feat: Payment Compliance Pack — Semgrep + CodeQL + State Machine + Schema
Executable verification pack for payment-terminal systems:

1. Semgrep rules (25 rules in 5 files):
   - Logging: sensitive data, tokens, debug flags
   - Crypto: MD5/SHA1/DES/ECB, hardcoded secrets, weak random, TLS
   - API: debug routes, exception leaks, IDOR, input validation
   - Config: test endpoints, CORS, cookies, retry
   - Data: telemetry, cache, export, queue, test data

2. CodeQL query specs (5 briefings):
   - Sensitive Data → Logs
   - Sensitive Data → HTTP Response
   - Tenant Context Loss
   - Sensitive Data → Telemetry
   - Cache/Export Leak

3. State-machine tests (10 test cases):
   - 11 states, 15 events, 8 invariants
   - Duplicate Response, Timeout+Late Success, Decline
   - Invalid Reversal, Cancel, Backend Timeout
   - Parallel Reversal, Unknown Response, Reconnect
   - Late Response after Cancel

4. Finding schema (JSON Schema):
   - Uniform format for all engines
   - control_id, engine, status, confidence, evidence, verdict_text
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
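The state-machine test cases listed above (duplicate response, late response after cancel or timeout, invalid and parallel reversal) are the kind of invariant a reduced transaction model can pin down. The following is an added illustration, not code from this commit or its pack; the state and event names, and the three invariants it enforces, are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

# Reduced transaction model (constructed for illustration; the pack's own 11 states,
# 15 events and 8 invariants are not reproduced here).
State = Enum("State", "IDLE AUTH_PENDING APPROVED DECLINED CANCELLED TIMED_OUT REVERSAL_PENDING REVERSED")
REVERSIBLE = {State.APPROVED, State.TIMED_OUT}  # a reversal is valid only from these states

@dataclass
class Transaction:
    state: State = State.IDLE
    seen: set = field(default_factory=set)       # backend response ids already applied
    ignored: list = field(default_factory=list)  # audit trail of ignored/rejected events

    def handle(self, event: str, response_id: str = "") -> State:
        if event == "AUTH_REQUEST" and self.state is State.IDLE:
            self.state = State.AUTH_PENDING
        elif event in ("AUTH_APPROVED", "AUTH_DECLINED"):
            if response_id in self.seen:                 # duplicate response: idempotent
                self.ignored.append(("duplicate", event))
            elif self.state is not State.AUTH_PENDING:   # late response after cancel/timeout
                self.ignored.append(("late", event))     # must never revive the transaction
            else:
                self.seen.add(response_id)
                self.state = State.APPROVED if event == "AUTH_APPROVED" else State.DECLINED
        elif event == "CANCEL" and self.state is State.AUTH_PENDING:
            self.state = State.CANCELLED
        elif event == "TIMEOUT" and self.state is State.AUTH_PENDING:
            self.state = State.TIMED_OUT
        elif event == "REVERSAL_REQUEST":
            if self.state not in REVERSIBLE:             # invalid or parallel reversal
                raise ValueError(f"reversal not allowed in {self.state.name}")
            self.state = State.REVERSAL_PENDING
        elif event == "REVERSAL_OK" and self.state is State.REVERSAL_PENDING:
            self.state = State.REVERSED
        else:
            self.ignored.append(("unexpected", event))  # e.g. an unknown/unexpected response
        return self.state

def run_scenario(events):
    # Replay (event, response_id) pairs; return the final state name and the audit tags.
    tx = Transaction()
    for event, rid in events:
        try:
            tx.handle(event, rid)
        except ValueError:
            tx.ignored.append(("rejected", event))
    return tx.state.name, [tag for tag, _ in tx.ignored]
```

Each listed test case then becomes one `run_scenario` call whose final state and audit tags are asserted, so a regression that lets a late approval revive a cancelled transaction fails the test rather than silently approving.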