Title: feat: KYC/AML Module with SEP-12 Support
Labels: backend, compliance, security
Description:
VaultLink deals with real-world financial assets. Regulatory
compliance requires identity verification (KYC) for all users
before they can participate in financing. This issue implements
the full KYC module with admin review workflow and SEP-12 support.
What Needs to Be Done:
- KycRecord entity:
  id (uuid), user_id (FK, unique), status (ENUM: PENDING/APPROVED/REJECTED),
  full_name, date_of_birth, nationality, document_type,
  document_number, submitted_at, reviewed_at, reviewed_by,
  rejection_reason (nullable)
- POST /kyc/submit
  - User submits KYC data
  - One submission per user (update if PENDING or REJECTED)
  - Emits kyc.submitted internal event
- GET /kyc/status
  - Returns authenticated user's KYC status
- GET /admin/kyc
  - Admin only — list all KYC records with status filter
  - Pagination
- POST /admin/kyc/:id/approve
  - Admin approves KYC
  - Sets status to APPROVED, stores reviewer and timestamp
  - Emits kyc.approved webhook event
- POST /admin/kyc/:id/reject
  - Admin rejects with required reason
  - Sets status to REJECTED, stores reason
  - Emits kyc.rejected webhook event
- KycGuard:
  - Blocks access to marketplace, invoice creation, and offers
    if KYC not APPROVED
- SEP-12 compatibility:
  - Accept SEP-12 formatted identity payloads
  - Map SEP-12 fields to KycRecord fields
Key Files:
- apps/backend/src/kyc/kyc.module.ts (new)
- apps/backend/src/kyc/kyc.service.ts (new)
- apps/backend/src/kyc/kyc.controller.ts (new)
- apps/backend/src/kyc/kyc.entity.ts (new)
- apps/backend/src/guards/kyc.guard.ts (new)
Acceptance Criteria:
- Users without APPROVED KYC cannot access marketplace or invoices
- Admin can approve or reject with reason
- KYC status visible after login
- Webhook fired on approve and reject
- KYC data never appears in logs (PII redaction applied)
- One KYC record per user (upsert on resubmission)
- Unit tests cover: submit, approve, reject, guard behavior,
duplicate submission, unauthorized admin access
Security Notes:
- KYC document numbers redacted in all logs
- document_number stored encrypted in DB
- KYC check happens on every protected request — not just login
Branch: feat/kyc-aml-module
Commit: feat(kyc): add KYC/AML module with SEP-12 support and admin review workflow
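
Example (added here, not part of the issue or of VaultLink's code): one way to map a SEP-12 payload onto the KycRecord fields and to build a log-safe view that satisfies the redaction criterion. The payload keys are SEP-9 standard field names; mapping id_country_code to nationality, and the names mapSep12ToKyc and toLogSafe, are assumptions.

```typescript
// Added example, not VaultLink code. The payload keys are SEP-9 standard fields
// used by SEP-12; treating id_country_code as nationality is an assumption.
type KycStatus = "PENDING" | "APPROVED" | "REJECTED";

interface KycFields {
  full_name: string;
  date_of_birth: string;
  nationality: string;
  document_type: string;
  document_number: string;
}

const REQUIRED = [
  "first_name", "last_name", "birth_date",
  "id_type", "id_number", "id_country_code",
] as const;
type Sep12Key = (typeof REQUIRED)[number];

function mapSep12ToKyc(payload: Record<string, unknown>): KycFields {
  const v = {} as Record<Sep12Key, string>;
  for (const key of REQUIRED) {
    const raw = payload[key];
    if (typeof raw !== "string" || raw.trim() === "") {
      // Name only the field: a rejected value must never reach logs or responses.
      throw new Error(`invalid or missing SEP-12 field: ${key}`);
    }
    v[key] = raw.trim();
  }
  if (!/^\d{4}-\d{2}-\d{2}$/.test(v.birth_date)) {
    throw new Error("invalid or missing SEP-12 field: birth_date");
  }
  return {
    full_name: `${v.first_name} ${v.last_name}`,
    date_of_birth: v.birth_date,
    nationality: v.id_country_code.toUpperCase(),
    document_type: v.id_type,
    document_number: v.id_number, // encrypt before persisting, per the security notes
  };
}

// Allow-list view for loggers: only non-identifying fields are copied, so a
// field added to KycFields later stays out of logs by default.
function toLogSafe(userId: string, status: KycStatus, rec: KycFields) {
  return { user_id: userId, status, document_type: rec.document_type };
}
```

Logging through toLogSafe rather than masking individual fields means the default for any new KYC field is "not logged".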