fix(background-checks): remove employee PII from sessionStorage

[carhartlewis]

Stop storing employeeName and employeeEmail in sessionStorage during the Stripe billing redirect flow. Only requesterNotes (non-PII) is persisted. After redirect, employeeName re-derives from the employee prop and the email field resets to its default.

Resolves code-scanning alert #133 (clear text storage of sensitive information).

What does this PR do?

• Fixes #XXXX (GitHub issue number)
• Fixes COMP-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

• Show screen recordings of the issue or feature.
• Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

• Add side-by-side screenshots of the original and updated change.
• Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

• Are there environment variables that should be set?
• What are the minimal test data to have?
• What is expected (happy path) to have (input and output)?
• Any other important info that could help to test that PR

Checklist

• I haven't read the contributing guide
• My code doesn't follow the style guidelines of this project
• I haven't commented my code, particularly in hard-to-understand areas
• I haven't checked if my changes generate no new warnings

---

Summary by cubic

Remove employee PII from sessionStorage in the background check Stripe redirect flow. Only requesterNotes is persisted; after return, the form derives the name from the employee prop and clears the email, resolving code-scanning alert #133.

• Bug Fixes
  • Stop writing employeeName and employeeEmail to sessionStorage; persist only requesterNotes.
  • On return, reset form: employeeName from employee.user.name (or existing form value), employeeEmail empty.
  • Narrow PendingBackgroundCheckRequest to organizationId, memberId, and optional requesterNotes.

^{Written for commit ea082b3. Summary will update on new commits. Review in cubic}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
comp-framework-editor	Ready	Preview, Comment	Apr 29, 2026 11:59pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
app	Skipped		Apr 29, 2026 11:59pm
portal	Skipped		Apr 29, 2026 11:59pm

[claudfuen]

🎉 This PR is included in version 3.39.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀