generalize presets into mosaic profiles with runtime overlays

profiles/domains/fintech-security.json

@@ -0,0 +1,181 @@
+{
+  "name": "Fintech Security Compliance",
+  "description": "PCI DSS and financial security requirements for fintech applications",
+  "domainKeywords": ["payment", "financial", "banking", "credit", "debit", "transaction", "pci", "fintech"],
+  "compliance": {
+    "regulations": ["PCI DSS", "PSD2", "SOX", "KYC", "AML"],
+    "scope": "Applications processing payment card data",
+    "requirements": [
+      "Secure cardholder data",
+      "Encrypt transmission of cardholder data",
+      "Protect stored cardholder data",
+      "Maintain vulnerability management program",
+      "Implement strong access control measures",
+      "Regularly monitor and test networks",
+      "Maintain information security policy"
+    ]
+  },
+  "dataClassification": {
+    "pan": {
+      "definition": "Primary Account Number (Credit/Debit card number)",
+      "storage": "Never store full PAN unless absolutely necessary",
+      "masking": "Show only last 4 digits",
+      "encryption": "AES-256 if storage required",
+      "transmission": "Always encrypted with TLS 1.2+"
+    },
+    "sadData": {
+      "definition": "Sensitive Authentication Data",
+      "types": ["CVV2", "PIN", "Track data"],
+      "storage": "Never store SAD after authorization",
+      "handling": "Process but do not retain"
+    },
+    "cardholderData": {
+      "definition": "PAN + cardholder name, service code, expiration date",
+      "minimization": "Store only if business need exists",
+      "retention": "Purge when no longer needed",
+      "access": "Restrict access to authorized personnel only"
+    }
+  },
+  "securityPatterns": {
+    "encryption": {
+      "algorithm": "AES-256 for data at rest",
+      "keyManagement": "Hardware Security Modules (HSMs) preferred",
+      "transmission": "TLS 1.2+ for data in transit",
+      "tokenization": "Replace PAN with non-sensitive tokens"
+    },
+    "authentication": {
+      "mfa": "Multi-factor authentication mandatory",
+      "passwordPolicy": "Complex passwords, regular rotation",
+      "sessionManagement": "Secure session handling with timeout",
+      "biometric": "Support for biometric authentication"
+    },
+    "authorization": {
+      "rbac": "Role-based access control",
+      "segregationOfDuties": "Separate roles for sensitive operations",
+      "leastPrivilege": "Minimum necessary access principle",
+      "approval": "Multi-person approval for high-value transactions"
+    },
+    "fraudPrevention": {
+      "riskScoring": "Real-time transaction risk assessment",
+      "monitoring": "Anomaly detection and behavioral analytics",
+      "alerts": "Immediate alerts for suspicious activities",
+      "blocking": "Automatic blocking of fraudulent transactions"
+    }
+  },
+  "implementationPatterns": {
+    "backend": {
+      "paymentProcessing": {
+        "tokenization": "Use payment tokens instead of card data",
+        "validation": "Validate all payment inputs",
+        "logging": "Log transactions without sensitive data",
+        "encryption": "Encrypt cardholder data before storage"
+      },
+      "apiSecurity": {
+        "rateLimit": "Implement rate limiting",
+        "apiKeys": "Secure API key management", 
+        "signing": "Request signing for sensitive operations",
+        "monitoring": "Monitor API usage patterns"
+      },
+      "database": {
+        "encryption": "Database-level encryption for sensitive fields",
+        "access": "Database access controls and monitoring",
+        "backup": "Encrypted backups with secure key management",
+        "masking": "Data masking for non-production environments"
+      }
+    },
+    "frontend": {
+      "paymentForms": {
+        "https": "Always use HTTPS for payment pages",
+        "validation": "Client-side validation with server confirmation",
+        "autocomplete": "Disable autocomplete for sensitive fields",
+        "iframes": "Use secure iframes for payment card input"
+      },
+      "dataHandling": {
+        "noStorage": "Never store payment data in browser",
+        "masking": "Mask card numbers in UI",
+        "timeout": "Session timeout for payment pages",
+        "clearData": "Clear payment data from memory after use"
+      }
+    }
+  },
+  "testingRequirements": {
+    "coverage": {
+      "minimum": "90% for payment processing modules",
+      "focus": "Security controls and fraud prevention"
+    },
+    "security": [
+      "Penetration testing quarterly",
+      "Vulnerability scanning monthly",
+      "Code review for all payment code",
+      "Test encryption implementation",
+      "Validate tokenization process"
+    ],
+    "compliance": [
+      "PCI DSS compliance validation",
+      "Test access controls",
+      "Validate audit logging",
+      "Test incident response procedures",
+      "Verify data retention policies"
+    ]
+  },
+  "context7Libraries": [
+    "stripe",
+    "bcrypt",
+    "jsonwebtoken",
+    "helmet",
+    "express-rate-limit",
+    "crypto"
+  ],
+  "codeTemplates": {
+    "paymentEntity": {
+      "description": "Payment entity with tokenization",
+      "template": "@Entity()\nexport class Payment {\n  @Tokenized()\n  @Column()\n  cardToken: string;\n\n  @Column()\n  lastFourDigits: string;\n\n  @Encrypted()\n  @Column()\n  amount: number;\n}"
+    },
+    "transactionLog": {
+      "description": "Secure transaction logging",
+      "template": "await this.auditService.logTransaction({\n  transactionId: transaction.id,\n  userId: user.id,\n  amount: transaction.amount,\n  currency: transaction.currency,\n  status: 'COMPLETED',\n  riskScore: riskAssessment.score,\n  timestamp: new Date()\n});"
+    },
+    "fraudCheck": {
+      "description": "Fraud prevention check",
+      "template": "const riskScore = await this.fraudService.assessRisk({\n  userId: user.id,\n  amount: transaction.amount,\n  location: transaction.location,\n  deviceFingerprint: request.deviceId\n});\n\nif (riskScore > FRAUD_THRESHOLD) {\n  await this.alertService.triggerFraudAlert(transaction);\n}"
+    }
+  },
+  "complianceChecklist": [
+    "Cardholder data is encrypted at rest and in transit",
+    "Sensitive authentication data is not stored",
+    "Access to cardholder data is restricted and monitored",
+    "Strong cryptography and security protocols are used",
+    "Antivirus software is maintained",
+    "Secure systems and applications are developed",
+    "Access to data is restricted by business need-to-know",
+    "Unique IDs are assigned to each person with computer access",
+    "Physical access to cardholder data is restricted",
+    "All access to network resources is logged and monitored",
+    "Security systems and processes are regularly tested",
+    "Information security policy is maintained"
+  ],
+  "riskAssessment": [
+    "Unauthorized access to payment data",
+    "Data breaches and card data theft",
+    "Fraud and unauthorized transactions",
+    "System vulnerabilities and exploits",
+    "Insider threats and malicious employees",
+    "Third-party payment processor risks",
+    "Network security vulnerabilities",
+    "Application security weaknesses",
+    "Physical security of payment systems",
+    "Business continuity and disaster recovery"
+  ],
+  "regulatoryReporting": [
+    "PCI DSS compliance reports",
+    "Suspicious activity reports (SARs)",
+    "Currency transaction reports (CTRs)",
+    "Know Your Customer (KYC) documentation",
+    "Anti-Money Laundering (AML) compliance",
+    "Data breach notification requirements",
+    "Consumer privacy disclosures",
+    "Financial audit requirements",
+    "Incident response documentation",
+    "Third-party risk assessments"
+  ]
+}