Skip to content

RunForge

Backend — lib/crypto.ts

AccursedGalaxy/RunForge

RunForge

AccursedGalaxy/RunForge

Home
User guide
User guide
- Start here
- Getting started
- Provider setup
  Provider setup
- Use cases
  Use cases
  - Content creation
- Troubleshooting
Quickstart
Concepts
Concepts
- Overview
- Architecture
- Data model
- Metrics
  Metrics
  - Definitions
- Glossary
How-to guides
How-to guides
- Features
  Features
- Components
  Components
Developer
Developer
- Frontend
- Backend
- Convex realtime
- Convex
  Convex
  - KPIs
  - Runs
  - Runs actions
  - Schema
- Prisma
  Prisma
  - Models
  - Tables (Runs)
- Backend reference
  Backend reference
  - Auth
  - Crypto Crypto
    Table of contents
    
    Purpose
    
    Public Surface
    
    Behavior & Invariants
    
    Security & Privacy
    
    Example Usage
  - Database
  - Utils
  - Validation
- SDKs
  SDKs
  - TypeScript
  - Python
  - Go
API reference
API reference
Integrations
Integrations
Operations
Operations
Guides
Guides
- SDK Auto Extraction guide
Coverage
About
About
- Contributing
- Docs README

lib/crypto.ts¶

Purpose¶

AES‑256‑GCM encrypt/decrypt helpers for BYOK secrets.

Public Surface¶

encryptAesGcm(plaintext: Buffer|string, aad?: Buffer): Buffer
decryptAesGcm(blob: Buffer, aad?: Buffer): Buffer

Behavior & Invariants¶

RUNFORGE_MASTER_KEY must be 32 bytes (base64 or 64‑hex). Throws otherwise.
Output format: [12B IV][16B TAG][CIPHERTEXT...].

Security & Privacy¶

Use distinct AAD per record when possible (e.g., orgId).
Store only ciphertext in Postgres.

Example Usage¶

const enc = encryptAesGcm(Buffer.from('secret'), Buffer.from(orgId))
const dec = decryptAesGcm(enc, Buffer.from(orgId))