Additional Authenticated Data (AAD) is required for AES-GCM operations.
AAD is authenticated but not encrypted - use it for metadata like headers or context information.
⚠️ For decryption, you must use the exact same AAD that was used during encryption.