Copy tiny crypto buffers eagerly

[erikcorry]

This matches what node does and avoids any
issues around later modification of buffers.

[ask-bonk]

OK, the ERR_print_errors_fp(stderr) is pre-existing, not introduced by this PR. Not in scope.

This PR is well-structured:

• Safety improvement: Eliminates a class of TOCTOU bugs where JS code could mutate buffers after passing them to cipher APIs. This also fixes a latent GC safety issue -- the old code stored jsg::JsRef fields without implementing visitForGc, which could lead to GC corruption. The new kj::Array<kj::byte> fields don't need tracing.
• Correctness: Matches Node.js behavior where IV/AAD/auth tag are consumed at the time they're passed.
• Memory safety: All kj::Array<kj::byte> fields are properly moved and owned.
• Tests: Comprehensive coverage of both code paths (EVP_CIPHER and EVP_AEAD) with resize-to-zero, grow, and transfer scenarios.
• No backward compat concerns: This is a defensive copy that makes the implementation more robust. User-visible behavior only changes for pathological cases (modifying crypto buffers after passing them), and the new behavior matches Node.js.

I don't see any actionable issues.

LGTM

github run