Claude-code-plugins fondo-security-basics

install

source · Clone the upstream repo

git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/saas-packs/fondo-pack/skills/fondo-security-basics" ~/.claude/skills/jeremylongshore-claude-code-plugins-fondo-security-basics && rm -rf "$T"

manifest: plugins/saas-packs/fondo-pack/skills/fondo-security-basics/SKILL.md

Fondo Security Basics

Overview

Fondo handles startup tax preparation, bookkeeping, and R&D tax credits containing SSNs, EINs, bank account details, revenue figures, and complete tax returns. A breach exposes founder personal tax data, company financials, and IRS filing details. Protect OAuth connections to banking/payroll systems, exported financial documents, and team access controls with the same rigor as a CPA firm.

API Key Management

function createFondoClient(): { apiKey: string; baseUrl: string } {
  const apiKey = process.env.FONDO_API_KEY;
  if (!apiKey) {
    throw new Error("Missing FONDO_API_KEY — store in secrets manager, never in code");
  }
  // Fondo keys access tax returns and SSN/EIN data — treat as highest sensitivity
  console.log("Fondo client initialized (key suffix:", apiKey.slice(-4), ")");
  return { apiKey, baseUrl: "https://api.fondo.com/v1" };
}

Webhook Signature Verification

import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

function verifyFondoWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.headers["x-fondo-signature"] as string;
  const secret = process.env.FONDO_WEBHOOK_SECRET!;
  const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}

Input Validation

import { z } from "zod";

const TaxFilingSchema = z.object({
  entity_id: z.string().uuid(),
  tax_year: z.number().int().min(2015).max(2030),
  filing_type: z.enum(["1120", "1120S", "1065", "941", "R&D_credit"]),
  ein: z.string().regex(/^\d{2}-\d{7}$/),
  revenue: z.number().nonnegative(),
  status: z.enum(["draft", "review", "filed", "amended"]),
});

function validateTaxFiling(data: unknown) {
  return TaxFilingSchema.parse(data);
}

Data Protection

const FONDO_PII_FIELDS = ["ssn", "ein", "bank_account", "routing_number", "tax_return_url", "revenue", "salary"];

function redactFondoLog(record: Record<string, unknown>): Record<string, unknown> {
  const redacted = { ...record };
  for (const field of FONDO_PII_FIELDS) {
    if (field in redacted) redacted[field] = "[REDACTED]";
  }
  return redacted;
}

Security Checklist

API keys stored in secrets manager, never in code
OAuth connections (Gusto, QuickBooks, Plaid, Stripe) reviewed quarterly
Financial exports never committed to git (
```
.gitignore
```
enforced)
SSN and EIN values never logged in plaintext
Team roles follow least-privilege (Owner/Admin/Viewer/CPA)
Two-factor authentication enabled on Fondo account
Exported tax documents encrypted with GPG before storage
Bank connections use Plaid (encrypted, not screen-scraping)

Error Handling

Vulnerability	Risk	Mitigation
Leaked API key	Full access to tax returns and SSN/EIN data	Secrets manager + rotation
Unencrypted financial exports	Tax data exposed via CSV on disk	GPG encryption + secure deletion
Stale OAuth tokens	Compromised banking/payroll connections	Quarterly OAuth review + revocation
Overly broad team access	Viewer sees SSN/salary data	Role-based access control enforcement
Tax data in application logs	IRS compliance violation	Field-level PII redaction

Resources

Next Steps

See

fondo-prod-checklist