add an app_id to the encryption AAD

docs/src/sync-protocol.md

@@ -53,21 +53,29 @@ The salt is the SHA256 hash of the 16-byte form of the client key.
 #### Encryption
 
 The client uses [AEAD](https://commondatastorage.googleapis.com/chromium-boringssl-docs/aead.h.html), with algorithm CHACHA20_POLY1305.
-Each encrypted payload has an associated version ID.
-The 16-byte form of this UUID is used as the associated data (AAD) with the AEAD algorithm.
 The client should generate a random nonce, noting that AEAD is _not secure_ if a nonce is used repeatedly for the same key.
 
+AEAD supports additional authenticated data (AAD) which must be provided for both open and seal operations.
+In this protocol, the AAD is always 17 bytes of the form:
+ * `app_id` (byte) - always 1
+ * `version_id` (16 bytes) - 16-byte form of the version ID associated with this data
+   * for versions (AddVersion, GetChildVersion), the _parent_ version_id
+   * for snapshots (AddSnapshot, GetSnapshot), the snapshot version_id
+
+The `app_id` field is for future expansion to handle other, non-task data using this protocol.
+Including it in the AAD ensures that such data cannot be confused with task data.
+
 Although the AEAD specification distinguishes ciphertext and tags, for purposes of this specification they are considered concatenated into a single bytestring as in BoringSSL's `EVP_AEAD_CTX_seal`.
 
 #### Representation
 
-The final byte-stream is comprised of the following structure, with integers represented in network-endian format.
+The final byte-stream is comprised of the following structure:
 
-* `version` (32-bit int) - format version (always 1)
+* `version` (byte) - format version (always 1)
 * `nonce` (12 bytes) - encryption nonce
 * `ciphertext` (remaining bytes) - ciphertext from sealing operation
 
-Future versions may have a completely different format.
+The `version` field identifies this data format, and future formats will have a value other than 1 in this position.
 
 ### Version