fix: singleton SecretManagerServiceClient to prevent gRPC channel leak + OOM

Every call to getSecret() was creating a new SecretManagerServiceClient,
which opens a new gRPC channel. These channels were not being closed or
garbage collected, causing memory to grow ~488 MiB OOM within ~28 minutes
on a 512M Cloud Run instance.

Fix: use a module-level singleton client (created once per container instance)
and cache secret values in memory (secrets don't change at runtime).

This eliminates both the gRPC channel leak and the Secret Manager round-trips
on every webhook request.

Author: gisk0

src/utils/get-secret.ts

@@ -2,11 +2,27 @@ import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
 import config from "../config.js";
 
 /**
- * Load a secret from Secret Manager
+ * Singleton gRPC client — creating a new SecretManagerServiceClient per request
+ * leaks gRPC channels and causes memory growth (~488 MiB OOM within 30 min).
+ */
+const secretManager = new SecretManagerServiceClient();
+
+/**
+ * In-memory cache for secrets. Secrets don't change during an instance's lifetime,
+ * so we can safely cache them and avoid repeated Secret Manager round-trips.
+ */
+const secretCache = new Map<string, string>();
+
+/**
+ * Load a secret from Secret Manager (cached per instance lifetime)
  */
 export default async function getSecret(secretId: string): Promise<string> {
+  const cached = secretCache.get(secretId);
+  if (cached) {
+    return cached;
+  }
+
   try {
-    const secretManager = new SecretManagerServiceClient();
     const secretFullResourceName = `projects/${config.GCP_PROJECT_ID}/secrets/${secretId}/versions/latest`;
     const [version] = await secretManager.accessSecretVersion({
       name: secretFullResourceName,
@@ -20,6 +36,7 @@ export default async function getSecret(secretId: string): Promise<string> {
       );
     }
 
+    secretCache.set(secretId, secret);
     return secret;
   } catch (error) {
     console.error(