🚀 Enhancements
- common: Sensitive-fields registry, encryption service, mask helper (U1) (93185efc0)
- intake: Stamp sensitiveType on intake fields at creation (U2) (4fc5ef7d0)
- intake: Encrypt sensitive values on intaker submit (U3) (1db18cc8e)
- intake: Encrypt sensitive values on processor correct + AI-apply (U4) (814599bb0)
- intake: Mask sensitive values at read boundaries (U5) (d26b85476)
- intake: Audited per-value reveal endpoint + field-detail masking (U6) (d853f8283)
- intake: Backfill-encrypt existing SSN/account values (U9) (eed98b72c)
- intake: Encrypt AI suggestion/recommendation values for sensitive fields (U8) (7aa296f90)
- intake: Mask + reveal affordance in processor and intaker UI (U7) (edad3332e)
- intake: Fork-sanitize reseeds encrypted intake values + registry-completeness guard (U10) (830ec7d67)
🩹 Fixes
- intake: Close recommendation read/apply gaps + leak-scanner regression tests (bae816615)
- review: Apply validated code-review findings (4c5065bf7)
- review: Close remaining sensitive-field masking gaps from review (8c23dff45)
💅 Refactors
- intake: Dedupe sensitive-fields plumbing (simplify pass) (c1dd69169)
📖 Documentation
- plans: SSN/account encryption plan + single-file CE model precedent (d2780d10d)
🏡 Chore
- Sync release notes from GitHub skip release (61d1c9356)
- Lint:fix pre-existing failures outside U8 scope (11de23a5a)
✅ Tests
- intake: Mock field-encryption key in route tests; lint cleanup (266db0e4d)
❤️ Contributors
- Dimitri Roche (@dimroc)