From finta-pack
Secure Finta fundraising data and investor information. Trigger with phrases like "finta security", "finta data privacy".
npx claudepluginhub flight505/skill-forge --plugin finta-pack

This skill is limited to using the following tools:
Finta manages fundraising pipelines containing investor contact information, term sheet details, valuation data, cap table snapshots, and deal room documents. A breach exposes confidential fundraising strategy, investor relationships, and financial terms that could damage competitive positioning. Protect API credentials, deal room access controls, and any integration that syncs investor data to external CRMs or spreadsheets.

```typescript
function createFintaClient(): { apiKey: string; baseUrl: string } {
  const apiKey = process.env.FINTA_API_KEY;
  if (!apiKey) {
    throw new Error("Missing FINTA_API_KEY — store in secrets manager, never in code");
  }
  // Finta keys access investor contacts and financial terms — treat as highly sensitive
  console.log("Finta client initialized (key suffix:", apiKey.slice(-4), ")");
  return { apiKey, baseUrl: "https://api.trustfinta.com/v1" };
}
```
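
```typescript
import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

// Mount behind express.raw({ type: "application/json" }) so req.body is the raw
// request Buffer; an HMAC over re-serialized JSON will not match the sender's.
function verifyFintaWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.get("x-finta-signature");
  const secret = process.env.FINTA_WEBHOOK_SECRET;
  // Fail closed when the secret, the header, or the raw body is missing
  if (!secret || !signature || !Buffer.isBuffer(req.body)) {
    res.status(401).send("Invalid signature");
    return;
  }
  const expected = Buffer.from(crypto.createHmac("sha256", secret).update(req.body).digest("hex"));
  const received = Buffer.from(signature);
  // timingSafeEqual throws on unequal lengths, so compare lengths first
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}
```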

```typescript
import { z } from "zod";

const InvestorContactSchema = z.object({
  investor_id: z.string().uuid(),
  firm_name: z.string().min(1).max(200),
  contact_email: z.string().email(),
  deal_stage: z.enum(["prospect", "contacted", "meeting", "term_sheet", "closed", "passed"]),
  check_size: z.number().positive().optional(),
  valuation_cap: z.number().positive().optional(),
});

function validateInvestorData(data: unknown) {
  return InvestorContactSchema.parse(data);
}
```
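
```typescript
// contact_email is included because InvestorContactSchema uses that field name
const FINTA_SENSITIVE_FIELDS = [
  "valuation_cap", "check_size", "term_sheet_url", "cap_table",
  "investor_email", "contact_email", "phone",
];

// Shallow redaction: only top-level keys of the record are checked
function redactFintaLog(record: Record<string, unknown>): Record<string, unknown> {
  const redacted = { ...record };
  for (const field of FINTA_SENSITIVE_FIELDS) {
    if (field in redacted) redacted[field] = "[REDACTED]";
  }
  return redacted;
}
```
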
| Vulnerability | Risk | Mitigation |
|---|---|---|
| Leaked API key | Full access to investor pipeline and deal terms | Secrets manager + rotation |
| Overly broad deal room access | Confidential terms exposed to wrong investors | Per-investor permission scoping |
| Unencrypted pipeline exports | Financial strategy leaked via CSV files | GPG encryption + .gitignore |
| Stale investor access | Former prospects retain document access | Post-round access review |
| CRM sync without redaction | Valuation data leaks to third-party CRM | Field-level redaction before sync |
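
The "CRM sync without redaction" row calls for field-level redaction before sync, and `redactFintaLog` only checks top-level keys. The following added example (not Finta's or the plugin's own code) redacts at any nesting depth and records which paths were replaced; the function names, the `contact_email` key and the sample record are assumptions constructed for illustration.

```typescript
// Added example. Keys mirror the page's FINTA_SENSITIVE_FIELDS; contact_email
// is an assumed addition because InvestorContactSchema uses that field name.
const SYNC_SENSITIVE_KEYS: string[] = [
  "valuation_cap", "check_size", "term_sheet_url", "cap_table",
  "investor_email", "contact_email", "phone",
];

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

interface SyncResult {
  payload: Json;           // redacted copy to hand to the CRM client
  redactedPaths: string[]; // where values were replaced, for audit logs
}

// Walk objects and arrays at any depth, replacing sensitive values and
// recording the path of each replacement. The input is never mutated.
function redactNode(node: Json, path: string, hits: string[]): Json {
  if (Array.isArray(node)) {
    return node.map((item: Json, i: number) => redactNode(item, path + "[" + i + "]", hits));
  }
  if (node !== null && typeof node === "object") {
    const out: { [key: string]: Json } = {};
    for (const key of Object.keys(node)) {
      const childPath = path === "" ? key : path + "." + key;
      if (SYNC_SENSITIVE_KEYS.indexOf(key) !== -1) {
        out[key] = "[REDACTED]";
        hits.push(childPath);
      } else {
        out[key] = redactNode(node[key], childPath, hits);
      }
    }
    return out;
  }
  return node; // primitives pass through unchanged
}

function redactForCrmSync(record: Json): SyncResult {
  const redactedPaths: string[] = [];
  return { payload: redactNode(record, "", redactedPaths), redactedPaths };
}

// Constructed sample: sensitive values nested inside an array and a sub-object.
const samplePipeline: Json = {
  round: "seed",
  investors: [
    { firm_name: "Example Capital", contact_email: "partner@example.com",
      terms: { check_size: 250000, valuation_cap: 8000000 } },
    { firm_name: "Sample Ventures", deal_stage: "passed", phone: "+1-555-0100" },
  ],
};
```

Logging `redactedPaths` alongside each sync gives a record of what was withheld without writing the values themselves.
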
See finta-prod-checklist.