I built a training simulator for the dev skills nobody teaches

Source: DEV Community
Pop quiz. What's wrong with this code?

```javascript
router.post('/login', async (req, res) => {
  const { email, password } = req.body;
  logger.info('Login attempt', {
    email,
    password, // LINE 5
    ip: req.ip
  });

  const user = await db.query(
    'SELECT * FROM users WHERE email = $1',
    [email]
  );
  const u = user.rows[0];

  // ... auth check ...

  analytics.track('user_login', {
    email: u.email,
    ssn: u.ssn_last4, // LINE 22
    creditScore: u.credit_score,
  });

  return res.json({
    token,
    user: {
      email: u.email,
      passwordHash: u.password_hash, // LINE 30
      ssn: u.ssn_last4,
      creditScore: u.credit_score,
    }
  });
});
```

There are 7 issues in there. How many did you spot?

Did you catch that line 5 writes plaintext passwords to your log aggregator? That line 22 sends SSN data to a third-party analytics service, violating GDPR Article 28? That line 30 returns the password hash in the API response?

This is a real scenario from LearningTo.co - a training platform I built for the dev skills that CS programs don't teach. The problem I've
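
The three leaks the quiz calls out (plaintext password in the log call, SSN and credit score sent to analytics, password hash in the response) can each be closed by passing payloads through key-based redaction and field allowlists. The following is an added example, not code from the original post; the helper names, the `id` column and the sample row are assumptions made for illustration.

```javascript
// Added example (not from the original post): shape log, analytics and response
// payloads explicitly. Helper names, the `id` column and sampleRow are assumptions.
const SENSITIVE_KEY = /pass(word)?|secret|token|ssn|credit|hash/i;

// Recursively mask values whose key looks sensitive before they reach a logger.
function redactForLog(value) {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = SENSITIVE_KEY.test(key) ? '[REDACTED]' : redactForLog(v);
  }
  return out;
}

// Copy only listed columns, so a newly added DB column never leaks by default.
function pick(row, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(row, key)) out[key] = row[key];
  }
  return out;
}

const PUBLIC_USER_FIELDS = ['id', 'email'];
const ANALYTICS_FIELDS = ['id']; // pseudonymous id only: no email, SSN or credit score

const toPublicUser = (row) => pick(row, PUBLIC_USER_FIELDS);
const toAnalyticsProps = (row) => pick(row, ANALYTICS_FIELDS);

// Constructed sample row standing in for user.rows[0] from SELECT *.
const sampleRow = {
  id: 42, email: 'a@example.com', password_hash: '$2b$12$constructed',
  ssn_last4: '1234', credit_score: 700,
};

// The three payloads the quiz handler emits, after shaping.
function demo() {
  return {
    log: redactForLog({ email: 'a@example.com', password: 'hunter2', ip: '203.0.113.7' }),
    analytics: toAnalyticsProps(sampleRow),
    response: { user: toPublicUser(sampleRow) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Redaction by key name is a safety net for log calls; the allowlists are the primary control, since they fail closed when the `users` table gains a column.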