Initial commit: Port Nimara CRM (Layers 0-4)

Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM,
PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source
files covering clients, berths, interests/pipeline, documents/EOI,
expenses/invoices, email, notifications, dashboard, admin, and
client portal. CI/CD via Gitea Actions with Docker builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/lib/utils/encryption.ts

@@ -0,0 +1,54 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const TAG_LENGTH = 16;
+
+function getKey(): Buffer {
+  const hex = process.env.EMAIL_CREDENTIAL_KEY;
+  if (!hex || hex.length !== 64) {
+    throw new Error('EMAIL_CREDENTIAL_KEY must be a 64-character hex string');
+  }
+  return Buffer.from(hex, 'hex');
+}
+
+/**
+ * Encrypts plaintext using AES-256-GCM.
+ * Returns a JSON string containing hex-encoded iv, tag, and data.
+ */
+export function encrypt(plaintext: string): string {
+  const key = getKey();
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+
+  let encrypted = cipher.update(plaintext, 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+  const tag = cipher.getAuthTag();
+
+  return JSON.stringify({
+    iv: iv.toString('hex'),
+    tag: tag.toString('hex'),
+    data: encrypted,
+  });
+}
+
+/**
+ * Decrypts a stored encrypted value (JSON string with iv, tag, data).
+ * Returns the original plaintext.
+ */
+export function decrypt(stored: string): string {
+  const key = getKey();
+  const { iv, tag, data } = JSON.parse(stored) as {
+    iv: string;
+    tag: string;
+    data: string;
+  };
+
+  const decipher = createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'hex'));
+  decipher.setAuthTag(Buffer.from(tag, 'hex'));
+
+  let decrypted = decipher.update(data, 'hex', 'utf8');
+  decrypted += decipher.final('utf8');
+
+  return decrypted;
+}