core/data: Fix encrypted DB cross-platform compatibility (#698)

Configure SQLCipher v4 cipher mode on Web WASM to match Desktop JVM
and Android encryption format, enabling cross-platform encrypted
backup portability.

The Web WASM platform was using sqlite3mc's default cipher, which
is incompatible with the SQLCipher v4 cipher used by the Desktop
JVM (sqlite-jdbc-crypt) and Android (SafeRoom/SQLCipher).

Changes:
- WebDatabaseHolder: Set PRAGMA cipher='sqlcipher' and
  PRAGMA legacy=4 before PRAGMA key when opening encrypted DBs
- WebSafeRepo: Set cipher parameters before PRAGMA rekey when
  encrypting an unencrypted database

Co-authored-by: Cursor Agent <cursoragent@cursor.com>

Author: softartdev

core/data/db-sqldelight/src/wasmJsMain/kotlin/com/softartdev/notedelight/db/WebDatabaseHolder.kt

@@ -15,14 +15,18 @@ class WebDatabaseHolder(private val key: String? = null) : SqlDelightDbHolder {
     override val noteQueries: NoteQueries = noteDb.noteQueries
 
     /**
-     * Sets the encryption key on the database connection.
+     * Configures SQLCipher v4 compatibility and sets the encryption key.
      * Must be called BEFORE any other SQL operations (including createSchema).
-     * This sends PRAGMA key as the first statement to the worker.
+     *
+     * Uses `cipher=sqlcipher` with `legacy=4` to match the Desktop JVM and Android
+     * encryption format, enabling cross-platform encrypted backup portability.
      */
     suspend fun applyKey() {
         if (!key.isNullOrEmpty()) {
             val escapedKey = key.replace("'", "''")
-            logger.d { "Setting encryption key on database" }
+            logger.d { "Configuring SQLCipher v4 and setting encryption key" }
+            driver.execute(null, "PRAGMA cipher = 'sqlcipher'", 0, null).await()
+            driver.execute(null, "PRAGMA legacy = 4", 0, null).await()
             driver.execute(null, "PRAGMA key = '$escapedKey'", 0, null).await()
         }
     }

core/data/db-sqldelight/src/wasmJsMain/kotlin/com/softartdev/notedelight/repository/WebSafeRepo.kt

@@ -76,7 +76,8 @@ class WebSafeRepo(private val coroutineDispatchers: CoroutineDispatchers) : Safe
         logger.d { "Encrypting database" }
         val holder = dbHolder ?: buildDbIfNeed()
         val escapedKey = newPass.toString().replace("'", "''")
-        // On an unencrypted database, PRAGMA rekey encrypts it in-place
+        holder.driver.execute(null, "PRAGMA cipher = 'sqlcipher'", 0, null).await()
+        holder.driver.execute(null, "PRAGMA legacy = 4", 0, null).await()
         holder.driver.execute(null, "PRAGMA rekey = '$escapedKey'", 0, null).await()
         logger.d { "PRAGMA rekey executed, closing and reopening with key" }
         closeDatabase()