Cache the generateCipherKey function and add profiling support to lint

[mangelajo]

The lint/apply/dry-run had become slow, and profiling showed up that we were calling generateCipherKey many times as the yaml base grows.

This patch adds caching to the generateCipherKey function avoiding the regeneration for the same password/salt. This reduces our lint run time from 17s to 0.4s

Summary by CodeRabbit

• New Features

  • Added optional CPU profiling to the lint command via a --cpu-profile flag.
  • Lint now displays how long validation takes.

• Performance Improvements

  • Faster, thread-safe decryption of Vault secrets through cached key derivation.

• Reliability

  • Improved lint error handling to surface failures without abrupt termination, providing clearer feedback.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Adds optional CPU profiling and timing to the lint command, switches to an error-returning validation path, and expands linting to include template rendering checks. Introduces error-map merging utilities. Implements a thread-safe cached key-derivation mechanism in VaultDecryptor and updates decryption to use it.

Changes

Cohort / File(s)	Summary
CLI lint profiling and timing cmd/lint.go	Adds --cpu-profile flag, starts/stops runtime/pprof CPU profiling when provided, prints validation duration, and uses config_lint.ValidateWithError(cfg) to propagate errors.
Config lint pipeline and API internal/config_lint/lint.go	Adds ValidateWithError(cfg) returning error; expands Lint to merge reference and template validation errors; introduces mergeErrors and validateTemplates; retains existing Validate with os.Exit on failure.
Vault decryptor cached key derivation internal/vars/vault.go	Extends VaultDecryptor with cache and RWMutex; converts generateCipherKey to a method that caches PBKDF2-derived keys by salt; updates Decrypt to use vd.generateCipherKey(salt); initializes cache in constructor.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as User
  participant CLI as cmd/lint
  participant L as config_lint
  participant P as pprof

  U->>CLI: run lint [--cpu-profile=file]
  alt cpu profiling enabled
    CLI->>P: pprof.StartCPUProfile(file)
    Note over CLI,P: Profiling active
  end
  CLI->>L: ValidateWithError(cfg)
  L->>L: Lint(cfg) = validateReferences + validateTemplates
  L-->>CLI: error or nil
  CLI->>CLI: record duration and print
  alt profiling active
    CLI->>P: pprof.StopCPUProfile()
  end
  CLI-->>U: exit with code (0/1)

Loading

sequenceDiagram
  autonumber
  participant C as Caller
  participant VD as VaultDecryptor
  participant Cache as vd.cache
  participant KDF as PBKDF2

  C->>VD: Decrypt(vaultData)
  VD->>VD: parse salt from vaultData
  VD->>Cache: lookup key by salt-hex (RLock)
  alt cache hit
    Cache-->>VD: CipherKey
  else cache miss
    VD->>KDF: derive from vd.password + salt
    KDF-->>VD: CipherKey
    VD->>Cache: store (Lock)
  end
  VD-->>C: plaintext or error

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

I thump my paw on terminal ground,
Profilers hum, new timings found.
Templates checked, errors merge and rhyme,
Vault keys cached to save some time.
With whiskers twitching, I lint and leap—
Bugs beware, this bunny’s deep. 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d6b4bd4 and 9d53e09.

📒 Files selected for processing (3)

• cmd/lint.go (4 hunks)
• internal/config_lint/lint.go (1 hunks)
• internal/vars/vault.go (5 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch speedup-generate-cipher-key

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.