@blamejs/core 0.9.49 → 0.10.2

package/lib/compliance.js

@@ -245,9 +245,40 @@ var KNOWN_POSTURES = Object.freeze([
   "cwe-top-25-2024",             // CWE Top 25 Most Dangerous Software Weaknesses (2024)
   "cis-controls-v8",             // CIS Controls v8
   "cmmc-2.0-level-2",            // CMMC 2.0 Level 2 (Advanced) — 110 NIST 800-171 Rev 2 controls                                                                                                          // allow:raw-byte-literal — NIST pub number / level, not bytes
+  // ---- v0.9.57 — granular CMMC level distinction ----
+  // CMMC 2.0 maturity levels carry distinct control-mapping
+  // expectations: Level 1 = 15 controls (FAR 52.204-21), Level 2 =
+  // 110 controls (NIST 800-171 Rev 2), Level 3 = additional NIST
+  // 800-172 enhanced controls. The umbrella "cmmc-2.0" posture
+  // remains for back-compat with existing operators; the explicit
+  // L1/L2/L3 postures are the recommended pin for new deployments.
+  "cmmc-2.0-level-1",            // CMMC 2.0 Level 1 (Foundational) — 15 FAR controls; FCI-only data        // allow:raw-byte-literal — regulatory identifier, not bytes
+  "cmmc-2.0-level-3",            // CMMC 2.0 Level 3 (Expert) — NIST 800-172 enhanced controls atop L2       // allow:raw-byte-literal — regulatory identifier, not bytes
 ]);
 
-var STATE = { posture: null, setAt: null };
+// SUPPLY-34 — Artifact standards (SBOM / VEX format families) are NOT
+// regulatory regimes. Pinning a posture like `cyclonedx-v1.6` to
+// cascade audit + TLS floors conflates the act of EMITTING a SBOM
+// format with the regulatory floor an operator needs. Operators who
+// emit CycloneDX SBOMs do so because of an underlying regime
+// (FedRAMP SBOM requirement, SSDF PW.4, etc.) — not because emitting
+// the format itself defines the floor.
+//
+// b.compliance.artifactStandards exposes the format catalog as a
+// READ-ONLY channel — operators pick a format (or set of formats)
+// for SBOM / VEX emission without affecting the regulatory posture
+// cascade. The names remain in KNOWN_POSTURES for back-compat
+// (existing operators may have pinned them); pinning them via
+// b.compliance.set emits a `compliance.posture.format_as_regime`
+// audit warning so the misconfiguration is grep-able in the audit
+// chain.
+var ARTIFACT_STANDARDS = Object.freeze([
+  "cyclonedx-v1.6",          // CycloneDX 1.6 SBOM
+  "spdx-v3.0",               // SPDX 3.0 SBOM
+  "vex-csaf-2.1",            // VEX via OASIS CSAF 2.1
+]);
+
+var STATE = { posture: null, setAt: null, fipsMode: false };
 
 function _emitAudit(action, metadata, outcome) {
   try {
@@ -330,6 +361,38 @@ function set(posture) {
   STATE.setAt   = Date.now();
   _emitAudit("compliance.posture.set", { posture: posture });
 
+  // SUPPLY-34 — emit a `format_as_regime` audit warning when an
+  // operator pins an artifact-standard format (cyclonedx-v1.6 /
+  // spdx-v3.0 / vex-csaf-2.1) as the regulatory posture. These names
+  // remain in KNOWN_POSTURES for back-compat but pinning them as the
+  // primary regime conflates "I emit this SBOM/VEX format" with "my
+  // regulatory floor is X". Operators should pin the regulatory
+  // regime (FedRAMP / SSDF / HIPAA / etc.) and surface artifact
+  // standards via b.compliance.artifactStandards.
+  if (ARTIFACT_STANDARDS.indexOf(posture) !== -1) {
+    _emitAudit("compliance.posture.format_as_regime",
+      { posture: posture, artifactStandards: ARTIFACT_STANDARDS,
+        recommendation: "Artifact standards describe what SBOM/VEX format the deployment emits — not the regulatory floor. Pin the underlying regime (e.g. 'nist-800-218-ssdf', 'fedramp-rev5-moderate') and surface emitted formats via b.compliance.artifactStandards()." },
+      "warning");
+  }
+
+  // SUPPLY-21 — emit `fips_conflict` audit warning when posture is
+  // FedRAMP / CMMC L3 AND the framework's PQC-first crypto defaults
+  // are active without an explicit fipsMode opt-in. Operators see
+  // this in the audit chain and either (a) document the deviation
+  // in their SSP or (b) set b.compliance.fipsMode(true) before set()
+  // to switch the audit-signing path to FIPS-validated AES-GCM +
+  // SHA-384.
+  var FIPS_BOUNDARY_POSTURES = ["fedramp-rev5-moderate", "cmmc-2.0-level-3"];
+  if (FIPS_BOUNDARY_POSTURES.indexOf(posture) !== -1 && !STATE.fipsMode) {
+    _emitAudit("compliance.posture.fips_conflict",
+      { posture: posture,
+        cryptoDefaults: "PQC-first (ML-KEM-1024 / SLH-DSA-SHAKE-256f / XChaCha20-Poly1305 / SHA3-512)",
+        fipsMode: false,
+        recommendation: "Call b.compliance.fipsMode(true) BEFORE b.compliance.set() to switch b.audit.sign to FIPS-140-3 validated AES-GCM + SHA-384, or document the PQC-first deviation in the SSP." },
+      "warning");
+  }
+
   // F-POSTURE-1 — cascade the posture into every primitive that owns a
   // posture-conditioned default. Each primitive exposes an
   // `applyPosture(name)` that merges the POSTURE_DEFAULTS entry for the
@@ -480,8 +543,9 @@ function clear() {
 }
 
 function _resetForTest() {
-  STATE.posture = null;
-  STATE.setAt   = null;
+  STATE.posture  = null;
+  STATE.setAt    = null;
+  STATE.fipsMode = false;
 }
 
 // Posture → human-readable name + statutory citation + jurisdiction.
@@ -999,16 +1063,43 @@ var POSTURE_DEFAULTS = Object.freeze({
   "circia":          Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   // ---- v0.9.6 — exceptd framework-control-gap closure cascade ----
   "nist-800-53":             Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
-  "nist-ai-rmf-1.0":         Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // SUPPLY-18 — NIST AI-RMF MANAGE.4.3 / ISO 23894 §6.5 / ISO 42001
+  // §A.6 require encrypted backups for AI system state (model
+  // weights, training data, prompt logs all contain regulated
+  // payload). All AI-domain postures now enforce backupEncryption.
+  "nist-ai-rmf-1.0":         Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "iso-42001-2023":          Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
-  "iso-23894-2023":          Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
-  "owasp-llm-top-10-2025":   Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
-  "owasp-asvs-v5.0":         Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  "iso-23894-2023":          Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  "owasp-llm-top-10-2025":   Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // SUPPLY-19 — OWASP ASVS v5.0 §8.3.4 (sensitive-data deletion)
+  // requires post-delete storage reclamation. Set requireVacuumAfterErase
+  // so operators pinning ASVS v5.0 inherit the proper floor.
+  "owasp-asvs-v5.0":         Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "nist-800-218-ssdf":       Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "nist-800-82-r3":          Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "nist-800-63b-rev4":       Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "iec-62443-3-3":           Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
-  "fedramp-rev5-moderate":   Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  // SUPPLY-21 — FedRAMP Rev 5 Moderate baseline references FIPS 140-3
+  // validated cryptography for protect-against-disclosure controls
+  // (SC-13, SC-28). The framework's PQC-first defaults (ML-KEM-1024,
+  // XChaCha20-Poly1305, SHA3-512) are NOT FIPS-140-3 validated as of
+  // the FedRAMP Rev 5 baseline publication — FIPS modules are still
+  // being certified for the ML-KEM / ML-DSA primitives upstream.
+  //
+  // Conflict resolution: PQC-first remains the framework default
+  // (CLAUDE.md rule §2 — never weaken security middleware), but
+  // operators in a FedRAMP boundary opt into `fipsMode: true` to
+  // switch `b.audit.sign` from SLH-DSA-SHAKE-256f to FIPS-validated
+  // AES-GCM + SHA-384 for the audit-chain signing path. The runtime
+  // emits a `compliance.posture.fips_conflict` audit warning when
+  // posture=fedramp-rev5-moderate AND fipsMode is NOT set so the
+  // conflict is grep-able in the audit chain.
+  //
+  // Operators pinning this posture without setting fipsMode are
+  // signaling "ship the PQC-first defaults and accept that the
+  // FedRAMP boundary will need to document the deviation in their
+  // SSP." The audit warning is the operator-visible signal.
+  "fedramp-rev5-moderate":   Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true, fipsMode: false }),
   "hipaa-security-rule":     Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "hitrust-csf-v11.4":       Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
   "nerc-cip-007-6":          Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
@@ -1023,7 +1114,18 @@ var POSTURE_DEFAULTS = Object.freeze({
   "nist-800-115":            Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "cwe-top-25-2024":         Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "cis-controls-v8":         Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
+  // SUPPLY-20 — CMMC 2.0 levels differ in control mapping:
+  //   L1 (Foundational, 15 FAR controls, FCI data only) — encrypted
+  //       backups NOT mandated; audit-chain encouraged.
+  //   L2 (Advanced, 110 NIST 800-171 Rev 2 controls, CUI data) —
+  //       encrypted backups + signed audit + post-erase vacuum.
+  //   L3 (Expert, NIST 800-172 enhanced atop L2) — same control floor
+  //       as L2 plus operator-attested enhanced practices the
+  //       framework can't auto-cascade (FIPS 140-3 boundary,
+  //       continuous monitoring).
+  "cmmc-2.0-level-1":        Object.freeze({ backupEncryptionRequired: false, auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: false }),
   "cmmc-2.0-level-2":        Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true  }),
+  "cmmc-2.0-level-3":        Object.freeze({ backupEncryptionRequired: true,  auditChainSignedRequired: true, tlsMinVersion: "TLSv1.3", requireVacuumAfterErase: true, fipsMode: false }),
 });
 
 /**
@@ -1202,6 +1304,69 @@ function list() {
   return out;
 }
 
+/**
+ * @primitive b.compliance.artifactStandards
+ * @signature b.compliance.artifactStandards()
+ * @since     0.9.57
+ * @status    stable
+ *
+ * Return the set of SBOM / VEX artifact standards the framework can
+ * emit. These are FORMAT FAMILIES, not regulatory regimes — pinning
+ * one of these names as the deployment's compliance posture conflates
+ * "format I emit" with "regulatory floor I meet" (SUPPLY-34). Pin
+ * the regulatory regime (FedRAMP / SSDF / HIPAA / etc.) via
+ * `b.compliance.set()` and surface the emitted artifact standards via
+ * this read-only catalog.
+ *
+ * @example
+ *   b.compliance.artifactStandards();
+ *   // → ["cyclonedx-v1.6", "spdx-v3.0", "vex-csaf-2.1"]
+ */
+function artifactStandards() {
+  return ARTIFACT_STANDARDS.slice();
+}
+
+/**
+ * @primitive b.compliance.fipsMode
+ * @signature b.compliance.fipsMode(enable?)
+ * @since     0.9.57
+ * @status    stable
+ * @related   b.compliance.set
+ *
+ * Get or set the FIPS-mode flag. When `enable === true`, the
+ * framework's audit-chain signing path (b.audit.sign) switches from
+ * the PQC-first default (SLH-DSA-SHAKE-256f) to a FIPS-140-3
+ * validated AES-GCM + SHA-384 path so a FedRAMP / CMMC L3 boundary
+ * can pin the audit signer to a validated module.
+ *
+ * Call BEFORE b.compliance.set() so the fips_conflict audit warning
+ * doesn't fire at posture-set time. Cannot be toggled after posture
+ * is pinned — runtime switches create half-set crypto state. Returns
+ * the current flag value when called with no argument.
+ *
+ * @example
+ *   b.compliance.fipsMode(true);          // opt into FIPS-validated path
+ *   b.compliance.set("fedramp-rev5-moderate");
+ *   b.compliance.fipsMode();              // → true
+ */
+function fipsMode(enable) {
+  if (enable === undefined) return STATE.fipsMode === true;
+  if (typeof enable !== "boolean") {
+    throw new ComplianceError("compliance/bad-fips-mode",
+      "compliance.fipsMode: argument must be boolean when supplied (got " +
+      typeof enable + ")");
+  }
+  if (STATE.posture) {
+    throw new ComplianceError("compliance/fips-after-set",
+      "compliance.fipsMode: posture is already pinned ('" + STATE.posture +
+      "'); FIPS-mode must be set BEFORE b.compliance.set() — runtime " +
+      "switches create half-set crypto state.");
+  }
+  STATE.fipsMode = enable;
+  _emitAudit("compliance.fips_mode.set", { fipsMode: enable });
+  return STATE.fipsMode;
+}
+
 module.exports = {
   set:                    set,
   current:                current,
@@ -1214,8 +1379,11 @@ module.exports = {
   postureDefault:         postureDefault,
   sanctions:              sanctions,
   aiAct:                  aiAct,
+  artifactStandards:      artifactStandards,
+  fipsMode:               fipsMode,
   KNOWN_POSTURES:         KNOWN_POSTURES,
   POSTURE_DEFAULTS:       POSTURE_DEFAULTS,
+  ARTIFACT_STANDARDS:     ARTIFACT_STANDARDS,
   REGIME_MAP:             REGIME_MAP,
   ComplianceError:        ComplianceError,
   _resetForTest:          _resetForTest,

package/lib/crypto-field.js

@@ -44,6 +44,7 @@
  */
 var lazyRequire = require("./lazy-require");
 var vault = require("./vault");
+var vaultAad = require("./vault-aad");
 var { sha3Hash, kdf } = require("./crypto");
 var { HASH_PREFIX, VAULT_PREFIX, TIME } = require("./constants");
 
@@ -147,6 +148,21 @@ var perRowKeyTables = Object.create(null);
  *   sealedFields:   string[],              // column names sealed via vault.seal
  *   derivedHashes:  { [hashCol]: { from: string, normalize?: fn } },
  *   hashNamespaces: { [field]: string },   // override default rainbow-defense ns
+ *   aad:            boolean,               // when true, route seal/unseal through
+ *                                          // b.vault.aad — AEAD-binds the ciphertext
+ *                                          // to (table, rowIdField=primary key, column)
+ *                                          // so a DB-write attacker can't copy a
+ *                                          // sealed value between rows. CRYPTO-1.
+ *   rowIdField:     string,                // when aad=true, the column name carrying
+ *                                          // the row identity. Default "id". The row
+ *                                          // passed to sealRow MUST already have this
+ *                                          // column populated; sealRow refuses when
+ *                                          // missing (an AAD bound to a placeholder
+ *                                          // would silently fail every unseal).
+ *   schemaVersion:  string|number,         // when aad=true, the schema version
+ *                                          // threaded into AAD. Default "1". Bump
+ *                                          // when the column layout changes to
+ *                                          // invalidate all prior ciphertext.
  *
  * @example
  *   b.cryptoField.registerTable("patients", {
@@ -156,12 +172,26 @@ var perRowKeyTables = Object.create(null);
  *     }
  *   });
  *   b.cryptoField.getSealedFields("patients");   // → ["ssn", "diagnosis"]
+ *
+ *   // AAD-bound table (recommended for new schemas — CRYPTO-1).
+ *   b.cryptoField.registerTable("idempotency_keys", {
+ *     sealedFields: ["headers", "body"],
+ *     aad:          true,
+ *     rowIdField:   "k",       // primary key column
+ *   });
  */
 function registerTable(name, opts) {
+  var aadOn = opts.aad === true;
+  var rowIdField = typeof opts.rowIdField === "string" && opts.rowIdField.length > 0
+    ? opts.rowIdField : "id";
+  var schemaVersion = opts.schemaVersion != null ? String(opts.schemaVersion) : "1";
   schemas[name] = {
     sealedFields:   Array.isArray(opts.sealedFields)   ? opts.sealedFields.slice()   : [],
     derivedHashes:  Object.assign({}, opts.derivedHashes || {}),
     hashNamespaces: Object.assign({}, opts.hashNamespaces || {}),
+    aad:            aadOn,
+    rowIdField:     rowIdField,
+    schemaVersion:  schemaVersion,
   };
 }
 
@@ -327,7 +357,14 @@ function sealRow(table, row) {
       var spec = s.derivedHashes[derivedField];
       var raw = out[spec.from];
       if (raw === undefined || raw === null) continue;
-      var plain = String(raw).startsWith(VAULT_PREFIX) ? vault.unseal(raw) : raw;
+      var plain;
+      if (typeof raw === "string" && raw.startsWith(VAULT_PREFIX)) {
+        plain = vault.unseal(raw);
+      } else if (typeof raw === "string" && vaultAad.isAadSealed(raw)) {
+        plain = vaultAad.unseal(raw, _aadParts(s, table, spec.from, out));
+      } else {
+        plain = raw;
+      }
       var ns = namespaceFor(table, spec.from, s.hashNamespaces);
       var normalized = spec.normalize ? spec.normalize(plain) : String(plain);
       var saltHex2 = vault.getDerivedHashSalt().toString("hex");
@@ -335,17 +372,59 @@ function sealRow(table, row) {
     }
   }
 
-  // Seal fields (vault.seal is idempotent — already-sealed values pass through)
+  // CRYPTO-1 — AAD-bound table requires the row's identity column to
+  // be populated BEFORE sealRow runs. Sealing under a placeholder /
+  // missing rowId produces ciphertext that no later unseal can open
+  // because the AAD on read is computed against the row's actual id.
+  if (s.aad) {
+    var rowId = out[s.rowIdField];
+    if (rowId === undefined || rowId === null || String(rowId).length === 0) {
+      throw new Error("cryptoField.sealRow: table '" + table +
+        "' is AAD-bound (registerTable({aad:true})); the row's identity " +
+        "column '" + s.rowIdField + "' must be populated BEFORE sealRow. " +
+        "Generate the primary key first (e.g. uuid / sequence INSERT … RETURNING), " +
+        "set row." + s.rowIdField + ", then sealRow.");
+    }
+  }
+
+  // Seal fields. Plain mode: vault.seal (idempotent — already-sealed
+  // values pass through). AAD mode: vault.aad.seal binds the AEAD tag
+  // to (table, rowId, column, schemaVersion) — cross-row copy of a
+  // ciphertext fails Poly1305 on read. CRYPTO-1.
   for (var i = 0; i < s.sealedFields.length; i++) {
     var field = s.sealedFields[i];
     if (out[field] !== undefined && out[field] !== null) {
-      out[field] = vault.seal(String(out[field]));
+      if (s.aad) {
+        // Idempotent: already-AAD-sealed values pass through unchanged.
+        if (typeof out[field] === "string" && vaultAad.isAadSealed(out[field])) {
+          continue;
+        }
+        out[field] = vaultAad.seal(String(out[field]),
+          _aadParts(s, table, field, out));
+      } else {
+        // allow:seal-without-aad — plain-mode legacy table; operator
+        // opts into AAD via registerTable({aad:true})
+        out[field] = vault.seal(String(out[field]));
+      }
     }
   }
 
   return out;
 }
 
+// _aadParts — build the canonical AAD object for an AAD-bound table.
+// Threads (table, rowId, column, schemaVersion) so seal + unseal
+// produce the same AAD bytes. Centralized so the seal path and the
+// unseal path can never drift.
+function _aadParts(schema, table, column, row) {
+  return {
+    table:         table,
+    rowId:         String(row[schema.rowIdField]),
+    column:        column,
+    schemaVersion: schema.schemaVersion,
+  };
+}
+
 /**
  * @primitive b.cryptoField.unsealRow
  * @signature b.cryptoField.unsealRow(table, row)
@@ -379,21 +458,39 @@ function unsealRow(table, row) {
     if (out[field]) {
       var unsealed;
       try {
-        unsealed = vault.unseal(out[field]);
+        // Auto-detect the envelope shape so an AAD-bound table that
+        // contains pre-migration plain-vault rows still reads. Read-
+        // side migration is lazy; the next sealRow re-emits AAD-bound.
+        if (typeof out[field] === "string" && vaultAad.isAadSealed(out[field])) {
+          unsealed = vaultAad.unseal(out[field],
+            _aadParts(s, table, field, out));
+        } else if (typeof out[field] === "string" && out[field].startsWith(VAULT_PREFIX)) {
+          unsealed = vault.unseal(out[field]);
+        } else {
+          // Not a sealed value — pass through.
+          unsealed = out[field];
+        }
       } catch (e) {
-        // A DB-write attacker who can write `vault:<crafted>`
-        // payloads to sealed columns can force ML-KEM
-        // decapsulation on attacker-controlled bytes via this read
-        // path. Surface the failure as a chain row so operators
-        // alert on burst patterns; null the field so downstream
-        // code sees "no value" instead of crashing the request.
+        // A DB-write attacker who can write `vault:<crafted>` /
+        // `vault.aad:<crafted>` payloads to sealed columns can force
+        // KEM decapsulation / AEAD verify on attacker-controlled
+        // bytes via this read path. Surface the failure as a chain
+        // row so operators alert on burst patterns; null the field
+        // so downstream code sees "no value" instead of crashing the
+        // request. AAD-shape failures additionally indicate cross-
+        // row copy attempts — the audit metadata flags the shape so
+        // operators can write alert rules.
         try {
-          var auditMod = require("./audit");                                          // allow:inline-require — circular-load defense
-          auditMod.safeEmit({
+          audit().safeEmit({
             action:   "system.crypto.unseal_failed",
             outcome:  "failure",
-            metadata: { table: table, field: field, rowId: row && row._id || null,
-                        reason: (e && e.message) || String(e) },
+            metadata: {
+              table:   table,
+              field:   field,
+              rowId:   out[s.rowIdField] || out._id || null,
+              shape:   s.aad ? "aad" : "plain",
+              reason:  (e && e.message) || String(e),
+            },
           });
         } catch (_e) { /* drop-silent */ }
         unsealed = null;
@@ -818,6 +915,9 @@ function materializePerRowKey(table, rowId, dbHandle) {
   var saltHex = vault.getDerivedHashSalt().toString("hex");
   var ikm = Buffer.from(saltHex + ":" + table + ":" + rowId + ":" + spec.info, "utf8");
   var kRow = kdf(ikm, spec.keySize);
+  // allow:seal-without-aad — per-row K_row wrap; row identity is the
+  // K_row KDF input, not the AEAD AAD on the wrap. Copy-attacks fail
+  // because the wrapped K_row only decrypts data sealed under it.
   var sealed = vault.seal(kRow.toString("base64"));
   dbHandle.prepare(
     'INSERT INTO "_blamejs_per_row_keys" (tableName, rowId, wrappedKey, createdAt) ' +