fix: set scrypt maxmem for startup key derivation #81
Merged
hqhq1025 merged 1 commit into OpenCoworkAI:main from Mar 27, 2026
hqhq1025 (Collaborator) approved these changes on Mar 27, 2026 and left a comment:
✅ LGTM — Approve
Well-scoped fix for the scrypt maxmem RangeError. Confirmed the issue locally: Node v22 + OpenSSL 3.x defaults to 32 MiB maxmem, but N=65536/r=8 requires 64 MiB. The 128 * N * r + 1 MiB formula is the standard approach per RFC 7914.
Verified
- No crypto parameter changes (N/r/p unchanged), only resource limit — zero security impact
- Derived key output is bit-identical regardless of maxmem
- Test coverage for the previously untested scrypt fallback path ✅
Minor suggestions (non-blocking)
- `LEGACY_SCRYPT_OPTIONS` is exported but has no external consumer — could stay as internal `const`
- Consider adding `expect(LEGACY_SCRYPT_OPTIONS.maxmem).toBeGreaterThan(128 * 16384 * 8)` for symmetry
## Summary
- set explicit maxmem headroom for both secure and legacy scrypt key derivation paths
- reuse the secure scrypt options in the credentials-store fallback machine key path
- add regression coverage for fallback initialization and secure scrypt options

## Testing
- npx vitest run tests/store-encryption.test.ts tests/credentials-store-legacy-key.test.ts
- npm run typecheck

## Context
This fixes the Windows/Electron startup failure caused by `RangeError: Invalid scrypt params: error:030000AC:digital envelope routines::memory limit exceeded` when beta.7 falls back to machine-bound key derivation.