
[MEDIUM] Backup crypto: pin Argon2 params + use version as AEAD associated data #34

@matthewod11-stack

Description

backup.rs:269-296 uses Argon2::default() without pinning the variant / version / parameters. A future change in the argon2 crate's default params (they've changed before) will make existing encrypted backups undecryptable with no migration path. Additionally, no Associated Data (AAD) is passed to AES-GCM, so the backup version header isn't authenticated against the ciphertext — an attacker can swap version bytes without detection.

Current State

  • src-tauri/src/backup.rs:269-296: Argon2::default() + cipher.encrypt(nonce, data) with no AAD.
  • Salt 16 bytes (good), nonce 12 bytes freshly generated per encryption (good), but params are implicit.

Suggested Fix

  • Pin explicit params:
use argon2::{Algorithm, Argon2, Params, Version};
// m is the memory cost in KiB (19456 KiB = 19 MiB), t the iteration count, p the
// lane count; Some(32) fixes the output length to a 32-byte AES-256 key.
// `?` propagates the Params error, so the enclosing function must return Result.
let argon2 = Argon2::new(
    Algorithm::Argon2id,
    Version::V0x13,
    Params::new(19456 /* m */, 2 /* t */, 1 /* p */, Some(32))?,
);
  • Encode (m, t, p, version) into the backup file header as a fixed-size block so a future change in defaults can still decrypt old backups.
  • Pass version.as_bytes() + Argon2 params as AAD to cipher.encrypt_with_aad. Authenticates the header against ciphertext.
  • Add a "backup format version" constant; increment when format changes.
  • Add a decryption test that reads a known-good backup file from 0.2.0 and verifies decryption still works after future param changes.

Verification

  • cargo test backup passes including round-trip encrypt/decrypt test
  • Manual: export backup on 0.2.0, import on a build with different Argon2 params → still decrypts.

Automation Hints

scope: src-tauri/src/backup.rs
do-not-touch: Keychain, DB access
approach: refactor-to-config
risk: medium (changes backup file format; backward-compat required)
max-files-changed: 1
blocked-by: none
bail-if: cannot maintain backward compatibility with existing backup files

Priority

Medium — forward-compat insurance; mild attack surface reduction.

Metadata

Assignees

No one assigned

Labels

hardening (Reliability or defense-in-depth improvements), security (Security vulnerability or hardening)

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests