refactor(security): consolidate crypto primitives into @sim/security

Move general-purpose crypto primitives out of apps/sim into the
@sim/security package so both apps/sim and apps/realtime can share them.

@sim/security exports (all pure, dependency-free):
  ./compare    safeCompare (constant-time HMAC-wrapped equality)
  ./encryption encrypt/decrypt (AES-256-GCM, iv:cipher:tag format)
  ./hash       sha256Hex
  ./tokens     generateSecureToken (base64url)

Migrate apps/sim call sites to use these + @sim/utils helpers:
  crypto.randomUUID()            -> generateId() from @sim/utils/id
  createHash('sha256').digest    -> sha256Hex
  timingSafeEqual on hashed hex  -> safeCompare
  new Promise(setTimeout)        -> sleep from @sim/utils/helpers

No behavior change: encryption format, digest output, and token
length are preserved exactly.

Author: waleedlatif1

apps/sim/app/api/auth/oauth2/callback/shopify/route.ts

@@ -1,5 +1,6 @@
 import crypto from 'crypto'
 import { createLogger } from '@sim/logger'
+import { safeCompare } from '@sim/security/compare'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { env } from '@/lib/core/config/env'
@@ -36,11 +37,7 @@ function validateHmac(searchParams: URLSearchParams, clientSecret: string): bool
 
   const generatedHmac = crypto.createHmac('sha256', clientSecret).update(message).digest('hex')
 
-  try {
-    return crypto.timingSafeEqual(Buffer.from(hmac, 'hex'), Buffer.from(generatedHmac, 'hex'))
-  } catch {
-    return false
-  }
+  return safeCompare(hmac, generatedHmac)
 }
 
 export const GET = withRouteHandler(async (request: NextRequest) => {

apps/sim/app/api/copilot/chat/stream/route.ts

@@ -1,5 +1,6 @@
 import { context as otelContext, trace } from '@opentelemetry/api'
 import { createLogger } from '@sim/logger'
+import { sleep } from '@sim/utils/helpers'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getLatestRunForStream } from '@/lib/copilot/async-runs/repository'
 import {
@@ -407,7 +408,7 @@ async function handleResumeRequestBody({
           break
         }
 
-        await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS))
+        await sleep(POLL_INTERVAL_MS)
       }
       if (!controllerClosed && Date.now() - startTime >= MAX_STREAM_MS) {
         emitTerminalIfMissing(MothershipStreamV1CompletionStatus.error, {

apps/sim/app/api/files/serve/[...path]/route.ts

@@ -1,6 +1,6 @@
-import { createHash } from 'crypto'
 import { readFile } from 'fs/promises'
 import { createLogger } from '@sim/logger'
+import { sha256Hex } from '@sim/security/hash'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
@@ -80,11 +80,7 @@ async function compileDocumentIfNeeded(
   }
 
   const code = buffer.toString('utf-8')
-  const cacheKey = createHash('sha256')
-    .update(ext)
-    .update(code)
-    .update(workspaceId ?? '')
-    .digest('hex')
+  const cacheKey = sha256Hex(`${ext}${code}${workspaceId ?? ''}`)
   const cached = compiledDocCache.get(cacheKey)
   if (cached) {
     return { buffer: cached, contentType: format.contentType }

apps/sim/app/api/v1/admin/auth.ts

@@ -8,8 +8,8 @@
  *   curl -H "x-admin-key: your_admin_key" https://your-instance/api/v1/admin/...
  */
 
-import { createHash, timingSafeEqual } from 'crypto'
 import { createLogger } from '@sim/logger'
+import { safeCompare } from '@sim/security/compare'
 import type { NextRequest } from 'next/server'
 import { env } from '@/lib/core/config/env'
 
@@ -54,7 +54,7 @@ export function authenticateAdminRequest(request: NextRequest): AdminAuthResult
     }
   }
 
-  if (!constantTimeCompare(providedKey, adminKey)) {
+  if (!safeCompare(providedKey, adminKey)) {
     logger.warn('Invalid admin API key attempted', { keyPrefix: providedKey.slice(0, 8) })
     return {
       authenticated: false,
@@ -64,16 +64,3 @@ export function authenticateAdminRequest(request: NextRequest): AdminAuthResult
 
   return { authenticated: true }
 }
-
-/**
- * Constant-time string comparison.
- *
- * @param a - First string to compare
- * @param b - Second string to compare
- * @returns True if strings are equal, false otherwise
- */
-function constantTimeCompare(a: string, b: string): boolean {
-  const aHash = createHash('sha256').update(a).digest()
-  const bHash = createHash('sha256').update(b).digest()
-  return timingSafeEqual(aHash, bHash)
-}

apps/sim/lib/api-key/crypto.ts

@@ -1,13 +1,12 @@
-import { createCipheriv, createDecipheriv, createHash, randomBytes } from 'crypto'
 import { createLogger } from '@sim/logger'
+import { decrypt, encrypt } from '@sim/security/encryption'
+import { sha256Hex } from '@sim/security/hash'
+import { generateSecureToken } from '@sim/security/tokens'
+import { toError } from '@sim/utils/errors'
 import { env } from '@/lib/core/config/env'
 
 const logger = createLogger('ApiKeyCrypto')
 
-/**
- * Get the API encryption key from the environment
- * @returns The API encryption key
- */
 function getApiEncryptionKey(): Buffer | null {
   const key = env.API_ENCRYPTION_KEY
   if (!key) {
@@ -23,77 +22,38 @@ function getApiEncryptionKey(): Buffer | null {
 }
 
 /**
- * Encrypts an API key using the dedicated API encryption key
- * @param apiKey - The API key to encrypt
- * @returns A promise that resolves to an object containing the encrypted API key and IV
+ * Encrypts an API key using the dedicated API encryption key. Falls back to
+ * returning the plain key when `API_ENCRYPTION_KEY` is unset, for backward
+ * compatibility with deployments that predate encryption-at-rest.
  */
 export async function encryptApiKey(apiKey: string): Promise<{ encrypted: string; iv: string }> {
   const key = getApiEncryptionKey()
-
-  // If no API encryption key is set, return the key as-is for backward compatibility
   if (!key) {
     return { encrypted: apiKey, iv: '' }
   }
-
-  const iv = randomBytes(16)
-  const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
-  let encrypted = cipher.update(apiKey, 'utf8', 'hex')
-  encrypted += cipher.final('hex')
-
-  const authTag = cipher.getAuthTag()
-  const ivHex = iv.toString('hex')
-
-  // Format: iv:encrypted:authTag
-  return {
-    encrypted: `${ivHex}:${encrypted}:${authTag.toString('hex')}`,
-    iv: ivHex,
-  }
+  return encrypt(apiKey, key)
 }
 
 /**
- * Decrypts an API key using the dedicated API encryption key
- * @param encryptedValue - The encrypted value in format "iv:encrypted:authTag" or plain text
- * @returns A promise that resolves to an object containing the decrypted API key
+ * Decrypts an API key previously produced by {@link encryptApiKey}. Values
+ * that lack the `iv:ciphertext:authTag` shape are assumed to be legacy plain
+ * text and returned unchanged.
  */
 export async function decryptApiKey(encryptedValue: string): Promise<{ decrypted: string }> {
   const parts = encryptedValue.split(':')
-
-  // Check if this is actually encrypted (contains colons)
   if (parts.length !== 3) {
-    // This is a plain text key, return as-is
     return { decrypted: encryptedValue }
   }
 
   const key = getApiEncryptionKey()
-
-  // If no API encryption key is set, assume it's plain text
   if (!key) {
     return { decrypted: encryptedValue }
   }
 
-  const ivHex = parts[0]
-  const authTagHex = parts[2]
-  const encrypted = parts[1]
-
-  if (!ivHex || !encrypted || !authTagHex) {
-    throw new Error('Invalid encrypted API key format. Expected "iv:encrypted:authTag"')
-  }
-
-  const iv = Buffer.from(ivHex, 'hex')
-  const authTag = Buffer.from(authTagHex, 'hex')
-
   try {
-    const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 })
-    decipher.setAuthTag(authTag)
-
-    let decrypted = decipher.update(encrypted, 'hex', 'utf8')
-    decrypted += decipher.final('utf8')
-
-    return { decrypted }
-  } catch (error: unknown) {
-    logger.error('API key decryption error:', {
-      error: error instanceof Error ? error.message : 'Unknown error',
-    })
+    return await decrypt(encryptedValue, key)
+  } catch (error) {
+    logger.error('API key decryption error:', { error: toError(error).message })
     throw error
   }
 }
@@ -103,15 +63,15 @@ export async function decryptApiKey(encryptedValue: string): Promise<{ decrypted
  * @returns A new API key string
  */
 export function generateApiKey(): string {
-  return `sim_${randomBytes(24).toString('base64url')}`
+  return `sim_${generateSecureToken(24)}`
 }
 
 /**
  * Generates a new encrypted API key with the 'sk-sim-' prefix
  * @returns A new encrypted API key string
  */
 export function generateEncryptedApiKey(): string {
-  return `sk-sim-${randomBytes(24).toString('base64url')}`
+  return `sk-sim-${generateSecureToken(24)}`
 }
 
 /**
@@ -142,5 +102,5 @@ export function isLegacyApiKeyFormat(apiKey: string): boolean {
  * @returns The hex-encoded SHA-256 digest
  */
 export function hashApiKey(plainKey: string): string {
-  return createHash('sha256').update(plainKey, 'utf8').digest('hex')
+  return sha256Hex(plainKey)
 }

apps/sim/lib/copilot/chat/persisted-message.ts

@@ -1,3 +1,4 @@
+import { generateId } from '@sim/utils/id'
 import {
   MothershipStreamV1CompletionStatus,
   MothershipStreamV1EventType,
@@ -191,7 +192,7 @@ export function buildPersistedAssistantMessage(
   requestId?: string
 ): PersistedMessage {
   const message: PersistedMessage = {
-    id: crypto.randomUUID(),
+    id: generateId(),
     role: 'assistant',
     content: result.content,
     timestamp: new Date().toISOString(),
@@ -488,7 +489,7 @@ function normalizeBlocks(rawBlocks: RawBlock[], messageContent: string): Persist
 
 export function normalizeMessage(raw: Record<string, unknown>): PersistedMessage {
   const msg: PersistedMessage = {
-    id: (raw.id as string) ?? crypto.randomUUID(),
+    id: (raw.id as string) ?? generateId(),
     role: (raw.role as 'user' | 'assistant') ?? 'assistant',
     content: (raw.content as string) ?? '',
     timestamp: (raw.timestamp as string) ?? new Date().toISOString(),

apps/sim/lib/copilot/chat/post.ts

@@ -2,6 +2,7 @@ import { type Context as OtelContext, context as otelContextApi } from '@opentel
 import { db } from '@sim/db'
 import { copilotChats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { generateId } from '@sim/utils/id'
 import { eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
@@ -615,8 +616,8 @@ export async function handleUnifiedChatPost(req: NextRequest) {
   // trace ID) as soon as startCopilotOtelRoot runs. Empty only in the
   // narrow pre-otelRoot window where errors don't correlate anyway.
   let requestId = ''
-  const executionId = crypto.randomUUID()
-  const runId = crypto.randomUUID()
+  const executionId = generateId()
+  const runId = generateId()
 
   try {
     const session = await getSession()
@@ -628,7 +629,7 @@ export async function handleUnifiedChatPost(req: NextRequest) {
 
     const body = ChatMessageSchema.parse(await req.json())
     const normalizedContexts = normalizeContexts(body.contexts) ?? []
-    userMessageId = body.userMessageId || crypto.randomUUID()
+    userMessageId = body.userMessageId || generateId()
 
     otelRoot = startCopilotOtelRoot({
       streamId: userMessageId,

apps/sim/lib/copilot/request/lifecycle/run.ts

@@ -1,6 +1,7 @@
 import type { Context } from '@opentelemetry/api'
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
+import { sleep } from '@sim/utils/helpers'
 import { generateId } from '@sim/utils/id'
 import { createRunSegment, updateRunStatus } from '@/lib/copilot/async-runs/repository'
 import { SIM_AGENT_API_URL, SIM_AGENT_VERSION } from '@/lib/copilot/constants'
@@ -556,7 +557,7 @@ function isRetryableStreamError(error: unknown): boolean {
 
 function sleepWithAbort(ms: number, abortSignal?: AbortSignal): Promise<void> {
   if (!abortSignal) {
-    return new Promise((resolve) => setTimeout(resolve, ms))
+    return sleep(ms)
   }
   if (abortSignal.aborted) {
     return Promise.resolve()

apps/sim/lib/copilot/request/tools/tables.ts

@@ -2,6 +2,7 @@ import { db } from '@sim/db'
 import { userTableRows } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
+import { generateId } from '@sim/utils/id'
 import { parse as csvParse } from 'csv-parse/sync'
 import { eq } from 'drizzle-orm'
 import { FunctionExecute, Read as ReadTool } from '@/lib/copilot/generated/tool-catalog-v1'
@@ -107,7 +108,7 @@ export async function maybeWriteOutputToTable(
             }
             const chunk = rows.slice(i, i + BATCH_CHUNK_SIZE)
             const values = chunk.map((rowData, j) => ({
-              id: `row_${crypto.randomUUID().replace(/-/g, '')}`,
+              id: `row_${generateId().replace(/-/g, '')}`,
               tableId: outputTable,
               workspaceId: context.workspaceId!,
               data: rowData,
@@ -251,7 +252,7 @@ export async function maybeWriteReadCsvToTable(
             }
             const chunk = rows.slice(i, i + BATCH_CHUNK_SIZE)
             const values = chunk.map((rowData, j) => ({
-              id: `row_${crypto.randomUUID().replace(/-/g, '')}`,
+              id: `row_${generateId().replace(/-/g, '')}`,
               tableId: outputTable,
               workspaceId: context.workspaceId!,
               data: rowData,

apps/sim/lib/copilot/tools/handlers/oauth.ts

@@ -1,6 +1,7 @@
 import { db } from '@sim/db'
 import { pendingCredentialDraft, user } from '@sim/db/schema'
 import { toError } from '@sim/utils/errors'
+import { generateId } from '@sim/utils/id'
 import { and, eq, lt } from 'drizzle-orm'
 import type { ExecutionContext, ToolCallResult } from '@/lib/copilot/request/types'
 import { getBaseUrl } from '@/lib/core/utils/urls'
@@ -140,7 +141,7 @@ export async function generateOAuthLink(
   await db
     .insert(pendingCredentialDraft)
     .values({
-      id: crypto.randomUUID(),
+      id: generateId(),
       userId,
       workspaceId,
       providerId,