fix(orchestrator): encrypt OpenClaw provider tokens at rest

apps/orchestrator/src/security/encryption.service.ts

@@ -1,6 +1,6 @@
 import { Injectable } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
-import { createDecipheriv, hkdfSync } from "node:crypto";
+import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";
 
 const ALGORITHM = "aes-256-gcm";
 const ENCRYPTED_PREFIX = "enc:";
@@ -16,6 +16,27 @@ export class EncryptionService {
 
   constructor(private readonly configService: ConfigService) {}
 
+  encryptIfNeeded(value: string): string {
+    if (this.isEncrypted(value)) {
+      return value;
+    }
+
+    return this.encrypt(value);
+  }
+
+  encrypt(plaintext: string): string {
+    try {
+      const iv = randomBytes(IV_LENGTH);
+      const cipher = createCipheriv(ALGORITHM, this.getOrCreateKey(), iv);
+      const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+      const authTag = cipher.getAuthTag();
+      const payload = Buffer.concat([iv, ciphertext, authTag]);
+      return `${ENCRYPTED_PREFIX}${payload.toString("base64")}`;
+    } catch {
+      throw new Error("Failed to encrypt value");
+    }
+  }
+
   decryptIfNeeded(value: string): string {
     if (!this.isEncrypted(value)) {
       return value;