diff --git a/supply-api/internal/domain/account.go b/supply-api/internal/domain/account.go
index 78f1525d..28159828 100644
--- a/supply-api/internal/domain/account.go
+++ b/supply-api/internal/domain/account.go
@@ -71,7 +71,7 @@ type Account struct {
 	// 加密元数据字段 (XR-001)
 	CredentialCipherAlgo string `json:"credential_cipher_algo,omitempty"`
-	CredentialKMSKeyAlias string `json:"credential_kms_key_alias,omitempty"`
+	CredentialKeyAlias string `json:"credential_key_alias,omitempty"` // 本地加密密钥别名(非KMS)
 	CredentialKeyVersion int `json:"credential_key_version,omitempty"`
 	CredentialFingerprint string `json:"credential_fingerprint,omitempty"`
 	LastRotationAt *time.Time `json:"last_rotation_at,omitempty"`
diff --git a/supply-api/internal/repository/account.go b/supply-api/internal/repository/account.go
index f15286b2..7779580a 100644
--- a/supply-api/internal/repository/account.go
+++ b/supply-api/internal/repository/account.go
@@ -105,7 +105,7 @@ func (r *AccountRepository) GetByID(ctx context.Context, supplierID, id int64) (
 		&account.TosCompliant, &account.TosCheckResult, &account.TotalRequests, &account.TotalTokens, &account.TotalCost, &account.SuccessRate, &account.RiskScore, &account.RiskReason, &account.IsFrozen, &account.FrozenReason,
-		&account.CredentialCipherAlgo, &account.CredentialKMSKeyAlias, &account.CredentialKeyVersion,
+		&account.CredentialCipherAlgo, &account.CredentialKeyAlias, &account.CredentialKeyVersion,
 		&account.QuotaUnit, &account.CurrencyCode, &account.Version, &createdIP, &updatedIP, &account.AuditTraceID, &account.CreatedAt, &account.UpdatedAt,
diff --git a/supply-api/internal/security/kms_service.go b/supply-api/internal/security/kms_service.go
index 3fe0ed31..b343b321 100644
--- a/supply-api/internal/security/kms_service.go
+++ b/supply-api/internal/security/kms_service.go
@@ -14,7 +14,15 @@ import (
 	"golang.org/x/crypto/hkdf"
 )
-// ==================== P0-02 KMS加密方案 ====================
+// ==================== P0-02 本地加密服务 ====================
+// 注意:KMSService 是本地信封加密实现,非真实 KMS(如 AWS KMS / HashiCorp Vault)。
+// 当前实现在 dev/local 模式下使用 HKDF-SHA256 派生 DEK。
+// 生产部署时应通过 ProviderType 配置集成真实 KMS。
+//
+// 用语说明(KMS表述清理 P4-D):
+// - "KMS" (Key Management Service) — 真实外部密钥管理服务(AWS KMS / HashiCorp Vault)
+// - 本模块使用 "local" ProviderType,是本地加密实现,非真实 KMS
+// - CredentialKeyAlias 字段记录本地加密密钥别名,与外部 KMS 无关
 // AES-256-GCM算法参数
 const (
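Review bot: The new header comment states that production must integrate a real KMS via ProviderType, but nothing in this hunk enforces it, so a misconfigured deployment can still run the HKDF-derived local scheme against production credentials; if the service does not already fail closed on ProviderType "local" outside dev, add that guard and record it here, e.g. `// Fails closed: ProviderType "local" is rejected outside dev — local mode is not a KMS.` The comment also leaves the HKDF input unstated; a reader needs to know which master secret the DEK is derived from and where it is held, since the local scheme is only as strong as that secret's handling. Keeping the type named KMSService while the comment says it is not a KMS perpetuates the confusion this commit is cleaning up, so at minimum note the intended rename next to the type. The const block opened on the hunk's last line continues outside it.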