@striae-org/striae 4.0.2 → 4.1.0

package/app/services/audit/audit.service.ts

@@ -60,6 +60,7 @@ export class AuditService {
   private static instance: AuditService;
   private auditBuffer: ValidationAuditEntry[] = [];
   private workflowId: string | null = null;
+  private userBadgeIdByUserId = new Map<string, string>();
 
   private constructor() {}
 
@@ -97,7 +98,26 @@ export class AuditService {
     const startTime = Date.now();
 
     try {
-      const auditEntry = buildValidationAuditEntry(params);
+      const providedBadgeId = params.userProfileDetails?.badgeId?.trim();
+      if (providedBadgeId && params.userId) {
+        this.userBadgeIdByUserId.set(params.userId, providedBadgeId);
+      }
+
+      const resolvedBadgeId =
+        providedBadgeId ||
+        (params.userId ? this.userBadgeIdByUserId.get(params.userId) : undefined);
+
+      const paramsWithBadgeId: CreateAuditEntryParams = resolvedBadgeId
+        ? {
+            ...params,
+            userProfileDetails: {
+              ...(params.userProfileDetails || {}),
+              badgeId: resolvedBadgeId
+            }
+          }
+        : params;
+
+      const auditEntry = buildValidationAuditEntry(paramsWithBadgeId);
 
       // Add to buffer for batch processing
       this.auditBuffer.push(auditEntry);
@@ -196,13 +216,15 @@ export class AuditService {
     originalExaminerUid?: string,
     performanceMetrics?: PerformanceMetrics,
     imageFileId?: string,
-    originalImageFileName?: string
+    originalImageFileName?: string,
+    badgeId?: string
   ): Promise<void> {
     await this.logEvent(
       buildConfirmationCreationAuditParams({
         user,
         caseNumber,
         confirmationId,
+        badgeId,
         result,
         errors,
         originalExaminerUid,
@@ -550,12 +572,13 @@ export class AuditService {
    */
   public async logUserProfileUpdate(
     user: User,
-    profileField: 'displayName' | 'email' | 'organization' | 'role' | 'preferences' | 'avatar',
+    profileField: 'displayName' | 'email' | 'organization' | 'role' | 'preferences' | 'avatar' | 'badgeId',
     oldValue: string,
     newValue: string,
     result: AuditResult,
     sessionId?: string,
-    errors: string[] = []
+    errors: string[] = [],
+    badgeId?: string
   ): Promise<void> {
     await this.logEvent(
       buildUserProfileUpdateAuditParams({
@@ -565,7 +588,8 @@ export class AuditService {
         newValue,
         result,
         sessionId,
-        errors
+        errors,
+        badgeId
       })
     );
   }

package/app/services/audit/builders/audit-entry-builder.ts

@@ -26,7 +26,8 @@ export const buildValidationAuditEntry = (
       fileDetails: params.fileDetails,
       annotationDetails: params.annotationDetails,
       sessionDetails: params.sessionDetails,
-      securityDetails: params.securityDetails
+      securityDetails: params.securityDetails,
+      userProfileDetails: params.userProfileDetails
     }
   };
 };

package/app/services/audit/builders/audit-event-builders-user-security.ts

@@ -57,9 +57,10 @@ export const buildUserLogoutAuditParams = (
 
 interface BuildUserProfileUpdateAuditParamsInput {
   user: User;
-  profileField: 'displayName' | 'email' | 'organization' | 'role' | 'preferences' | 'avatar';
+  profileField: 'displayName' | 'email' | 'organization' | 'role' | 'preferences' | 'avatar' | 'badgeId';
   oldValue: string;
   newValue: string;
+  badgeId?: string;
   result: AuditResult;
   sessionId?: string;
   errors?: string[];
@@ -85,7 +86,8 @@ export const buildUserProfileUpdateAuditParams = (
     userProfileDetails: {
       profileField: input.profileField,
       oldValue: input.oldValue,
-      newValue: input.newValue
+      newValue: input.newValue,
+      badgeId: input.badgeId
     }
   };
 };

package/app/services/audit/builders/audit-event-builders-workflow.ts

@@ -125,6 +125,7 @@ interface BuildConfirmationCreationAuditParamsInput {
   user: User;
   caseNumber: string;
   confirmationId: string;
+  badgeId?: string;
   result: AuditResult;
   errors?: string[];
   originalExaminerUid?: string;
@@ -156,6 +157,11 @@ export const buildConfirmationCreationAuditParams = (
     performanceMetrics: input.performanceMetrics,
     originalExaminerUid: input.originalExaminerUid,
     reviewingExaminerUid: input.user.uid,
+    userProfileDetails: input.badgeId
+      ? {
+          badgeId: input.badgeId
+        }
+      : undefined,
     fileDetails: input.imageFileId && input.originalImageFileName
       ? {
           fileId: input.imageFileId,

package/app/types/audit.ts

@@ -269,9 +269,10 @@ export interface SecurityAuditDetails {
  * User profile and authentication specific audit details
  */
 export interface UserProfileAuditDetails {
-  profileField?: 'displayName' | 'email' | 'organization' | 'role' | 'preferences' | 'avatar';
+  profileField?: 'displayName' | 'email' | 'organization' | 'role' | 'preferences' | 'avatar' | 'badgeId';
   oldValue?: string;
   newValue?: string;
+  badgeId?: string;
   resetMethod?: 'email' | 'sms' | 'security-questions' | 'admin-reset';
   resetToken?: string; // Partial token for tracking (last 4 chars)
   verificationMethod?: 'email-link' | 'sms-code' | 'totp' | 'backup-codes' | 'admin-verification';

package/app/types/user.ts

@@ -8,6 +8,7 @@ export interface UserData {
   firstName: string;
   lastName: string;
   company: string;
+  badgeId?: string;
   permitted: boolean;
   cases: Array<{
     caseNumber: string;

package/app/utils/data/permissions.ts

@@ -110,6 +110,7 @@ export const createUser = async (
       firstName,
       lastName,
       company,
+      badgeId: '',
       permitted,
       cases: [],
       readOnlyCases: [],

package/functions/api/pdf/[[path]].ts

@@ -6,6 +6,8 @@ interface PdfProxyContext {
 }
 
 const SUPPORTED_METHODS = new Set(['POST', 'OPTIONS']);
+const PRIMERSHEAR_FORMAT = 'primershear';
+const DEFAULT_FORMAT = 'striae';
 
 function textResponse(message: string, status: number): Response {
   return new Response(message, {
@@ -40,6 +42,12 @@ function extractProxyPath(url: URL): string | null {
   return remainder.length > 0 ? remainder : '/';
 }
 
+function resolveReportFormat(email: string | null, primershearEmails: string): string {
+  if (!email) return DEFAULT_FORMAT;
+  const allowed = primershearEmails.split(',').map(e => e.trim().toLowerCase()).filter(Boolean);
+  return allowed.includes(email.toLowerCase()) ? PRIMERSHEAR_FORMAT : DEFAULT_FORMAT;
+}
+
 export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Response> => {
   if (!SUPPORTED_METHODS.has(request.method)) {
     return textResponse('Method not allowed', 405);
@@ -86,12 +94,35 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
 
   upstreamHeaders.set('X-Custom-Auth-Key', env.PDF_WORKER_AUTH);
 
+  // Resolve the report format server-side based on the verified user email.
+  // This prevents email lists from ever being exposed in the client bundle.
+  const reportFormat = resolveReportFormat(
+    identity.email,
+    env.PRIMERSHEAR_EMAILS ?? ''
+  );
+
+  let upstreamBody: BodyInit;
+  try {
+    const payload = await request.json() as Record<string, unknown>;
+    // Inject the server-resolved format, overriding any client-supplied value.
+    if (payload.data && typeof payload.data === 'object') {
+      payload.reportFormat = reportFormat;
+    } else {
+      // Legacy flat payload shape
+      payload.reportFormat = reportFormat;
+    }
+    upstreamBody = JSON.stringify(payload);
+    upstreamHeaders.set('Content-Type', 'application/json');
+  } catch {
+    return textResponse('Invalid request body', 400);
+  }
+
   let upstreamResponse: Response;
   try {
     upstreamResponse = await fetch(upstreamUrl, {
       method: request.method,
       headers: upstreamHeaders,
-      body: request.body
+      body: upstreamBody
     });
   } catch {
     return textResponse('Upstream PDF service unavailable', 502);

package/load-context.ts

@@ -0,0 +1,9 @@
+import { type PlatformProxy } from "wrangler";
+
+type Cloudflare = Omit<PlatformProxy<Env>, "dispose">;
+
+declare module "react-router" {
+  interface AppLoadContext {
+    cloudflare: Cloudflare;
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "4.0.2",
+  "version": "4.1.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -43,8 +43,10 @@
     "app/entry.client.tsx",
     "app/entry.server.tsx",
     "app/root.tsx",
+    "app/routes.ts",
     "app/tailwind.css",
     "react-router.config.ts",
+    "load-context.ts",
     "functions/",
     "public/",
     "scripts/",
@@ -60,6 +62,7 @@
     "workers/pdf-worker/src/report-types.ts",
     "workers/*/wrangler.jsonc.example",
     ".env.example",
+    "primershear.emails.example",
     "firebase.json",
     "postcss.config.js",
     "tailwind.config.ts",
@@ -101,6 +104,7 @@
     "deploy-workers:secrets": "bash ./scripts/deploy-worker-secrets.sh",
     "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh",
     "deploy-pages": "bash ./scripts/deploy-pages.sh",
+    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh",
     "deploy-workers:audit": "cd workers/audit-worker && npm run deploy",
     "deploy-workers:data": "cd workers/data-worker && npm run deploy",
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",

package/primershear.emails.example

@@ -0,0 +1,6 @@
+# PrimerShear PDF format - authorized email addresses
+# One email per line. Lines starting with # are ignored.
+# This file is untracked. Run: npm run deploy-primershear to push changes.
+#
+# Example:
+# analyst@organization.com

package/scripts/deploy-config.sh

@@ -697,6 +697,8 @@ validate_generated_configs() {
         "app/config/config.json"
         "app/config/firebase.ts"
         "app/config/admin-service.json"
+        "app/routes/auth/login.tsx"
+        "app/routes/auth/login.module.css"
         "workers/audit-worker/wrangler.jsonc"
         "workers/data-worker/wrangler.jsonc"
         "workers/image-worker/wrangler.jsonc"
@@ -741,6 +743,7 @@ validate_generated_configs() {
 
     assert_contains_literal "app/config/config.json" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in app/config/config.json"
     assert_contains_literal "app/config/config.json" "$ACCOUNT_HASH" "ACCOUNT_HASH missing in app/config/config.json"
+    assert_contains_literal "app/routes/auth/login.tsx" "const APP_CANONICAL_ORIGIN = 'https://$PAGES_CUSTOM_DOMAIN';" "PAGES_CUSTOM_DOMAIN missing in app/routes/auth/login.tsx canonical origin"
 
     assert_contains_literal "app/config/firebase.ts" "$API_KEY" "API_KEY missing in app/config/firebase.ts"
     assert_contains_literal "app/config/firebase.ts" "$AUTH_DOMAIN" "AUTH_DOMAIN missing in app/config/firebase.ts"
@@ -776,6 +779,7 @@ validate_generated_configs() {
         "workers/user-worker/src/user-worker.ts"
         "app/config/config.json"
         "app/config/firebase.ts"
+        "app/routes/auth/login.tsx"
     )
 
     for file_path in "${files_to_scan[@]}"; do
@@ -862,6 +866,23 @@ copy_example_configs() {
 
         echo -e "${GREEN}    ✅ app: copied $copied_config_files config file(s) from config-example${NC}"
     fi
+
+    # Copy auth route template files
+    echo -e "${YELLOW}  Copying auth route template files...${NC}"
+
+    if [ -f "app/routes/auth/login.example.tsx" ] && { [ "$update_env" = "true" ] || [ ! -f "app/routes/auth/login.tsx" ]; }; then
+        cp app/routes/auth/login.example.tsx app/routes/auth/login.tsx
+        echo -e "${GREEN}    ✅ auth: login.tsx created from example${NC}"
+    elif [ -f "app/routes/auth/login.tsx" ]; then
+        echo -e "${YELLOW}    ⚠️  auth: login.tsx already exists, skipping copy${NC}"
+    fi
+
+    if [ -f "app/routes/auth/login.module.example.css" ] && { [ "$update_env" = "true" ] || [ ! -f "app/routes/auth/login.module.css" ]; }; then
+        cp app/routes/auth/login.module.example.css app/routes/auth/login.module.css
+        echo -e "${GREEN}    ✅ auth: login.module.css created from example${NC}"
+    elif [ -f "app/routes/auth/login.module.css" ]; then
+        echo -e "${YELLOW}    ⚠️  auth: login.module.css already exists, skipping copy${NC}"
+    fi
     
     # Navigate to each worker directory and copy the example file
     echo -e "${YELLOW}  Copying worker configuration files...${NC}"
@@ -1450,6 +1471,12 @@ update_wrangler_configs() {
         sed -i "s|\"YOUR_FIREBASE_MEASUREMENT_ID\"|\"$MEASUREMENT_ID\"|g" app/config/firebase.ts
         echo -e "${GREEN}      ✅ app firebase.ts updated${NC}"
     fi
+
+    if [ -f "app/routes/auth/login.tsx" ]; then
+        echo -e "${YELLOW}    Updating app/routes/auth/login.tsx...${NC}"
+        sed -i "s|^const APP_CANONICAL_ORIGIN = .*;|const APP_CANONICAL_ORIGIN = 'https://$escaped_pages_custom_domain';|g" app/routes/auth/login.tsx
+        echo -e "${GREEN}      ✅ app login.tsx canonical origin updated${NC}"
+    fi
     
     echo -e "${GREEN}✅ All configuration files updated${NC}"
 }

package/scripts/deploy-pages-secrets.sh

@@ -178,6 +178,12 @@ deploy_pages_environment_secrets() {
         set_pages_secret "API_TOKEN" "$optional_api_token" "$pages_env"
     fi
 
+    local optional_primershear_emails
+    optional_primershear_emails=$(get_optional_value "PRIMERSHEAR_EMAILS")
+    if [ -n "$optional_primershear_emails" ]; then
+        set_pages_secret "PRIMERSHEAR_EMAILS" "$optional_primershear_emails" "$pages_env"
+    fi
+
     echo -e "${GREEN}✅ Pages secrets deployed to $pages_env${NC}"
 }
 

package/scripts/deploy-primershear-emails.sh

@@ -0,0 +1,166 @@
+#!/bin/bash
+
+# ============================================
+# PRIMERSHEAR EMAIL LIST DEPLOYMENT SCRIPT
+# ============================================
+# Reads primershear.emails, updates PRIMERSHEAR_EMAILS in .env,
+# then deploys that secret directly to Cloudflare Pages.
+#
+# Usage:
+#   bash ./scripts/deploy-primershear-emails.sh [--production-only|--preview-only|--env-only]
+#
+# Options:
+#   --production-only  Deploy to production Pages environment only
+#   --preview-only     Deploy to preview Pages environment only
+#   --env-only         Update .env only; do not deploy to Cloudflare
+#   -h, --help         Show this help message
+
+set -e
+set -o pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}📧 PrimerShear Email List Deployment${NC}"
+echo "======================================"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+cd "$PROJECT_ROOT"
+
+trap 'echo -e "\n${RED}❌ deploy-primershear-emails.sh failed near line ${LINENO}${NC}"' ERR
+
+# ── Argument parsing ─────────────────────────────────────────────────────────
+
+deploy_production=true
+deploy_preview=true
+env_only=false
+
+for arg in "$@"; do
+    case "$arg" in
+        -h|--help)
+            echo "Usage: bash ./scripts/deploy-primershear-emails.sh [--production-only|--preview-only|--env-only]"
+            echo ""
+            echo "Options:"
+            echo "  --production-only  Deploy to production Pages environment only"
+            echo "  --preview-only     Deploy to preview Pages environment only"
+            echo "  --env-only         Update .env only; do not deploy to Cloudflare"
+            echo "  -h, --help         Show this help message"
+            exit 0
+            ;;
+        --production-only)
+            deploy_production=true
+            deploy_preview=false
+            ;;
+        --preview-only)
+            deploy_production=false
+            deploy_preview=true
+            ;;
+        --env-only)
+            env_only=true
+            ;;
+        *)
+            echo -e "${RED}❌ Unknown option: $arg${NC}"
+            echo "Use --help to see supported options."
+            exit 1
+            ;;
+    esac
+done
+
+# ── Read emails file ──────────────────────────────────────────────────────────
+
+EMAILS_FILE="$PROJECT_ROOT/primershear.emails"
+
+if [ ! -f "$EMAILS_FILE" ]; then
+    echo -e "${RED}❌ primershear.emails not found at: $EMAILS_FILE${NC}"
+    echo -e "${YELLOW}   Create it with one email address per line.${NC}"
+    exit 1
+fi
+
+# Strip comment lines and blank lines, then join with commas
+PRIMERSHEAR_EMAILS=$(grep -v '^\s*#' "$EMAILS_FILE" | grep -v '^\s*$' | paste -sd ',' -)
+
+if [ -z "$PRIMERSHEAR_EMAILS" ]; then
+    echo -e "${YELLOW}⚠️  primershear.emails contains no active email addresses.${NC}"
+    echo -e "${YELLOW}   The secret will be set to an empty string, disabling the feature.${NC}"
+fi
+
+EMAIL_COUNT=$(echo "$PRIMERSHEAR_EMAILS" | tr ',' '\n' | grep -c '[^[:space:]]' || true)
+echo -e "${GREEN}✅ Loaded $EMAIL_COUNT email address(es) from primershear.emails${NC}"
+
+# ── Update .env ───────────────────────────────────────────────────────────────
+
+ENV_FILE="$PROJECT_ROOT/.env"
+
+if [ ! -f "$ENV_FILE" ]; then
+    echo -e "${RED}❌ .env not found. Run deploy-config first.${NC}"
+    exit 1
+fi
+
+# Replace the PRIMERSHEAR_EMAILS= line in .env (handles both empty and populated values)
+if grep -q '^PRIMERSHEAR_EMAILS=' "$ENV_FILE"; then
+    # Use a temp file to avoid sed -i portability issues across macOS/Linux
+    local_tmp=$(mktemp)
+    sed "s|^PRIMERSHEAR_EMAILS=.*|PRIMERSHEAR_EMAILS=${PRIMERSHEAR_EMAILS}|" "$ENV_FILE" > "$local_tmp"
+    mv "$local_tmp" "$ENV_FILE"
+    echo -e "${GREEN}✅ Updated PRIMERSHEAR_EMAILS in .env${NC}"
+else
+    echo "" >> "$ENV_FILE"
+    echo "PRIMERSHEAR_EMAILS=${PRIMERSHEAR_EMAILS}" >> "$ENV_FILE"
+    echo -e "${GREEN}✅ Appended PRIMERSHEAR_EMAILS to .env${NC}"
+fi
+
+if [ "$env_only" = "true" ]; then
+    echo -e "\n${GREEN}🎉 .env updated. Skipping Cloudflare deployment (--env-only).${NC}"
+    exit 0
+fi
+
+# ── Deploy to Cloudflare Pages ────────────────────────────────────────────────
+
+if ! command -v wrangler > /dev/null 2>&1; then
+    echo -e "${RED}❌ wrangler is not installed or not in PATH${NC}"
+    exit 1
+fi
+
+source "$ENV_FILE"
+
+PAGES_PROJECT_NAME=$(echo "$PAGES_PROJECT_NAME" | tr -d '\r')
+if [ -z "$PAGES_PROJECT_NAME" ]; then
+    echo -e "${RED}❌ PAGES_PROJECT_NAME is missing from .env${NC}"
+    exit 1
+fi
+
+set_secret() {
+    local pages_env=$1
+    echo -e "${YELLOW}  Setting PRIMERSHEAR_EMAILS for $pages_env...${NC}"
+    if [ "$pages_env" = "production" ]; then
+        printf '%s' "$PRIMERSHEAR_EMAILS" | wrangler pages secret put PRIMERSHEAR_EMAILS \
+            --project-name "$PAGES_PROJECT_NAME"
+    else
+        printf '%s' "$PRIMERSHEAR_EMAILS" | wrangler pages secret put PRIMERSHEAR_EMAILS \
+            --project-name "$PAGES_PROJECT_NAME" --env "$pages_env"
+    fi
+}
+
+if [ "$deploy_production" = "true" ]; then
+    set_secret "production"
+    echo -e "${GREEN}✅ PRIMERSHEAR_EMAILS deployed to production${NC}"
+fi
+
+if [ "$deploy_preview" = "true" ]; then
+    set_secret "preview"
+    echo -e "${GREEN}✅ PRIMERSHEAR_EMAILS deployed to preview${NC}"
+fi
+
+# Deploy Pages so the new secret takes effect immediately
+echo -e "\n${YELLOW}🚀 Building and deploying Pages to activate new secret...${NC}"
+if ! npm run deploy; then
+    echo -e "${RED}❌ Pages deployment failed${NC}"
+    exit 1
+fi
+echo -e "${GREEN}✅ Pages deployment complete${NC}"
+
+echo -e "\n${GREEN}🎉 PrimerShear email list deployment complete!${NC}"