perf: centralized and memoized AES-256-GCM cryptographic helper library (#51)

[prakshithamalla-art]

Closes #51

🎯 Overview & Motivation

The processing workflows for runtime secrets and application credentials relied on scattered local crypto instances or lacked clear key error verification bounds. This resulted in redundant memory allocation during heavy sandbox synchronization loops.

This PR centralizes the application's cryptographic infrastructure inside a singular utility file (lib/crypto.ts) using high-performance symmetric aes-256-gcm algorithms, while adding dynamic allocation caching for the key buffers.

🛠️ Changes Implemented

• Created a shared cryptographic driver utility at lib/crypto.ts.
• Implemented cachedKeyBuffer memoization variables to eliminate repetitive Buffer.from string evaluations on hot execution paths.
• Formulated a standard serialization layout format (iv:authTag:encryptedData) with strict runtime validations for ENCRYPTION_KEY availability.
• Added strict, secure catch boundaries to prevent processing failures from silently leaking or destabilizing deployment routers.

Summary by CodeRabbit

• Security Updates
  • Enhanced cryptographic implementation with improved encryption and decryption operations
  • Updated environment variable requirement: ENCRYPTION_KEY
  • Reinforced error handling and validation for secure operations

[vercel]

@prakshithamalla-art is attempting to deploy a commit to the Deekshith Gowda HS's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

lib/crypto.ts transitions from NEXTAUTH_SECRET-derived keys to environment-bound ENCRYPTION_KEY with cached 32-byte key derivation, replaces getKey/encrypt/decrypt exports with encryptSecret/decryptSecret, and serializes all payloads as colon-delimited hex components with random IV and GCM auth-tag verification.

Changes

Encryption Module Refactor

Layer / File(s)	Summary
Key Derivation and Configuration lib/crypto.ts	Module imports crypto, defines algorithm (aes-256-gcm), IV_LENGTH (12 bytes), and AUTH_TAG_LENGTH (16 bytes) constants, and adds internal cached getKeyBuffer() helper that derives a 32-byte key from process.env.ENCRYPTION_KEY, throwing if unset and padding/truncating as needed.
Encryption API lib/crypto.ts	encryptSecret(cleartext) replaces encrypt(): returns "" for empty input, creates a random 12-byte IV, encrypts plaintext using AES-256-GCM with cached key, retrieves auth tag, serializes result as ivHex:authTagHex:encryptedHex, and throws on encryption/serialization failure.
Decryption API lib/crypto.ts	decryptSecret(encryptedPayload) replaces decrypt(): returns "" for missing or invalidly formatted (non-colon-delimited) input, parses ivHex, authTagHex, and encryptedText components, recreates cipher with cached key and IV, sets auth tag via setAuthTag(), decrypts, and throws on decryption or authentication failure.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Possibly related PRs

• deekshithgowda85/SecDev#79: Both PRs modify the AES-GCM crypto implementation in lib/crypto.ts (format/key derivation and exported helper APIs), and PR #79 adds tests that would need updating for the main PR's encryptSecret/decryptSecret changes.

Suggested labels

type:performance, type:security, level:critical

Poem

🐰 A rabbit hops through crypto streams,
New keys from ENCRYPTION_KEY dreams,
With hex payloads wrapped just right,
Auth tags dancing in the night,
Secrets safe—the future's bright! 🔐

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Linked Issues check	❓ Inconclusive	The pull request successfully implements centralized AES-256-GCM with memoization and strict ENCRYPTION_KEY validation in lib/crypto.ts, but the linked issue requires modifications to both lib/crypto.ts and app/api/secrets/route.ts.	Confirm whether changes to app/api/secrets/route.ts are necessary to fully close issue #51, or if modifications to lib/crypto.ts alone satisfy the requirements.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: implementing a centralized, memoized AES-256-GCM cryptographic helper library, which directly aligns with the code refactoring from scattered crypto instances to a unified lib/crypto.ts.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the linked issue objectives: centralizing crypto logic, implementing memoization, enforcing runtime validation, and establishing error boundaries in lib/crypto.ts.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}