diff --git a/ai-compliance-sdk/policies/payment_controls_v1.json b/ai-compliance-sdk/policies/payment_controls_v1.json
index da359a0..9e54bf2 100644
--- a/ai-compliance-sdk/policies/payment_controls_v1.json
+++ b/ai-compliance-sdk/policies/payment_controls_v1.json
@@ -192,6 +192,41 @@
 "id": "TERMSYNC",
 "name": "Terminal Synchronization",
 "description": "Abgleich, Settlement, Offline-Sync, Konsistenz"
+ },
+ {
+ "id": "ZVT-CMD",
+ "name": "ZVT Command Flow",
+ "description": "ZVT-Kommandoreihenfolge, Parameter, Antwortverarbeitung"
+ },
+ {
+ "id": "ZVT-RT",
+ "name": "ZVT Retry & Timeout",
+ "description": "Timeout-Definitionen, Retry-Strategien, Backoff"
+ },
+ {
+ "id": "ZVT-STATE",
+ "name": "ZVT State Machine",
+ "description": "Zustandsmodell, Uebergaenge, Recovery, Deadlock-Vermeidung"
+ },
+ {
+ "id": "ZVT-COM",
+ "name": "ZVT Communication Integrity",
+ "description": "Nachrichtenlaenge, Checksummen, Encoding, Fragmentierung"
+ },
+ {
+ "id": "ZVT-REV",
+ "name": "ZVT Reversal & Cancellation",
+ "description": "Storno, Reversal, Zuordnung, Mehrfachschutz"
+ },
+ {
+ "id": "ZVT-RESP",
+ "name": "ZVT Response Handling",
+ "description": "Response-Codes, Fehlerinterpretation, Statusupdate"
+ },
+ {
+ "id": "ZVT-SESSION",
+ "name": "ZVT Session Management",
+ "description": "Session-Lifecycle, Timeout, Wiederaufnahme, Parallelitaet"
 }
 ],
 "controls": [
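Review bot: The new domain ids carry an internal hyphen (`ZVT-CMD`, `ZVT-RT`, `ZVT-SESSION`, …) whereas the one existing id visible in this hunk is a single token (`TERMSYNC`), and the controls added further down in this commit form their `control_id` as `<domain>-<nnn>`, so `ZVT-CMD-001` no longer splits unambiguously into domain and sequence number on `-`. If any loader, report or validator derives the domain from `control_id` by splitting on the hyphen or checks ids against a `^[A-Z]+-\d{3}$`-style pattern, these seven domains will misparse; please confirm that the `domain` field is the sole source of truth, or rename to hyphen-free ids such as `"id": "ZVTCMD"` for consistency with the existing scheme. The ASCII transliterations in the descriptions (`Uebergaenge`, `Nachrichtenlaenge`, `Parallelitaet`) are presumably the file's convention, but that cannot be confirmed from the context lines shown here.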
@@ -5069,6 +5104,450 @@
 "db_schema"
 ],
 "automation": "low"
+ },
+ {
+ "control_id": "TERMSYNC-009",
+ "domain": "TERMSYNC",
+ "title": "Sync unterscheidet fachliche Klaerung von technischer Wiederholung",
+ "objective": "Verhindert Wiederholung finaler Zustaende",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "state_machine_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "TERMSYNC-010",
+ "domain": "TERMSYNC",
+ "title": "Terminal/Backend-Zustaende regelmaessig auf Divergenzen geprueft",
+ "objective": "Erkennt Inkonsistenzen fruehzeitig",
+ "check_target": "system",
+ "evidence": [
+ "reconciliation_jobs",
+ "audit_log_sample"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-CMD-001",
+ "domain": "ZVT-CMD",
+ "title": "ZVT-Kommandos nur in zulaessiger Reihenfolge",
+ "objective": "Verhindert Protokollverletzungen",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "state_machine_tests"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-CMD-002",
+ "domain": "ZVT-CMD",
+ "title": "Ungueltige Kommandos sicher zurueckgewiesen",
+ "objective": "Verhindert undefined behavior",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "negative_tests"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-CMD-003",
+ "domain": "ZVT-CMD",
+ "title": "Verpflichtende Parameter vorhanden",
+ "objective": "Sichert korrekte Kommunikation",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "protocol_tests"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-CMD-004",
+ "domain": "ZVT-CMD",
+ "title": "Optionalfelder korrekt interpretiert und validiert",
+ "objective": "Verhindert Fehlinterpretation",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "protocol_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-CMD-005",
+ "domain": "ZVT-CMD",
+ "title": "Terminalantworten vollstaendig gelesen und verarbeitet",
+ "objective": "Verhindert Zustandsverlust",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "integration_test"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-RT-001",
+ "domain": "ZVT-RT",
+ "title": "Timeouts fuer Terminalkommunikation definiert",
+ "objective": "Verhindert blockierende Prozesse",
+ "check_target": "config",
+ "evidence": [
+ "config",
+ "source_code"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-RT-002",
+ "domain": "ZVT-RT",
+ "title": "Retries unterscheiden idempotent/nicht-idempotent",
+ "objective": "Verhindert doppelte Buchungen",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "retry_logic"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-RT-003",
+ "domain": "ZVT-RT",
+ "title": "Retry-Anzahl begrenzt",
+ "objective": "Verhindert Endlosschleifen",
+ "check_target": "config",
+ "evidence": [
+ "config",
+ "source_code"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-RT-004",
+ "domain": "ZVT-RT",
+ "title": "Backoff-Strategien implementiert",
+ "objective": "Verhindert Ueberlastung",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "retry_logic"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-RT-005",
+ "domain": "ZVT-RT",
+ "title": "Abgebrochene Transaktionen eindeutig markiert",
+ "objective": "Erleichtert Recovery",
+ "check_target": "system",
+ "evidence": [
+ "db_schema",
+ "source_code"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-STATE-001",
+ "domain": "ZVT-STATE",
+ "title": "Zahlungszustaende als explizite State Machine",
+ "objective": "Verhindert implizite Zustaende",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "state_machine_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-STATE-002",
+ "domain": "ZVT-STATE",
+ "title": "Ungueltige Zustandsuebergaenge nicht moeglich",
+ "objective": "Verhindert inkonsistente Zustaende",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "state_machine_tests"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-STATE-003",
+ "domain": "ZVT-STATE",
+ "title": "Jeder Zustand hat definierten Exit-Pfad",
+ "objective": "Verhindert Deadlocks",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "state_machine_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-STATE-004",
+ "domain": "ZVT-STATE",
+ "title": "Terminal- und Backendzustand abgeglichen",
+ "objective": "Verhindert Divergenzen",
+ "check_target": "system",
+ "evidence": [
+ "integration_test",
+ "reconciliation_jobs"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-STATE-005",
+ "domain": "ZVT-STATE",
+ "title": "Recovery-Zustaende explizit modelliert",
+ "objective": "Erhoeht Robustheit",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "state_machine_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-COM-001",
+ "domain": "ZVT-COM",
+ "title": "Nachrichtenlaengen validiert",
+ "objective": "Verhindert Parsing-Fehler",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "protocol_tests"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-COM-002",
+ "domain": "ZVT-COM",
+ "title": "Checksummen/Integritaet geprueft",
+ "objective": "Verhindert manipulierte Daten",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "protocol_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-COM-003",
+ "domain": "ZVT-COM",
+ "title": "Teilweise empfangene Nachrichten nicht verarbeitet",
+ "objective": "Verhindert inkonsistente Verarbeitung",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "negative_tests"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-COM-004",
+ "domain": "ZVT-COM",
+ "title": "Nachrichten in korrektem Encoding interpretiert",
+ "objective": "Verhindert Datenfehler",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "protocol_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-COM-005",
+ "domain": "ZVT-COM",
+ "title": "Protokollverletzungen erkannt und geloggt",
+ "objective": "Erhoeht Diagnosefaehigkeit",
+ "check_target": "system",
+ "evidence": [
+ "source_code",
+ "log_samples"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-REV-001",
+ "domain": "ZVT-REV",
+ "title": "Reversal nur fuer geeignete Transaktionen",
+ "objective": "Verhindert unzulaessige Rueckabwicklung",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "authorization_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-REV-002",
+ "domain": "ZVT-REV",
+ "title": "Reversal eindeutig einer Transaktion zugeordnet",
+ "objective": "Verhindert falsche Zuordnung",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "db_schema"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-REV-003",
+ "domain": "ZVT-REV",
+ "title": "Mehrfach-Reversal verhindert",
+ "objective": "Verhindert doppelte Rueckbuchung",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "integration_test"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-REV-004",
+ "domain": "ZVT-REV",
+ "title": "Reversal vollstaendig dokumentiert",
+ "objective": "Ermoeglicht Audit",
+ "check_target": "system",
+ "evidence": [
+ "audit_log_sample",
+ "db_schema"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-REV-005",
+ "domain": "ZVT-REV",
+ "title": "Fehlgeschlagene Reversals erneut geprueft oder eskaliert",
+ "objective": "Verhindert offene Transaktionen",
+ "check_target": "system",
+ "evidence": [
+ "source_code",
+ "ops_docs"
+ ],
+ "automation": "low"
+ },
+ {
+ "control_id": "ZVT-RESP-001",
+ "domain": "ZVT-RESP",
+ "title": "Alle Terminal-Response-Codes vollstaendig abgedeckt",
+ "objective": "Verhindert unhandled states",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "error_mapping"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-RESP-002",
+ "domain": "ZVT-RESP",
+ "title": "Fehlercodes korrekt interpretiert",
+ "objective": "Verhindert falsche Verarbeitung",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "protocol_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-RESP-003",
+ "domain": "ZVT-RESP",
+ "title": "Unbekannte Response-Codes sicher behandelt",
+ "objective": "Erhoeht Robustheit",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "negative_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-RESP-004",
+ "domain": "ZVT-RESP",
+ "title": "Response-Daten validiert",
+ "objective": "Verhindert Inkonsistenzen",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "validation_tests"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-RESP-005",
+ "domain": "ZVT-RESP",
+ "title": "Terminalstatus nach Response aktualisiert",
+ "objective": "Synchronisiert Zustaende",
+ "check_target": "system",
+ "evidence": [
+ "source_code",
+ "state_machine_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-SESSION-001",
+ "domain": "ZVT-SESSION",
+ "title": "Terminal-Sessions explizit geoeffnet und geschlossen",
+ "objective": "Verhindert Zombie-Sessions",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "integration_test"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-SESSION-002",
+ "domain": "ZVT-SESSION",
+ "title": "Session-Timeouts definiert",
+ "objective": "Verhindert haengende Sessions",
+ "check_target": "config",
+ "evidence": [
+ "config",
+ "source_code"
+ ],
+ "automation": "high"
+ },
+ {
+ "control_id": "ZVT-SESSION-003",
+ "domain": "ZVT-SESSION",
+ "title": "Session-Abbrueche erkannt",
+ "objective": "Erhoeht Stabilitaet",
+ "check_target": "system",
+ "evidence": [
+ "source_code",
+ "monitoring_config"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-SESSION-004",
+ "domain": "ZVT-SESSION",
+ "title": "Session-Wiederaufnahme kontrolliert",
+ "objective": "Verhindert Inkonsistenzen",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "reconnect_tests"
+ ],
+ "automation": "medium"
+ },
+ {
+ "control_id": "ZVT-SESSION-005",
+ "domain": "ZVT-SESSION",
+ "title": "Parallele Sessions kontrolliert",
+ "objective": "Verhindert Race Conditions",
+ "check_target": "code",
+ "evidence": [
+ "source_code",
+ "concurrency_tests"
+ ],
+ "automation": "medium"
 }
 ]
 }
\ No newline at end of file
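Review bot: `ZVT-COM-002` ("Checksummen/Integritaet geprueft") states its objective as `Verhindert manipulierte Daten`, but a checksum on the terminal link only detects accidental corruption — anyone who can rewrite frames on that link can recompute the checksum — so the control overstates what its evidence (`source_code`, `protocol_tests`) can demonstrate. I would narrow the objective to what a checksum check actually proves, e.g. `"objective": "Erkennt Uebertragungsfehler und verwirft beschaedigte Frames"`, and, if tampering with the terminal channel is in scope for this policy, add a separate ZVT-COM control for an authenticated transport (TLS or equivalent) with `"check_target": "config"` rather than folding that claim into the checksum control. Separately, this hunk introduces evidence identifiers that do not occur in its context lines (`retry_logic`, `error_mapping`, `reconnect_tests`, `concurrency_tests`, `validation_tests`, `monitoring_config`, `ops_docs`, `authorization_tests`); if the SDK validates `evidence` against a closed list, they must be registered there or these controls will fail to load or carry unrecognised evidence types silently. Finally, `ZVT-RESP-005` pairs `"check_target": "system"` with purely code-level evidence (`source_code`, `state_machine_tests`), while `ZVT-STATE-001` has the identical evidence under `"check_target": "code"`; one of the two looks like a mismatch.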