
Update clients to interact with (new) server encrypted databases #2113

Merged: penberg merged 5 commits into tursodatabase:main from avinassh:encryption-client on Jul 4, 2025

@avinassh (Member) commented Jun 30, 2025

This patch enables the client to send the encryption key header for encrypted databases. The header we are required to send is x-turso-encryption-key.

To connect to an encrypted database, either remote or offline write, you may use the builder pattern to provide the encryption context. Example:

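```rust
use libsql::{Builder, EncryptionContext, EncryptionKey};

// Send the key only when LIBSQL_ENCRYPTION_KEY is set; otherwise connect without it.
let encryption = if let Ok(key) = std::env::var("LIBSQL_ENCRYPTION_KEY") {
    Some(EncryptionContext {
        key: EncryptionKey::Base64Encoded(key),
    })
} else {
    None
};
let db_builder =
    Builder::new_synced_database(db_path, sync_url, auth_token).remote_encryption(encryption);
```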

This patch also comes with a full example: https://github.com/avinassh/libsql/blob/5b95a1928b821855fced3880caf7871ce032c58b/libsql/examples/encryption_sync.rs
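
A pre-flight check a caller could run on the `LIBSQL_ENCRYPTION_KEY` value before building the `EncryptionContext` shown above. This is an added example, not code from this PR or from libsql; `RemoteKey`, `KeyError` and the 32-byte key length used in `main` are assumptions made for illustration.

```rust
use std::fmt;

/// Hypothetical wrapper, not a libsql type: holds the base64 text that would
/// be sent as `x-turso-encryption-key` and keeps it out of debug output.
pub struct RemoteKey(String);

#[derive(Debug, PartialEq)]
pub enum KeyError { Empty, BadChar(char), BadPadding, BadLength(usize) }

impl RemoteKey {
    /// `expected_len` is the decoded key size in bytes (an assumption the caller supplies).
    pub fn parse(text: &str, expected_len: usize) -> Result<Self, KeyError> {
        let t = text.trim(); // env files often leave a trailing newline
        if t.is_empty() {
            return Err(KeyError::Empty);
        }
        let body = t.trim_end_matches('=');
        let pad = t.len() - body.len();
        // Standard base64 alphabet only: this also rejects CR/LF and spaces,
        // which must never reach a header value.
        let ok = |c: &char| c.is_ascii_alphanumeric() || *c == '+' || *c == '/';
        if let Some(c) = body.chars().find(|c| !ok(c)) {
            return Err(KeyError::BadChar(c));
        }
        if pad > 2 || t.len() % 4 != 0 {
            return Err(KeyError::BadPadding);
        }
        let decoded = t.len() / 4 * 3 - pad;
        if decoded != expected_len {
            return Err(KeyError::BadLength(decoded));
        }
        Ok(RemoteKey(t.to_string()))
    }

    pub fn header_value(&self) -> &str { &self.0 }
}

impl fmt::Debug for RemoteKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "RemoteKey(<redacted, {} chars>)", self.0.len())
    }
}

fn main() {
    // Constructed sample: 44 base64 chars standing in for a 32-byte key.
    let sample = format!("{}=\n", "A".repeat(43));
    println!("{:?}", RemoteKey::parse(&sample, 32));
}
```

The string returned by `header_value()` is what a caller would pass to `EncryptionKey::Base64Encoded`; the `Debug` impl means an accidental `{:?}` in a log line prints the length rather than the key.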

@avinassh avinassh marked this pull request as draft June 30, 2025 09:46
@avinassh avinassh force-pushed the encryption-client branch 7 times, most recently from 1271b0c to 3d73ecf Compare July 4, 2025 15:03
@avinassh avinassh force-pushed the encryption-client branch 6 times, most recently from 1d319a3 to e6a1bdc Compare July 4, 2025 16:47
@avinassh avinassh changed the title wip: add encryption support on client side Update clients to interact with (new) server encrypted databases Jul 4, 2025
@avinassh avinassh marked this pull request as ready for review July 4, 2025 16:48
@avinassh avinassh requested review from Copilot, levydsa and penberg July 4, 2025 16:52

Copilot AI left a comment


Pull Request Overview

This PR enables clients to provide an optional encryption context so that the x-turso-encryption-key header is sent on all sync/remote database requests.

  • Introduce EncryptionContext and EncryptionKey types and export them in the public API
  • Extend SyncContext, HTTP sender, and builders to accept and propagate the encryption context
  • Update tests and examples to pass the new remote_encryption parameter

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| libsql/src/sync/test.rs | Updated test calls to include the new remote_encryption parameter |
| libsql/src/sync.rs | Added remote_encryption field and header injection in sync logic |
| libsql/src/local/database.rs | Propagate remote_encryption when constructing SyncContext |
| libsql/src/lib.rs | Export EncryptionContext and EncryptionKey types |
| libsql/src/hrana/hyper.rs | Add remote_encryption to HTTP sender and include header in requests |
| libsql/src/database/builder.rs | Set default remote_encryption and add builders for encryption |
| libsql/src/database.rs | Define EncryptionKey/EncryptionContext and update DB variants |
| libsql/examples/encryption_sync.rs | New example demonstrating encrypted sync usage |
| libsql/Cargo.toml | Added base64 dependency for encryption encoding |

Comments suppressed due to low confidence (2)

libsql/src/database/builder.rs:309

  • [nitpick] The remote_encryption setter on Builder<RemoteReplica> takes EncryptionContext where other builders accept Option<EncryptionContext>. Consider unifying these signatures for consistency across builder APIs.
        pub fn remote_encryption(mut self, encryption_context: EncryptionContext) -> Builder<RemoteReplica> {

libsql/src/lib.rs:135

  • EncryptionContext and EncryptionKey are only exported under the sync feature, but they’re also needed for remote-only scenarios. Consider exporting them under remote (and/or replication) features so they’re available when sync is disabled.
    pub use database::EncryptionContext;

Comment thread libsql/src/sync.rs
Comment on lines +310 to 315
if let Some(remote_encryption) = &self.remote_encryption {
req = req.header("x-turso-encryption-key", remote_encryption.key.as_string());
}

let req = req.body(body.clone().into()).expect("valid body");
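
Review bot: the key is passed to `req.header(...)` as an ordinary string, so at the `x-turso-encryption-key` line nothing marks the value as sensitive or checks that it is a legal header value. If `req` is an `http::request::Builder`, an invalid value is only reported by the later `req.body(...)` call, where `.expect("valid body")` would panic with a message that points at the body rather than the key. Consider building the `HeaderValue` explicitly, returning an error on failure, and calling `set_sensitive(true)` on it so the key is kept out of debug output.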

Copilot AI Jul 4, 2025

[nitpick] The code for adding the x-turso-encryption-key header is duplicated across multiple methods in SyncContext. Consider extracting this into a helper method to reduce duplication and improve maintainability.

Suggested change
if let Some(remote_encryption) = &self.remote_encryption {
req = req.header("x-turso-encryption-key", remote_encryption.key.as_string());
}
let req = req.body(body.clone().into()).expect("valid body");
self.add_encryption_header(&mut req);
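
Review bot: the proposed `self.add_encryption_header(&mut req)` takes the request by mutable reference, while the existing lines use `req = req.header(...)`, which suggests the builder is consumed and returned by value. A helper that takes the builder and returns it would fit that pattern, and the `let req = req.body(...)` line still has to run after the header is attached.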

@avinassh avinassh force-pushed the encryption-client branch from e6a1bdc to 3c42428 Compare July 4, 2025 17:03
@penberg penberg added this pull request to the merge queue Jul 4, 2025
Merged via the queue into tursodatabase:main with commit a2e9dd4 Jul 4, 2025
19 checks passed
@avinassh avinassh deleted the encryption-client branch July 4, 2025 17:51
@avinassh avinassh mentioned this pull request Jul 22, 2025