fix(security): replace crypto.createHash with Web Crypto API and remove API key leak

[joelrb]

Description

Problem
Three issues existed in the worker functions:

1. crypto.createHash('md5') incompatible with Workers — functions/lib/jina.ts:114 and functions/lib/cf-browser.ts:164 used Node.js's crypto.createHash('md5') API. This is a Node.js-specific API that requires the nodejs_compat compatibility flag to work in Cloudflare Workers. The project does not have this flag enabled in either wrangler.jsonc or wrangler.toml. At runtime, this code throws ReferenceError: crypto.createHash is not a function, causing all crawl save operations to crash silently.

2. MD5 is a weak algorithm — Even if the nodejs_compat flag were enabled, MD5 is considered cryptographically broken. Cloudflare's own documentation states: "MD5 is considered a weak algorithm. Do not rely upon MD5 for security."

3. Jina API key exposed in logs — functions/lib/jina.ts:19 logged the full Jina API key to the Cloudflare Workers console on every request: console.log('Fetching from Jina API for URL:', url, apiKey). This key is visible to anyone with access to the Workers log stream.

4. Node.js crypto API vs Web Crypto API — The Workers runtime uses the Web Crypto API (crypto.subtle.digest) natively. The Node.js crypto.createHash() requires the nodejs_compat flag, which adds overhead and is not enabled in this project.

Fix Applied

1. Added a hashContent() helper function in both files that uses crypto.subtle.digest('SHA-256', data) — the Web Crypto API native to Cloudflare Workers
2. Replaced crypto.createHash('md5').update(data.content).digest('hex') with await hashContent(data.content) in both saveJinaContent() and saveCFBrowserContent()
3. Upgraded the hash algorithm from MD5 to SHA-256 for stronger security
4. Removed apiKey from the console.log statement in fetchJinaContent() — only the URL is now logged

Framework Change
No framework changes. This is a runtime fix for the Cloudflare Workers execution environment.

Files Changed

• functions/lib/jina.ts — Added hashContent() helper, replaced crypto.createHash with hashContent(), removed apiKey from console.log
• functions/lib/cf-browser.ts — Added hashContent() helper, replaced crypto.createHash with hashContent()

Security Severity: Low

Type of Change

• Bug fix (non-breaking change which fixes an issue)

Related Issues

Fixes #crypto-createhash-not-available-in-workers
Fixes #api-key-exposed-in-logs

Testing

Describe the testing performed for this PR:

• Unit tests pass
• Integration tests pass
• Manual testing performed
• All linting passes
• Type checking passes
• Dead code check passes

Include specific test scenarios or commands used.

Manual test:

• Verified crypto.subtle.digest('SHA-256', ...) is available in Cloudflare Workers runtime (per official docs)
• Confirmed crypto.createHash is a Node.js-only API requiring nodejs_compat flag (not enabled)
• Verified no remaining crypto.createHash calls exist in functions/lib/
• Confirmed no API key values appear in console.log statements
• Verified the hashContent() helper correctly converts ArrayBuffer to hex string

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have tested my changes locally
• I have updated AGENTS.md if needed (for architectural changes)
• I have added appropriate labels (Priority, Type, Area)
• No new security vulnerabilities introduced

Performance & Security

• Performance impact considered (SHA-256 via Web Crypto is hardware-accelerated in Workers)
• Dependencies audited (no new dependencies added)
• Secrets not exposed (API key removed from log output)
• Error handling implemented appropriately

Screenshots (if applicable)

N/A

Additional Notes

Why this fix is necessary:

1. crypto.createHash() is Node.js-only — Cloudflare Workers use the Web Crypto API. Without the nodejs_compat compatibility flag (not enabled in this project), crypto.createHash throws a ReferenceError at runtime.

2. Every crawl save operation was broken — Both saveJinaContent() and saveCFBrowserContent() would crash when trying to compute the content hash, meaning all crawled content persistence silently failed.

3. MD5 is deprecated even in Workers — Cloudflare's docs state: "MD5 is considered a weak algorithm. Do not rely upon MD5 for security." The fix upgrades to SHA-256.

4. API key in logs is a security vulnerability — Anyone with access to the Workers log stream (Cloudflare dashboard, wrangler tail) could see the Jina API key in plaintext on every request.