feat: implement sql dump encryption

[oripka]

Description

This PR introduces encrypted SQL dumps to Nuxt Content v3, allowing prerendered content dumps to be safely hosted on a CDN or static platform without exposing raw .sql data.

When enabled, dumps are AES-256-GCM encrypted at build time and decrypted in the browser only after the client requests a short-lived key from your app (post-authentication).

Key points

• 🔒 New content.encryption option in nuxt.config.ts

  • enabled: true enables encrypted dumps and key endpoint
  • masterKey (optional) – base64(32 bytes); if omitted, one is generated at build time

• ✨ Adds runtime API endpoints:

  • GET /__nuxt_content/:collection/sql_dump.enc → encrypted dump
  • GET /api/__nuxt_content/:collection/key → returns derived AES key (must be protected by your auth middleware)
  • Legacy sql_dump.txt routes remain available if encryption is disabled

• 🧩 Middleware example added for access control of private collections

• 📚 Documentation updated with new guides:

  • docs/content/docs/1.getting-started/3.configuration.md (content.encryption)
  • docs/content/docs/8.advanced/9.private.md (full guide on encrypted dumps)

• 🛠 Internal changes:

  • New runtime/internal/encryption.ts utilities (HKDF, AES-GCM, envelope handling)
  • Client & server loaders updated to support decrypt-and-hydrate flow
  • Shared dumps preset (src/presets/shared-dumps.ts) ensures consistent handling across Node, Cloudflare, and NuxtHub

Type of change

• 📖 Documentation
• 🐞 Bug fix
• 👌 Enhancement
• ✨ New feature
• ⚠️ Breaking change

Checklist

• Added docs for new config (content.encryption)
• Updated presets (node, cloudflare, nuxthub) to support encrypted dumps
• Added runtime encryption/decryption logic
• Ensured backwards compatibility with legacy .sql dumps

[vercel]

@oripka is attempting to deploy a commit to the NuxtLabs Team on Vercel.

A member of the Team first needs to authorize it.

[pkg-pr-new]

npm i https://pkg.pr.new/@nuxt/content@3510

commit: 80b470e