Skip to content

feat: extract encryption into @kilocode/encryption package#697

Merged
iscekic merged 10 commits intomainfrom
chore/worker-utils-encryption
Mar 1, 2026
Merged

feat: extract encryption into @kilocode/encryption package#697
iscekic merged 10 commits intomainfrom
chore/worker-utils-encryption

Conversation

@iscekic
Copy link
Contributor

@iscekic iscekic commented Mar 1, 2026
edited
Loading

Summary

  • Extracts existing node:crypto encryption code into a new @kilocode/encryption workspace package
  • No API changes — all functions remain synchronous, wire format is identical, PKCS#1 keys keep working
  • Workers using this package have Node.js compat, so no need to rewrite to Web Crypto API

Changes

  • packages/encryption/ — new @kilocode/encryption package containing:

    • encryptWithPublicKey, decryptWithPrivateKey (RSA-OAEP + AES-256-GCM envelope)
    • encryptWithSymmetricKey, decryptWithSymmetricKey (AES-256-GCM symmetric)
    • decryptSecrets, mergeEnvVarsWithSecrets (batch helpers, lifted from cloud-agent wrappers)
    • Error classes: EncryptionConfigurationError, EncryptionFormatError
    • 19 tests covering RSA, symmetric, batch helpers

  • Consumer updates (all thin re-export layers, no logic changes):

    • src/lib/encryption.ts — re-exports from @kilocode/encryption
    • cloud-agent{,-next}/src/utils/encryption.ts — re-exports with aliases (DecryptionConfigurationError, etc.)
    • cloudflare-deploy-infra/builder/src/env-decryptor.ts — imports from @kilocode/encryption
    • cloud-agent{,-next}/src/utils/encryption.test.ts — imports encryptWithPublicKey from package

  • Infrastructure: workspace registration, @kilocode/encryption dep in root + cloud-agent + cloud-agent-next + deploy-infra/builder, tsconfig path alias

What does NOT change

  • All function signatures remain synchronous (no await changes at call sites)
  • PKCS#1 private keys continue to work (node:crypto handles both formats)
  • Wire format is identical — zero migration risk
  • Symmetric encryption included in the package for completeness

Base: chore/worker-utils (PR #683)

@iscekic iscekic self-assigned this Mar 1, 2026
@iscekic iscekic mentioned this pull request Mar 1, 2026
Merged
kilo-code-bot[bot]
kilo-code-bot bot reviewed Mar 1, 2026
View reviewed changes
@kilo-code-bot
Copy link
Contributor

kilo-code-bot bot commented Mar 1, 2026
edited
Loading

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
jest.config.ts 25-34 Missing moduleNameMapper entry for @kilocode/encryption. Both @kilocode/db and @kilocode/worker-utils have explicit Jest module mappers (pointing to their src/index.ts), but the new @kilocode/encryption package does not. Since src/lib/encryption.ts now re-exports from @kilocode/encryption, any Jest test that transitively imports encryption may fail to resolve the module. Add: '^@kilocode/encryption$': '<rootDir>/packages/encryption/src/index.ts' to moduleNameMapper.
Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File Line Issue
jest.config.ts 25-34 [WARNING] Missing moduleNameMapper for @kilocode/encryption — the moduleNameMapper section was not modified in this PR, but it needs a new entry to match the pattern used by @kilocode/db and @kilocode/worker-utils. Without it, Jest tests that transitively import @/lib/encryption (which now re-exports from @kilocode/encryption) may fail with module resolution errors.
Files Reviewed (28 files)
  • cloud-agent-next/package.json - 0 issues
  • cloud-agent-next/src/utils/encryption.test.ts - deleted
  • cloud-agent-next/src/utils/encryption.ts - 0 new issues
  • cloud-agent/package.json - 0 issues
  • cloud-agent/src/utils/encryption.test.ts - deleted
  • cloud-agent/src/utils/encryption.ts - 0 new issues
  • cloudflare-db-proxy/package.json - 0 issues
  • cloudflare-db-proxy/src/utils/auth.ts - 0 issues
  • cloudflare-deploy-infra/builder/package.json - 0 issues
  • cloudflare-deploy-infra/builder/src/env-decryptor.ts - 0 issues
  • cloudflare-webhook-agent-ingest/package.json - 0 issues
  • cloudflare-webhook-agent-ingest/src/util/webhook-auth.ts - 0 issues
  • jest.config.ts - 1 issue (not in diff)
  • kiloclaw/package.json - 0 issues
  • kiloclaw/src/auth/middleware.ts - 0 issues
  • package.json - 0 issues
  • packages/encryption/package.json - 0 issues
  • packages/encryption/src/encryption.test.ts - 0 issues
  • packages/encryption/src/encryption.ts - 0 new issues
  • packages/encryption/src/index.ts - 0 issues
  • packages/encryption/src/timing-safe-equal.test.ts - 0 issues
  • packages/encryption/src/timing-safe-equal.ts - 0 issues
  • packages/encryption/tsconfig.json - 0 issues
  • pnpm-lock.yaml - skipped (generated)
  • pnpm-workspace.yaml - 0 issues
  • src/lib/encryption.test.ts - deleted
  • src/lib/encryption.ts - 0 issues
  • tsconfig.json - 0 issues

Fix these issues in Kilo Cloud

@iscekic iscekic force-pushed the chore/worker-utils-encryption branch from de2f062 to d2a9c63 Compare March 1, 2026 17:00
@iscekic iscekic changed the title feat: port encryption from node:crypto to Web Crypto API feat: extract encryption into @kilocode/encryption package Mar 1, 2026
kilo-code-bot[bot]
kilo-code-bot bot reviewed Mar 1, 2026
View reviewed changes
iscekic added a commit that referenced this pull request Mar 1, 2026
@iscekic
refactor: move timingSafeEqual out of worker-utils to encryption foll…
71a6039 
…ow-up PR

Restore local timingSafeEqual implementations in cloudflare-db-proxy,
cloudflare-webhook-agent-ingest, and kiloclaw to keep this PR focused
on non-crypto utilities. The shared extraction will land in PR #697.
iscekic added 4 commits March 1, 2026 19:04
@iscekic
feat: extract encryption into @kilocode/encryption package
8add043 
Copy existing node:crypto encryption code into a new shared package
at packages/encryption/. No API changes — all functions remain
synchronous, wire format is identical, PKCS#1 keys keep working.

- New @kilocode/encryption package with RSA envelope + symmetric encryption
- Lifts decryptSecrets and mergeEnvVarsWithSecrets from cloud-agent wrappers
- src/lib/encryption.ts becomes a thin re-export layer
- cloud-agent{,-next} wrappers re-export from @kilocode/encryption
- cloudflare-deploy-infra/builder imports from @kilocode/encryption
- 19 tests in the package covering RSA, symmetric, batch helpers
@iscekic
fix: address review comments
19f374d 
- Remove consumer-specific AGENT_ENV_VARS_PRIVATE_KEY from shared package error message
- Remove redundant bare EncryptedEnvelope type export from cloud-agent wrappers
- Fix lint: use import type instead of inline import() annotation
@iscekic
chore: remove redundant encryption tests from consumers
e4b9433 
All test cases are covered by packages/encryption/src/encryption.test.ts.
The deleted files tested the same functions through re-export layers.
@iscekic
feat: add timingSafeEqual to @kilocode/encryption and migrate consumers
c3b13cf 
Add a unified timingSafeEqual using node:crypto (works in both Node.js
and Cloudflare Workers with nodejs_compat). Replace local implementations
in cloudflare-db-proxy, cloudflare-webhook-agent-ingest, and kiloclaw.
@iscekic iscekic force-pushed the chore/worker-utils-encryption branch from 85907e5 to c3b13cf Compare March 1, 2026 18:09
Base automatically changed from chore/worker-utils to main March 1, 2026 21:10
kilo-code-bot[bot]
kilo-code-bot bot reviewed Mar 1, 2026
View reviewed changes
@iscekic
fix: resolve CI failures in encryption package imports
03d5d64 
Remove .js extensions from index.ts imports (webpack can't resolve them)
and replace inline import() type annotations with proper import type
statements to satisfy consistent-type-imports lint rule.
kilo-code-bot[bot]
kilo-code-bot bot reviewed Mar 1, 2026
View reviewed changes
@iscekic iscekic enabled auto-merge March 1, 2026 21:29
@iscekic iscekic merged commit 9c04f0e into main Mar 1, 2026
12 checks passed
@iscekic iscekic deleted the chore/worker-utils-encryption branch March 1, 2026 21:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kilo-code-bot kilo-code-bot[bot] kilo-code-bot[bot] left review comments

@jeanduplessis jeanduplessis jeanduplessis approved these changes

Assignees

@iscekic iscekic

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@iscekic @jeanduplessis