# Security Policy

## Supported versions

Sealcraft is pre-1.0. Security fixes are applied to the `main` branch
and released immediately. Once a stable 1.x line ships, this document
will be updated with a concrete support window.

## Reporting a vulnerability

Please do **not** open a public GitHub issue for security reports.

Email: security@crumbls.com

Include:

- The version(s) of Sealcraft affected
- A description of the issue and its impact
- Reproduction steps or a proof of concept
- Your preferred disclosure timeline, if any

You will receive an acknowledgement within 72 hours. We aim to issue
a fix (or a documented mitigation) within 14 days for severe issues
and 30 days for moderate ones, and to coordinate public disclosure
with the reporter.

## Scope

In scope:

- Cipher, AAD, or context canonicalization bugs that could weaken
  confidentiality or authentication
- KEK provider integrations that could leak plaintext DEKs or mis-
  authenticate unwrap requests
- Crypto-shred correctness (data that should be unrecoverable becoming
  recoverable, or vice versa)
- Eloquent cast and trait behavior that could silently drop AAD
  binding or write plaintext to the database
- Rate-limit / event wiring that could mask or suppress security-
  relevant signals

Out of scope:

- Bugs in third-party dependencies (report those upstream)
- Side-channel attacks on libsodium or the host PHP runtime
- Attacks that require live code execution inside the application
  process (see the threat model in `README.md`)
- Denial of service via forced KMS calls — use your KMS provider's
  rate limits and the `rate_limit.unwrap_per_minute` config knob

## Acknowledgements

We credit reporters in release notes unless they request otherwise.

---

## Documentation

- [Sealcraft](https://documentation.crumbls.com/sealcraft/-/index.md)
- [Changelog](https://documentation.crumbls.com/sealcraft/-/CHANGELOG.md)
- [License](https://documentation.crumbls.com/sealcraft/-/LICENSE.md)
- [Agent notes: sealcraft](https://documentation.crumbls.com/sealcraft/-/AGENTS.md)
- [ADR-0001: Active-DEK uniqueness](https://documentation.crumbls.com/sealcraft/-/adr/0001-active-dek-uniqueness-in-app-layer.md)
- [ADR-0002: Per-row requires explicit backfill](https://documentation.crumbls.com/sealcraft/-/adr/0002-per-row-requires-explicit-backfill.md)
- [API Reference](https://documentation.crumbls.com/sealcraft/-/api-reference/_index.md)
- [AWS KMS](https://documentation.crumbls.com/sealcraft/-/providers/aws-kms.md)
- [Advanced](https://documentation.crumbls.com/sealcraft/-/advanced/_index.md)
- [Architecture](https://documentation.crumbls.com/sealcraft/-/advanced/architecture.md)
- [Architecture Decisions](https://documentation.crumbls.com/sealcraft/-/adr/_index.md)
- [Azure Key Vault](https://documentation.crumbls.com/sealcraft/-/providers/azure-key-vault.md)
- [Ciphers](https://documentation.crumbls.com/sealcraft/-/advanced/ciphers.md)
- [Configuration](https://documentation.crumbls.com/sealcraft/-/configuration.md)
- [Contracts](https://documentation.crumbls.com/sealcraft/-/api-reference/contracts.md)
- [Crypto-Shred](https://documentation.crumbls.com/sealcraft/-/key-management/crypto-shred.md)
- [DEK Rotation](https://documentation.crumbls.com/sealcraft/-/key-management/dek-rotation.md)
- [Delegated Context](https://documentation.crumbls.com/sealcraft/-/encryption-contexts/delegated-context.md)
- [Encrypted JSON](https://documentation.crumbls.com/sealcraft/-/getting-started/encrypted-json.md)
- [Encryption Contexts](https://documentation.crumbls.com/sealcraft/-/encryption-contexts/_index.md)
- [Events](https://documentation.crumbls.com/sealcraft/-/events.md)
- [Exceptions](https://documentation.crumbls.com/sealcraft/-/api-reference/exceptions.md)
- [GCP Cloud KMS](https://documentation.crumbls.com/sealcraft/-/providers/gcp-kms.md)
- [Getting Started](https://documentation.crumbls.com/sealcraft/-/getting-started/_index.md)
- [HashiCorp Vault Transit](https://documentation.crumbls.com/sealcraft/-/providers/vault-transit.md)
- [Installation](https://documentation.crumbls.com/sealcraft/-/installation.md)
- [Introduction](https://documentation.crumbls.com/sealcraft/-/introduction.md)
- [KEK Providers](https://documentation.crumbls.com/sealcraft/-/providers/_index.md)
- [KEK Rotation](https://documentation.crumbls.com/sealcraft/-/key-management/kek-rotation.md)
- [Key Management](https://documentation.crumbls.com/sealcraft/-/key-management/_index.md)
- [KeyManager](https://documentation.crumbls.com/sealcraft/-/api-reference/key-manager.md)
- [Local Provider](https://documentation.crumbls.com/sealcraft/-/providers/local.md)
- [Model Integration](https://documentation.crumbls.com/sealcraft/-/getting-started/model-integration.md)
- [Moving columns from APP_KEY to Sealcraft](https://documentation.crumbls.com/sealcraft/-/advanced/migrating-from-app-key.md)
- [Per-Column Override](https://documentation.crumbls.com/sealcraft/-/encryption-contexts/per-column-override.md)
- [Per-Group Strategy](https://documentation.crumbls.com/sealcraft/-/encryption-contexts/per-group.md)
- [Per-Row Strategy](https://documentation.crumbls.com/sealcraft/-/encryption-contexts/per-row.md)
- [Performance](https://documentation.crumbls.com/sealcraft/-/advanced/performance.md)
- [Provider Migration](https://documentation.crumbls.com/sealcraft/-/key-management/provider-migration.md)
- [Testing](https://documentation.crumbls.com/sealcraft/-/testing.md)
- [Threat Model](https://documentation.crumbls.com/sealcraft/-/advanced/threat-model.md)
- [Troubleshooting](https://documentation.crumbls.com/sealcraft/-/troubleshooting.md)
- [v1](https://documentation.crumbls.com/sealcraft/-/_index.md)
