructor() {}
+  constructor(private readonly taskNotifierService: TaskNotifierService) {}
 
   /**
    * Get all tasks for an organization
@@ -121,7 +122,8 @@ export class TasksService {
     organizationId: string,
     taskIds: string[],
     status: TaskStatus,
-    reviewDate?: Date,
+    reviewDate: Date | undefined,
+    changedByUserId: string,
   ): Promise<{ updatedCount: number }> {
     try {
       const result = await db.task.updateMany({
@@ -144,6 +146,18 @@ export class TasksService {
         );
       }
 
+      // Send notifications (fire-and-forget, don't block response)
+      this.taskNotifierService
+        .notifyBulkStatusChange({
+          organizationId,
+          taskIds,
+          newStatus: status,
+          changedByUserId,
+        })
+        .catch((error) => {
+          console.error('Failed to send bulk status change notifications:', error);
+        });
+
       return { updatedCount: result.count };
     } catch (error) {
       console.error('Error updating task statuses:', error);
@@ -153,4 +167,172 @@ export class TasksService {
       throw new InternalServerErrorException('Failed to update task statuses');
     }
   }
+
+  /**
+   * Update assignee for multiple tasks
+   */
+  async updateTasksAssignee(
+    organizationId: string,
+    taskIds: string[],
+    assigneeId: string | null,
+    changedByUserId: string,
+  ): Promise<{ updatedCount: number }> {
+    try {
+      const result = await db.task.updateMany({
+        where: {
+          id: {
+            in: taskIds,
+          },
+          organizationId,
+        },
+        data: {
+          assigneeId,
+          updatedAt: new Date(),
+        },
+      });
+
+      if (result.count === 0) {
+        throw new BadRequestException(
+          'No tasks were updated. Check task IDs or organization access.',
+        );
+      }
+
+      // Send notifications (fire-and-forget, don't block response)
+      this.taskNotifierService
+        .notifyBulkAssigneeChange({
+          organizationId,
+          taskIds,
+          newAssigneeId: assigneeId,
+          changedByUserId,
+        })
+        .catch((error) => {
+          console.error('Failed to send bulk assignee change notifications:', error);
+        });
+
+      return { updatedCount: result.count };
+    } catch (error) {
+      console.error('Error updating task assignees:', error);
+      if (error instanceof BadRequestException) {
+        throw error;
+      }
+      throw new InternalServerErrorException('Failed to update task assignees');
+    }
+  }
+
+  /**
+   * Update a single task
+   */
+  async updateTask(
+    organizationId: string,
+    taskId: string,
+    updateData: {
+      status?: TaskStatus;
+      assigneeId?: string | null;
+      frequency?: string;
+      department?: string;
+      reviewDate?: Date | null;
+    },
+    changedByUserId: string,
+  ): Promise<TaskResponseDto> {
+    try {
+      // Get existing task to track changes
+      const existingTask = await db.task.findFirst({
+        where: {
+          id: taskId,
+          organizationId,
+        },
+        select: {
+          id: true,
+          title: true,
+          status: true,
+          assigneeId: true,
+        },
+      });
+
+      if (!existingTask) {
+        throw new BadRequestException('Task not found or access denied');
+      }
+
+      // Prepare update data - Prisma handles updatedAt automatically
+      const dataToUpdate: {
+        status?: TaskStatus;
+        assigneeId?: string | null;
+        frequency?: string;
+        department?: string;
+        reviewDate?: Date | null;
+      } = {};
+
+      if (updateData.status !== undefined) {
+        dataToUpdate.status = updateData.status;
+      }
+      if (updateData.assigneeId !== undefined) {
+        // Convert null to undefined for Prisma, or keep string value
+        dataToUpdate.assigneeId = updateData.assigneeId === null ? null : updateData.assigneeId;
+      }
+      if (updateData.frequency !== undefined) {
+        dataToUpdate.frequency = updateData.frequency;
+      }
+      if (updateData.department !== undefined) {
+        dataToUpdate.department = updateData.department;
+      }
+      if (updateData.reviewDate !== undefined) {
+        dataToUpdate.reviewDate = updateData.reviewDate;
+      }
+
+      // Update the task
+      const updatedTask = await db.task.update({
+        where: {
+          id: taskId,
+          organizationId,
+        },
+        data: dataToUpdate as any, // Type assertion needed due to Prisma's strict typing
+        include: {
+          assignee: true,
+        },
+      });
+
+      // Send notifications for status changes
+      if (updateData.status !== undefined && existingTask.status !== updateData.status) {
+        this.taskNotifierService
+          .notifyStatusChange({
+            organizationId,
+            taskId,
+            taskTitle: existingTask.title,
+            oldStatus: existingTask.status,
+            newStatus: updateData.status,
+            changedByUserId,
+          })
+          .catch((error) => {
+            console.error('Failed to send status change notifications:', error);
+          });
+      }
+
+      // Send notifications for assignee changes
+      if (
+        updateData.assigneeId !== undefined &&
+        (existingTask.assigneeId ?? null) !== (updateData.assigneeId ?? null)
+      ) {
+        this.taskNotifierService
+          .notifyAssigneeChange({
+            organizationId,
+            taskId,
+            taskTitle: existingTask.title,
+            oldAssigneeId: existingTask.assigneeId,
+            newAssigneeId: updateData.assigneeId,
+            changedByUserId,
+          })
+          .catch((error) => {
+            console.error('Failed to send assignee change notifications:', error);
+          });
+      }
+
+      return updatedTask;
+    } catch (error) {
+      console.error('Error updating task:', error);
+      if (error instanceof BadRequestException) {
+        throw error;
+      }
+      throw new InternalServerErrorException('Failed to update task');
+    }
+  }
 }
diff --git a/apps/api/src/training/dto/send-training-completion.dto.ts b/apps/api/src/training/dto/send-training-completion.dto.ts
new file mode 100644
index 000000000..a36917f4f
--- /dev/null
+++ b/apps/api/src/training/dto/send-training-completion.dto.ts
@@ -0,0 +1,35 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, IsNotEmpty } from 'class-validator';
+
+export class SendTrainingCompletionDto {
+  @ApiProperty({
+    description: 'The member ID who completed training',
+    example: 'mem_abc123',
+  })
+  @IsString()
+  @IsNotEmpty()
+  memberId: string;
+
+  @ApiProperty({
+    description: 'The organization ID',
+    example: 'org_abc123',
+  })
+  @IsString()
+  @IsNotEmpty()
+  organizationId: string;
+}
+
+export class SendTrainingCompletionResponseDto {
+  @ApiProperty({
+    description: 'Whether the email was sent',
+    example: true,
+  })
+  sent: boolean;
+
+  @ApiProperty({
+    description: 'Reason if email was not sent',
+    example: 'training_not_complete',
+    required: false,
+  })
+  reason?: string;
+}
diff --git a/apps/api/src/training/training-certificate-pdf.service.ts b/apps/api/src/training/training-certificate-pdf.service.ts
new file mode 100644
index 000000000..81c644c32
--- /dev/null
+++ b/apps/api/src/training/training-certificate-pdf.service.ts
@@ -0,0 +1,230 @@
+import { Injectable } from '@nestjs/common';
+import { jsPDF } from 'jspdf';
+
+// Primary brand color (teal/green) - hsl(165, 100%, 15%)
+const PRIMARY_COLOR = { r: 0, g: 77, b: 61 };
+
+const COMP_AI_LOGO_URL = 'https://assets.trycomp.ai/logo.png';
+
+const getLogoDataUrl = async (): Promise<string | null> => {
+  try {
+    const response = await fetch(COMP_AI_LOGO_URL);
+    if (!response.ok) {
+      return null;
+    }
+    const arrayBuffer = await response.arrayBuffer();
+    const base64 = Buffer.from(arrayBuffer).toString('base64');
+    return `data:image/png;base64,${base64}`;
+  } catch {
+    return null;
+  }
+};
+
+@Injectable()
+export class TrainingCertificatePdfService {
+  /**
+   * Clean text for PDF rendering by handling unicode characters
+   */
+  private cleanTextForPDF(text: string): string {
+    const strippedText = text
+      .replace(/\u00AD/g, '')
+      .replace(/[\u200B-\u200F]/g, '')
+      .replace(/[\u202A-\u202E]/g, '')
+      .replace(/[\u2060-\u206F]/g, '')
+      .replace(/\uFEFF/g, '')
+      .replace(/\uFFFD/g, '');
+
+    const replacements: { [key: string]: string } = {
+      '\u2018': "'",
+      '\u2019': "'",
+      '\u201C': '"',
+      '\u201D': '"',
+      '\u2013': '-',
+      '\u2014': '-',
+      '\u2026': '...',
+      '\u00A0': ' ',
+    };
+
+    let cleanedText = strippedText;
+    for (const [unicode, replacement] of Object.entries(replacements)) {
+      cleanedText = cleanedText.replace(new RegExp(unicode, 'g'), replacement);
+    }
+
+    return cleanedText;
+  }
+
+  /**
+   * Generates a training completion certificate PDF with Comp AI branding
+   */
+  async generateTrainingCertificatePdf(params: {
+    userName: string;
+    organizationName: string;
+    completedAt: Date;
+  }): Promise<Buffer> {
+    const { userName, organizationName, completedAt } = params;
+
+    const doc = new jsPDF({
+      orientation: 'landscape',
+      unit: 'mm',
+      format: 'a4',
+    });
+
+    const pageWidth = doc.internal.pageSize.getWidth();
+    const pageHeight = doc.internal.pageSize.getHeight();
+
+    // Background - light cream/off-white
+    doc.setFillColor(252, 251, 248);
+    doc.rect(0, 0, pageWidth, pageHeight, 'F');
+
+    // Decorative border using primary color
+    doc.setDrawColor(PRIMARY_COLOR.r, PRIMARY_COLOR.g, PRIMARY_COLOR.b);
+    doc.setLineWidth(2);
+    doc.rect(10, 10, pageWidth - 20, pageHeight - 20, 'S');
+
+    // Inner decorative border
+    doc.setLineWidth(0.5);
+    doc.rect(15, 15, pageWidth - 30, pageHeight - 30, 'S');
+
+    // Add Comp AI logo at top center
+    const logoDataUrl = await getLogoDataUrl();
+    if (logoDataUrl) {
+      const logoWidth = 15;
+      const logoHeight = 15;
+      doc.addImage(
+        logoDataUrl,
+        'PNG',
+        pageWidth / 2 - logoWidth / 2,
+        22,
+        logoWidth,
+        logoHeight,
+      );
+    }
+
+    // Certificate header
+    doc.setFont('helvetica', 'normal');
+    doc.setFontSize(14);
+    doc.setTextColor(100, 100, 100);
+    doc.text('CERTIFICATE OF COMPLETION', pageWidth / 2, 48, {
+      align: 'center',
+    });
+
+    // Main title in black
+    doc.setFont('helvetica', 'bold');
+    doc.setFontSize(26);
+    doc.setTextColor(18, 18, 18);
+    doc.text('Security Awareness Training', pageWidth / 2, 62, {
+      align: 'center',
+    });
+
+    // Decorative line with primary color
+    doc.setDrawColor(PRIMARY_COLOR.r, PRIMARY_COLOR.g, PRIMARY_COLOR.b);
+    doc.setLineWidth(0.8);
+    doc.line(pageWidth / 2 - 50, 68, pageWidth / 2 + 50, 68);
+
+    // "This certifies that" text
+    doc.setFont('helvetica', 'normal');
+    doc.setFontSize(11);
+    doc.setTextColor(100, 100, 100);
+    doc.text('This is to certify that', pageWidth / 2, 82, { align: 'center' });
+
+    // Employee name
+    const cleanUserName = this.cleanTextForPDF(userName);
+    doc.setFont('helvetica', 'bold');
+    doc.setFontSize(22);
+    doc.setTextColor(18, 18, 18);
+    doc.text(cleanUserName, pageWidth / 2, 95, { align: 'center' });
+
+    // Underline for name with primary color
+    const nameWidth = doc.getTextWidth(cleanUserName);
+    doc.setDrawColor(PRIMARY_COLOR.r, PRIMARY_COLOR.g, PRIMARY_COLOR.b);
+    doc.setLineWidth(0.4);
+    doc.line(
+      pageWidth / 2 - nameWidth / 2 - 10,
+      98,
+      pageWidth / 2 + nameWidth / 2 + 10,
+      98,
+    );
+
+    // Description
+    const cleanOrgName = this.cleanTextForPDF(organizationName);
+    doc.setFont('helvetica', 'normal');
+    doc.setFontSize(11);
+    doc.setTextColor(80, 80, 80);
+    doc.text(
+      'has successfully completed all modules of the',
+      pageWidth / 2,
+      110,
+      {
+        align: 'center',
+      },
+    );
+    doc.text('Security Awareness Training program', pageWidth / 2, 117, {
+      align: 'center',
+    });
+    // "for" in normal, org name in bold - manually center
+    doc.setFont('helvetica', 'normal');
+    const forText = 'for ';
+    const forWidth = doc.getTextWidth(forText);
+    doc.setFont('helvetica', 'bold');
+    const orgWidth = doc.getTextWidth(cleanOrgName);
+    const totalWidth = forWidth + orgWidth;
+    const startX = pageWidth / 2 - totalWidth / 2;
+
+    doc.setFont('helvetica', 'normal');
+    doc.text(forText, startX, 124);
+    doc.setFont('helvetica', 'bold');
+    doc.setTextColor(18, 18, 18);
+    doc.text(cleanOrgName, startX + forWidth, 124);
+    doc.setFont('helvetica', 'normal');
+
+    // Completion date with primary color
+    const formattedDate = new Date(completedAt).toLocaleDateString('en-US', {
+      year: 'numeric',
+      month: 'long',
+      day: 'numeric',
+    });
+
+    doc.setFont('helvetica', 'bold');
+    doc.setFontSize(12);
+    doc.setTextColor(18, 18, 18);
+    doc.text(`Completed on ${formattedDate}`, pageWidth / 2, 140, {
+      align: 'center',
+    });
+
+    // Certified by section
+    doc.setFont('helvetica', 'normal');
+    doc.setFontSize(10);
+    doc.setTextColor(120, 120, 120);
+    doc.text('Certified by', pageWidth / 2, 158, { align: 'center' });
+
+    // Comp AI branding with logo
+    doc.setFont('helvetica', 'bold');
+    doc.setFontSize(18);
+    doc.setTextColor(18, 18, 18);
+    const compAiText = 'Comp AI';
+    const compAiTextWidth = doc.getTextWidth(compAiText);
+    const logoSize = 8;
+    const gap = 3;
+    const totalBrandWidth = logoSize + gap + compAiTextWidth;
+    const brandStartX = pageWidth / 2 - totalBrandWidth / 2;
+
+    // Add small logo next to text
+    if (logoDataUrl) {
+      doc.addImage(logoDataUrl, 'PNG', brandStartX, 164, logoSize, logoSize);
+    }
+    doc.text(compAiText, brandStartX + logoSize + gap, 171);
+
+    // Footer
+    doc.setFont('helvetica', 'normal');
+    doc.setFontSize(8);
+    doc.setTextColor(150, 150, 150);
+    doc.text('AI-powered compliance platform', pageWidth / 2, 178, {
+      align: 'center',
+    });
+    doc.text('https://trycomp.ai', pageWidth / 2, 183, { align: 'center' });
+
+    // Get the PDF as a buffer
+    const pdfOutput = doc.output('arraybuffer');
+    return Buffer.from(pdfOutput);
+  }
+}
diff --git a/apps/api/src/training/training-email.service.ts b/apps/api/src/training/training-email.service.ts
new file mode 100644
index 000000000..480c2ec3b
--- /dev/null
+++ b/apps/api/src/training/training-email.service.ts
@@ -0,0 +1,61 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { sendEmail } from '../email/resend';
+import { TrainingCompletedEmail } from '../email/templates/training-completed';
+import { TrainingCertificatePdfService } from './training-certificate-pdf.service';
+
+@Injectable()
+export class TrainingEmailService {
+  private readonly logger = new Logger(TrainingEmailService.name);
+
+  constructor(
+    private readonly certificatePdfService: TrainingCertificatePdfService,
+  ) {}
+
+  async sendTrainingCompletedEmail(params: {
+    toEmail: string;
+    toName: string;
+    organizationName: string;
+    completedAt: Date;
+  }): Promise<void> {
+    const { toEmail, toName, organizationName, completedAt } = params;
+
+    // Generate the certificate PDF
+    const certificatePdf =
+      await this.certificatePdfService.generateTrainingCertificatePdf({
+        userName: toName,
+        organizationName,
+        completedAt,
+      });
+
+    this.logger.log(
+      `Generated training certificate PDF for ${toEmail} (${certificatePdf.length} bytes)`,
+    );
+
+    // Generate a safe filename
+    const safeUserName = toName.replace(/[^a-zA-Z0-9]/g, '-').toLowerCase();
+    const filename = `security-awareness-training-certificate-${safeUserName}.pdf`;
+
+    const { id } = await sendEmail({
+      to: toEmail,
+      subject: `Congratulations! You've completed your Security Awareness Training - ${organizationName}`,
+      react: TrainingCompletedEmail({
+        email: toEmail,
+        userName: toName,
+        organizationName,
+        completedAt,
+      }),
+      system: true,
+      attachments: [
+        {
+          filename,
+          content: certificatePdf,
+          contentType: 'application/pdf',
+        },
+      ],
+    });
+
+    this.logger.log(
+      `Training completed email sent to ${toEmail} with certificate (ID: ${id})`,
+    );
+  }
+}
diff --git a/apps/api/src/training/training.controller.ts b/apps/api/src/training/training.controller.ts
new file mode 100644
index 000000000..2ba695bf1
--- /dev/null
+++ b/apps/api/src/training/training.controller.ts
@@ -0,0 +1,120 @@
+import {
+  Controller,
+  Post,
+  Body,
+  HttpCode,
+  HttpStatus,
+  Res,
+  BadRequestException,
+  UnauthorizedException,
+  Headers,
+} from '@nestjs/common';
+import {
+  ApiTags,
+  ApiOperation,
+  ApiResponse,
+  ApiProduces,
+  ApiHeader,
+} from '@nestjs/swagger';
+import type { Response } from 'express';
+import { TrainingService } from './training.service';
+import {
+  SendTrainingCompletionDto,
+  SendTrainingCompletionResponseDto,
+} from './dto/send-training-completion.dto';
+
+@ApiTags('Training')
+@Controller('training')
+export class TrainingController {
+  private validateInternalToken(token: string | undefined): void {
+    const expectedToken = process.env.INTERNAL_API_TOKEN;
+
+    if (!expectedToken) {
+      throw new UnauthorizedException(
+        'INTERNAL_API_TOKEN not configured on server',
+      );
+    }
+
+    if (!token || token !== expectedToken) {
+      throw new UnauthorizedException('Invalid or missing internal API token');
+    }
+  }
+  constructor(private readonly trainingService: TrainingService) {}
+
+  @Post('send-completion-email')
+  @HttpCode(HttpStatus.OK)
+  @ApiHeader({
+    name: 'x-internal-token',
+    description: 'Internal API token for service-to-service calls',
+    required: true,
+  })
+  @ApiOperation({
+    summary: 'Send training completion email with certificate',
+    description:
+      'Checks if the member has completed all training videos. If so, sends an email with the training certificate attached.',
+  })
+  @ApiResponse({
+    status: 200,
+    description: 'Email sent or reason why it was not sent',
+    type: SendTrainingCompletionResponseDto,
+  })
+  async sendTrainingCompletionEmail(
+    @Headers('x-internal-token') token: string,
+    @Body() dto: SendTrainingCompletionDto,
+  ): Promise<SendTrainingCompletionResponseDto> {
+    this.validateInternalToken(token);
+
+    const result =
+      await this.trainingService.sendTrainingCompletionEmailIfComplete(
+        dto.memberId,
+        dto.organizationId,
+      );
+
+    return result;
+  }
+
+  @Post('generate-certificate')
+  @HttpCode(HttpStatus.OK)
+  @ApiHeader({
+    name: 'x-internal-token',
+    description: 'Internal API token for service-to-service calls',
+    required: true,
+  })
+  @ApiOperation({
+    summary: 'Generate training completion certificate PDF',
+    description:
+      'Generates a PDF certificate for a member who has completed all training videos. Returns the PDF as a downloadable file.',
+  })
+  @ApiProduces('application/pdf')
+  @ApiResponse({
+    status: 200,
+    description: 'PDF certificate file',
+  })
+  @ApiResponse({
+    status: 400,
+    description: 'Training not complete or member not found',
+  })
+  async generateCertificate(
+    @Headers('x-internal-token') token: string,
+    @Body() dto: SendTrainingCompletionDto,
+    @Res() res: Response,
+  ): Promise<void> {
+    this.validateInternalToken(token);
+
+    const result = await this.trainingService.generateCertificate(
+      dto.memberId,
+      dto.organizationId,
+    );
+
+    if ('error' in result) {
+      throw new BadRequestException(result.error);
+    }
+
+    res.setHeader('Content-Type', 'application/pdf');
+    res.setHeader(
+      'Content-Disposition',
+      `attachment; filename="${result.fileName}"`,
+    );
+    res.send(result.pdf);
+  }
+}
diff --git a/apps/api/src/training/training.module.ts b/apps/api/src/training/training.module.ts
new file mode 100644
index 000000000..8bf61d95e
--- /dev/null
+++ b/apps/api/src/training/training.module.ts
@@ -0,0 +1,20 @@
+import { Module } from '@nestjs/common';
+import { TrainingController } from './training.controller';
+import { TrainingService } from './training.service';
+import { TrainingEmailService } from './training-email.service';
+import { TrainingCertificatePdfService } from './training-certificate-pdf.service';
+
+@Module({
+  controllers: [TrainingController],
+  providers: [
+    TrainingService,
+    TrainingEmailService,
+    TrainingCertificatePdfService,
+  ],
+  exports: [
+    TrainingService,
+    TrainingEmailService,
+    TrainingCertificatePdfService,
+  ],
+})
+export class TrainingModule {}
diff --git a/apps/api/src/training/training.service.ts b/apps/api/src/training/training.service.ts
new file mode 100644
index 000000000..517f67d59
--- /dev/null
+++ b/apps/api/src/training/training.service.ts
@@ -0,0 +1,194 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { db } from '@db';
+import { TrainingEmailService } from './training-email.service';
+import { TrainingCertificatePdfService } from './training-certificate-pdf.service';
+
+// Training video IDs - these must match what's in training-videos.ts
+const TRAINING_VIDEO_IDS = ['sat-1', 'sat-2', 'sat-3', 'sat-4', 'sat-5'];
+
+@Injectable()
+export class TrainingService {
+  private readonly logger = new Logger(TrainingService.name);
+
+  constructor(
+    private readonly trainingEmailService: TrainingEmailService,
+    private readonly trainingCertificatePdfService: TrainingCertificatePdfService,
+  ) {}
+
+  /**
+   * Check if a member has completed all training videos
+   */
+  async hasCompletedAllTraining(memberId: string): Promise<boolean> {
+    const completions = await db.employeeTrainingVideoCompletion.findMany({
+      where: {
+        memberId,
+        videoId: { in: TRAINING_VIDEO_IDS },
+        completedAt: { not: null },
+      },
+    });
+
+    return completions.length === TRAINING_VIDEO_IDS.length;
+  }
+
+  /**
+   * Get the completion date for training (the most recent video completion)
+   */
+  async getTrainingCompletionDate(memberId: string): Promise<Date | null> {
+    const completions = await db.employeeTrainingVideoCompletion.findMany({
+      where: {
+        memberId,
+        videoId: { in: TRAINING_VIDEO_IDS },
+        completedAt: { not: null },
+      },
+      orderBy: { completedAt: 'desc' },
+      take: 1,
+    });
+
+    if (completions.length === 0 || !completions[0].completedAt) {
+      return null;
+    }
+
+    return completions[0].completedAt;
+  }
+
+  /**
+   * Send training completion email with certificate if all training is complete
+   * Returns true if email was sent, false if training is not complete
+   */
+  async sendTrainingCompletionEmailIfComplete(
+    memberId: string,
+    organizationId: string,
+  ): Promise<{ sent: boolean; reason?: string }> {
+    // Check if all training is complete
+    const isComplete = await this.hasCompletedAllTraining(memberId);
+    if (!isComplete) {
+      return { sent: false, reason: 'training_not_complete' };
+    }
+
+    // Get member details
+    const member = await db.member.findUnique({
+      where: { id: memberId },
+      include: {
+        user: {
+          select: {
+            email: true,
+            name: true,
+          },
+        },
+        organization: {
+          select: {
+            name: true,
+          },
+        },
+      },
+    });
+
+    if (!member || !member.user) {
+      this.logger.warn(`Member not found or no user: ${memberId}`);
+      return { sent: false, reason: 'member_not_found' };
+    }
+
+    if (!member.user.email) {
+      this.logger.warn(`Member has no email: ${memberId}`);
+      return { sent: false, reason: 'no_email' };
+    }
+
+    // Check if member's organization matches
+    if (member.organizationId !== organizationId) {
+      this.logger.warn(
+        `Member organization mismatch: ${member.organizationId} !== ${organizationId}`,
+      );
+      return { sent: false, reason: 'organization_mismatch' };
+    }
+
+    // Get completion date
+    const completedAt = await this.getTrainingCompletionDate(memberId);
+    if (!completedAt) {
+      return { sent: false, reason: 'no_completion_date' };
+    }
+
+    // Send the email with certificate
+    try {
+      await this.trainingEmailService.sendTrainingCompletedEmail({
+        toEmail: member.user.email,
+        toName: member.user.name || 'Team Member',
+        organizationName: member.organization?.name || 'Your Organization',
+        completedAt,
+      });
+
+      this.logger.log(
+        `Training completion email sent to ${member.user.email} for member ${memberId}`,
+      );
+
+      return { sent: true };
+    } catch (error) {
+      this.logger.error(
+        `Failed to send training completion email to ${member.user.email}:`,
+        error,
+      );
+      throw error;
+    }
+  }
+
+  /**
+   * Generate a training certificate PDF for a member
+   * Returns the PDF as a Buffer, or null if training is not complete
+   */
+  async generateCertificate(
+    memberId: string,
+    organizationId: string,
+  ): Promise<{ pdf: Buffer; fileName: string } | { error: string }> {
+    // Check if all training is complete
+    const isComplete = await this.hasCompletedAllTraining(memberId);
+    if (!isComplete) {
+      return { error: 'training_not_complete' };
+    }
+
+    // Get member details
+    const member = await db.member.findUnique({
+      where: { id: memberId },
+      include: {
+        user: {
+          select: {
+            name: true,
+          },
+        },
+        organization: {
+          select: {
+            name: true,
+          },
+        },
+      },
+    });
+
+    if (!member || !member.user) {
+      return { error: 'member_not_found' };
+    }
+
+    // Check if member's organization matches
+    if (member.organizationId !== organizationId) {
+      return { error: 'organization_mismatch' };
+    }
+
+    // Get completion date
+    const completedAt = await this.getTrainingCompletionDate(memberId);
+    if (!completedAt) {
+      return { error: 'no_completion_date' };
+    }
+
+    const userName = member.user.name || 'Team Member';
+    const organizationName = member.organization?.name || 'Organization';
+
+    // Generate the PDF
+    const pdf =
+      await this.trainingCertificatePdfService.generateTrainingCertificatePdf({
+        userName,
+        organizationName,
+        completedAt,
+      });
+
+    const fileName = `training-certificate-${userName.replace(/\s+/g, '-').toLowerCase()}.pdf`;
+
+    return { pdf, fileName };
+  }
+}
diff --git a/apps/api/src/trigger/integration-platform/run-task-integration-checks.ts b/apps/api/src/trigger/integration-platform/run-task-integration-checks.ts
index c9945b617..025366f72 100644
--- a/apps/api/src/trigger/integration-platform/run-task-integration-checks.ts
+++ b/apps/api/src/trigger/integration-platform/run-task-integration-checks.ts
@@ -134,6 +134,7 @@ export const runTaskIntegrationChecks = task({
     // Track overall results across all checks for this task
     let totalFindings = 0;
     let totalPassing = 0;
+    let hasFailedChecks = false;
 
     // Run only the checks that apply to this task
     try {
@@ -159,6 +160,9 @@ export const runTaskIntegrationChecks = task({
         // Accumulate results
         totalFindings += checkResult.result.findings.length;
         totalPassing += checkResult.result.passingResults.length;
+        if (checkResult.status === 'failed' || checkResult.status === 'error') {
+          hasFailedChecks = true;
+        }
 
         // Store check run
         const checkRun = await db.integrationCheckRun.create({
@@ -228,15 +232,15 @@ export const runTaskIntegrationChecks = task({
       });
 
       // Update task status based on check results
-      // If any findings (failures), mark as failed
-      // If all passing and no findings, mark as done (only if not already done)
-      if (totalFindings > 0) {
+      // If any findings or check failures, mark as failed
+      // If all checks pass with no findings, mark as done (only if not already done)
+      if (totalFindings > 0 || hasFailedChecks) {
         await db.task.update({
           where: { id: taskId },
           data: { status: 'failed' },
         });
         logger.info(
-          `Task ${taskId} marked as failed due to ${totalFindings} findings`,
+          `Task ${taskId} marked as failed due to ${totalFindings} findings${hasFailedChecks ? ' and failed checks' : ''}`,
         );
       } else if (totalPassing > 0) {
         // Only update to done if not already done
@@ -282,7 +286,11 @@ export const runTaskIntegrationChecks = task({
         totalPassing,
         totalFindings,
         taskStatus:
-          totalFindings > 0 ? 'failed' : totalPassing > 0 ? 'done' : null,
+          totalFindings > 0 || hasFailedChecks
+            ? 'failed'
+            : totalPassing > 0
+              ? 'done'
+              : null,
       };
     } catch (error) {
       logger.error(`Failed to run checks for task ${taskId}`, {
diff --git a/apps/app/.env.example b/apps/app/.env.example
index be2acd8c1..680205be6 100644
--- a/apps/app/.env.example
+++ b/apps/app/.env.example
@@ -60,4 +60,7 @@ AUTH_MICROSOFT_CLIENT_ID=
 AUTH_MICROSOFT_CLIENT_SECRET=
 
 NOVU_API_KEY=
-NEXT_PUBLIC_NOVU_APPLICATION_IDENTIFIER=
\ No newline at end of file
+NEXT_PUBLIC_NOVU_APPLICATION_IDENTIFIER=
+
+# Internal API Authentication
+INTERNAL_API_TOKEN= # Shared secret for internal API calls (must match API's)
\ No newline at end of file
diff --git a/apps/app/src/actions/organization/accept-invitation.ts b/apps/app/src/actions/organization/accept-invitation.ts
index 5b907f49e..30731b97f 100644
--- a/apps/app/src/actions/organization/accept-invitation.ts
+++ b/apps/app/src/actions/organization/accept-invitation.ts
@@ -3,7 +3,6 @@
 import { createTrainingVideoEntries } from '@/lib/db/employee';
 import { db } from '@db';
 import { revalidatePath, revalidateTag } from 'next/cache';
-import { redirect } from 'next/navigation';
 import { z } from 'zod';
 import { authActionClientWithoutOrg } from '../safe-action';
 import type { ActionResponse } from '../types';
@@ -99,8 +98,16 @@ export const completeInvitation = authActionClientWithoutOrg
             });
           }
 
-          // Server redirect to the organization's root
-          redirect(`/${invitation.organizationId}/`);
+          revalidatePath(`/${invitation.organization.id}`);
+          revalidateTag(`user_${user.id}`, 'max');
+
+          return {
+            success: true,
+            data: {
+              accepted: true,
+              organizationId: invitation.organizationId,
+            },
+          };
         }
 
         if (!invitation.role) {
@@ -141,11 +148,16 @@ export const completeInvitation = authActionClientWithoutOrg
         revalidatePath(`/${invitation.organization.id}/settings/users`);
         revalidateTag(`user_${user.id}`, 'max');
 
-        // Server redirect to the organization's root
-        redirect(`/${invitation.organizationId}/`);
+        return {
+          success: true,
+          data: {
+            accepted: true,
+            organizationId: invitation.organizationId,
+          },
+        };
       } catch (error) {
         console.error('Error accepting invitation:', error);
-        throw new Error(error as string);
+        throw new Error(error instanceof Error ? error.message : String(error));
       }
     },
   );
diff --git a/apps/app/src/actions/organization/bulk-invite-employees.ts b/apps/app/src/actions/organization/bulk-invite-employees.ts
index cbc4e67db..6192e722a 100644
--- a/apps/app/src/actions/organization/bulk-invite-employees.ts
+++ b/apps/app/src/actions/organization/bulk-invite-employees.ts
@@ -1,7 +1,7 @@
 'use server';
 
+import { maskEmailForLogs } from '@/lib/mask-email';
 import { auth } from '@/utils/auth';
-import { authClient } from '@/utils/auth-client';
 import { createSafeActionClient } from 'next-safe-action';
 import { headers } from 'next/headers';
 import { z } from 'zod';
@@ -23,9 +23,12 @@ export const bulkInviteEmployees = createSafeActionClient()
   .inputSchema(schema)
   .action(async ({ parsedInput }) => {
     const { organizationId, emails } = parsedInput;
+    const requestId = crypto.randomUUID();
+    const startTime = Date.now();
 
     const session = await auth.api.getSession({ headers: await headers() });
     if (session?.session.activeOrganizationId !== organizationId) {
+      console.warn('[bulkInviteEmployees] unauthorized', { requestId, organizationId });
       return {
         success: false,
         error: 'Unauthorized or invalid organization.',
@@ -35,20 +38,44 @@ export const bulkInviteEmployees = createSafeActionClient()
     const results: InviteResult[] = [];
     let allSuccess = true;
 
+    console.info('[bulkInviteEmployees] start', {
+      requestId,
+      organizationId,
+      count: emails.length,
+    });
+
     for (const email of emails) {
       try {
-        await authClient.organization.inviteMember({
-          email: email,
-          role: 'employee',
+        await auth.api.createInvitation({
+          headers: await headers(),
+          body: {
+            email,
+            role: 'employee',
+            organizationId,
+          },
         });
         results.push({ email, success: true });
       } catch (error) {
         allSuccess = false;
-        console.error(`Failed to invite ${email}:`, error);
+        console.error('[bulkInviteEmployees] invite failed', {
+          requestId,
+          organizationId,
+          invitedEmail: maskEmailForLogs(email),
+          error: error instanceof Error ? error.message : String(error),
+        });
         const errorMessage = error instanceof Error ? error.message : 'Invitation failed';
         results.push({ email, success: false, error: errorMessage });
       }
     }
 
+    console.info('[bulkInviteEmployees] complete', {
+      requestId,
+      organizationId,
+      total: emails.length,
+      successCount: results.filter((result) => result.success).length,
+      failureCount: results.filter((result) => !result.success).length,
+      durationMs: Date.now() - startTime,
+    });
+
     return { success: true, data: results };
   });
diff --git a/apps/app/src/actions/organization/invite-employee.ts b/apps/app/src/actions/organization/invite-employee.ts
index d17e33fe9..d9db6b2e1 100644
--- a/apps/app/src/actions/organization/invite-employee.ts
+++ b/apps/app/src/actions/organization/invite-employee.ts
@@ -1,7 +1,9 @@
 'use server';
 
-import { authClient } from '@/utils/auth-client';
+import { maskEmailForLogs } from '@/lib/mask-email';
+import { auth } from '@/utils/auth';
 import { revalidatePath, revalidateTag } from 'next/cache';
+import { headers } from 'next/headers';
 import { z } from 'zod';
 import { authActionClient } from '../safe-action';
 import type { ActionResponse } from '../types';
@@ -22,8 +24,10 @@ export const inviteEmployee = authActionClient
   .inputSchema(inviteEmployeeSchema)
   .action(async ({ parsedInput, ctx }): Promise<ActionResponse<{ invited: boolean }>> => {
     const organizationId = ctx.session.activeOrganizationId;
+    const requestId = crypto.randomUUID();
 
     if (!organizationId) {
+      console.warn('[inviteEmployee] missing organization', { requestId });
       return {
         success: false,
         error: 'Organization not found',
@@ -31,23 +35,52 @@ export const inviteEmployee = authActionClient
     }
 
     const { email } = parsedInput; // Role is removed from input
+    const safeEmail = maskEmailForLogs(email);
+    const startTime = Date.now();
+
+    console.info('[inviteEmployee] start', {
+      requestId,
+      organizationId,
+      invitedEmail: safeEmail,
+      role: 'employee',
+    });
 
     try {
-      await authClient.organization.inviteMember({
-        email,
-        role: 'employee', // Hardcoded role
+      const inviteResult = await auth.api.createInvitation({
+        headers: await headers(),
+        body: {
+          email,
+          role: 'employee', // Hardcoded role
+          organizationId,
+        },
       });
 
       // Revalidate the employees list page
       revalidatePath(`/${organizationId}/people/all`);
       revalidateTag(`user_${ctx.user.id}`, 'max'); // Keep user tag revalidation
 
+      console.info('[inviteEmployee] success', {
+        requestId,
+        organizationId,
+        invitedEmail: safeEmail,
+        role: 'employee',
+        durationMs: Date.now() - startTime,
+        resultKeys: inviteResult && typeof inviteResult === 'object' ? Object.keys(inviteResult) : [],
+      });
+
       return {
         success: true,
         data: { invited: true },
       };
     } catch (error) {
-      console.error('Error inviting employee:', error);
+      console.error('[inviteEmployee] failure', {
+        requestId,
+        organizationId,
+        invitedEmail: safeEmail,
+        role: 'employee',
+        durationMs: Date.now() - startTime,
+        error: error instanceof Error ? error.message : String(error),
+      });
       const errorMessage = error instanceof Error ? error.message : 'Failed to invite employee';
       return {
         success: false,
diff --git a/apps/app/src/actions/organization/invite-member.ts b/apps/app/src/actions/organization/invite-member.ts
index 44c51e9b9..767a4666b 100644
--- a/apps/app/src/actions/organization/invite-member.ts
+++ b/apps/app/src/actions/organization/invite-member.ts
@@ -1,7 +1,9 @@
 'use server';
 
-import { authClient } from '@/utils/auth-client';
+import { maskEmailForLogs } from '@/lib/mask-email';
+import { auth } from '@/utils/auth';
 import { revalidatePath, revalidateTag } from 'next/cache';
+import { headers } from 'next/headers';
 import { z } from 'zod';
 import { authActionClient } from '../safe-action';
 import type { ActionResponse } from '../types';
@@ -22,8 +24,10 @@ export const inviteMember = authActionClient
   .inputSchema(inviteMemberSchema)
   .action(async ({ parsedInput, ctx }): Promise<ActionResponse<{ invited: boolean }>> => {
     const organizationId = ctx.session.activeOrganizationId;
+    const requestId = crypto.randomUUID();
 
     if (!organizationId) {
+      console.warn('[inviteMember] missing organization', { requestId });
       return {
         success: false,
         error: 'Organization not found',
@@ -31,22 +35,51 @@ export const inviteMember = authActionClient
     }
 
     const { email, role } = parsedInput;
+    const safeEmail = maskEmailForLogs(email);
+    const startTime = Date.now();
+
+    console.info('[inviteMember] start', {
+      requestId,
+      organizationId,
+      invitedEmail: safeEmail,
+      role,
+    });
 
     try {
-      await authClient.organization.inviteMember({
-        email,
-        role,
+      const inviteResult = await auth.api.createInvitation({
+        headers: await headers(),
+        body: {
+          email,
+          role,
+          organizationId,
+        },
       });
 
       revalidatePath(`/${organizationId}/settings/users`);
       revalidateTag(`user_${ctx.user.id}`, 'max');
 
+      console.info('[inviteMember] success', {
+        requestId,
+        organizationId,
+        invitedEmail: safeEmail,
+        role,
+        durationMs: Date.now() - startTime,
+        resultKeys: inviteResult && typeof inviteResult === 'object' ? Object.keys(inviteResult) : [],
+      });
+
       return {
         success: true,
         data: { invited: true },
       };
     } catch (error) {
-      console.error('Error inviting member:', error);
+      console.error('[inviteMember] failure', {
+        requestId,
+        organizationId,
+        invitedEmail: safeEmail,
+        role,
+        durationMs: Date.now() - startTime,
+        error: error instanceof Error ? error.message : String(error),
+      });
       const errorMessage = error instanceof Error ? error.message : 'Failed to invite member';
       return {
         success: false,
diff --git a/apps/app/src/app/(app)/[orgId]/auditor/(overview)/components/AuditorView.tsx b/apps/app/src/app/(app)/[orgId]/auditor/(overview)/components/AuditorView.tsx
index f990ac7cf..fc066ab3d 100644
--- a/apps/app/src/app/(app)/[orgId]/auditor/(overview)/components/AuditorView.tsx
+++ b/apps/app/src/app/(app)/[orgId]/auditor/(overview)/components/AuditorView.tsx
@@ -1,7 +1,22 @@
 'use client';
 
+import { downloadAllEvidenceZip } from '@/lib/evidence-download';
+import {
+  Button,
+  Popover,
+  PopoverContent,
+  PopoverDescription,
+  PopoverHeader,
+  PopoverTitle,
+  PopoverTrigger,
+  Switch,
+} from '@trycompai/design-system';
+import { ArrowDown } from '@trycompai/design-system/icons';
 import { Download } from 'lucide-react';
 import Image from 'next/image';
+import { useParams } from 'next/navigation';
+import { useState } from 'react';
+import { toast } from 'sonner';
 
 interface AuditorViewProps {
   initialContent: Record<string, string>;
@@ -20,29 +35,80 @@ export function AuditorView({
   cSuite,
   reportSignatory,
 }: AuditorViewProps) {
+  const params = useParams();
+  const orgId = params.orgId as string;
+  const [isDownloading, setIsDownloading] = useState(false);
+  const [includeJson, setIncludeJson] = useState(false);
+  const [isPopoverOpen, setIsPopoverOpen] = useState(false);
+
+  const handleDownloadAllEvidence = async () => {
+    setIsDownloading(true);
+    try {
+      await downloadAllEvidenceZip({
+        organizationId: orgId,
+        organizationName,
+        includeJson,
+      });
+      toast.success('Evidence package downloaded successfully');
+      setIsPopoverOpen(false);
+    } catch (err) {
+      toast.error('Failed to download evidence. Please try again.');
+      console.error('Evidence download error:', err);
+    } finally {
+      setIsDownloading(false);
+    }
+  };
+
   return (
     <div className="flex flex-col gap-10">
       {/* Header */}
-      <div className="flex items-center gap-4">
-        {logoUrl && (
-          <a
-            href={logoUrl}
-            download={`${organizationName.replace(/[^a-zA-Z0-9]/g, '_')}_logo`}
-            className="group relative h-14 w-14 shrink-0 overflow-hidden rounded-lg border bg-background transition-all hover:shadow-md"
-            title="Download logo"
-          >
-            <Image src={logoUrl} alt={`${organizationName} logo`} fill className="object-contain" />
-            <div className="absolute inset-0 flex items-center justify-center bg-black/50 opacity-0 transition-opacity group-hover:opacity-100">
-              <Download className="h-4 w-4 text-white" />
-            </div>
-          </a>
-        )}
-        <div>
-          <h1 className="text-foreground text-xl font-semibold tracking-tight">
-            {organizationName}
-          </h1>
-          <p className="text-muted-foreground text-sm">Company Overview</p>
+      <div className="flex items-center justify-between">
+        <div className="flex items-center gap-4">
+          {logoUrl && (
+            <a
+              href={logoUrl}
+              download={`${organizationName.replace(/[^a-zA-Z0-9]/g, '_')}_logo`}
+              className="group relative h-14 w-14 shrink-0 overflow-hidden rounded-lg border bg-background transition-all hover:shadow-md"
+              title="Download logo"
+            >
+              <Image src={logoUrl} alt={`${organizationName} logo`} fill className="object-contain" />
+              <div className="absolute inset-0 flex items-center justify-center bg-black/50 opacity-0 transition-opacity group-hover:opacity-100">
+                <Download className="h-4 w-4 text-white" />
+              </div>
+            </a>
+          )}
+          <div>
+            <h1 className="text-foreground text-xl font-semibold tracking-tight">
+              {organizationName}
+            </h1>
+            <p className="text-muted-foreground text-sm">Company Overview</p>
+          </div>
         </div>
+
+        {/* Download All Evidence Button */}
+        <Popover open={isPopoverOpen} onOpenChange={setIsPopoverOpen}>
+          <PopoverTrigger style={{ cursor: 'pointer' }}>
+            <Button variant="outline">Export All Evidence</Button>
+          </PopoverTrigger>
+          <PopoverContent align="end" side="bottom" sideOffset={8}>
+            <PopoverHeader>
+              <PopoverTitle>Export Options</PopoverTitle>
+              <PopoverDescription>Download all task evidence as ZIP</PopoverDescription>
+            </PopoverHeader>
+            <div className="flex items-center justify-between gap-3 py-1">
+              <span className="text-sm">Include raw JSON files</span>
+              <Switch checked={includeJson} onCheckedChange={(checked) => setIncludeJson(checked)} />
+            </div>
+            <Button
+              iconLeft={<ArrowDown />}
+              onClick={handleDownloadAllEvidence}
+              disabled={isDownloading}
+              width="full"
+            >
+              {isDownloading ? 'Preparing…' : 'Export'}
+            </Button>
+          </PopoverContent>
+        </Popover>
       </div>
 
       {/* Company Information */}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/FindingsOverview.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/FindingsOverview.tsx
new file mode 100644
index 000000000..d35037136
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/FindingsOverview.tsx
@@ -0,0 +1,235 @@
+'use client';
+
+import { Badge } from '@comp/ui/badge';
+import { Button } from '@comp/ui/button';
+import { Card, CardContent, CardHeader, CardTitle } from '@comp/ui/card';
+import { ScrollArea } from '@comp/ui/scroll-area';
+import { Finding, FindingStatus } from '@db';
+import { ArrowRight, CheckCircle2, FileWarning } from 'lucide-react';
+import Link from 'next/link';
+import { useMemo, useState } from 'react';
+
+const STATUS_COLORS: Record<FindingStatus, string> = {
+  open: 'bg-red-100 text-red-700 border-red-200',
+  ready_for_review: 'bg-yellow-100 text-yellow-700 border-yellow-200',
+  needs_revision: 'bg-orange-100 text-orange-700 border-orange-200',
+  closed: 'bg-primary/10 text-primary border-primary/20',
+};
+
+const STATUS_LABELS: Record<FindingStatus, string> = {
+  open: 'Open',
+  ready_for_review: 'Review',
+  needs_revision: 'Revision',
+  closed: 'Closed',
+};
+
+const TYPE_LABELS: Record<string, string> = {
+  soc2: 'SOC 2',
+  iso27001: 'ISO 27001',
+};
+
+// Filter button styles matching status colors
+const FILTER_BUTTON_STYLES: Record<FindingStatus, { active: string; inactive: string }> = {
+  open: {
+    active: 'bg-red-100 text-red-700 border-red-300 hover:bg-red-100',
+    inactive: 'hover:bg-red-50 hover:text-red-700 hover:border-red-200',
+  },
+  ready_for_review: {
+    active: 'bg-yellow-100 text-yellow-700 border-yellow-300 hover:bg-yellow-100',
+    inactive: 'hover:bg-yellow-50 hover:text-yellow-700 hover:border-yellow-200',
+  },
+  needs_revision: {
+    active: 'bg-orange-100 text-orange-700 border-orange-300 hover:bg-orange-100',
+    inactive: 'hover:bg-orange-50 hover:text-orange-700 hover:border-orange-200',
+  },
+  closed: {
+    active: 'bg-primary/10 text-primary border-primary/30 hover:bg-primary/10',
+    inactive: 'hover:bg-primary/5 hover:text-primary hover:border-primary/20',
+  },
+};
+
+// Order for displaying filter buttons
+const STATUS_DISPLAY_ORDER: FindingStatus[] = [
+  FindingStatus.open,
+  FindingStatus.needs_revision,
+  FindingStatus.ready_for_review,
+  FindingStatus.closed,
+];
+
+interface FindingWithTask extends Finding {
+  task: {
+    id: string;
+    title: string;
+  };
+}
+
+export function FindingsOverview({
+  findings,
+  organizationId,
+}: {
+  findings: FindingWithTask[];
+  organizationId: string;
+}) {
+  const [activeFilter, setActiveFilter] = useState<FindingStatus | null>(null);
+
+  // Sort findings by updatedAt only (most recently updated first)
+  const sortedFindings = useMemo(() => {
+    return [...findings].sort((a, b) => {
+      return new Date(b.updatedAt).getTime() - new Date(a.updatedAt).getTime();
+    });
+  }, [findings]);
+
+  // Filter findings based on active filter
+  const filteredFindings = useMemo(() => {
+    if (activeFilter === null) return sortedFindings;
+    return sortedFindings.filter((f) => f.status === activeFilter);
+  }, [sortedFindings, activeFilter]);
+
+  // Count by status for filter buttons
+  const statusCounts = useMemo(() => {
+    return findings.reduce(
+      (acc, finding) => {
+        acc[finding.status] = (acc[finding.status] || 0) + 1;
+        return acc;
+      },
+      {} as Record<FindingStatus, number>,
+    );
+  }, [findings]);
+
+  const closedCount = statusCounts.closed || 0;
+  const totalCount = findings.length;
+  const progressWidth = totalCount > 0 ? (closedCount / totalCount) * 100 : 100;
+
+  const handleFilterClick = (status: FindingStatus) => {
+    setActiveFilter((current) => (current === status ? null : status));
+  };
+
+  return (
+    <Card className="flex flex-col h-full">
+      <CardHeader className="pb-2">
+        <div className="flex items-center justify-between">
+          <CardTitle className="flex items-center gap-2">
+            <FileWarning className="h-4 w-4" />
+            Findings
+          </CardTitle>
+        </div>
+
+        <div className="bg-secondary/50 relative mt-2 h-1 w-full overflow-hidden rounded-full">
+          <div
+            className="bg-primary h-full transition-all"
+            style={{
+              width: `${progressWidth}%`,
+            }}
+          />
+        </div>
+        <p className="text-xs text-muted-foreground mt-1">
+          {closedCount} of {totalCount} findings resolved
+        </p>
+
+        {/* Status filter buttons */}
+        {totalCount > 0 && (
+          <div className="flex flex-wrap gap-1.5 mt-3">
+            {STATUS_DISPLAY_ORDER.map((status) => {
+              const count = statusCounts[status] || 0;
+              if (count === 0) return null;
+              const isActive = activeFilter === status;
+              const styles = FILTER_BUTTON_STYLES[status];
+
+              return (
+                <button
+                  key={status}
+                  type="button"
+                  onClick={() => handleFilterClick(status)}
+                  className={`
+                    inline-flex items-center gap-1.5 px-2 py-1 rounded-md text-xs font-medium
+                    border transition-colors cursor-pointer
+                    ${isActive ? styles.active : `bg-transparent border-border ${styles.inactive}`}
+                  `}
+                >
+                  {STATUS_LABELS[status]}
+                  <span
+                    className={`
+                      inline-flex items-center justify-center min-w-[18px] h-[18px] px-1 rounded text-[10px] font-semibold
+                      ${isActive ? 'bg-white/50' : 'bg-muted'}
+                    `}
+                  >
+                    {count}
+                  </span>
+                </button>
+              );
+            })}
+            {activeFilter !== null && (
+              <button
+                type="button"
+                onClick={() => setActiveFilter(null)}
+                className="inline-flex items-center px-2 py-1 rounded-md text-xs font-medium text-muted-foreground hover:text-foreground transition-colors cursor-pointer"
+              >
+                Clear
+              </button>
+            )}
+          </div>
+        )}
+      </CardHeader>
+
+      <CardContent className="flex flex-col flex-1">
+        {findings.length === 0 ? (
+          <div className="flex items-center justify-center gap-2 rounded-lg p-4 mt-2 bg-border/50">
+            <CheckCircle2 className="h-4 w-4 text-primary" />
+            <span className="text-sm text-primary">No findings</span>
+          </div>
+        ) : filteredFindings.length === 0 ? (
+          <div className="flex items-center justify-center gap-2 rounded-lg p-4 mt-2 bg-border/50">
+            <span className="text-sm text-muted-foreground">
+              No {activeFilter ? STATUS_LABELS[activeFilter].toLowerCase() : ''} findings
+            </span>
+          </div>
+        ) : (
+          <div className="h-[300px] mt-2">
+            <ScrollArea className="h-full">
+              <div className="space-y-0 pr-4">
+                {filteredFindings.map((finding, index) => (
+                  <div key={finding.id}>
+                    <div className="flex items-start justify-between py-3 px-1">
+                      <div className="flex items-start gap-3 flex-1 min-w-0">
+                        <div className="flex h-6 w-6 items-center justify-center rounded-full shrink-0">
+                          <FileWarning className="h-3 w-3" />
+                        </div>
+                        <div className="flex flex-col flex-1 min-w-0">
+                          <span className="text-sm font-medium text-foreground line-clamp-1">
+                            {finding.task.title}
+                          </span>
+                          <div className="flex items-center gap-2 mt-1 flex-wrap">
+                            <Badge
+                              variant="outline"
+                              className={`text-[10px] px-1.5 py-0 ${STATUS_COLORS[finding.status]}`}
+                            >
+                              {STATUS_LABELS[finding.status]}
+                            </Badge>
+                            <Badge variant="outline" className="text-[10px] px-1.5 py-0">
+                              {TYPE_LABELS[finding.type] || finding.type}
+                            </Badge>
+                          </div>
+                          <p className="text-xs text-muted-foreground mt-1 line-clamp-2">
+                            {finding.content}
+                          </p>
+                        </div>
+                      </div>
+                      <Button asChild size="icon" variant="outline" className="shrink-0 ml-2">
+                        <Link href={`/${organizationId}/tasks/${finding.task.id}`}>
+                          <ArrowRight className="h-3 w-3" />
+                        </Link>
+                      </Button>
+                    </div>
+                    {index < filteredFindings.length - 1 && (
+                      <div className="border-t border-muted/30" />
+                    )}
+                  </div>
+                ))}
+              </div>
+            </ScrollArea>
+          </div>
+        )}
+      </CardContent>
+    </Card>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx
index d8a19e24a..d2193cab3 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx
@@ -1,9 +1,10 @@
 'use client';
 
-import { FrameworkEditorFramework, Policy, Task } from '@db';
+import { Finding, FrameworkEditorFramework, Policy, Task } from '@db';
 import { FrameworkInstanceWithControls } from '../types';
 import { ComplianceOverview } from './ComplianceOverview';
 import { DraggableCards } from './DraggableCards';
+import { FindingsOverview } from './FindingsOverview';
 import { FrameworksOverview } from './FrameworksOverview';
 import { ToDoOverview } from './ToDoOverview';
 import { FrameworkInstanceWithComplianceScore } from './types';
@@ -27,6 +28,13 @@ export interface PeopleScore {
   completedMembers: number;
 }
 
+export interface FindingWithTask extends Finding {
+  task: {
+    id: string;
+    title: string;
+  };
+}
+
 export interface OverviewProps {
   frameworksWithControls: FrameworkInstanceWithControls[];
   frameworksWithCompliance: FrameworkInstanceWithComplianceScore[];
@@ -37,6 +45,7 @@ export interface OverviewProps {
   peopleScore: PeopleScore;
   currentMember: { id: string; role: string } | null;
   onboardingTriggerJobId: string | null;
+  findings: FindingWithTask[];
 }
 
 export const Overview = ({
@@ -49,6 +58,7 @@ export const Overview = ({
   peopleScore,
   currentMember,
   onboardingTriggerJobId,
+  findings,
 }: OverviewProps) => {
   return (
     <DraggableCards>
@@ -81,6 +91,7 @@ export const Overview = ({
         currentMember={currentMember}
         onboardingTriggerJobId={onboardingTriggerJobId}
       />
+      <FindingsOverview findings={findings} organizationId={organizationId} />
     </DraggableCards>
   );
 };
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx
index 3e1abe34d..eaffde8b7 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx
@@ -1,5 +1,5 @@
 import { auth } from '@/utils/auth';
-import { db } from '@db';
+import { db, FindingStatus } from '@db';
 import { headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import { cache } from 'react';
@@ -67,6 +67,7 @@ export default async function DashboardPage({ params }: { params: Promise<{ orgI
   });
 
   const scores = await getScores();
+  const findings = await getOrganizationFindings(organizationId);
 
   return (
     <Overview
@@ -79,6 +80,7 @@ export default async function DashboardPage({ params }: { params: Promise<{ orgI
       peopleScore={scores.peopleScore}
       currentMember={member}
       onboardingTriggerJobId={onboarding?.triggerJobId ?? null}
+      findings={findings}
     />
   );
 }
@@ -149,3 +151,25 @@ const getControlTasks = cache(async () => {
 
   return tasks;
 });
+
+const getOrganizationFindings = cache(async (organizationId: string) => {
+  const findings = await db.finding.findMany({
+    where: {
+      organizationId,
+    },
+    include: {
+      task: {
+        select: {
+          id: true,
+          title: true,
+        },
+      },
+    },
+    orderBy: [
+      { status: 'asc' },
+      { createdAt: 'desc' },
+    ],
+  });
+
+  return findings;
+});
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/actions/get-relevant-tasks.ts b/apps/app/src/app/(app)/[orgId]/integrations/actions/get-relevant-tasks.ts
index daddc5fef..0907a8875 100644
--- a/apps/app/src/app/(app)/[orgId]/integrations/actions/get-relevant-tasks.ts
+++ b/apps/app/src/app/(app)/[orgId]/integrations/actions/get-relevant-tasks.ts
@@ -15,12 +15,19 @@ const RelevantTasksSchema = z.object({
   ),
 });
 
-export async function getRelevantTasksForIntegration(
-  integrationName: string,
-  integrationDescription: string,
-  taskTemplates: Array<{ id: string; name: string; description: string }>,
-): Promise<{ taskTemplateId: string; taskName: string; reason: string; prompt: string }[]> {
-  if (taskTemplates.length === 0) {
+export async function getRelevantTasksForIntegration({
+  integrationName,
+  integrationDescription,
+  taskTemplates,
+  examplePrompts,
+}: {
+  integrationName: string;
+  integrationDescription: string;
+  taskTemplates: Array<{ id: string; name: string; description: string }>;
+  examplePrompts?: string[];
+}): Promise<{ taskTemplateId: string; taskName: string; reason: string; prompt: string }[]> {
+  // Defensive check for undefined or empty taskTemplates
+  if (!taskTemplates || taskTemplates.length === 0) {
     return [];
   }
 
@@ -36,14 +43,35 @@ export async function getRelevantTasksForIntegration(
     })
     .join('\n');
 
-  const systemPrompt = `GRC expert. Find tasks relevant to integration. Return JSON with an array of tasks. Each task must have: taskTemplateId, taskName, reason (1 sentence), prompt (actionable, ready to use). Be selective. ALWAYS return an array, even if there's only one task.`;
+  // Create a set of valid task IDs for validation
+  const validTaskIds = new Set(taskTemplates.map((t) => t.id));
 
-  const userPrompt = `Integration: ${integrationName} - ${integrationDescription}
+  const systemPrompt = `You are a GRC expert matching compliance tasks to integrations.
 
-Tasks (format: ID|Name|Description):
+CRITICAL RULES:
+1. Every prompt you generate MUST be specific to "${integrationName}" - use the exact integration name
+2. NEVER mention other vendors (e.g., don't say "Google Workspace" for Okta, don't say "Azure" for AWS)
+3. Prompts should be actionable and ready to execute against ${integrationName}
+4. Be selective - only return tasks that are clearly relevant to this specific integration
+5. ONLY use taskTemplateId values from the provided list - do not invent new IDs
+
+Return JSON with an array of tasks. Each task must have: taskTemplateId (from the list), taskName, reason (1 sentence), prompt (specific to ${integrationName}).`;
+
+  const examplePromptsSection =
+    examplePrompts && examplePrompts.length > 0
+      ? `\n\nExample prompts showing the style for ${integrationName}:\n${examplePrompts
+          .map((prompt, index) => `- ${prompt}`)
+          .join('\n')}\n\nUse these as inspiration - generate similar prompts that mention ${integrationName} specifically.`
+      : '';
+
+  const userPrompt = `Integration: ${integrationName}
+Description: ${integrationDescription}${examplePromptsSection}
+
+Available Tasks (format: ID|Name|Description):
 ${tasksList}
 
-Return ONLY clearly relevant tasks as an ARRAY. Format: {"relevantTasks": [{"taskTemplateId": "...", "taskName": "...", "reason": "...", "prompt": "..."}, ...]}`;
+Return ONLY tasks relevant to ${integrationName}. Each prompt MUST mention "${integrationName}" or be clearly specific to it.
+Format: {"relevantTasks": [{"taskTemplateId": "...", "taskName": "...", "reason": "...", "prompt": "..."}, ...]}`;
 
   const promptSize = (systemPrompt + userPrompt).length;
   console.log(`[getRelevantTasks] Prompt size: ${promptSize} chars, ${taskTemplates.length} tasks`);
@@ -69,11 +97,22 @@ Return ONLY clearly relevant tasks as an ARRAY. Format: {"relevantTasks": [{"tas
       }
     }
 
+    // Filter out any tasks with invalid taskTemplateIds (AI hallucination protection)
+    const validTasks = tasks.filter((task) => {
+      if (!validTaskIds.has(task.taskTemplateId)) {
+        console.warn(
+          `[getRelevantTasks] Filtered out invalid taskTemplateId: ${task.taskTemplateId}`,
+        );
+        return false;
+      }
+      return true;
+    });
+
     console.log(
-      `[getRelevantTasks] Generated ${tasks.length} tasks in ${duration}ms (tokens: ${usage?.totalTokens || 'unknown'})`,
+      `[getRelevantTasks] Generated ${validTasks.length} valid tasks (${tasks.length - validTasks.length} filtered) in ${duration}ms (tokens: ${usage?.totalTokens || 'unknown'})`,
     );
 
-    return tasks;
+    return validTasks;
   } catch (error) {
     console.error('Error generating relevant tasks:', error);
     // Try to extract tasks from error if available
@@ -86,9 +125,13 @@ Return ONLY clearly relevant tasks as an ARRAY. Format: {"relevantTasks": [{"tas
             const tasks = Array.isArray(parsed.relevantTasks)
               ? parsed.relevantTasks
               : [parsed.relevantTasks];
-            if (tasks.length > 0 && tasks[0].taskTemplateId) {
-              console.log(`[getRelevantTasks] Recovered ${tasks.length} tasks from error response`);
-              return tasks;
+            // Filter to only valid task IDs
+            const validTasks = tasks.filter(
+              (t: { taskTemplateId?: string }) => t.taskTemplateId && validTaskIds.has(t.taskTemplateId),
+            );
+            if (validTasks.length > 0) {
+              console.log(`[getRelevantTasks] Recovered ${validTasks.length} valid tasks from error response`);
+              return validTasks;
             }
           }
         }
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx b/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx
index ac9eaf0b3..111548c91 100644
--- a/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx
+++ b/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx
@@ -60,6 +60,7 @@ const providerNeedsConfiguration = (
 };
 
 interface RelevantTask {
+  taskId: string; // Actual task ID for navigation
   taskTemplateId: string;
   taskName: string;
   reason: string;
@@ -72,7 +73,7 @@ type UnifiedIntegration =
 
 interface PlatformIntegrationsProps {
   className?: string;
-  taskTemplates: Array<{ id: string; name: string; description: string }>;
+  taskTemplates: Array<{ id: string; taskId: string; name: string; description: string }>;
 }
 
 export function PlatformIntegrations({ className, taskTemplates }: PlatformIntegrationsProps) {
@@ -289,16 +290,32 @@ export function PlatformIntegrations({ className, taskTemplates }: PlatformInteg
     window.history.replaceState({}, '', url.toString());
   }, [searchParams, connections, providers, loadingConnections, loadingProviders]);
 
+  // Create a map from templateId to taskId for quick lookup
+  const templateToTaskMap = useMemo(
+    () => new Map(taskTemplates.map((t) => [t.id, t.taskId])),
+    [taskTemplates],
+  );
+
   // Custom integration task loading
   useEffect(() => {
-    if (selectedCustomIntegration && orgId && taskTemplates.length > 0) {
+    if (selectedCustomIntegration && orgId && taskTemplates && taskTemplates.length > 0) {
       setIsLoadingTasks(true);
-      getRelevantTasksForIntegration(
-        selectedCustomIntegration.name,
-        selectedCustomIntegration.description,
-        taskTemplates,
-      )
-        .then((tasks) => setRelevantTasks(tasks))
+      getRelevantTasksForIntegration({
+        integrationName: selectedCustomIntegration.name,
+        integrationDescription: selectedCustomIntegration.description,
+        taskTemplates: taskTemplates.map((t) => ({ id: t.id, name: t.name, description: t.description })),
+        examplePrompts: selectedCustomIntegration.examplePrompts,
+      })
+        .then((aiTasks) => {
+          // Map AI results to include actual taskId
+          const tasksWithIds = aiTasks
+            .map((task) => ({
+              ...task,
+              taskId: templateToTaskMap.get(task.taskTemplateId) || '',
+            }))
+            .filter((task) => task.taskId); // Only keep tasks we can navigate to
+          setRelevantTasks(tasksWithIds);
+        })
         .catch((error) => {
           console.error('Error fetching relevant tasks:', error);
           setRelevantTasks([]);
@@ -307,7 +324,7 @@ export function PlatformIntegrations({ className, taskTemplates }: PlatformInteg
     } else {
       setRelevantTasks([]);
     }
-  }, [selectedCustomIntegration, orgId, taskTemplates]);
+  }, [selectedCustomIntegration, orgId, taskTemplates, templateToTaskMap]);
 
   const handleCopyPrompt = (prompt: string) => {
     navigator.clipboard.writeText(prompt);
@@ -790,6 +807,30 @@ export function PlatformIntegrations({ className, taskTemplates }: PlatformInteg
                   </div>
                 </div>
 
+                {selectedCustomIntegration.examplePrompts.length > 0 && (
+                  <div className="space-y-3">
+                    <div className="flex items-center gap-2">
+                      <div className="w-8 h-8 rounded-lg bg-primary/10 flex items-center justify-center">
+                        <Sparkles className="w-4 h-4 text-primary" />
+                      </div>
+                      <h4 className="text-base font-semibold text-foreground">Example Prompts</h4>
+                    </div>
+                    <div className="space-y-2">
+                      {selectedCustomIntegration.examplePrompts.map((prompt, index) => (
+                        <button
+                          key={`${selectedCustomIntegration.id}-prompt-${index}`}
+                          onClick={() => handleCopyPrompt(prompt)}
+                          className="w-full p-3 rounded-lg bg-muted/40 border border-border/60 hover:border-primary/30 transition-colors text-left group"
+                        >
+                          <p className="text-sm text-foreground/80 group-hover:text-foreground">
+                            "{prompt}"
+                          </p>
+                        </button>
+                      ))}
+                    </div>
+                  </div>
+                )}
+
                 <div className="space-y-3">
                   <div className="flex items-center gap-2">
                     <div className="w-8 h-8 rounded-lg bg-primary/10 flex items-center justify-center">
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/components/TaskCard.tsx b/apps/app/src/app/(app)/[orgId]/integrations/components/TaskCard.tsx
index 6991b903e..2100d2d6d 100644
--- a/apps/app/src/app/(app)/[orgId]/integrations/components/TaskCard.tsx
+++ b/apps/app/src/app/(app)/[orgId]/integrations/components/TaskCard.tsx
@@ -1,13 +1,12 @@
 'use client';
 
-import { api } from '@/lib/api-client';
 import { Skeleton } from '@comp/ui/skeleton';
 import { ArrowRight, Loader2 } from 'lucide-react';
-import { useRouter } from 'next/navigation';
 import { useState } from 'react';
 import { toast } from 'sonner';
 
 interface RelevantTask {
+  taskId: string;
   taskTemplateId: string;
   taskName: string;
   reason: string;
@@ -16,45 +15,14 @@ interface RelevantTask {
 
 export function TaskCard({ task, orgId }: { task: RelevantTask; orgId: string }) {
   const [isNavigating, setIsNavigating] = useState(false);
-  const router = useRouter();
 
-  const handleCardClick = async () => {
+  const handleCardClick = () => {
     setIsNavigating(true);
-    toast.loading('Opening task automation...', { id: 'navigating' });
+    toast.success('Opening task automation...', { duration: 1000 });
 
-    try {
-      const response = await api.get<Array<{ id: string; taskTemplateId: string | null }>>(
-        '/v1/tasks',
-        orgId,
-      );
-
-      if (response.error || !response.data) {
-        throw new Error(response.error || 'Failed to fetch tasks');
-      }
-
-      const matchingTask = response.data.find(
-        (t) => t.taskTemplateId && t.taskTemplateId === task.taskTemplateId,
-      );
-
-      if (!matchingTask) {
-        toast.dismiss('navigating');
-        toast.error(`Task "${task.taskName}" not found. Please create it first.`);
-        setIsNavigating(false);
-        await router.push(`/${orgId}/tasks`);
-        return;
-      }
-
-      const url = `/${orgId}/tasks/${matchingTask.id}/automation/new?prompt=${encodeURIComponent(task.prompt)}`;
-      toast.dismiss('navigating');
-      toast.success('Redirecting...', { duration: 1000 });
-
-      window.location.href = url;
-    } catch (error) {
-      console.error('Error finding task:', error);
-      toast.dismiss('navigating');
-      toast.error('Failed to find task');
-      setIsNavigating(false);
-    }
+    // Navigate directly using the task ID we already have
+    const url = `/${orgId}/tasks/${task.taskId}/automation/new?prompt=${encodeURIComponent(task.prompt)}`;
+    window.location.href = url;
   };
 
   return (
@@ -114,4 +82,3 @@ export function TaskCardSkeleton() {
     </div>
   );
 }
-
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/page.tsx b/apps/app/src/app/(app)/[orgId]/integrations/page.tsx
index 50de6920d..4fc96033a 100644
--- a/apps/app/src/app/(app)/[orgId]/integrations/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/integrations/page.tsx
@@ -2,19 +2,38 @@ import { db } from '@db';
 import { PageHeader, PageLayout, Stack } from '@trycompai/design-system';
 import { PlatformIntegrations } from './components/PlatformIntegrations';
 
-export default async function IntegrationsPage() {
-  // Fetch task templates server-side
-  const taskTemplates = await db.frameworkEditorTaskTemplate.findMany({
+interface PageProps {
+  params: Promise<{ orgId: string }>;
+}
+
+export default async function IntegrationsPage({ params }: PageProps) {
+  const { orgId } = await params;
+
+  // Fetch organization's tasks that have a template (can be automated)
+  const orgTasks = await db.task.findMany({
+    where: {
+      organizationId: orgId,
+      taskTemplateId: { not: null },
+    },
     select: {
       id: true,
-      name: true,
+      title: true,
       description: true,
+      taskTemplateId: true,
     },
     orderBy: {
-      name: 'asc',
+      title: 'asc',
     },
   });
 
+  // Map to the format expected by the component
+  const taskTemplates = orgTasks.map((task) => ({
+    id: task.taskTemplateId as string, // Used as taskTemplateId for matching
+    taskId: task.id, // Actual task ID for navigation
+    name: task.title,
+    description: task.description,
+  }));
+
   return (
     <PageLayout>
       <Stack gap="md">
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/actions/download-training-certificate.ts b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/actions/download-training-certificate.ts
new file mode 100644
index 000000000..b316711db
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/actions/download-training-certificate.ts
@@ -0,0 +1,68 @@
+'use server';
+
+import { authActionClient } from '@/actions/safe-action';
+import { env } from '@/env.mjs';
+import { z } from 'zod';
+
+const downloadCertificateSchema = z.object({
+  memberId: z.string(),
+  organizationId: z.string(),
+});
+
+/**
+ * Downloads a training certificate PDF for a member by calling the API
+ */
+export const downloadTrainingCertificate = authActionClient
+  .inputSchema(downloadCertificateSchema)
+  .metadata({
+    name: 'downloadTrainingCertificate',
+    track: {
+      event: 'downloadTrainingCertificate',
+      channel: 'server',
+    },
+  })
+  .action(async ({ parsedInput, ctx }) => {
+    const { memberId, organizationId } = parsedInput;
+    const { session } = ctx;
+
+    // Verify the caller has access to this organization
+    if (session.activeOrganizationId !== organizationId) {
+      throw new Error(
+        'Unauthorized: You do not have access to this organization',
+      );
+    }
+
+    // Call the API to generate the certificate
+    const apiUrl =
+      env.NEXT_PUBLIC_API_URL ||
+      process.env.API_BASE_URL ||
+      'http://localhost:3333';
+
+    const internalToken = env.INTERNAL_API_TOKEN;
+    if (!internalToken) {
+      throw new Error('INTERNAL_API_TOKEN not configured');
+    }
+
+    const response = await fetch(`${apiUrl}/v1/training/generate-certificate`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'x-internal-token': internalToken,
+      },
+      body: JSON.stringify({
+        memberId,
+        organizationId,
+      }),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`Failed to generate certificate: ${errorText}`);
+    }
+
+    // Get the PDF as a buffer and convert to base64
+    const pdfBuffer = await response.arrayBuffer();
+    const pdfBase64 = Buffer.from(pdfBuffer).toString('base64');
+
+    return pdfBase64;
+  });
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx
index 0f7eea54f..a263922fc 100644
--- a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx
@@ -1,7 +1,7 @@
 'use client';
 
 import type { TrainingVideo } from '@/lib/data/training-videos';
-import type { EmployeeTrainingVideoCompletion, Member, Policy, User } from '@db';
+import type { EmployeeTrainingVideoCompletion, Member, Organization, Policy, User } from '@db';
 import { Stack } from '@trycompai/design-system';
 import type { FleetPolicy, Host } from '../../devices/types';
 import { EmployeeDetails } from './EmployeeDetails';
@@ -18,6 +18,7 @@ interface EmployeeDetailsProps {
   fleetPolicies: FleetPolicy[];
   host: Host;
   canEdit: boolean;
+  organization: Organization;
 }
 
 export function Employee({
@@ -27,6 +28,7 @@ export function Employee({
   fleetPolicies,
   host,
   canEdit,
+  organization,
 }: EmployeeDetailsProps) {
   return (
     <Stack gap="4">
@@ -37,6 +39,7 @@ export function Employee({
         trainingVideos={trainingVideos}
         fleetPolicies={fleetPolicies}
         host={host}
+        organization={organization}
       />
     </Stack>
   );
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/EmployeeTasks.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/EmployeeTasks.tsx
index 84db2e6b2..cf66e3446 100644
--- a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/EmployeeTasks.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/EmployeeTasks.tsx
@@ -1,9 +1,8 @@
 'use client';
 
 import type { TrainingVideo } from '@/lib/data/training-videos';
-import type { EmployeeTrainingVideoCompletion, Member, Policy, User } from '@db';
+import type { EmployeeTrainingVideoCompletion, Member, Organization, Policy, User } from '@db';
 
-import { cn } from '@/lib/utils';
 import { Card, CardContent, CardHeader, CardTitle } from '@comp/ui/card';
 import {
   Section,
@@ -14,8 +13,11 @@ import {
   TabsTrigger,
   Text,
 } from '@trycompai/design-system';
-import { AlertCircle, CheckCircle2, XCircle } from 'lucide-react';
+import { AlertCircle, Award, CheckCircle2, Download } from 'lucide-react';
 import type { FleetPolicy, Host } from '../../devices/types';
+import { PolicyItem } from '../../devices/components/PolicyItem';
+import { downloadTrainingCertificate } from '../actions/download-training-certificate';
+import { cn } from '@/lib/utils';
 
 export const EmployeeTasks = ({
   employee,
@@ -23,6 +25,7 @@ export const EmployeeTasks = ({
   trainingVideos,
   host,
   fleetPolicies,
+  organization,
 }: {
   employee: Member & {
     user: User;
@@ -33,7 +36,49 @@ export const EmployeeTasks = ({
   })[];
   host: Host;
   fleetPolicies: FleetPolicy[];
+  organization: Organization;
 }) => {
+  // Calculate training completion status
+  const completedVideos = trainingVideos.filter((v) => v.completedAt !== null);
+  const allTrainingComplete =
+    completedVideos.length === trainingVideos.length && trainingVideos.length > 0;
+
+  // Get the most recent completion date as the overall training completion date
+  const trainingCompletionDate = allTrainingComplete
+    ? completedVideos.reduce((latest, video) => {
+        if (!latest || !video.completedAt) return latest;
+        return video.completedAt > latest ? video.completedAt : latest;
+      }, completedVideos[0]?.completedAt || null)
+    : null;
+
+  const handleDownloadCertificate = async () => {
+    if (!trainingCompletionDate) return;
+
+    const result = await downloadTrainingCertificate({
+      memberId: employee.id,
+      organizationId: organization.id,
+    });
+
+    if (result?.data) {
+      // Convert base64 to blob and download
+      const byteCharacters = atob(result.data);
+      const byteNumbers = new Array(byteCharacters.length);
+      for (let i = 0; i < byteCharacters.length; i++) {
+        byteNumbers[i] = byteCharacters.charCodeAt(i);
+      }
+      const byteArray = new Uint8Array(byteNumbers);
+      const blob = new Blob([byteArray], { type: 'application/pdf' });
+
+      const url = window.URL.createObjectURL(blob);
+      const link = document.createElement('a');
+      link.href = url;
+      link.download = `training-certificate-${employee.user.name?.replace(/\s+/g, '-').toLowerCase() || 'employee'}.pdf`;
+      document.body.appendChild(link);
+      link.click();
+      document.body.removeChild(link);
+      window.URL.revokeObjectURL(url);
+    }
+  };
   return (
     <Section title="Employee Tasks">
       <Tabs defaultValue="policies">
@@ -75,40 +120,97 @@ export const EmployeeTasks = ({
           </TabsContent>
 
           <TabsContent value="training">
-            <Stack gap="sm">
-              {trainingVideos.length === 0 ? (
-                <div className="py-6 text-center">
-                  <Text variant="muted">No training videos required to watch.</Text>
-                </div>
-              ) : (
-                trainingVideos.map((video) => {
-                  const isCompleted = video.completedAt !== null;
-
-                  return (
+            <Stack gap="md">
+              {/* Training Completion Summary */}
+              {trainingVideos.length > 0 && (
+                <div
+                  className={cn(
+                    'flex items-center justify-between rounded-lg border p-4',
+                    allTrainingComplete
+                      ? 'border-primary/20 bg-primary/5'
+                      : 'border-muted bg-muted/30',
+                  )}
+                >
+                  <div className="flex items-center gap-3">
                     <div
-                      key={video.id}
-                      className="flex items-center justify-between gap-2 rounded-md border p-3"
+                      className={cn(
+                        'flex h-10 w-10 items-center justify-center rounded-full',
+                        allTrainingComplete ? 'bg-primary/10' : 'bg-muted',
+                      )}
                     >
-                      <Stack gap="xs">
-                        <div className="flex items-center gap-2">
-                          {isCompleted ? (
-                            <CheckCircle2 className="h-4 w-4 text-primary" />
-                          ) : (
-                            <AlertCircle className="h-4 w-4 text-destructive" />
-                          )}
-                          <Text>{video.metadata.title}</Text>
-                        </div>
-                        {isCompleted && (
-                          <Text size="xs" variant="muted">
-                            Completed -{' '}
-                            {video.completedAt && new Date(video.completedAt).toLocaleDateString()}
-                          </Text>
+                      <Award
+                        className={cn(
+                          'h-5 w-5',
+                          allTrainingComplete ? 'text-primary' : 'text-muted-foreground',
                         )}
-                      </Stack>
+                      />
                     </div>
-                  );
-                })
+                    <div>
+                      <Text weight="medium">
+                        {allTrainingComplete
+                          ? 'All Training Complete'
+                          : `${completedVideos.length}/${trainingVideos.length} Videos Completed`}
+                      </Text>
+                      {trainingCompletionDate && (
+                        <Text size="sm" variant="muted">
+                          Completed on{' '}
+                          {new Date(trainingCompletionDate).toLocaleDateString('en-US', {
+                            year: 'numeric',
+                            month: 'long',
+                            day: 'numeric',
+                          })}
+                        </Text>
+                      )}
+                    </div>
+                  </div>
+                  {allTrainingComplete && (
+                    <button
+                      onClick={handleDownloadCertificate}
+                      className="inline-flex items-center gap-2 rounded-lg border border-primary bg-primary px-3 py-1.5 text-sm font-medium text-primary-foreground transition-all duration-200 hover:bg-primary/90 hover:shadow-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary/20 focus-visible:ring-offset-1 cursor-pointer"
+                    >
+                      <Download className="h-3.5 w-3.5" />
+                      Certificate
+                    </button>
+                  )}
+                </div>
               )}
+
+              <Stack gap="sm">
+                {trainingVideos.length === 0 ? (
+                  <div className="py-6 text-center">
+                    <Text variant="muted">No training videos required to watch.</Text>
+                  </div>
+                ) : (
+                  trainingVideos.map((video) => {
+                    const isCompleted = video.completedAt !== null;
+
+                    return (
+                      <div
+                        key={video.id}
+                        className="flex items-center justify-between gap-2 rounded-md border p-3"
+                      >
+                        <Stack gap="xs">
+                          <div className="flex items-center gap-2">
+                            {isCompleted ? (
+                              <CheckCircle2 className="h-4 w-4 text-primary" />
+                            ) : (
+                              <AlertCircle className="h-4 w-4 text-destructive" />
+                            )}
+                            <Text>{video.metadata.title}</Text>
+                          </div>
+                          {isCompleted && (
+                            <Text size="xs" variant="muted">
+                              Completed -{' '}
+                              {video.completedAt &&
+                                new Date(video.completedAt).toLocaleDateString()}
+                            </Text>
+                          )}
+                        </Stack>
+                      </div>
+                    );
+                  })
+                )}
+              </Stack>
             </Stack>
           </TabsContent>
 
@@ -119,28 +221,7 @@ export const EmployeeTasks = ({
                   <CardTitle>{host.computer_name}&apos;s Policies</CardTitle>
                 </CardHeader>
                 <CardContent className="space-y-3">
-                  {fleetPolicies.map((policy) => (
-                    <div
-                      key={policy.id}
-                      className={cn(
-                        'hover:bg-muted/50 flex items-center justify-between rounded-md border border-l-4 p-3 shadow-sm transition-colors',
-                        policy.response === 'pass' ? 'border-l-primary' : 'border-l-destructive',
-                      )}
-                    >
-                      <Text weight="medium">{policy.name}</Text>
-                      {policy.response === 'pass' ? (
-                        <div className="flex items-center gap-1 text-primary">
-                          <CheckCircle2 size={16} />
-                          <Text size="sm">Pass</Text>
-                        </div>
-                      ) : (
-                        <div className="flex items-center gap-1 text-destructive">
-                          <XCircle size={16} />
-                          <Text size="sm">Fail</Text>
-                        </div>
-                      )}
-                    </div>
-                  ))}
+                  {fleetPolicies.map((policy) => <PolicyItem key={policy.id} policy={policy} />)}
                 </CardContent>
               </Card>
             ) : (
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/page.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/page.tsx
index 486da9a02..807a57078 100644
--- a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/page.tsx
@@ -13,6 +13,8 @@ import { headers } from 'next/headers';
 import { notFound, redirect } from 'next/navigation';
 import { Employee } from './components/Employee';
 
+const MDM_POLICY_ID = -9999;
+
 export default async function EmployeeDetailsPage({
   params,
 }: {
@@ -47,6 +49,15 @@ export default async function EmployeeDetailsPage({
     notFound();
   }
 
+  // Get organization for certificate generation
+  const organization = await db.organization.findUnique({
+    where: { id: orgId },
+  });
+
+  if (!organization) {
+    notFound();
+  }
+
   const { fleetPolicies, device } = await getFleetPolicies(employee);
 
   return (
@@ -68,6 +79,7 @@ export default async function EmployeeDetailsPage({
         fleetPolicies={fleetPolicies}
         host={device}
         canEdit={canEditMembers}
+        organization={organization}
       />
     </PageLayout>
   );
@@ -199,9 +211,38 @@ const getFleetPolicies = async (member: Member & { user: User }) => {
     }
 
     const deviceWithPolicies = await fleet.get(`/hosts/${device.id}`);
-    const fleetPolicies = deviceWithPolicies.data.host.policies || [];
-
-    return { fleetPolicies, device: deviceWithPolicies.data.host };
+    const host = deviceWithPolicies.data.host;
+
+    const results = await db.fleetPolicyResult.findMany({
+      where: {
+        organizationId: member.organizationId,
+        userId: member.userId,
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+
+    const platform = host.platform?.toLowerCase();
+    const osVersion = host.os_version?.toLowerCase();
+    const isMacOS =
+      platform === 'darwin' ||
+      platform === 'macos' ||
+      platform === 'osx' ||
+      osVersion?.includes('mac');
+
+    return {
+      fleetPolicies: [
+        ...(host.policies || []),
+        ...(isMacOS ? [{ id: MDM_POLICY_ID, name: 'MDM Enabled', response: host.mdm.connected_to_fleet ? 'pass' : 'fail' }] : []),
+      ].map((policy) => {
+        const policyResult = results.find((result) => result.fleetPolicyId === policy.id);
+        return {
+          ...policy,
+          response: policy.response === 'pass' || policyResult?.fleetPolicyResponse === 'pass' ? 'pass' : 'fail',
+          attachments: policyResult?.attachments || [],
+        };
+      }),
+      device: host
+    };
   } catch (error) {
     console.error(
       `Failed to get device using individual fleet label for member: ${member.id}`,
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/actions/addEmployeeWithoutInvite.ts b/apps/app/src/app/(app)/[orgId]/people/all/actions/addEmployeeWithoutInvite.ts
index 66d1da59d..8d72f710b 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/actions/addEmployeeWithoutInvite.ts
+++ b/apps/app/src/app/(app)/[orgId]/people/all/actions/addEmployeeWithoutInvite.ts
@@ -29,13 +29,25 @@ export const addEmployeeWithoutInvite = async ({
       },
     });
 
-    if (
-      !currentUserMember ||
-      (!currentUserMember.role.includes('admin') && !currentUserMember.role.includes('owner'))
-    ) {
+    if (!currentUserMember) {
       throw new Error("You don't have permission to add members.");
     }
 
+    const isAdmin =
+      currentUserMember.role.includes('admin') || currentUserMember.role.includes('owner');
+    const isAuditor = currentUserMember.role.includes('auditor');
+
+    if (!isAdmin && !isAuditor) {
+      throw new Error("You don't have permission to add members.");
+    }
+
+    if (isAuditor && !isAdmin) {
+      const onlyAuditorRole = roles.length === 1 && roles[0] === 'auditor';
+      if (!onlyAuditorRole) {
+        throw new Error("Auditors can only add users with the 'auditor' role.");
+      }
+    }
+
     let userId = '';
     const existingUser = await db.user.findFirst({
       where: {
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/actions/checkMemberStatus.ts b/apps/app/src/app/(app)/[orgId]/people/all/actions/checkMemberStatus.ts
index 0634cef8b..a94692482 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/actions/checkMemberStatus.ts
+++ b/apps/app/src/app/(app)/[orgId]/people/all/actions/checkMemberStatus.ts
@@ -28,7 +28,9 @@ export const checkMemberStatus = async ({
 
     if (
       !currentUserMember ||
-      (!currentUserMember.role.includes('admin') && !currentUserMember.role.includes('owner'))
+      (!currentUserMember.role.includes('admin') &&
+        !currentUserMember.role.includes('owner') &&
+        !currentUserMember.role.includes('auditor'))
     ) {
       throw new Error("You don't have permission to reactivate members.");
     }
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/actions/inviteNewMember.ts b/apps/app/src/app/(app)/[orgId]/people/all/actions/inviteNewMember.ts
new file mode 100644
index 000000000..30c12210a
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/people/all/actions/inviteNewMember.ts
@@ -0,0 +1,115 @@
+'use server';
+
+import { maskEmailForLogs } from '@/lib/mask-email';
+import { auth } from '@/utils/auth';
+import type { Role } from '@db';
+import { db } from '@db';
+import { headers } from 'next/headers';
+
+export const inviteNewMember = async ({
+  email,
+  organizationId,
+  roles,
+}: {
+  email: string;
+  organizationId: string;
+  roles: Role[];
+}) => {
+  const requestId = crypto.randomUUID();
+  const safeEmail = maskEmailForLogs(email);
+  const roleString = roles.join(',');
+  const startTime = Date.now();
+
+  console.info('[inviteNewMember] start', {
+    requestId,
+    organizationId,
+    invitedEmail: safeEmail,
+    roles: roleString,
+  });
+
+  try {
+    const session = await auth.api.getSession({ headers: await headers() });
+    if (!session?.session) {
+      console.warn('[inviteNewMember] missing session', { requestId, organizationId });
+      throw new Error('Authentication required.');
+    }
+
+    const currentUserId = session.session.userId;
+    const currentUserMember = await db.member.findFirst({
+      where: {
+        organizationId: organizationId,
+        userId: currentUserId,
+        deactivated: false,
+      },
+    });
+
+    if (!currentUserMember) {
+      console.warn('[inviteNewMember] inviter not in org', {
+        requestId,
+        organizationId,
+        inviterUserId: currentUserId,
+      });
+      throw new Error("You don't have permission to invite members.");
+    }
+
+    const isAdmin =
+      currentUserMember.role.includes('admin') || currentUserMember.role.includes('owner');
+    const isAuditor = currentUserMember.role.includes('auditor');
+
+    if (!isAdmin && !isAuditor) {
+      console.warn('[inviteNewMember] inviter lacks role', {
+        requestId,
+        organizationId,
+        inviterUserId: currentUserId,
+        inviterRole: currentUserMember.role,
+      });
+      throw new Error("You don't have permission to invite members.");
+    }
+
+    // Auditors can only invite other auditors
+    if (isAuditor && !isAdmin) {
+      const onlyAuditorRole = roles.length === 1 && roles[0] === 'auditor';
+      if (!onlyAuditorRole) {
+        console.warn('[inviteNewMember] auditor role mismatch', {
+          requestId,
+          organizationId,
+          inviterUserId: currentUserId,
+          invitedRoles: roleString,
+        });
+        throw new Error("Auditors can only invite users with the 'auditor' role.");
+      }
+    }
+
+    // Use server-side auth API to create the invitation
+    // Role should be a comma-separated string for multiple roles
+    const inviteResult = await auth.api.createInvitation({
+      headers: await headers(),
+      body: {
+        email: email.toLowerCase(),
+        role: roleString,
+        organizationId,
+      },
+    });
+
+    console.info('[inviteNewMember] success', {
+      requestId,
+      organizationId,
+      invitedEmail: safeEmail,
+      roles: roleString,
+      durationMs: Date.now() - startTime,
+      resultKeys: inviteResult && typeof inviteResult === 'object' ? Object.keys(inviteResult) : [],
+    });
+
+    return { success: true };
+  } catch (error) {
+    console.error('[inviteNewMember] failure', {
+      requestId,
+      organizationId,
+      invitedEmail: safeEmail,
+      roles: roleString,
+      durationMs: Date.now() - startTime,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    throw error;
+  }
+};
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/actions/sendInvitationEmail.ts b/apps/app/src/app/(app)/[orgId]/people/all/actions/sendInvitationEmail.ts
index 0d9b4d66f..bb9adb0da 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/actions/sendInvitationEmail.ts
+++ b/apps/app/src/app/(app)/[orgId]/people/all/actions/sendInvitationEmail.ts
@@ -29,13 +29,25 @@ export const sendInvitationEmailToExistingMember = async ({
       },
     });
 
-    if (
-      !currentUserMember ||
-      (!currentUserMember.role.includes('admin') && !currentUserMember.role.includes('owner'))
-    ) {
+    if (!currentUserMember) {
       throw new Error("You don't have permission to send invitations.");
     }
 
+    const isAdmin =
+      currentUserMember.role.includes('admin') || currentUserMember.role.includes('owner');
+    const isAuditor = currentUserMember.role.includes('auditor');
+
+    if (!isAdmin && !isAuditor) {
+      throw new Error("You don't have permission to send invitations.");
+    }
+
+    if (isAuditor && !isAdmin) {
+      const onlyAuditorRole = roles.length === 1 && roles[0] === 'auditor';
+      if (!onlyAuditorRole) {
+        throw new Error("Auditors can only add users with the 'auditor' role.");
+      }
+    }
+
     // Get organization name
     const organization = await db.organization.findUnique({
       where: { id: organizationId },
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/InviteMembersModal.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/InviteMembersModal.tsx
index bc04368b9..97443acc5 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/InviteMembersModal.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/InviteMembersModal.tsx
@@ -4,13 +4,12 @@ import type { Role } from '@db';
 import { zodResolver } from '@hookform/resolvers/zod';
 import { Loader2, PlusCircle, Trash2 } from 'lucide-react';
 import { useRouter } from 'next/navigation';
-import { useEffect, useState } from 'react';
+import { useMemo, useState } from 'react';
 import { Controller, useFieldArray, useForm } from 'react-hook-form';
 import { toast } from 'sonner';
 import { z } from 'zod';
 
 import type { ActionResponse } from '@/actions/types';
-import { authClient } from '@/utils/auth-client';
 import { Button } from '@comp/ui/button';
 import {
   Dialog,
@@ -33,51 +32,57 @@ import { Input } from '@comp/ui/input';
 import { Tabs, TabsContent, TabsList, TabsTrigger } from '@comp/ui/tabs';
 import { addEmployeeWithoutInvite } from '../actions/addEmployeeWithoutInvite';
 import { checkMemberStatus } from '../actions/checkMemberStatus';
+import { inviteNewMember } from '../actions/inviteNewMember';
 import { sendInvitationEmailToExistingMember } from '../actions/sendInvitationEmail';
 import { MultiRoleCombobox } from './MultiRoleCombobox';
 
 // --- Constants for Roles ---
-const selectableRoles = ['admin', 'auditor', 'employee', 'contractor'] as const satisfies Readonly<
-  [Role, ...Role[]]
->;
-type InviteRole = (typeof selectableRoles)[number];
+const ALL_SELECTABLE_ROLES = [
+  'admin',
+  'auditor',
+  'employee',
+  'contractor',
+] as const satisfies Readonly<[Role, ...Role[]]>;
+type InviteRole = (typeof ALL_SELECTABLE_ROLES)[number];
 const DEFAULT_ROLES: InviteRole[] = [];
 
-// Type guard to check if a string is a valid InviteRole
-const isInviteRole = (role: string): role is InviteRole => {
-  return role === 'admin' || role === 'auditor' || role === 'employee' || role === 'contractor';
+const isInviteRole = (role: string, allowedRoles: InviteRole[]): role is InviteRole => {
+  return allowedRoles.includes(role as InviteRole);
 };
 
-// --- Schemas ---
-const manualInviteSchema = z.object({
-  email: z.string().email({ message: 'Invalid email address.' }),
-  roles: z.array(z.enum(selectableRoles)).min(1, { message: 'Please select at least one role.' }),
-});
+const createFormSchema = (allowedRoles: InviteRole[]) => {
+  const roleEnum = z.enum(allowedRoles as [InviteRole, ...InviteRole[]]);
+  const manualInviteSchema = z.object({
+    email: z.string().email({ message: 'Invalid email address.' }),
+    roles: z.array(roleEnum).min(1, { message: 'Please select at least one role.' }),
+  });
 
-// Define base schemas for each mode
-const manualModeSchema = z.object({
-  mode: z.literal('manual'),
-  manualInvites: z.array(manualInviteSchema).min(1, { message: 'Please add at least one invite.' }),
-  csvFile: z.any().optional(), // Optional here, validated by union
-});
+  const manualModeSchema = z.object({
+    mode: z.literal('manual'),
+    manualInvites: z
+      .array(manualInviteSchema)
+      .min(1, { message: 'Please add at least one invite.' }),
+    csvFile: z.any().optional(), // Optional here, validated by union
+  });
 
-const csvModeSchema = z.object({
-  mode: z.literal('csv'),
-  manualInvites: z.array(manualInviteSchema).optional(), // Optional here
-  csvFile: z.any().refine((val) => val instanceof FileList && val.length === 1, {
-    message: 'Please select a single CSV file.',
-  }),
-});
+  const csvModeSchema = z.object({
+    mode: z.literal('csv'),
+    manualInvites: z.array(manualInviteSchema).optional(), // Optional here
+    csvFile: z.any().refine((val) => val instanceof FileList && val.length === 1, {
+      message: 'Please select a single CSV file.',
+    }),
+  });
 
-// Combine using discriminatedUnion
-const formSchema = z.discriminatedUnion('mode', [manualModeSchema, csvModeSchema]);
+  return z.discriminatedUnion('mode', [manualModeSchema, csvModeSchema]);
+};
 
-type FormData = z.infer<typeof formSchema>;
+type FormData = z.infer<ReturnType<typeof createFormSchema>>;
 
 interface InviteMembersModalProps {
   open: boolean;
   onOpenChange: (open: boolean) => void;
   organizationId: string;
+  allowedRoles: InviteRole[];
 }
 
 interface BulkInviteResultData {
@@ -92,6 +97,7 @@ export function InviteMembersModal({
   open,
   onOpenChange,
   organizationId,
+  allowedRoles,
 }: InviteMembersModalProps) {
   const router = useRouter();
   const [mode, setMode] = useState<'manual' | 'csv'>('manual');
@@ -99,6 +105,12 @@ export function InviteMembersModal({
   const [csvFileName, setCsvFileName] = useState<string | null>(null);
   const [lastResult, setLastResult] = useState<ActionResponse<BulkInviteResultData> | null>(null);
 
+  const normalizedAllowedRoles = allowedRoles.length > 0 ? allowedRoles : [...ALL_SELECTABLE_ROLES];
+  const formSchema = useMemo(
+    () => createFormSchema(normalizedAllowedRoles),
+    [normalizedAllowedRoles.join(',')],
+  );
+
   const form = useForm<FormData>({
     resolver: zodResolver(formSchema),
     defaultValues: {
@@ -114,13 +126,6 @@ export function InviteMembersModal({
     mode: 'onChange',
   });
 
-  // Log form errors on change
-  useEffect(() => {
-    if (Object.keys(form.formState.errors).length > 0) {
-      console.error('Form Validation Errors:', form.formState.errors);
-    }
-  }, [form.formState.errors]);
-
   const { fields, append, remove } = useFieldArray({
     control: form.control,
     name: 'manualInvites',
@@ -154,7 +159,7 @@ export function InviteMembersModal({
           return;
         }
 
-        // Process invitations client-side using authClient
+        // Process invitations
         let successCount = 0;
         const failedInvites: { email: string; error: string }[] = [];
 
@@ -185,10 +190,11 @@ export function InviteMembersModal({
                   roles: invite.roles,
                 });
               } else {
-                // Member doesn't exist - use authClient to send the invitation
-                await authClient.organization.inviteMember({
+                // Member doesn't exist - use server action to send the invitation
+                await inviteNewMember({
                   email: invite.email.toLowerCase(),
-                  role: invite.roles.length === 1 ? invite.roles[0] : invite.roles,
+                  organizationId,
+                  roles: invite.roles,
                 });
               }
             }
@@ -206,13 +212,13 @@ export function InviteMembersModal({
         if (successCount > 0) {
           toast.success(`Successfully invited ${successCount} member(s).`);
 
-          // Revalidate the page to refresh the member list
-          router.refresh();
-
           if (failedInvites.length === 0) {
             form.reset();
             onOpenChange(false);
           }
+
+          // Revalidate the page to refresh the member list
+          router.refresh();
         }
 
         if (failedInvites.length > 0) {
@@ -326,12 +332,12 @@ export function InviteMembersModal({
 
             // Validate role(s) - split by pipe for multiple roles
             const roles = roleValue.split('|').map((r) => r.trim());
-            const validRoles = roles.filter(isInviteRole);
+            const validRoles = roles.filter((role) => isInviteRole(role, normalizedAllowedRoles));
 
             if (validRoles.length === 0) {
               failedInvites.push({
                 email,
-                error: `Invalid role(s): ${roleValue}. Must be one of: ${selectableRoles.join(', ')}`,
+                error: `Invalid role(s): ${roleValue}. Must be one of: ${normalizedAllowedRoles.join(', ')}`,
               });
               continue;
             }
@@ -362,10 +368,11 @@ export function InviteMembersModal({
                     roles: validRoles,
                   });
                 } else {
-                  // Member doesn't exist - use authClient to send the invitation
-                  await authClient.organization.inviteMember({
+                  // Member doesn't exist - use server action to send the invitation
+                  await inviteNewMember({
                     email: email.toLowerCase(),
-                    role: validRoles,
+                    organizationId,
+                    roles: validRoles,
                   });
                 }
               }
@@ -383,13 +390,13 @@ export function InviteMembersModal({
           if (successCount > 0) {
             toast.success(`Successfully invited ${successCount} member(s).`);
 
-            // Revalidate the page to refresh the member list
-            router.refresh();
-
             if (failedInvites.length === 0) {
               form.reset();
               onOpenChange(false);
             }
+
+            // Revalidate the page to refresh the member list
+            router.refresh();
           }
 
           if (failedInvites.length > 0) {
@@ -429,12 +436,21 @@ export function InviteMembersModal({
     }
   };
 
-  const csvTemplate = `email,role
-john@company.com,employee
-jane@company.com,employee|admin
-bob@company.com,auditor
-sarah@company.com,employee|auditor
-mike@company.com,admin`;
+  const csvTemplate = useMemo(() => {
+    const primaryRole = normalizedAllowedRoles[0];
+    const secondaryRole = normalizedAllowedRoles[1];
+    const multiRoleExample =
+      normalizedAllowedRoles.length > 1 ? `${primaryRole}|${secondaryRole}` : primaryRole;
+
+    const rows = [
+      'email,role',
+      `john@company.com,${primaryRole}`,
+      `jane@company.com,${multiRoleExample}`,
+    ];
+
+    return rows.join('\n');
+  }, [normalizedAllowedRoles]);
+
   const csvTemplateDataUri = `data:text/csv;charset=utf-8,${encodeURIComponent(csvTemplate)}`;
 
   return (
@@ -488,6 +504,7 @@ mike@company.com,admin`;
                           <MultiRoleCombobox
                             selectedRoles={value || []}
                             onSelectedRolesChange={onChange}
+                            allowedRoles={normalizedAllowedRoles}
                             placeholder={'Select a role'}
                           />
                           <FormMessage>{error?.message}</FormMessage>
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
index b529666ff..a4643cd52 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
@@ -2,8 +2,8 @@
 
 import { Edit, Laptop, MoreHorizontal, Trash2 } from 'lucide-react';
 import Link from 'next/link';
-import { useParams, useRouter } from 'next/navigation';
-import { useRef, useState } from 'react';
+import { useParams } from 'next/navigation';
+import { useState } from 'react';
 
 import { Avatar, AvatarFallback, AvatarImage } from '@comp/ui/avatar';
 import { Badge } from '@comp/ui/badge';
@@ -15,7 +15,6 @@ import {
   DialogFooter,
   DialogHeader,
   DialogTitle,
-  DialogTrigger,
 } from '@comp/ui/dialog';
 import {
   DropdownMenu,
@@ -64,9 +63,7 @@ export function MemberRow({
   canEdit,
   isCurrentUserOwner,
 }: MemberRowProps) {
-  const params = useParams<{ orgId: string }>();
-  const router = useRouter();
-  const { orgId } = params;
+  const { orgId } = useParams<{ orgId: string }>();
 
   const [isRemoveAlertOpen, setIsRemoveAlertOpen] = useState(false);
   const [isRemoveDeviceAlertOpen, setIsRemoveDeviceAlertOpen] = useState(false);
@@ -78,8 +75,6 @@ export function MemberRow({
   const [isUpdating, setIsUpdating] = useState(false);
   const [isRemoving, setIsRemoving] = useState(false);
   const [isRemovingDevice, setIsRemovingDevice] = useState(false);
-  const dropdownTriggerRef = useRef<HTMLButtonElement>(null);
-  const focusRef = useRef<HTMLButtonElement | null>(null);
 
   const memberName = member.user.name || member.user.email || 'Member';
   const memberEmail = member.user.email || '';
@@ -95,26 +90,16 @@ export function MemberRow({
 
   const isOwner = currentRoles.includes('owner');
   const canRemove = !isOwner;
-
-  const isEmployee = currentRoles.includes('employee');
-  const isContractor = currentRoles.includes('contractor');
   const isDeactivated = member.deactivated;
   const canViewProfile = !isDeactivated;
   const profileHref = canViewProfile ? `/${orgId}/people/${memberId}` : null;
 
-  const handleDialogItemSelect = () => {
-    focusRef.current = dropdownTriggerRef.current;
-  };
-
-  const handleDialogOpenChange = (open: boolean) => {
-    setIsUpdateRolesOpen(open);
-    if (open === false) {
-      setDropdownOpen(false);
-    }
+  const handleEditRolesClick = () => {
+    setDropdownOpen(false); // Close dropdown first
+    setIsUpdateRolesOpen(true); // Then open dialog
   };
 
   const handleUpdateRolesClick = async () => {
-    console.log('handleUpdateRolesClick');
     let rolesToUpdate = selectedRoles;
     if (isOwner && !rolesToUpdate.includes('owner')) {
       rolesToUpdate = [...rolesToUpdate, 'owner'];
@@ -133,17 +118,20 @@ export function MemberRow({
 
   const handleRemoveClick = async () => {
     if (!canRemove) return;
-    setIsRemoving(true);
-    await onRemove(memberId);
-    setIsRemoving(false);
     setIsRemoveAlertOpen(false);
+    setIsRemoving(true);
+    try {
+      await onRemove(memberId);
+    } finally {
+      setIsRemoving(false);
+    }
   };
 
   const handleRemoveDeviceClick = async () => {
     try {
+      setIsRemoveDeviceAlertOpen(false);
       setIsRemovingDevice(true);
       await onRemoveDevice(memberId);
-      setIsRemoveDeviceAlertOpen(false);
     } catch (error) {
       toast.error(error instanceof Error ? error.message : 'Failed to unlink device');
     } finally {
@@ -232,82 +220,24 @@ export function MemberRow({
           {!isDeactivated && (
             <DropdownMenu open={dropdownOpen} onOpenChange={setDropdownOpen}>
               <DropdownMenuTrigger asChild>
-                <Button
-                  ref={dropdownTriggerRef}
-                  variant="ghost"
-                  size="sm"
-                  className="h-8 w-8 p-0"
-                  disabled={!canEdit}
-                >
+                <Button variant="ghost" size="sm" className="h-8 w-8 p-0" disabled={!canEdit}>
                   <MoreHorizontal className="h-4 w-4" />
                 </Button>
               </DropdownMenuTrigger>
-              <DropdownMenuContent
-                align="end"
-                hidden={isUpdateRolesOpen}
-                onCloseAutoFocus={(event) => {
-                  if (focusRef.current) {
-                    focusRef.current.focus();
-                    focusRef.current = null;
-                    event.preventDefault();
-                  }
-                }}
-              >
+              <DropdownMenuContent align="end">
                 {canEdit && (
-                  <Dialog open={isUpdateRolesOpen} onOpenChange={handleDialogOpenChange}>
-                    <DialogTrigger asChild>
-                      <DropdownMenuItem
-                        onSelect={(event) => {
-                          event.preventDefault();
-                          handleDialogItemSelect();
-                        }}
-                      >
-                        <Edit className="mr-2 h-4 w-4" />
-                        <span>{'Edit Roles'}</span>
-                      </DropdownMenuItem>
-                    </DialogTrigger>
-                    <DialogContent>
-                      <DialogHeader>
-                        <DialogTitle>{'Edit Member Roles'}</DialogTitle>
-                        <DialogDescription>
-                          {'Change roles for'} {memberName}
-                        </DialogDescription>
-                      </DialogHeader>
-                      <div className="space-y-4 py-4">
-                        <div className="space-y-2">
-                          <Label htmlFor={`role-${memberId}`}>{'Roles'}</Label>
-                          <MultiRoleCombobox
-                            selectedRoles={selectedRoles}
-                            onSelectedRolesChange={setSelectedRoles}
-                            placeholder={'Select a role'}
-                            lockedRoles={isOwner ? ['owner'] : []}
-                          />
-                          {isOwner && (
-                            <p className="text-muted-foreground mt-1 text-xs">
-                              {'The owner role cannot be removed.'}
-                            </p>
-                          )}
-                          <p className="text-muted-foreground mt-1 text-xs">
-                            {'Members must have at least one role.'}
-                          </p>
-                        </div>
-                      </div>
-                      <DialogFooter>
-                        <Button variant="outline" onClick={() => setIsUpdateRolesOpen(false)}>
-                          Cancel
-                        </Button>
-                        <Button
-                          onClick={handleUpdateRolesClick}
-                          disabled={isUpdating || selectedRoles.length === 0}
-                        >
-                          {'Update'}
-                        </Button>
-                      </DialogFooter>
-                    </DialogContent>
-                  </Dialog>
+                  <DropdownMenuItem onSelect={handleEditRolesClick}>
+                    <Edit className="mr-2 h-4 w-4" />
+                    <span>{'Edit Roles'}</span>
+                  </DropdownMenuItem>
                 )}
                 {member.fleetDmLabelId && isCurrentUserOwner && (
-                  <DropdownMenuItem onSelect={() => setIsRemoveDeviceAlertOpen(true)}>
+                  <DropdownMenuItem
+                    onSelect={() => {
+                      setDropdownOpen(false);
+                      setIsRemoveDeviceAlertOpen(true);
+                    }}
+                  >
                     <Laptop className="mr-2 h-4 w-4" />
                     <span>{'Remove Device'}</span>
                   </DropdownMenuItem>
@@ -315,7 +245,10 @@ export function MemberRow({
                 {canRemove && (
                   <DropdownMenuItem
                     className="text-destructive focus:text-destructive focus:bg-destructive/10"
-                    onSelect={() => setIsRemoveAlertOpen(true)}
+                    onSelect={() => {
+                      setDropdownOpen(false);
+                      setIsRemoveAlertOpen(true);
+                    }}
                   >
                     <Trash2 className="mr-2 h-4 w-4" />
                     <span>{'Remove Member'}</span>
@@ -341,6 +274,48 @@ export function MemberRow({
         onRemove={handleRemoveDeviceClick}
         isRemoving={isRemovingDevice}
       />
+
+      {/* Edit Roles Dialog - moved outside DropdownMenu to avoid overlay conflicts */}
+      <Dialog open={isUpdateRolesOpen} onOpenChange={setIsUpdateRolesOpen}>
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>{'Edit Member Roles'}</DialogTitle>
+            <DialogDescription>
+              {'Change roles for'} {memberName}
+            </DialogDescription>
+          </DialogHeader>
+          <div className="space-y-4 py-4">
+            <div className="space-y-2">
+              <Label htmlFor={`role-${memberId}`}>{'Roles'}</Label>
+              <MultiRoleCombobox
+                selectedRoles={selectedRoles}
+                onSelectedRolesChange={setSelectedRoles}
+                placeholder={'Select a role'}
+                lockedRoles={isOwner ? ['owner'] : []}
+              />
+              {isOwner && (
+                <p className="text-muted-foreground mt-1 text-xs">
+                  {'The owner role cannot be removed.'}
+                </p>
+              )}
+              <p className="text-muted-foreground mt-1 text-xs">
+                {'Members must have at least one role.'}
+              </p>
+            </div>
+          </div>
+          <DialogFooter>
+            <Button variant="outline" onClick={() => setIsUpdateRolesOpen(false)}>
+              Cancel
+            </Button>
+            <Button
+              onClick={handleUpdateRolesClick}
+              disabled={isUpdating || selectedRoles.length === 0}
+            >
+              {'Update'}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </>
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/MultiRoleCombobox.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/MultiRoleCombobox.tsx
index 694bfef7f..e655597ae 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/MultiRoleCombobox.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/MultiRoleCombobox.tsx
@@ -3,7 +3,7 @@
 import type { Role } from '@db';
 import * as React from 'react';
 
-import { Dialog, DialogContent } from '@comp/ui/dialog';
+import { Popover, PopoverContent, PopoverTrigger } from '@comp/ui/popover';
 import { MultiRoleComboboxContent } from './MultiRoleComboboxContent';
 import { MultiRoleComboboxTrigger } from './MultiRoleComboboxTrigger';
 
@@ -46,6 +46,7 @@ interface MultiRoleComboboxProps {
   placeholder?: string;
   disabled?: boolean;
   lockedRoles?: Role[]; // Roles that cannot be deselected
+  allowedRoles?: Role[];
 }
 
 export function MultiRoleCombobox({
@@ -54,6 +55,7 @@ export function MultiRoleCombobox({
   placeholder,
   disabled = false,
   lockedRoles = [],
+  allowedRoles,
 }: MultiRoleComboboxProps) {
   const [open, setOpen] = React.useState(false);
   const [searchTerm, setSearchTerm] = React.useState('');
@@ -67,10 +69,20 @@ export function MultiRoleCombobox({
 
   const isOwner = selectedRoles.includes('owner');
 
+  const normalizedAllowedRoles = React.useMemo(() => {
+    if (allowedRoles && allowedRoles.length > 0) {
+      return allowedRoles;
+    }
+    return selectableRoles.map((role) => role.value);
+  }, [allowedRoles]);
+
   // Filter out owner role for non-owners
   const availableRoles = React.useMemo(() => {
-    return selectableRoles.filter((role) => role.value !== 'owner' || isOwner);
-  }, [isOwner]);
+    return selectableRoles.filter(
+      (role) =>
+        normalizedAllowedRoles.includes(role.value) && (role.value !== 'owner' || isOwner),
+    );
+  }, [isOwner, normalizedAllowedRoles]);
 
   const handleSelect = (roleValue: Role) => {
     // Never allow owner role to be changed
@@ -116,30 +128,31 @@ export function MultiRoleCombobox({
   });
 
   return (
-    <>
-      <MultiRoleComboboxTrigger
-        selectedRoles={selectedRoles}
-        lockedRoles={lockedRoles}
-        triggerText={triggerText}
-        disabled={disabled}
-        handleSelect={handleSelect} // For badge clicks
-        getRoleLabel={getRoleLabel}
-        onClick={() => setOpen(true)}
-        ariaExpanded={open}
-      />
-      <Dialog open={open} onOpenChange={setOpen}>
-        <DialogContent className="p-0">
-          <MultiRoleComboboxContent
-            searchTerm={searchTerm}
-            setSearchTerm={setSearchTerm}
-            filteredRoles={filteredRoles}
-            handleSelect={handleSelect} // For item selection
-            lockedRoles={lockedRoles}
+    <Popover open={open} onOpenChange={setOpen}>
+      <PopoverTrigger asChild>
+        <div>
+          <MultiRoleComboboxTrigger
             selectedRoles={selectedRoles}
-            onCloseDialog={() => setOpen(false)}
+            lockedRoles={lockedRoles}
+            triggerText={triggerText}
+            disabled={disabled}
+            handleSelect={handleSelect}
+            getRoleLabel={getRoleLabel}
+            ariaExpanded={open}
           />
-        </DialogContent>
-      </Dialog>
-    </>
+        </div>
+      </PopoverTrigger>
+      <PopoverContent className="w-[200px] p-0" align="start">
+        <MultiRoleComboboxContent
+          searchTerm={searchTerm}
+          setSearchTerm={setSearchTerm}
+          filteredRoles={filteredRoles}
+          handleSelect={handleSelect}
+          lockedRoles={lockedRoles}
+          selectedRoles={selectedRoles}
+          onCloseDialog={() => setOpen(false)}
+        />
+      </PopoverContent>
+    </Popover>
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/PendingInvitationRow.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/PendingInvitationRow.tsx
index ff561a63d..19349a629 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/PendingInvitationRow.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/PendingInvitationRow.tsx
@@ -10,7 +10,6 @@ import {
   DialogFooter,
   DialogHeader,
   DialogTitle,
-  DialogTrigger,
 } from '@comp/ui/dialog';
 import {
   DropdownMenu,
@@ -20,7 +19,7 @@ import {
 } from '@comp/ui/dropdown-menu';
 import type { Invitation } from '@db';
 import { Clock, MoreHorizontal, Trash2 } from 'lucide-react';
-import { useEffect, useMemo, useRef, useState } from 'react';
+import { useEffect, useMemo, useState } from 'react';
 
 interface PendingInvitationRowProps {
   invitation: Invitation & {
@@ -39,23 +38,15 @@ export function PendingInvitationRow({
   const [isCancelDialogOpen, setIsCancelDialogOpen] = useState(false);
   const [isCancelling, setIsCancelling] = useState(false);
   const [dropdownOpen, setDropdownOpen] = useState(false);
-  const dropdownTriggerRef = useRef<HTMLButtonElement>(null);
-  const focusRef = useRef<HTMLButtonElement | null>(null);
-
-  const handleDialogItemSelect = () => {
-    focusRef.current = dropdownTriggerRef.current;
-  };
-
   const [pendingRemove, setPendingRemove] = useState(false);
 
-  const handleDialogOpenChange = (open: boolean) => {
+  const handleCancelDialogOpenChange = (open: boolean) => {
     setIsCancelDialogOpen(open);
-    if (!open) {
-      setDropdownOpen(false);
-      setTimeout(() => {
-        dropdownTriggerRef.current?.focus();
-      }, 0);
-    }
+  };
+
+  const handleOpenCancelDialog = () => {
+    setDropdownOpen(false);
+    setIsCancelDialogOpen(true);
   };
 
   const handleCancelClick = () => {
@@ -111,7 +102,6 @@ export function PendingInvitationRow({
           </div>
           <DropdownMenu open={dropdownOpen} onOpenChange={setDropdownOpen}>
             <DropdownMenuTrigger
-              ref={dropdownTriggerRef}
               asChild
               disabled={isCancelling || !canCancel}
             >
@@ -120,61 +110,42 @@ export function PendingInvitationRow({
                 <span className="sr-only">Open menu</span>
               </Button>
             </DropdownMenuTrigger>
-            <DropdownMenuContent
-              align="end"
-              hidden={isCancelDialogOpen}
-              onCloseAutoFocus={(event) => {
-                if (focusRef.current) {
-                  focusRef.current.focus();
-                  focusRef.current = null;
-                  event.preventDefault();
-                }
-              }}
-            >
-              <Dialog open={isCancelDialogOpen} onOpenChange={handleDialogOpenChange}>
-                <DialogTrigger asChild>
-                  <DropdownMenuItem
-                    className="text-destructive focus:text-destructive focus:bg-destructive/10"
-                    onSelect={(event) => {
-                      event.preventDefault();
-                    }}
-                  >
-                    <Trash2 className="mr-2 h-4 w-4" />
-                    <span>Cancel Invitation</span>
-                  </DropdownMenuItem>
-                </DialogTrigger>
-                <DialogContent
-                  className="space-y-4 py-4"
-                  onInteractOutside={(e) => e.preventDefault()}
-                  showCloseButton={false}
-                >
-                  <DialogHeader>
-                    <DialogTitle>Cancel Invitation</DialogTitle>
-                    <DialogDescription>
-                      Are you sure you want to cancel the invitation for {invitation.email}?
-                    </DialogDescription>
-                  </DialogHeader>
-                  <p className="text-muted-foreground mt-1 text-xs">
-                    This action cannot be undone.
-                  </p>
-                  <DialogFooter>
-                    <Button variant="outline" onClick={() => setIsCancelDialogOpen(false)}>
-                      Cancel
-                    </Button>
-                    <Button
-                      variant="destructive"
-                      onClick={handleCancelClick}
-                      disabled={isCancelling}
-                    >
-                      Confirm
-                    </Button>
-                  </DialogFooter>
-                </DialogContent>
-              </Dialog>
+            <DropdownMenuContent align="end">
+              <DropdownMenuItem
+                className="text-destructive focus:text-destructive focus:bg-destructive/10"
+                onSelect={handleOpenCancelDialog}
+              >
+                <Trash2 className="mr-2 h-4 w-4" />
+                <span>Cancel Invitation</span>
+              </DropdownMenuItem>
             </DropdownMenuContent>
           </DropdownMenu>
         </div>
       </div>
+
+      <Dialog open={isCancelDialogOpen} onOpenChange={handleCancelDialogOpenChange}>
+        <DialogContent
+          className="space-y-4 py-4"
+          onInteractOutside={(e) => e.preventDefault()}
+          showCloseButton={false}
+        >
+          <DialogHeader>
+            <DialogTitle>Cancel Invitation</DialogTitle>
+            <DialogDescription>
+              Are you sure you want to cancel the invitation for {invitation.email}?
+            </DialogDescription>
+          </DialogHeader>
+          <p className="text-muted-foreground mt-1 text-xs">This action cannot be undone.</p>
+          <DialogFooter>
+            <Button variant="outline" onClick={() => setIsCancelDialogOpen(false)}>
+              Cancel
+            </Button>
+            <Button variant="destructive" onClick={handleCancelClick} disabled={isCancelling}>
+              Confirm
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </>
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/RemoveDeviceAlert.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/RemoveDeviceAlert.tsx
index b639432e1..f02f22524 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/RemoveDeviceAlert.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/RemoveDeviceAlert.tsx
@@ -2,7 +2,6 @@
 
 import {
   AlertDialog,
-  AlertDialogAction,
   AlertDialogCancel,
   AlertDialogContent,
   AlertDialogDescription,
@@ -10,6 +9,7 @@ import {
   AlertDialogHeader,
   AlertDialogTitle,
 } from '@comp/ui/alert-dialog';
+import { Button } from '@comp/ui/button';
 
 interface RemoveDeviceAlertProps {
   open: boolean;
@@ -38,9 +38,9 @@ export function RemoveDeviceAlert({
         </AlertDialogHeader>
         <AlertDialogFooter>
           <AlertDialogCancel>{'Cancel'}</AlertDialogCancel>
-          <AlertDialogAction onClick={onRemove} disabled={isRemoving}>
+          <Button variant="destructive" onClick={onRemove} disabled={isRemoving}>
             {'Remove'}
-          </AlertDialogAction>
+          </Button>
         </AlertDialogFooter>
       </AlertDialogContent>
     </AlertDialog>
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/RemoveMemberAlert.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/RemoveMemberAlert.tsx
index 58462ef1a..28c7f5860 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/RemoveMemberAlert.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/RemoveMemberAlert.tsx
@@ -2,7 +2,6 @@
 
 import {
   AlertDialog,
-  AlertDialogAction,
   AlertDialogCancel,
   AlertDialogContent,
   AlertDialogDescription,
@@ -10,6 +9,7 @@ import {
   AlertDialogHeader,
   AlertDialogTitle,
 } from '@comp/ui/alert-dialog';
+import { Button } from '@comp/ui/button';
 
 interface RemoveMemberAlertProps {
   open: boolean;
@@ -38,9 +38,9 @@ export function RemoveMemberAlert({
         </AlertDialogHeader>
         <AlertDialogFooter>
           <AlertDialogCancel>{'Cancel'}</AlertDialogCancel>
-          <AlertDialogAction onClick={onRemove} disabled={isRemoving}>
+          <Button variant="destructive" onClick={onRemove} disabled={isRemoving}>
             {'Remove'}
-          </AlertDialogAction>
+          </Button>
         </AlertDialogFooter>
       </AlertDialogContent>
     </AlertDialog>
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembers.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembers.tsx
index 99b4be700..533644ea3 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembers.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembers.tsx
@@ -38,6 +38,8 @@ export async function TeamMembers() {
   // Parse roles from comma-separated string and check if user has admin or owner role
   const currentUserRoles = currentUserMember?.role?.split(',').map((r) => r.trim()) ?? [];
   const canManageMembers = currentUserRoles.some((role) => ['owner', 'admin'].includes(role));
+  const isAuditor = currentUserRoles.includes('auditor');
+  const canInviteUsers = canManageMembers || isAuditor;
   const isCurrentUserOwner = currentUserRoles.includes('owner');
 
   let members: MemberWithUser[] = [];
@@ -86,6 +88,8 @@ export async function TeamMembers() {
       removeMemberAction={removeMember}
       revokeInvitationAction={revokeInvitation}
       canManageMembers={canManageMembers}
+      canInviteUsers={canInviteUsers}
+      isAuditor={isAuditor}
       isCurrentUserOwner={isCurrentUserOwner}
       employeeSyncData={employeeSyncData}
     />
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx
index 3a96aa9d0..ef42ff910 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx
@@ -35,6 +35,8 @@ interface TeamMembersClientProps {
   removeMemberAction: typeof removeMember;
   revokeInvitationAction: typeof revokeInvitation;
   canManageMembers: boolean;
+  canInviteUsers: boolean;
+  isAuditor: boolean;
   isCurrentUserOwner: boolean;
   employeeSyncData: EmployeeSyncConnectionsData;
 }
@@ -57,6 +59,8 @@ export function TeamMembersClient({
   removeMemberAction,
   revokeInvitationAction,
   canManageMembers,
+  canInviteUsers,
+  isAuditor,
   isCurrentUserOwner,
   employeeSyncData,
 }: TeamMembersClientProps) {
@@ -249,6 +253,9 @@ export function TeamMembersClient({
         open={isInviteModalOpen}
         onOpenChange={setIsInviteModalOpen}
         organizationId={organizationId}
+        allowedRoles={
+          canManageMembers ? ['admin', 'auditor', 'employee', 'contractor'] : ['auditor']
+        }
       />
 
       <div className="mb-4 flex items-center justify-between gap-4">
@@ -431,7 +438,7 @@ export function TeamMembersClient({
             </Select>
           </div>
         )}
-        <Button onClick={() => setIsInviteModalOpen(true)} disabled={!canManageMembers}>
+        <Button onClick={() => setIsInviteModalOpen(true)} disabled={!canInviteUsers}>
           <UserPlus className="h-4 w-4" />
           {'Add User'}
         </Button>
@@ -475,7 +482,11 @@ export function TeamMembersClient({
               <p className="text-muted-foreground mt-2 max-w-xs text-sm">
                 {'Get started by inviting your first team member.'}
               </p>
-              <Button className="mt-4" onClick={() => setIsInviteModalOpen(true)}>
+              <Button
+                className="mt-4"
+                onClick={() => setIsInviteModalOpen(true)}
+                disabled={!canInviteUsers}
+              >
                 <UserPlus className="mr-2 h-4 w-4" />
                 {'Add User'}
               </Button>
diff --git a/apps/app/src/app/(app)/[orgId]/people/devices/components/PolicyImagePreview.tsx b/apps/app/src/app/(app)/[orgId]/people/devices/components/PolicyImagePreview.tsx
index 22b90b4a3..f38dd9234 100644
--- a/apps/app/src/app/(app)/[orgId]/people/devices/components/PolicyImagePreview.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/devices/components/PolicyImagePreview.tsx
@@ -1,5 +1,6 @@
 import useSWR from 'swr';
 import Image from 'next/image';
+import { useParams } from 'next/navigation';
 
 const fetcher = async (key: string) => {
   const res = await fetch(key, { cache: 'no-store' });
@@ -14,8 +15,15 @@ const fetcher = async (key: string) => {
 };
 
 export function PolicyImagePreview({ image }: { image: string }) {
+  const params = useParams<{ orgId: string }>();
+  const orgIdParam = params?.orgId;
+  const organizationId = Array.isArray(orgIdParam) ? orgIdParam[0] : orgIdParam;
+
   const { data: signedUrl, error, isLoading } = useSWR(
-    () => (image ? `/api/get-image-url?key=${encodeURIComponent(image)}` : null),
+    () =>
+      image && organizationId
+        ? `/api/get-image-url?key=${encodeURIComponent(image)}&organizationId=${encodeURIComponent(organizationId)}`
+        : null,
     fetcher,
   );
 
diff --git a/apps/app/src/app/(app)/[orgId]/policies/(overview)/components/policy-assignee-chart.tsx b/apps/app/src/app/(app)/[orgId]/policies/(overview)/components/policy-assignee-chart.tsx
index 692311cc6..8c186ec8e 100644
--- a/apps/app/src/app/(app)/[orgId]/policies/(overview)/components/policy-assignee-chart.tsx
+++ b/apps/app/src/app/(app)/[orgId]/policies/(overview)/components/policy-assignee-chart.tsx
@@ -44,17 +44,23 @@ export function PolicyAssigneeChart({ data }: PolicyAssigneeChartProps) {
 
   // Calculate totals for footer
   const totalAssignees = data?.length ?? 0;
-  const totalAssignedPolicies = data?.reduce((sum, a) => sum + a.total, 0) ?? 0;
 
   if (!data || data.length === 0) {
     return (
       <Card title="Policies by Assignee" width="full" size="sm" spacing="tight">
-        <div className="flex h-[140px] flex-col items-center justify-center gap-2">
+        <div className="flex h-[120px] flex-col items-center justify-center gap-2">
           <UserMultiple size={20} className="text-muted-foreground opacity-30" />
           <Text size="xs" variant="muted">
             No policies assigned to users
           </Text>
         </div>
+        <div className="border-t border-border pt-3 mt-3">
+          <HStack justify="end" align="center">
+            <Text size="xs" variant="muted">
+              0 assignees
+            </Text>
+          </HStack>
+        </div>
       </Card>
     );
   }
@@ -72,21 +78,27 @@ export function PolicyAssigneeChart({ data }: PolicyAssigneeChartProps) {
     },
   } satisfies ChartConfig;
 
-  // Dynamic height based on number of assignees
-  const barHeight = 28;
-  const chartHeight = Math.max(sortedData.length * barHeight, 80);
+  // Fixed height to match Policy Status chart, with scrolling for many assignees
+  const barHeight = 24;
+  const chartHeight = sortedData.length * barHeight;
+  const containerHeight = 120; // Match Policy Status chart height
+  const actualChartHeight = Math.max(chartHeight, containerHeight);
 
   const showingLimited = totalAssignees > 5;
 
   return (
     <Card title="Policies by Assignee" width="full" size="sm" spacing="tight">
-      <div className="flex h-[120px] items-center px-2">
-        <ChartContainer config={chartConfig} className="w-full">
-          <ResponsiveContainer width="100%" height={chartHeight}>
+      <div className="flex items-center px-2 h-[120px] overflow-y-auto">
+        <ChartContainer
+          config={chartConfig}
+          className="w-full"
+          style={{ height: actualChartHeight }}
+        >
+          <ResponsiveContainer width="100%" height={actualChartHeight}>
             <BarChart
               data={chartData}
               layout="vertical"
-              barSize={18}
+              barSize={16}
               margin={{ top: 0, right: 40, bottom: 0, left: 0 }}
             >
               <XAxis type="number" hide />
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/BrowserAutomations.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/BrowserAutomations.tsx
index 752f94d5d..ecb7923a9 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/BrowserAutomations.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/BrowserAutomations.tsx
@@ -2,23 +2,25 @@
 
 import { useParams } from 'next/navigation';
 import { useCallback, useEffect, useState } from 'react';
+import type { BrowserAutomation } from '../hooks/types';
 import { useBrowserAutomations } from '../hooks/useBrowserAutomations';
 import { useBrowserContext } from '../hooks/useBrowserContext';
 import { useBrowserExecution } from '../hooks/useBrowserExecution';
-import type { BrowserAutomation } from '../hooks/types';
 import {
+  BrowserAutomationConfigDialog,
   BrowserAutomationsList,
   BrowserLiveView,
-  BrowserAutomationConfigDialog,
   EmptyWithContextState,
   NoContextState,
 } from './browser-automations';
 
 interface BrowserAutomationsProps {
   taskId: string;
+  /** When true, disables creating new automations (shows existing ones read-only) */
+  isManualTask?: boolean;
 }
 
-export function BrowserAutomations({ taskId }: BrowserAutomationsProps) {
+export function BrowserAutomations({ taskId, isManualTask = false }: BrowserAutomationsProps) {
   const { orgId } = useParams<{ orgId: string }>();
   const [dialogState, setDialogState] = useState<{
     open: boolean;
@@ -83,8 +85,13 @@ export function BrowserAutomations({ taskId }: BrowserAutomationsProps) {
     );
   }
 
-  // No context - show setup prompt
-  if (context.status === 'no-context' && automations.automations.length === 0) {
+  // For manual tasks with no existing automations, don't show empty states
+  if (isManualTask && automations.automations.length === 0) {
+    return null;
+  }
+
+  // No context - show setup prompt (only for non-manual tasks)
+  if (!isManualTask && context.status === 'no-context' && automations.automations.length === 0) {
     return (
       <NoContextState
         isStartingAuth={context.isStartingAuth}
@@ -96,8 +103,8 @@ export function BrowserAutomations({ taskId }: BrowserAutomationsProps) {
     );
   }
 
-  // Empty state with context
-  if (automations.automations.length === 0) {
+  // Empty state with context (only for non-manual tasks)
+  if (!isManualTask && automations.automations.length === 0) {
     return (
       <>
         <EmptyWithContextState
@@ -116,7 +123,7 @@ export function BrowserAutomations({ taskId }: BrowserAutomationsProps) {
     );
   }
 
-  // List of automations
+  // List of automations (disable creation for manual tasks, but allow editing)
   return (
     <>
       <BrowserAutomationsList
@@ -124,10 +131,8 @@ export function BrowserAutomations({ taskId }: BrowserAutomationsProps) {
         hasContext={context.status === 'has-context'}
         runningAutomationId={execution.runningAutomationId}
         onRun={execution.runAutomation}
-        onCreateClick={() => setDialogState({ open: true, mode: 'create' })}
-        onEditClick={(automation) =>
-          setDialogState({ open: true, mode: 'edit', automation })
-        }
+        onCreateClick={isManualTask ? undefined : () => setDialogState({ open: true, mode: 'create' })}
+        onEditClick={(automation) => setDialogState({ open: true, mode: 'edit', automation })}
       />
       <BrowserAutomationConfigDialog
         isOpen={dialogState.open}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/PropertySelector.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/PropertySelector.tsx
index ce2988cd8..4d1bfedb4 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/PropertySelector.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/PropertySelector.tsx
@@ -25,6 +25,8 @@ export interface PropertySelectorProps<T> {
   allowUnassign?: boolean; // Specific flag for assignee-like scenarios
   unassignValue?: string;
   unassignLabel?: string;
+  getSearchValue?: (option: T) => string; // Optional function to get searchable text for filtering
+  showCheck?: boolean; // Whether to show check icon (default: true)
 }
 
 export function PropertySelector<T>({
@@ -41,6 +43,8 @@ export function PropertySelector<T>({
   allowUnassign = false,
   unassignValue = 'unassigned',
   unassignLabel = 'Unassigned',
+  getSearchValue,
+  showCheck = true,
 }: PropertySelectorProps<T>) {
   const [popoverOpen, setPopoverOpen] = useState(false);
 
@@ -64,32 +68,42 @@ export function PropertySelector<T>({
                     onSelect(null); // Pass null for unassignment
                     setPopoverOpen(false);
                   }}
+                  className="flex items-center cursor-pointer transition-colors hover:bg-accent hover:text-accent-foreground"
                 >
-                  <Check
-                    className={cn(
-                      'mr-2 h-4 w-4',
-                      value === null || value === undefined ? 'opacity-100' : 'opacity-0',
-                    )}
-                  />
-                  <span className="text-muted-foreground">{unassignLabel}</span>
+                  {showCheck && (
+                    <Check
+                      className={cn(
+                        'mr-2 h-4 w-4 shrink-0',
+                        value === null || value === undefined ? 'opacity-100' : 'opacity-0',
+                      )}
+                    />
+                  )}
+                  <span className="text-muted-foreground flex-1">{unassignLabel}</span>
                 </CommandItem>
               )}
               {/* Dynamic Options */}
               {options.map((option) => {
                 const key = getKey(option);
+                // Use searchable value if provided, otherwise fall back to key
+                const searchValue = getSearchValue ? getSearchValue(option) : key;
                 return (
                   <CommandItem
                     key={key}
-                    value={key} // Primarily used for filtering/selection
-                    onSelect={(currentValue) => {
-                      onSelect(currentValue);
+                    value={searchValue} // Used for filtering/searching
+                    onSelect={() => {
+                      onSelect(key); // Always use the key for selection
                       setPopoverOpen(false);
                     }}
+                    className="flex items-center cursor-pointer transition-colors hover:bg-accent hover:text-accent-foreground"
                   >
-                    <Check
-                      className={cn('mr-2 h-4 w-4', value === key ? 'opacity-100' : 'opacity-0')}
-                    />
-                    {renderOption(option)}
+                    {showCheck && (
+                      <Check
+                        className={cn('mr-2 h-4 w-4 shrink-0', value === key ? 'opacity-100' : 'opacity-0')}
+                      />
+                    )}
+                    <div className={cn('flex-1 min-w-0 overflow-hidden', !showCheck && 'w-full')}>
+                      {renderOption(option)}
+                    </div>
                   </CommandItem>
                 );
               })}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
index d34cc1cbf..1cc888b99 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
@@ -1,6 +1,7 @@
 'use client';
 
 import { regenerateTaskAction } from '@/actions/tasks/regenerate-task-action';
+import { downloadTaskEvidenceZip } from '@/lib/evidence-download';
 import {
   Breadcrumb,
   BreadcrumbItem,
@@ -24,21 +25,25 @@ import {
   type Control,
   type Member,
   type Task,
+  type TaskStatus,
   type User,
 } from '@db';
-import { ChevronRight, RefreshCw, Trash2 } from 'lucide-react';
+import { ChevronRight, Download, RefreshCw, Trash2 } from 'lucide-react';
 import { useAction } from 'next-safe-action/hooks';
 import Link from 'next/link';
 import { useParams } from 'next/navigation';
 import { useState } from 'react';
 import { toast } from 'sonner';
+import { useActiveMember } from '@/utils/auth-client';
 import { Comments } from '../../../../../../components/comments/Comments';
-import { updateTask } from '../../actions/updateTask';
+import { apiClient } from '@/lib/api-client';
 import { useTask } from '../hooks/use-task';
 import { useTaskAutomations } from '../hooks/use-task-automations';
-import { useTaskIntegrationChecks } from '../hooks/use-task-integration-checks';
 import { BrowserAutomations } from './BrowserAutomations';
+import { FindingHistoryPanel } from './findings/FindingHistoryPanel';
+import { FindingsList } from './findings/FindingsList';
 import { TaskAutomations } from './TaskAutomations';
+import { TaskAutomationStatusBadge } from './TaskAutomationStatusBadge';
 import { TaskDeleteDialog } from './TaskDeleteDialog';
 import { TaskIntegrationChecks } from './TaskIntegrationChecks';
 import { TaskMainContent } from './TaskMainContent';
@@ -53,12 +58,14 @@ interface SingleTaskProps {
   initialMembers?: (Member & { user: User })[];
   initialAutomations: AutomationWithRuns[];
   isWebAutomationsEnabled: boolean;
+  isPlatformAdmin: boolean;
 }
 
 export function SingleTask({
   initialTask,
   initialAutomations,
   isWebAutomationsEnabled,
+  isPlatformAdmin,
 }: SingleTaskProps) {
   const params = useParams();
   const orgId = params.orgId as string;
@@ -74,10 +81,19 @@ export function SingleTask({
   const { automations } = useTaskAutomations({
     initialData: initialAutomations,
   });
-  const { hasMappedChecks } = useTaskIntegrationChecks();
+
+  // Get current member role information for findings permissions
+  const { data: activeMember } = useActiveMember();
+
+  // Parse member roles
+  const memberRoles = activeMember?.role?.split(',').map((r: string) => r.trim()) || [];
+  const isAuditor = memberRoles.includes('auditor');
+  const isAdminOrOwner = memberRoles.includes('admin') || memberRoles.includes('owner');
+  // isPlatformAdmin is passed from the server component (page.tsx)
 
   const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
   const [isRegenerateConfirmOpen, setRegenerateConfirmOpen] = useState(false);
+  const [selectedFindingIdForHistory, setSelectedFindingIdForHistory] = useState<string | null>(null);
 
   const regenerate = useAction(regenerateTaskAction, {
     onSuccess: () => {
@@ -91,32 +107,54 @@ export function SingleTask({
   const handleUpdateTask = async (
     data: Partial<Pick<Task, 'status' | 'assigneeId' | 'frequency' | 'department' | 'reviewDate'>>,
   ) => {
-    const updatePayload: Partial<
-      Pick<Task, 'status' | 'assigneeId' | 'frequency' | 'department' | 'reviewDate'>
-    > = {};
+    if (!task || !orgId) return;
 
-    if (!task) return;
+    const updatePayload: {
+      status?: TaskStatus;
+      assigneeId?: string | null;
+      frequency?: string | null;
+      department?: string | null;
+      reviewDate?: string | null;
+    } = {};
 
     if (data.status !== undefined) {
       updatePayload.status = data.status;
     }
     if (data.department !== undefined) {
-      updatePayload.department = data.department;
+      updatePayload.department = data.department ?? null;
     }
     if (data.assigneeId !== undefined) {
       updatePayload.assigneeId = data.assigneeId;
     }
     if (Object.prototype.hasOwnProperty.call(data, 'frequency')) {
-      updatePayload.frequency = data.frequency;
+      updatePayload.frequency = data.frequency ?? null;
     }
     if (data.reviewDate !== undefined) {
-      updatePayload.reviewDate = data.reviewDate;
+      updatePayload.reviewDate =
+        data.reviewDate instanceof Date
+          ? data.reviewDate.toISOString()
+          : data.reviewDate
+            ? String(data.reviewDate)
+            : null;
     }
+
     if (Object.keys(updatePayload).length > 0) {
-      const result = await updateTask({ id: task.id, ...updatePayload });
-      if (result.success) {
+      try {
+        const response = await apiClient.patch<Task>(
+          `/v1/tasks/${task.id}`,
+          updatePayload,
+          orgId,
+        );
+
+        if (response.error) {
+          throw new Error(response.error);
+        }
+
         // Refresh the task data from the server
         await mutateTask();
+      } catch (error) {
+        console.error('Failed to update task:', error);
+        toast.error(error instanceof Error ? error.message : 'Failed to update task');
       }
     }
   };
@@ -162,9 +200,12 @@ export function SingleTask({
           <div>
             <div className="flex items-start justify-between gap-4 mb-3">
               <div className="flex-1">
-                <h1 className="text-2xl font-semibold tracking-tight text-foreground mb-2">
-                  {task.title}
-                </h1>
+                <div className="flex items-center gap-2 mb-2">
+                  <h1 className="text-2xl font-semibold tracking-tight text-foreground">
+                    {task.title}
+                  </h1>
+                  <TaskAutomationStatusBadge status={task.automationStatus} />
+                </div>
                 {task.description && (
                   <p className="text-sm text-muted-foreground leading-relaxed">
                     {task.description}
@@ -172,6 +213,27 @@ export function SingleTask({
                 )}
               </div>
               <div className="flex items-center gap-1">
+                <Button
+                  variant="ghost"
+                  size="icon"
+                  onClick={async () => {
+                    try {
+                      await downloadTaskEvidenceZip({
+                        taskId: task.id,
+                        taskTitle: task.title,
+                        organizationId: orgId,
+                        includeJson: true,
+                      });
+                      toast.success('Task evidence downloaded');
+                    } catch (err) {
+                      toast.error('Failed to download evidence');
+                    }
+                  }}
+                  className="h-8 w-8 text-muted-foreground hover:text-foreground"
+                  title="Download task evidence"
+                >
+                  <Download className="h-4 w-4" />
+                </Button>
                 <Button
                   variant="ghost"
                   size="icon"
@@ -200,16 +262,35 @@ export function SingleTask({
           </div>
 
           {/* Integration Checks Section */}
-          <TaskIntegrationChecks taskId={task.id} onTaskUpdated={() => mutateTask()} />
+          <TaskIntegrationChecks
+            taskId={task.id}
+            onTaskUpdated={() => mutateTask()}
+            isManualTask={task.automationStatus === 'MANUAL'}
+          />
 
-          {/* Browser Automations Section */}
-          {isWebAutomationsEnabled && <BrowserAutomations taskId={task.id} />}
+          {/* Findings Section */}
+          <FindingsList
+            taskId={task.id}
+            isAuditor={isAuditor}
+            isPlatformAdmin={isPlatformAdmin}
+            isAdminOrOwner={isAdminOrOwner}
+            onViewHistory={setSelectedFindingIdForHistory}
+          />
 
-          {/* Custom Automations Section - always show if automations exist, or show empty state if no integration checks */}
-          {((automations && automations.length > 0) || !hasMappedChecks) && (
-            <TaskAutomations automations={automations || []} />
+          {/* Browser Automations Section */}
+          {isWebAutomationsEnabled && (
+            <BrowserAutomations
+              taskId={task.id}
+              isManualTask={task.automationStatus === 'MANUAL'}
+            />
           )}
 
+          {/* Custom Automations Section */}
+          <TaskAutomations
+            automations={automations || []}
+            isManualTask={task.automationStatus === 'MANUAL'}
+          />
+
           {/* Comments Section */}
           <div>
             <Comments
@@ -222,8 +303,16 @@ export function SingleTask({
 
         {/* Right Column - Properties */}
         <div className="lg:col-span-1">
-          <div className="pl-6 border-l border-border">
+          <div className="pl-6 border-l border-border space-y-6">
             <TaskPropertiesSidebar handleUpdateTask={handleUpdateTask} />
+
+            {/* Finding History Panel */}
+            {selectedFindingIdForHistory && (
+              <FindingHistoryPanel
+                findingId={selectedFindingIdForHistory}
+                onClose={() => setSelectedFindingIdForHistory(null)}
+              />
+            )}
           </div>
         </div>
       </div>
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomationStatusBadge.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomationStatusBadge.tsx
new file mode 100644
index 000000000..24aef034e
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomationStatusBadge.tsx
@@ -0,0 +1,62 @@
+'use client';
+
+import { Badge } from '@comp/ui/badge';
+import { cn } from '@comp/ui/cn';
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipProvider,
+  TooltipTrigger,
+} from '@comp/ui/tooltip';
+import type { TaskAutomationStatus } from '@db';
+
+interface TaskAutomationStatusBadgeProps {
+  status: TaskAutomationStatus;
+  className?: string;
+}
+
+export function TaskAutomationStatusBadge({ status, className }: TaskAutomationStatusBadgeProps) {
+  if (status === 'AUTOMATED') {
+    return (
+      <TooltipProvider>
+        <Tooltip>
+          <TooltipTrigger asChild>
+            <Badge
+              variant="outline"
+              className={cn(
+                'inline-flex items-center gap-1.5 border-primary/20 bg-primary/10 text-primary hover:bg-primary/15 cursor-help',
+                className,
+              )}
+            >
+              <span className="text-xs font-medium">Automated</span>
+            </Badge>
+          </TooltipTrigger>
+          <TooltipContent>
+            <p>This task can be automated</p>
+          </TooltipContent>
+        </Tooltip>
+      </TooltipProvider>
+    );
+  }
+
+  return (
+    <TooltipProvider>
+      <Tooltip>
+        <TooltipTrigger asChild>
+          <Badge
+            variant="outline"
+            className={cn(
+              'inline-flex items-center gap-1.5 border-muted-foreground/20 bg-muted text-muted-foreground hover:bg-muted/80 cursor-help',
+              className,
+            )}
+          >
+            <span className="text-xs font-medium">Manual</span>
+          </Badge>
+        </TooltipTrigger>
+        <TooltipContent>
+          <p>This task requires manual execution and cannot be automated</p>
+        </TooltipContent>
+      </Tooltip>
+    </TooltipProvider>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomations.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomations.tsx
index 59b9a2ef2..30cc0cf23 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomations.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomations.tsx
@@ -1,12 +1,23 @@
 'use client';
 
+import { downloadAutomationPDF } from '@/lib/evidence-download';
 import { cn } from '@/lib/utils';
 import { EvidenceAutomation, EvidenceAutomationRun } from '@db';
 import { formatDistanceToNow } from 'date-fns';
-import { ArrowRight, Brain, CheckCircle2, Loader2, Plus, TrendingUp, XCircle } from 'lucide-react';
+import {
+  ArrowRight,
+  Brain,
+  CheckCircle2,
+  Download,
+  Loader2,
+  Plus,
+  TrendingUp,
+  XCircle,
+} from 'lucide-react';
 import Link from 'next/link';
 import { useParams, useRouter } from 'next/navigation';
 import { useState } from 'react';
+import { toast } from 'sonner';
 import { useTaskAutomations } from '../hooks/use-task-automations';
 
 type AutomationWithLatestRun = EvidenceAutomation & {
@@ -15,20 +26,28 @@ type AutomationWithLatestRun = EvidenceAutomation & {
 
 interface TaskAutomationsProps {
   automations: AutomationWithLatestRun[];
+  /** When true, disables creating new automations (shows existing ones read-only) */
+  isManualTask?: boolean;
 }
 
-export const TaskAutomations = ({ automations }: TaskAutomationsProps) => {
+export const TaskAutomations = ({ automations, isManualTask = false }: TaskAutomationsProps) => {
   const { orgId, taskId } = useParams<{ orgId: string; taskId: string }>();
   const router = useRouter();
   const [isCreating, setIsCreating] = useState(false);
   const { mutate: mutateAutomations } = useTaskAutomations();
 
   const handleCreateAutomation = async () => {
+    if (isManualTask) return;
     // Redirect to automation builder with ephemeral mode
     // The automation will only be created once the user sends their first message
     router.push(`/${orgId}/tasks/${taskId}/automation/new`);
   };
 
+  // For manual tasks with no existing automations, don't show the section
+  if (isManualTask && automations.length === 0) {
+    return null;
+  }
+
   // If there are no automations, show a prominent empty state card
   if (automations.length === 0) {
     return (
@@ -40,7 +59,9 @@ export const TaskAutomations = ({ automations }: TaskAutomationsProps) => {
             </div>
             <div>
               <h3 className="text-sm font-semibold text-foreground">Custom Automations</h3>
-              <p className="text-xs text-muted-foreground">Build AI-powered automations for this task</p>
+              <p className="text-xs text-muted-foreground">
+                Build AI-powered automations for this task
+              </p>
             </div>
           </div>
         </div>
@@ -235,6 +256,30 @@ export const TaskAutomations = ({ automations }: TaskAutomationsProps) => {
                       )}
                     </div>
 
+                    {latestVersionRun && (
+                      <button
+                        onClick={async (e) => {
+                          e.preventDefault();
+                          e.stopPropagation();
+                          try {
+                            await downloadAutomationPDF({
+                              taskId,
+                              automationId: automation.id,
+                              automationName: automation.name,
+                              organizationId: orgId,
+                            });
+                            toast.success('Evidence PDF downloaded');
+                          } catch (err) {
+                            toast.error('Failed to download evidence');
+                          }
+                        }}
+                        className="p-1.5 rounded-md hover:bg-muted transition-colors shrink-0"
+                        title="Download evidence PDF"
+                      >
+                        <Download className="w-4 h-4 text-muted-foreground hover:text-foreground" />
+                      </button>
+                    )}
+
                     <ArrowRight className="w-4 h-4 shrink-0 text-muted-foreground group-hover:text-foreground transition-colors" />
                   </div>
                 </Link>
@@ -242,23 +287,25 @@ export const TaskAutomations = ({ automations }: TaskAutomationsProps) => {
             })}
           </div>
 
-          <button
-            onClick={handleCreateAutomation}
-            disabled={isCreating}
-            className="w-full flex items-center justify-center gap-2 py-2.5 rounded-lg border border-dashed border-border/60 hover:border-border hover:bg-muted/30 transition-all text-xs text-muted-foreground hover:text-foreground"
-          >
-            {isCreating ? (
-              <>
-                <Loader2 className="w-3.5 h-3.5 animate-spin" />
-                Creating...
-              </>
-            ) : (
-              <>
-                <Plus className="w-3.5 h-3.5" />
-                Create Another
-              </>
-            )}
-          </button>
+          {!isManualTask && (
+            <button
+              onClick={handleCreateAutomation}
+              disabled={isCreating}
+              className="w-full flex items-center justify-center gap-2 py-2.5 rounded-lg border border-dashed border-border/60 hover:border-border hover:bg-muted/30 transition-all text-xs text-muted-foreground hover:text-foreground"
+            >
+              {isCreating ? (
+                <>
+                  <Loader2 className="w-3.5 h-3.5 animate-spin" />
+                  Creating...
+                </>
+              ) : (
+                <>
+                  <Plus className="w-3.5 h-3.5" />
+                  Create Another
+                </>
+              )}
+            </button>
+          )}
         </div>
       </div>
     </div>
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskBody.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskBody.tsx
index 8c4dfe328..07c2f2beb 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskBody.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskBody.tsx
@@ -30,6 +30,12 @@ function getErrorMessage(errorMessage: string): string {
   return errorMessage || 'Failed to upload file. Please try again.';
 }
 
+function formatUploadMonthYear(dateString: string): string {
+  const date = new Date(dateString);
+  if (Number.isNaN(date.getTime())) return '';
+  return date.toLocaleDateString('en-US', { month: 'short', year: 'numeric' });
+}
+
 export function TaskBody({
   taskId,
   title,
@@ -323,6 +329,7 @@ export function TaskBody({
                   const isPDF = fileExt === 'pdf';
                   const isImage = ['jpg', 'jpeg', 'png', 'gif', 'webp'].includes(fileExt);
                   const isDoc = ['doc', 'docx'].includes(fileExt);
+                  const uploadMonthYear = formatUploadMonthYear(attachment.createdAt);
 
                   const getFileTypeStyles = () => {
                     if (isPDF)
@@ -363,6 +370,9 @@ export function TaskBody({
                       >
                         {attachment.name}
                       </Button>
+                      {uploadMonthYear && (
+                        <span className="text-xs text-muted-foreground">({uploadMonthYear})</span>
+                      )}
                       <Button
                         variant="ghost"
                         size="icon"
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskIntegrationChecks.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskIntegrationChecks.tsx
index eed05ca91..ff4bdad45 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskIntegrationChecks.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskIntegrationChecks.tsx
@@ -3,7 +3,9 @@
 import { ConnectIntegrationDialog } from '@/components/integrations/ConnectIntegrationDialog';
 import { ManageIntegrationDialog } from '@/components/integrations/ManageIntegrationDialog';
 import { api } from '@/lib/api-client';
+import { downloadAutomationPDF } from '@/lib/evidence-download';
 import { cn } from '@/lib/utils';
+import { useActiveOrganization } from '@/utils/auth-client';
 import { Badge } from '@comp/ui/badge';
 import { Button } from '@comp/ui/button';
 import { addDays, formatDistanceToNow, isBefore, setHours, setMinutes } from 'date-fns';
@@ -14,6 +16,7 @@ import {
   Bot,
   CheckCircle2,
   ChevronDown,
+  Download,
   ExternalLink,
   Loader2,
   Play,
@@ -22,7 +25,6 @@ import {
   TrendingUp,
   XCircle,
 } from 'lucide-react';
-import { useActiveOrganization } from '@/utils/auth-client';
 import Image from 'next/image';
 import Link from 'next/link';
 import { useParams, useRouter, useSearchParams } from 'next/navigation';
@@ -85,9 +87,15 @@ interface StoredCheckRun {
 interface TaskIntegrationChecksProps {
   taskId: string;
   onTaskUpdated?: () => void;
+  /** When true, disables creating new automations (shows existing ones read-only) */
+  isManualTask?: boolean;
 }
 
-export function TaskIntegrationChecks({ taskId, onTaskUpdated }: TaskIntegrationChecksProps) {
+export function TaskIntegrationChecks({
+  taskId,
+  onTaskUpdated,
+  isManualTask = false,
+}: TaskIntegrationChecksProps) {
   const params = useParams();
   const searchParams = useSearchParams();
   const orgId = params.orgId as string;
@@ -343,6 +351,7 @@ export function TaskIntegrationChecks({ taskId, onTaskUpdated }: TaskIntegration
             hasNoMappedChecks={true}
             orgId={orgId}
             taskId={taskId}
+            isManualTask={isManualTask}
           />
         ) : connectedChecks.length === 0 ? (
           <IntegrationEmptyState
@@ -350,6 +359,7 @@ export function TaskIntegrationChecks({ taskId, onTaskUpdated }: TaskIntegration
             hasNoMappedChecks={false}
             orgId={orgId}
             taskId={taskId}
+            isManualTask={isManualTask}
           />
         ) : (
           <div className="space-y-5">
@@ -569,6 +579,30 @@ export function TaskIntegrationChecks({ taskId, onTaskUpdated }: TaskIntegration
                               )}
                               <span className="ml-1.5 text-xs">Run</span>
                             </Button>
+                            {checkRuns.length > 0 && (
+                              <Button
+                                size="sm"
+                                variant="ghost"
+                                className="h-8 w-8 p-0"
+                                title="Download evidence PDF"
+                                onClick={async (e) => {
+                                  e.stopPropagation();
+                                  try {
+                                    await downloadAutomationPDF({
+                                      taskId,
+                                      automationId: check.checkId,
+                                      automationName: check.checkName,
+                                      organizationId: orgId,
+                                    });
+                                    toast.success('Evidence PDF downloaded');
+                                  } catch (err) {
+                                    toast.error('Failed to download evidence');
+                                  }
+                                }}
+                              >
+                                <Download className="h-4 w-4" />
+                              </Button>
+                            )}
                             <Button
                               size="sm"
                               variant="ghost"
@@ -991,11 +1025,13 @@ function IntegrationEmptyState({
   hasNoMappedChecks,
   orgId,
   taskId,
+  isManualTask = false,
 }: {
   disconnectedChecks: TaskIntegrationCheck[];
   hasNoMappedChecks: boolean;
   orgId: string;
   taskId?: string;
+  isManualTask?: boolean;
 }) {
   const params = useParams();
   const router = useRouter();
@@ -1072,9 +1108,21 @@ function IntegrationEmptyState({
   };
 
   const handleAutomationClick = () => {
+    if (isManualTask) return;
     router.push(`/${orgId}/tasks/${currentTaskId}/automation/new`);
   };
 
+  // For manual tasks, show a simple message instead of automation prompts
+  if (isManualTask) {
+    return (
+      <div className="py-6 px-6 text-center border-t border-border/40">
+        <p className="text-muted-foreground text-sm">
+          This task requires manual execution and cannot be automated.
+        </p>
+      </div>
+    );
+  }
+
   // If no mapped checks, show simple automation CTA
   if (hasNoMappedChecks) {
     return (
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskPropertiesSidebar.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskPropertiesSidebar.tsx
index da06eb905..46a983ef9 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskPropertiesSidebar.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskPropertiesSidebar.tsx
@@ -59,7 +59,7 @@ export function TaskPropertiesSidebar({ handleUpdateTask }: TaskPropertiesSideba
             trigger={
               <Button
                 variant="ghost"
-                className="hover:bg-muted data-[state=open]:bg-muted flex h-auto w-auto items-center gap-2 px-2 py-0.5 font-medium capitalize"
+                className="hover:bg-muted data-[state=open]:bg-muted flex h-auto w-auto items-center gap-2 px-2 py-0.5 font-medium capitalize transition-colors cursor-pointer"
               >
                 <TaskStatusIndicator status={task.status} />
                 {task.status.replace('_', ' ')}
@@ -78,15 +78,18 @@ export function TaskPropertiesSidebar({ handleUpdateTask }: TaskPropertiesSideba
             value={task.assigneeId}
             options={members ?? []}
             getKey={(member) => member.id}
+            getSearchValue={(member) => `${member.user?.name || ''} ${member.user?.email || ''}`.trim() || member.id}
             renderOption={(member) => (
-              <div className="flex items-center gap-2">
-                <Avatar className="h-5 w-5">
+              <div className="flex items-center gap-2 w-full">
+                <Avatar className="h-5 w-5 shrink-0">
                   {member.user?.image && (
-                    <AvatarImage src={member.user.image} alt={member.user.name ?? ''} />
+                    <AvatarImage src={member.user.image} alt={member.user.name ?? member.user.email ?? ''} />
                   )}
-                  <AvatarFallback>{member.user?.name?.charAt(0) ?? '?'}</AvatarFallback>
+                  <AvatarFallback>
+                    {member.user?.name?.charAt(0) ?? member.user?.email?.charAt(0)?.toUpperCase() ?? '?'}
+                  </AvatarFallback>
                 </Avatar>
-                <span>{member.user.name}</span>
+                <span className="truncate">{member.user.name || member.user.email}</span>
               </div>
             )}
             onSelect={(selectedAssigneeId) => {
@@ -97,7 +100,7 @@ export function TaskPropertiesSidebar({ handleUpdateTask }: TaskPropertiesSideba
             trigger={
               <Button
                 variant="ghost"
-                className="hover:bg-muted data-[state=open]:bg-muted flex h-auto w-auto items-center justify-end gap-1.5 px-2 py-0.5"
+                className="hover:bg-muted data-[state=open]:bg-muted flex h-auto w-auto items-center justify-end gap-1.5 px-2 py-0.5 transition-colors cursor-pointer"
                 disabled={members?.length === 0}
               >
                 {assignedMember ? (
@@ -106,14 +109,14 @@ export function TaskPropertiesSidebar({ handleUpdateTask }: TaskPropertiesSideba
                       {assignedMember.user?.image && (
                         <AvatarImage
                           src={assignedMember.user.image}
-                          alt={assignedMember.user.name ?? ''}
+                          alt={assignedMember.user.name ?? assignedMember.user.email ?? ''}
                         />
                       )}
                       <AvatarFallback className="text-[10px]">
-                        {assignedMember.user?.name?.charAt(0) ?? '?'}
+                        {assignedMember.user?.name?.charAt(0) ?? assignedMember.user?.email?.charAt(0)?.toUpperCase() ?? '?'}
                       </AvatarFallback>
                     </Avatar>
-                    <span className="font-medium">{assignedMember.user.name}</span>
+                    <span className="font-medium">{assignedMember.user.name || assignedMember.user.email}</span>
                   </>
                 ) : (
                   <span className="font-medium">Unassigned</span>
@@ -122,9 +125,10 @@ export function TaskPropertiesSidebar({ handleUpdateTask }: TaskPropertiesSideba
             }
             searchPlaceholder="Change assignee..."
             emptyText="No member found."
-            contentWidth="w-56"
+            contentWidth="w-64"
             disabled={members?.length === 0}
             allowUnassign={true} // Enable unassign option
+            showCheck={false} // Hide check icon for assignee selector
           />
         </div>
 
@@ -145,7 +149,7 @@ export function TaskPropertiesSidebar({ handleUpdateTask }: TaskPropertiesSideba
             trigger={
               <Button
                 variant="ghost"
-                className="hover:bg-muted data-[state=open]:bg-muted h-auto w-auto px-2 py-0.5 font-medium capitalize"
+                className="hover:bg-muted data-[state=open]:bg-muted h-auto w-auto px-2 py-0.5 font-medium capitalize transition-colors cursor-pointer"
               >
                 {task.frequency ? task.frequency.replace('_', ' ') : 'None'}
               </Button>
@@ -194,21 +198,20 @@ export function TaskPropertiesSidebar({ handleUpdateTask }: TaskPropertiesSideba
             trigger={
               <Button
                 variant="ghost"
-                // Adjust class slightly to handle text vs badge alignment if needed
-                className="flex h-auto w-auto items-center justify-end p-0 px-1 hover:bg-transparent data-[state=open]:bg-transparent"
+                className="flex h-auto w-auto items-center justify-end gap-1.5 px-2 py-0.5 hover:bg-muted data-[state=open]:bg-muted transition-colors cursor-pointer"
               >
                 {(() => {
                   const currentDept = task.department ?? 'none';
                   if (currentDept === 'none') {
                     // Render 'None' as plain text for the trigger
-                    return <span className="px-1 font-medium">None</span>;
+                    return <span className="font-medium">None</span>;
                   }
                   // Render other departments as colored badges
                   const mainColor = DEPARTMENT_COLORS[currentDept] ?? DEPARTMENT_COLORS.none; // Fallback
                   const lightBgColor = `${mainColor}1A`; // Add opacity
                   return (
                     <Badge
-                      className="border-l-2 px-1.5 py-0.5 text-xs font-normal uppercase hover:opacity-80"
+                      className="border-l-2 px-1.5 py-0 text-xs font-normal uppercase"
                       style={{
                         backgroundColor: lightBgColor,
                         color: mainColor,
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/browser-automations/BrowserAutomationsList.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/browser-automations/BrowserAutomationsList.tsx
index 67ef12508..86198188d 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/browser-automations/BrowserAutomationsList.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/browser-automations/BrowserAutomationsList.tsx
@@ -29,7 +29,8 @@ interface BrowserAutomationsListProps {
   hasContext: boolean;
   runningAutomationId: string | null;
   onRun: (automationId: string) => void;
-  onCreateClick: () => void;
+  /** When undefined, the create button is hidden (e.g., for manual tasks) */
+  onCreateClick?: () => void;
   onEditClick: (automation: BrowserAutomation) => void;
 }
 
@@ -100,13 +101,15 @@ export function BrowserAutomationsList({
           ))}
         </div>
 
-        <button
-          onClick={onCreateClick}
-          className="w-full flex items-center justify-center gap-2 py-2.5 mt-3 rounded-lg border border-dashed border-border/60 hover:border-border hover:bg-muted/30 transition-all text-xs text-muted-foreground hover:text-foreground"
-        >
-          <Plus className="w-3.5 h-3.5" />
-          Create Another
-        </button>
+        {onCreateClick && (
+          <button
+            onClick={onCreateClick}
+            className="w-full flex items-center justify-center gap-2 py-2.5 mt-3 rounded-lg border border-dashed border-border/60 hover:border-border hover:bg-muted/30 transition-all text-xs text-muted-foreground hover:text-foreground"
+          >
+            <Plus className="w-3.5 h-3.5" />
+            Create Another
+          </button>
+        )}
       </div>
     </div>
   );
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/CreateFindingButton.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/CreateFindingButton.tsx
new file mode 100644
index 000000000..8dd538b7a
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/CreateFindingButton.tsx
@@ -0,0 +1,29 @@
+'use client';
+
+import { Button } from '@trycompai/design-system';
+import { Plus } from 'lucide-react';
+import { useState } from 'react';
+import { CreateFindingSheet } from './CreateFindingSheet';
+
+interface CreateFindingButtonProps {
+  taskId: string;
+  onSuccess?: () => void;
+}
+
+export function CreateFindingButton({ taskId, onSuccess }: CreateFindingButtonProps) {
+  const [open, setOpen] = useState(false);
+
+  return (
+    <>
+      <Button variant="default" size="icon-sm" onClick={() => setOpen(true)} title="Create Finding">
+        <Plus className="h-4 w-4 text-white" strokeWidth={2.5} />
+      </Button>
+      <CreateFindingSheet
+        taskId={taskId}
+        open={open}
+        onOpenChange={setOpen}
+        onSuccess={onSuccess}
+      />
+    </>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/CreateFindingSheet.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/CreateFindingSheet.tsx
new file mode 100644
index 000000000..10ead5087
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/CreateFindingSheet.tsx
@@ -0,0 +1,266 @@
+'use client';
+
+import {
+  useFindingActions,
+  useFindingTemplates,
+  FINDING_CATEGORY_LABELS,
+  FINDING_TYPE_LABELS,
+  DEFAULT_FINDING_TEMPLATES,
+  type FindingTemplate,
+} from '@/hooks/use-findings-api';
+import { Form, FormControl, FormField, FormItem, FormLabel, FormMessage } from '@comp/ui/form';
+import { useMediaQuery } from '@comp/ui/hooks';
+import { FindingType } from '@db';
+import { zodResolver } from '@hookform/resolvers/zod';
+import {
+  Button,
+  Drawer,
+  DrawerContent,
+  DrawerHeader,
+  DrawerTitle,
+  Select,
+  SelectContent,
+  SelectGroup,
+  SelectItem,
+  SelectLabel,
+  SelectTrigger,
+  Sheet,
+  SheetBody,
+  SheetContent,
+  SheetHeader,
+  SheetTitle,
+  Textarea,
+} from '@trycompai/design-system';
+import { ArrowRight } from '@trycompai/design-system/icons';
+import { useCallback, useEffect, useMemo, useState } from 'react';
+import { useForm } from 'react-hook-form';
+import { toast } from 'sonner';
+import { z } from 'zod';
+
+const createFindingSchema = z.object({
+  type: z.nativeEnum(FindingType),
+  templateId: z.string().nullable().optional(),
+  content: z.string().min(1, {
+    message: 'Finding content is required',
+  }),
+});
+
+interface CreateFindingSheetProps {
+  taskId: string;
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  onSuccess?: () => void;
+}
+
+export function CreateFindingSheet({
+  taskId,
+  open,
+  onOpenChange,
+  onSuccess,
+}: CreateFindingSheetProps) {
+  const isDesktop = useMediaQuery('(min-width: 768px)');
+  const [isSubmitting, setIsSubmitting] = useState(false);
+
+  const { data: templatesData } = useFindingTemplates();
+  const { createFinding } = useFindingActions();
+
+  const form = useForm<z.infer<typeof createFindingSchema>>({
+    resolver: zodResolver(createFindingSchema),
+    defaultValues: {
+      type: FindingType.soc2,
+      templateId: null,
+      content: '',
+    },
+  });
+
+  // Watch for template selection
+  const selectedTemplateId = form.watch('templateId');
+
+  // Get templates array from the API response, fall back to defaults if empty
+  const apiTemplates: FindingTemplate[] = templatesData?.data || [];
+  const templates: FindingTemplate[] = apiTemplates.length > 0 ? apiTemplates : DEFAULT_FINDING_TEMPLATES;
+
+  // Find the selected template
+  const selectedTemplate = useMemo(() => {
+    if (!selectedTemplateId || templates.length === 0) return null;
+    return templates.find((t) => t.id === selectedTemplateId);
+  }, [selectedTemplateId, templates]);
+
+  // Auto-fill content when template is selected
+  useEffect(() => {
+    if (selectedTemplate) {
+      form.setValue('content', selectedTemplate.content);
+    }
+  }, [selectedTemplate, form]);
+
+  const onSubmit = useCallback(
+    async (data: z.infer<typeof createFindingSchema>) => {
+      setIsSubmitting(true);
+      try {
+        // Don't save templateId for built-in default templates (they don't exist in DB)
+        const templateId = data.templateId?.startsWith('default_') ? undefined : data.templateId;
+        
+        await createFinding({
+          taskId,
+          type: data.type,
+          templateId: templateId || undefined,
+          content: data.content,
+        });
+        toast.success('Finding created successfully');
+        onOpenChange(false);
+        form.reset();
+        onSuccess?.();
+      } catch (error) {
+        toast.error(error instanceof Error ? error.message : 'Failed to create finding');
+      } finally {
+        setIsSubmitting(false);
+      }
+    },
+    [createFinding, taskId, onOpenChange, form, onSuccess],
+  );
+
+  const handleTemplateChange = useCallback(
+    (value: string | null, onChange: (value: string | null) => void) => {
+      if (!value || value === 'none') {
+        onChange(null);
+        form.setValue('content', '');
+      } else {
+        onChange(value);
+      }
+    },
+    [form],
+  );
+
+  // Group templates by category for the selector
+  const groupedTemplates = useMemo((): Record<string, FindingTemplate[]> => {
+    return templates.reduce<Record<string, FindingTemplate[]>>(
+      (acc, template) => {
+        if (!acc[template.category]) {
+          acc[template.category] = [];
+        }
+        acc[template.category].push(template);
+        return acc;
+      },
+      {},
+    );
+  }, [templates]);
+
+  const findingForm = (
+    <Form {...form}>
+      <form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4 w-full max-w-none">
+        <FormField
+          control={form.control}
+          name="type"
+          render={({ field }) => (
+            <FormItem className="w-full">
+              <FormLabel>Finding Type</FormLabel>
+              <Select value={field.value} onValueChange={field.onChange}>
+                <SelectTrigger>
+                  {FINDING_TYPE_LABELS[field.value as FindingType]}
+                </SelectTrigger>
+                <SelectContent>
+                  {Object.entries(FINDING_TYPE_LABELS).map(([value, label]) => (
+                    <SelectItem key={value} value={value}>
+                      {label}
+                    </SelectItem>
+                  ))}
+                </SelectContent>
+              </Select>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+
+        <FormField
+          control={form.control}
+          name="templateId"
+          render={({ field }) => {
+            const selectedTpl = selectedTemplate;
+            return (
+              <FormItem className="w-full">
+                <FormLabel>Finding Template (Optional)</FormLabel>
+                <Select
+                  value={field.value || 'none'}
+                  onValueChange={(value) => handleTemplateChange(value, field.onChange)}
+                >
+                  <SelectTrigger>
+                    {selectedTpl ? selectedTpl.title : 'Select a template...'}
+                  </SelectTrigger>
+                  <SelectContent>
+                    <SelectItem value="none">No template - Custom finding</SelectItem>
+                    {Object.entries(groupedTemplates).map(([category, templates]) => (
+                      <SelectGroup key={category}>
+                        <SelectLabel>
+                          {FINDING_CATEGORY_LABELS[category] || category}
+                        </SelectLabel>
+                        {(templates as FindingTemplate[]).map((template) => (
+                          <SelectItem key={template.id} value={template.id}>
+                            {template.title}
+                          </SelectItem>
+                        ))}
+                      </SelectGroup>
+                    ))}
+                  </SelectContent>
+                </Select>
+                <FormMessage />
+              </FormItem>
+            );
+          }}
+        />
+
+        <FormField
+          control={form.control}
+          name="content"
+          render={({ field }) => (
+            <FormItem className="w-full">
+              <FormLabel>Finding Details</FormLabel>
+              <FormControl>
+                <Textarea
+                  {...field}
+                  placeholder="Describe the finding in detail..."
+                  rows={6}
+                />
+              </FormControl>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+
+        <div className="flex justify-end pt-4">
+          <Button
+            type="submit"
+            disabled={isSubmitting}
+            loading={isSubmitting}
+            iconRight={<ArrowRight size={16} />}
+          >
+            Create Finding
+          </Button>
+        </div>
+      </form>
+    </Form>
+  );
+
+  if (isDesktop) {
+    return (
+      <Sheet open={open} onOpenChange={onOpenChange}>
+        <SheetContent>
+          <SheetHeader>
+            <SheetTitle>Create Finding</SheetTitle>
+          </SheetHeader>
+          <SheetBody>{findingForm}</SheetBody>
+        </SheetContent>
+      </Sheet>
+    );
+  }
+
+  return (
+    <Drawer open={open} onOpenChange={onOpenChange}>
+      <DrawerContent>
+        <DrawerHeader>
+          <DrawerTitle>Create Finding</DrawerTitle>
+        </DrawerHeader>
+        <div className="p-4">{findingForm}</div>
+      </DrawerContent>
+    </Drawer>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingHistoryPanel.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingHistoryPanel.tsx
new file mode 100644
index 000000000..5d341d4f6
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingHistoryPanel.tsx
@@ -0,0 +1,108 @@
+'use client';
+
+import { useFindingHistory, type FindingHistoryEntry } from '@/hooks/use-findings-api';
+import { Avatar, AvatarFallback, AvatarImage } from '@comp/ui/avatar';
+import { Button } from '@comp/ui/button';
+import { ScrollArea } from '@comp/ui/scroll-area';
+import { formatDistanceToNow } from 'date-fns';
+import { History, Loader2, X } from 'lucide-react';
+
+interface FindingHistoryPanelProps {
+  findingId: string;
+  onClose: () => void;
+}
+
+const ACTION_ICONS: Record<string, string> = {
+  created: '➕',
+  status_changed: '🔄',
+  type_changed: '🏷️',
+  content_updated: '✏️',
+  deleted: '🗑️',
+};
+
+export function FindingHistoryPanel({ findingId, onClose }: FindingHistoryPanelProps) {
+  const { data, isLoading, error } = useFindingHistory(findingId);
+  const history = data?.data || [];
+
+  return (
+    <div className="rounded-lg border border-border bg-card overflow-hidden">
+      <div className="px-4 py-3 border-b border-border flex items-center justify-between">
+        <div className="flex items-center gap-2">
+          <History className="h-4 w-4 text-muted-foreground" />
+          <h3 className="text-sm font-semibold">Finding History</h3>
+        </div>
+        <Button variant="ghost" size="icon" className="h-7 w-7" onClick={onClose}>
+          <X className="h-4 w-4" />
+        </Button>
+      </div>
+
+      <div className="p-4">
+        {isLoading ? (
+          <div className="flex items-center justify-center py-6">
+            <Loader2 className="h-5 w-5 animate-spin text-muted-foreground" />
+          </div>
+        ) : error ? (
+          <div className="text-center py-6 text-sm text-destructive">Failed to load history</div>
+        ) : history.length === 0 ? (
+          <div className="text-center py-6 text-sm text-muted-foreground">No history available</div>
+        ) : (
+          <ScrollArea className="h-[300px]">
+            <div className="space-y-3 pr-2">
+              {history.map((entry: FindingHistoryEntry, index: number) => (
+                <HistoryEntry key={entry.id} entry={entry} isLast={index === history.length - 1} />
+              ))}
+            </div>
+          </ScrollArea>
+        )}
+      </div>
+    </div>
+  );
+}
+
+function HistoryEntry({ entry, isLast }: { entry: FindingHistoryEntry; isLast: boolean }) {
+  const initials =
+    entry.user?.name
+      ?.split(' ')
+      .map((n) => n[0])
+      .join('')
+      .toUpperCase()
+      .slice(0, 2) || '??';
+
+  const actionIcon = ACTION_ICONS[entry.data.action] || '📝';
+
+  return (
+    <div className="relative">
+      {/* Timeline connector */}
+      {!isLast && <div className="absolute left-3 top-8 bottom-0 w-px bg-border" />}
+
+      <div className="flex gap-2.5">
+        <Avatar className="h-6 w-6 shrink-0 ring-2 ring-background">
+          <AvatarImage src={entry.user?.image || undefined} alt={entry.user?.name} />
+          <AvatarFallback className="text-[10px]">{initials}</AvatarFallback>
+        </Avatar>
+
+        <div className="flex-1 min-w-0 pb-3">
+          <div className="flex items-center gap-1.5 flex-wrap">
+            <span className="font-medium text-xs">{entry.user?.name || 'Unknown'}</span>
+            <span className="text-[10px] text-muted-foreground">
+              {formatDistanceToNow(new Date(entry.timestamp), { addSuffix: true })}
+            </span>
+          </div>
+
+          <div className="mt-0.5 flex items-start gap-1.5">
+            <span className="text-xs">{actionIcon}</span>
+            <p className="text-xs text-foreground/80">{entry.description}</p>
+          </div>
+
+          {/* Show additional details for content updates */}
+          {entry.data.action === 'content_updated' && entry.data.newContent && (
+            <div className="mt-1.5 p-1.5 rounded bg-muted/50 text-[10px] text-muted-foreground">
+              <p className="font-medium mb-0.5">New content:</p>
+              <p className="line-clamp-2">{entry.data.newContent}</p>
+            </div>
+          )}
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingHistorySheet.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingHistorySheet.tsx
new file mode 100644
index 000000000..5f30c7495
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingHistorySheet.tsx
@@ -0,0 +1,137 @@
+'use client';
+
+import { useFindingHistory, type FindingHistoryEntry } from '@/hooks/use-findings-api';
+import { Avatar, AvatarFallback, AvatarImage } from '@comp/ui/avatar';
+import { ScrollArea } from '@comp/ui/scroll-area';
+import {
+  Sheet,
+  SheetContent,
+  SheetDescription,
+  SheetHeader,
+  SheetTitle,
+} from '@comp/ui/sheet';
+import { formatDistanceToNow } from 'date-fns';
+import { History, Loader2 } from 'lucide-react';
+
+interface FindingHistorySheetProps {
+  findingId: string;
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+}
+
+const ACTION_ICONS: Record<string, string> = {
+  created: '➕',
+  status_changed: '🔄',
+  type_changed: '🏷️',
+  content_updated: '✏️',
+  deleted: '🗑️',
+};
+
+export function FindingHistorySheet({
+  findingId,
+  open,
+  onOpenChange,
+}: FindingHistorySheetProps) {
+  const { data, isLoading, error } = useFindingHistory(open ? findingId : null);
+  const history = data?.data || [];
+
+  return (
+    <Sheet open={open} onOpenChange={onOpenChange}>
+      <SheetContent className="sm:max-w-md">
+        <SheetHeader>
+          <SheetTitle className="flex items-center gap-2">
+            <History className="h-4 w-4" />
+            Finding History
+          </SheetTitle>
+          <SheetDescription>
+            Activity log for this finding
+          </SheetDescription>
+        </SheetHeader>
+
+        <div className="mt-6">
+          {isLoading ? (
+            <div className="flex items-center justify-center py-8">
+              <Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
+            </div>
+          ) : error ? (
+            <div className="text-center py-8 text-destructive">
+              Failed to load history
+            </div>
+          ) : history.length === 0 ? (
+            <div className="text-center py-8 text-muted-foreground">
+              No history available
+            </div>
+          ) : (
+            <ScrollArea className="h-[calc(100vh-200px)]">
+              <div className="space-y-4 pr-4">
+                {history.map((entry: FindingHistoryEntry, index: number) => (
+                  <HistoryEntry 
+                    key={entry.id} 
+                    entry={entry} 
+                    isLast={index === history.length - 1}
+                  />
+                ))}
+              </div>
+            </ScrollArea>
+          )}
+        </div>
+      </SheetContent>
+    </Sheet>
+  );
+}
+
+function HistoryEntry({ 
+  entry, 
+  isLast 
+}: { 
+  entry: FindingHistoryEntry; 
+  isLast: boolean;
+}) {
+  const initials =
+    entry.user?.name
+      ?.split(' ')
+      .map((n) => n[0])
+      .join('')
+      .toUpperCase()
+      .slice(0, 2) || '??';
+
+  const actionIcon = ACTION_ICONS[entry.data.action] || '📝';
+
+  return (
+    <div className="relative">
+      {/* Timeline connector */}
+      {!isLast && (
+        <div className="absolute left-4 top-10 bottom-0 w-px bg-border" />
+      )}
+
+      <div className="flex gap-3">
+        <Avatar className="h-8 w-8 shrink-0 ring-2 ring-background">
+          <AvatarImage src={entry.user?.image || undefined} alt={entry.user?.name} />
+          <AvatarFallback className="text-xs">{initials}</AvatarFallback>
+        </Avatar>
+
+        <div className="flex-1 min-w-0 pb-4">
+          <div className="flex items-center gap-2 flex-wrap">
+            <span className="font-medium text-sm">{entry.user?.name || 'Unknown'}</span>
+            <span className="text-xs text-muted-foreground">
+              {formatDistanceToNow(new Date(entry.timestamp), { addSuffix: true })}
+            </span>
+          </div>
+
+          <div className="mt-1 flex items-start gap-2">
+            <span className="text-sm">{actionIcon}</span>
+            <p className="text-sm text-foreground/80">{entry.description}</p>
+          </div>
+
+          {/* Show additional details for certain actions */}
+          {entry.data.action === 'content_updated' && entry.data.newContent && (
+            <div className="mt-2 p-2 rounded bg-muted/50 text-xs text-muted-foreground">
+              <p className="font-medium mb-1">New content:</p>
+              <p className="line-clamp-3">{entry.data.newContent}</p>
+            </div>
+          )}
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingItem.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingItem.tsx
new file mode 100644
index 000000000..21003576d
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingItem.tsx
@@ -0,0 +1,219 @@
+'use client';
+
+import type { Finding } from '@/hooks/use-findings-api';
+import { FINDING_TYPE_LABELS } from '@/hooks/use-findings-api';
+import { cn } from '@/lib/utils';
+import { Avatar, AvatarFallback, AvatarImage } from '@comp/ui/avatar';
+import { Badge } from '@comp/ui/badge';
+import { Button } from '@comp/ui/button';
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuSeparator,
+  DropdownMenuTrigger,
+} from '@comp/ui/dropdown-menu';
+import { FindingStatus, FindingType } from '@db';
+import { formatDistanceToNow } from 'date-fns';
+import { ChevronDown, MoreVertical, Trash2 } from 'lucide-react';
+import { useState } from 'react';
+import { FindingHistorySheet } from './FindingHistorySheet';
+import { FindingStatusBadge } from './FindingStatusBadge';
+
+interface FindingItemProps {
+  finding: Finding;
+  isExpanded: boolean;
+  canChangeStatus: boolean;
+  canSetRestrictedStatus: boolean;
+  isAuditor: boolean;
+  isPlatformAdmin: boolean;
+  onToggleExpand: () => void;
+  onStatusChange: (status: FindingStatus) => void;
+  onDelete: () => void;
+  onViewHistory?: () => void;
+}
+
+export function FindingItem({
+  finding,
+  isExpanded,
+  canChangeStatus,
+  canSetRestrictedStatus,
+  isAuditor,
+  isPlatformAdmin,
+  onToggleExpand,
+  onStatusChange,
+  onDelete,
+  onViewHistory,
+}: FindingItemProps) {
+  // Only use local state for sheet if onViewHistory is not provided
+  const [historyOpen, setHistoryOpen] = useState(false);
+
+  const handleViewHistory = () => {
+    if (onViewHistory) {
+      onViewHistory();
+    } else {
+      setHistoryOpen(true);
+    }
+  };
+
+  const author = finding.createdBy?.user;
+  const initials =
+    author?.name
+      ?.split(' ')
+      .map((n) => n[0])
+      .join('')
+      .toUpperCase()
+      .slice(0, 2) || '??';
+
+  // Status options based on permissions
+  // - Platform admins can set any status (full control)
+  // - Auditors can set: open, needs_revision, closed
+  // - Non-auditor admins/owners can set: open, ready_for_review
+  const getStatusOptions = () => {
+    // Platform admins bypass all restrictions
+    const canSetReadyForReview = isPlatformAdmin || !isAuditor;
+    const showReadyForReviewHint = !canSetReadyForReview;
+
+    const options: { value: FindingStatus; label: string; disabled: boolean; hint?: string }[] = [
+      { value: FindingStatus.open, label: 'Open', disabled: false },
+      {
+        value: FindingStatus.ready_for_review,
+        label: 'Ready for Review',
+        disabled: !canSetReadyForReview,
+        hint: showReadyForReviewHint ? 'Client only' : undefined,
+      },
+      {
+        value: FindingStatus.needs_revision,
+        label: 'Needs Revision',
+        disabled: !canSetRestrictedStatus,
+        hint: !canSetRestrictedStatus ? 'Auditor only' : undefined,
+      },
+      {
+        value: FindingStatus.closed,
+        label: 'Closed',
+        disabled: !canSetRestrictedStatus,
+        hint: !canSetRestrictedStatus ? 'Auditor only' : undefined,
+      },
+    ];
+    return options;
+  };
+
+  return (
+    <div
+      className={cn(
+        'rounded-lg border transition-all duration-300',
+        isExpanded
+          ? 'border-primary/30 shadow-sm bg-primary/2'
+          : 'border-border/50 hover:border-border hover:shadow-sm',
+      )}
+    >
+      <div className="flex items-start gap-3 px-4 py-3">
+        <Avatar className="h-8 w-8 shrink-0">
+          <AvatarImage src={author?.image || undefined} alt={author?.name} />
+          <AvatarFallback className="text-xs">{initials}</AvatarFallback>
+        </Avatar>
+
+        <div className="flex-1 min-w-0">
+          <div className="flex items-center gap-2 flex-wrap">
+            <span className="font-medium text-sm text-foreground">{author?.name}</span>
+            <Badge variant="outline" className="text-xs">
+              {FINDING_TYPE_LABELS[finding.type as FindingType]}
+            </Badge>
+            <FindingStatusBadge status={finding.status as FindingStatus} />
+          </div>
+          <p className="text-xs text-muted-foreground mt-0.5">
+            {formatDistanceToNow(new Date(finding.createdAt), { addSuffix: true })}
+            {finding.template && (
+              <span className="ml-1">
+                · Template: <span className="text-foreground/70">{finding.template.title}</span>
+              </span>
+            )}
+          </p>
+          <p className="text-sm text-foreground/90 mt-2 line-clamp-2">{finding.content}</p>
+        </div>
+
+        <div className="flex items-center gap-1 shrink-0">
+          {canChangeStatus && (
+            <DropdownMenu>
+              <DropdownMenuTrigger asChild>
+                <Button variant="ghost" size="sm" className="h-8">
+                  Status
+                  <ChevronDown className="ml-1 h-3 w-3" />
+                </Button>
+              </DropdownMenuTrigger>
+              <DropdownMenuContent align="end">
+                {getStatusOptions().map((option) => (
+                  <DropdownMenuItem
+                    key={option.value}
+                    disabled={option.disabled || finding.status === option.value}
+                    onClick={() => onStatusChange(option.value)}
+                    className={cn(
+                      finding.status === option.value && 'bg-accent',
+                      option.disabled && 'opacity-50 cursor-not-allowed',
+                    )}
+                  >
+                    {option.label}
+                    {option.hint && (
+                      <span className="ml-2 text-xs text-muted-foreground">({option.hint})</span>
+                    )}
+                  </DropdownMenuItem>
+                ))}
+              </DropdownMenuContent>
+            </DropdownMenu>
+          )}
+
+          <DropdownMenu>
+            <DropdownMenuTrigger asChild>
+              <Button variant="ghost" size="icon" className="h-8 w-8">
+                <MoreVertical className="h-4 w-4" />
+              </Button>
+            </DropdownMenuTrigger>
+            <DropdownMenuContent align="end">
+              <DropdownMenuItem onClick={onToggleExpand}>
+                {isExpanded ? 'Collapse' : 'Expand'}
+              </DropdownMenuItem>
+              <DropdownMenuItem onClick={handleViewHistory}>
+                History
+              </DropdownMenuItem>
+              {canSetRestrictedStatus && (
+                <>
+                  <DropdownMenuSeparator />
+                  <DropdownMenuItem
+                    className="text-destructive focus:text-destructive"
+                    onClick={onDelete}
+                  >
+                    <Trash2 className="mr-2 h-4 w-4" />
+                    Delete
+                  </DropdownMenuItem>
+                </>
+              )}
+            </DropdownMenuContent>
+          </DropdownMenu>
+        </div>
+      </div>
+
+      {/* Finding History Sheet - only used as fallback when onViewHistory is not provided */}
+      {!onViewHistory && (
+        <FindingHistorySheet
+          findingId={finding.id}
+          open={historyOpen}
+          onOpenChange={setHistoryOpen}
+        />
+      )}
+
+      {/* Expanded content */}
+      <div
+        className={cn(
+          'grid transition-all duration-500 ease-in-out',
+          isExpanded ? 'grid-rows-[1fr]' : 'grid-rows-[0fr]',
+        )}
+      >
+        <div className="overflow-hidden">
+          <div className="px-4 pb-4 pt-2 border-t border-border/50">
+            <p className="text-sm text-foreground whitespace-pre-wrap">{finding.content}</p>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingStatusBadge.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingStatusBadge.tsx
new file mode 100644
index 000000000..44267cd5d
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingStatusBadge.tsx
@@ -0,0 +1,46 @@
+'use client';
+
+import { Badge } from '@comp/ui/badge';
+import { FindingStatus } from '@db';
+import { cn } from '@/lib/utils';
+
+const STATUS_CONFIG: Record<
+  FindingStatus,
+  { label: string; variant: 'default' | 'secondary' | 'destructive' | 'outline'; className: string }
+> = {
+  open: {
+    label: 'Open',
+    variant: 'destructive',
+    className: 'bg-red-100 text-red-700 border-red-200 hover:bg-red-100',
+  },
+  ready_for_review: {
+    label: 'Ready for Review',
+    variant: 'secondary',
+    className: 'bg-yellow-100 text-yellow-700 border-yellow-200 hover:bg-yellow-100',
+  },
+  needs_revision: {
+    label: 'Needs Revision',
+    variant: 'secondary',
+    className: 'bg-orange-100 text-orange-700 border-orange-200 hover:bg-orange-100',
+  },
+  closed: {
+    label: 'Closed',
+    variant: 'default',
+    className: 'bg-primary/10 text-primary border-primary/20 hover:bg-primary/10',
+  },
+};
+
+interface FindingStatusBadgeProps {
+  status: FindingStatus;
+  className?: string;
+}
+
+export function FindingStatusBadge({ status, className }: FindingStatusBadgeProps) {
+  const config = STATUS_CONFIG[status];
+
+  return (
+    <Badge variant={config.variant} className={cn(config.className, className)}>
+      {config.label}
+    </Badge>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingsList.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingsList.tsx
new file mode 100644
index 000000000..11480bb7e
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/FindingsList.tsx
@@ -0,0 +1,199 @@
+'use client';
+
+import { useFindingActions, useTaskFindings, type Finding } from '@/hooks/use-findings-api';
+import { Button } from '@comp/ui/button';
+import { FindingStatus } from '@db';
+import { AlertTriangle, ChevronDown, ChevronUp, FileWarning, Loader2 } from 'lucide-react';
+import { useCallback, useMemo, useState } from 'react';
+import { toast } from 'sonner';
+import { CreateFindingButton } from './CreateFindingButton';
+import { FindingItem } from './FindingItem';
+
+// Number of findings to show initially
+const INITIAL_DISPLAY_COUNT = 5;
+
+interface FindingsListProps {
+  taskId: string;
+  // Role information for permission checks
+  isAuditor: boolean;
+  isPlatformAdmin: boolean;
+  isAdminOrOwner: boolean;
+  // Callback to view finding history in sidebar
+  onViewHistory?: (findingId: string) => void;
+}
+
+// Status priority for sorting (lower = higher priority)
+const STATUS_ORDER: Record<FindingStatus, number> = {
+  [FindingStatus.open]: 0,
+  [FindingStatus.needs_revision]: 1,
+  [FindingStatus.ready_for_review]: 2,
+  [FindingStatus.closed]: 3,
+};
+
+export function FindingsList({
+  taskId,
+  isAuditor,
+  isPlatformAdmin,
+  isAdminOrOwner,
+  onViewHistory,
+}: FindingsListProps) {
+  const { data, isLoading, error, mutate } = useTaskFindings(taskId);
+  const { updateFinding, deleteFinding } = useFindingActions();
+  const [expandedId, setExpandedId] = useState<string | null>(null);
+  const [showAll, setShowAll] = useState(false);
+
+  const rawFindings = data?.data || [];
+
+  // Sort findings: by status priority, then by updatedAt (most recently updated first)
+  const sortedFindings = useMemo(() => {
+    return [...rawFindings].sort((a: Finding, b: Finding) => {
+      const statusDiff = STATUS_ORDER[a.status] - STATUS_ORDER[b.status];
+      if (statusDiff !== 0) return statusDiff;
+      return new Date(b.updatedAt).getTime() - new Date(a.updatedAt).getTime();
+    });
+  }, [rawFindings]);
+
+  // Determine visible findings based on showAll state
+  const visibleFindings = showAll ? sortedFindings : sortedFindings.slice(0, INITIAL_DISPLAY_COUNT);
+  const hiddenCount = sortedFindings.length - visibleFindings.length;
+
+  // Permission checks
+  const canCreateFinding = isAuditor || isPlatformAdmin;
+  const canChangeStatus = isAuditor || isPlatformAdmin || isAdminOrOwner;
+  const canSetRestrictedStatus = isAuditor || isPlatformAdmin;
+
+  const handleStatusChange = useCallback(
+    async (findingId: string, status: FindingStatus) => {
+      try {
+        await updateFinding(findingId, { status });
+        toast.success('Finding status updated');
+        mutate();
+      } catch (error) {
+        toast.error(error instanceof Error ? error.message : 'Failed to update status');
+      }
+    },
+    [updateFinding, mutate],
+  );
+
+  const handleDelete = useCallback(
+    async (findingId: string) => {
+      if (!confirm('Are you sure you want to delete this finding?')) {
+        return;
+      }
+
+      try {
+        await deleteFinding(findingId);
+        toast.success('Finding deleted');
+        mutate();
+      } catch (error) {
+        toast.error(error instanceof Error ? error.message : 'Failed to delete finding');
+      }
+    },
+    [deleteFinding, mutate],
+  );
+
+  // Count open findings for the alert
+  const openFindingsCount = sortedFindings.filter(
+    (f: Finding) => f.status === FindingStatus.open || f.status === FindingStatus.needs_revision,
+  ).length;
+
+  if (isLoading) {
+    return (
+      <div className="flex items-center justify-center py-8">
+        <Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
+      </div>
+    );
+  }
+
+  if (error) {
+    return (
+      <div className="flex items-center justify-center py-8 text-destructive">
+        <AlertTriangle className="h-5 w-5 mr-2" />
+        <span>Failed to load findings</span>
+      </div>
+    );
+  }
+
+  return (
+    <div className="rounded-lg border border-border bg-card overflow-hidden">
+      <div className="px-5 py-4 border-b border-border">
+        <div className="flex items-center justify-between">
+          <div className="flex items-center gap-2.5">
+            <div className="p-1.5 rounded-md bg-muted">
+              <FileWarning className="h-4 w-4 text-primary" />
+            </div>
+            <div>
+              <h3 className="text-sm font-semibold text-foreground">Findings</h3>
+              <p className="text-xs text-muted-foreground">
+                Audit findings and issues requiring attention
+              </p>
+            </div>
+          </div>
+
+          <div className="flex items-center gap-3">
+            {openFindingsCount > 0 && (
+              <div className="flex items-center gap-2 px-3 py-1.5 rounded-md bg-red-50 border border-red-100">
+                <div className="w-2 h-2 rounded-full bg-red-500" />
+                <span className="text-xs font-medium text-red-700">
+                  {openFindingsCount} requires action
+                </span>
+              </div>
+            )}
+
+            {canCreateFinding && <CreateFindingButton taskId={taskId} onSuccess={() => mutate()} />}
+          </div>
+        </div>
+      </div>
+
+      <div className="p-5">
+        {sortedFindings.length === 0 ? (
+          <div className="flex flex-col items-center justify-center py-8 text-muted-foreground">
+            <FileWarning className="h-10 w-10 mb-3 opacity-50" />
+            <p className="text-sm">No findings for this task</p>
+            {canCreateFinding && <p className="text-xs mt-1">Create a finding to flag an issue</p>}
+          </div>
+        ) : (
+          <div className="space-y-2">
+            {visibleFindings.map((finding: Finding) => (
+              <FindingItem
+                key={finding.id}
+                finding={finding}
+                isAuditor={isAuditor}
+                isPlatformAdmin={isPlatformAdmin}
+                isExpanded={expandedId === finding.id}
+                canChangeStatus={canChangeStatus}
+                canSetRestrictedStatus={canSetRestrictedStatus}
+                onToggleExpand={() => setExpandedId(expandedId === finding.id ? null : finding.id)}
+                onStatusChange={(status) => handleStatusChange(finding.id, status)}
+                onDelete={() => handleDelete(finding.id)}
+                onViewHistory={onViewHistory ? () => onViewHistory(finding.id) : undefined}
+              />
+            ))}
+
+            {/* Show more / Show less button */}
+            {sortedFindings.length > INITIAL_DISPLAY_COUNT && (
+              <Button
+                variant="ghost"
+                size="sm"
+                className="w-full mt-2 text-muted-foreground hover:text-foreground"
+                onClick={() => setShowAll(!showAll)}
+              >
+                {showAll ? (
+                  <>
+                    <ChevronUp className="h-4 w-4 mr-1.5" />
+                    Show less
+                  </>
+                ) : (
+                  <>
+                    <ChevronDown className="h-4 w-4 mr-1.5" />
+                    Show {hiddenCount} more {hiddenCount === 1 ? 'finding' : 'findings'}
+                  </>
+                )}
+              </Button>
+            )}
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/index.ts b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/index.ts
new file mode 100644
index 000000000..376fc8ea6
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/findings/index.ts
@@ -0,0 +1,7 @@
+export { CreateFindingButton } from './CreateFindingButton';
+export { CreateFindingSheet } from './CreateFindingSheet';
+export { FindingHistoryPanel } from './FindingHistoryPanel';
+export { FindingHistorySheet } from './FindingHistorySheet';
+export { FindingItem } from './FindingItem';
+export { FindingsList } from './FindingsList';
+export { FindingStatusBadge } from './FindingStatusBadge';
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/page.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/page.tsx
index ec4958862..f32bfb1f5 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/page.tsx
@@ -24,11 +24,20 @@ export default async function TaskPage({
   });
 
   let isWebAutomationsEnabled = false;
+  let isPlatformAdmin = false;
+
   if (session?.user?.id) {
     const flags = await getFeatureFlags(session.user.id);
     isWebAutomationsEnabled =
       flags['is-web-automations-enabled'] === true ||
       flags['is-web-automations-enabled'] === 'true';
+
+    // Check if user is platform admin
+    const user = await db.user.findUnique({
+      where: { id: session.user.id },
+      select: { isPlatformAdmin: true },
+    });
+    isPlatformAdmin = user?.isPlatformAdmin ?? false;
   }
 
   return (
@@ -36,6 +45,7 @@ export default async function TaskPage({
       initialTask={task}
       initialAutomations={automations}
       isWebAutomationsEnabled={isWebAutomationsEnabled}
+      isPlatformAdmin={isPlatformAdmin}
     />
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/components/BulkTaskAssigneeChangeModal.tsx b/apps/app/src/app/(app)/[orgId]/tasks/components/BulkTaskAssigneeChangeModal.tsx
new file mode 100644
index 000000000..ff21706e4
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/components/BulkTaskAssigneeChangeModal.tsx
@@ -0,0 +1,174 @@
+'use client';
+
+import { useEffect, useState, useMemo } from 'react';
+import { Button } from '@comp/ui/button';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from '@comp/ui/dialog';
+import { Label } from '@comp/ui/label';
+import { Select, SelectContent, SelectItem, SelectTrigger } from '@comp/ui/select';
+import { Avatar, AvatarFallback, AvatarImage } from '@comp/ui/avatar';
+import { Member, User } from '@db';
+import { Loader2, UserIcon } from 'lucide-react';
+import { useParams, useRouter } from 'next/navigation';
+import { apiClient } from '@/lib/api-client';
+import { toast } from 'sonner';
+
+interface BulkTaskAssigneeChangeModalProps {
+  open: boolean;
+  selectedTaskIds: string[];
+  members: (Member & { user: User })[];
+  onOpenChange: (open: boolean) => void;
+  onSuccess?: () => void;
+}
+
+const UnassignedAvatar = () => (
+  <div className="bg-muted flex h-5 w-5 items-center justify-center rounded-full">
+    <UserIcon className="h-3 w-3" />
+  </div>
+);
+
+const MemberAvatar = ({ member }: { member: Member & { user: User } }) => (
+  <Avatar className="h-5 w-5">
+    <AvatarImage src={member.user.image ?? undefined} alt={member.user.name ?? 'Assignee'} />
+    <AvatarFallback>
+      {member.user.name?.charAt(0) ?? member.user.email?.charAt(0).toUpperCase() ?? '?'}
+    </AvatarFallback>
+  </Avatar>
+);
+
+const MemberDisplayName = ({ member }: { member: Member & { user: User } }) => (
+  <span>{member.user.name ?? member.user.email ?? 'Unknown'}</span>
+);
+
+export function BulkTaskAssigneeChangeModal({
+  open,
+  onOpenChange,
+  selectedTaskIds,
+  members,
+  onSuccess,
+}: BulkTaskAssigneeChangeModalProps) {
+  const router = useRouter();
+  const params = useParams<{ orgId: string }>();
+  const orgIdParam = Array.isArray(params.orgId) ? params.orgId[0] : params.orgId;
+
+  const [assigneeId, setAssigneeId] = useState<string | null>(null);
+  const [isSubmitting, setIsSubmitting] = useState(false);
+
+  const selectedCount = selectedTaskIds.length;
+  const isSingular = selectedCount === 1;
+  const selectedAssignee = useMemo(
+    () => (assigneeId ? members.find((m) => m.id === assigneeId) : null),
+    [assigneeId, members],
+  );
+
+  useEffect(() => {
+    if (open) {
+      setAssigneeId(null);
+    }
+  }, [open]);
+
+  const handleAssigneeChange = (value: string) => {
+    setAssigneeId(value === 'none' ? null : value);
+  };
+
+  const handleUpdate = async () => {
+    if (!orgIdParam || selectedTaskIds.length === 0) {
+      return;
+    }
+
+    try {
+      setIsSubmitting(true);
+      const payload = {
+        taskIds: selectedTaskIds,
+        assigneeId: assigneeId ?? null,
+      };
+
+      const response = await apiClient.patch<{ updatedCount: number }>(
+        '/v1/tasks/bulk/assignee',
+        payload,
+        orgIdParam,
+      );
+
+      if (response.error) {
+        throw new Error(response.error);
+      }
+
+      const updatedCount = response.data?.updatedCount ?? selectedTaskIds.length;
+      toast.success(`Updated assignee for ${updatedCount} task${updatedCount === 1 ? '' : 's'}`);
+      onSuccess?.();
+      onOpenChange(false);
+      router.refresh();
+    } catch (error) {
+      console.error('Failed to bulk update task assignees', error);
+      const message = error instanceof Error ? error.message : 'Failed to update tasks';
+      toast.error(message);
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>Bulk Assignee Update</DialogTitle>
+          <DialogDescription>
+            {`${selectedCount} item${isSingular ? '' : 's'} ${
+              isSingular ? 'is' : 'are'
+            } selected. Are you sure you want to change the assignee?`}
+          </DialogDescription>
+        </DialogHeader>
+
+        <div className="space-y-2 flex flex-row items-center gap-4">
+          <Label htmlFor="task-assignee">Assignee</Label>
+          <Select value={assigneeId || 'none'} onValueChange={handleAssigneeChange}>
+            <SelectTrigger id="task-assignee" className="w-full">
+              {selectedAssignee ? (
+                <div className="flex items-center gap-2">
+                  <MemberAvatar member={selectedAssignee} />
+                  <MemberDisplayName member={selectedAssignee} />
+                </div>
+              ) : (
+                <div className="flex items-center gap-2">
+                  <UnassignedAvatar />
+                  <span>Unassigned</span>
+                </div>
+              )}
+            </SelectTrigger>
+            <SelectContent>
+              <SelectItem value="none">
+                <div className="flex items-center gap-2">
+                  <UnassignedAvatar />
+                  <span>Unassigned</span>
+                </div>
+              </SelectItem>
+              {members.map((member) => (
+                <SelectItem key={member.id} value={member.id}>
+                  <div className="flex items-center gap-2">
+                    <MemberAvatar member={member} />
+                    <MemberDisplayName member={member} />
+                  </div>
+                </SelectItem>
+              ))}
+            </SelectContent>
+          </Select>
+        </div>
+
+        <DialogFooter className="flex justify-end gap-2">
+          <Button variant="outline" onClick={() => onOpenChange(false)}>
+            Cancel
+          </Button>
+          <Button onClick={handleUpdate} disabled={isSubmitting}>
+            {isSubmitting ? <Loader2 className="h-4 w-4 animate-spin" /> : 'Change Assignee'}
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/components/BulkTaskStatusChangeModal.tsx b/apps/app/src/app/(app)/[orgId]/tasks/components/BulkTaskStatusChangeModal.tsx
index a43dc8c11..b6007c592 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/components/BulkTaskStatusChangeModal.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/components/BulkTaskStatusChangeModal.tsx
@@ -1,6 +1,6 @@
 'use client';
 
-import { useEffect, useMemo, useState } from 'react';
+import { apiClient } from '@/lib/api-client';
 import { Button } from '@comp/ui/button';
 import {
   Dialog,
@@ -15,7 +15,7 @@ import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@
 import { TaskStatus } from '@db';
 import { Loader2 } from 'lucide-react';
 import { useParams, useRouter } from 'next/navigation';
-import { apiClient } from '@/lib/api-client';
+import { useEffect, useMemo, useState } from 'react';
 import { toast } from 'sonner';
 import { TaskStatusIndicator } from './TaskStatusIndicator';
 
@@ -129,4 +129,4 @@ export function BulkTaskStatusChangeModal({
       </DialogContent>
     </Dialog>
   );
-}
\ No newline at end of file
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/components/ModernSingleStatusTaskList.tsx b/apps/app/src/app/(app)/[orgId]/tasks/components/ModernSingleStatusTaskList.tsx
index 93610c05d..73cd236ad 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/components/ModernSingleStatusTaskList.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/components/ModernSingleStatusTaskList.tsx
@@ -2,10 +2,14 @@
 
 import { useEffect, useMemo, useState } from 'react';
 
-import { Member, Task, User } from '@db';
 import { Checkbox } from '@comp/ui/checkbox';
+import { Button } from '@comp/ui/button';
+import { Member, Task, User } from '@db';
+import { RefreshCw, User as UserIcon } from 'lucide-react';
 import { ModernTaskListItem } from './ModernTaskListItem';
 import { TaskBulkActions } from './TaskBulkActions';
+import { BulkTaskStatusChangeModal } from './BulkTaskStatusChangeModal';
+import { BulkTaskAssigneeChangeModal } from './BulkTaskAssigneeChangeModal';
 
 interface ModernSingleStatusTaskListProps {
   config: {
@@ -33,9 +37,16 @@ interface ModernSingleStatusTaskListProps {
   handleTaskClick: (taskId: string) => void;
 }
 
-export function ModernSingleStatusTaskList({ config, tasks, members, handleTaskClick }: ModernSingleStatusTaskListProps) {
+export function ModernSingleStatusTaskList({
+  config,
+  tasks,
+  members,
+  handleTaskClick,
+}: ModernSingleStatusTaskListProps) {
   const [selectable, setSelectable] = useState(false);
   const [selectedTaskIds, setSelectedTaskIds] = useState<string[]>([]);
+  const [openBulkStatus, setOpenBulkStatus] = useState(false);
+  const [openBulkAssignee, setOpenBulkAssignee] = useState(false);
   const StatusIcon = config.icon;
 
   useEffect(() => {
@@ -71,12 +82,18 @@ export function ModernSingleStatusTaskList({ config, tasks, members, handleTaskC
   };
 
   const handleSelect = (taskId: string, checked: boolean) => {
-    setSelectedTaskIds((prev) => {
-      if (checked) return Array.from(new Set([...prev, taskId]));
-      return prev.filter((id) => id !== taskId);
-    });
+    setSelectedTaskIds((prev) =>
+      checked ? Array.from(new Set([...prev, taskId])) : prev.filter((id) => id !== taskId),
+    );
+  };
+
+  const handleBulkActionSuccess = () => {
+    setSelectedTaskIds([]);
+    setSelectable(false);
   };
 
+  const buttonClassName = 'h-8 gap-1.5 text-xs font-medium text-muted-foreground hover:text-foreground hover:bg-accent';
+
   return (
     <div className="space-y-2">
       <div className="flex items-center gap-2 border-b border-border/50 pb-2">
@@ -87,11 +104,9 @@ export function ModernSingleStatusTaskList({ config, tasks, members, handleTaskC
         <span className="text-muted-foreground/60 text-xs font-medium">({tasks.length})</span>
         <TaskBulkActions
           selectedTaskIds={selectedTaskIds}
+          isEditing={selectable}
           onEdit={setSelectable}
-          onClearSelection={() => {
-            setSelectedTaskIds([]);
-            setSelectable(false);
-          }}
+          onClearSelection={handleBulkActionSuccess}
         />
       </div>
       <div className="divide-y divide-border/50 overflow-hidden rounded-lg border border-border/60 bg-card">
@@ -103,6 +118,41 @@ export function ModernSingleStatusTaskList({ config, tasks, members, handleTaskC
               aria-label="Select all tasks"
             />
             <span className="text-sm text-muted-foreground">Select all</span>
+            <div className="ml-auto flex items-center gap-2">
+              <Button
+                variant="outline"
+                size="sm"
+                onClick={() => setOpenBulkStatus(true)}
+                disabled={selectedTaskIds.length === 0}
+                className={buttonClassName}
+              >
+                <RefreshCw className="h-3.5 w-3.5" />
+                <span>Status</span>
+              </Button>
+              <Button
+                variant="outline"
+                size="sm"
+                onClick={() => setOpenBulkAssignee(true)}
+                disabled={selectedTaskIds.length === 0}
+                className={buttonClassName}
+              >
+                <UserIcon className="h-3.5 w-3.5" />
+                <span>Assignee</span>
+              </Button>
+            </div>
+            <BulkTaskStatusChangeModal
+              selectedTaskIds={selectedTaskIds}
+              open={openBulkStatus}
+              onOpenChange={setOpenBulkStatus}
+              onSuccess={handleBulkActionSuccess}
+            />
+            <BulkTaskAssigneeChangeModal
+              selectedTaskIds={selectedTaskIds}
+              members={members}
+              open={openBulkAssignee}
+              onOpenChange={setOpenBulkAssignee}
+              onSuccess={handleBulkActionSuccess}
+            />
           </div>
         ) : null}
         {tasks.map((task) => (
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/components/TaskBulkActions.tsx b/apps/app/src/app/(app)/[orgId]/tasks/components/TaskBulkActions.tsx
index 37e976db7..fc9506e4f 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/components/TaskBulkActions.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/components/TaskBulkActions.tsx
@@ -1,62 +1,46 @@
 'use client';
 
-import { useEffect, useState } from 'react';
 import { Button } from '@comp/ui/button';
-import { DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger } from '@comp/ui';
-import { ArrowUpDown, ChevronDown, Pencil, X } from 'lucide-react';
-import { BulkTaskStatusChangeModal } from './BulkTaskStatusChangeModal';
+import { Pencil, X } from 'lucide-react';
 
 interface TaskBulkActionsProps {
   selectedTaskIds: string[];
+  isEditing: boolean;
   onEdit: (isEditing: boolean) => void;
   onClearSelection: () => void;
 }
 
-export function TaskBulkActions({ selectedTaskIds, onEdit, onClearSelection }: TaskBulkActionsProps) {
-  const [isEditing, setIsEditing] = useState(false);
-  const [openBulk, setOpenBulk] = useState(false);
+export function TaskBulkActions({
+  selectedTaskIds,
+  isEditing,
+  onEdit,
+  onClearSelection,
+}: TaskBulkActionsProps) {
+  const handleToggleEdit = () => {
+    onEdit(!isEditing);
+  };
 
-  useEffect(() => {
-    onEdit(isEditing);
-  }, [isEditing, onEdit]);
+  const handleClose = () => {
+    onEdit(false);
+    onClearSelection();
+  };
 
   return (
     <div className="ml-auto flex items-center gap-2">
       {isEditing ? (
         <>
-          <span className="text-xs text-slate-500">{`${selectedTaskIds.length} item${selectedTaskIds.length > 1 ? 's' : ''} selected`}</span>
-          <DropdownMenu>
-            <DropdownMenuTrigger asChild>
-              <Button variant="ghost">
-                <span className="text-slate-500">Actions</span>
-                <ChevronDown className="h-4 w-4 text-slate-500" />
-              </Button>
-            </DropdownMenuTrigger>
-            <DropdownMenuContent align="end">
-              <DropdownMenuItem onClick={() => setOpenBulk(true)} disabled={selectedTaskIds.length === 0}>
-                <ArrowUpDown className="mr-2 h-4 w-4 text-slate-500" />
-                Change Status
-              </DropdownMenuItem>
-            </DropdownMenuContent>
-          </DropdownMenu>
-          <Button variant="ghost" size="icon" onClick={() => setIsEditing(false)}>
+          <span className="text-xs text-slate-500">
+            {`${selectedTaskIds.length} item${selectedTaskIds.length > 1 ? 's' : ''} selected`}
+          </span>
+          <Button variant="ghost" size="icon" onClick={handleClose}>
             <X className="h-4 w-4 text-slate-400" />
           </Button>
         </>
       ) : (
-        <Button variant="ghost" size="icon" onClick={() => setIsEditing(true)}>
+        <Button variant="ghost" size="icon" onClick={handleToggleEdit}>
           <Pencil className="h-4 w-4 text-slate-500" />
         </Button>
       )}
-      <BulkTaskStatusChangeModal
-        selectedTaskIds={selectedTaskIds}
-        open={openBulk}
-        onOpenChange={setOpenBulk}
-        onSuccess={() => {
-          onClearSelection();
-          setIsEditing(false);
-        }}
-      />
     </div>
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/components/TasksPageClient.tsx b/apps/app/src/app/(app)/[orgId]/tasks/components/TasksPageClient.tsx
index 2278f6294..c7aec158b 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/components/TasksPageClient.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/components/TasksPageClient.tsx
@@ -1,9 +1,22 @@
 'use client';
 
-import { Button, PageHeader, PageLayout } from '@trycompai/design-system';
-import { Add } from '@trycompai/design-system/icons';
+import { downloadAllEvidenceZip } from '@/lib/evidence-download';
 import type { Member, Task, User } from '@db';
+import {
+  Button,
+  PageHeader,
+  PageLayout,
+  Popover,
+  PopoverContent,
+  PopoverDescription,
+  PopoverHeader,
+  PopoverTitle,
+  PopoverTrigger,
+  Switch,
+} from '@trycompai/design-system';
+import { Add, ArrowDown } from '@trycompai/design-system/icons';
 import { useState } from 'react';
+import { toast } from 'sonner';
 import { CreateTaskSheet } from './CreateTaskSheet';
 import { TaskList } from './TaskList';
 
@@ -27,10 +40,42 @@ interface TasksPageClientProps {
   members: (Member & { user: User })[];
   controls: { id: string; name: string }[];
   activeTab: 'categories' | 'list';
+  orgId: string;
+  organizationName: string | null;
+  hasEvidenceExportAccess: boolean;
 }
 
-export function TasksPageClient({ tasks, members, controls, activeTab }: TasksPageClientProps) {
+export function TasksPageClient({
+  tasks,
+  members,
+  controls,
+  activeTab,
+  orgId,
+  organizationName,
+  hasEvidenceExportAccess,
+}: TasksPageClientProps) {
   const [isCreateSheetOpen, setIsCreateSheetOpen] = useState(false);
+  const [isDownloadingAll, setIsDownloadingAll] = useState(false);
+  const [includeRawJson, setIncludeRawJson] = useState(false);
+  const [isPopoverOpen, setIsPopoverOpen] = useState(false);
+
+  const handleDownloadAllEvidence = async () => {
+    setIsDownloadingAll(true);
+    try {
+      await downloadAllEvidenceZip({
+        organizationId: orgId,
+        organizationName: organizationName ?? undefined,
+        includeJson: includeRawJson,
+      });
+      toast.success('Evidence package downloaded successfully');
+      setIsPopoverOpen(false);
+    } catch (err) {
+      toast.error('Failed to download evidence. Please try again.');
+      console.error('Evidence download error:', err);
+    } finally {
+      setIsDownloadingAll(false);
+    }
+  };
 
   return (
     <PageLayout
@@ -38,9 +83,39 @@ export function TasksPageClient({ tasks, members, controls, activeTab }: TasksPa
         <PageHeader
           title="Evidence"
           actions={
-            <Button iconLeft={<Add />} onClick={() => setIsCreateSheetOpen(true)}>
-              Create Evidence
-            </Button>
+            <div className="flex items-center gap-2">
+              {hasEvidenceExportAccess && (
+                <Popover open={isPopoverOpen} onOpenChange={setIsPopoverOpen}>
+                  <PopoverTrigger className="inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:pointer-events-none disabled:opacity-50 border border-input bg-background shadow-sm hover:bg-accent hover:text-accent-foreground h-7 px-2 cursor-pointer">
+                    Export All Evidence
+                  </PopoverTrigger>
+                  <PopoverContent align="end" side="bottom" sideOffset={8}>
+                    <PopoverHeader>
+                      <PopoverTitle>Export Options</PopoverTitle>
+                      <PopoverDescription>Download all task evidence as ZIP</PopoverDescription>
+                    </PopoverHeader>
+                    <div className="flex items-center justify-between gap-3 py-1">
+                      <span className="text-sm">Include raw JSON files</span>
+                      <Switch
+                        checked={includeRawJson}
+                        onCheckedChange={(checked) => setIncludeRawJson(checked)}
+                      />
+                    </div>
+                    <Button
+                      iconLeft={<ArrowDown />}
+                      onClick={handleDownloadAllEvidence}
+                      disabled={isDownloadingAll}
+                      width="full"
+                    >
+                      {isDownloadingAll ? 'Preparing…' : 'Export'}
+                    </Button>
+                  </PopoverContent>
+                </Popover>
+              )}
+              <Button iconLeft={<Add />} onClick={() => setIsCreateSheetOpen(true)}>
+                Create Evidence
+              </Button>
+            </div>
           }
         />
       }
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/page.tsx b/apps/app/src/app/(app)/[orgId]/tasks/page.tsx
index e7b894027..218f04457 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/page.tsx
@@ -27,6 +27,8 @@ export default async function TasksPage({
   const tasks = await getTasks();
   const members = await getMembersWithMetadata();
   const controls = await getControls();
+  const { hasEvidenceExportAccess, organizationName } =
+    await getEvidenceExportContext(orgId);
 
   // Read tab preference from cookie (server-side, no hydration issues)
   const cookieStore = await cookies();
@@ -34,10 +36,63 @@ export default async function TasksPage({
   const activeTab = savedView === 'categories' || savedView === 'list' ? savedView : 'categories';
 
   return (
-    <TasksPageClient tasks={tasks} members={members} controls={controls} activeTab={activeTab} />
+    <TasksPageClient
+      tasks={tasks}
+      members={members}
+      controls={controls}
+      activeTab={activeTab}
+      orgId={orgId}
+      organizationName={organizationName}
+      hasEvidenceExportAccess={hasEvidenceExportAccess}
+    />
   );
 }
 
+// Helper to safely parse comma-separated roles string
+function parseRolesString(rolesStr: string | null | undefined): Role[] {
+  if (!rolesStr) return [];
+  return rolesStr
+    .split(',')
+    .map((r) => r.trim())
+    .filter((r) => r in Role) as Role[];
+}
+
+const getEvidenceExportContext = async (organizationId: string) => {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session) {
+    return { hasEvidenceExportAccess: false, organizationName: null };
+  }
+
+  const [member, organization] = await Promise.all([
+    db.member.findFirst({
+      where: {
+        userId: session.user.id,
+        organizationId,
+        deactivated: false,
+      },
+      select: { role: true },
+    }),
+    db.organization.findUnique({
+      where: { id: organizationId },
+      select: { name: true },
+    }),
+  ]);
+
+  const roles = parseRolesString(member?.role);
+  const hasEvidenceExportAccess =
+    roles.includes(Role.auditor) ||
+    roles.includes(Role.admin) ||
+    roles.includes(Role.owner);
+
+  return {
+    hasEvidenceExportAccess,
+    organizationName: organization?.name ?? null,
+  };
+};
+
 const getTasks = async () => {
   const session = await auth.api.getSession({
     headers: await headers(),
diff --git a/apps/app/src/app/(app)/invite/[code]/page.tsx b/apps/app/src/app/(app)/invite/[code]/page.tsx
index 7ad36bd76..f6e7891ff 100644
--- a/apps/app/src/app/(app)/invite/[code]/page.tsx
+++ b/apps/app/src/app/(app)/invite/[code]/page.tsx
@@ -29,6 +29,7 @@ export default async function InvitePage({ params }: InvitePageProps) {
     include: {
       organization: {
         select: {
+          id: true,
           name: true,
         },
       },
@@ -51,6 +52,22 @@ export default async function InvitePage({ params }: InvitePageProps) {
   }
 
   if (invitation.status !== 'pending') {
+    // Check if the current user is a member of this organization
+    // If so, this means they just accepted the invite and we should redirect them
+    const membership = await db.member.findFirst({
+      where: {
+        userId: session.user.id,
+        organizationId: invitation.organizationId,
+        deactivated: false,
+      },
+    });
+
+    if (membership) {
+      // User is a member - redirect to the organization
+      return redirect(`/${invitation.organizationId}`);
+    }
+
+    // User is not a member - show the appropriate message
     return (
       <OnboardingLayout variant="setup" currentOrganization={null}>
         <div className="flex min-h-[calc(100dvh-80px)] w-full items-center justify-center p-4">
diff --git a/apps/app/src/app/(app)/setup/components/accept-invite.tsx b/apps/app/src/app/(app)/setup/components/accept-invite.tsx
index 7a4fef68f..e4a939a8b 100644
--- a/apps/app/src/app/(app)/setup/components/accept-invite.tsx
+++ b/apps/app/src/app/(app)/setup/components/accept-invite.tsx
@@ -7,7 +7,6 @@ import { Icons } from '@comp/ui/icons';
 import { Loader2 } from 'lucide-react';
 import { useAction } from 'next-safe-action/hooks';
 import Link from 'next/link';
-import { redirect } from 'next/navigation';
 import { toast } from 'sonner';
 
 export function AcceptInvite({
@@ -17,25 +16,36 @@ export function AcceptInvite({
   inviteCode: string;
   organizationName: string;
 }) {
-  // Using next/navigation redirect to avoid showing invite page after accept
-
   const { execute, isPending } = useAction(completeInvitation, {
     onSuccess: async (result) => {
       if (result.data?.data?.organizationId) {
-        // Set the active organization before redirecting
-        await authClient.organization.setActive({
-          organizationId: result.data.data.organizationId,
-        });
+        const orgId = result.data.data.organizationId;
+        try {
+          // Set the active organization before redirecting
+          await authClient.organization.setActive({
+            organizationId: orgId,
+          });
+        } catch (error) {
+          console.error('Failed to set active organization:', error);
+          // Continue with redirect even if setActive fails
+        }
+        // Use hard redirect to prevent React re-rendering the page
+        // Server actions cause the parent Server Component to re-fetch data,
+        // which would show "already accepted" before router.replace() executes
+        window.location.href = `/${orgId}`;
+      } else {
+        // Fallback to home if no organizationId
+        window.location.href = '/';
       }
     },
     onError: (error) => {
+      console.error('Accept invitation error:', error);
       toast.error('Failed to accept invitation');
     },
   });
 
   const handleAccept = async () => {
     await execute({ inviteCode });
-    redirect(`/`);
   };
 
   return (
diff --git a/apps/app/src/app/(public)/auth/page.tsx b/apps/app/src/app/(public)/auth/page.tsx
index 8a121372b..93018cf82 100644
--- a/apps/app/src/app/(public)/auth/page.tsx
+++ b/apps/app/src/app/(public)/auth/page.tsx
@@ -1,6 +1,7 @@
 import { LoginForm } from '@/components/login-form';
 import { env } from '@/env.mjs';
 import { auth } from '@/utils/auth';
+import { getSafeRedirectPath } from '@/utils/auth-callback';
 import {
   Card,
   CardContent,
@@ -22,12 +23,13 @@ export const metadata: Metadata = {
 export default async function Page({
   searchParams,
 }: {
-  searchParams: Promise<{ inviteCode?: string }>;
+  searchParams: Promise<{ inviteCode?: string; redirectTo?: string }>;
 }) {
   const session = await auth.api.getSession({
     headers: await headers(),
   });
-  const { inviteCode } = await searchParams;
+  const { inviteCode, redirectTo } = await searchParams;
+  const safeRedirectTo = getSafeRedirectPath(redirectTo);
 
   const orgId = session?.session?.activeOrganizationId;
 
@@ -57,7 +59,13 @@ export default async function Page({
             </CardDescription>
           </CardHeader>
           <CardContent className="space-y-6 pb-6 px-8">
-            <LoginForm inviteCode={inviteCode} showGoogle={showGoogle} showGithub={showGithub} showMicrosoft={showMicrosoft} />
+            <LoginForm
+              inviteCode={inviteCode}
+              redirectTo={safeRedirectTo}
+              showGoogle={showGoogle}
+              showGithub={showGithub}
+              showMicrosoft={showMicrosoft}
+            />
           </CardContent>
           <CardFooter className="pb-10">
             <p className="w-full px-6 text-center text-xs text-muted-foreground">
diff --git a/apps/app/src/app/api/get-image-url/route.ts b/apps/app/src/app/api/get-image-url/route.ts
index 0bfb72594..100acc12b 100644
--- a/apps/app/src/app/api/get-image-url/route.ts
+++ b/apps/app/src/app/api/get-image-url/route.ts
@@ -2,6 +2,7 @@ import { auth } from '@/utils/auth';
 import { APP_AWS_ORG_ASSETS_BUCKET, s3Client } from '@/app/s3';
 import { GetObjectCommand } from '@aws-sdk/client-s3';
 import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
+import { db } from '@db';
 import { NextRequest, NextResponse } from 'next/server';
 
 export async function GET(req: NextRequest) {
@@ -11,11 +12,24 @@ export async function GET(req: NextRequest) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
   }
 
-  const organizationId = session.session?.activeOrganizationId;
+  const organizationId = req.nextUrl.searchParams.get('organizationId');
   if (!organizationId) {
     return NextResponse.json({ error: 'No active organization' }, { status: 400 });
   }
 
+  const member = await db.member.findFirst({
+    where: {
+      userId: session.user.id,
+      organizationId,
+      deactivated: false,
+    },
+    select: { id: true },
+  });
+
+  if (!member) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
   const key = req.nextUrl.searchParams.get('key');
 
   if (!key) {
diff --git a/apps/app/src/components/github-sign-in.tsx b/apps/app/src/components/github-sign-in.tsx
index d85608a56..b6120e645 100644
--- a/apps/app/src/components/github-sign-in.tsx
+++ b/apps/app/src/components/github-sign-in.tsx
@@ -1,38 +1,28 @@
 'use client';
 
 import { authClient } from '@/utils/auth-client';
+import { buildAuthCallbackUrl } from '@/utils/auth-callback';
 import { Button } from '@comp/ui/button';
 import { Icons } from '@comp/ui/icons';
 import { Loader2 } from 'lucide-react';
 import { useState } from 'react';
 
-export function GithubSignIn({
-  inviteCode,
-  searchParams,
-}: {
+interface GithubSignInProps {
   inviteCode?: string;
-  searchParams?: URLSearchParams;
-}) {
+  redirectTo?: string;
+}
+
+export function GithubSignIn({ inviteCode, redirectTo }: GithubSignInProps) {
   const [isLoading, setLoading] = useState(false);
 
   const handleSignIn = async () => {
     setLoading(true);
 
-    // Build the callback URL with search params
-    const baseURL = window.location.origin;
-    const path = inviteCode ? `/invite/${inviteCode}` : '/';
-    const redirectTo = new URL(path, baseURL);
-
-    // Append all search params if they exist
-    if (searchParams) {
-      searchParams.forEach((value, key) => {
-        redirectTo.searchParams.append(key, value);
-      });
-    }
+    const callbackURL = buildAuthCallbackUrl({ inviteCode, redirectTo });
 
     await authClient.signIn.social({
       provider: 'github',
-      callbackURL: redirectTo.toString(),
+      callbackURL,
     });
   };
 
diff --git a/apps/app/src/components/google-sign-in.tsx b/apps/app/src/components/google-sign-in.tsx
index 3aa6098e6..fe0ef3d4d 100644
--- a/apps/app/src/components/google-sign-in.tsx
+++ b/apps/app/src/components/google-sign-in.tsx
@@ -1,38 +1,28 @@
 'use client';
 
 import { authClient } from '@/utils/auth-client';
+import { buildAuthCallbackUrl } from '@/utils/auth-callback';
 import { Button } from '@comp/ui/button';
 import { Icons } from '@comp/ui/icons';
 import { Loader2 } from 'lucide-react';
 import { useState } from 'react';
 
-export function GoogleSignIn({
-  inviteCode,
-  searchParams,
-}: {
+interface GoogleSignInProps {
   inviteCode?: string;
-  searchParams?: URLSearchParams;
-}) {
+  redirectTo?: string;
+}
+
+export function GoogleSignIn({ inviteCode, redirectTo }: GoogleSignInProps) {
   const [isLoading, setLoading] = useState(false);
 
   const handleSignIn = async () => {
     setLoading(true);
 
-    // Build the callback URL with search params
-    const baseURL = window.location.origin;
-    const path = inviteCode ? `/invite/${inviteCode}` : '/';
-    const redirectTo = new URL(path, baseURL);
-
-    // Append all search params if they exist
-    if (searchParams) {
-      searchParams.forEach((value, key) => {
-        redirectTo.searchParams.append(key, value);
-      });
-    }
+    const callbackURL = buildAuthCallbackUrl({ inviteCode, redirectTo });
 
     await authClient.signIn.social({
       provider: 'google',
-      callbackURL: redirectTo.toString(),
+      callbackURL,
     });
   };
 
diff --git a/apps/app/src/components/integrations/ManageIntegrationDialog.tsx b/apps/app/src/components/integrations/ManageIntegrationDialog.tsx
index 18dfa50ae..5eff646cc 100644
--- a/apps/app/src/components/integrations/ManageIntegrationDialog.tsx
+++ b/apps/app/src/components/integrations/ManageIntegrationDialog.tsx
@@ -87,6 +87,26 @@ interface ManageIntegrationDialogProps {
   onSaved?: () => void;
 }
 
+const validateTargetRepos = (
+  values: Record<string, string | number | boolean | string[]>,
+): boolean => {
+  const targetReposValue = values.target_repos;
+  if (!Array.isArray(targetReposValue) || targetReposValue.length === 0) {
+    return true;
+  }
+  for (const value of targetReposValue) {
+    const colonIndex = String(value).lastIndexOf(':');
+    if (colonIndex <= 0) {
+      return false;
+    }
+    const branch = String(value).substring(colonIndex + 1).trim();
+    if (!branch) {
+      return false;
+    }
+  }
+  return true;
+};
+
 export function ManageIntegrationDialog({
   open,
   onOpenChange,
@@ -322,9 +342,14 @@ export function ManageIntegrationDialog({
     setDynamicOptions({});
   };
 
+  const hasVariables = variables.length > 0;
+  const hasCredentials = authStrategy === 'custom' && credentialFields.length > 0;
+  const showTabs = hasVariables && hasCredentials;
+  const isTargetReposValid = validateTargetRepos(variableValues);
+
   return (
     <Dialog open={open} onOpenChange={handleClose}>
-      <DialogContent className="max-w-lg">
+      <DialogContent className="max-w-lg max-h-[85vh] flex flex-col">
         <DialogHeader>
           <DialogTitle className="flex items-center gap-3">
             <div className="w-8 h-8 rounded-lg bg-background border border-border flex items-center justify-center overflow-hidden">
@@ -350,28 +375,43 @@ export function ManageIntegrationDialog({
           </DialogDescription>
         </DialogHeader>
 
-        {loadingVariables ? (
-          <div className="py-8 flex items-center justify-center">
-            <Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
-          </div>
-        ) : (
-          <ConfigurationContent
-            variables={variables}
-            variableValues={variableValues}
-            setVariableValues={setVariableValues}
-            dynamicOptions={dynamicOptions}
-            loadingDynamicOptions={loadingDynamicOptions}
-            fetchDynamicOptions={fetchDynamicOptions}
+        <div className="flex-1 min-h-0 overflow-y-auto">
+          {loadingVariables ? (
+            <div className="py-8 flex items-center justify-center">
+              <Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
+            </div>
+          ) : (
+            <ConfigurationContent
+              variables={variables}
+              variableValues={variableValues}
+              setVariableValues={setVariableValues}
+              dynamicOptions={dynamicOptions}
+              loadingDynamicOptions={loadingDynamicOptions}
+              fetchDynamicOptions={fetchDynamicOptions}
+              credentialFields={credentialFields}
+              credentialValues={credentialValues}
+              setCredentialValues={setCredentialValues}
+              hasVariables={hasVariables}
+              hasCredentials={hasCredentials}
+              showTabs={showTabs}
+              activeTab={activeTab}
+              setActiveTab={setActiveTab}
+            />
+          )}
+        </div>
+
+        {!loadingVariables && (
+          <ConfigurationFooterActions
+            hasVariables={hasVariables}
+            hasCredentials={hasCredentials}
+            showTabs={showTabs}
+            activeTab={activeTab}
             savingVariables={savingVariables}
             handleSaveVariables={handleSaveVariables}
-            credentialFields={credentialFields}
-            credentialValues={credentialValues}
-            setCredentialValues={setCredentialValues}
+            isTargetReposValid={isTargetReposValid}
             savingCredentials={savingCredentials}
             handleSaveCredentials={handleSaveCredentials}
-            authStrategy={authStrategy}
-            activeTab={activeTab}
-            setActiveTab={setActiveTab}
+            showActionsFooter={!configureOnly}
           />
         )}
 
@@ -428,14 +468,12 @@ function ConfigurationContent({
   dynamicOptions,
   loadingDynamicOptions,
   fetchDynamicOptions,
-  savingVariables,
-  handleSaveVariables,
   credentialFields,
   credentialValues,
   setCredentialValues,
-  savingCredentials,
-  handleSaveCredentials,
-  authStrategy,
+  hasVariables,
+  hasCredentials,
+  showTabs,
   activeTab,
   setActiveTab,
 }: {
@@ -447,44 +485,15 @@ function ConfigurationContent({
   dynamicOptions: Record<string, { value: string; label: string }[]>;
   loadingDynamicOptions: Record<string, boolean>;
   fetchDynamicOptions: (variableId: string) => void;
-  savingVariables: boolean;
-  handleSaveVariables: () => void;
   credentialFields: CredentialField[];
   credentialValues: Record<string, string>;
   setCredentialValues: React.Dispatch<React.SetStateAction<Record<string, string>>>;
-  savingCredentials: boolean;
-  handleSaveCredentials: () => void;
-  authStrategy: string;
+  hasVariables: boolean;
+  hasCredentials: boolean;
+  showTabs: boolean;
   activeTab: 'variables' | 'credentials';
   setActiveTab: (tab: 'variables' | 'credentials') => void;
 }) {
-  const hasVariables = variables.length > 0;
-  const hasCredentials = authStrategy === 'custom' && credentialFields.length > 0;
-  const showTabs = hasVariables && hasCredentials;
-
-  // Validate target_repos - each repo must have at least one branch
-  const validateTargetRepos = (): boolean => {
-    const targetReposValue = variableValues.target_repos;
-    if (!Array.isArray(targetReposValue) || targetReposValue.length === 0) {
-      return true; // No repos selected is OK (will be caught by required check)
-    }
-    // Check that each repo has a branch specified
-    for (const value of targetReposValue) {
-      const colonIndex = String(value).lastIndexOf(':');
-      if (colonIndex <= 0) {
-        // No colon means no branch specified
-        return false;
-      }
-      const branch = String(value).substring(colonIndex + 1).trim();
-      if (!branch) {
-        return false;
-      }
-    }
-    return true;
-  };
-
-  const isTargetReposValid = validateTargetRepos();
-
   // If neither available, show empty state
   if (!hasVariables && !hasCredentials) {
     return (
@@ -601,21 +610,6 @@ function ConfigurationContent({
           </div>
         );
       })}
-
-      <Button
-        onClick={handleSaveVariables}
-        disabled={savingVariables || !isTargetReposValid}
-        className="w-full"
-      >
-        {savingVariables ? (
-          <>
-            <Loader2 className="h-4 w-4 mr-2 animate-spin" />
-            Saving...
-          </>
-        ) : (
-          'Save Configuration'
-        )}
-      </Button>
     </div>
   );
 
@@ -723,17 +717,6 @@ function ConfigurationContent({
           )}
         </div>
       ))}
-
-      <Button onClick={handleSaveCredentials} disabled={savingCredentials} className="w-full">
-        {savingCredentials ? (
-          <>
-            <Loader2 className="h-4 w-4 mr-2 animate-spin" />
-            Updating...
-          </>
-        ) : (
-          'Update Credentials'
-        )}
-      </Button>
     </div>
   );
 
@@ -765,6 +748,71 @@ function ConfigurationContent({
   return <div className="space-y-4">{variablesContent || credentialsContent}</div>;
 }
 
+function ConfigurationFooterActions({
+  hasVariables,
+  hasCredentials,
+  showTabs,
+  activeTab,
+  savingVariables,
+  handleSaveVariables,
+  isTargetReposValid,
+  savingCredentials,
+  handleSaveCredentials,
+  showActionsFooter,
+}: {
+  hasVariables: boolean;
+  hasCredentials: boolean;
+  showTabs: boolean;
+  activeTab: 'variables' | 'credentials';
+  savingVariables: boolean;
+  handleSaveVariables: () => void;
+  isTargetReposValid: boolean;
+  savingCredentials: boolean;
+  handleSaveCredentials: () => void;
+  showActionsFooter: boolean;
+}) {
+  if (!hasVariables && !hasCredentials) {
+    return null;
+  }
+
+  const showVariablesButton = hasVariables && (!showTabs || activeTab === 'variables');
+  const showCredentialsButton = hasCredentials && (!showTabs || activeTab === 'credentials');
+  const footerClassName = showActionsFooter ? 'pt-4' : 'border-t pt-4';
+
+  return (
+    <div className={footerClassName}>
+      {showVariablesButton && (
+        <Button
+          onClick={handleSaveVariables}
+          disabled={savingVariables || !isTargetReposValid}
+          className="w-full"
+        >
+          {savingVariables ? (
+            <>
+              <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+              Saving...
+            </>
+          ) : (
+            'Save Configuration'
+          )}
+        </Button>
+      )}
+      {showCredentialsButton && (
+        <Button onClick={handleSaveCredentials} disabled={savingCredentials} className="w-full">
+          {savingCredentials ? (
+            <>
+              <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+              Updating...
+            </>
+          ) : (
+            'Update Credentials'
+          )}
+        </Button>
+      )}
+    </div>
+  );
+}
+
 /**
  * Parse a stored value like "owner/repo:branch" into parts.
  * Handles trailing colons, empty branches, and non-string values.
diff --git a/apps/app/src/components/login-form.tsx b/apps/app/src/components/login-form.tsx
index b63723c76..792717e36 100644
--- a/apps/app/src/components/login-form.tsx
+++ b/apps/app/src/components/login-form.tsx
@@ -8,20 +8,25 @@ import { Button } from '@comp/ui/button';
 import { Card, CardContent, CardDescription, CardTitle } from '@comp/ui/card';
 import { Collapsible, CollapsibleContent, CollapsibleTrigger } from '@comp/ui/collapsible';
 import { CheckCircle2, ChevronDown, ChevronUp } from 'lucide-react';
-import { useSearchParams } from 'next/navigation';
 import { useState } from 'react';
 
 interface LoginFormProps {
   inviteCode?: string;
+  redirectTo?: string;
   showGoogle: boolean;
   showGithub: boolean;
   showMicrosoft: boolean;
 }
 
-export function LoginForm({ inviteCode, showGoogle, showGithub, showMicrosoft }: LoginFormProps) {
+export function LoginForm({
+  inviteCode,
+  redirectTo,
+  showGoogle,
+  showGithub,
+  showMicrosoft,
+}: LoginFormProps) {
   const [isOptionsOpen, setIsOptionsOpen] = useState(false);
   const [magicLinkState, setMagicLinkState] = useState({ sent: false, email: '' });
-  const searchParams = useSearchParams();
 
   const handleMagicLinkSent = (email: string) => {
     setMagicLinkState({ sent: true, email });
@@ -51,12 +56,12 @@ export function LoginForm({ inviteCode, showGoogle, showGithub, showMicrosoft }:
   }
 
   const preferredSignInOption = showGoogle ? (
-    <GoogleSignIn inviteCode={inviteCode} searchParams={searchParams as URLSearchParams} />
+    <GoogleSignIn inviteCode={inviteCode} redirectTo={redirectTo} />
   ) : (
     <MagicLinkSignIn
       key="preferred-magic"
       inviteCode={inviteCode}
-      searchParams={searchParams as URLSearchParams}
+      redirectTo={redirectTo}
       onMagicLinkSubmit={handleMagicLinkSent}
     />
   );
@@ -67,27 +72,19 @@ export function LoginForm({ inviteCode, showGoogle, showGithub, showMicrosoft }:
       <MagicLinkSignIn
         key="secondary-magic"
         inviteCode={inviteCode}
-        searchParams={searchParams as URLSearchParams}
+        redirectTo={redirectTo}
         onMagicLinkSubmit={handleMagicLinkSent}
       />,
     );
   }
   if (showMicrosoft) {
     moreOptionsList.push(
-      <MicrosoftSignIn
-        key="microsoft"
-        inviteCode={inviteCode}
-        searchParams={searchParams as URLSearchParams}
-      />,
+      <MicrosoftSignIn key="microsoft" inviteCode={inviteCode} redirectTo={redirectTo} />,
     );
   }
   if (showGithub) {
     moreOptionsList.push(
-      <GithubSignIn
-        key="github"
-        inviteCode={inviteCode}
-        searchParams={searchParams as URLSearchParams}
-      />,
+      <GithubSignIn key="github" inviteCode={inviteCode} redirectTo={redirectTo} />,
     );
   }
 
diff --git a/apps/app/src/components/magic-link.tsx b/apps/app/src/components/magic-link.tsx
index 40ee7f4bb..269cf9720 100644
--- a/apps/app/src/components/magic-link.tsx
+++ b/apps/app/src/components/magic-link.tsx
@@ -1,6 +1,7 @@
 'use client';
 
 import { authClient } from '@/utils/auth-client';
+import { buildAuthCallbackUrl } from '@/utils/auth-callback';
 import { Button } from '@comp/ui/button';
 import { cn } from '@comp/ui/cn';
 import { Form, FormControl, FormField, FormItem } from '@comp/ui/form';
@@ -16,14 +17,19 @@ const formSchema = z.object({
   email: z.string().email(),
 });
 
-type Props = {
+interface MagicLinkSignInProps {
   className?: string;
   inviteCode?: string;
-  searchParams?: URLSearchParams;
+  redirectTo?: string;
   onMagicLinkSubmit?: (email: string) => void;
-};
+}
 
-export function MagicLinkSignIn({ className, inviteCode, searchParams, onMagicLinkSubmit }: Props) {
+export function MagicLinkSignIn({
+  className,
+  inviteCode,
+  redirectTo,
+  onMagicLinkSubmit,
+}: MagicLinkSignInProps) {
   const [isLoading, setLoading] = useState(false);
 
   const form = useForm<z.infer<typeof formSchema>>({
@@ -36,31 +42,18 @@ export function MagicLinkSignIn({ className, inviteCode, searchParams, onMagicLi
   async function onSubmit({ email }: z.infer<typeof formSchema>) {
     setLoading(true);
 
-    // Build the callback URL with search params
-    const baseURL = window.location.origin;
-    const path = inviteCode ? `/invite/${inviteCode}` : '/';
-    const callbackURL = new URL(path, baseURL);
-
-    // Append all search params if they exist
-    if (searchParams) {
-      searchParams.forEach((value, key) => {
-        callbackURL.searchParams.append(key, value);
-      });
-    }
+    const callbackURL = buildAuthCallbackUrl({ inviteCode, redirectTo });
 
-    const { data, error } = await authClient.signIn.magicLink({
-      email: email,
-      callbackURL: callbackURL.toString(),
+    const { error } = await authClient.signIn.magicLink({
+      email,
+      callbackURL,
     });
 
     if (error) {
       toast.error('Error sending email - try again?');
       setLoading(false);
-    } else {
-      // Call the callback if provided
-      if (onMagicLinkSubmit) {
-        onMagicLinkSubmit(email);
-      }
+    } else if (onMagicLinkSubmit) {
+      onMagicLinkSubmit(email);
     }
   }
 
diff --git a/apps/app/src/components/microsoft-sign-in.tsx b/apps/app/src/components/microsoft-sign-in.tsx
index b82a79da3..4b46fe440 100644
--- a/apps/app/src/components/microsoft-sign-in.tsx
+++ b/apps/app/src/components/microsoft-sign-in.tsx
@@ -1,40 +1,30 @@
 'use client';
 
 import { authClient } from '@/utils/auth-client';
+import { buildAuthCallbackUrl } from '@/utils/auth-callback';
 import { Button } from '@comp/ui/button';
 import { Icons } from '@comp/ui/icons';
 import { Loader2 } from 'lucide-react';
 import { useState } from 'react';
 import { toast } from 'sonner';
 
-export function MicrosoftSignIn({
-  inviteCode,
-  searchParams,
-}: {
+interface MicrosoftSignInProps {
   inviteCode?: string;
-  searchParams?: URLSearchParams;
-}) {
+  redirectTo?: string;
+}
+
+export function MicrosoftSignIn({ inviteCode, redirectTo }: MicrosoftSignInProps) {
   const [isLoading, setLoading] = useState(false);
 
   const handleSignIn = async () => {
     setLoading(true);
 
     try {
-      // Build the callback URL with search params
-      const baseURL = window.location.origin;
-      const path = inviteCode ? `/invite/${inviteCode}` : '/';
-      const redirectTo = new URL(path, baseURL);
-
-      // Append all search params if they exist
-      if (searchParams) {
-        searchParams.forEach((value, key) => {
-          redirectTo.searchParams.append(key, value);
-        });
-      }
+      const callbackURL = buildAuthCallbackUrl({ inviteCode, redirectTo });
 
       await authClient.signIn.social({
         provider: 'microsoft',
-        callbackURL: redirectTo.toString(),
+        callbackURL,
       });
     } catch (error) {
       setLoading(false);
@@ -45,7 +35,6 @@ export function MicrosoftSignIn({
         timestamp: new Date().toISOString(),
       });
 
-      // Show specific error messages based on error type
       if (error instanceof Error) {
         if (error.message.includes('redirect_uri_mismatch')) {
           toast.error('Configuration error', {
diff --git a/apps/app/src/hooks/use-findings-api.ts b/apps/app/src/hooks/use-findings-api.ts
new file mode 100644
index 000000000..87de7d23c
--- /dev/null
+++ b/apps/app/src/hooks/use-findings-api.ts
@@ -0,0 +1,359 @@
+'use client';
+
+import { useApi } from '@/hooks/use-api';
+import { useApiSWR, UseApiSWROptions } from '@/hooks/use-api-swr';
+import type { FindingStatus, FindingType } from '@db';
+import { useCallback } from 'react';
+
+// Types for findings
+export interface Finding {
+  id: string;
+  type: FindingType;
+  status: FindingStatus;
+  content: string;
+  createdAt: string;
+  updatedAt: string;
+  taskId: string;
+  templateId: string | null;
+  createdById: string;
+  organizationId: string;
+  createdBy: {
+    id: string;
+    user: {
+      id: string;
+      name: string;
+      email: string;
+      image: string | null;
+    };
+  };
+  template: {
+    id: string;
+    category: string;
+    title: string;
+  } | null;
+  task: {
+    id: string;
+    title: string;
+  };
+}
+
+export interface FindingTemplate {
+  id: string;
+  category: string;
+  title: string;
+  content: string;
+  order: number;
+  createdAt: string;
+  updatedAt: string;
+}
+
+interface CreateFindingData {
+  taskId: string;
+  type?: FindingType;
+  templateId?: string;
+  content: string;
+}
+
+interface UpdateFindingData {
+  status?: FindingStatus;
+  type?: FindingType;
+  content?: string;
+}
+
+export interface FindingHistoryEntry {
+  id: string;
+  timestamp: string;
+  description: string;
+  data: {
+    action: string;
+    findingId: string;
+    previousStatus?: FindingStatus;
+    newStatus?: FindingStatus;
+    previousType?: FindingType;
+    newType?: FindingType;
+    previousContent?: string;
+    newContent?: string;
+    taskId?: string;
+    taskTitle?: string;
+    content?: string;
+    type?: FindingType;
+    status?: FindingStatus;
+  };
+  user: {
+    id: string;
+    name: string;
+    email: string;
+    image: string | null;
+  };
+}
+
+// Default polling interval for real-time updates
+const DEFAULT_FINDINGS_POLLING_INTERVAL = 10000;
+
+export interface UseFindingsOptions extends UseApiSWROptions<Finding[]> {
+  organizationId?: string;
+}
+
+/**
+ * Hook to fetch findings for a specific task
+ */
+export function useTaskFindings(taskId: string | null, options: UseFindingsOptions = {}) {
+  const endpoint = taskId ? `/v1/findings?taskId=${taskId}` : null;
+
+  return useApiSWR<Finding[]>(endpoint, {
+    ...options,
+    refreshInterval: options.refreshInterval ?? DEFAULT_FINDINGS_POLLING_INTERVAL,
+  });
+}
+
+/**
+ * Hook to fetch all findings for an organization
+ */
+export function useOrganizationFindings(status?: FindingStatus, options: UseFindingsOptions = {}) {
+  const endpoint = status
+    ? `/v1/findings/organization?status=${status}`
+    : '/v1/findings/organization';
+
+  return useApiSWR<Finding[]>(endpoint, {
+    ...options,
+    refreshInterval: options.refreshInterval ?? DEFAULT_FINDINGS_POLLING_INTERVAL,
+  });
+}
+
+/**
+ * Hook to fetch all finding templates
+ */
+export function useFindingTemplates(options: UseApiSWROptions<FindingTemplate[]> = {}) {
+  return useApiSWR<FindingTemplate[]>('/v1/finding-template', options);
+}
+
+/**
+ * Hook to fetch finding history/activity log
+ */
+export function useFindingHistory(
+  findingId: string | null,
+  options: UseApiSWROptions<FindingHistoryEntry[]> = {},
+) {
+  const endpoint = findingId ? `/v1/findings/${findingId}/history` : null;
+
+  return useApiSWR<FindingHistoryEntry[]>(endpoint, {
+    ...options,
+    refreshInterval: options.refreshInterval ?? DEFAULT_FINDINGS_POLLING_INTERVAL,
+  });
+}
+
+/**
+ * Hook for finding CRUD operations
+ */
+export function useFindingActions() {
+  const api = useApi();
+
+  const createFinding = useCallback(
+    async (data: CreateFindingData) => {
+      const response = await api.post<Finding>('/v1/findings', data);
+      if (response.error) {
+        throw new Error(response.error);
+      }
+      return response.data!;
+    },
+    [api],
+  );
+
+  const updateFinding = useCallback(
+    async (findingId: string, data: UpdateFindingData) => {
+      const response = await api.patch<Finding>(`/v1/findings/${findingId}`, data);
+      if (response.error) {
+        throw new Error(response.error);
+      }
+      return response.data!;
+    },
+    [api],
+  );
+
+  const deleteFinding = useCallback(
+    async (findingId: string) => {
+      const response = await api.delete(`/v1/findings/${findingId}`);
+      if (response.error) {
+        throw new Error(response.error);
+      }
+      return { success: true };
+    },
+    [api],
+  );
+
+  return {
+    createFinding,
+    updateFinding,
+    deleteFinding,
+  };
+}
+
+/**
+ * Grouped finding templates by category
+ */
+export function useGroupedFindingTemplates(options: UseApiSWROptions<FindingTemplate[]> = {}) {
+  const { data, ...rest } = useFindingTemplates(options);
+
+  const groupedTemplates = data?.data?.reduce(
+    (acc, template) => {
+      if (!acc[template.category]) {
+        acc[template.category] = [];
+      }
+      acc[template.category].push(template);
+      return acc;
+    },
+    {} as Record<string, FindingTemplate[]>,
+  );
+
+  return {
+    ...rest,
+    data: data ? { ...data, grouped: groupedTemplates } : undefined,
+  };
+}
+
+/**
+ * Category labels for display
+ */
+export const FINDING_CATEGORY_LABELS: Record<string, string> = {
+  evidence_issue: 'Issue with uploaded evidence',
+  further_evidence: 'Further evidence needed',
+  task_specific: 'Task-specific issues',
+  na_incorrect: 'Marked N/A incorrectly',
+};
+
+/**
+ * Built-in default templates (used when no database templates exist)
+ */
+export const DEFAULT_FINDING_TEMPLATES: FindingTemplate[] = [
+  {
+    id: 'default_evidence_issue_01',
+    category: 'evidence_issue',
+    title: 'Missing organization context',
+    content:
+      'The uploaded evidence does not clearly show the Organization Name or URL. Please provide a screenshot showing the context.',
+    order: 1,
+    createdAt: '',
+    updatedAt: '',
+  },
+  {
+    id: 'default_evidence_issue_02',
+    category: 'evidence_issue',
+    title: 'Evidence outside audit window',
+    content:
+      'The evidence date falls outside the currently active audit observation window. Please ensure evidence is relevant to the current period.',
+    order: 2,
+    createdAt: '',
+    updatedAt: '',
+  },
+  {
+    id: 'default_evidence_issue_03',
+    category: 'evidence_issue',
+    title: 'Unreadable or corrupted file',
+    content:
+      'The auditor could not open or read the file due to low resolution or corruption. Please re-upload a clear copy.',
+    order: 3,
+    createdAt: '',
+    updatedAt: '',
+  },
+  {
+    id: 'default_further_evidence_01',
+    category: 'further_evidence',
+    title: 'Statement of intent - need proof of operation',
+    content:
+      'The attached document(s) is a statement of intent. This control requires Evidence of Operation (proof of action). Please upload specific logs, screenshots, system configs, or tickets that demonstrate this policy is currently being enforced.',
+    order: 1,
+    createdAt: '',
+    updatedAt: '',
+  },
+  {
+    id: 'default_further_evidence_02',
+    category: 'further_evidence',
+    title: 'No evidence attached',
+    content:
+      "This task was marked as 'Done', but no file was attached. For an external audit, every completed task requires proof of execution. Please upload the specific evidence (screenshot, PDF, or export) and re-submit.",
+    order: 2,
+    createdAt: '',
+    updatedAt: '',
+  },
+  {
+    id: 'default_task_specific_01',
+    category: 'task_specific',
+    title: 'Pull Request samples required',
+    content:
+      'Please upload a sample of recently merged Pull Requests (5 examples). The evidence must clearly show: 1. The Author, 2. The Approver (must be different from the author), and 3. The Build/Test Status checks.',
+    order: 1,
+    createdAt: '',
+    updatedAt: '',
+  },
+  {
+    id: 'default_task_specific_02',
+    category: 'task_specific',
+    title: 'Alert screenshot required',
+    content:
+      'Please upload a screenshot of an actual triggered alert (e.g., a notification from PagerDuty, Slack, or Email). The evidence must clearly show: 1. The Alert Name, 2. The Timestamp, and 3. The Severity Level.',
+    order: 2,
+    createdAt: '',
+    updatedAt: '',
+  },
+  {
+    id: 'default_task_specific_03',
+    category: 'task_specific',
+    title: 'System logs sample required',
+    content:
+      'Please provide a sample of System or Infrastructure Logs (e.g., AWS CloudWatch, Google Cloud Logging, Datadog). The sample must clearly show headers including: Timestamp, Event/Error Message, and Source/User.',
+    order: 3,
+    createdAt: '',
+    updatedAt: '',
+  },
+  {
+    id: 'default_na_incorrect_01',
+    category: 'na_incorrect',
+    title: 'Control required for compliance',
+    content:
+      'This control is required for SOC 2 compliance, regardless of company size. However, the evidence can be scaled down to fit your stage. Please see the guidance documentation for acceptable lightweight evidence.',
+    order: 1,
+    createdAt: '',
+    updatedAt: '',
+  },
+];
+
+/**
+ * Status labels and colors for display
+ */
+export const FINDING_STATUS_CONFIG: Record<
+  FindingStatus,
+  { label: string; color: string; bgColor: string; icon: string }
+> = {
+  open: {
+    label: 'Open',
+    color: 'text-red-600',
+    bgColor: 'bg-red-100',
+    icon: '🔴',
+  },
+  ready_for_review: {
+    label: 'Ready for Review',
+    color: 'text-yellow-600',
+    bgColor: 'bg-yellow-100',
+    icon: '🟡',
+  },
+  needs_revision: {
+    label: 'Needs Revision',
+    color: 'text-orange-600',
+    bgColor: 'bg-orange-100',
+    icon: '🟠',
+  },
+  closed: {
+    label: 'Closed',
+    color: 'text-primary',
+    bgColor: 'bg-primary/10',
+    icon: '✓',
+  },
+};
+
+/**
+ * Finding type labels
+ */
+export const FINDING_TYPE_LABELS: Record<FindingType, string> = {
+  soc2: 'SOC 2',
+  iso27001: 'ISO 27001',
+};
diff --git a/apps/app/src/lib/evidence-download.ts b/apps/app/src/lib/evidence-download.ts
new file mode 100644
index 000000000..8236f383f
--- /dev/null
+++ b/apps/app/src/lib/evidence-download.ts
@@ -0,0 +1,148 @@
+'use client';
+
+import { env } from '@/env.mjs';
+import { jwtManager } from '@/utils/jwt-manager';
+
+/**
+ * Download evidence PDF for a specific automation
+ */
+export async function downloadAutomationPDF({
+  taskId,
+  automationId,
+  automationName,
+  organizationId,
+}: {
+  taskId: string;
+  automationId: string;
+  automationName?: string;
+  organizationId: string;
+}): Promise<void> {
+  const baseUrl = env.NEXT_PUBLIC_API_URL || 'http://localhost:3333';
+  const endpoint = `/v1/tasks/${taskId}/evidence/automation/${automationId}/pdf`;
+
+  await downloadFile(baseUrl + endpoint, organizationId, {
+    fallbackBaseName: automationName ? `${automationName}-evidence` : 'automation-evidence',
+    fallbackExtension: 'pdf',
+  });
+}
+
+/**
+ * Download evidence ZIP for a task
+ */
+export async function downloadTaskEvidenceZip({
+  taskId,
+  taskTitle,
+  organizationId,
+  includeJson = false,
+}: {
+  taskId: string;
+  taskTitle?: string;
+  organizationId: string;
+  includeJson?: boolean;
+}): Promise<void> {
+  const baseUrl = env.NEXT_PUBLIC_API_URL || 'http://localhost:3333';
+  const endpoint = `/v1/tasks/${taskId}/evidence/export?includeJson=${includeJson}`;
+
+  await downloadFile(baseUrl + endpoint, organizationId, {
+    fallbackBaseName: taskTitle ? `${taskTitle}-evidence` : 'task-evidence',
+    fallbackExtension: 'zip',
+  });
+}
+
+/**
+ * Download all evidence for the organization (auditor only)
+ */
+export async function downloadAllEvidenceZip({
+  organizationName,
+  organizationId,
+  includeJson = false,
+}: {
+  organizationName?: string;
+  organizationId: string;
+  includeJson?: boolean;
+}): Promise<void> {
+  const baseUrl = env.NEXT_PUBLIC_API_URL || 'http://localhost:3333';
+  const endpoint = `/v1/evidence-export/all?includeJson=${includeJson}`;
+
+  await downloadFile(baseUrl + endpoint, organizationId, {
+    fallbackBaseName: organizationName
+      ? `${organizationName}-all-evidence`
+      : 'all-evidence',
+    fallbackExtension: 'zip',
+  });
+}
+
+/**
+ * Internal function to download a file from the API
+ */
+function sanitizeFilename(input: string): string {
+  return input
+    .trim()
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .slice(0, 64);
+}
+
+function buildFallbackFilename(baseName: string, extension: string): string {
+  const safeBase = sanitizeFilename(baseName) || 'evidence-export';
+  const dateSuffix = new Date().toISOString().slice(0, 10);
+  return `${safeBase}_${dateSuffix}.${extension}`;
+}
+
+async function downloadFile(
+  url: string,
+  organizationId: string,
+  fallback?: { fallbackBaseName: string; fallbackExtension: string },
+): Promise<void> {
+  const headers: Record<string, string> = {
+    'X-Organization-Id': organizationId,
+  };
+
+  // Add JWT token for authentication
+  if (typeof window !== 'undefined') {
+    try {
+      const token = await jwtManager.getValidToken();
+      if (token) {
+        headers['Authorization'] = `Bearer ${token}`;
+      }
+    } catch (error) {
+      console.error('Error getting JWT token:', error);
+      throw new Error('Authentication failed');
+    }
+  }
+
+  const response = await fetch(url, {
+    method: 'GET',
+    headers,
+    credentials: 'include',
+  });
+
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(error || `Failed to download: ${response.statusText}`);
+  }
+
+  // Get filename from Content-Disposition header
+  const contentDisposition = response.headers.get('Content-Disposition');
+  let filename = fallback
+    ? buildFallbackFilename(fallback.fallbackBaseName, fallback.fallbackExtension)
+    : 'evidence-export';
+  if (contentDisposition) {
+    const filenameMatch = contentDisposition.match(/filename="?([^";\n]+)"?/);
+    if (filenameMatch) {
+      filename = filenameMatch[1];
+    }
+  }
+
+  // Download the file
+  const blob = await response.blob();
+  const downloadUrl = URL.createObjectURL(blob);
+  const link = document.createElement('a');
+  link.href = downloadUrl;
+  link.download = filename;
+  document.body.appendChild(link);
+  link.click();
+  document.body.removeChild(link);
+  URL.revokeObjectURL(downloadUrl);
+}
diff --git a/apps/app/src/lib/mask-email.ts b/apps/app/src/lib/mask-email.ts
new file mode 100644
index 000000000..cd4296918
--- /dev/null
+++ b/apps/app/src/lib/mask-email.ts
@@ -0,0 +1,17 @@
+/**
+ * Masks an email address for safe server logging.
+ * Keeps first and last char of local part, replaces middle with asterisks.
+ * Domain is preserved for debugging purposes.
+ *
+ * Example: john.doe@example.com → j******e@example.com
+ *
+ * Note: For user-facing display where domain should also be masked,
+ * use the maskEmail function in invite/[code]/utils.ts instead.
+ */
+export function maskEmailForLogs(value: string): string {
+  const [name = '', domain = ''] = value.toLowerCase().split('@');
+  if (!domain) return 'invalid-email';
+  const safeName =
+    name.length <= 2 ? name[0] ?? '' : `${name[0]}${'*'.repeat(name.length - 2)}${name.at(-1)}`;
+  return `${safeName}@${domain}`;
+}
diff --git a/apps/app/src/proxy.ts b/apps/app/src/proxy.ts
index 33b534462..639bc0846 100644
--- a/apps/app/src/proxy.ts
+++ b/apps/app/src/proxy.ts
@@ -72,6 +72,10 @@ export async function proxy(request: NextRequest) {
       nextUrl.searchParams.forEach((value, key) => {
         url.searchParams.set(key, value);
       });
+      const originalPath = `${nextUrl.pathname}${nextUrl.search}`;
+      if (originalPath !== '/') {
+        url.searchParams.set('redirectTo', originalPath);
+      }
       return NextResponse.redirect(url);
     }
 
diff --git a/apps/app/src/trigger/tasks/onboarding/onboard-organization-helpers.ts b/apps/app/src/trigger/tasks/onboarding/onboard-organization-helpers.ts
index c3c997654..1909fdb55 100644
--- a/apps/app/src/trigger/tasks/onboarding/onboard-organization-helpers.ts
+++ b/apps/app/src/trigger/tasks/onboarding/onboard-organization-helpers.ts
@@ -759,7 +759,9 @@ export async function extractRisksFromContext(
     }),
     system: `Create a list of 8-12 risks that are relevant to the organization. Use action-oriented language, assume reviewers understand basic termilology - skip definitions.
           Your mandate is to propose risks that satisfy both ISO 27001:2022 clause 6.1 (risk management) and SOC 2 trust services criteria CC3 and CC4.
-          Return the risk name, description, treatment strategy, treatment strategy description, residual probability, residual impact, category, and department.`,
+          Return the risk name, description, treatment strategy, treatment strategy description, residual probability, residual impact, category, and department.
+          
+          For the "category" field, you must use ONLY one of these exact values: ${Object.values(RiskCategory).join(', ')}.`,
     prompt: `
           The organization is ${organizationName}.
 
diff --git a/apps/app/src/utils/auth-callback.ts b/apps/app/src/utils/auth-callback.ts
new file mode 100644
index 000000000..84af3ac21
--- /dev/null
+++ b/apps/app/src/utils/auth-callback.ts
@@ -0,0 +1,56 @@
+/**
+ * Validates that a redirect path is safe (no open redirect vulnerabilities).
+ *
+ * Only checks the path portion (before ?) to allow URLs in query params
+ * like /dashboard?shareUrl=https://example.com
+ */
+export const isValidRedirectPath = (path?: string | null): path is string => {
+  if (!path || typeof path !== 'string') {
+    return false;
+  }
+
+  // Must start with single slash (relative path)
+  if (!path.startsWith('/') || path.startsWith('//')) {
+    return false;
+  }
+
+  // Only check the path portion (before query string) for protocol
+  const pathWithoutQuery = path.split('?')[0];
+  return !pathWithoutQuery.includes('://');
+};
+
+/**
+ * Returns the path if valid, undefined otherwise.
+ */
+export const getSafeRedirectPath = (path?: string | null): string | undefined => {
+  return isValidRedirectPath(path) ? path : undefined;
+};
+
+/**
+ * Builds the auth callback URL for sign-in flows.
+ *
+ * Priority:
+ * 1. If inviteCode is provided, redirect to /invite/{code}
+ * 2. If redirectTo is provided and valid, use it
+ * 3. Otherwise, redirect to /
+ */
+export const buildAuthCallbackUrl = (options?: {
+  inviteCode?: string;
+  redirectTo?: string;
+}): string => {
+  const { inviteCode, redirectTo } = options ?? {};
+
+  // Invite code takes priority
+  if (inviteCode) {
+    return `/invite/${inviteCode}`;
+  }
+
+  // Use redirectTo if valid
+  const safeRedirect = getSafeRedirectPath(redirectTo);
+  if (safeRedirect) {
+    return safeRedirect;
+  }
+
+  // Default to root
+  return '/';
+};
diff --git a/apps/app/src/utils/auth-client.ts b/apps/app/src/utils/auth-client.ts
index 769d9dfb7..069adfb1c 100644
--- a/apps/app/src/utils/auth-client.ts
+++ b/apps/app/src/utils/auth-client.ts
@@ -45,7 +45,8 @@ export const authClient = createAuthClient({
     },
     auth: {
       type: 'Bearer',
-      token: () => localStorage.getItem('bearer_token') || '',
+      token: () =>
+        typeof window !== 'undefined' ? localStorage.getItem('bearer_token') || '' : '',
     },
   },
 });
diff --git a/apps/app/src/utils/auth.ts b/apps/app/src/utils/auth.ts
index 9c3a6113c..8d52e71c4 100644
--- a/apps/app/src/utils/auth.ts
+++ b/apps/app/src/utils/auth.ts
@@ -1,4 +1,5 @@
 import { env } from '@/env.mjs';
+import { maskEmailForLogs } from '@/lib/mask-email';
 import { MagicLinkEmail, OTPVerificationEmail } from '@comp/email';
 import { sendInviteMemberEmail } from '@comp/email/lib/invite-member';
 import { sendEmail } from '@comp/email/lib/resend';
@@ -17,6 +18,8 @@ const dub = env.DUB_API_KEY
     })
   : undefined;
 
+const MAGIC_LINK_EXPIRES_IN_SECONDS = 60 * 60; // 1 hour
+
 let socialProviders = {};
 
 if (env.AUTH_GOOGLE_ID && env.AUTH_GOOGLE_SECRET) {
@@ -156,16 +159,43 @@ export const auth = betterAuth({
       },
     }),
     magicLink({
-      sendMagicLink: async ({ email, url }, request) => {
+      expiresIn: MAGIC_LINK_EXPIRES_IN_SECONDS,
+      sendMagicLink: async ({ email, url }) => {
+        const requestId = crypto.randomUUID();
+        const startTime = Date.now();
+        const safeEmail = maskEmailForLogs(email);
         const urlWithInviteCode = `${url}`;
-        await sendEmail({
-          to: email,
-          subject: 'Login to Comp AI',
-          react: MagicLinkEmail({
-            email,
-            url: urlWithInviteCode,
-          }),
+
+        console.info('[magicLink] send start', {
+          requestId,
+          email: safeEmail,
+          expiresInSec: MAGIC_LINK_EXPIRES_IN_SECONDS,
         });
+
+        try {
+          await sendEmail({
+            to: email,
+            subject: 'Login to Comp AI',
+            react: MagicLinkEmail({
+              email,
+              url: urlWithInviteCode,
+            }),
+          });
+
+          console.info('[magicLink] send success', {
+            requestId,
+            email: safeEmail,
+            durationMs: Date.now() - startTime,
+          });
+        } catch (error) {
+          console.error('[magicLink] send failure', {
+            requestId,
+            email: safeEmail,
+            durationMs: Date.now() - startTime,
+            error: error instanceof Error ? error.message : String(error),
+          });
+          throw error;
+        }
       },
     }),
     emailOTP({
diff --git a/apps/app/src/utils/permissions.ts b/apps/app/src/utils/permissions.ts
index 86fce15c3..e9ef88bf3 100644
--- a/apps/app/src/utils/permissions.ts
+++ b/apps/app/src/utils/permissions.ts
@@ -40,6 +40,8 @@ export const admin = ac.newRole({
 export const auditor = ac.newRole({
   app: ['read'],
   organization: ['read'],
+  invitation: ['create'],
+  member: ['create'],
 });
 
 /**
diff --git a/apps/portal/.env.example b/apps/portal/.env.example
index 1c537c3e1..233cb8e6e 100644
--- a/apps/portal/.env.example
+++ b/apps/portal/.env.example
@@ -20,3 +20,7 @@ APP_AWS_ENDPOINT="" # optional for using services like MinIO
 # Microsoft sign-in
 AUTH_MICROSOFT_CLIENT_ID=
 AUTH_MICROSOFT_CLIENT_SECRET=
+
+# API
+NEXT_PUBLIC_API_URL=http://localhost:3333
+INTERNAL_API_TOKEN= # Shared secret for internal API calls (must match API's INTERNAL_API_TOKEN)
diff --git a/apps/portal/package.json b/apps/portal/package.json
index 7dcb8a953..d171688ec 100644
--- a/apps/portal/package.json
+++ b/apps/portal/package.json
@@ -20,6 +20,7 @@
     "better-auth": "^1.4.5",
     "class-variance-authority": "^0.7.1",
     "geist": "^1.3.1",
+    "jspdf": "^3.0.3",
     "jszip": "^3.10.1",
     "next": "^16.0.10",
     "next-safe-action": "^8.0.3",
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/FleetPolicyItem.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/FleetPolicyItem.tsx
index 4a2901cda..07baf80b8 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/FleetPolicyItem.tsx
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/FleetPolicyItem.tsx
@@ -89,7 +89,7 @@ export function FleetPolicyItem({ policy }: FleetPolicyItemProps) {
         </div>
         <div className="flex items-center gap-3">
           {policy.response === 'pass' ? (
-            <div className="flex items-center gap-1 text-green-600 dark:text-green-400">
+            <div className="flex items-center gap-1 text-primary">
               <CheckCircle2 size={16} />
               <span className="text-sm">Pass</span>
             </div>
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/PolicyImageUploadModal.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/PolicyImageUploadModal.tsx
index 1b577eaf4..967c03a76 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/PolicyImageUploadModal.tsx
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/PolicyImageUploadModal.tsx
@@ -12,7 +12,7 @@ import {
 } from '@comp/ui/dialog';
 import { ImagePlus, Trash2, Loader2 } from 'lucide-react';
 import Image from 'next/image';
-import { useRouter } from 'next/navigation';
+import { useParams, useRouter } from 'next/navigation';
 import { toast } from 'sonner';
 import { FleetPolicy } from '../../types';
 
@@ -27,6 +27,9 @@ export function PolicyImageUploadModal({ open, onOpenChange, policy }: PolicyIma
   const [files, setFiles] = useState<Array<{ file: File; previewUrl: string }>>([]);
   const [isLoading, setIsLoading] = useState(false);
   const router = useRouter();
+  const params = useParams<{ orgId: string }>();
+  const orgIdParam = params?.orgId;
+  const organizationId = Array.isArray(orgIdParam) ? orgIdParam[0] : orgIdParam;
 
   const handleFileChange = (e: React.ChangeEvent<HTMLInputElement>) => {
     const selected = Array.from(e.target.files ?? []);
@@ -58,6 +61,10 @@ export function PolicyImageUploadModal({ open, onOpenChange, policy }: PolicyIma
 
   const handleSubmit = async () => {
     if (files.length === 0 || isLoading) return;
+    if (!organizationId) {
+      toast.error('Missing organization ID from URL');
+      return;
+    }
 
     try {
       setIsLoading(true);
@@ -65,6 +72,7 @@ export function PolicyImageUploadModal({ open, onOpenChange, policy }: PolicyIma
       const formData = new FormData();
       formData.append('policyId', String(policy.id));
       formData.append('policyName', policy.name);
+      formData.append('organizationId', organizationId);
 
       files.forEach(({ file }) => {
         formData.append('files', file, file.name);
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/page.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/page.tsx
index da571fecd..4056bbebf 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/page.tsx
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/page.tsx
@@ -107,7 +107,7 @@ const getFleetPolicies = async (
     ];
 
     // Get Policy Results from the database.
-    const fleetPolicyResults = await getFleetPolicyResults();
+    const fleetPolicyResults = await getFleetPolicyResults(member.organizationId);
     return {
       device,
       fleetPolicies: fleetPolicies.map((policy) => {
@@ -130,14 +130,21 @@ const getFleetPolicies = async (
   }
 };
 
-const getFleetPolicyResults = async (): Promise<FleetPolicyResult[]> => {
+const getFleetPolicyResults = async (organizationId: string): Promise<FleetPolicyResult[]> => {
   try {
     const portalBase = process.env.NEXT_PUBLIC_BETTER_AUTH_URL?.replace(/\/$/, '');
-    const url = `${portalBase}/api/fleet-policy`;
+    const url = `${portalBase}/api/fleet-policy?organizationId=${organizationId}`;
+
+    // Convert ReadonlyHeaders to a plain object for fetch
+    const headersList = await headers();
+    const headersObject: Record<string, string> = {};
+    headersList.forEach((value, key) => {
+      headersObject[key] = value;
+    });
 
     const res = await fetch(url, {
       method: 'GET',
-      headers: await headers(),
+      headers: headersObject,
       cache: 'no-store',
     });
 
diff --git a/apps/portal/src/app/(app)/(home)/actions/markVideoAsCompleted.ts b/apps/portal/src/app/(app)/(home)/actions/markVideoAsCompleted.ts
index fa28b61a6..db72a1b76 100644
--- a/apps/portal/src/app/(app)/(home)/actions/markVideoAsCompleted.ts
+++ b/apps/portal/src/app/(app)/(home)/actions/markVideoAsCompleted.ts
@@ -1,12 +1,17 @@
 'use server';
 
 import { authActionClient } from '@/actions/safe-action';
+import { env } from '@/env.mjs';
+import { trainingVideos } from '@/lib/data/training-videos';
 import { logger } from '@/utils/logger';
 import { db } from '@db';
 import { revalidatePath } from 'next/cache';
 import { headers } from 'next/headers';
 import { z } from 'zod';
 
+// Derive training video IDs from the canonical source
+const TRAINING_VIDEO_IDS = trainingVideos.map((v) => v.id);
+
 export const markVideoAsCompleted = authActionClient
   .inputSchema(z.object({ videoId: z.string(), organizationId: z.string() }))
   .metadata({
@@ -59,12 +64,13 @@ export const markVideoAsCompleted = authActionClient
     }
 
     // Try to find existing record
-    let organizationTrainingVideo = await db.employeeTrainingVideoCompletion.findFirst({
-      where: {
-        videoId: videoId, // This is the metadata ID like 'sat-1'
-        memberId: member.id,
-      },
-    });
+    let organizationTrainingVideo =
+      await db.employeeTrainingVideoCompletion.findFirst({
+        where: {
+          videoId: videoId, // This is the metadata ID like 'sat-1'
+          memberId: member.id,
+        },
+      });
 
     logger('Searched for existing video completion', {
       videoId,
@@ -80,13 +86,14 @@ export const markVideoAsCompleted = authActionClient
         memberId: member.id,
       });
 
-      organizationTrainingVideo = await db.employeeTrainingVideoCompletion.create({
-        data: {
-          videoId,
-          memberId: member.id,
-          completedAt: new Date(), // Mark as completed immediately
-        },
-      });
+      organizationTrainingVideo =
+        await db.employeeTrainingVideoCompletion.create({
+          data: {
+            videoId,
+            memberId: member.id,
+            completedAt: new Date(), // Mark as completed immediately
+          },
+        });
 
       logger('Video completion record created and marked as completed', {
         videoId,
@@ -103,14 +110,15 @@ export const markVideoAsCompleted = authActionClient
       }
 
       logger('Updating video completion', { videoId, userId: user.id });
-      organizationTrainingVideo = await db.employeeTrainingVideoCompletion.update({
-        where: {
-          id: organizationTrainingVideo.id,
-        },
-        data: {
-          completedAt: new Date(),
-        },
-      });
+      organizationTrainingVideo =
+        await db.employeeTrainingVideoCompletion.update({
+          where: {
+            id: organizationTrainingVideo.id,
+          },
+          data: {
+            completedAt: new Date(),
+          },
+        });
 
       logger('Video successfully marked as completed', {
         videoId,
@@ -118,9 +126,81 @@ export const markVideoAsCompleted = authActionClient
       });
     }
 
+    // Check if all training videos are now complete
+    const completions = await db.employeeTrainingVideoCompletion.findMany({
+      where: {
+        memberId: member.id,
+        videoId: { in: TRAINING_VIDEO_IDS },
+        completedAt: { not: null },
+      },
+    });
+
+    const allTrainingComplete = completions.length === TRAINING_VIDEO_IDS.length;
+
+    if (allTrainingComplete) {
+      logger('All training videos completed, triggering certificate email via API', {
+        memberId: member.id,
+        userId: user.id,
+      });
+
+      // Call the API to send the completion email with certificate
+      const apiUrl = env.NEXT_PUBLIC_API_URL || 'http://localhost:3333';
+      const internalToken = env.INTERNAL_API_TOKEN;
+
+      if (!internalToken) {
+        logger('INTERNAL_API_TOKEN not configured, skipping API call', {
+          memberId: member.id,
+        });
+        return organizationTrainingVideo;
+      }
+
+      try {
+        const response = await fetch(`${apiUrl}/v1/training/send-completion-email`, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'x-internal-token': internalToken,
+          },
+          body: JSON.stringify({
+            memberId: member.id,
+            organizationId,
+          }),
+        });
+
+        if (response.ok) {
+          const result = await response.json();
+          if (result.sent) {
+            logger('Training completion email sent successfully via API', {
+              email: user.email,
+              memberId: member.id,
+            });
+          } else {
+            logger('API declined to send email', {
+              reason: result.reason,
+              memberId: member.id,
+            });
+          }
+        } else {
+          const errorText = await response.text();
+          logger('Failed to send training completion email via API', {
+            status: response.status,
+            error: errorText,
+            memberId: member.id,
+          });
+        }
+      } catch (error) {
+        // Log error but don't fail the action - video was still marked complete
+        logger('Error calling training completion API', {
+          error: error instanceof Error ? error.message : String(error),
+          memberId: member.id,
+        });
+      }
+    }
+
     // Revalidate path following cursor rules
     const headersList = await headers();
-    let path = headersList.get('x-pathname') || headersList.get('referer') || '';
+    let path =
+      headersList.get('x-pathname') || headersList.get('referer') || '';
     path = path.replace(/\/[a-z]{2}\//, '/');
     revalidatePath(path);
 
diff --git a/apps/portal/src/app/api/confirm-fleet-policy/route.ts b/apps/portal/src/app/api/confirm-fleet-policy/route.ts
index b33a8eae5..fe2510ce7 100644
--- a/apps/portal/src/app/api/confirm-fleet-policy/route.ts
+++ b/apps/portal/src/app/api/confirm-fleet-policy/route.ts
@@ -1,5 +1,6 @@
 import { auth } from '@/app/lib/auth';
 import { APP_AWS_ORG_ASSETS_BUCKET, s3Client } from '@/utils/s3';
+import { validateMemberAndOrg } from '@/app/api/download-agent/utils';
 import { DeleteObjectsCommand, PutObjectCommand } from '@aws-sdk/client-s3';
 import { db } from '@db';
 import { Buffer } from 'node:buffer';
@@ -23,16 +24,21 @@ export async function POST(req: NextRequest) {
   const formData = await req.formData();
   const policyIdValue = formData.get('policyId');
   const policyName = formData.get('policyName');
+  const organizationId = formData.get('organizationId') as string;
   const files = formData.getAll('files');
 
   const policyId = typeof policyIdValue === 'string' ? Number(policyIdValue) : null;
-  const organizationId = session.session?.activeOrganizationId;
   const userId = session.user.id;
 
   if (!organizationId) {
     return NextResponse.json({ error: 'No active organization' }, { status: 400 });
   }
 
+  const member = await validateMemberAndOrg(userId, organizationId);
+  if (!member) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+
   if (!policyId || Number.isNaN(policyId)) {
     return NextResponse.json({ error: 'Invalid policyId' }, { status: 400 });
   }
diff --git a/apps/portal/src/app/api/fleet-policy/route.ts b/apps/portal/src/app/api/fleet-policy/route.ts
index 472716b93..906bfde58 100644
--- a/apps/portal/src/app/api/fleet-policy/route.ts
+++ b/apps/portal/src/app/api/fleet-policy/route.ts
@@ -1,4 +1,5 @@
 import { auth } from '@/app/lib/auth';
+import { validateMemberAndOrg } from '@/app/api/download-agent/utils';
 import { APP_AWS_ORG_ASSETS_BUCKET, s3Client } from '@/utils/s3';
 import { GetObjectCommand } from '@aws-sdk/client-s3';
 import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
@@ -9,16 +10,21 @@ export const runtime = 'nodejs';
 export const dynamic = 'force-dynamic';
 
 export async function GET(req: NextRequest) {
+  const organizationId = req.nextUrl.searchParams.get('organizationId');
+
+  if (!organizationId) {
+    return NextResponse.json({ error: 'No organization ID' }, { status: 400 });
+  }
+
   const session = await auth.api.getSession({ headers: req.headers });
 
   if (!session?.user) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
   }
 
-  const organizationId = session.session?.activeOrganizationId;
-
-  if (!organizationId) {
-    return NextResponse.json({ error: 'No active organization' }, { status: 400 });
+  const member = await validateMemberAndOrg(session.user.id, organizationId);
+  if (!member) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
   }
 
   const results = await db.fleetPolicyResult.findMany({
diff --git a/apps/portal/src/env.mjs b/apps/portal/src/env.mjs
index 3d0686eb7..b023a9054 100644
--- a/apps/portal/src/env.mjs
+++ b/apps/portal/src/env.mjs
@@ -13,18 +13,21 @@ export const env = createEnv({
     AUTH_MICROSOFT_CLIENT_ID: z.string().optional(),
     AUTH_MICROSOFT_CLIENT_SECRET: z.string().optional(),
     AUTH_SECRET: z.string(),
+    INTERNAL_API_TOKEN: z.string().optional(),
   },
 
   client: {
     NEXT_PUBLIC_POSTHOG_KEY: z.string().optional(),
     NEXT_PUBLIC_POSTHOG_HOST: z.string().optional(),
     NEXT_PUBLIC_BETTER_AUTH_URL: z.string(),
+    NEXT_PUBLIC_API_URL: z.string().optional(),
   },
 
   runtimeEnv: {
     NEXT_PUBLIC_POSTHOG_KEY: process.env.NEXT_PUBLIC_POSTHOG_KEY,
     NEXT_PUBLIC_POSTHOG_HOST: process.env.NEXT_PUBLIC_POSTHOG_HOST,
     NEXT_PUBLIC_BETTER_AUTH_URL: process.env.NEXT_PUBLIC_BETTER_AUTH_URL,
+    NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL,
     BETTER_AUTH_SECRET: process.env.BETTER_AUTH_SECRET,
     BETTER_AUTH_URL: process.env.BETTER_AUTH_URL,
     RESEND_API_KEY: process.env.RESEND_API_KEY,
@@ -35,6 +38,7 @@ export const env = createEnv({
     AUTH_MICROSOFT_CLIENT_ID: process.env.AUTH_MICROSOFT_CLIENT_ID,
     AUTH_MICROSOFT_CLIENT_SECRET: process.env.AUTH_MICROSOFT_CLIENT_SECRET,
     AUTH_SECRET: process.env.AUTH_SECRET,
+    INTERNAL_API_TOKEN: process.env.INTERNAL_API_TOKEN,
   },
 
   skipValidation: !!process.env.CI || !!process.env.SKIP_ENV_VALIDATION,
diff --git a/bun.lock b/bun.lock
index c7a43a229..2528e1de4 100644
--- a/bun.lock
+++ b/bun.lock
@@ -120,6 +120,7 @@
         "reflect-metadata": "^0.2.2",
         "resend": "^6.4.2",
         "rxjs": "^7.8.1",
+        "safe-stable-stringify": "^2.5.0",
         "swagger-ui-express": "^5.0.1",
         "xlsx": "^0.18.5",
         "zod": "^4.0.14",
@@ -329,6 +330,7 @@
         "better-auth": "^1.4.5",
         "class-variance-authority": "^0.7.1",
         "geist": "^1.3.1",
+        "jspdf": "^3.0.3",
         "jszip": "^3.10.1",
         "next": "^16.0.10",
         "next-safe-action": "^8.0.3",
diff --git a/packages/db/prisma/migrations/20260126181351_add_findings/migration.sql b/packages/db/prisma/migrations/20260126181351_add_findings/migration.sql
new file mode 100644
index 000000000..670814257
--- /dev/null
+++ b/packages/db/prisma/migrations/20260126181351_add_findings/migration.sql
@@ -0,0 +1,52 @@
+-- CreateEnum
+CREATE TYPE "FindingType" AS ENUM ('soc2', 'iso27001');
+
+-- CreateEnum
+CREATE TYPE "FindingStatus" AS ENUM ('open', 'ready_for_review', 'needs_revision', 'closed');
+
+-- CreateTable
+CREATE TABLE "FindingTemplate" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('fnd_t'::text),
+    "category" TEXT NOT NULL,
+    "title" TEXT NOT NULL,
+    "content" TEXT NOT NULL,
+    "order" INTEGER NOT NULL DEFAULT 0,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "FindingTemplate_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "Finding" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('fnd'::text),
+    "type" "FindingType" NOT NULL DEFAULT 'soc2',
+    "status" "FindingStatus" NOT NULL DEFAULT 'open',
+    "content" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+    "taskId" TEXT NOT NULL,
+    "templateId" TEXT,
+    "createdById" TEXT NOT NULL,
+    "organizationId" TEXT NOT NULL,
+
+    CONSTRAINT "Finding_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "Finding_taskId_idx" ON "Finding"("taskId");
+
+-- CreateIndex
+CREATE INDEX "Finding_organizationId_status_idx" ON "Finding"("organizationId", "status");
+
+-- AddForeignKey
+ALTER TABLE "Finding" ADD CONSTRAINT "Finding_taskId_fkey" FOREIGN KEY ("taskId") REFERENCES "Task"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "Finding" ADD CONSTRAINT "Finding_templateId_fkey" FOREIGN KEY ("templateId") REFERENCES "FindingTemplate"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "Finding" ADD CONSTRAINT "Finding_createdById_fkey" FOREIGN KEY ("createdById") REFERENCES "Member"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "Finding" ADD CONSTRAINT "Finding_organizationId_fkey" FOREIGN KEY ("organizationId") REFERENCES "Organization"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/packages/db/prisma/migrations/20260126202751_add_finding_to_audit_log_entity_type/migration.sql b/packages/db/prisma/migrations/20260126202751_add_finding_to_audit_log_entity_type/migration.sql
new file mode 100644
index 000000000..8027571f3
--- /dev/null
+++ b/packages/db/prisma/migrations/20260126202751_add_finding_to_audit_log_entity_type/migration.sql
@@ -0,0 +1,2 @@
+-- AlterEnum
+ALTER TYPE "AuditLogEntityType" ADD VALUE 'finding';
diff --git a/packages/db/prisma/schema/auth.prisma b/packages/db/prisma/schema/auth.prisma
index b71467592..9535d7fa7 100644
--- a/packages/db/prisma/schema/auth.prisma
+++ b/packages/db/prisma/schema/auth.prisma
@@ -115,6 +115,7 @@ model Member {
   createdTaskItems       TaskItem[]           @relation("TaskItemCreator")
   updatedTaskItems       TaskItem[]           @relation("TaskItemUpdater")
   assignedTaskItems      TaskItem[]           @relation("TaskItemAssignee")
+  createdFindings        Finding[]            @relation("FindingCreatedBy")
 }
 
 model Invitation {
diff --git a/packages/db/prisma/schema/finding.prisma b/packages/db/prisma/schema/finding.prisma
new file mode 100644
index 000000000..0124e97d4
--- /dev/null
+++ b/packages/db/prisma/schema/finding.prisma
@@ -0,0 +1,46 @@
+enum FindingType {
+  soc2
+  iso27001
+}
+
+enum FindingStatus {
+  open
+  ready_for_review
+  needs_revision
+  closed
+}
+
+model FindingTemplate {
+  id        String   @id @default(dbgenerated("generate_prefixed_cuid('fnd_t'::text)"))
+  category  String // e.g., "evidence_issue", "further_evidence", "task_specific", "na_incorrect"
+  title     String // Short title
+  content   String // Full message template
+  order     Int      @default(0)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  findings Finding[]
+}
+
+model Finding {
+  id      String        @id @default(dbgenerated("generate_prefixed_cuid('fnd'::text)"))
+  type    FindingType   @default(soc2)
+  status  FindingStatus @default(open)
+  content String // Custom message or copied from template
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relationships
+  taskId         String
+  task           Task             @relation(fields: [taskId], references: [id], onDelete: Cascade)
+  templateId     String?
+  template       FindingTemplate? @relation(fields: [templateId], references: [id])
+  createdById    String
+  createdBy      Member           @relation("FindingCreatedBy", fields: [createdById], references: [id])
+  organizationId String
+  organization   Organization     @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  @@index([taskId])
+  @@index([organizationId, status])
+}
diff --git a/packages/db/prisma/schema/organization.prisma b/packages/db/prisma/schema/organization.prisma
index ea5743c9f..20dbf4321 100644
--- a/packages/db/prisma/schema/organization.prisma
+++ b/packages/db/prisma/schema/organization.prisma
@@ -55,5 +55,8 @@ model Organization {
   browserbaseContext BrowserbaseContext?
   fleetPolicyResults FleetPolicyResult[]
 
+  // Findings
+  findings Finding[]
+
   @@index([slug])
 }
diff --git a/packages/db/prisma/schema/shared.prisma b/packages/db/prisma/schema/shared.prisma
index 83339d52d..d7491366d 100644
--- a/packages/db/prisma/schema/shared.prisma
+++ b/packages/db/prisma/schema/shared.prisma
@@ -49,6 +49,7 @@ enum AuditLogEntityType {
   tests
   integration
   trust
+  finding
 }
 
 model GlobalVendors {
diff --git a/packages/db/prisma/schema/task.prisma b/packages/db/prisma/schema/task.prisma
index ba33a2e4b..457b6eb91 100644
--- a/packages/db/prisma/schema/task.prisma
+++ b/packages/db/prisma/schema/task.prisma
@@ -30,6 +30,7 @@ model Task {
 
   EvidenceAutomationRun EvidenceAutomationRun[]
   integrationCheckRuns  IntegrationCheckRun[]
+  findings              Finding[]
 }
 
 enum TaskStatus {
diff --git a/packages/db/prisma/seed/frameworkEditorSchemas.ts b/packages/db/prisma/seed/frameworkEditorSchemas.ts
index 80b470c89..bfea56e56 100644
--- a/packages/db/prisma/seed/frameworkEditorSchemas.ts
+++ b/packages/db/prisma/seed/frameworkEditorSchemas.ts
@@ -168,6 +168,31 @@ export const FrameworkEditorControlTemplateSchema = z.object({
   // controls: Control[] - relational, omitted
 });
 
+export const FindingTemplateSchema = z.object({
+  id: z.string().optional(), // @id @default
+  category: z.string(),
+  title: z.string(),
+  content: z.string(),
+  order: z.number().optional(), // @default(0)
+  createdAt: z
+    .preprocess(
+      datePreprocess,
+      z.string().datetime({
+        message: 'Invalid datetime string for createdAt. Expected ISO 8601 format.',
+      }),
+    )
+    .optional(), // @default(now())
+  updatedAt: z
+    .preprocess(
+      datePreprocess,
+      z.string().datetime({
+        message: 'Invalid datetime string for updatedAt. Expected ISO 8601 format.',
+      }),
+    )
+    .optional(), // @default(now()) @updatedAt
+  // findings: Finding[] - relational, omitted
+});
+
 // For use in seed script validation
 export const frameworkEditorModelSchemas = {
   FrameworkEditorVideo: FrameworkEditorVideoSchema,
@@ -176,4 +201,5 @@ export const frameworkEditorModelSchemas = {
   FrameworkEditorPolicyTemplate: FrameworkEditorPolicyTemplateSchema,
   FrameworkEditorTaskTemplate: FrameworkEditorTaskTemplateSchema,
   FrameworkEditorControlTemplate: FrameworkEditorControlTemplateSchema,
+  FindingTemplate: FindingTemplateSchema,
 };
diff --git a/packages/db/prisma/seed/primitives/FindingTemplate.json b/packages/db/prisma/seed/primitives/FindingTemplate.json
new file mode 100644
index 000000000..cef1a14e6
--- /dev/null
+++ b/packages/db/prisma/seed/primitives/FindingTemplate.json
@@ -0,0 +1,83 @@
+[
+  {
+    "id": "fnd_t_evidence_issue_01",
+    "category": "evidence_issue",
+    "title": "Missing organization context",
+    "content": "The uploaded evidence does not clearly show the Organization Name or URL. Please provide a screenshot showing the context.",
+    "order": 1,
+    "createdAt": "2025-01-26 00:00:00.000",
+    "updatedAt": "2025-01-26 00:00:00.000"
+  },
+  {
+    "id": "fnd_t_evidence_issue_02",
+    "category": "evidence_issue",
+    "title": "Evidence outside audit window",
+    "content": "The evidence date falls outside the currently active audit observation window. Please ensure evidence is relevant to the current period.",
+    "order": 2,
+    "createdAt": "2025-01-26 00:00:00.000",
+    "updatedAt": "2025-01-26 00:00:00.000"
+  },
+  {
+    "id": "fnd_t_evidence_issue_03",
+    "category": "evidence_issue",
+    "title": "Unreadable or corrupted file",
+    "content": "The auditor could not open or read the file due to low resolution or corruption. Please re-upload a clear copy.",
+    "order": 3,
+    "createdAt": "2025-01-26 00:00:00.000",
+    "updatedAt": "2025-01-26 00:00:00.000"
+  },
+  {
+    "id": "fnd_t_further_evidence_01",
+    "category": "further_evidence",
+    "title": "Statement of intent - need proof of operation",
+    "content": "The attached document(s) is a statement of intent. This control requires Evidence of Operation (proof of action). Please upload specific logs, screenshots, system configs, or tickets that demonstrate this policy is currently being enforced.",
+    "order": 1,
+    "createdAt": "2025-01-26 00:00:00.000",
+    "updatedAt": "2025-01-26 00:00:00.000"
+  },
+  {
+    "id": "fnd_t_further_evidence_02",
+    "category": "further_evidence",
+    "title": "No evidence attached",
+    "content": "This task was marked as 'Done', but no file was attached. For an external audit, every completed task requires proof of execution. Please upload the specific evidence (screenshot, PDF, or export) and re-submit.",
+    "order": 2,
+    "createdAt": "2025-01-26 00:00:00.000",
+    "updatedAt": "2025-01-26 00:00:00.000"
+  },
+  {
+    "id": "fnd_t_task_specific_01",
+    "category": "task_specific",
+    "title": "Pull Request samples required",
+    "content": "Please upload a sample of recently merged Pull Requests (5 examples). The evidence must clearly show: 1. The Author, 2. The Approver (must be different from the author), and 3. The Build/Test Status checks.",
+    "order": 1,
+    "createdAt": "2025-01-26 00:00:00.000",
+    "updatedAt": "2025-01-26 00:00:00.000"
+  },
+  {
+    "id": "fnd_t_task_specific_02",
+    "category": "task_specific",
+    "title": "Alert screenshot required",
+    "content": "Please upload a screenshot of an actual triggered alert (e.g., a notification from PagerDuty, Slack, or Email). The evidence must clearly show: 1. The Alert Name, 2. The Timestamp, and 3. The Severity Level.",
+    "order": 2,
+    "createdAt": "2025-01-26 00:00:00.000",
+    "updatedAt": "2025-01-26 00:00:00.000"
+  },
+  {
+    "id": "fnd_t_task_specific_03",
+    "category": "task_specific",
+    "title": "System logs sample required",
+    "content": "Please provide a sample of System or Infrastructure Logs (e.g., AWS CloudWatch, Google Cloud Logging, Datadog). The sample must clearly show headers including: Timestamp, Event/Error Message, and Source/User.",
+    "order": 3,
+    "createdAt": "2025-01-26 00:00:00.000",
+    "updatedAt": "2025-01-26 00:00:00.000"
+  },
+  {
+    "id": "fnd_t_na_incorrect_01",
+    "category": "na_incorrect",
+    "title": "Control required for compliance",
+    "content": "This control is required for SOC 2 compliance, regardless of company size. However, the evidence can be scaled down to fit your stage. Please see the guidance documentation for acceptable lightweight evidence.",
+    "order": 1,
+    "createdAt": "2025-01-26 00:00:00.000",
+    "updatedAt": "2025-01-26 00:00:00.000"
+  }
+]
diff --git a/packages/docs/openapi.json b/packages/docs/openapi.json
index 84b87b47e..44a4af016 100644
--- a/packages/docs/openapi.json
+++ b/packages/docs/openapi.json
@@ -6037,6 +6037,174 @@
         ]
       }
     },
+    "/v1/tasks/bulk": {
+      "patch": {
+        "description": "Bulk update the status of multiple tasks",
+        "operationId": "TasksController_updateTasksStatus_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "taskIds": {
+                    "type": "array",
+                    "items": {
+                      "type": "string"
+                    },
+                    "example": [
+                      "tsk_abc123",
+                      "tsk_def456"
+                    ]
+                  },
+                  "status": {
+                    "type": "string",
+                    "enum": [
+                      "todo",
+                      "in_progress",
+                      "done",
+                      "not_relevant",
+                      "failed"
+                    ],
+                    "example": "in_progress"
+                  },
+                  "reviewDate": {
+                    "type": "string",
+                    "format": "date-time",
+                    "example": "2025-01-01T00:00:00.000Z",
+                    "description": "Optional review date to set on all tasks"
+                  }
+                },
+                "required": [
+                  "taskIds",
+                  "status"
+                ]
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Tasks updated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "updatedCount": {
+                      "type": "number",
+                      "example": 2
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Invalid request body"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update status for multiple tasks",
+        "tags": [
+          "Tasks"
+        ]
+      }
+    },
+    "/v1/tasks/bulk/assignee": {
+      "patch": {
+        "description": "Bulk update the assignee of multiple tasks",
+        "operationId": "TasksController_updateTasksAssignee_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "taskIds": {
+                    "type": "array",
+                    "items": {
+                      "type": "string"
+                    },
+                    "example": [
+                      "tsk_abc123",
+                      "tsk_def456"
+                    ]
+                  },
+                  "assigneeId": {
+                    "type": "string",
+                    "nullable": true,
+                    "example": "mem_abc123",
+                    "description": "Assignee member ID, or null to unassign"
+                  }
+                },
+                "required": [
+                  "taskIds"
+                ]
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Tasks updated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "updatedCount": {
+                      "type": "number",
+                      "example": 2
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Invalid request body"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update assignee for multiple tasks",
+        "tags": [
+          "Tasks"
+        ]
+      }
+    },
     "/v1/tasks/{taskId}": {
       "get": {
         "description": "Retrieve a specific task by its ID",
@@ -6107,12 +6275,10 @@
         "tags": [
           "Tasks"
         ]
-      }
-    },
-    "/v1/tasks/bulk": {
+      },
       "patch": {
-        "description": "Bulk update the status of multiple tasks",
-        "operationId": "TasksController_updateTasksStatus_v1",
+        "description": "Update an existing task (status, assignee, frequency, department, reviewDate)",
+        "operationId": "TasksController_updateTask_v1",
         "parameters": [
           {
             "name": "X-Organization-Id",
@@ -6122,6 +6288,16 @@
             "schema": {
               "type": "string"
             }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
           }
         ],
         "requestBody": {
@@ -6131,16 +6307,6 @@
               "schema": {
                 "type": "object",
                 "properties": {
-                  "taskIds": {
-                    "type": "array",
-                    "items": {
-                      "type": "string"
-                    },
-                    "example": [
-                      "tsk_abc123",
-                      "tsk_def456"
-                    ]
-                  },
                   "status": {
                     "type": "string",
                     "enum": [
@@ -6152,40 +6318,62 @@
                     ],
                     "example": "in_progress"
                   },
+                  "assigneeId": {
+                    "type": "string",
+                    "nullable": true,
+                    "example": "mem_abc123",
+                    "description": "Assignee member ID, or null to unassign"
+                  },
+                  "frequency": {
+                    "type": "string",
+                    "enum": [
+                      "daily",
+                      "weekly",
+                      "monthly",
+                      "quarterly",
+                      "yearly"
+                    ],
+                    "example": "monthly"
+                  },
+                  "department": {
+                    "type": "string",
+                    "enum": [
+                      "none",
+                      "admin",
+                      "gov",
+                      "hr",
+                      "it",
+                      "itsm",
+                      "qms"
+                    ],
+                    "example": "it"
+                  },
                   "reviewDate": {
                     "type": "string",
                     "format": "date-time",
-                    "example": "2025-01-01T00:00:00.000Z",
-                    "description": "Optional review date to set on all tasks"
+                    "example": "2025-01-01T00:00:00.000Z"
                   }
-                },
-                "required": [
-                  "taskIds",
-                  "status"
-                ]
+                }
               }
             }
           }
         },
         "responses": {
           "200": {
-            "description": "Tasks updated successfully",
+            "description": "Task updated successfully",
             "content": {
               "application/json": {
                 "schema": {
-                  "type": "object",
-                  "properties": {
-                    "updatedCount": {
-                      "type": "number",
-                      "example": 2
-                    }
-                  }
+                  "$ref": "#/components/schemas/TaskResponseDto"
                 }
               }
             }
           },
           "400": {
-            "description": "Invalid request body"
+            "description": "Invalid request body or task not found"
+          },
+          "404": {
+            "description": "Task not found"
           }
         },
         "security": [
@@ -6193,7 +6381,7 @@
             "apikey": []
           }
         ],
-        "summary": "Update status for multiple tasks",
+        "summary": "Update a task",
         "tags": [
           "Tasks"
         ]
@@ -7196,10 +7384,10 @@
         ]
       }
     },
-    "/v1/comments": {
+    "/v1/tasks/{taskId}/evidence": {
       "get": {
-        "description": "Retrieve all comments for a specific entity (task, policy, vendor, etc.)",
-        "operationId": "CommentsController_getComments_v1",
+        "description": "Retrieve a summary of all automation evidence for a specific task",
+        "operationId": "EvidenceExportController_getTaskEvidenceSummary_v1",
         "parameters": [
           {
             "name": "X-Organization-Id",
@@ -7211,44 +7399,22 @@
             }
           },
           {
-            "name": "entityId",
+            "name": "taskId",
             "required": true,
-            "in": "query",
-            "description": "ID of the entity to get comments for",
+            "in": "path",
+            "description": "Unique task identifier",
             "schema": {
               "example": "tsk_abc123def456",
               "type": "string"
             }
-          },
-          {
-            "name": "entityType",
-            "required": true,
-            "in": "query",
-            "description": "Type of entity",
-            "schema": {
-              "enum": [
-                "task",
-                "vendor",
-                "risk",
-                "policy"
-              ],
-              "type": "string"
-            }
           }
         ],
         "responses": {
           "200": {
-            "description": "Comments retrieved successfully",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "type": "array",
-                  "items": {
-                    "$ref": "#/components/schemas/CommentResponseDto"
-                  }
-                }
-              }
-            }
+            "description": "Evidence summary retrieved successfully"
+          },
+          "404": {
+            "description": "Task not found"
           }
         },
         "security": [
@@ -7256,11 +7422,233 @@
             "apikey": []
           }
         ],
-        "summary": "Get comments for an entity",
+        "summary": "Get task evidence summary",
         "tags": [
-          "Comments"
+          "Evidence Export"
         ]
-      },
+      }
+    },
+    "/v1/tasks/{taskId}/evidence/automation/{automationId}/pdf": {
+      "get": {
+        "description": "Generate and download a PDF containing all evidence for a specific automation",
+        "operationId": "EvidenceExportController_exportAutomationPDF_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "automationId",
+            "required": true,
+            "in": "path",
+            "description": "Unique automation identifier (checkId for app automations)",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "PDF file generated successfully",
+            "content": {
+              "application/pdf": {}
+            }
+          },
+          "404": {
+            "description": "Task or automation not found"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Export automation evidence as PDF",
+        "tags": [
+          "Evidence Export"
+        ]
+      }
+    },
+    "/v1/tasks/{taskId}/evidence/export": {
+      "get": {
+        "description": "Generate and download a ZIP file containing all automation evidence for a task",
+        "operationId": "EvidenceExportController_exportTaskEvidenceZip_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "includeJson",
+            "required": false,
+            "in": "query",
+            "description": "Include raw JSON files alongside PDFs",
+            "schema": {
+              "type": "boolean"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ZIP file generated successfully",
+            "content": {
+              "application/zip": {}
+            }
+          },
+          "404": {
+            "description": "Task not found"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Export task evidence as ZIP",
+        "tags": [
+          "Evidence Export"
+        ]
+      }
+    },
+    "/v1/evidence-export/all": {
+      "get": {
+        "description": "Generate and download a ZIP file containing all automation evidence across all tasks. Only accessible by auditors.",
+        "operationId": "AuditorEvidenceExportController_exportAllEvidence_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "includeJson",
+            "required": false,
+            "in": "query",
+            "description": "Include raw JSON files alongside PDFs",
+            "schema": {
+              "type": "boolean"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "ZIP file generated successfully",
+            "content": {
+              "application/zip": {}
+            }
+          },
+          "403": {
+            "description": "Access denied - Auditor role required"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Export all organization evidence as ZIP (Auditor only)",
+        "tags": [
+          "Evidence Export (Auditor)"
+        ]
+      }
+    },
+    "/v1/comments": {
+      "get": {
+        "description": "Retrieve all comments for a specific entity (task, policy, vendor, etc.)",
+        "operationId": "CommentsController_getComments_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "entityId",
+            "required": true,
+            "in": "query",
+            "description": "ID of the entity to get comments for",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          },
+          {
+            "name": "entityType",
+            "required": true,
+            "in": "query",
+            "description": "Type of entity",
+            "schema": {
+              "enum": [
+                "task",
+                "vendor",
+                "risk",
+                "policy"
+              ],
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Comments retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/CommentResponseDto"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get comments for an entity",
+        "tags": [
+          "Comments"
+        ]
+      },
       "post": {
         "description": "Create a comment on an entity with optional file attachments",
         "operationId": "CommentsController_createComment_v1",
@@ -9083,18 +9471,578 @@
               }
             }
           },
-          "500": {
-            "description": "Internal server error",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "example": {
-                    "statusCode": 500,
-                    "message": "Internal server error"
-                  }
-                }
-              }
-            }
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 500,
+                    "message": "Internal server error"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update framework editor task template",
+        "tags": [
+          "Framework Editor Task Templates"
+        ]
+      },
+      "delete": {
+        "description": "Delete a framework editor task template by ID",
+        "operationId": "TaskTemplateController_deleteTaskTemplate_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Framework editor task template ID",
+            "schema": {
+              "example": "frk_tt_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Successfully deleted framework editor task template",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "message": "Framework editor task template deleted successfully",
+                    "deletedTaskTemplate": {
+                      "id": "frk_tt_abc123def456",
+                      "name": "Monthly Security Review"
+                    },
+                    "authType": "session",
+                    "authenticatedUser": {
+                      "id": "user_123",
+                      "email": "user@example.com"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 401,
+                    "message": "Unauthorized"
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Framework editor task template not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 404,
+                    "message": "Framework editor task template with ID frk_tt_abc123def456 not found"
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 500,
+                    "message": "Internal server error"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete framework editor task template",
+        "tags": [
+          "Framework Editor Task Templates"
+        ]
+      }
+    },
+    "/v1/finding-template": {
+      "get": {
+        "description": "Retrieve all finding templates ordered by category and order",
+        "operationId": "FindingTemplateController_getAllFindingTemplates_v1",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": "List of all finding templates"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "summary": "Get all finding templates",
+        "tags": [
+          "Finding Templates"
+        ]
+      },
+      "post": {
+        "description": "Create a new finding template (Platform Admin only)",
+        "operationId": "FindingTemplateController_createFindingTemplate_v1",
+        "parameters": [],
+        "requestBody": {
+          "required": true,
+          "description": "Finding template data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateFindingTemplateDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "The created finding template"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "403": {
+            "description": "Forbidden - Platform admin required"
+          }
+        },
+        "summary": "Create a finding template",
+        "tags": [
+          "Finding Templates"
+        ]
+      }
+    },
+    "/v1/finding-template/{id}": {
+      "get": {
+        "description": "Retrieve a specific finding template by its ID",
+        "operationId": "FindingTemplateController_getFindingTemplateById_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Finding template ID",
+            "schema": {
+              "example": "fnd_t_abc123",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "The finding template"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "404": {
+            "description": "Finding template not found"
+          }
+        },
+        "summary": "Get finding template by ID",
+        "tags": [
+          "Finding Templates"
+        ]
+      },
+      "patch": {
+        "description": "Update an existing finding template (Platform Admin only)",
+        "operationId": "FindingTemplateController_updateFindingTemplate_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Finding template ID",
+            "schema": {
+              "example": "fnd_t_abc123",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Finding template update data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateFindingTemplateDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "The updated finding template"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "403": {
+            "description": "Forbidden - Platform admin required"
+          },
+          "404": {
+            "description": "Finding template not found"
+          }
+        },
+        "summary": "Update a finding template",
+        "tags": [
+          "Finding Templates"
+        ]
+      },
+      "delete": {
+        "description": "Delete a finding template (Platform Admin only)",
+        "operationId": "FindingTemplateController_deleteFindingTemplate_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Finding template ID",
+            "schema": {
+              "example": "fnd_t_abc123",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Finding template deleted successfully"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "403": {
+            "description": "Forbidden - Platform admin required"
+          },
+          "404": {
+            "description": "Finding template not found"
+          }
+        },
+        "summary": "Delete a finding template",
+        "tags": [
+          "Finding Templates"
+        ]
+      }
+    },
+    "/v1/findings": {
+      "get": {
+        "description": "Retrieve all findings for a specific task",
+        "operationId": "FindingsController_getFindingsByTask_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "query",
+            "description": "Task ID to get findings for",
+            "schema": {
+              "example": "tsk_abc123",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "List of findings for the task"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "404": {
+            "description": "Task not found"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get findings for a task",
+        "tags": [
+          "Findings"
+        ]
+      },
+      "post": {
+        "description": "Create a new finding for a task (Auditor or Platform Admin only)",
+        "operationId": "FindingsController_createFinding_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Finding data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateFindingDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "The created finding"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "403": {
+            "description": "Forbidden - Auditor or Platform Admin required"
+          },
+          "404": {
+            "description": "Task not found"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Create a finding",
+        "tags": [
+          "Findings"
+        ]
+      }
+    },
+    "/v1/findings/organization": {
+      "get": {
+        "description": "Retrieve all findings for the organization",
+        "operationId": "FindingsController_getOrganizationFindings_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "status",
+            "required": false,
+            "in": "query",
+            "description": "Filter by status",
+            "schema": {
+              "enum": [
+                "open",
+                "ready_for_review",
+                "needs_revision",
+                "closed"
+              ],
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "List of all findings for the organization"
+          },
+          "400": {
+            "description": "Invalid status value"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all findings for organization",
+        "tags": [
+          "Findings"
+        ]
+      }
+    },
+    "/v1/findings/{id}": {
+      "get": {
+        "description": "Retrieve a specific finding by its ID",
+        "operationId": "FindingsController_getFindingById_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Finding ID",
+            "schema": {
+              "example": "fnd_abc123",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "The finding"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "404": {
+            "description": "Finding not found"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get finding by ID",
+        "tags": [
+          "Findings"
+        ]
+      },
+      "patch": {
+        "description": "Update a finding. Status transition rules apply based on user role.",
+        "operationId": "FindingsController_updateFinding_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Finding ID",
+            "schema": {
+              "example": "fnd_abc123",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Finding update data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateFindingDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "The updated finding"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "403": {
+            "description": "Forbidden - Insufficient permissions for status transition"
+          },
+          "404": {
+            "description": "Finding not found"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update a finding",
+        "tags": [
+          "Findings"
+        ]
+      },
+      "delete": {
+        "description": "Delete a finding (Auditor or Platform Admin only)",
+        "operationId": "FindingsController_deleteFinding_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Finding ID",
+            "schema": {
+              "example": "fnd_abc123",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Finding deleted successfully"
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "403": {
+            "description": "Forbidden - Auditor or Platform Admin required"
+          },
+          "404": {
+            "description": "Finding not found"
           }
         },
         "security": [
@@ -9102,14 +10050,16 @@
             "apikey": []
           }
         ],
-        "summary": "Update framework editor task template",
+        "summary": "Delete a finding",
         "tags": [
-          "Framework Editor Task Templates"
+          "Findings"
         ]
-      },
-      "delete": {
-        "description": "Delete a framework editor task template by ID",
-        "operationId": "TaskTemplateController_deleteTaskTemplate_v1",
+      }
+    },
+    "/v1/findings/{id}/history": {
+      "get": {
+        "description": "Retrieve the activity history for a specific finding",
+        "operationId": "FindingsController_getFindingHistory_v1",
         "parameters": [
           {
             "name": "X-Organization-Id",
@@ -9124,73 +10074,22 @@
             "name": "id",
             "required": true,
             "in": "path",
-            "description": "Framework editor task template ID",
+            "description": "Finding ID",
             "schema": {
-              "example": "frk_tt_abc123def456",
+              "example": "fnd_abc123",
               "type": "string"
             }
           }
         ],
         "responses": {
           "200": {
-            "description": "Successfully deleted framework editor task template",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "example": {
-                    "message": "Framework editor task template deleted successfully",
-                    "deletedTaskTemplate": {
-                      "id": "frk_tt_abc123def456",
-                      "name": "Monthly Security Review"
-                    },
-                    "authType": "session",
-                    "authenticatedUser": {
-                      "id": "user_123",
-                      "email": "user@example.com"
-                    }
-                  }
-                }
-              }
-            }
+            "description": "List of audit log entries for the finding"
           },
           "401": {
-            "description": "Unauthorized - Invalid or missing authentication",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "example": {
-                    "statusCode": 401,
-                    "message": "Unauthorized"
-                  }
-                }
-              }
-            }
+            "description": "Unauthorized"
           },
           "404": {
-            "description": "Framework editor task template not found",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "example": {
-                    "statusCode": 404,
-                    "message": "Framework editor task template with ID frk_tt_abc123def456 not found"
-                  }
-                }
-              }
-            }
-          },
-          "500": {
-            "description": "Internal server error",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "example": {
-                    "statusCode": 500,
-                    "message": "Internal server error"
-                  }
-                }
-              }
-            }
+            "description": "Finding not found"
           }
         },
         "security": [
@@ -9198,9 +10097,9 @@
             "apikey": []
           }
         ],
-        "summary": "Delete framework editor task template",
+        "summary": "Get finding history",
         "tags": [
-          "Framework Editor Task Templates"
+          "Findings"
         ]
       }
     },
@@ -12843,6 +13742,88 @@
           "Assistant Chat"
         ]
       }
+    },
+    "/v1/training/send-completion-email": {
+      "post": {
+        "description": "Checks if the member has completed all training videos. If so, sends an email with the training certificate attached.",
+        "operationId": "TrainingController_sendTrainingCompletionEmail_v1",
+        "parameters": [
+          {
+            "name": "x-internal-token",
+            "required": true,
+            "in": "header",
+            "description": "Internal API token for service-to-service calls",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/SendTrainingCompletionDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Email sent or reason why it was not sent",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/SendTrainingCompletionResponseDto"
+                }
+              }
+            }
+          }
+        },
+        "summary": "Send training completion email with certificate",
+        "tags": [
+          "Training"
+        ]
+      }
+    },
+    "/v1/training/generate-certificate": {
+      "post": {
+        "description": "Generates a PDF certificate for a member who has completed all training videos. Returns the PDF as a downloadable file.",
+        "operationId": "TrainingController_generateCertificate_v1",
+        "parameters": [
+          {
+            "name": "x-internal-token",
+            "required": true,
+            "in": "header",
+            "description": "Internal API token for service-to-service calls",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/SendTrainingCompletionDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "PDF certificate file"
+          },
+          "400": {
+            "description": "Training not complete or member not found"
+          }
+        },
+        "summary": "Generate training completion certificate PDF",
+        "tags": [
+          "Training"
+        ]
+      }
     }
   },
   "info": {
@@ -15577,6 +16558,125 @@
           }
         }
       },
+      "CreateFindingTemplateDto": {
+        "type": "object",
+        "properties": {
+          "category": {
+            "type": "string",
+            "description": "Category of the finding template",
+            "example": "evidence_issue"
+          },
+          "title": {
+            "type": "string",
+            "description": "Short title of the finding template",
+            "example": "Issue with uploaded evidence"
+          },
+          "content": {
+            "type": "string",
+            "description": "Full message content of the finding template",
+            "example": "The uploaded evidence does not clearly show the Organization Name or URL. Please provide a screenshot showing the context."
+          },
+          "order": {
+            "type": "number",
+            "description": "Display order for the template",
+            "example": 0
+          }
+        },
+        "required": [
+          "category",
+          "title",
+          "content"
+        ]
+      },
+      "UpdateFindingTemplateDto": {
+        "type": "object",
+        "properties": {
+          "category": {
+            "type": "string",
+            "description": "Category of the finding template",
+            "example": "evidence_issue"
+          },
+          "title": {
+            "type": "string",
+            "description": "Short title of the finding template",
+            "example": "Issue with uploaded evidence"
+          },
+          "content": {
+            "type": "string",
+            "description": "Full message content of the finding template",
+            "example": "The uploaded evidence does not clearly show the Organization Name or URL. Please provide a screenshot showing the context."
+          },
+          "order": {
+            "type": "number",
+            "description": "Display order for the template",
+            "example": 0
+          }
+        }
+      },
+      "CreateFindingDto": {
+        "type": "object",
+        "properties": {
+          "taskId": {
+            "type": "string",
+            "description": "Task ID this finding is associated with",
+            "example": "tsk_abc123"
+          },
+          "type": {
+            "type": "string",
+            "description": "Type of finding (SOC 2 or ISO 27001)",
+            "enum": [
+              "soc2",
+              "iso27001"
+            ],
+            "default": "soc2"
+          },
+          "templateId": {
+            "type": "string",
+            "description": "Finding template ID (optional)",
+            "example": "fnd_t_abc123"
+          },
+          "content": {
+            "type": "string",
+            "description": "Finding content/message",
+            "example": "The uploaded evidence does not clearly show the Organization Name or URL.",
+            "maxLength": 5000
+          }
+        },
+        "required": [
+          "taskId",
+          "type",
+          "content"
+        ]
+      },
+      "UpdateFindingDto": {
+        "type": "object",
+        "properties": {
+          "status": {
+            "type": "string",
+            "description": "Finding status",
+            "enum": [
+              "open",
+              "ready_for_review",
+              "needs_revision",
+              "closed"
+            ]
+          },
+          "type": {
+            "type": "string",
+            "description": "Type of finding (SOC 2 or ISO 27001)",
+            "enum": [
+              "soc2",
+              "iso27001"
+            ]
+          },
+          "content": {
+            "type": "string",
+            "description": "Finding content/message",
+            "example": "The uploaded evidence does not clearly show the Organization Name or URL.",
+            "maxLength": 5000
+          }
+        }
+      },
       "ParseQuestionnaireDto": {
         "type": "object",
         "properties": {}
@@ -16331,6 +17431,43 @@
         "required": [
           "messages"
         ]
+      },
+      "SendTrainingCompletionDto": {
+        "type": "object",
+        "properties": {
+          "memberId": {
+            "type": "string",
+            "description": "The member ID who completed training",
+            "example": "mem_abc123"
+          },
+          "organizationId": {
+            "type": "string",
+            "description": "The organization ID",
+            "example": "org_abc123"
+          }
+        },
+        "required": [
+          "memberId",
+          "organizationId"
+        ]
+      },
+      "SendTrainingCompletionResponseDto": {
+        "type": "object",
+        "properties": {
+          "sent": {
+            "type": "boolean",
+            "description": "Whether the email was sent",
+            "example": true
+          },
+          "reason": {
+            "type": "string",
+            "description": "Reason if email was not sent",
+            "example": "training_not_complete"
+          }
+        },
+        "required": [
+          "sent"
+        ]
       }
     }
   }
diff --git a/packages/email/emails/training-completed.tsx b/packages/email/emails/training-completed.tsx
new file mode 100644
index 000000000..9fe2d3081
--- /dev/null
+++ b/packages/email/emails/training-completed.tsx
@@ -0,0 +1,120 @@
+import {
+  Body,
+  Container,
+  Font,
+  Heading,
+  Html,
+  Preview,
+  Section,
+  Tailwind,
+  Text,
+} from '@react-email/components';
+import { Footer } from '../components/footer';
+import { Logo } from '../components/logo';
+import { UnsubscribeLink } from '../components/unsubscribe-link';
+import { getUnsubscribeUrl } from '../lib/unsubscribe';
+
+interface Props {
+  email: string;
+  userName: string;
+  organizationName: string;
+  completedAt: Date;
+}
+
+export const TrainingCompletedEmail = ({
+  email,
+  userName,
+  organizationName,
+  completedAt,
+}: Props) => {
+  const formattedDate = new Date(completedAt).toLocaleDateString('en-US', {
+    year: 'numeric',
+    month: 'long',
+    day: 'numeric',
+  });
+
+  return (
+    <Html>
+      <Tailwind>
+        <head>
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            webFont={{
+              url: 'https://app.trycomp.ai/fonts/geist/geist-sans-latin-400-normal.woff2',
+              format: 'woff2',
+            }}
+            fontWeight={400}
+            fontStyle="normal"
+          />
+
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            webFont={{
+              url: 'https://app.trycomp.ai/fonts/geist/geist-sans-latin-500-normal.woff2',
+              format: 'woff2',
+            }}
+            fontWeight={500}
+            fontStyle="normal"
+          />
+        </head>
+
+        <Preview>Congratulations! You've completed your Security Awareness Training</Preview>
+
+        <Body className="mx-auto my-auto bg-[#fff] font-sans">
+          <Container
+            className="mx-auto my-[40px] max-w-[600px] border-transparent p-[20px] md:border-[#E8E7E1]"
+            style={{ borderStyle: 'solid', borderWidth: 1 }}
+          >
+            <Logo />
+            <Heading className="mx-0 my-[30px] p-0 text-center text-[24px] font-normal text-[#121212]">
+              Training Complete!
+            </Heading>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">Hi {userName},</Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Congratulations! You have successfully completed all Security Awareness Training
+              modules for <strong>{organizationName}</strong>.
+            </Text>
+
+            <Section
+              className="mt-[24px] mb-[24px] rounded-[8px] p-[24px] text-center"
+              style={{ backgroundColor: '#f0fdf4', border: '1px solid #bbf7d0' }}
+            >
+              <Text className="m-0 text-[16px] font-medium text-[#166534]">
+                Completion Date: {formattedDate}
+              </Text>
+            </Section>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Your training completion certificate is attached to this email. Please save it for
+              your records.
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Thank you for your commitment to maintaining security awareness and helping protect{' '}
+              {organizationName}.
+            </Text>
+
+            <br />
+            <Section>
+              <Text className="text-[12px] leading-[24px] text-[#666666]">
+                This notification was intended for <span className="text-[#121212]">{email}</span>.
+              </Text>
+            </Section>
+
+            <UnsubscribeLink email={email} unsubscribeUrl={getUnsubscribeUrl(email)} />
+
+            <br />
+
+            <Footer />
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default TrainingCompletedEmail;
diff --git a/packages/email/index.ts b/packages/email/index.ts
index c612681a2..9afe95e69 100644
--- a/packages/email/index.ts
+++ b/packages/email/index.ts
@@ -6,6 +6,7 @@ export * from './emails/magic-link';
 export * from './emails/marketing/welcome';
 export * from './emails/otp';
 export * from './emails/policy-notification';
+export * from './emails/training-completed';
 export * from './emails/unassigned-items-notification';
 export * from './emails/waitlist';
 
@@ -16,6 +17,7 @@ export * from './lib/invite-member';
 export * from './lib/magic-link';
 export * from './lib/policy-notification';
 export * from './lib/resend';
+export * from './lib/training-completed';
 export * from './lib/unassigned-items-notification';
 export * from './lib/unsubscribe';
 export * from './lib/waitlist';
diff --git a/packages/email/lib/check-unsubscribe.ts b/packages/email/lib/check-unsubscribe.ts
index b3b93b123..66a4c93bd 100644
--- a/packages/email/lib/check-unsubscribe.ts
+++ b/packages/email/lib/check-unsubscribe.ts
@@ -5,6 +5,7 @@ const DEFAULT_PREFERENCES = {
   unassignedItemsNotifications: true,
   taskMentions: true,
   taskAssignments: true,
+  findingNotifications: true,
 };
 
 type EmailPreferenceType =
@@ -13,7 +14,8 @@ type EmailPreferenceType =
   | 'weeklyTaskDigest'
   | 'unassignedItemsNotifications'
   | 'taskMentions'
-  | 'taskAssignments';
+  | 'taskAssignments'
+  | 'findingNotifications';
 
 /**
  * Helper function to check if a user is unsubscribed from a specific type of email notification
diff --git a/packages/email/lib/resend.ts b/packages/email/lib/resend.ts
index f58cb98a7..f221a25ed 100644
--- a/packages/email/lib/resend.ts
+++ b/packages/email/lib/resend.ts
@@ -1,7 +1,28 @@
+import { randomUUID } from 'node:crypto';
 import { Resend } from 'resend';
 
 export const resend = process.env.RESEND_API_KEY ? new Resend(process.env.RESEND_API_KEY) : null;
 
+function maskEmail(value: string): string {
+  const [name = '', domain = ''] = value.toLowerCase().split('@');
+  if (!domain) return 'invalid-email';
+  const safeName = name.length <= 2 ? name[0] ?? '' : `${name[0]}${'*'.repeat(name.length - 2)}${name.at(-1)}`;
+  return `${safeName}@${domain}`;
+}
+
+function maskEmailList(value: string): string {
+  return value
+    .split(',')
+    .map((email) => maskEmail(email.trim()))
+    .join(', ');
+}
+
+export interface EmailAttachment {
+  filename: string;
+  content: Buffer | string;
+  contentType?: string;
+}
+
 export const sendEmail = async ({
   to,
   subject,
@@ -11,6 +32,7 @@ export const sendEmail = async ({
   test,
   cc,
   scheduledAt,
+  attachments,
 }: {
   to: string;
   subject: string;
@@ -20,6 +42,7 @@ export const sendEmail = async ({
   test?: boolean;
   cc?: string | string[];
   scheduledAt?: string;
+  attachments?: EmailAttachment[];
 }) => {
   if (!resend) {
     throw new Error('Resend not initialized - missing API key');
@@ -47,7 +70,24 @@ export const sendEmail = async ({
     throw new Error('Missing TO address in environment variables');
   }
 
+  const requestId = randomUUID();
+  const startTime = Date.now();
+
   try {
+    console.info('[email] send start', {
+      requestId,
+      provider: 'resend',
+      from: fromAddress,
+      to: maskEmailList(toAddress),
+      subject,
+      scheduledAt,
+      flags: {
+        marketing: Boolean(marketing),
+        system: Boolean(system),
+        test: Boolean(test),
+      },
+    });
+
     const { data, error } = await resend.emails.send({
       from: fromAddress, // now always a string
       to: toAddress, // now always a string
@@ -57,6 +97,11 @@ export const sendEmail = async ({
       // @ts-ignore – React node allowed by the SDK
       react,
       scheduledAt,
+      attachments: attachments?.map((att) => ({
+        filename: att.filename,
+        content: att.content,
+        contentType: att.contentType,
+      })),
     });
 
     if (error) {
@@ -64,12 +109,26 @@ export const sendEmail = async ({
       throw new Error(`Failed to send email: ${error.message}`);
     }
 
+    console.info('[email] send success', {
+      requestId,
+      provider: 'resend',
+      to: maskEmailList(toAddress),
+      messageId: data?.id,
+      durationMs: Date.now() - startTime,
+    });
+
     return {
       message: 'Email sent successfully',
       id: data?.id,
     };
   } catch (error) {
-    console.error('Email sending error:', error);
+    console.error('[email] send failure', {
+      requestId,
+      provider: 'resend',
+      to: maskEmailList(toAddress),
+      durationMs: Date.now() - startTime,
+      error: error instanceof Error ? error.message : String(error),
+    });
     throw error instanceof Error ? error : new Error('Failed to send email');
   }
 };
diff --git a/packages/email/lib/training-completed.ts b/packages/email/lib/training-completed.ts
new file mode 100644
index 000000000..7b873c462
--- /dev/null
+++ b/packages/email/lib/training-completed.ts
@@ -0,0 +1,45 @@
+import TrainingCompletedEmail from '../emails/training-completed';
+import { EmailAttachment, sendEmail } from './resend';
+
+export const sendTrainingCompletedEmail = async (params: {
+  email: string;
+  userName: string;
+  organizationName: string;
+  completedAt: Date;
+  certificatePdf: Buffer;
+}) => {
+  const { email, userName, organizationName, completedAt, certificatePdf } = params;
+
+  const attachments: EmailAttachment[] = [
+    {
+      filename: `security-awareness-training-certificate-${userName.replace(/\s+/g, '-').toLowerCase()}.pdf`,
+      content: certificatePdf,
+      contentType: 'application/pdf',
+    },
+  ];
+
+  try {
+    const sent = await sendEmail({
+      to: email,
+      subject: `Congratulations! You've completed your Security Awareness Training - ${organizationName}`,
+      react: TrainingCompletedEmail({
+        email,
+        userName,
+        organizationName,
+        completedAt,
+      }),
+      system: true,
+      attachments,
+    });
+
+    if (!sent) {
+      console.error('Failed to send training completed email');
+      return { success: false };
+    }
+
+    return { success: true, id: sent.id };
+  } catch (error) {
+    console.error('Error sending training completed email:', error);
+    return { success: false };
+  }
+};