
RFC 0006: Secure payout destinations (validation, encryption at rest, audited rotation) #141

@dligthart

Description


Parent: #135

Summary

RFC 0006 calls for secure payout destination handling. Current payout address storage is plain text and lacks strong lifecycle controls.

Problem

Sensitive payout destinations should be protected at rest and validated to reduce payout and compliance risk.

Proposal

  1. Add payout address validation:
  • Lightning Address format validation on create/update
  • normalized lowercase storage format
  2. Protect at rest:
  • encrypt payout destination in DB using application-managed key material
  • expose masked value in read APIs/UI (a***@provider.com)
  3. Add rotation flow:
  • explicit update endpoint with audit log and actor attribution
  • optional verification challenge before activation

Acceptance criteria

  1. Invalid payout destination formats are rejected with clear remediation.
  2. Stored payout destinations are not plain text.
  3. Payout destination updates are auditable and masked in operator views.
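The proposal and acceptance criteria above map onto a small amount of code. The following is an added example, not code from this project or from the RFC: it assumes Go and stand-library crypto, and the names (`NormalizePayoutAddress`, `MaskPayoutAddress`, `PayoutVault`, `PayoutRow`, `AuditEntry`, `RotateDestination`) are hypothetical. It covers the three proposal items except the optional verification challenge: validation with lowercase normalization, AES-GCM sealing under an application-managed key with the account id bound as associated data (so a sealed value copied into another account's row fails to open), a separate masked column so operator views never touch the key, and an audit entry with actor attribution that carries only masked values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// A Lightning Address (LUD-16) has the shape user@domain, like an e-mail address.
var lightningAddrRe = regexp.MustCompile(`^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$`)

// NormalizePayoutAddress trims, lowercases and validates; only the normalized form is stored.
func NormalizePayoutAddress(raw string) (string, error) {
	addr := strings.ToLower(strings.TrimSpace(raw))
	if !lightningAddrRe.MatchString(addr) {
		return "", fmt.Errorf("invalid Lightning Address %q: expected user@domain.tld", raw)
	}
	return addr, nil
}

// MaskPayoutAddress yields the only form read APIs and operator views return.
func MaskPayoutAddress(addr string) string {
	at := strings.Index(addr, "@")
	if at < 1 {
		return "***"
	}
	return addr[:1] + "***" + addr[at:]
}

// PayoutVault seals destinations with AES-GCM under an application-managed key.
type PayoutVault struct{ aead cipher.AEAD }
func NewPayoutVault(key []byte) (*PayoutVault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PayoutVault{aead: aead}, nil
}

// Seal returns base64(nonce || ciphertext); the account id is bound as associated data, so a value copied into another account's row will not open.
func (v *PayoutVault) Seal(account, addr string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(v.aead.Seal(nonce, nonce, []byte(addr), []byte(account))), nil
}

func (v *PayoutVault) Open(account, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	ns := v.aead.NonceSize()
	if err != nil || len(ct) < ns {
		return "", fmt.Errorf("malformed stored value")
	}
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(account))
	if err != nil {
		return "", fmt.Errorf("decrypt failed: wrong key, tampered row or account mismatch")
	}
	return string(pt), nil
}

// PayoutRow is the DB row: the sealed value (opened only by the payout worker) plus a masked column for the UI.
type PayoutRow struct{ Sealed, Masked string }
// AuditEntry carries actor attribution; only masked values are ever written to the log.
type AuditEntry struct {
	At                                   time.Time
	Actor, Account, OldMasked, NewMasked string
}

// RotateDestination is the explicit update endpoint: validate, seal and return the new
// row with its audit entry; the caller persists both in one transaction.
func RotateDestination(v *PayoutVault, actor, account, raw string, current PayoutRow) (PayoutRow, AuditEntry, error) {
	addr, err := NormalizePayoutAddress(raw)
	if err != nil {
		return PayoutRow{}, AuditEntry{}, err
	}
	sealed, err := v.Seal(account, addr)
	if err != nil {
		return PayoutRow{}, AuditEntry{}, err
	}
	row := PayoutRow{Sealed: sealed, Masked: MaskPayoutAddress(addr)}
	return row, AuditEntry{time.Now(), actor, account, current.Masked, row.Masked}, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; in production load it from a KMS or secret store
	rand.Read(key)
	vault, _ := NewPayoutVault(key)
	fmt.Println(RotateDestination(vault, "ops:alice", "acct-42", "  Alice@Wallet.Example  ", PayoutRow{}))
}
```

Keeping the masked form in its own column means the read path and operator views can be served by a process that never holds the key; only the payout worker calls `Open`. Binding the account id as associated data turns a swapped or copied row into a decryption failure rather than a silent mis-payout, which is the failure the RFC's "not plain text" criterion is really guarding against.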
