Add full monorepo: virtual-banker, backend, frontend, docs, scripts, deployment

Co-authored-by: Cursor <cursoragent@cursor.com>

docs/specs/security/auth-spec.md

@@ -0,0 +1,100 @@
+# Authentication & Authorization Specification
+
+## Overview
+
+Authentication and authorization system for user access and API access.
+
+## User Authentication Flows
+
+### Authentication Methods
+
+**1. Email/Password**:
+- Registration with email
+- Password hashing (bcrypt/argon2)
+- Email verification
+
+**2. OAuth**:
+- Google, GitHub, etc.
+- OAuth 2.0 flow
+- Token-based authentication
+
+**3. Wallet Authentication**:
+- Signature-based authentication
+- Prove ownership of address
+
+### Session Management
+
+**Storage**: HTTP-only cookies or JWT tokens
+**Expiration**: Configurable (default: 24 hours)
+**Refresh**: Refresh tokens for extended sessions
+
+## API Key Management
+
+### Key Generation
+
+**Format**: Secure random tokens
+**Storage**: Hashed (not plaintext)
+**Metadata**: Name, tier, permissions, expiration
+
+### Key Usage
+
+**Authentication**: Via `X-API-Key` header
+**Rate Limiting**: Based on key tier
+**Revocation**: Support key revocation
+
+## RBAC (Role-Based Access Control)
+
+### Roles
+
+**Public**: Unauthenticated users
+**User**: Authenticated users
+**Pro**: Paid tier users
+**Admin**: Platform administrators
+**Compliance**: Compliance officers
+
+### Permissions
+
+**Read**: View data
+**Write**: Create/update data
+**Admin**: Full access
+**Compliance**: Compliance-specific access
+
+## OAuth Integration
+
+### OAuth Providers
+
+- Google
+- GitHub
+- Others as needed
+
+### OAuth Flow
+
+1. User initiates OAuth login
+2. Redirect to provider
+3. User authorizes
+4. Callback with code
+5. Exchange code for tokens
+6. Create/login user account
+7. Establish session
+
+## Session Management
+
+### Session Storage
+
+**Options**: 
+- Server-side sessions (Redis)
+- JWT tokens (stateless)
+
+**Recommendation**: Server-side sessions for better security
+
+### Session Security
+
+- Secure cookies (HTTPS only)
+- HttpOnly flag
+- SameSite attribute
+- CSRF protection
+
+## References
+
+- Security Architecture: See `security-architecture.md`
+

docs/specs/security/ddos-protection.md

@@ -0,0 +1,62 @@
+# DDoS Protection Specification
+
+## Overview
+
+DDoS protection via WAF, CDN, and rate limiting.
+
+## WAF Rules
+
+### Rule Categories
+
+**1. IP Reputation**:
+- Block known malicious IPs
+- Rate limit suspicious IPs
+
+**2. Request Patterns**:
+- Detect bot patterns
+- Block automated attacks
+
+**3. Geographic**:
+- Optional geographic restrictions
+- Block high-risk regions
+
+## CDN Integration
+
+**Provider**: Cloudflare
+**Benefits**: 
+- DDoS mitigation
+- Geographic distribution
+- Caching
+
+## Rate Limiting Strategies
+
+### Rate Limit Levels
+
+**Per IP**: 100 requests/minute
+**Per API Key**: Based on tier
+**Per Endpoint**: Varies by endpoint complexity
+
+### Implementation
+
+**Method**: Token bucket or sliding window
+**Storage**: Redis for distributed rate limiting
+**Headers**: Rate limit headers in responses
+
+## IP Blocking and Whitelisting
+
+### Blocking
+
+**Automatic**: Block IPs exceeding rate limits
+**Manual**: Admin can block specific IPs
+**Temporary**: Auto-unblock after cooldown period
+
+### Whitelisting
+
+**Use Case**: Known good IPs (partners, internal)
+**Implementation**: Bypass rate limits for whitelisted IPs
+
+## References
+
+- API Gateway: See `../api/api-gateway.md`
+- Security Architecture: See `security-architecture.md`
+

docs/specs/security/privacy-controls.md

@@ -0,0 +1,63 @@
+# Privacy Controls Specification
+
+## Overview
+
+Privacy controls for PII protection and data residency.
+
+## PII Separation Strategy
+
+### Data Segregation
+
+**Public Data**: Blockchain data (no PII)
+**Private Data**: User accounts, KYC data (PII)
+**Storage**: Separate databases/partitions
+
+### Access Control
+
+**Public Data**: Open access
+**Private Data**: Strict access control, encryption
+
+## Tokenization/Encryption
+
+### Identity Artifacts
+
+**Encryption**: Encrypt sensitive identity documents
+**Storage**: Encrypted at rest
+**Access**: Decrypt only when needed, audit logged
+
+### Tokenization
+
+**Use Case**: Reference PII without exposing it
+**Implementation**: Store tokens, map to PII securely
+
+## Regional Data Residency Controls
+
+### Data Residency
+
+**Requirement**: Store data in specific regions per regulations
+**Implementation**: Regional databases/partitions
+**Routing**: Route user data to appropriate region
+
+### Compliance
+
+- GDPR (EU)
+- CCPA (California)
+- Others as needed
+
+## Data Retention Policies
+
+### Retention Periods
+
+**User Data**: Per regulatory requirements
+**Transaction Data**: Per regulatory requirements
+**Logs**: Per security requirements
+
+### Deletion
+
+**Right to Deletion**: Support user data deletion requests
+**Process**: Secure deletion, audit logged
+
+## References
+
+- Security Architecture: See `security-architecture.md`
+

docs/specs/security/security-architecture.md

@@ -0,0 +1,69 @@
+# Security Architecture Specification
+
+## Overview
+
+Security architecture including threat model, security boundaries, and security controls.
+
+## Threat Model
+
+### Threat Categories
+
+**1. External Threats**:
+- DDoS attacks
+- SQL injection
+- XSS attacks
+- API abuse
+
+**2. Internal Threats**:
+- Privileged user abuse
+- Data breaches
+- Insider threats
+
+**3. Infrastructure Threats**:
+- Node compromise
+- Database breaches
+- Network attacks
+
+## Security Boundaries
+
+**DMZ**: Public-facing services
+**Internal Network**: Backend services
+**Data Layer**: Database and storage (isolated)
+**Blockchain Network**: Node network (isolated)
+
+## KMS/HSM Integration
+
+### Key Management
+
+**Storage**: Hardware Security Module (HSM)
+**Usage**: API keys, signing keys, encryption keys
+**Access**: Role-based, audit logged
+
+## Secrets Management
+
+### Secret Storage
+
+**Solution**: Vault, AWS Secrets Manager, or similar
+**Encryption**: At rest and in transit
+**Rotation**: Regular key rotation
+**Access**: Least privilege principle
+
+## Signed Builds and SBOM
+
+### Build Signing
+
+**Process**: Sign all builds
+**Verification**: Verify signatures before deployment
+**Tooling**: Code signing certificates
+
+### SBOM (Software Bill of Materials)
+
+**Generation**: Generate SBOM for all dependencies
+**Storage**: Store SBOM for audit
+**Vulnerability Scanning**: Scan SBOM for known vulnerabilities
+
+## References
+
+- Authentication: See `auth-spec.md`
+- Privacy: See `privacy-controls.md`
+