feat(spp_pii_encryption): port PII encryption core from openspp-modules

[gonzalesedwin1123]

What

Migrates the field-level PII encryption module from openspp-modules to OpenSPP2 (Odoo 19). This is PR1 of a planned sequence and ports the runtime encryption core; the bulk-migration wizard is deferred (see below).

Realises ADR-011 (Data Classification) / ADR-012 (PII Encryption Strategy).

What's included

Component	Model	Purpose
Encrypted field mixin	spp.encrypted.field.mixin	Transparent AES-256-GCM encryption + HMAC-SHA256 blind indexes (exact / partial / phonetic) for searchable encrypted fields
Field config	spp.field.encryption.config	UI-based per-field encryption configuration
Audit log	spp.pii.audit.log	Audit trail of PII field access
Masked widget	masked_char (OWL)	Masked display with reveal + audit logging

Integrates with spp_key_management's key manager (get_key / get_salt).
Depends on: base, spp_key_management, spp_registry, spp_security. External python: cryptography.

What's intentionally deferred

The bulk-migration wizard (scan / dry-run / migrate / backup / rollback of existing plaintext) is not in this PR. Its scan step depends on spp.field.classification from spp_data_classification, which is not yet migrated to OpenSPP2. Plan:

• PR2 — migrate spp_data_classification
• PR3 — re-add the migration wizard to this module

Adaptations from the source module

• Manifest: category → OpenSPP/Configuration, website → OpenSPP2, auto_install: False (admin opt-in tool), dependency list trimmed (dropped spp_data_classification and the unused spp_encryption).
• Removed the wizard's 4 models, view, ACL rows, and Migration menu entries.
• Wrapped a ValidationError message in _() for translation.

Verification

• ✅ ./spp t spp_pii_encryption → 7/7 tests pass, module installs
• ✅ pre-commit (OpenSPP compliance hooks + bandit + semgrep) green
• ✅ Installs in full UI stack; menus render correctly (Field Configuration + Audit Log; no Migration menu)
• ✅ web.assets_backend bundle compiles with the masked widget JS + SCSS included

Notes

• The masked widget is registered but not yet wired into any view (ADR-012 lists widget deployment as pending), so the live reveal→audit flow isn't exercised here.
• A few pre-existing lint warnings (redundant string= params; one except: pass in audit_log.py) were carried over unchanged from the source module.

[gemini-code-assist]

Code Review

This pull request introduces the spp_pii_encryption module for Odoo, which implements field-level AES-256-GCM encryption for PII data, searchable blind indexes, UI-based configuration, and access audit logging. The review feedback highlights several critical and high-severity issues: a crash on module load due to the incorrect use of models.Constraint instead of _sql_constraints, stale blind indexes left in the database when encrypted fields are cleared during creation or modification, timezone inconsistencies from using datetime.now() instead of fields.Datetime.now(), and a misleading masking behavior for short values in the frontend widget.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Odoo does not have a models.Constraint class. Defining a constraint this way will raise an AttributeError on module load, preventing the module from starting or installing. SQL constraints in Odoo must be defined using the _sql_constraints list of tuples.

    _sql_constraints = [
        (
            "unique_model_field",
            "UNIQUE(model_id, field_id)",
            "Encryption configuration already exists for this model and field!",
        )
    ]

[gemini-code-assist]

If an encrypted field is cleared (set to False or ""), the current implementation skips the encryption block entirely and does not update the corresponding blind index fields (_index and _last4). This leaves stale hashes in the database, allowing searches to find records that have actually had their PII cleared. We should explicitly clear the index fields when the main field is cleared.

    def write(self, vals):
        """Encrypt fields before write."""
        encrypted_fields = self._get_encrypted_fields()
        if not encrypted_fields:
            return super().write(vals)

        for field_name in encrypted_fields:
            if field_name in vals:
                plaintext = vals[field_name]
                if plaintext:
                    # Encrypt
                    vals[field_name] = self._encrypt_value(plaintext, field_name)

                    # Get configured index type
                    index_type = self._get_index_type(field_name)

                    # Compute blind indexes if fields exist
                    index_field = f"{field_name}_index"
                    if index_field in self._fields:
                        vals[index_field] = self._compute_blind_index(plaintext, field_name, index_type)

                    last4_field = f"{field_name}_last4"
                    if last4_field in self._fields:
                        # SECURITY: Store hashed partial index, not plaintext
                        vals[last4_field] = self._compute_blind_index(plaintext, field_name, "partial")
                else:
                    # Clear indexes if the field is cleared
                    index_field = f"{field_name}_index"
                    if index_field in self._fields:
                        vals[index_field] = False
                    last4_field = f"{field_name}_last4"
                    if last4_field in self._fields:
                        vals[last4_field] = False

        return super().write(vals)

[gemini-code-assist]

For consistency and safety, we should also handle the clearing of index fields during record creation if the field is explicitly passed as falsy or empty.

    @api.model_create_multi
    def create(self, vals_list):
        """Encrypt fields before create."""
        encrypted_fields = self._get_encrypted_fields()
        if not encrypted_fields:
            return super().create(vals_list)

        for vals in vals_list:
            for field_name in encrypted_fields:
                if field_name in vals:
                    plaintext = vals[field_name]
                    if plaintext:
                        # Encrypt
                        vals[field_name] = self._encrypt_value(plaintext, field_name)

                        # Get configured index type
                        index_type = self._get_index_type(field_name)

                        # Compute blind indexes if fields exist
                        index_field = f"{field_name}_index"
                        if index_field in self._fields:
                            vals[index_field] = self._compute_blind_index(plaintext, field_name, index_type)

                        last4_field = f"{field_name}_last4"
                        if last4_field in self._fields:
                            # SECURITY: Store hashed partial index, not plaintext
                            vals[last4_field] = self._compute_blind_index(plaintext, field_name, "partial")
                    else:
                        index_field = f"{field_name}_index"
                        if index_field in self._fields:
                            vals[index_field] = False
                        last4_field = f"{field_name}_last4"
                        if last4_field in self._fields:
                            vals[last4_field] = False

        return super().create(vals_list)

[gemini-code-assist]

Using datetime.now() retrieves the server's local time, which can lead to timezone inconsistencies and incorrect query results because Odoo stores datetime values in UTC in the database. Instead, use fields.Datetime.now() to get the current UTC datetime.

Suggested change

	from datetime import datetime, timedelta
	if user_id is None:
	user_id = self.env.user.id
	cutoff = datetime.now() - timedelta(days=days)
	from datetime import timedelta
	if user_id is None:
	user_id = self.env.user.id
	cutoff = fields.Datetime.now() - timedelta(days=days)

[gemini-code-assist]

The current applyMask implementation pads the output with fake bullets to match the full pattern length even if the actual value is much shorter (e.g., a 3-character value like "123" gets masked as "••••-••••-123"). This is highly misleading as it makes short values look long. Additionally, valueIdx is incremented but never used. We should align the value with the pattern from right to left to respect the actual length of the value.

    applyMask(value, pattern) {
        if (!value || !pattern) return "****";

        const valueChars = value.split("");
        const patternChars = pattern.split("");
        const resultChars = [];
        let valIdx = valueChars.length - 1;

        for (let i = patternChars.length - 1; i >= 0; i--) {
            if (valIdx < 0) break;

            const pChar = patternChars[i];
            if (pChar === "#") {
                resultChars.unshift(valueChars[valIdx]);
                valIdx--;
            } else if (pChar === "*") {
                resultChars.unshift("•");
                valIdx--;
            } else {
                resultChars.unshift(pChar);
                if (valueChars[valIdx] === pChar) {
                    valIdx--;
                }
            }
        }

        while (valIdx >= 0) {
            resultChars.unshift("•");
            valIdx--;
        }

        return resultChars.join("") || "••••••••";
    }

[codecov]

Codecov Report

❌ Patch coverage is 73.26007% with 73 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.05%. Comparing base (00f1e5a) to head (c030ea6).

Files with missing lines	Patch %	Lines
spp_pii_encryption/models/encrypted_field_mixin.py	59.87%	65 Missing ⚠️
spp_pii_encryption/models/audit_log.py	88.37%	5 Missing ⚠️
...p_pii_encryption/models/field_encryption_config.py	96.82%	2 Missing ⚠️
spp_pii_encryption/__manifest__.py	0.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             19.0     #232    +/-   ##
========================================
  Coverage   73.05%   73.05%            
========================================
  Files        1069     1075     +6     
  Lines       62080    62353   +273     
========================================
+ Hits        45351    45551   +200     
- Misses      16729    16802    +73     

Flag	Coverage Δ
spp_base_common	90.26% <ø> (ø)
spp_pii_encryption	73.26% <73.26%> (?)
spp_programs	64.84% <ø> (ø)
spp_registry	86.83% <ø> (ø)
spp_security	66.66% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
spp_pii_encryption/__init__.py	100.00% <100.00%> (ø)
spp_pii_encryption/models/__init__.py	100.00% <100.00%> (ø)
spp_pii_encryption/__manifest__.py	0.00% <0.00%> (ø)
...p_pii_encryption/models/field_encryption_config.py	96.82% <96.82%> (ø)
spp_pii_encryption/models/audit_log.py	88.37% <88.37%> (ø)
spp_pii_encryption/models/encrypted_field_mixin.py	59.87% <59.87%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.