feat(server::key_holder): unique index on (root_key_id, nonce) to avoid nonce reuse

server/crates/arbiter-server/src/db/models.rs

@@ -24,6 +24,7 @@ pub struct AeadEncrypted {
     pub tag: Vec<u8>,
     pub current_nonce: Vec<u8>,
     pub schema_version: i32,
+    pub associated_root_key_id: i32, // references root_key_history.id
     pub created_at: i32,
 }
 

server/crates/arbiter-server/src/db/schema.rs

@@ -7,6 +7,7 @@ diesel::table! {
         ciphertext -> Binary,
         tag -> Binary,
         schema_version -> Integer,
+        associated_root_key_id -> Integer,
         created_at -> Integer,
     }
 }
@@ -52,6 +53,7 @@ diesel::table! {
     }
 }
 
+diesel::joinable!(aead_encrypted -> root_key_history (associated_root_key_id));
 diesel::joinable!(arbiter_settings -> root_key_history (root_key_id));
 
 diesel::allow_tables_to_appear_in_same_query!(