Security & Compliance · controls inventory
This page is a controls inventory written for CISO, security architect, compliance, and audit reviewers. Each section lists specific primitives currently in place. The standards alignment section explicitly separates implemented controls from in-progress ones. This is not a certification claim.
Passwords: scrypt with embedded cost parameters N=16384, r=8, p=1, constant-time verification. TOTP per RFC 6238 with backup codes per RFC 4226. M2M API keys are SHA-256-hashed at rest. Invite tokens are 192-bit CSPRNG, SHA-256-stored. Lockout enforced per identity and per source IP.
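The password record described above, as an added illustration that is not the project's own code: the cost parameters (N=16384, r=8, p=1) are written into every stored record so verification recomputes with whatever parameters that record carries, the comparison is constant-time, and a record whose parameters fall below current policy can be flagged for rehash on the next successful login. The `scrypt$N$r$p$salt$key` record layout and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Cost parameters named on the page. They are embedded in every stored record so
# a future policy increase does not invalidate existing hashes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 16384, 8, 1
SALT_LEN = 16
KEY_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$key (layout is an assumption)."""
    salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)
    return f"scrypt${n}${r}${p}${_b64(salt)}${_b64(key)}"


def _parse(stored: str):
    """Split a record into (n, r, p, salt, key); raises ValueError on any malformed field."""
    algo, n, r, p, salt, key = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record")
    return (int(n), int(r), int(p),
            base64.b64decode(salt, validate=True), base64.b64decode(key, validate=True))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        n, r, p, salt, expected = _parse(stored)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                                   dklen=len(expected))
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the embedded parameters are below current policy."""
    try:
        n, r, p, _, _ = _parse(stored)
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
```

`hmac.compare_digest` is the same primitive a double-submit CSRF check would use for its token comparison; the point in both places is that the comparison time must not depend on where the first differing byte sits.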
Opaque sess_… tokens, hashed at rest. Session cookies HttpOnly + SameSite=Strict. CSRF via double-submit token with constant-time comparison. Live re-validation on every request, no stale acceptance window.
Scope is derived from the principal, not the request. enforceScope validates query and body in a single pass. RBAC is a fail-closed allow-list. Postgres RLS is ENABLE + FORCE on 13 named tables. Audit events live in journal_events, append-only via a BEFORE trigger. Unknown IBANs are quarantined.
Field-level AES-256-GCM. Ciphertext format enc:v2:<keyId>:… enables key rotation by embedded keyId. Keys are domain-separated per data class.
Database TLS with certificate verification enforced. Outbound traffic HTTPS-only, redirects are not followed. Strict-Transport-Security in production.
Parameterised SQL throughout. Zod schemas at the boundary. Money represented as BigInt minor units. Request body capped at 1 MB. Per-caller rate limiting. Idempotency keys required on write paths. Slowloris timeouts on connections. Generic error responses, no internal detail leakage. Cache-Control: no-store on sensitive responses.
Explicit CSP. X-Frame-Options: DENY. Metrics labels kept low-cardinality to prevent label-explosion DoS.
Path-traversal guard on every filename. XXE fully closed: DOCTYPE is refused, not just resolved-as-empty. Gzip expansion capped at 64 MB. Idempotency is content-addressed.
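Two of the ingestion guards listed above, the per-filename path-traversal check and the decompression cap, as an added example that is not the project's own code. The filename guard accepts only a bare name and confirms that the resolved target (symlinks followed) still sits directly inside the upload directory; the gzip guard inflates in bounded chunks and aborts the moment the running output size crosses the cap, rather than inflating first and measuring afterwards. The function names, the `/tmp/uploads-sample` directory and the zero-filled sample input are assumptions constructed for this example.

```python
import gzip
import os
import zlib
from pathlib import Path

MAX_EXPANSION = 64 * 1024 * 1024  # 64 MB cap, as stated on the page


class ExpansionLimitExceeded(ValueError):
    """Raised when decompressed output would exceed the configured cap."""


def safe_upload_path(base: Path, filename: str) -> Path:
    """Accept only a bare filename and confirm the resolved target stays inside base."""
    if (not filename or filename in (".", "..") or "\0" in filename
            or filename != os.path.basename(filename)):
        raise ValueError("filename must be a bare name without separators")
    root = base.resolve()
    target = (root / filename).resolve()  # follows symlinks, so a planted link is caught too
    if target.parent != root:
        raise ValueError("filename escapes the upload directory")
    return target


def is_safe_filename(filename: str, base: str = "/tmp/uploads-sample") -> bool:
    try:
        safe_upload_path(Path(base), filename)
    except ValueError:
        return False
    return True


def gunzip_capped(data: bytes, max_out: int = MAX_EXPANSION, chunk: int = 64 * 1024) -> bytes:
    """Inflate incrementally and stop as soon as the output cap is crossed."""
    d = zlib.decompressobj(wbits=31)  # 31: require a gzip header and trailer
    out = bytearray()
    pending = data
    while pending:
        out += d.decompress(pending, max_length=chunk)
        if len(out) > max_out:
            raise ExpansionLimitExceeded(f"output exceeds {max_out} bytes")
        pending = d.unconsumed_tail  # input zlib did not touch because the chunk filled
    out += d.flush()
    if len(out) > max_out:
        raise ExpansionLimitExceeded(f"output exceeds {max_out} bytes")
    if not d.eof:
        raise ValueError("truncated or corrupt gzip stream")
    return bytes(out)


def compress_zeros(n: int) -> bytes:
    """Constructed sample input: n zero bytes, which gzip shrinks by roughly a thousandfold."""
    return gzip.compress(b"\0" * n, compresslevel=9)


def exceeds_cap(data: bytes, max_out: int) -> bool:
    try:
        gunzip_capped(data, max_out=max_out)
    except ExpansionLimitExceeded:
        return True
    return False
```

The cap is checked against the running total on every chunk, so memory use is bounded by `max_out` plus one chunk regardless of the compression ratio of the input.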
Structural SSRF guard rejects private-range, loopback, and decoded obfuscated IP literals. DNS resolution is checked, and IP pinning defeats DNS-rebinding TOCTOU between check and connect. SFTP host keys are pinned. Webhook destination URLs are re-checked at delivery time.
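The structural guard and the pinning step described above, as an added example rather than the project's own code. It refuses non-HTTPS schemes, decodes the inet_aton-style spellings of an IP literal (pure decimal, octal, hex, fewer than four dotted parts) before classifying it, unwraps IPv4-mapped IPv6 addresses, requires every resolved address to be public, and returns the one address the caller must connect to together with the original host name for the Host header and SNI. Resolution is injectable so the check runs offline here; the `sample_resolver` table and the function names are constructed for this example, and the page does not state which ranges its guard enumerates beyond private, loopback and obfuscated literals.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterable, Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]


class UnsafeDestination(ValueError):
    """Raised for any destination that is not a public HTTPS host."""


_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _decode_ipv4_literal(host: str) -> Optional[ipaddress.IPv4Address]:
    """Decode inet_aton-style spellings: 2130706433, 0177.0.0.1, 0x7f.1, ..."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    nums = []
    for p in parts:
        if p.lower().startswith("0x"):
            nums.append(int(p[2:], 16))
        elif len(p) > 1 and p.startswith("0"):
            nums.append(int(p, 8))
        else:
            nums.append(int(p, 10))
    *lead, last = nums  # the last part fills all remaining bytes, as inet_aton does
    if any(n > 255 for n in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    value = last
    for i, n in enumerate(lead):
        value |= n << (24 - 8 * i)
    return ipaddress.IPv4Address(value)


def _literal_address(host: str) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(host)  # canonical IPv4 / IPv6 spellings
    except ValueError:
        return _decode_ipv4_literal(host)


def _is_public(addr: IPAddress) -> bool:
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is 10.0.0.1 on the wire
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _system_resolve(host: str) -> Iterable[str]:
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]


def sample_resolver(host: str) -> Iterable[str]:
    """Constructed lookup table standing in for DNS; 23.45.67.89 is a public-range sample."""
    table = {
        "api.example.com": ["23.45.67.89"],
        "rebind.example": ["23.45.67.89", "10.0.0.5"],  # one public, one internal answer
    }
    return table[host]


def pinned_destination(url: str, resolve: Resolver = _system_resolve) -> Tuple[str, str]:
    """Return (pinned_ip, host_header); the caller connects to pinned_ip only."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeDestination("only https destinations are allowed")
    host = parts.hostname
    if not host:
        raise UnsafeDestination("missing host")
    literal = _literal_address(host)
    if literal is not None:
        addrs = [literal]
    else:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        if not addrs:
            raise UnsafeDestination(f"{host} did not resolve")
    for addr in addrs:  # every answer must be public, not just the first
        if not _is_public(addr):
            raise UnsafeDestination(f"{host} maps to non-public address {addr}")
    return str(addrs[0]), host


def is_safe_destination(url: str, resolve: Resolver = _system_resolve) -> bool:
    try:
        pinned_destination(url, resolve)
    except (UnsafeDestination, ValueError, KeyError):
        return False
    return True
```

Connecting to the returned address instead of the host name is what closes the rebinding window: the name is resolved exactly once, checked, and never looked up again between check and connect.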
PGP sign + encrypt fail-closed. XML-DSig with RSA-SHA256 and mandatory certificate pinning. EBICS H005 uses RSA-OAEP with HPB fingerprint verification. Bank Connect messages are signature-verified.
Honest note: several banks still mandate RSA PKCS#1 v1.5 and AES-CBC at the channel boundary. Where those are required we use them, surrounded by extra integrity and pinning hardening, but we do not pretend the underlying primitives are our choice.
Maker-checker is fail-closed: an initiator cannot self-approve. Locked policies require a second admin to modify. Terminal states are protected, sent and acknowledged payments cannot regress. MsgId is scoped per bank key to prevent collision across tenants.
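The maker-checker rule and the terminal-state protection above, as an added example that is not the project's own code. Transitions are an explicit allow-list, so anything not listed (including every move away from a sent or acknowledged payment) is refused, and the approval step rejects an approver whose identity equals the initiator's regardless of role. The state names, the transition table and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Set, Tuple


class State(Enum):
    DRAFT = "draft"
    PENDING_APPROVAL = "pending_approval"
    APPROVED = "approved"
    REJECTED = "rejected"
    SENT = "sent"
    ACKNOWLEDGED = "acknowledged"


# Fail-closed allow-list: a transition absent from this set is refused. Nothing
# leads out of ACKNOWLEDGED, and SENT may only move forward to ACKNOWLEDGED.
ALLOWED: Set[Tuple[State, State]] = {
    (State.DRAFT, State.PENDING_APPROVAL),
    (State.PENDING_APPROVAL, State.APPROVED),
    (State.PENDING_APPROVAL, State.REJECTED),
    (State.APPROVED, State.SENT),
    (State.SENT, State.ACKNOWLEDGED),
}


class PolicyViolation(PermissionError):
    pass


@dataclass
class Payment:
    payment_id: str
    initiator: str
    state: State = State.DRAFT
    approver: Optional[str] = None


def transition(p: Payment, new_state: State) -> Payment:
    if (p.state, new_state) not in ALLOWED:
        raise PolicyViolation(f"{p.state.value} -> {new_state.value} is not permitted")
    p.state = new_state
    return p


def submit(p: Payment, actor: str) -> Payment:
    if actor != p.initiator:
        raise PolicyViolation("only the initiator submits for approval")
    return transition(p, State.PENDING_APPROVAL)


def approve(p: Payment, approver: str) -> Payment:
    # Maker-checker: the identity that initiated the payment can never be its checker.
    if approver == p.initiator:
        raise PolicyViolation("initiator cannot self-approve")
    p.approver = approver
    return transition(p, State.APPROVED)


def is_refused(action: Callable, *args) -> bool:
    """Run an action and report whether policy refused it."""
    try:
        action(*args)
    except PolicyViolation:
        return True
    return False
```

Because the table lists permitted moves rather than forbidden ones, adding a new state later cannot silently open a regression path; it stays unreachable until a transition is deliberately added.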
All state changes journaled. The journal is hash-chained with HMAC-SHA256 using a server-held audit key. GET /journal/audit/verify re-walks the chain and reports the first inconsistent entry. We document what this guarantees (tamper-evidence within the database trust boundary) and what it does not (it is not an external timestamping service).
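The hash-chained journal and its verification walk, as an added example rather than the project's own code. Each entry's MAC covers its sequence number, the previous entry's MAC and the canonicalised payload under the server-held key, and the verifier re-walks from a fixed genesis link and returns the index of the first entry that does not fit, which is the behaviour the page describes for GET /journal/audit/verify. The entry layout, the canonicalisation and the sample events are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # prev-link of the first entry; same width as a hex SHA-256 MAC


def _entry_mac(key: bytes, seq: int, prev: str, payload: Dict[str, Any]) -> str:
    # Canonical JSON so the same payload always serialises to the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    msg = f"{seq}\n{prev}\n".encode("ascii") + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(journal: List[Dict[str, Any]], key: bytes, payload: Dict[str, Any]) -> Dict[str, Any]:
    seq = len(journal)
    prev = journal[-1]["mac"] if journal else GENESIS
    entry = {"seq": seq, "prev": prev, "payload": payload, "mac": _entry_mac(key, seq, prev, payload)}
    journal.append(entry)
    return entry


def verify_chain(journal: List[Dict[str, Any]], key: bytes) -> Optional[int]:
    """Return the index of the first inconsistent entry, or None if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(journal):
        if e["seq"] != i or e["prev"] != prev:
            return i  # gap, reorder or removed entry
        if not hmac.compare_digest(e["mac"], _entry_mac(key, i, prev, e["payload"])):
            return i  # payload or MAC altered
        prev = e["mac"]
    return None


def sample_journal(key: bytes) -> List[Dict[str, Any]]:
    """Constructed sample events for the verifier to walk."""
    j: List[Dict[str, Any]] = []
    append_event(j, key, {"event": "payment.created", "id": "pay-1", "amount_minor": 12500})
    append_event(j, key, {"event": "payment.approved", "id": "pay-1", "by": "bob"})
    append_event(j, key, {"event": "payment.sent", "id": "pay-1"})
    return j
```

The walk detects edits, reorders and removals anywhere inside the chain, but deleting entries from the tail leaves a shorter chain that still verifies; catching that needs the latest head MAC held outside the database, which is the boundary the page draws when it says the mechanism is not an external timestamping service.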
KeyProvider validates required keys at boot. Refuses to start in production with a development key. Refuses to start if the audit HMAC key fails an entropy check.
Standards alignment is used as a checklist lens, not as a certification claim. SOC 2 / ISO 27001 readiness is in progress. External penetration testing is built in as an integral, ongoing part of delivery. KMS/HSM as default key custody is planned. Live production bank round-trips are pending real bank agreements.
The full dossier expands every section above with code references, test artefacts, and the standards mapping table. It is shared on request under NDA.
Email hello@bankconnector.com