feat(security): add KYC field encryption and PII log hardening
- Add AES-256-GCM field-level encryption for KYC data at rest
  (field-encryption.ts with enc:v{n}: format and key rotation support)
- Add Prisma service encrypt/decrypt helpers for transparent KYC handling
- Require KYC_ENCRYPTION_KEY in production (env-validation.ts)
- Add migration script for existing plaintext KYC records (encrypt-existing-kyc.ts)
- Expand PII masker with 13 additional sensitive keys (email, phone, kycData, etc.)
- Add Pino redact paths as defense-in-depth (24 paths covering nested PII)
- Remove email address PII from email service log messages
- 15 unit tests for field-encryption round-trip, tamper detection, key validation
Co-Authored-By: Paperclip <noreply@paperclip.ing>