Problem
BLite provides no way to integrate with external key management systems (Azure Key Vault, AWS KMS, HSM). Without this, teams cannot adopt BLite encryption in production environments that require centralized key management and key rotation policies.
Appetite
Small batch — ~2 days
Solution
New file: src/BLite.Core/Encryption/IKeyProvider.cs

```csharp
public interface IKeyProvider
{
    // Resolved once when the engine opens, not on every page read/write.
    ValueTask<ReadOnlyMemory<byte>> GetKeyAsync(string databaseName, CancellationToken ct);
    ValueTask NotifyKeyRotationAsync(string databaseName, CancellationToken ct);
}
```
Add EncryptionOptions to BLiteEngineOptions:

```csharp
public sealed class EncryptionOptions
{
    public string? Passphrase { get; init; }      // Option 1: direct passphrase (simple apps)
    public IKeyProvider? KeyProvider { get; init; } // Option 2: external KMS (production)
    public EncryptionAlgorithm Algorithm { get; init; } = EncryptionAlgorithm.AesGcm256;
    public KdfAlgorithm Kdf { get; init; } = KdfAlgorithm.Pbkdf2;
    public int KdfIterations { get; init; } = 100_000;
}
```
On engine open: resolve key via IKeyProvider.GetKeyAsync (or derive from passphrase), initialize EncryptionCoordinator, assign providers to all storage components. When encryption is not configured, all providers default to NullCryptoProvider — zero overhead.
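As an added example (not code from the BLite pitch or repository) of how the two options resolve to one key at open time, plus the length check the coordinator should make before accepting it; DictionaryKeyProvider, KeyResolver, the header-salt parameter and the SHA-256 PRF are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical provider: an in-memory dictionary stands in for a real KMS/Key Vault client.
public sealed class DictionaryKeyProvider : IKeyProvider
{
    private readonly IReadOnlyDictionary<string, byte[]> _store;
    public DictionaryKeyProvider(IReadOnlyDictionary<string, byte[]> store) => _store = store;

    public ValueTask<ReadOnlyMemory<byte>> GetKeyAsync(string databaseName, CancellationToken ct)
    {
        ct.ThrowIfCancellationRequested();
        if (!_store.TryGetValue(databaseName, out var key))
            throw new KeyNotFoundException($"No key registered for database '{databaseName}'.");
        return ValueTask.FromResult<ReadOnlyMemory<byte>>(key);
    }

    // Rotation is a separate issue; the provider just acknowledges the notification.
    public ValueTask NotifyKeyRotationAsync(string databaseName, CancellationToken ct)
        => ValueTask.CompletedTask;
}

public static class KeyResolver
{
    // Called once at engine open. Assumed: the PBKDF2 salt is read from the database header.
    public static async ValueTask<byte[]> ResolveAsync(
        EncryptionOptions options, string databaseName, byte[] headerSalt, CancellationToken ct)
    {
        if (options.Passphrase is not null && options.KeyProvider is not null)
            throw new InvalidOperationException("Configure either Passphrase or KeyProvider, not both.");

        byte[] key;
        if (options.KeyProvider is not null)
            key = (await options.KeyProvider.GetKeyAsync(databaseName, ct)).ToArray();
        else if (options.Passphrase is not null)
            key = Rfc2898DeriveBytes.Pbkdf2(options.Passphrase, headerSalt,
                options.KdfIterations, HashAlgorithmName.SHA256, 32); // SHA-256 PRF is an assumption
        else
            throw new InvalidOperationException("Encryption requested without Passphrase or KeyProvider.");

        // AES-GCM-256 requires exactly 32 bytes; reject short or long keys before they reach the coordinator.
        if (key.Length != 32)
            throw new CryptographicException($"Expected a 32-byte key, got {key.Length} bytes.");
        return key;
    }
}
```

The resolver only handles KdfAlgorithm.Pbkdf2, the default in the options above; the caller is expected to zero the returned array once the EncryptionCoordinator has taken ownership of it.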
Rabbit Holes
- The Passphrase option is convenient for development but unsuitable for production — document this clearly.
- IKeyProvider is called once at open time, not on every page read/write.
No-gos
- BLite does not implement its own KMS or key storage.
- Key rotation is a separate issue.