Add full monorepo: virtual-banker, backend, frontend, docs, scripts, deployment

Co-authored-by: Cursor <cursoragent@cursor.com>

docs/specs/security/security-architecture.md

@@ -0,0 +1,69 @@
+# Security Architecture Specification
+
+## Overview
+
+Security architecture including threat model, security boundaries, and security controls.
+
+## Threat Model
+
+### Threat Categories
+
+**1. External Threats**:
+- DDoS attacks
+- SQL injection
+- XSS attacks
+- API abuse
+
+**2. Internal Threats**:
+- Privileged user abuse
+- Data breaches
+- Insider threats
+
+**3. Infrastructure Threats**:
+- Node compromise
+- Database breaches
+- Network attacks
+
+## Security Boundaries
+
+**DMZ**: Public-facing services
+**Internal Network**: Backend services
+**Data Layer**: Database and storage (isolated)
+**Blockchain Network**: Node network (isolated)
+
+## KMS/HSM Integration
+
+### Key Management
+
+**Storage**: Hardware Security Module (HSM)
+**Usage**: API keys, signing keys, encryption keys
+**Access**: Role-based, audit logged
+
+## Secrets Management
+
+### Secret Storage
+
+**Solution**: Vault, AWS Secrets Manager, or similar
+**Encryption**: At rest and in transit
+**Rotation**: Regular key rotation
+**Access**: Least privilege principle
+
+## Signed Builds and SBOM
+
+### Build Signing
+
+**Process**: Sign all builds
+**Verification**: Verify signatures before deployment
+**Tooling**: Code signing certificates
+
+### SBOM (Software Bill of Materials)
+
+**Generation**: Generate SBOM for all dependencies
+**Storage**: Store SBOM for audit
+**Vulnerability Scanning**: Scan SBOM for known vulnerabilities
+
+## References
+
+- Authentication: See `auth-spec.md`
+- Privacy: See `privacy-controls.md`
+