Document schema generation #33

@AshlinHarris

Description

In production, the schema should be shared only with developers who are running the linking scripts. The file should be destroyed after use (other than the escrow copy, depending on the study design). I should add a guide on how to generate the schema file.

  • The schema file contains many details that are more or less determined by the study. Obscuring them could have some security benefit, but it's probably more important to keep these details public to allow for peer review of the details and their corresponding test cases.
  • The salt should be completely secret, and nothing in the repo should indicate anything about a production value, including precise length.
  • I should look into the value of adding dummy fields, altering field order, changing format, etc. My impression is that most creative variations will not add worthwhile value over the existing process and could even decrease security in the worst case, in terms of either cryptography or human behavior.

In practice, the schema file should be stored and transmitted as a password.
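The split the issue describes (public field definitions open to peer review, secret salt kept out of the repo) as an added example; this is not the project's own code, and the JSON layout, the `fields` list, and the use of HMAC-SHA256 keyed by the salt for the linking key are all assumptions made for illustration.

```python
"""Generate a linkage schema with a secret salt (illustrative, hypothetical format)."""
import hashlib
import hmac
import json
import os
import secrets
import unicodedata

# Assumed public part of the schema: safe to keep in the repo for peer review.
PUBLIC_SCHEMA = {"version": 1, "fields": ["first_name", "last_name", "dob"]}


def generate_schema(salt_bytes: int = 32) -> dict:
    """Return the public schema plus a fresh, cryptographically random salt.
    The salt is created at generation time and never committed."""
    return {**PUBLIC_SCHEMA, "salt": secrets.token_hex(salt_bytes)}


def write_schema(schema: dict, path: str) -> None:
    """Write the schema file readable only by its owner (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(schema, f)


def load_schema(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def normalize(value: str) -> str:
    # Deterministic normalization so both parties hash identical input.
    return unicodedata.normalize("NFKC", value).strip().casefold()


def link_key(schema: dict, record: dict) -> str:
    """Keyed hash over the schema's fields in schema order. Without the
    salt, the key cannot be recomputed from guessed field values."""
    key = bytes.fromhex(schema["salt"])
    msg = "\x1f".join(normalize(record[f]) for f in schema["fields"])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def redacted(schema: dict) -> dict:
    """Repo-safe view: the salt is dropped entirely, so nothing about its
    value or length is exposed."""
    return {k: v for k, v in schema.items() if k != "salt"}


if __name__ == "__main__":
    schema = generate_schema()
    sample = {"first_name": "Ada", "last_name": "Lovelace", "dob": "1815-12-10"}  # constructed
    print(link_key(schema, sample))
```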
