feat(unseal): add unseal protocol and crypto infrastructure

2026-02-11 13:31:49 +01:00
parent 8dd0276185
commit bbbb4feaa0
18 changed files with 1323 additions and 88 deletions
--- a/server/crates/arbiter-server/src/db/schema.rs
+++ b/server/crates/arbiter-server/src/db/schema.rs
@@ -1,9 +1,19 @@
 // @generated automatically by Diesel CLI.

 diesel::table! {
-    arbiter_settings (rowid) {
-        rowid -> Integer,
-        root_key_enc -> Nullable<Binary>,
+    aead_encrypted (id) {
+        id -> Integer,
+        current_nonce -> Integer,
+        ciphertext -> Binary,
+        tag -> Binary,
+        schema_version -> Integer,
+    }
+}
+
+diesel::table! {
+    arbiter_settings (id) {
+        id -> Integer,
+        root_key_id -> Nullable<Integer>,
        cert_key -> Binary,
        cert -> Binary,
    }
@@ -11,7 +21,7 @@ diesel::table! {

 diesel::table! {
    key_identity (id) {
-        id -> Nullable<Integer>,
+        id -> Integer,
        name -> Text,
        public_key -> Text,
        created_at -> Integer,
@@ -21,7 +31,7 @@ diesel::table! {

 diesel::table! {
    program_client (id) {
-        id -> Nullable<Integer>,
+        id -> Integer,
        key_identity_id -> Integer,
        created_at -> Integer,
        updated_at -> Integer,
@@ -30,17 +40,19 @@ diesel::table! {

 diesel::table! {
    useragent_client (id) {
-        id -> Nullable<Integer>,
+        id -> Integer,
        key_identity_id -> Integer,
        created_at -> Integer,
        updated_at -> Integer,
    }
 }

+diesel::joinable!(arbiter_settings -> aead_encrypted (root_key_id));
 diesel::joinable!(program_client -> key_identity (key_identity_id));
 diesel::joinable!(useragent_client -> key_identity (key_identity_id));

 diesel::allow_tables_to_appear_in_same_query!(
+    aead_encrypted,
    arbiter_settings,
    key_identity,
    program_client,