feat(security): Implement AES-256-GCM Payload Encryption and PII Redaction for Supabase Backups

[advikdivekar]

Summary

Fixes #632

This PR implements automated PII redaction and AES-256-GCM payload encryption for all ticket data flowing into Supabase backup storage, as specified in the issue.

Changes

• backend/utils/pii_redaction.py — PII Masking Engine

  • Regex-based scanner that detects and replaces emails, phone numbers, API keys, SSNs, credit card numbers, and optionally IP addresses with [REDACTED]
  • redact_pii(text, **flags) for string-level redaction
  • redact_ticket(ticket_dict) for recursive dict/list redaction of full ticket objects
  • All redaction passes are individually toggle-able via keyword flags

• backend/utils/encryption.py — AES-256-GCM Encrypter

  • Uses pycryptodome (AES-256-GCM mode) with a 12-byte random nonce per encryption
  • Token format: <nonce_b64>.<ciphertext_b64>.<tag_b64> (URL-safe base64)
  • Key loaded from BACKUP_ENCRYPTION_KEY env var (32-byte hex string)
  • encrypt_ticket_for_backup() / decrypt_ticket_from_backup() high-level wrappers
  • GCM authentication tag prevents silent data tampering

• Frontend/src/admin/pages/AdminSettings.jsx — Admin Settings Toggle

  • New Security & Encryption card section with three toggles:
    1. Backup Payload Encryption — enable/disable AES-256-GCM on backup writes
    2. PII Auto-Redaction — enable/disable email/phone/key masking
    3. Redact IP Addresses — sub-toggle (requires PII redaction enabled)
  • Settings persist via the existing adminStore persistence layer

Test Plan

• backend/utils/pii_redaction.py — verify emails, phones, keys replaced with [REDACTED]
• backend/utils/encryption.py — round-trip encrypt → decrypt returns original JSON
• Admin Settings page renders the Security & Encryption card with all three toggles
• Toggles update adminStore state and persist across page reload
• Tampered ciphertext raises ValueError (GCM auth failure)

[vercel]

@advikdivekar is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1e333c58-12da-4292-8b49-1c6ac092d9f6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1cd539ac16

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Wire the encryption toggle into the write path

When this is enabled, it only updates the browser-local Zustand setting; the backend persistence path still inserts final_data directly in backend/main.py's /tickets/save, and a repo-wide search shows no imports or calls to the new encryption or PII-redaction helpers outside their own modules. In production this means admins can turn the control on but Supabase ticket writes remain unencrypted and unredacted, so the security feature described here has no effect on the data it claims to protect.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Declare the Crypto dependency before using it

The new encryption helper depends on Crypto from pycryptodome, but the backend Dockerfiles install only backend/requirements.txt, and that file does not include pycryptodome. In the deployed backend image this import is absent, _PYCRYPTODOME_AVAILABLE becomes false, and any call to encrypt_payload or decrypt_payload immediately raises the helper's RuntimeError instead of encrypting backups.

Useful? React with 👍 / 👎.

[advikdivekar]

@ritesh-1918 please review my PR, thank you