update documentation about 0.db admin db + symmetric encryption + include RPC examples + asymmetric transpart named key instances for encryption and signatures

docs/basics.md

@@ -1,4 +1,58 @@
-Here's an expanded version of the cmds.md documentation to include the list commands:
+# HeroDB Basics
+
+## Launching HeroDB
+
+To launch HeroDB, use the binary with required and optional flags. The `--admin-secret` flag is mandatory, encrypting the admin database (DB 0) and authorizing admin access.
+
+### Launch Flags
+- `--dir <path>`: Directory for database files (default: current directory).
+- `--port <port>`: TCP port for Redis protocol (default: 6379).
+- `--debug`: Enable debug logging.
+- `--sled`: Use Sled backend (default: Redb).
+- `--enable-rpc`: Start JSON-RPC management server on port 8080.
+- `--rpc-port <port>`: Custom RPC port (default: 8080).
+- `--admin-secret <secret>`: Required secret for DB 0 encryption and admin access.
+
+Example:
+```bash
+./target/release/herodb --dir /tmp/herodb --admin-secret mysecret --port 6379 --enable-rpc
+```
+
+Deprecated flags (`--encrypt`, `--encryption-key`) are ignored for data DBs; per-database encryption is managed via RPC.
+
+## Admin Database (DB 0)
+
+DB 0 acts as the administrative database instance, storing metadata for all user databases (IDs >= 1). It controls existence, access control, and per-database encryption. DB 0 is always encrypted with the `--admin-secret`.
+
+When creating a new database, DB 0 allocates an ID, registers it, and optionally stores a per-database encryption key (write-only). Databases are public by default; use RPC to set them private, requiring access keys for SELECT (read or readwrite based on permissions). Keys are persisted in DB 0 for managed AGE operations.
+
+Access DB 0 with `SELECT 0 KEY <admin-secret>`.
+
+## Symmetric Encryption
+
+HeroDB supports stateless symmetric encryption via SYM commands, using XChaCha20-Poly1305 AEAD.
+
+Commands:
+- `SYM KEYGEN`: Generate 32-byte key. Returns base64-encoded key.
+- `SYM ENCRYPT <key_b64> <message>`: Encrypt message. Returns base64 ciphertext.
+- `SYM DECRYPT <key_b64> <ciphertext_b64>`: Decrypt. Returns plaintext.
+
+Example:
+```bash
+redis-cli SYM KEYGEN
+# → base64_key
+
+redis-cli SYM ENCRYPT base64_key "secret"
+# → base64_ciphertext
+
+redis-cli SYM DECRYPT base64_key base64_ciphertext
+# → "secret"
+```
+
+## RPC Options
+
+Enable the JSON-RPC server with `--enable-rpc` for database management. Methods include creating databases, managing access keys, and setting encryption. See [JSON-RPC Examples](./rpc_examples.md) for payloads.
+
 # HeroDB Commands
 
 HeroDB implements a subset of Redis commands over the Redis protocol. This document describes the available commands and their usage.
@@ -575,6 +629,29 @@ redis-cli -p $PORT AGE LIST
 #    2) "keyname2"
 ```
 
+## SYM Commands
+
+### SYM KEYGEN
+Generate a symmetric encryption key.
+```bash
+redis-cli -p $PORT SYM KEYGEN
+# → base64_encoded_32byte_key
+```
+
+### SYM ENCRYPT
+Encrypt a message with a symmetric key.
+```bash
+redis-cli -p $PORT SYM ENCRYPT <key_b64> "message"
+# → base64_encoded_ciphertext
+```
+
+### SYM DECRYPT
+Decrypt a ciphertext with a symmetric key.
+```bash
+redis-cli -p $PORT SYM DECRYPT <key_b64> <ciphertext_b64>
+# → decrypted_message
+```
+
 ## Server Information Commands
 
 ### INFO
@@ -621,3 +698,27 @@ This expanded documentation includes all the list commands that were implemented
 10. LINDEX - get element by index
 11. LRANGE - get range of elements
 
+
+## Updated Database Selection and Access Keys
+
+HeroDB uses an `Admin DB 0` to control database existence, access, and encryption. Access to data DBs can be public (no key) or private (requires a key). See detailed model in `docs/admin.md`.
+
+Examples:
+
+```bash
+# Public database (no key required)
+redis-cli -p $PORT SELECT 1
+# → OK
+```
+
+```bash
+# Private database (requires access key)
+redis-cli -p $PORT SELECT 2 KEY my-db2-access-key
+# → OK
+```
+
+```bash
+# Admin DB 0 (requires admin secret)
+redis-cli -p $PORT SELECT 0 KEY my-admin-secret
+# → OK
+```