diff --git a/output/battlecards/cards/card_07_code_quality_caveats.md b/output/battlecards/cards/card_07_code_quality_caveats.md new file mode 100644 index 0000000..1ce6054 --- /dev/null +++ b/output/battlecards/cards/card_07_code_quality_caveats.md 
@@ -0,0 +1,28 @@ +# Card 7: Code Quality and Security Caveats + +> AI-generated code carries measurable security risks and quality degradation that organizations must manage. + +## Fact + +- 48% of AI-generated code contains security vulnerabilities overall, with 29.1% of Python and 24.2% of JavaScript code flagged for weaknesses *(Source: security research, 2025)* +- AI-coauthored pull requests have 1.7× more issues than human-only code, indicating systemic quality degradation *(Source: GitHub/Microsoft research)* +- 7.2% drop in delivery stability from AI use, measured via DORA metrics *(Source: Google DORA report, 2024)* +- 6.4% secret leakage rate in AI-generated code — credentials, API keys, and tokens embedded unintentionally *(Source: security analysis)* + +![](mini_code_vulnerabilities.png) + +## Impact + +- **Security exposure is real**: Organizations using AI coding tools must implement mandatory security review processes, adding cost and time to development cycles. +- **Long-term tech debt**: The quality degradation (1.7× more issues) compounds over time, potentially creating larger maintenance burdens than short-term productivity gains. +- **Emerging threat landscape**: The TanStack 'Mini Shai-Hulud' attack (May 2026) — CVE-2026-45321 — demonstrated the first attack persisting inside AI coding tool configuration files, exposing new attack vectors *(Source: security research, May 2026)*. + +## Act + +- **When discussing AI code quality**: Be honest about the risks. 48% vulnerability rate is not acceptable for production systems without rigorous review. +- **Key question to ask**: 'What is your organization's process for reviewing and validating AI-generated code before it reaches production?' +- **Counter-argument anticipation**: 'These vulnerabilities are fixable.' Response: They are, but the cost of fixing them post-deployment is exponentially higher than the time spent on proactive review. 
+ +--- + +*Last updated: 2026-06-05 | Sources: Security research 2025, GitHub/Microsoft research, Google DORA report 2024, TanStack CVE-2026-45321* diff --git a/output/battlecards/charts/mini_code_vulnerabilities.png b/output/battlecards/charts/mini_code_vulnerabilities.png new file mode 100644 index 0000000..e247282 Binary files /dev/null and b/output/battlecards/charts/mini_code_vulnerabilities.png differ
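Review bot: The image reference `![](mini_code_vulnerabilities.png)` in the Fact section will not resolve as written: the card is added under `output/battlecards/cards/` while the chart is added under `output/battlecards/charts/`, so the relative path should be `../charts/mini_code_vulnerabilities.png` (or whatever path the card renderer expects). Two further points worth settling before merge: the Fact bullets cite only "security research, 2025" and "security analysis" with no title or link, so the headline 48% figure cannot be checked and reads oddly next to the 29.1% Python and 24.2% JavaScript rates attributed to the same source on the same line, and the "Mini Shai-Hulud" / CVE-2026-45321 item in Impact is specific enough that it should carry a concrete reference rather than "security research, May 2026"; and "exponentially higher" in the Act section's counter-argument should either cite a cost figure or be softened to "substantially higher", since the card gives no data to support an exponential claim.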