fix(crypto): reject legacy page format in encrypted files and strip encryption on empty recipients

- Decoder now rejects pages without the size flag when the file is
  encrypted, preventing bypass of per-page AEAD verification
- FileSpec.WriteTo clears encryption header fields when no recipient
  keys are configured, preventing corrupt output from rekey without
  -encrypt-to

Author: corylanou

decoder.go

@@ -279,6 +279,11 @@ func (dec *Decoder) DecodePage(hdr *PageHeader, data []byte) error {
 		return err
 	}
 
+	// Encrypted files must use the size-prefixed block format.
+	if dec.encrypted && hdr.Flags&PageHeaderFlagSize == 0 {
+		return fmt.Errorf("encrypted file contains page without size flag (pgno=%d)", hdr.Pgno)
+	}
+
 	// Read page data using format-specific approach.
 	if hdr.Flags&PageHeaderFlagSize != 0 {
 		// New block format: read size prefix, then data.

decoder_test.go

@@ -431,6 +431,56 @@ func TestDecoder_Encrypted(t *testing.T) {
 	})
 }
 
+func TestFileSpec_StripEncryptionWhenNoRecipients(t *testing.T) {
+	pub, priv, _ := ltx.GenerateKeyPair()
+
+	pageData := make([]byte, 1024)
+	pageData[0] = 0xAB
+
+	chksum := ltx.ChecksumFlag | ltx.ChecksumPage(1, pageData)
+
+	// Create encrypted file.
+	var encBuf bytes.Buffer
+	spec := ltx.FileSpec{
+		Header: ltx.Header{
+			Version: ltx.Version, PageSize: 1024, Commit: 1,
+			MinTXID: 1, MaxTXID: 1, Timestamp: 1000,
+		},
+		Pages:   []ltx.PageSpec{{Header: ltx.PageHeader{Pgno: 1}, Data: pageData}},
+		Trailer: ltx.Trailer{PostApplyChecksum: chksum},
+
+		RecipientPublicKeys: [][]byte{pub},
+	}
+	if _, err := spec.WriteTo(&encBuf); err != nil {
+		t.Fatal(err)
+	}
+
+	// Read back with key.
+	var spec2 ltx.FileSpec
+	if _, err := spec2.ReadFromWithKey(bytes.NewReader(encBuf.Bytes()), priv); err != nil {
+		t.Fatal(err)
+	}
+
+	// Write without recipients — should produce a valid unencrypted file.
+	spec2.RecipientPublicKeys = nil
+	var plainBuf bytes.Buffer
+	if _, err := spec2.WriteTo(&plainBuf); err != nil {
+		t.Fatal(err)
+	}
+
+	// Verify the output is readable without a key.
+	var spec3 ltx.FileSpec
+	if _, err := spec3.ReadFrom(bytes.NewReader(plainBuf.Bytes())); err != nil {
+		t.Fatalf("expected unencrypted file to be readable without key: %v", err)
+	}
+	if spec3.Header.Encrypted() {
+		t.Fatal("expected header to not have encrypted flag")
+	}
+	if !bytes.Equal(spec3.Pages[0].Data, pageData) {
+		t.Fatal("page data mismatch")
+	}
+}
+
 func TestDecoder_64KBPageSize(t *testing.T) {
 	const pageSize = 65536 // 64KB - maximum SQLite page size
 

file_spec.go

@@ -26,6 +26,15 @@ func (s *FileSpec) WriteTo(dst io.Writer) (n int64, err error) {
 		if err := enc.SetEncryption(s.RecipientPublicKeys); err != nil {
 			return 0, fmt.Errorf("set encryption: %s", err)
 		}
+	} else {
+		// Clear encryption header fields when no recipients are configured.
+		// This prevents writing a corrupt file when a previously-encrypted
+		// FileSpec is written without recipients (e.g. ltx rekey without -encrypt-to).
+		s.Header.Flags &^= HeaderFlagEncryptedHPKE
+		s.Header.RecipientCount = 0
+		s.Header.KEMID = 0
+		s.Header.KDFID = 0
+		s.Header.AEADID = 0
 	}
 
 	if err := enc.EncodeHeader(s.Header); err != nil {