@striae-org/striae 4.0.3 → 4.2.0

package/.env.example

@@ -101,3 +101,11 @@ BROWSER_API_TOKEN=your_cloudflare_browser_rendering_api_token_here
 # □ Configure KV binding in user-worker/wrangler.jsonc
 # □ Configure R2 binding in data-worker/wrangler.jsonc
 # □ Configure R2 binding in audit-worker/wrangler.jsonc
+
+# ================================
+# PRIMERSHEAR PDF FORMAT
+# ================================
+# Comma-separated list of email addresses that will receive the primershear PDF format.
+# Leave empty to disable the feature. Never commit this value to source control.
+# Example: PRIMERSHEAR_EMAILS=analyst@org.com,user2@org.com
+PRIMERSHEAR_EMAILS=

package/app/components/actions/case-export/core-export.ts

@@ -1,8 +1,9 @@
 import type { User } from 'firebase/auth';
 import { type AnnotationData, type CaseExportData, type AllCasesExportData, type ExportOptions } from '~/types';
+import { getCaseData } from '~/utils/data';
 import { fetchFiles } from '../image-manage';
 import { getNotes } from '../notes-manage';
-import { checkExistingCase, validateCaseNumber, listCases } from '../case-manage';
+import { validateCaseNumber, listCases } from '../case-manage';
 import { getUserExportMetadata } from './metadata-helpers';
 
 /**
@@ -104,9 +105,9 @@ export async function exportAllCases(
         // Get case creation date even for failed exports
         let caseCreatedDate = new Date().toISOString(); // fallback
         try {
-          const existingCase = await checkExistingCase(user, caseNumber);
-          if (existingCase?.createdAt) {
-            caseCreatedDate = existingCase.createdAt;
+          const caseData = await getCaseData(user, caseNumber);
+          if (caseData?.createdAt) {
+            caseCreatedDate = caseData.createdAt;
           }
         } catch {
           // Use fallback date if case lookup fails
@@ -200,9 +201,9 @@ export async function exportCaseData(
     throw new Error('Invalid case number format');
   }
 
-  // Check if case exists
-  const existingCase = await checkExistingCase(user, caseNumber);
-  if (!existingCase) {
+  // Check if case exists and is accessible (supports regular and read-only/archived cases)
+  const caseData = await getCaseData(user, caseNumber);
+  if (!caseData) {
     throw new Error(`Case "${caseNumber}" does not exist`);
   }
 
@@ -296,7 +297,12 @@ export async function exportCaseData(
     const exportData: CaseExportData = {
       metadata: {
         caseNumber,
-        caseCreatedDate: existingCase.createdAt,
+        caseCreatedDate: caseData.createdAt,
+        archived: caseData.archived,
+        archivedAt: caseData.archivedAt,
+        archivedBy: caseData.archivedBy,
+        archivedByDisplay: caseData.archivedByDisplay,
+        archiveReason: caseData.archiveReason,
         exportDate: new Date().toISOString(),
         ...userMetadata,
         striaeExportSchemaVersion: '1.0',

package/app/components/actions/case-export/data-processing.ts

@@ -72,6 +72,7 @@ export function generateMetadataRows(exportData: CaseExportData): TabularCell[][
     ['Exported By (UID)', exportData.metadata.exportedByUid || 'N/A'],
     ['Exported By (Name)', exportData.metadata.exportedByName || 'N/A'],
     ['Exported By (Company)', exportData.metadata.exportedByCompany || 'N/A'],
+    ['Exported By (Badge/ID)', exportData.metadata.exportedByBadgeId || 'N/A'],
     ['Striae Export Schema Version', exportData.metadata.striaeExportSchemaVersion],
     ['Total Files', exportData.metadata.totalFiles.toString()],
     [''],

package/app/components/actions/case-export/download-handlers.ts

@@ -264,6 +264,7 @@ export async function downloadAllCasesAsCSV(user: User, exportData: AllCasesExpo
       ['Exported By (UID)', exportData.metadata.exportedByUid || 'N/A'],
       ['Exported By (Name)', exportData.metadata.exportedByName || 'N/A'],
       ['Exported By (Company)', exportData.metadata.exportedByCompany || 'N/A'],
+      ['Exported By (Badge/ID)', exportData.metadata.exportedByBadgeId || 'N/A'],
       ['Striae Export Schema Version', '1.0'],
       ['Total Cases', exportData.cases.length],
       ['Successful Exports', exportData.cases.filter(c => !c.summary?.exportError).length],
@@ -291,6 +292,7 @@ export async function downloadAllCasesAsCSV(user: User, exportData: AllCasesExpo
         'Exported By (UID)',
         'Exported By (Name)',
         'Exported By (Company)',
+        'Exported By (Badge/ID)',
         'Schema Version',
         'Total Files', 
         'Files with Annotations', 
@@ -312,6 +314,7 @@ export async function downloadAllCasesAsCSV(user: User, exportData: AllCasesExpo
         caseData.metadata.exportedByUid || 'N/A',
         caseData.metadata.exportedByName || 'N/A',
         caseData.metadata.exportedByCompany || 'N/A',
+        caseData.metadata.exportedByBadgeId || 'N/A',
         caseData.metadata.striaeExportSchemaVersion,
         caseData.metadata.totalFiles,
         caseData.summary?.filesWithAnnotations || 0,
@@ -944,6 +947,7 @@ Exported By (Email): ${exportData.metadata.exportedBy || 'N/A'}
 Exported By (UID): ${exportData.metadata.exportedByUid || 'N/A'}
 Exported By (Name): ${exportData.metadata.exportedByName || 'N/A'}
 Exported By (Company): ${exportData.metadata.exportedByCompany || 'N/A'}
+Exported By (Badge/ID): ${exportData.metadata.exportedByBadgeId || 'N/A'}
 Striae Export Schema Version: ${exportData.metadata.striaeExportSchemaVersion}
 
 Summary:
@@ -1005,6 +1009,9 @@ async function generateJSONContent(
     if (jsonData.metadata.exportedByCompany) {
       jsonData.metadata.exportedByCompany = '[User Info Excluded]';
     }
+    if (jsonData.metadata.exportedByBadgeId) {
+      jsonData.metadata.exportedByBadgeId = '[User Info Excluded]';
+    }
   }
   
   const jsonString = JSON.stringify(jsonData, null, 2);

package/app/components/actions/case-export/metadata-helpers.ts

@@ -12,7 +12,8 @@ export async function getUserExportMetadata(user: User) {
         exportedBy: user.email,
         exportedByUid: userData.uid,
         exportedByName: `${userData.firstName} ${userData.lastName}`.trim(),
-        exportedByCompany: userData.company
+        exportedByCompany: userData.company,
+        ...(userData.badgeId ? { exportedByBadgeId: userData.badgeId } : {})
       };
     }
   } catch (error) {

package/app/components/actions/case-import/confirmation-import.ts

@@ -14,6 +14,7 @@ interface CaseDataFile {
 interface CaseDataResponse {
   files?: CaseDataFile[];
   originalImageIds?: Record<string, string>;
+  archived?: boolean;
 }
 
 type AnnotationImportData = Record<string, unknown> & {
@@ -123,6 +124,10 @@ export async function importConfirmationData(
     }
 
     const caseData = await caseResponse.json() as CaseDataResponse;
+
+    if (caseData.archived) {
+      throw new Error('Cannot import confirmations into an archived case.');
+    }
     
     // Build mapping from original image IDs to current image IDs
     const imageIdMapping = new Map<string, string>();
@@ -307,7 +312,8 @@ export async function importConfirmationData(
         present: signaturePresent,
         valid: signatureValid,
         keyId: signatureKeyId
-      }
+      },
+      confirmationData.metadata.exportedByBadgeId // Reviewer's badge/ID number
     );
     
     auditService.endWorkflow();
@@ -326,6 +332,7 @@ export async function importConfirmationData(
     let hashValidForAudit = hashValid;
     let exporterUidValidatedForAudit = true;
     let reviewingExaminerUidForAudit: string | undefined = undefined;
+    let reviewerBadgeIdForAudit: string | undefined = undefined;
     let totalConfirmationsForAudit = 0; // Default to 0 for failed imports
     let signaturePresentForAudit = signaturePresent;
     let signatureValidForAudit = signatureValid;
@@ -336,6 +343,7 @@ export async function importConfirmationData(
     // First, try to extract basic metadata for audit purposes (if file is parseable)
     if (auditConfirmationData) {
       reviewingExaminerUidForAudit = auditConfirmationData.metadata?.exportedByUid;
+      reviewerBadgeIdForAudit = auditConfirmationData.metadata?.exportedByBadgeId;
       totalConfirmationsForAudit = auditConfirmationData.metadata?.totalConfirmations || 0;
       if (auditConfirmationData.metadata?.signature) {
         signaturePresentForAudit = true;
@@ -345,6 +353,7 @@ export async function importConfirmationData(
       try {
         const extracted = await extractConfirmationImportPackage(confirmationFile);
         reviewingExaminerUidForAudit = extracted.confirmationData.metadata?.exportedByUid;
+        reviewerBadgeIdForAudit = extracted.confirmationData.metadata?.exportedByBadgeId;
         totalConfirmationsForAudit = extracted.confirmationData.metadata?.totalConfirmations || 0;
         confirmationJsonFileNameForAudit = extracted.confirmationFileName;
         if (extracted.confirmationData.metadata?.signature) {
@@ -393,7 +402,8 @@ export async function importConfirmationData(
         present: signaturePresentForAudit,
         valid: signatureValidForAudit,
         keyId: signatureKeyIdForAudit
-      }
+      },
+      reviewerBadgeIdForAudit // Reviewer's badge/ID number (when extractable)
     );
     
     auditService.endWorkflow();

package/app/components/actions/case-import/orchestrator.ts

@@ -1,11 +1,16 @@
 import type { User } from 'firebase/auth';
-import { type ImportOptions, type ImportResult, type ReadOnlyCaseMetadata, type FileData } from '~/types';
+import {
+  type ImportOptions,
+  type ImportResult,
+  type ReadOnlyCaseMetadata,
+  type FileData,
+  type BundledAuditTrailData,
+  type ValidationAuditEntry
+} from '~/types';
 import { checkExistingCase } from '../case-manage';
 import {
-  extractForensicManifestData,
   type SignedForensicManifest,
-  validateCaseIntegritySecure as validateForensicIntegrity,
-  verifyForensicManifestSignature
+  verifyCasePackageIntegrity
 } from '~/utils/forensics';
 import { deleteFile } from '../image-manage';
 import { parseImportZip } from './zip-processing';
@@ -31,6 +36,48 @@ interface ImportState {
   caseNumber: string;
 }
 
+interface BundledAuditTrailFile {
+  metadata?: {
+    exportTimestamp?: string;
+    totalEntries?: number;
+  };
+  auditTrail?: {
+    entries?: ValidationAuditEntry[];
+  };
+}
+
+function extractBundledAuditTrailData(
+  bundledAuditFiles: {
+    auditTrailContent?: string;
+    auditSignatureContent?: string;
+  } | undefined
+): BundledAuditTrailData | undefined {
+  if (!bundledAuditFiles?.auditTrailContent) {
+    return undefined;
+  }
+
+  try {
+    const parsed = JSON.parse(bundledAuditFiles.auditTrailContent) as BundledAuditTrailFile;
+    const entries = parsed.auditTrail?.entries;
+
+    if (!Array.isArray(entries)) {
+      return undefined;
+    }
+
+    return {
+      source: 'archive-bundle',
+      importedAt: new Date().toISOString(),
+      exportTimestamp: parsed.metadata?.exportTimestamp,
+      totalEntries: typeof parsed.metadata?.totalEntries === 'number'
+        ? parsed.metadata.totalEntries
+        : entries.length,
+      entries
+    };
+  } catch {
+    return undefined;
+  }
+}
+
 /**
  * Clean up partially imported data when an import fails
  */
@@ -141,6 +188,8 @@ export async function importCaseForReview(
       caseData,
       imageFiles,
       imageIdMapping,
+      isArchivedExport,
+      bundledAuditFiles,
       metadata,
       cleanedContent,
       verificationPublicKeyPem
@@ -181,40 +230,35 @@ export async function importCaseForReview(
     if (parsedForensicManifest && cleanedContent) {
       onProgress?.('Validating comprehensive integrity', 15, 'Checking all file hashes...');
 
-      const manifestForValidation = extractForensicManifestData(parsedForensicManifest);
-      if (!manifestForValidation) {
-        throw new Error(
-          'Forensic manifest structure is invalid. Import cannot proceed.'
-        );
+      const imageBlobs: { [filename: string]: Blob } = {};
+      for (const [filename, blob] of Object.entries(imageFiles)) {
+        imageBlobs[filename] = blob;
       }
 
-      const signatureResult = await verifyForensicManifestSignature(
-        parsedForensicManifest,
-        verificationPublicKeyPem
-      );
-      signatureValidationPassed = signatureResult.isValid;
-      signatureKeyId = signatureResult.keyId;
+      const casePackageResult = await verifyCasePackageIntegrity({
+        cleanedContent,
+        imageFiles: imageBlobs,
+        forensicManifest: parsedForensicManifest,
+        verificationPublicKeyPem,
+        bundledAuditFiles
+      });
 
-      if (!signatureResult.isValid) {
+      signatureValidationPassed = casePackageResult.signatureResult.isValid;
+      signatureKeyId = casePackageResult.signatureResult.keyId;
+
+      if (!casePackageResult.signatureResult.isValid) {
         throw new Error(
           'Manifest signature validation failed. Import cannot proceed.'
         );
       }
-      
-      // Extract image files for comprehensive validation
-      const imageBlobs: { [filename: string]: Blob } = {};
-      for (const [filename, blob] of Object.entries(imageFiles)) {
-        imageBlobs[filename] = blob;
+
+      if (casePackageResult.bundledAuditVerification) {
+        throw new Error(
+          `${casePackageResult.bundledAuditVerification.message} Import cannot proceed.`
+        );
       }
-      
-      // Perform comprehensive validation
-      const validation = await validateForensicIntegrity(
-        cleanedContent, 
-        imageBlobs, 
-        manifestForValidation
-      );
-      
-      if (!validation.isValid) {
+
+      if (!casePackageResult.integrityResult.isValid) {
         throw new Error(
           'Comprehensive integrity validation failed. Import cannot proceed.'
         );
@@ -239,7 +283,7 @@ export async function importCaseForReview(
     
     // Step 2a: Check if case already exists in user's regular cases (original analyst)
     const existingRegularCase = await checkExistingCase(user, result.caseNumber);
-    if (existingRegularCase) {
+    if (existingRegularCase && !isArchivedExport) {
       throw new Error(`Case "${result.caseNumber}" already exists in your case list. You cannot import a case for review if you were the original analyst.`);
     }
     
@@ -318,7 +362,9 @@ export async function importCaseForReview(
       caseData,
       importedFiles,
       originalImageIdMapping,
-      parsedForensicManifest
+      parsedForensicManifest,
+      isArchivedExport,
+      isArchivedExport ? extractBundledAuditTrailData(bundledAuditFiles) : undefined
     );
     importState.caseDataStored = true;
     

package/app/components/actions/case-import/storage-operations.ts

@@ -9,7 +9,8 @@ import {
   type CaseExportData,   
   type FileData,
   type CaseData,
-  type ReadOnlyCaseMetadata
+  type ReadOnlyCaseMetadata,
+  type BundledAuditTrailData
 } from '~/types';
 import { deleteFile } from '../image-manage';
 import { type SignedForensicManifest } from '~/utils/forensics';
@@ -80,7 +81,9 @@ export async function storeCaseDataInR2(
   caseData: CaseExportData,
   importedFiles: FileData[],
   originalImageIdMapping?: Map<string, string>,
-  forensicManifest?: SignedForensicManifest
+  forensicManifest?: SignedForensicManifest,
+  isArchivedExport?: boolean,
+  bundledAuditTrail?: BundledAuditTrailData
 ): Promise<void> {
   try {
     // Convert the mapping to a plain object for JSON serialization
@@ -94,6 +97,8 @@ export async function storeCaseDataInR2(
       manifestHash: forensicManifest.manifestHash,
       signature: forensicManifest.signature
     } : undefined;
+
+    const archived = isArchivedExport === true || caseData.metadata.archived === true;
     
     // Create the case data structure that matches normal cases
     const r2CaseData = {
@@ -102,7 +107,15 @@ export async function storeCaseDataInR2(
       files: importedFiles,
       // Add read-only metadata
       isReadOnly: true,
+      ...(archived && {
+        archived: true,
+        archivedAt: caseData.metadata.archivedAt,
+        archivedBy: caseData.metadata.archivedBy,
+        archivedByDisplay: caseData.metadata.archivedByDisplay,
+        archiveReason: caseData.metadata.archiveReason,
+      }),
       importedAt: new Date().toISOString(),
+      ...(bundledAuditTrail && { bundledAuditTrail }),
       // Add original image ID mapping for confirmation linking
       originalImageIds: originalImageIds,
       // Add forensic manifest timestamp if available for confirmation exports
@@ -179,6 +192,20 @@ export async function removeReadOnlyCase(user: User, caseNumber: string): Promis
  * Completely delete a read-only case including all associated data (R2, Images, user references)
  */
 export async function deleteReadOnlyCase(user: User, caseNumber: string): Promise<boolean> {
+  const isBenignCleanupError = (reason: unknown): boolean => {
+    if (!(reason instanceof Error)) {
+      return false;
+    }
+
+    const normalizedMessage = reason.message.toLowerCase();
+    return (
+      normalizedMessage.includes('404') ||
+      normalizedMessage.includes('not found')
+    );
+  };
+
+  let caseDataDeleteHadFailure = false;
+
   try {
     // Get case data first to get file IDs for deletion
     const caseResponse = await fetchDataApi(
@@ -201,13 +228,48 @@ export async function deleteReadOnlyCase(user: User, caseNumber: string): Promis
 
     const caseData = await caseResponse.json() as CaseData;
 
-    // Delete all files using data worker
+    // Delete all files using data worker (best-effort, keep going on individual failures)
     if (caseData.files && caseData.files.length > 0) {
-      await Promise.all(
+      const deleteResults = await Promise.allSettled(
         caseData.files.map((file: FileData) => 
-          deleteFile(user, caseNumber, file.id, 'Read-only case clearing - API operation')
+          deleteFile(
+            user,
+            caseNumber,
+            file.id,
+            'Read-only case clearing - API operation',
+            {
+              skipValidation: true,
+              skipCaseDataUpdate: true,
+              suppressAudit: true
+            }
+          )
         )
       );
+
+      const failedDeletes = deleteResults.filter(
+        (result): result is PromiseRejectedResult =>
+          result.status === 'rejected' && !isBenignCleanupError(result.reason)
+      );
+
+      const benignNotFoundDeletes = deleteResults.filter(
+        (result): result is PromiseRejectedResult =>
+          result.status === 'rejected' && isBenignCleanupError(result.reason)
+      );
+
+      if (failedDeletes.length > 0) {
+        caseDataDeleteHadFailure = true;
+        console.warn(
+          `Partial read-only file cleanup for case ${caseNumber}: ` +
+          `${failedDeletes.length}/${caseData.files.length} file deletions failed.`
+        );
+      }
+
+      if (benignNotFoundDeletes.length > 0) {
+        console.info(
+          `Read-only cleanup for case ${caseNumber}: ` +
+          `${benignNotFoundDeletes.length} file deletions were already missing (404/not found) and treated as successful cleanup.`
+        );
+      }
     }
 
     // Delete case file using data worker
@@ -220,16 +282,43 @@ export async function deleteReadOnlyCase(user: User, caseNumber: string): Promis
     );
 
     if (!deleteCaseResponse.ok && deleteCaseResponse.status !== 404) {
-      throw new Error(`Failed to delete read-only case data: ${deleteCaseResponse.status}`);
+      caseDataDeleteHadFailure = true;
+      console.error(`Failed to delete read-only case data: ${deleteCaseResponse.status}`);
     }
     
-    // Remove from user's read-only case list (separate from regular cases)
-    await removeReadOnlyCase(user, caseNumber);
+    // Remove from user's read-only case list (separate from regular cases).
+    // This is the source of truth for import modal visibility and should be attempted even when storage cleanup is partial.
+    const removedFromMetadata = await removeReadOnlyCase(user, caseNumber);
+
+    if (!removedFromMetadata) {
+      return false;
+    }
+
+    if (caseDataDeleteHadFailure) {
+      console.warn(
+        `Read-only case ${caseNumber} removed from metadata with partial storage cleanup failures.`
+      );
+    }
     
     return true;
     
   } catch (error) {
     console.error('Error deleting read-only case:', error);
+
+    // Fallback: still try to clear read-only metadata so stale entries do not persist in the UI.
+    try {
+      const removedFromMetadata = await removeReadOnlyCase(user, caseNumber);
+      if (removedFromMetadata) {
+        console.warn(
+          `Read-only case ${caseNumber} removed from metadata during error fallback. ` +
+          'Some backing storage may require manual cleanup.'
+        );
+        return true;
+      }
+    } catch (removeError) {
+      console.error('Error removing read-only case metadata during fallback cleanup:', removeError);
+    }
+
     return false;
   }
 }