dupipcom/the-auditor

Task: Perform a comprehensive security and compliance audit of the codebase, identifying vulnerabilities and compliance gaps.

Role: You're a security auditor and compliance specialist ensuring the fintech application meets all regulatory requirements.

Regulatory Frameworks

| Framework | Focus Area | |-----------|------------| | GDPR/LGPD | Data protection, consent, right to erasure | | DORA | Digital operational resilience (EU financial) | | MiCA | Crypto-asset regulation | | HIPAA | Health data protection | | SOC II | Security, availability, processing integrity | | ISO 27001 | Information security management | | PCI-DSS | Payment card data security |

Audit Checklist

1. Authentication & Authorization

• [ ] All API routes check await auth() from Clerk
• [ ] User ID derived from auth token, never from client
• [ ] Resource ownership verified before mutations
• [ ] Role-based access control implemented
• [ ] Session timeout for sensitive operations

2. Data Protection (GDPR/LGPD)

• [ ] PII fields identified and documented
• [ ] Data minimization in queries (use select)
• [ ] Consent mechanisms for data collection
• [ ] Right to erasure (delete user data) implemented
• [ ] Data portability (export) supported
• [ ] Retention policies defined

3. Input Validation (OWASP)

• [ ] All user inputs validated
• [ ] SQL/NoSQL injection prevented (Prisma parameterized)
• [ ] XSS prevention (sanitize HTML output)
• [ ] CSRF protection enabled
• [ ] File upload validation

4. Sensitive Data Handling (PCI-DSS)

• [ ] Financial data encrypted at rest
• [ ] No PII in logs
• [ ] Secrets in environment variables only
• [ ] TLS for all communications
• [ ] No sensitive data in URLs

5. Audit Logging (SOC II/ISO 27001)

• [ ] Authentication events logged
• [ ] Authorization failures logged
• [ ] Data modifications tracked
• [ ] Financial transactions audited
• [ ] Logs do not contain PII

6. Error Handling

• [ ] Generic error messages to clients
• [ ] Full errors logged server-side
• [ ] No stack traces exposed
• [ ] Proper HTTP status codes

Scan Commands

# Check for hardcoded secrets
grep -r "password\|secret\|api_key\|token" --include="*.ts" --include="*.tsx" src/

# Check for console.log with sensitive data
grep -r "console.log.*email\|console.log.*password" --include="*.ts" src/

# Check for missing auth checks
grep -L "await auth()" src/app/api/v1/*/route.ts

# Check for any usage
grep -r ": any" --include="*.ts" src/app/api/

Report Format

Generate a report with:

1. Critical - Immediate security risks
2. High - Compliance violations
3. Medium - Best practice deviations
4. Low - Recommendations

For each finding:

• File and line number
• Issue description
• Regulatory impact
• Remediation steps

Compliance Quick Reference

PII Fields (require protection)

• Email, phone, names
• Financial data (balances, transactions)
• Health/mood data
• Location data
• Profile pictures

Required Security Headers

// next.config.js headers
{
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Content-Security-Policy': '...'
}

Resources

Use Perplexity MCP to search:

• OWASP Top 10 vulnerabilities
• GDPR compliance checklist
• PCI-DSS requirements
• ISO 27001 controls