reddb-io-crypto
RedDB's cryptographic authority crate. It owns the canonical
per-page encryption-at-rest envelope (AES-256-GCM), the
mandatory encrypt parameters, and key parsing — paralleling
the reddb-io-file (on-disk artifacts) and reddb-io-wire
(protocol contracts) authority crates under ADR 0046 / 0054.
Scope and boundary
- This crate owns the per-page envelope byte-format ([encrypt_page] / [decrypt_page]), the fixed crypto parameters ([params]), and key parsing ([key::parse_key]).
- reddb-io-file owns the page-0 paged-encryption header (PAGED_ENCRYPTION_MARKER = b"RDBE" / PagedEncryptionHeader): the file-level marker, salt, and key-check slot. That is the self-describing "is this database encrypted, under what salt" authority and is intentionally out of this crate's scope.
- reddb-server orchestrates: it binds a key, decides policy (RED_ENCRYPTION_KEY[_FILE]), and routes pager reads/writes through this envelope. It introduces no second envelope format.
History (#1053)
Two dormant, byte-incompatible envelopes existed for the same
not-yet-shipped feature. This crate consolidates them: the leaner
magic-less frame survives as canonical (it was already embedded in
the page-0 key_check and wired into the dormant pager); the
self-describing RDEP frame is retired, with its typed errors,
OS-CSPRNG nonce source, and key parser carried forward here. See
ADR 0054 for the full rationale.