aletheiadb 0.1.0

A high-performance bi-temporal graph database for LLM integration
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

//! Cipher factory and algorithm selection.
//!
//! Resolves the `Auto` algorithm choice based on hardware capabilities and
//! constructs the appropriate cipher implementation.

use zeroize::Zeroizing;

use crate::encryption::cipher::{
    AES_256_GCM_ID, Aes256GcmCipher, CHACHA20_POLY1305_ID, ChaCha20Poly1305Cipher, Cipher,
};

/// Supported encryption algorithms.
///
/// `Auto` selects the best algorithm based on hardware capabilities at runtime.
#[derive(Debug, Default, Clone, Copy, PartialEq, Eq)]
#[cfg_attr(feature = "config-toml", derive(serde::Serialize, serde::Deserialize))]
#[cfg_attr(feature = "config-toml", serde(rename_all = "kebab-case"))]
pub enum Algorithm {
    /// AES-256-GCM -- preferred when AES-NI hardware acceleration is available.
    Aes256Gcm,
    /// ChaCha20-Poly1305 -- preferred on platforms without AES-NI.
    ChaCha20Poly1305,
    /// Automatically select the best algorithm based on CPU features.
    #[default]
    Auto,
}

impl Algorithm {
    /// Resolve `Auto` to a concrete algorithm based on hardware capabilities.
    ///
    /// - On x86/x86_64 with AES-NI: resolves to `Aes256Gcm`
    /// - Otherwise: resolves to `ChaCha20Poly1305`
    ///
    /// Non-`Auto` variants pass through unchanged.
    #[must_use]
    pub fn resolve(self) -> Self {
        match self {
            Self::Auto => {
                if cpu_has_aes_ni() {
                    Self::Aes256Gcm
                } else {
                    Self::ChaCha20Poly1305
                }
            }
            concrete => concrete,
        }
    }
}

/// Check whether the CPU supports AES-NI hardware acceleration.
#[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
fn cpu_has_aes_ni() -> bool {
    is_x86_feature_detected!("aes")
}

/// Non-x86 platforms do not have AES-NI.
#[cfg(not(any(target_arch = "x86", target_arch = "x86_64")))]
fn cpu_has_aes_ni() -> bool {
    false
}

/// Create a boxed [`Cipher`] for the given algorithm and key.
///
/// If `algorithm` is [`Algorithm::Auto`], it is resolved first via
/// [`Algorithm::resolve`].
pub fn create_cipher(algorithm: Algorithm, key: &Zeroizing<[u8; 32]>) -> Box<dyn Cipher> {
    match algorithm.resolve() {
        Algorithm::Aes256Gcm => Box::new(Aes256GcmCipher::new(key)),
        Algorithm::ChaCha20Poly1305 => Box::new(ChaCha20Poly1305Cipher::new(key)),
        Algorithm::Auto => unreachable!("resolve() always returns a concrete algorithm"),
    }
}

/// Look up an [`Algorithm`] by its numeric wire-format identifier.
///
/// Returns `None` for unknown IDs (including 0 = plaintext).
pub fn algorithm_from_id(id: u8) -> Option<Algorithm> {
    match id {
        AES_256_GCM_ID => Some(Algorithm::Aes256Gcm),
        CHACHA20_POLY1305_ID => Some(Algorithm::ChaCha20Poly1305),
        _ => None,
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use rand::RngCore;

    fn test_key() -> Zeroizing<[u8; 32]> {
        let mut key = Zeroizing::new([0u8; 32]);
        rand::thread_rng().fill_bytes(key.as_mut());
        key
    }

    #[test]
    fn auto_resolves_to_concrete() {
        let resolved = Algorithm::Auto.resolve();
        assert!(
            resolved == Algorithm::Aes256Gcm || resolved == Algorithm::ChaCha20Poly1305,
            "Auto should resolve to AES or ChaCha, got: {resolved:?}"
        );
        // Must not remain Auto
        assert_ne!(resolved, Algorithm::Auto);
    }

    #[test]
    fn explicit_algorithm_stays_unchanged() {
        assert_eq!(Algorithm::Aes256Gcm.resolve(), Algorithm::Aes256Gcm);
        assert_eq!(
            Algorithm::ChaCha20Poly1305.resolve(),
            Algorithm::ChaCha20Poly1305
        );
    }

    #[test]
    fn create_cipher_roundtrips() {
        let key = test_key();
        let plaintext = b"factory test payload";
        let aad = b"test-aad";

        for algo in [Algorithm::Aes256Gcm, Algorithm::ChaCha20Poly1305] {
            let cipher = create_cipher(algo, &key);
            let encrypted = cipher.encrypt(plaintext, aad).unwrap();
            let decrypted = cipher.decrypt(&encrypted, aad).unwrap();
            assert_eq!(decrypted, plaintext, "roundtrip failed for {algo:?}");
        }
    }

    #[test]
    fn algorithm_from_id_known() {
        assert_eq!(algorithm_from_id(1), Some(Algorithm::Aes256Gcm));
        assert_eq!(algorithm_from_id(2), Some(Algorithm::ChaCha20Poly1305));
    }

    #[test]
    fn algorithm_from_id_unknown() {
        assert_eq!(algorithm_from_id(0), None);
        assert_eq!(algorithm_from_id(255), None);
    }

    #[test]
    fn default_is_auto() {
        assert_eq!(Algorithm::default(), Algorithm::Auto);
    }
}