@striae-org/striae 3.2.1 → 3.3.0

package/app/components/actions/case-export/core-export.ts

@@ -1,5 +1,5 @@
-import { User } from 'firebase/auth';
-import { AnnotationData, CaseExportData, AllCasesExportData, ExportOptions } from '~/types';
+import type { User } from 'firebase/auth';
+import { type AnnotationData, type CaseExportData, type AllCasesExportData, type ExportOptions } from '~/types';
 import { fetchFiles } from '../image-manage';
 import { getNotes } from '../notes-manage';
 import { checkExistingCase, validateCaseNumber, listCases } from '../case-manage';

package/app/components/actions/case-export/data-processing.ts

@@ -1,4 +1,4 @@
-import { CaseExportData } from '~/types';
+import { type CaseExportData } from '~/types';
 import { calculateSHA256Secure } from '~/utils/SHA256';
 import { CSV_HEADERS } from './types-constants';
 import { addForensicDataWarning } from './metadata-helpers';
@@ -6,8 +6,23 @@ import { addForensicDataWarning } from './metadata-helpers';
 export type TabularCell = string | number | boolean | null;
 
 const MAX_SPREADSHEET_CELL_LENGTH = 32767;
-const CONTROL_CHAR_PATTERN = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g;
-const DANGEROUS_FORMULA_PREFIX_PATTERN = /^[\s\u0000-\u001F]*[=+\-@]/;
+const DANGEROUS_FORMULA_PREFIX_PATTERN = /^\s*[=+\-@]/;
+
+function stripUnsafeControlChars(input: string): string {
+  let output = '';
+
+  for (let index = 0; index < input.length; index += 1) {
+    const code = input.charCodeAt(index);
+    const isControlChar = code <= 0x1f || code === 0x7f;
+    const isAllowedWhitespace = code === 0x09 || code === 0x0a || code === 0x0d;
+
+    if (!isControlChar || isAllowedWhitespace) {
+      output += input[index];
+    }
+  }
+
+  return output;
+}
 
 /**
  * Sanitize cell values before CSV/XLSX export.
@@ -24,7 +39,7 @@ export function sanitizeTabularCell(value: unknown): TabularCell {
     return value;
   }
 
-  let normalized = String(value).replace(CONTROL_CHAR_PATTERN, '');
+  let normalized = stripUnsafeControlChars(String(value));
 
   if (normalized.length > MAX_SPREADSHEET_CELL_LENGTH) {
     normalized = normalized.slice(0, MAX_SPREADSHEET_CELL_LENGTH);

package/app/components/actions/case-export/download-handlers.ts

@@ -1,16 +1,22 @@
-import { User } from 'firebase/auth';
-import { FileData, AllCasesExportData, CaseExportData, ExportOptions } from '~/types';
+import type { User } from 'firebase/auth';
+import type * as ExcelJSModule from 'exceljs';
+import { type FileData, type AllCasesExportData, type CaseExportData, type ExportOptions } from '~/types';
 import { getImageUrl } from '../image-manage';
 import { generateForensicManifestSecure, calculateSHA256Secure } from '~/utils/SHA256';
 import { signForensicManifest } from '~/utils/data-operations';
-import { ExportFormat, formatDateForFilename, CSV_HEADERS } from './types-constants';
+import {
+  createPublicSigningKeyFileName,
+  getCurrentPublicSigningKeyDetails,
+  getVerificationPublicKey
+} from '~/utils/signature-utils';
+import { type ExportFormat, formatDateForFilename, CSV_HEADERS } from './types-constants';
 import { protectExcelWorksheet, addForensicDataWarning } from './metadata-helpers';
 import { generateMetadataRows, generateCSVContent, processFileDataForTabular, sanitizeTabularMatrix } from './data-processing';
 import { exportCaseData } from './core-export';
-import { auditService } from '~/services/audit.service';
+import { auditService } from '~/services/audit';
 
 type TabularRow = Array<string | number | boolean | null | undefined>;
-type ExcelJsBrowserBundle = typeof import('exceljs');
+type ExcelJsBrowserBundle = typeof ExcelJSModule;
 
 const EXCELJS_BROWSER_BUNDLE_SRC = '/vendor/exceljs.bare.min.js';
 let excelJsBundlePromise: Promise<ExcelJsBrowserBundle> | null = null;
@@ -114,6 +120,30 @@ function generateExportFilename(originalFilename: string, id: string): string {
   return `${basename}-${id}${extension}`;
 }
 
+function addPublicSigningKeyPemToZip(
+  zip: { file: (path: string, data: string) => unknown },
+  preferredKeyId?: string
+): string {
+  const preferredPublicKey =
+    typeof preferredKeyId === 'string' && preferredKeyId.trim().length > 0
+      ? getVerificationPublicKey(preferredKeyId)
+      : null;
+
+  const currentKey = getCurrentPublicSigningKeyDetails();
+  const keyId = preferredPublicKey ? preferredKeyId ?? null : currentKey.keyId;
+  const publicKeyPem = preferredPublicKey ?? currentKey.publicKeyPem;
+
+  if (!publicKeyPem || publicKeyPem.trim().length === 0) {
+    throw new Error('No public signing key is configured for ZIP export packaging.');
+  }
+
+  const publicKeyFileName = createPublicSigningKeyFileName(keyId);
+  const normalizedPem = publicKeyPem.endsWith('\n') ? publicKeyPem : `${publicKeyPem}\n`;
+  zip.file(publicKeyFileName, normalizedPem);
+
+  return publicKeyFileName;
+}
+
 /**
  * Download all cases data as JSON file
  */
@@ -608,6 +638,7 @@ export async function downloadCaseAsZip(
   const startTime = Date.now();
   let manifestSignatureKeyId: string | undefined;
   let manifestSigned = false;
+  let publicKeyFileName: string | undefined;
   
   try {
     // Start audit workflow
@@ -671,6 +702,8 @@ export async function downloadCaseAsZip(
       manifestSignatureKeyId = signingResult.signature.keyId;
       manifestSigned = true;
 
+      publicKeyFileName = addPublicSigningKeyPemToZip(zip, signingResult.signature.keyId);
+
       const signedForensicManifest = {
         ...forensicManifest,
         manifestVersion: signingResult.manifestVersion,
@@ -695,6 +728,7 @@ Archive Contents:
 - ${caseNumber}_data.${format}: Complete case data in ${format.toUpperCase()} format
 - images/: Original image files with annotations
 - FORENSIC_MANIFEST.json: File integrity validation manifest
+- ${publicKeyFileName}: Public signing key PEM for verification
 - README.txt: General information about this export
 
 Case Information:
@@ -712,7 +746,11 @@ For questions about this export, contact your Striae system administrator.
       zip.file('READ_ONLY_INSTRUCTIONS.txt', instructionContent);
       
       // Add README 
-      const readme = generateZipReadme(exportData, options.protectForensicData);
+      const readme = generateZipReadme(
+        exportData,
+        options.protectForensicData,
+        publicKeyFileName
+      );
       zip.file('README.txt', readme);
       onProgress?.(85);
       
@@ -771,8 +809,14 @@ For questions about this export, contact your Striae system administrator.
       return; // Exit early as we've handled the forensic case
     }
 
+    publicKeyFileName = addPublicSigningKeyPemToZip(zip);
+
     // Add README (standard or enhanced for forensic)
-    const readme = generateZipReadme(exportData, options.protectForensicData);
+    const readme = generateZipReadme(
+      exportData,
+      options.protectForensicData,
+      publicKeyFileName
+    );
     zip.file('README.txt', readme);
     onProgress?.(85);
     
@@ -877,7 +921,11 @@ async function fetchImageAsBlob(user: User, fileData: FileData, caseNumber: stri
 /**
  * Generate README content for ZIP export with optional forensic protection
  */
-function generateZipReadme(exportData: CaseExportData, protectForensicData: boolean = true): string {
+function generateZipReadme(
+  exportData: CaseExportData,
+  protectForensicData: boolean = true,
+  publicKeyFileName: string = createPublicSigningKeyFileName()
+): string {
   const totalFiles = exportData.files?.length || 0;
   const filesWithAnnotations = exportData.summary?.filesWithAnnotations || 0;
   const totalBoxAnnotations = exportData.summary?.totalBoxAnnotations || 0;
@@ -911,6 +959,7 @@ Summary:
 Contents:
 - ${exportData.metadata.caseNumber}_data.json/.csv: Case data and annotations
 - images/: Original uploaded images
+- ${publicKeyFileName}: Public signing key PEM for verification
 - README.txt: This file`;
 
   const forensicAddition = `

package/app/components/actions/case-export/metadata-helpers.ts

@@ -1,4 +1,4 @@
-import { User } from 'firebase/auth';
+import type { User } from 'firebase/auth';
 import { getUserData } from '~/utils/permissions';
 
 /**

package/app/components/actions/case-import/annotation-import.ts

@@ -1,5 +1,5 @@
-import { User } from 'firebase/auth';
-import { CaseExportData } from '~/types';
+import type { User } from 'firebase/auth';
+import { type CaseExportData } from '~/types';
 import { saveNotes } from '../notes-manage';
 
 /**

package/app/components/actions/case-import/confirmation-import.ts

@@ -1,10 +1,11 @@
-import { User } from 'firebase/auth';
+import type { User } from 'firebase/auth';
 import paths from '~/config/config.json';
 import { getDataApiKey } from '~/utils/auth';
-import { ConfirmationImportResult, ConfirmationImportData } from '~/types';
+import { type ConfirmationImportResult, type ConfirmationImportData } from '~/types';
 import { checkExistingCase } from '../case-manage';
+import { extractConfirmationImportPackage } from './confirmation-package';
 import { validateExporterUid, validateConfirmationHash, validateConfirmationSignatureFile } from './validation';
-import { auditService } from '~/services/audit.service';
+import { auditService } from '~/services/audit';
 
 const DATA_WORKER_URL = paths.data_worker_url;
 
@@ -36,6 +37,8 @@ export async function importConfirmationData(
   let signatureValid = false;
   let signaturePresent = false;
   let signatureKeyId: string | undefined;
+  let confirmationDataForAudit: ConfirmationImportData | null = null;
+  let confirmationJsonFileNameForAudit = confirmationFile.name;
   
   const result: ConfirmationImportResult = {
     success: false,
@@ -47,11 +50,17 @@ export async function importConfirmationData(
   };
 
   try {
-    onProgress?.('Reading confirmation file', 10, 'Loading JSON data...');
+    onProgress?.('Reading confirmation file', 10, 'Loading confirmation package...');
 
-    // Read and parse the JSON file
-    const fileContent = await confirmationFile.text();
-    const confirmationData: ConfirmationImportData = JSON.parse(fileContent);
+    const {
+      confirmationData,
+      confirmationJsonContent,
+      verificationPublicKeyPem,
+      confirmationFileName
+    } = await extractConfirmationImportPackage(confirmationFile);
+
+    confirmationDataForAudit = confirmationData;
+    confirmationJsonFileNameForAudit = confirmationFileName;
     result.caseNumber = confirmationData.metadata.caseNumber;
     
     // Start audit workflow
@@ -60,14 +69,17 @@ export async function importConfirmationData(
     onProgress?.('Validating hash', 20, 'Verifying data integrity...');
 
     // Validate hash
-    hashValid = await validateConfirmationHash(fileContent, confirmationData.metadata.hash);
+    hashValid = await validateConfirmationHash(confirmationJsonContent, confirmationData.metadata.hash);
     if (!hashValid) {
       throw new Error('Confirmation data hash validation failed. The file may have been tampered with or corrupted.');
     }
 
     onProgress?.('Validating signature', 30, 'Verifying signed confirmation metadata...');
 
-    const signatureResult = await validateConfirmationSignatureFile(confirmationData);
+    const signatureResult = await validateConfirmationSignatureFile(
+      confirmationData,
+      verificationPublicKeyPem
+    );
     signaturePresent = !!confirmationData.metadata.signature;
     signatureValid = signatureResult.isValid;
     signatureKeyId = signatureResult.keyId;
@@ -276,7 +288,7 @@ export async function importConfirmationData(
     await auditService.logConfirmationImport(
       user,
       result.caseNumber,
-      confirmationFile.name,
+      confirmationJsonFileNameForAudit,
       result.success ? (result.errors && result.errors.length > 0 ? 'warning' : 'success') : 'failure',
       hashValid,
       result.confirmationsImported, // Successfully imported confirmations
@@ -318,19 +330,31 @@ export async function importConfirmationData(
     let signatureValidForAudit = signatureValid;
     let signatureKeyIdForAudit = signatureKeyId;
     
+    const auditConfirmationData = confirmationDataForAudit;
+
     // First, try to extract basic metadata for audit purposes (if file is parseable)
-    try {
-      const confirmationData = JSON.parse(await confirmationFile.text()) as ConfirmationImportData;
-      reviewingExaminerUidForAudit = confirmationData.metadata?.exportedByUid;
-      totalConfirmationsForAudit = confirmationData.metadata?.totalConfirmations || 0;
-      if (confirmationData.metadata?.signature) {
+    if (auditConfirmationData) {
+      reviewingExaminerUidForAudit = auditConfirmationData.metadata?.exportedByUid;
+      totalConfirmationsForAudit = auditConfirmationData.metadata?.totalConfirmations || 0;
+      if (auditConfirmationData.metadata?.signature) {
         signaturePresentForAudit = true;
-        signatureKeyIdForAudit = confirmationData.metadata.signature.keyId;
+        signatureKeyIdForAudit = auditConfirmationData.metadata.signature.keyId;
+      }
+    } else {
+      try {
+        const extracted = await extractConfirmationImportPackage(confirmationFile);
+        reviewingExaminerUidForAudit = extracted.confirmationData.metadata?.exportedByUid;
+        totalConfirmationsForAudit = extracted.confirmationData.metadata?.totalConfirmations || 0;
+        confirmationJsonFileNameForAudit = extracted.confirmationFileName;
+        if (extracted.confirmationData.metadata?.signature) {
+          signaturePresentForAudit = true;
+          signatureKeyIdForAudit = extracted.confirmationData.metadata.signature.keyId;
+        }
+      } catch {
+        // If we can't parse the file, keep undefined/default values
       }
-    } catch {
-      // If we can't parse the file, keep undefined/default values
     }
-    
+
     const errorMessage = error instanceof Error ? error.message : 'Unknown error';
     if (errorMessage.includes('hash validation failed')) {
       // Hash failed - only flag file integrity, don't affect other validations
@@ -352,7 +376,7 @@ export async function importConfirmationData(
     await auditService.logConfirmationImport(
       user,
       result.caseNumber || 'unknown',
-      confirmationFile.name,
+      confirmationJsonFileNameForAudit,
       'failure',
       hashValidForAudit,
       0, // No confirmations successfully imported for failures

package/app/components/actions/case-import/confirmation-package.ts

@@ -0,0 +1,86 @@
+import { type ConfirmationImportData } from '~/types';
+
+const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
+
+export interface ConfirmationImportPackage {
+  confirmationData: ConfirmationImportData;
+  confirmationJsonContent: string;
+  verificationPublicKeyPem?: string;
+  confirmationFileName: string;
+}
+
+function getLeafFileName(path: string): string {
+  const segments = path.split('/').filter(Boolean);
+  return segments.length > 0 ? segments[segments.length - 1] : path;
+}
+
+function selectPreferredPemPath(pemPaths: string[]): string | undefined {
+  if (pemPaths.length === 0) {
+    return undefined;
+  }
+
+  const sortedPaths = [...pemPaths].sort((left, right) => left.localeCompare(right));
+  const preferred = sortedPaths.find((path) =>
+    /^striae-public-signing-key.*\.pem$/i.test(getLeafFileName(path))
+  );
+
+  return preferred ?? sortedPaths[0];
+}
+
+async function extractConfirmationPackageFromZip(file: File): Promise<ConfirmationImportPackage> {
+  const JSZip = (await import('jszip')).default;
+  const zip = await JSZip.loadAsync(file);
+  const fileEntries = Object.keys(zip.files).filter((path) => !zip.files[path].dir);
+
+  const confirmationPaths = fileEntries.filter((path) =>
+    CONFIRMATION_EXPORT_FILE_REGEX.test(getLeafFileName(path))
+  );
+
+  if (confirmationPaths.length !== 1) {
+    throw new Error('Confirmation ZIP must contain exactly one confirmation-data JSON file.');
+  }
+
+  const confirmationPath = confirmationPaths[0];
+  const confirmationJsonContent = await zip.file(confirmationPath)?.async('text');
+  if (!confirmationJsonContent) {
+    throw new Error('Failed to read confirmation JSON from ZIP package.');
+  }
+
+  const confirmationData = JSON.parse(confirmationJsonContent) as ConfirmationImportData;
+
+  const pemPaths = fileEntries.filter((path) => getLeafFileName(path).toLowerCase().endsWith('.pem'));
+  const preferredPemPath = selectPreferredPemPath(pemPaths);
+
+  let verificationPublicKeyPem: string | undefined;
+  if (preferredPemPath) {
+    verificationPublicKeyPem = await zip.file(preferredPemPath)?.async('text');
+  }
+
+  return {
+    confirmationData,
+    confirmationJsonContent,
+    verificationPublicKeyPem,
+    confirmationFileName: getLeafFileName(confirmationPath)
+  };
+}
+
+export async function extractConfirmationImportPackage(file: File): Promise<ConfirmationImportPackage> {
+  const lowerName = file.name.toLowerCase();
+
+  if (lowerName.endsWith('.json')) {
+    const confirmationJsonContent = await file.text();
+    const confirmationData = JSON.parse(confirmationJsonContent) as ConfirmationImportData;
+
+    return {
+      confirmationData,
+      confirmationJsonContent,
+      confirmationFileName: file.name
+    };
+  }
+
+  if (lowerName.endsWith('.zip')) {
+    return extractConfirmationPackageFromZip(file);
+  }
+
+  throw new Error('Unsupported confirmation import file type. Use a confirmation JSON or confirmation ZIP file.');
+}

package/app/components/actions/case-import/image-operations.ts

@@ -1,6 +1,6 @@
 import paths from '~/config/config.json';
 import { getImageApiKey } from '~/utils/auth';
-import { FileData, ImageUploadResponse } from '~/types';
+import { type FileData, type ImageUploadResponse } from '~/types';
 
 const IMAGE_WORKER_URL = paths.image_worker_url;
 

package/app/components/actions/case-import/index.ts

@@ -34,6 +34,7 @@ export { importAnnotations } from './annotation-import';
 
 // Confirmation import
 export { importConfirmationData } from './confirmation-import';
+export { extractConfirmationImportPackage } from './confirmation-package';
 
 // Main orchestrator
 export { importCaseForReview } from './orchestrator';

package/app/components/actions/case-import/orchestrator.ts

@@ -1,9 +1,9 @@
-import { User } from 'firebase/auth';
-import { ImportOptions, ImportResult, ReadOnlyCaseMetadata, FileData } from '~/types';
+import type { User } from 'firebase/auth';
+import { type ImportOptions, type ImportResult, type ReadOnlyCaseMetadata, type FileData } from '~/types';
 import { checkExistingCase } from '../case-manage';
 import {
   extractForensicManifestData,
-  SignedForensicManifest,
+  type SignedForensicManifest,
   validateCaseIntegritySecure as validateForensicIntegrity,
   verifyForensicManifestSignature
 } from '~/utils/SHA256';
@@ -19,7 +19,7 @@ import {
 } from './storage-operations';
 import { uploadImageBlob } from './image-operations';
 import { importAnnotations } from './annotation-import';
-import { auditService } from '~/services/audit.service';
+import { auditService } from '~/services/audit';
 
 /**
  * Track the state of an import operation for cleanup purposes
@@ -137,7 +137,14 @@ export async function importCaseForReview(
     onProgress?.('Parsing ZIP file', 10, 'Extracting archive contents...');
     
     // Step 1: Parse ZIP file
-    const { caseData, imageFiles, imageIdMapping, metadata, cleanedContent } = await parseImportZip(zipFile, user);
+    const {
+      caseData,
+      imageFiles,
+      imageIdMapping,
+      metadata,
+      cleanedContent,
+      verificationPublicKeyPem
+    } = await parseImportZip(zipFile, user);
     parsedForensicManifest = metadata?.forensicManifest as SignedForensicManifest | undefined;
     result.caseNumber = caseData.metadata.caseNumber;
     importState.caseNumber = result.caseNumber;
@@ -181,7 +188,10 @@ export async function importCaseForReview(
         );
       }
 
-      const signatureResult = await verifyForensicManifestSignature(parsedForensicManifest);
+      const signatureResult = await verifyForensicManifestSignature(
+        parsedForensicManifest,
+        verificationPublicKeyPem
+      );
       signatureValidationPassed = signatureResult.isValid;
       signatureKeyId = signatureResult.keyId;
 

package/app/components/actions/case-import/storage-operations.ts

@@ -1,4 +1,4 @@
-import { User } from 'firebase/auth';
+import type { User } from 'firebase/auth';
 import paths from '~/config/config.json';
 import { 
   getDataApiKey,
@@ -10,14 +10,14 @@ import {
   validateUserSession
 } from '~/utils/permissions';
 import { 
-  CaseExportData,   
-  ExtendedUserData,
-  FileData,
-  CaseData,
-  ReadOnlyCaseMetadata
+  type CaseExportData,   
+  type ExtendedUserData,
+  type FileData,
+  type CaseData,
+  type ReadOnlyCaseMetadata
 } from '~/types';
 import { deleteFile } from '../image-manage';
-import { SignedForensicManifest } from '~/utils/SHA256';
+import { type SignedForensicManifest } from '~/utils/SHA256';
 
 const USER_WORKER_URL = paths.user_worker_url;
 const DATA_WORKER_URL = paths.data_worker_url;

package/app/components/actions/case-import/validation.ts

@@ -1,68 +1,13 @@
-import { User } from 'firebase/auth';
+import type { User } from 'firebase/auth';
 import paths from '~/config/config.json';
 import { getUserApiKey } from '~/utils/auth';
-import { CaseExportData, ConfirmationImportData } from '~/types';
-import { calculateSHA256Secure, ManifestSignatureVerificationResult } from '~/utils/SHA256';
+import { type CaseExportData, type ConfirmationImportData } from '~/types';
+import { type ManifestSignatureVerificationResult } from '~/utils/SHA256';
 import { verifyConfirmationSignature } from '~/utils/confirmation-signature';
+export { removeForensicWarning, validateConfirmationHash } from '~/utils/export-verification';
 
 const USER_WORKER_URL = paths.user_worker_url;
 
-/**
- * Remove forensic warning from content for hash validation (supports both JSON and CSV formats)
- * This function ensures exact match with the content used during export hash generation
- */
-export function removeForensicWarning(content: string): string {
-  // Handle JSON forensic warnings (block comment format)
-  // /* CASE DATA WARNING
-  //  * This file contains evidence data for forensic examination.
-  //  * Any modification may compromise the integrity of the evidence.
-  //  * Handle according to your organization's chain of custody procedures.
-  //  * 
-  //  * File generated: YYYY-MM-DDTHH:mm:ss.sssZ
-  //  */
-  const jsonForensicWarningRegex = /^\/\*\s*CASE\s+DATA\s+WARNING[\s\S]*?\*\/\s*\r?\n*/;
-  
-  // Handle CSV forensic warnings (quoted string format at the beginning of file)
-  // CRITICAL: The CSV forensic warning is ONLY the first quoted line, followed by two newlines
-  // Format: "CASE DATA WARNING: This file contains evidence data for forensic examination. Any modification may compromise the integrity of the evidence. Handle according to your organization's chain of custody procedures."\n\n
-  // 
-  // After removal, what remains should be the csvWithHash content:
-  // # Striae Case Export - Generated: ...
-  // # Case: ...
-  // # Total Files: ...
-  // # SHA256 Hash: ...
-  // # Verification: ...
-  //
-  // [actual CSV data]
-  // More robust regex to handle various line endings and exact format from generation
-  const csvForensicWarningRegex = /^"CASE DATA WARNING: This file contains evidence data for forensic examination\. Any modification may compromise the integrity of the evidence\. Handle according to your organization's chain of custody procedures\."(?:\r?\n){2}/;
-  
-  let cleaned = content;
-  
-  // Try JSON format first
-  if (jsonForensicWarningRegex.test(content)) {
-    cleaned = content.replace(jsonForensicWarningRegex, '');
-  }
-  // Try CSV format with exact pattern match
-  else if (csvForensicWarningRegex.test(content)) {
-    cleaned = content.replace(csvForensicWarningRegex, '');
-  }
-  // Fallback: try broader CSV pattern in case of slight format differences
-  else if (content.startsWith('"CASE DATA WARNING:')) {
-    // Find the end of the first quoted string followed by newlines
-    const match = content.match(/^"[^"]*"(?:\r?\n)+/);
-    if (match) {
-      cleaned = content.substring(match[0].length);
-    }
-  }
-  
-  // Additional cleanup: remove any leading whitespace that might remain
-  // This ensures we match exactly what the generation functions produce with protectForensicData: false
-  cleaned = cleaned.replace(/^\s+/, '');
-  
-  return cleaned;
-}
-
 /**
  * Validate that a user exists in the database by UID and is not the current user
  */
@@ -93,45 +38,6 @@ export function isConfirmationDataFile(filename: string): boolean {
   return filename.startsWith('confirmation-data') && filename.endsWith('.json');
 }
 
-/**
- * Validate confirmation data file hash
- */
-export async function validateConfirmationHash(jsonContent: string, expectedHash: string): Promise<boolean> {
-  try {
-    // Validate input parameters
-    if (!expectedHash || typeof expectedHash !== 'string') {
-      console.error('validateConfirmationHash: expected hash input is invalid');
-      return false;
-    }
-
-    // Create data without hash for validation
-    const data = JSON.parse(jsonContent);
-    const dataWithoutHash = {
-      ...data,
-      metadata: {
-        ...data.metadata,
-        hash: undefined
-      }
-    };
-    delete dataWithoutHash.metadata.hash;
-    delete dataWithoutHash.metadata.signature;
-    delete dataWithoutHash.metadata.signatureVersion;
-    
-    const contentForHash = JSON.stringify(dataWithoutHash, null, 2);
-    const actualHash = await calculateSHA256Secure(contentForHash);
-    
-    if (!actualHash) {
-      console.error('validateConfirmationHash: failed to calculate hash');
-      return false;
-    }
-    
-    return actualHash.toUpperCase() === expectedHash.toUpperCase();
-  } catch {
-    console.error('validateConfirmationHash: validation failed');
-    return false;
-  }
-}
-
 /**
  * Validate imported case data integrity (optional verification)
  */
@@ -183,7 +89,8 @@ export function validateCaseIntegrity(
  * Validate confirmation data file signature.
  */
 export async function validateConfirmationSignatureFile(
-  confirmationData: Partial<ConfirmationImportData>
+  confirmationData: Partial<ConfirmationImportData>,
+  verificationPublicKeyPem?: string
 ): Promise<ManifestSignatureVerificationResult> {
-  return verifyConfirmationSignature(confirmationData);
+  return verifyConfirmationSignature(confirmationData, verificationPublicKeyPem);
 }