From b2d60e27db2660a146815cf7f01f215ec9769de6 Mon Sep 17 00:00:00 2001
From: Ho Ngoc Hai
Date: Thu, 9 Apr 2026 09:00:21 +0700
Subject: [PATCH] feat(security): add KYC field encryption and PII log hardening

- Add AES-256-GCM field-level encryption for KYC data at rest (field-encryption.ts with enc:v{n}: format and key rotation support)
- Add Prisma service encrypt/decrypt helpers for transparent KYC handling
- Require KYC_ENCRYPTION_KEY in production (env-validation.ts)
- Add migration script for existing plaintext KYC records (encrypt-existing-kyc.ts)
- Expand PII masker with 13 additional sensitive keys (email, phone, kycData, etc.)
- Add Pino redact paths as defense-in-depth (24 paths covering nested PII)
- Remove email address PII from email service log messages
- 15 unit tests for field-encryption round-trip, tamper detection, key validation

Co-Authored-By: Paperclip
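The commit message describes an `enc:v{n}:` storage format with key rotation and tamper detection but the patch body is not on this page, so the following is an added example of that scheme, not the project's own field-encryption.ts. The key table, the helper names and the two key versions are constructed for the demo; a real deployment would load key material from KYC_ENCRYPTION_KEY as the commit message says.

```typescript
// Added example (not the project's field-encryption.ts): AES-256-GCM field
// encryption with an "enc:v{n}:" prefix so the key version travels with the
// ciphertext and old records stay readable after a key rotation.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed demo keys; production code loads them from KYC_ENCRYPTION_KEY.
const KEYS: Record<number, Buffer> = {
  1: Buffer.alloc(32, 0x11),
  2: Buffer.alloc(32, 0x22),
};
const CURRENT_VERSION = 2;

function encryptField(plain: string, version = CURRENT_VERSION): string {
  const key = KEYS[version];
  if (!key || key.length !== 32) throw new Error(`no 32-byte key for v${version}`);
  const iv = randomBytes(12);                      // 96-bit nonce, fresh per field
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(`enc:v${version}:`));  // bind the version prefix to the tag
  const ct = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();                 // 16-byte GCM tag
  return `enc:v${version}:${Buffer.concat([iv, tag, ct]).toString("base64")}`;
}

function decryptField(stored: string): string {
  const m = /^enc:v(\d+):(.+)$/.exec(stored);
  if (!m) return stored;                           // legacy plaintext record, not yet migrated
  const version = Number(m[1]);
  const key = KEYS[version];
  if (!key) throw new Error(`unknown key version v${version}`);
  const blob = Buffer.from(m[2], "base64");
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const ct = blob.subarray(28);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(Buffer.from(`enc:v${version}:`));
  decipher.setAuthTag(tag);
  // final() throws on any bit flip in iv, tag, ciphertext or version prefix
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Re-encrypt a stored value under the current key (what a rotation migration does).
function rotateField(stored: string): string {
  return encryptField(decryptField(stored));
}

// True when the stored value fails authentication, i.e. was modified at rest.
function isTampered(stored: string): boolean {
  try { decryptField(stored); return false; } catch { return true; }
}
```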