@striae-org/striae 3.2.2 → 3.3.0

package/app/components/actions/case-export/download-handlers.ts

@@ -4,6 +4,11 @@ import { type FileData, type AllCasesExportData, type CaseExportData, type Expor
 import { getImageUrl } from '../image-manage';
 import { generateForensicManifestSecure, calculateSHA256Secure } from '~/utils/SHA256';
 import { signForensicManifest } from '~/utils/data-operations';
+import {
+  createPublicSigningKeyFileName,
+  getCurrentPublicSigningKeyDetails,
+  getVerificationPublicKey
+} from '~/utils/signature-utils';
 import { type ExportFormat, formatDateForFilename, CSV_HEADERS } from './types-constants';
 import { protectExcelWorksheet, addForensicDataWarning } from './metadata-helpers';
 import { generateMetadataRows, generateCSVContent, processFileDataForTabular, sanitizeTabularMatrix } from './data-processing';
@@ -115,6 +120,30 @@ function generateExportFilename(originalFilename: string, id: string): string {
   return `${basename}-${id}${extension}`;
 }
 
+function addPublicSigningKeyPemToZip(
+  zip: { file: (path: string, data: string) => unknown },
+  preferredKeyId?: string
+): string {
+  const preferredPublicKey =
+    typeof preferredKeyId === 'string' && preferredKeyId.trim().length > 0
+      ? getVerificationPublicKey(preferredKeyId)
+      : null;
+
+  const currentKey = getCurrentPublicSigningKeyDetails();
+  const keyId = preferredPublicKey ? preferredKeyId ?? null : currentKey.keyId;
+  const publicKeyPem = preferredPublicKey ?? currentKey.publicKeyPem;
+
+  if (!publicKeyPem || publicKeyPem.trim().length === 0) {
+    throw new Error('No public signing key is configured for ZIP export packaging.');
+  }
+
+  const publicKeyFileName = createPublicSigningKeyFileName(keyId);
+  const normalizedPem = publicKeyPem.endsWith('\n') ? publicKeyPem : `${publicKeyPem}\n`;
+  zip.file(publicKeyFileName, normalizedPem);
+
+  return publicKeyFileName;
+}
+
 /**
  * Download all cases data as JSON file
  */
@@ -609,6 +638,7 @@ export async function downloadCaseAsZip(
   const startTime = Date.now();
   let manifestSignatureKeyId: string | undefined;
   let manifestSigned = false;
+  let publicKeyFileName: string | undefined;
   
   try {
     // Start audit workflow
@@ -672,6 +702,8 @@ export async function downloadCaseAsZip(
       manifestSignatureKeyId = signingResult.signature.keyId;
       manifestSigned = true;
 
+      publicKeyFileName = addPublicSigningKeyPemToZip(zip, signingResult.signature.keyId);
+
       const signedForensicManifest = {
         ...forensicManifest,
         manifestVersion: signingResult.manifestVersion,
@@ -696,6 +728,7 @@ Archive Contents:
 - ${caseNumber}_data.${format}: Complete case data in ${format.toUpperCase()} format
 - images/: Original image files with annotations
 - FORENSIC_MANIFEST.json: File integrity validation manifest
+- ${publicKeyFileName}: Public signing key PEM for verification
 - README.txt: General information about this export
 
 Case Information:
@@ -713,7 +746,11 @@ For questions about this export, contact your Striae system administrator.
       zip.file('READ_ONLY_INSTRUCTIONS.txt', instructionContent);
       
       // Add README 
-      const readme = generateZipReadme(exportData, options.protectForensicData);
+      const readme = generateZipReadme(
+        exportData,
+        options.protectForensicData,
+        publicKeyFileName
+      );
       zip.file('README.txt', readme);
       onProgress?.(85);
       
@@ -772,8 +809,14 @@ For questions about this export, contact your Striae system administrator.
       return; // Exit early as we've handled the forensic case
     }
 
+    publicKeyFileName = addPublicSigningKeyPemToZip(zip);
+
     // Add README (standard or enhanced for forensic)
-    const readme = generateZipReadme(exportData, options.protectForensicData);
+    const readme = generateZipReadme(
+      exportData,
+      options.protectForensicData,
+      publicKeyFileName
+    );
     zip.file('README.txt', readme);
     onProgress?.(85);
     
@@ -878,7 +921,11 @@ async function fetchImageAsBlob(user: User, fileData: FileData, caseNumber: stri
 /**
  * Generate README content for ZIP export with optional forensic protection
  */
-function generateZipReadme(exportData: CaseExportData, protectForensicData: boolean = true): string {
+function generateZipReadme(
+  exportData: CaseExportData,
+  protectForensicData: boolean = true,
+  publicKeyFileName: string = createPublicSigningKeyFileName()
+): string {
   const totalFiles = exportData.files?.length || 0;
   const filesWithAnnotations = exportData.summary?.filesWithAnnotations || 0;
   const totalBoxAnnotations = exportData.summary?.totalBoxAnnotations || 0;
@@ -912,6 +959,7 @@ Summary:
 Contents:
 - ${exportData.metadata.caseNumber}_data.json/.csv: Case data and annotations
 - images/: Original uploaded images
+- ${publicKeyFileName}: Public signing key PEM for verification
 - README.txt: This file`;
 
   const forensicAddition = `

package/app/components/actions/case-import/confirmation-import.ts

@@ -3,6 +3,7 @@ import paths from '~/config/config.json';
 import { getDataApiKey } from '~/utils/auth';
 import { type ConfirmationImportResult, type ConfirmationImportData } from '~/types';
 import { checkExistingCase } from '../case-manage';
+import { extractConfirmationImportPackage } from './confirmation-package';
 import { validateExporterUid, validateConfirmationHash, validateConfirmationSignatureFile } from './validation';
 import { auditService } from '~/services/audit';
 
@@ -36,6 +37,8 @@ export async function importConfirmationData(
   let signatureValid = false;
   let signaturePresent = false;
   let signatureKeyId: string | undefined;
+  let confirmationDataForAudit: ConfirmationImportData | null = null;
+  let confirmationJsonFileNameForAudit = confirmationFile.name;
   
   const result: ConfirmationImportResult = {
     success: false,
@@ -47,11 +50,17 @@ export async function importConfirmationData(
   };
 
   try {
-    onProgress?.('Reading confirmation file', 10, 'Loading JSON data...');
+    onProgress?.('Reading confirmation file', 10, 'Loading confirmation package...');
 
-    // Read and parse the JSON file
-    const fileContent = await confirmationFile.text();
-    const confirmationData: ConfirmationImportData = JSON.parse(fileContent);
+    const {
+      confirmationData,
+      confirmationJsonContent,
+      verificationPublicKeyPem,
+      confirmationFileName
+    } = await extractConfirmationImportPackage(confirmationFile);
+
+    confirmationDataForAudit = confirmationData;
+    confirmationJsonFileNameForAudit = confirmationFileName;
     result.caseNumber = confirmationData.metadata.caseNumber;
     
     // Start audit workflow
@@ -60,14 +69,17 @@ export async function importConfirmationData(
     onProgress?.('Validating hash', 20, 'Verifying data integrity...');
 
     // Validate hash
-    hashValid = await validateConfirmationHash(fileContent, confirmationData.metadata.hash);
+    hashValid = await validateConfirmationHash(confirmationJsonContent, confirmationData.metadata.hash);
     if (!hashValid) {
       throw new Error('Confirmation data hash validation failed. The file may have been tampered with or corrupted.');
     }
 
     onProgress?.('Validating signature', 30, 'Verifying signed confirmation metadata...');
 
-    const signatureResult = await validateConfirmationSignatureFile(confirmationData);
+    const signatureResult = await validateConfirmationSignatureFile(
+      confirmationData,
+      verificationPublicKeyPem
+    );
     signaturePresent = !!confirmationData.metadata.signature;
     signatureValid = signatureResult.isValid;
     signatureKeyId = signatureResult.keyId;
@@ -276,7 +288,7 @@ export async function importConfirmationData(
     await auditService.logConfirmationImport(
       user,
       result.caseNumber,
-      confirmationFile.name,
+      confirmationJsonFileNameForAudit,
       result.success ? (result.errors && result.errors.length > 0 ? 'warning' : 'success') : 'failure',
       hashValid,
       result.confirmationsImported, // Successfully imported confirmations
@@ -318,19 +330,31 @@ export async function importConfirmationData(
     let signatureValidForAudit = signatureValid;
     let signatureKeyIdForAudit = signatureKeyId;
     
+    const auditConfirmationData = confirmationDataForAudit;
+
     // First, try to extract basic metadata for audit purposes (if file is parseable)
-    try {
-      const confirmationData = JSON.parse(await confirmationFile.text()) as ConfirmationImportData;
-      reviewingExaminerUidForAudit = confirmationData.metadata?.exportedByUid;
-      totalConfirmationsForAudit = confirmationData.metadata?.totalConfirmations || 0;
-      if (confirmationData.metadata?.signature) {
+    if (auditConfirmationData) {
+      reviewingExaminerUidForAudit = auditConfirmationData.metadata?.exportedByUid;
+      totalConfirmationsForAudit = auditConfirmationData.metadata?.totalConfirmations || 0;
+      if (auditConfirmationData.metadata?.signature) {
         signaturePresentForAudit = true;
-        signatureKeyIdForAudit = confirmationData.metadata.signature.keyId;
+        signatureKeyIdForAudit = auditConfirmationData.metadata.signature.keyId;
+      }
+    } else {
+      try {
+        const extracted = await extractConfirmationImportPackage(confirmationFile);
+        reviewingExaminerUidForAudit = extracted.confirmationData.metadata?.exportedByUid;
+        totalConfirmationsForAudit = extracted.confirmationData.metadata?.totalConfirmations || 0;
+        confirmationJsonFileNameForAudit = extracted.confirmationFileName;
+        if (extracted.confirmationData.metadata?.signature) {
+          signaturePresentForAudit = true;
+          signatureKeyIdForAudit = extracted.confirmationData.metadata.signature.keyId;
+        }
+      } catch {
+        // If we can't parse the file, keep undefined/default values
       }
-    } catch {
-      // If we can't parse the file, keep undefined/default values
     }
-    
+
     const errorMessage = error instanceof Error ? error.message : 'Unknown error';
     if (errorMessage.includes('hash validation failed')) {
       // Hash failed - only flag file integrity, don't affect other validations
@@ -352,7 +376,7 @@ export async function importConfirmationData(
     await auditService.logConfirmationImport(
       user,
       result.caseNumber || 'unknown',
-      confirmationFile.name,
+      confirmationJsonFileNameForAudit,
       'failure',
       hashValidForAudit,
       0, // No confirmations successfully imported for failures

package/app/components/actions/case-import/confirmation-package.ts

@@ -0,0 +1,86 @@
+import { type ConfirmationImportData } from '~/types';
+
+const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
+
+export interface ConfirmationImportPackage {
+  confirmationData: ConfirmationImportData;
+  confirmationJsonContent: string;
+  verificationPublicKeyPem?: string;
+  confirmationFileName: string;
+}
+
+function getLeafFileName(path: string): string {
+  const segments = path.split('/').filter(Boolean);
+  return segments.length > 0 ? segments[segments.length - 1] : path;
+}
+
+function selectPreferredPemPath(pemPaths: string[]): string | undefined {
+  if (pemPaths.length === 0) {
+    return undefined;
+  }
+
+  const sortedPaths = [...pemPaths].sort((left, right) => left.localeCompare(right));
+  const preferred = sortedPaths.find((path) =>
+    /^striae-public-signing-key.*\.pem$/i.test(getLeafFileName(path))
+  );
+
+  return preferred ?? sortedPaths[0];
+}
+
+async function extractConfirmationPackageFromZip(file: File): Promise<ConfirmationImportPackage> {
+  const JSZip = (await import('jszip')).default;
+  const zip = await JSZip.loadAsync(file);
+  const fileEntries = Object.keys(zip.files).filter((path) => !zip.files[path].dir);
+
+  const confirmationPaths = fileEntries.filter((path) =>
+    CONFIRMATION_EXPORT_FILE_REGEX.test(getLeafFileName(path))
+  );
+
+  if (confirmationPaths.length !== 1) {
+    throw new Error('Confirmation ZIP must contain exactly one confirmation-data JSON file.');
+  }
+
+  const confirmationPath = confirmationPaths[0];
+  const confirmationJsonContent = await zip.file(confirmationPath)?.async('text');
+  if (!confirmationJsonContent) {
+    throw new Error('Failed to read confirmation JSON from ZIP package.');
+  }
+
+  const confirmationData = JSON.parse(confirmationJsonContent) as ConfirmationImportData;
+
+  const pemPaths = fileEntries.filter((path) => getLeafFileName(path).toLowerCase().endsWith('.pem'));
+  const preferredPemPath = selectPreferredPemPath(pemPaths);
+
+  let verificationPublicKeyPem: string | undefined;
+  if (preferredPemPath) {
+    verificationPublicKeyPem = await zip.file(preferredPemPath)?.async('text');
+  }
+
+  return {
+    confirmationData,
+    confirmationJsonContent,
+    verificationPublicKeyPem,
+    confirmationFileName: getLeafFileName(confirmationPath)
+  };
+}
+
+export async function extractConfirmationImportPackage(file: File): Promise<ConfirmationImportPackage> {
+  const lowerName = file.name.toLowerCase();
+
+  if (lowerName.endsWith('.json')) {
+    const confirmationJsonContent = await file.text();
+    const confirmationData = JSON.parse(confirmationJsonContent) as ConfirmationImportData;
+
+    return {
+      confirmationData,
+      confirmationJsonContent,
+      confirmationFileName: file.name
+    };
+  }
+
+  if (lowerName.endsWith('.zip')) {
+    return extractConfirmationPackageFromZip(file);
+  }
+
+  throw new Error('Unsupported confirmation import file type. Use a confirmation JSON or confirmation ZIP file.');
+}

package/app/components/actions/case-import/index.ts

@@ -34,6 +34,7 @@ export { importAnnotations } from './annotation-import';
 
 // Confirmation import
 export { importConfirmationData } from './confirmation-import';
+export { extractConfirmationImportPackage } from './confirmation-package';
 
 // Main orchestrator
 export { importCaseForReview } from './orchestrator';

package/app/components/actions/case-import/orchestrator.ts

@@ -137,7 +137,14 @@ export async function importCaseForReview(
     onProgress?.('Parsing ZIP file', 10, 'Extracting archive contents...');
     
     // Step 1: Parse ZIP file
-    const { caseData, imageFiles, imageIdMapping, metadata, cleanedContent } = await parseImportZip(zipFile, user);
+    const {
+      caseData,
+      imageFiles,
+      imageIdMapping,
+      metadata,
+      cleanedContent,
+      verificationPublicKeyPem
+    } = await parseImportZip(zipFile, user);
     parsedForensicManifest = metadata?.forensicManifest as SignedForensicManifest | undefined;
     result.caseNumber = caseData.metadata.caseNumber;
     importState.caseNumber = result.caseNumber;
@@ -181,7 +188,10 @@ export async function importCaseForReview(
         );
       }
 
-      const signatureResult = await verifyForensicManifestSignature(parsedForensicManifest);
+      const signatureResult = await verifyForensicManifestSignature(
+        parsedForensicManifest,
+        verificationPublicKeyPem
+      );
       signatureValidationPassed = signatureResult.isValid;
       signatureKeyId = signatureResult.keyId;
 

package/app/components/actions/case-import/validation.ts

@@ -2,67 +2,12 @@ import type { User } from 'firebase/auth';
 import paths from '~/config/config.json';
 import { getUserApiKey } from '~/utils/auth';
 import { type CaseExportData, type ConfirmationImportData } from '~/types';
-import { calculateSHA256Secure, type ManifestSignatureVerificationResult } from '~/utils/SHA256';
+import { type ManifestSignatureVerificationResult } from '~/utils/SHA256';
 import { verifyConfirmationSignature } from '~/utils/confirmation-signature';
+export { removeForensicWarning, validateConfirmationHash } from '~/utils/export-verification';
 
 const USER_WORKER_URL = paths.user_worker_url;
 
-/**
- * Remove forensic warning from content for hash validation (supports both JSON and CSV formats)
- * This function ensures exact match with the content used during export hash generation
- */
-export function removeForensicWarning(content: string): string {
-  // Handle JSON forensic warnings (block comment format)
-  // /* CASE DATA WARNING
-  //  * This file contains evidence data for forensic examination.
-  //  * Any modification may compromise the integrity of the evidence.
-  //  * Handle according to your organization's chain of custody procedures.
-  //  * 
-  //  * File generated: YYYY-MM-DDTHH:mm:ss.sssZ
-  //  */
-  const jsonForensicWarningRegex = /^\/\*\s*CASE\s+DATA\s+WARNING[\s\S]*?\*\/\s*\r?\n*/;
-  
-  // Handle CSV forensic warnings (quoted string format at the beginning of file)
-  // CRITICAL: The CSV forensic warning is ONLY the first quoted line, followed by two newlines
-  // Format: "CASE DATA WARNING: This file contains evidence data for forensic examination. Any modification may compromise the integrity of the evidence. Handle according to your organization's chain of custody procedures."\n\n
-  // 
-  // After removal, what remains should be the csvWithHash content:
-  // # Striae Case Export - Generated: ...
-  // # Case: ...
-  // # Total Files: ...
-  // # SHA256 Hash: ...
-  // # Verification: ...
-  //
-  // [actual CSV data]
-  // More robust regex to handle various line endings and exact format from generation
-  const csvForensicWarningRegex = /^"CASE DATA WARNING: This file contains evidence data for forensic examination\. Any modification may compromise the integrity of the evidence\. Handle according to your organization's chain of custody procedures\."(?:\r?\n){2}/;
-  
-  let cleaned = content;
-  
-  // Try JSON format first
-  if (jsonForensicWarningRegex.test(content)) {
-    cleaned = content.replace(jsonForensicWarningRegex, '');
-  }
-  // Try CSV format with exact pattern match
-  else if (csvForensicWarningRegex.test(content)) {
-    cleaned = content.replace(csvForensicWarningRegex, '');
-  }
-  // Fallback: try broader CSV pattern in case of slight format differences
-  else if (content.startsWith('"CASE DATA WARNING:')) {
-    // Find the end of the first quoted string followed by newlines
-    const match = content.match(/^"[^"]*"(?:\r?\n)+/);
-    if (match) {
-      cleaned = content.substring(match[0].length);
-    }
-  }
-  
-  // Additional cleanup: remove any leading whitespace that might remain
-  // This ensures we match exactly what the generation functions produce with protectForensicData: false
-  cleaned = cleaned.replace(/^\s+/, '');
-  
-  return cleaned;
-}
-
 /**
  * Validate that a user exists in the database by UID and is not the current user
  */
@@ -93,45 +38,6 @@ export function isConfirmationDataFile(filename: string): boolean {
   return filename.startsWith('confirmation-data') && filename.endsWith('.json');
 }
 
-/**
- * Validate confirmation data file hash
- */
-export async function validateConfirmationHash(jsonContent: string, expectedHash: string): Promise<boolean> {
-  try {
-    // Validate input parameters
-    if (!expectedHash || typeof expectedHash !== 'string') {
-      console.error('validateConfirmationHash: expected hash input is invalid');
-      return false;
-    }
-
-    // Create data without hash for validation
-    const data = JSON.parse(jsonContent);
-    const dataWithoutHash = {
-      ...data,
-      metadata: {
-        ...data.metadata,
-        hash: undefined
-      }
-    };
-    delete dataWithoutHash.metadata.hash;
-    delete dataWithoutHash.metadata.signature;
-    delete dataWithoutHash.metadata.signatureVersion;
-    
-    const contentForHash = JSON.stringify(dataWithoutHash, null, 2);
-    const actualHash = await calculateSHA256Secure(contentForHash);
-    
-    if (!actualHash) {
-      console.error('validateConfirmationHash: failed to calculate hash');
-      return false;
-    }
-    
-    return actualHash.toUpperCase() === expectedHash.toUpperCase();
-  } catch {
-    console.error('validateConfirmationHash: validation failed');
-    return false;
-  }
-}
-
 /**
  * Validate imported case data integrity (optional verification)
  */
@@ -183,7 +89,8 @@ export function validateCaseIntegrity(
  * Validate confirmation data file signature.
  */
 export async function validateConfirmationSignatureFile(
-  confirmationData: Partial<ConfirmationImportData>
+  confirmationData: Partial<ConfirmationImportData>,
+  verificationPublicKeyPem?: string
 ): Promise<ManifestSignatureVerificationResult> {
-  return verifyConfirmationSignature(confirmationData);
+  return verifyConfirmationSignature(confirmationData, verificationPublicKeyPem);
 }

package/app/components/actions/case-import/zip-processing.ts

@@ -9,6 +9,41 @@ import {
 } from '~/utils/SHA256';
 import { validateExporterUid, removeForensicWarning } from './validation';
 
+function getLeafFileName(path: string): string {
+  const segments = path.split('/').filter(Boolean);
+  return segments.length > 0 ? segments[segments.length - 1] : path;
+}
+
+function selectPreferredPemPath(pemPaths: string[]): string | undefined {
+  if (pemPaths.length === 0) {
+    return undefined;
+  }
+
+  const sortedPaths = [...pemPaths].sort((left, right) => left.localeCompare(right));
+  const preferred = sortedPaths.find((path) =>
+    /^striae-public-signing-key.*\.pem$/i.test(getLeafFileName(path))
+  );
+
+  return preferred ?? sortedPaths[0];
+}
+
+async function extractVerificationPublicKeyFromZip(
+  zip: {
+    files: Record<string, { dir: boolean }>;
+    file: (path: string) => { async: (type: 'text') => Promise<string> } | null;
+  }
+): Promise<string | undefined> {
+  const filePaths = Object.keys(zip.files).filter((path) => !zip.files[path].dir);
+  const pemPaths = filePaths.filter((path) => getLeafFileName(path).toLowerCase().endsWith('.pem'));
+  const preferredPemPath = selectPreferredPemPath(pemPaths);
+
+  if (!preferredPemPath) {
+    return undefined;
+  }
+
+  return zip.file(preferredPemPath)?.async('text');
+}
+
 /**
  * Extract original image ID from export filename format
  * Format: {originalFilename}-{id}.{extension}
@@ -51,6 +86,7 @@ export async function previewCaseImport(zipFile: File, currentUser: User): Promi
   
   try {
     const zip = await JSZip.loadAsync(zipFile);
+    const verificationPublicKeyPem = await extractVerificationPublicKeyFromZip(zip);
     
     // First, validate hash if forensic metadata exists
     let hashValid: boolean | undefined = undefined;
@@ -128,7 +164,10 @@ export async function previewCaseImport(zipFile: File, currentUser: User): Promi
               }));
             }
 
-            const signatureResult = await verifyForensicManifestSignature(forensicManifest);
+            const signatureResult = await verifyForensicManifestSignature(
+              forensicManifest,
+              verificationPublicKeyPem
+            );
           
             // Perform comprehensive validation
             const validation = await validateForensicIntegrity(
@@ -267,12 +306,14 @@ export async function parseImportZip(zipFile: File, currentUser: User): Promise<
   imageIdMapping: { [exportFilename: string]: string }; // exportFilename -> originalImageId
   metadata?: Record<string, unknown>;
   cleanedContent?: string; // Add cleaned content for hash validation
+  verificationPublicKeyPem?: string;
 }> {
   // Dynamic import of JSZip to avoid bundle size issues
   const JSZip = (await import('jszip')).default;
   
   try {
     const zip = await JSZip.loadAsync(zipFile);
+    const verificationPublicKeyPem = await extractVerificationPublicKeyFromZip(zip);
     
     // Find the main data file (JSON or CSV)
     const dataFiles = Object.keys(zip.files).filter(name => 
@@ -367,7 +408,8 @@ export async function parseImportZip(zipFile: File, currentUser: User): Promise<
       imageFiles,
       imageIdMapping,
       metadata,
-      cleanedContent
+      cleanedContent,
+      verificationPublicKeyPem
     };
     
   } catch (error) {

package/app/components/actions/confirm-export.ts

@@ -3,6 +3,11 @@ import { calculateSHA256Secure } from '~/utils/SHA256';
 import { getUserData } from '~/utils/permissions';
 import { getCaseData, updateCaseData, signConfirmationData } from '~/utils/data-operations';
 import { type ConfirmationData, type CaseConfirmations, type CaseDataWithConfirmations, type ConfirmationImportData } from '~/types';
+import {
+  createPublicSigningKeyFileName,
+  getCurrentPublicSigningKeyDetails,
+  getVerificationPublicKey
+} from '~/utils/signature-utils';
 import { auditService } from '~/services/audit';
 
 /**
@@ -267,15 +272,8 @@ export async function exportConfirmationData(
       }
     };
 
-    // Convert final data to JSON blob
     const finalJsonString = JSON.stringify(finalExportData, null, 2);
-    const blob = new Blob([finalJsonString], { type: 'application/json' });
-    
-    // Create download
-    const url = URL.createObjectURL(blob);
-    const a = document.createElement('a');
-    a.href = url;
-    
+
     // Use local timezone for filename timestamp
     const now = new Date();
     const year = now.getFullYear();
@@ -285,14 +283,47 @@ export async function exportConfirmationData(
     const minutes = String(now.getMinutes()).padStart(2, '0');
     const seconds = String(now.getSeconds()).padStart(2, '0');
     const timestampString = `${year}${month}${day}-${hours}${minutes}${seconds}`;
+
+    const confirmationFileName = `confirmation-data-${caseNumber}-${timestampString}.json`;
+
+    const keyFromSignature = getVerificationPublicKey(signingResult.signature.keyId);
+    const currentKey = getCurrentPublicSigningKeyDetails();
+    const publicKeyPem = keyFromSignature ?? currentKey.publicKeyPem;
+    const publicKeyFileName = createPublicSigningKeyFileName(
+      keyFromSignature ? signingResult.signature.keyId : currentKey.keyId
+    );
+
+    if (!publicKeyPem || publicKeyPem.trim().length === 0) {
+      throw new Error('No public signing key is configured for confirmation export packaging.');
+    }
+
+    const JSZip = (await import('jszip')).default;
+    const zip = new JSZip();
+    const normalizedPem = publicKeyPem.endsWith('\n') ? publicKeyPem : `${publicKeyPem}\n`;
+
+    zip.file(confirmationFileName, finalJsonString);
+    zip.file(publicKeyFileName, normalizedPem);
+
+    const zipBlob = await zip.generateAsync({
+      type: 'blob',
+      compression: 'DEFLATE',
+      compressionOptions: { level: 6 }
+    });
+
+    const exportFileName = `confirmation-export-${caseNumber}-${timestampString}.zip`;
+
+    // Create download
+    const url = URL.createObjectURL(zipBlob);
+    const a = document.createElement('a');
+    a.href = url;
     
-    a.download = `confirmation-data-${caseNumber}-${timestampString}.json`;
+    a.download = exportFileName;
     document.body.appendChild(a);
     a.click();
     document.body.removeChild(a);
     URL.revokeObjectURL(url);
     
-    console.log(`Confirmation data exported for case ${caseNumber}`);
+    console.log(`Confirmation export ZIP generated for case ${caseNumber}`);
     
     // Log successful confirmation export
     const endTime = Date.now();
@@ -300,14 +331,14 @@ export async function exportConfirmationData(
     await auditService.logConfirmationExport(
       user,
       caseNumber,
-      `confirmation-data-${caseNumber}-${timestampString}.json`,
+      exportFileName,
       confirmationCount,
       'success',
       [],
       undefined, // Original examiner UID not available here
       {
         processingTimeMs: endTime - startTime,
-        fileSizeBytes: new Blob([jsonString]).size,
+        fileSizeBytes: zipBlob.size,
         validationStepsCompleted: confirmationCount,
         validationStepsFailed: 0
       },
@@ -328,7 +359,7 @@ export async function exportConfirmationData(
     await auditService.logConfirmationExport(
       user,
       caseNumber,
-      `confirmation-data-${caseNumber}-error.json`,
+      `confirmation-export-${caseNumber}-error.zip`,
       0,
       'failure',
       [error instanceof Error ? error.message : 'Unknown error'],

package/app/components/form/form-button.tsx

@@ -1,7 +1,7 @@
 import styles from './form.module.css';
 
 interface FormButtonProps extends React.ButtonHTMLAttributes<HTMLButtonElement> {
-  variant?: 'primary' | 'secondary' | 'success' | 'error';
+  variant?: 'primary' | 'secondary' | 'success' | 'error' | 'audit';
   isLoading?: boolean;
   loadingText?: string;
   children: React.ReactNode;