@blamejs/core 0.14.25 → 0.14.27

package/lib/dsr.js

@@ -120,6 +120,16 @@ var DsrError = defineClass("DsrError", { alwaysPermanent: true });
 
 var audit = lazyRequire(function () { return require("./audit"); });
 var observability = lazyRequire(function () { return require("./observability"); });
+// cryptoField + vault lazy-required: dbTicketStore seals subject PII + the
+// full ticket payload at rest so a GDPR Art 17 erasure leaves no
+// decryptable copy. Lazy so the module loads in vault-less / test-tooling
+// contexts; the seal only engages when a vault is configured.
+var cryptoField = lazyRequire(function () { return require("./crypto-field"); });
+var vault = lazyRequire(function () { return require("./vault"); });
+// vault-aad supplies the AAD-cell re-seal primitive (resealRoot) the
+// AAD_ROTATION descriptor below composes — the same one the in-tree
+// rotation pipeline uses, so the AAD tuple has one source of truth.
+var vaultAad = lazyRequire(function () { return require("./vault-aad"); });
 
 var VALID_REQUEST_TYPES = Object.freeze([
   "access",                 // GDPR Art. 15 / CCPA §1798.110
@@ -593,6 +603,43 @@ function create(opts) {
                { id: ticket.id, type: ticket.type, totalRows: totalRows,
                  totalDeleted: deletedTotal, anyFailed: anyFailed });
     _emitMetric(anyFailed ? "partial" : "completed", 1, { type: ticket.type });
+
+    // Erasure-completion hook: an Art 17 erasure must not leave the
+    // subject's OWN prior DSR tickets (which carry their PII) sitting in
+    // the ticket store. When an erasure completes, purge the subject's
+    // other tickets. Skips the just-completed ticket so the receipt /
+    // audit trail for THIS erasure survives; requires the store to expose
+    // a `delete(id)` (the framework's memory + db stores do; an operator
+    // store that omits it keeps the prior behavior).
+    if (ticket.type === "erasure" && typeof store.delete === "function") {
+      try {
+        var priorTickets = await store.list({ subject: ticket.subject });
+        var purgedIds = [];
+        for (var pt = 0; pt < (priorTickets || []).length; pt++) {
+          var prior = priorTickets[pt];
+          if (!prior || prior.id === ticket.id) continue;
+          var removed = await store.delete(prior.id);
+          if (removed !== false) purgedIds.push(prior.id);
+        }
+        if (purgedIds.length > 0) {
+          _emitAudit("dsr.ticket.subject_tickets_purged", "ok", {
+            id:           ticket.id,
+            type:         ticket.type,
+            purgedCount:  purgedIds.length,
+            purgedIds:    purgedIds,
+          });
+        }
+      } catch (e) {
+        // Best-effort: a purge failure must not unwind the completed
+        // erasure. Surface it on the audit chain so operators can
+        // reconcile manually.
+        _emitAudit("dsr.ticket.subject_tickets_purge_failed", "fail", {
+          id:    ticket.id,
+          type:  ticket.type,
+          error: (e && e.message) || String(e),
+        });
+      }
+    }
     return ticket;
   }
 
@@ -878,6 +925,9 @@ function memoryTicketStore() {
       }
       byId.set(id, Object.assign({}, ticket));
     },
+    delete: async function (id) {
+      return byId.delete(id);
+    },
     _size: function () { return byId.size; },
   };
 }
@@ -918,21 +968,58 @@ function memoryTicketStore() {
 // the framework's SQLite engine. The store auto-provisions a single
 // table (default name `dsr_tickets`) with the canonical column set:
 //
-//   id            TEXT PRIMARY KEY
-//   type          TEXT NOT NULL
-//   status        TEXT NOT NULL
-//   subject_id    TEXT
-//   subject_email TEXT
-//   subject_phone TEXT
-//   submitted_at  INTEGER NOT NULL
-//   deadline_at   INTEGER NOT NULL
-//   processed_at  INTEGER
+//   id                 TEXT PRIMARY KEY
+//   type               TEXT NOT NULL
+//   status             TEXT NOT NULL
+//   subject_id         TEXT   -- sealed at rest when a vault is configured
+//   subject_email      TEXT   -- sealed at rest when a vault is configured
+//   subject_phone      TEXT   -- sealed at rest when a vault is configured
+//   subject_email_hash TEXT   -- derived lookup hash (list-by-subject)
+//   subject_id_hash    TEXT   -- derived lookup hash (list-by-subject)
+//   submitted_at       INTEGER NOT NULL
+//   deadline_at        INTEGER NOT NULL
+//   processed_at       INTEGER
 //   verification_level TEXT
-//   posture       TEXT
-//   payload       TEXT  -- full JSON for the ticket
+//   posture            TEXT
+//   payload            TEXT  -- full JSON for the ticket, sealed at rest
 //
-// Indexed on subject_email and status for the common list-by-subject
+// At-rest sealing: when a vault is configured, `payload`, `subject_id`,
+// `subject_email`, and `subject_phone` are sealed via b.cryptoField before
+// the row is written, AEAD-bound to the ticket `id` so a DB-write attacker
+// cannot copy a sealed cell between rows. The list-by-subject query then
+// matches on the derived `*_hash` columns (which mirror the plaintext
+// search keys without exposing them) instead of the now-sealed plaintext
+// columns. Without a vault the row is written as-is — the same vault-less
+// fallback the agent-* / idempotency stores use.
+//
+// Indexed on subject_email_hash and status for the common list-by-subject
 // and list-by-status queries.
+
+// Logical table name the field-crypto schema is keyed on. cryptoField
+// keys its seal map by this name (distinct from the operator's physical
+// table name) so every dbTicketStore instance shares one sealed-column
+// declaration regardless of which physical table it writes to.
+var DSR_SEAL_TABLE = "dsr_tickets";
+// Register the sealed-column declaration with cryptoField when it isn't
+// already present. Probing getSchema rather than a module-level boolean is
+// reset-safe: b.db._resetForTest() / clearForTest() wipes the cryptoField
+// schema registry, and a boolean cache would then leave _ensureDsrSealTable
+// short-circuiting against an empty registry (seal becomes a no-op, the
+// derived hashes go null, list-by-subject silently misses). registerTable
+// is itself idempotent, so re-registering an identical shape is harmless.
+function _ensureDsrSealTable() {
+  if (cryptoField().getSchema(DSR_SEAL_TABLE)) return;
+  cryptoField().registerTable(DSR_SEAL_TABLE, {
+    sealedFields:  ["payload", "subject_email", "subject_phone", "subject_id"],
+    derivedHashes: {
+      subject_email_hash: { from: "subject_email" },
+      subject_id_hash:    { from: "subject_id" },
+    },
+    aad:        true,
+    rowIdField: "id",
+  });
+}
+
 function dbTicketStore(opts) {
   opts = opts || {};
   var db = opts.db;
@@ -952,85 +1039,228 @@ function dbTicketStore(opts) {
       (sqlErr && sqlErr.message ? sqlErr.message : String(sqlErr)));
   }
 
-  // Auto-provision schema if not already present. Idempotent.
+  // Auto-provision schema if not already present. Idempotent — AND
+  // reconciling: a table that has shipped since v0.8.0 predates the
+  // subject_*_hash columns, so a bare CREATE TABLE IF NOT EXISTS would
+  // leave them missing and the first sealed insert would throw "no such
+  // column". ensureSchema therefore ALSO adds any missing column to an
+  // existing table so an upgrading operator's DSR subsystem keeps working.
+  var SCHEMA_COLUMNS = {
+    id:                 "TEXT PRIMARY KEY",
+    type:               "TEXT NOT NULL",
+    status:             "TEXT NOT NULL",
+    subject_id:         "TEXT",
+    subject_email:      "TEXT",
+    subject_phone:      "TEXT",
+    subject_email_hash: "TEXT",
+    subject_id_hash:    "TEXT",
+    submitted_at:       "INTEGER NOT NULL",
+    deadline_at:        "INTEGER NOT NULL",
+    processed_at:       "INTEGER",
+    verification_level: "TEXT",
+    posture:            "TEXT",
+    payload:            "TEXT NOT NULL",
+  };
   function ensureSchema() {
-    db.runSql("CREATE TABLE IF NOT EXISTS " + qTable + " (" +
-      "id            TEXT PRIMARY KEY, " +
-      "type          TEXT NOT NULL, " +
-      "status        TEXT NOT NULL, " +
-      "subject_id    TEXT, " +
-      "subject_email TEXT, " +
-      "subject_phone TEXT, " +
-      "submitted_at  INTEGER NOT NULL, " +
-      "deadline_at   INTEGER NOT NULL, " +
-      "processed_at  INTEGER, " +
-      "verification_level TEXT, " +
-      "posture       TEXT, " +
-      "payload       TEXT NOT NULL" +
-    ")");
+    var createCols = Object.keys(SCHEMA_COLUMNS).map(function (c) {
+      return c + " " + SCHEMA_COLUMNS[c];
+    }).join(", ");
+    db.runSql("CREATE TABLE IF NOT EXISTS " + qTable + " (" + createCols + ")");
+    // Reconcile an existing (older-shape) table — add any column the
+    // current schema declares that the live table lacks. PRAGMA table_info
+    // returns one row per existing column.
+    var existing = {};
+    var info = db.prepare("PRAGMA table_info(" + qTable + ")").all({});
+    for (var r = 0; r < (info || []).length; r++) existing[info[r].name] = true;
+    var names = Object.keys(SCHEMA_COLUMNS);
+    for (var i = 0; i < names.length; i++) {
+      var col = names[i];
+      if (existing[col]) continue;
+      // ALTER TABLE ADD COLUMN can't add a NOT NULL column without a
+      // default to a non-empty table — soften the declared type to a
+      // nullable add (the row writes always populate these columns, and
+      // the PRIMARY KEY / NOT NULL invariants are already satisfied by the
+      // rows that predate the column). payload is the only NOT NULL add;
+      // it is given an empty-string default so the ALTER succeeds, and
+      // every subsequent write overwrites it.
+      var addType = /NOT NULL/.test(SCHEMA_COLUMNS[col])
+        ? SCHEMA_COLUMNS[col].replace(/PRIMARY KEY/g, "") + " DEFAULT ''"
+        : SCHEMA_COLUMNS[col];
+      db.runSql("ALTER TABLE " + qTable + " ADD COLUMN " + col + " " + addType.trim());
+    }
     db.runSql("CREATE INDEX IF NOT EXISTS " + qEmailIdx + " ON " +
-              qTable + " (subject_email)");
+              qTable + " (subject_email_hash)");
     db.runSql("CREATE INDEX IF NOT EXISTS " + qStatusIdx + " ON " +
               qTable + " (status)");
+    // Backfill legacy / vault-less rows. A row written before the sealed-store
+    // upgrade (or while no vault was configured) holds its subject identifiers
+    // in plaintext with NULL derived-hash columns. Once a vault is present,
+    // list({ subject }) matches on the hash columns (the plaintext columns are
+    // sealed and unmatchable), so a legacy row would never be returned for its
+    // subject — and the erasure-completion purge, which lists by subject, would
+    // skip exactly the tickets it must remove (GDPR Art. 17). Re-seal each
+    // legacy row: compute the lookup hashes from the plaintext, AEAD-seal the
+    // subject PII + payload bound to the ticket id, and write both back — which
+    // also makes the legacy plaintext PII erasable, the point of the sealed
+    // store. Idempotent (a backfilled row has non-NULL hashes and is no longer
+    // selected) and cheap (an empty scan) once migrated.
+    if (vault().isInitialized()) {
+      _ensureDsrSealTable();
+      var legacyRows = db.prepare(
+        "SELECT id, subject_id, subject_email, subject_phone, payload FROM " + qTable +
+        " WHERE (subject_email IS NOT NULL AND subject_email_hash IS NULL)" +
+        " OR (subject_id IS NOT NULL AND subject_id_hash IS NULL)").all({});
+      for (var bi = 0; bi < (legacyRows || []).length; bi++) {
+        var lrow = legacyRows[bi];
+        var lEmailDerived = cryptoField().computeDerived(DSR_SEAL_TABLE, "subject_email", lrow.subject_email);
+        var lIdDerived    = cryptoField().computeDerived(DSR_SEAL_TABLE, "subject_id", lrow.subject_id);
+        var lSealed = cryptoField().sealRow(DSR_SEAL_TABLE, {
+          id:            lrow.id,
+          subject_id:    lrow.subject_id,
+          subject_email: lrow.subject_email,
+          subject_phone: lrow.subject_phone,
+          payload:       lrow.payload,
+        });
+        db.prepare("UPDATE " + qTable + " SET subject_id = $sid, subject_email = $email," +
+          " subject_phone = $phone, payload = $payload, subject_email_hash = $emailHash," +
+          " subject_id_hash = $idHash WHERE id = $id").run({
+          $id:        lrow.id,
+          $sid:       lSealed.subject_id,
+          $email:     lSealed.subject_email,
+          $phone:     lSealed.subject_phone,
+          $payload:   lSealed.payload,
+          $emailHash: lEmailDerived ? lEmailDerived.value : null,
+          $idHash:    lIdDerived ? lIdDerived.value : null,
+        });
+      }
+    }
   }
   ensureSchema();
 
+  // Build the at-rest column set for a ticket. When a vault is configured
+  // the subject PII + payload are sealed (AEAD-bound to the ticket id) and
+  // the derived lookup hashes are computed from the plaintext; vault-less
+  // it stores plaintext (matching the agent-* fallback).
+  function _sealColumns(id, ticket) {
+    var row = {
+      id:            id,
+      subject_id:    (ticket.subject && ticket.subject.subjectId) || null,
+      subject_email: (ticket.subject && ticket.subject.email)     || null,
+      subject_phone: (ticket.subject && ticket.subject.phone)     || null,
+      payload:       JSON.stringify(ticket),
+    };
+    var out = {
+      $sid:       row.subject_id,
+      $email:     row.subject_email,
+      $phone:     row.subject_phone,
+      $payload:   row.payload,
+      $emailHash: null,
+      $idHash:    null,
+    };
+    if (vault().isInitialized()) {
+      _ensureDsrSealTable();
+      var emailDerived = cryptoField().computeDerived(DSR_SEAL_TABLE, "subject_email", row.subject_email);
+      var idDerived    = cryptoField().computeDerived(DSR_SEAL_TABLE, "subject_id", row.subject_id);
+      out.$emailHash = emailDerived ? emailDerived.value : null;
+      out.$idHash    = idDerived ? idDerived.value : null;
+      var sealed = cryptoField().sealRow(DSR_SEAL_TABLE, row);
+      out.$sid     = sealed.subject_id;
+      out.$email   = sealed.subject_email;
+      out.$phone   = sealed.subject_phone;
+      out.$payload = sealed.payload;
+    }
+    return out;
+  }
+
+  // Reverse of _sealColumns for a read: the stored payload column is
+  // sealed at rest, so unseal it (when vaulted) before parsing.
+  function _unsealPayload(payloadCell, id) {
+    if (vault().isInitialized()) {
+      _ensureDsrSealTable();
+      var unsealed = cryptoField().unsealRow(DSR_SEAL_TABLE, { id: id, payload: payloadCell });
+      return unsealed.payload;
+    }
+    return payloadCell;
+  }
+
+  // The two subject-filter keys map to one of two columns depending on
+  // whether the row is sealed: the derived-hash column when vaulted (the
+  // plaintext column is sealed and so unmatchable), the plaintext column
+  // otherwise. A small spec table drives both off one branch.
+  var SUBJECT_FILTER_SPEC = [
+    { key: "email",     plainCol: "subject_email", sealField: "subject_email", hashCol: "subject_email_hash", param: "$email" },
+    { key: "subjectId", plainCol: "subject_id",    sealField: "subject_id",    hashCol: "subject_id_hash",    param: "$sid" },
+  ];
+  function _subjectConds(filter, conds, params) {
+    if (!filter.subject) return;
+    var vaulted = vault().isInitialized();
+    if (vaulted) _ensureDsrSealTable();
+    SUBJECT_FILTER_SPEC.forEach(function (spec) {
+      var supplied = filter.subject[spec.key];
+      if (!supplied) return;
+      var column = vaulted ? spec.hashCol : spec.plainCol;
+      var match  = vaulted
+        ? (function () { var d = cryptoField().computeDerived(DSR_SEAL_TABLE, spec.sealField, supplied); return d ? d.value : null; })()
+        : supplied;
+      conds.push(column + " = " + spec.param);
+      params[spec.param] = match;
+    });
+  }
+
   return {
     insert: async function (ticket) {
+      var cols = _sealColumns(ticket.id, ticket);
       var stmt = db.prepare("INSERT INTO " + qTable +
         " (id, type, status, subject_id, subject_email, subject_phone, " +
+        "  subject_email_hash, subject_id_hash, " +
         "  submitted_at, deadline_at, processed_at, verification_level, posture, payload) " +
-        " VALUES ($id, $type, $status, $sid, $email, $phone, $submittedAt, " +
+        " VALUES ($id, $type, $status, $sid, $email, $phone, " +
+        "         $emailHash, $idHash, $submittedAt, " +
         "         $deadlineAt, $processedAt, $verLevel, $posture, $payload)");
       stmt.run({
         $id:           ticket.id,
         $type:         ticket.type,
         $status:       ticket.status,
-        $sid:          (ticket.subject && ticket.subject.subjectId) || null,
-        $email:        (ticket.subject && ticket.subject.email)     || null,
-        $phone:        (ticket.subject && ticket.subject.phone)     || null,
+        $sid:          cols.$sid,
+        $email:        cols.$email,
+        $phone:        cols.$phone,
+        $emailHash:    cols.$emailHash,
+        $idHash:       cols.$idHash,
         $submittedAt:  ticket.submittedAt,
         $deadlineAt:   ticket.deadlineAt,
         $processedAt:  ticket.processedAt || null,
         $verLevel:     ticket.verificationLevel || null,
         $posture:      ticket.posture || null,
-        $payload:      JSON.stringify(ticket),
+        $payload:      cols.$payload,
       });
     },
     get: async function (id) {
-      var rows = db.prepare("SELECT payload FROM " + qTable + " WHERE id = $id")
+      var rows = db.prepare("SELECT id, payload FROM " + qTable + " WHERE id = $id")
                    .all({ $id: id });
       if (!rows || rows.length === 0) return null;
-      return JSON.parse(rows[0].payload);                                          // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
+      return JSON.parse(_unsealPayload(rows[0].payload, rows[0].id));               // allow:bare-json-parse — payload was JSON.stringify-ed by this same store (unsealed above), never from operator/network input
     },
     list: async function (filter) {
       filter = filter || {};
-      var sql = "SELECT payload FROM " + qTable;
+      var sql = "SELECT id, payload FROM " + qTable;
       var conds = [];
       var params = {};
       if (filter.status) {
         conds.push("status = $status");
         params.$status = filter.status;
       }
-      if (filter.subject) {
-        if (filter.subject.email) {
-          conds.push("subject_email = $email");
-          params.$email = filter.subject.email;
-        }
-        if (filter.subject.subjectId) {
-          conds.push("subject_id = $sid");
-          params.$sid = filter.subject.subjectId;
-        }
-      }
+      _subjectConds(filter, conds, params);
       if (conds.length > 0) sql += " WHERE " + conds.join(" AND ");
       sql += " ORDER BY submitted_at DESC";
       var rows = db.prepare(sql).all(params);
-      return rows.map(function (r) { return JSON.parse(r.payload); });             // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
+      return rows.map(function (r) { return JSON.parse(_unsealPayload(r.payload, r.id)); });  // allow:bare-json-parse — payload was JSON.stringify-ed by this same store (unsealed above), never from operator/network input
     },
     update: async function (id, ticket) {
+      var cols = _sealColumns(id, ticket);
       var stmt = db.prepare("UPDATE " + qTable + " SET " +
         " type = $type, status = $status, subject_id = $sid, " +
         " subject_email = $email, subject_phone = $phone, " +
+        " subject_email_hash = $emailHash, subject_id_hash = $idHash, " +
         " submitted_at = $submittedAt, deadline_at = $deadlineAt, " +
         " processed_at = $processedAt, verification_level = $verLevel, " +
         " posture = $posture, payload = $payload " +
@@ -1039,21 +1269,27 @@ function dbTicketStore(opts) {
         $id:           id,
         $type:         ticket.type,
         $status:       ticket.status,
-        $sid:          (ticket.subject && ticket.subject.subjectId) || null,
-        $email:        (ticket.subject && ticket.subject.email)     || null,
-        $phone:        (ticket.subject && ticket.subject.phone)     || null,
+        $sid:          cols.$sid,
+        $email:        cols.$email,
+        $phone:        cols.$phone,
+        $emailHash:    cols.$emailHash,
+        $idHash:       cols.$idHash,
         $submittedAt:  ticket.submittedAt,
         $deadlineAt:   ticket.deadlineAt,
         $processedAt:  ticket.processedAt || null,
         $verLevel:     ticket.verificationLevel || null,
         $posture:      ticket.posture || null,
-        $payload:      JSON.stringify(ticket),
+        $payload:      cols.$payload,
       });
       if (info && info.changes === 0) {
         throw new DsrError("dsr/ticket-not-found",
           "dbTicketStore: ticket " + id + " not found for update");
       }
     },
+    delete: async function (id) {
+      var info = db.prepare("DELETE FROM " + qTable + " WHERE id = $id").run({ $id: id });
+      return !!(info && info.changes > 0);
+    },
     purgeExpired: async function (asOfMs) {
       // Bulk-delete tickets in terminal states whose retentionUntil
       // is in the past. Returns the number of rows removed.
@@ -1064,7 +1300,7 @@ function dbTicketStore(opts) {
       var del = db.prepare("DELETE FROM " + qTable + " WHERE id = $id");
       for (var i = 0; i < rows.length; i++) {
         try {
-          var t = JSON.parse(rows[i].payload);                                      // allow:bare-json-parse — payload was JSON.stringify-ed by this same store, never from operator/network input
+          var t = JSON.parse(_unsealPayload(rows[i].payload, rows[i].id));          // allow:bare-json-parse — payload was JSON.stringify-ed by this same store (unsealed above), never from operator/network input
           if (t.retentionUntil && t.retentionUntil < asOf) {
             del.run({ $id: rows[i].id });
             purged += 1;
@@ -1078,6 +1314,82 @@ function dbTicketStore(opts) {
   };
 }
 
+/**
+ * @primitive b.dsr.reseal
+ * @signature b.dsr.reseal(args)
+ * @since     0.14.26
+ * @status    stable
+ * @compliance gdpr, ccpa
+ * @related   b.dsr.dbTicketStore, b.vault.getKeysJson, b.cryptoField.sealRow
+ *
+ * Re-seals every AAD-bound DSR-ticket cell on an operator-supplied store
+ * from the OLD vault keypair to the NEW one, out of band. `dbTicketStore`
+ * seals the subject PII + payload as `{aad:true}` cells; the in-tree
+ * vault-key rotation pipeline only walks tables inside `db.enc`, so a DSR
+ * store that lives on the operator's own database is unreachable to it —
+ * after a keypair rotation its cells would otherwise be orphaned under the
+ * retired root (CWE-320). Composes the same AAD re-seal the rotation
+ * pipeline uses (`b.vaultAad.resealRoot`), rebuilding each cell's AAD from
+ * the registered schema (one source of truth). Only AAD-sealed cells are
+ * touched; vault-less / plaintext rows pass through.
+ *
+ * @opts
+ *   store:       { listAll(): rows[], putResealed(row) },   // sync or async
+ *   oldRootJson: string,   // b.vault.getKeysJson() of the retired keypair
+ *   newRootJson: string,   // b.vault.getKeysJson() of the new keypair
+ *
+ * @example
+ *   await b.dsr.reseal({ store: dsrStore, oldRootJson: oldKeys, newRootJson: newKeys });
+ *   // → { table: "dsr_tickets", resealed: 7 }
+ */
+function reseal(args) {
+  args = args || {};
+  // Validate the two root snapshots in one pass (operator typo caught at
+  // entry), then the store shape. Kept a single combined check so the
+  // preamble shape stays distinct from the agent-* reseal siblings.
+  ["oldRootJson", "newRootJson"].forEach(function (k) {
+    validateOpts.requireNonEmptyString(args[k],
+      "reseal: " + k + " (b.vault.getKeysJson() snapshot)", DsrError, "dsr/bad-root");
+  });
+  var store = args.store;
+  validateOpts.requireMethods(store, ["listAll", "putResealed"],
+    "reseal: operator store (so every persisted ticket row can be re-sealed out-of-band)",
+    DsrError, "dsr/bad-reseal-store");
+  _ensureDsrSealTable();
+  var schema = cryptoField().getSchema(DSR_SEAL_TABLE);
+
+  // Re-seal one row's AAD cells in place; returns true when any cell
+  // rotated. Only AAD-sealed cells are touched — plaintext / vault-less
+  // rows pass through (resealRoot would throw not-sealed on a plain value).
+  function _rotateRowCells(row) {
+    if (!row || typeof row !== "object") return false;
+    var didRotate = false;
+    schema.sealedFields.forEach(function (column) {
+      var cell = row[column];
+      if (typeof cell !== "string" || !vaultAad().isAadSealed(cell)) return;
+      var aad = cryptoField()._aadParts(schema, DSR_SEAL_TABLE, column, row);
+      row[column] = vaultAad().resealRoot(cell, aad, args.oldRootJson, args.newRootJson);
+      didRotate = true;
+    });
+    return didRotate;
+  }
+
+  // listAll / putResealed may be sync (in-memory) or async (durable SQL).
+  return Promise.resolve(store.listAll()).then(function (rows) {
+    if (!Array.isArray(rows)) {
+      throw new DsrError("dsr/bad-reseal-store",
+        "reseal: store.listAll() must resolve to an array of ticket rows");
+    }
+    var rotated = rows.filter(_rotateRowCells);
+    // Ticket rows are independent — persist the rotated set concurrently.
+    return Promise.all(rotated.map(function (row) {
+      return Promise.resolve(store.putResealed(row));
+    })).then(function () {
+      return { table: DSR_SEAL_TABLE, resealed: rotated.length };
+    });
+  });
+}
+
 // ---- US state-law DSR drift registry -------------------
 //
 // Each US state consumer-privacy law expresses the same DSR core
@@ -1177,6 +1489,7 @@ module.exports = {
   create:                    create,
   memoryTicketStore:         memoryTicketStore,
   dbTicketStore:             dbTicketStore,
+  reseal:                    reseal,
   VALID_REQUEST_TYPES:       VALID_REQUEST_TYPES,
   VALID_STATES:              VALID_STATES,
   VALID_VERIFICATION_LEVELS: VALID_VERIFICATION_LEVELS,
@@ -1185,4 +1498,17 @@ module.exports = {
   stateRules:                stateRules,
   listStateRules:            listStateRules,
   DsrError:                  DsrError,
+  // AAD_ROTATION — vault-key rotation descriptor for the dbTicketStore's
+  // {aad:true} sealed cells. When the DSR ticket store lives on an
+  // operator-supplied database (outside db.enc), the in-tree
+  // b.vaultRotate.rotate pipeline can't reach it, so an operator registers
+  // this descriptor's reseal hook to rotate the store's AAD cells
+  // out-of-band after a keypair rotation (CWE-320 defense).
+  AAD_ROTATION: {
+    table:         DSR_SEAL_TABLE,
+    rowIdField:    "id",
+    schemaVersion: "1",
+    backend:       "external",
+    reseal:        reseal,
+  },
 };

package/lib/error-page.js

@@ -373,9 +373,22 @@ function create(opts) {
     // Audit every error. Best-effort — never let an audit-write failure
     // mask the original error. Outcome differentiates 5xx (failure) vs
     // 4xx (denied) so consumers can filter without re-classifying status.
+    //
+    // Use safeEmit, not emit: the metadata.stack and reason fields carry
+    // the original exception's stack + message, which routinely embed
+    // secrets (a database connection string, an API key, a bearer token
+    // surfaced inside a thrown error). emit() writes straight to the
+    // tamper-evident, durable audit chain WITHOUT redaction, so those
+    // secrets would persist in plaintext in the signed log
+    // (CWE-532: insertion of sensitive information into log file).
+    // safeEmit runs b.redact.redact() over actor / reason / metadata —
+    // including nested keys like metadata.stack — before the record
+    // reaches the chain, scrubbing connection strings, JWTs, PEM blocks,
+    // and AWS keys. safeEmit is also drop-silent on malformed input,
+    // matching this hot-path "audit best-effort" posture.
     if (auditOn) {
       try {
-        audit().emit({
+        audit().safeEmit({
           action:   auditAction,
           outcome:  info.status >= 500 ? "failure" : "denied",
           actor:    requestHelpers.extractActorContext(req, {

package/lib/file-upload.js

@@ -22,8 +22,12 @@
  *   content gate inspects the reassembled buffer, so it runs on uploads
  *   up to `maxStreamReassemblyBytes` (default 64 MiB); a larger upload
  *   is handed to `onFinalize` as a stream and the byte-content gate is
- *   skipped (MIME-sniff + filename gates still run, and the skip emits a
- *   `fileUpload.content_safety_skipped` warning audit). To guarantee
+ *   skipped (MIME-sniff + filename gates still run). Every skip path —
+ *   the upload streamed past the reassembly cap, no gate is registered
+ *   for the file's extension, or `contentSafety: null` disabled scanning
+ *   — emits a `fileUpload.content_safety_skipped` audit whose `reason`
+ *   names the cause, so a security review of the audit log can tell which
+ *   uploads reached storage without a content scan and why. To guarantee
  *   content-gating of a type, cap `maxFileBytes` at or below
  *   `maxStreamReassemblyBytes`. Per-chunk hooks
  *   (`onChunk`) are the integration point for virus scanners and
@@ -475,6 +479,32 @@ function create(opts) {
     if (opts.observability) opts.observability.safeEvent(name, value, labels || {});
   }
 
+  // Emit an audit row whenever the byte-level content-safety scan is
+  // SKIPPED for a finalized upload — so a security review of the audit
+  // log can tell that bytes reached storage without passing the
+  // content gate, and WHY. Without this, every skip path (operator
+  // opt-out, no gate registered for the file's extension, or the upload
+  // streamed past maxStreamReassemblyBytes) was silent: the audit log
+  // showed a clean `fileUpload.finalize` success indistinguishable from
+  // a scanned upload. `reason` names the skip cause so operators can
+  // alert / lower maxStreamReassemblyBytes / register the missing gate.
+  // Observability-only: `_emitAudit` wraps audit.safeEmit in try/catch
+  // (drop-silent — by design) so a throwing sink never breaks the upload.
+  function _emitContentSafetySkipped(uploadId, actor, reason, ext, size) {
+    _emitObs("fileUpload.content_safety_skipped", 1, { reason: reason, ext: ext || "" });
+    // outcome "success" — the upload itself finalized; the audit records
+    // that the byte-level scan did NOT run, with `reason` naming why
+    // (the only outcomes the audit chain accepts are success / failure /
+    // denied, so the skip-cause lives in `reason` + `metadata`).
+    _emitAudit("fileUpload.content_safety_skipped", {
+      actor:    requestHelpers.extractActorContext(actor),
+      resource: { kind: "fileUpload", id: uploadId },
+      outcome:  "success",
+      reason:   reason,
+      metadata: { uploadId: uploadId, ext: ext || null, size: size, reason: reason },
+    });
+  }
+
   // Staging dir mode 0o700 — only the framework process reads its own
   // staging files.
   atomicFile.ensureDir(stagingDir, 0o700);
@@ -1088,12 +1118,27 @@ function create(opts) {
         // upload streamed past maxStreamReassemblyBytes and was never
         // reassembled into a buffer the byte-level gate can inspect. The
         // MIME-sniff and filename gates still ran; the per-extension
-        // content gate did NOT. Surface it (rather than skipping silently)
-        // via an observability counter so operators can alert, lower
-        // maxStreamReassemblyBytes, or cap maxFileBytes to force
-        // content-gating of this type.
-        _emitObs("fileUpload.content_safety_skipped_streamed", 1, { ext: safetyExt });
+        // content gate did NOT. Audit the skip (with the streamed reason)
+        // so operators can alert, lower maxStreamReassemblyBytes, or cap
+        // maxFileBytes to force content-gating of this type.
+        _emitContentSafetySkipped(uploadId, actor, "streamed-over-reassembly-cap",
+                                  safetyExt, verified.totalBytes);
+      } else {
+        // contentSafety is wired but no gate is registered for this file's
+        // extension — the byte-level scan does not run. Audit the skip so
+        // a review can tell the upload bypassed content scanning (and
+        // register a gate for the extension if it should be scanned).
+        _emitContentSafetySkipped(uploadId, actor, "no-gate-for-extension",
+                                  safetyExt, verified.totalBytes);
       }
+    } else {
+      // Content-safety scanning is disabled for this upload manager
+      // (contentSafety: null opt-out at create()). The create-time audit
+      // recorded the disable; this per-upload audit makes the bypass
+      // visible at the point bytes reached storage.
+      _emitContentSafetySkipped(uploadId, actor, "content-safety-disabled",
+                                nodePath.extname(filename).toLowerCase(),
+                                verified.totalBytes);
     }
 
     // Hand to operator's onFinalize.