Why
The column name suggests encryption, but no KMS wrapper is visible. If the value is stored in plaintext, tenants' Resend keys are exposed in any DB dump.
Scope
- Audit current write path of organisations.resendApiKeyEncrypted.
- If plaintext: seal the value in the same AES-GCM style as sealTotpSecret, or migrate to a DEK wrapped by a real KMS (AWS KMS or GCP KMS).
- Migrate existing rows on next admin save.
Acceptance
- DB dump shows ciphertext for the field.
- Decrypt path test passes; wrong key fails closed.
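
One way to implement the seal, the migrate-on-save check and the fail-closed decrypt from the items above, as an added example rather than the project's code. The names `sealSecret`, `openSecret`, `isSealed` and `sealIfPlaintext`, the `v1.` prefix and the org-id AAD binding are assumptions; the real sealTotpSecret format may differ.

```javascript
const crypto = require('node:crypto');

// Assumed format: "v1." + base64(iv || tag || ciphertext).
// Assumes a plaintext API key never starts with this prefix.
const PREFIX = 'v1.';
const IV_LEN = 12, TAG_LEN = 16;

function isSealed(value) {
  return typeof value === 'string' && value.startsWith(PREFIX);
}

// key: 32-byte Buffer (with a KMS, the unwrapped DEK). orgId is bound as AAD
// so a ciphertext copied into another tenant's row does not decrypt.
function sealSecret(key, orgId, plaintext) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(orgId), 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return PREFIX + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Fails closed: throws on wrong key, wrong org, tampering or an unsealed value.
function openSecret(key, orgId, sealed) {
  if (!isSealed(sealed)) throw new Error('value is not sealed');
  const raw = Buffer.from(sealed.slice(PREFIX.length), 'base64');
  if (raw.length < IV_LEN + TAG_LEN) throw new Error('sealed value too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key,
    raw.subarray(0, IV_LEN), { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(String(orgId), 'utf8'));
  decipher.setAuthTag(raw.subarray(IV_LEN, IV_LEN + TAG_LEN));
  // final() throws if the GCM tag does not verify; nothing is returned before that.
  const pt = Buffer.concat([decipher.update(raw.subarray(IV_LEN + TAG_LEN)),
    decipher.final()]);
  return pt.toString('utf8');
}

// Migration on admin save: re-seal only rows that still hold plaintext.
function sealIfPlaintext(key, orgId, stored) {
  return isSealed(stored) ? stored : sealSecret(key, orgId, stored);
}
```
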