@striae-org/striae 4.0.3 → 4.2.0

package/app/utils/forensics/export-verification.ts

@@ -1,22 +1,74 @@
 import { type ConfirmationImportData } from '~/types';
 import {
   extractForensicManifestData,
+  type ManifestSignatureVerificationResult,
   type SignedForensicManifest,
   calculateSHA256Secure,
   validateCaseIntegritySecure,
   verifyForensicManifestSignature
 } from './SHA256';
+import {
+  type AuditExportSigningPayload,
+  verifyAuditExportSignature
+} from './audit-export-signature';
 import { verifyConfirmationSignature } from './confirmation-signature';
 
 export interface ExportVerificationResult {
   isValid: boolean;
   message: string;
-  exportType?: 'case-zip' | 'confirmation';
+  exportType?: 'case-zip' | 'confirmation' | 'audit-json';
 }
 
 const CASE_EXPORT_FILE_REGEX = /_data\.(json|csv)$/i;
 const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
 
+interface BundledAuditExportFile {
+  metadata?: {
+    exportTimestamp?: string;
+    exportVersion?: string;
+    totalEntries?: number;
+    application?: string;
+    exportType?: 'entries' | 'trail' | 'report';
+    scopeType?: 'case' | 'user';
+    scopeIdentifier?: string;
+    hash?: string;
+    signatureVersion?: string;
+    signatureMetadata?: Partial<AuditExportSigningPayload>;
+    signature?: {
+      algorithm: string;
+      keyId: string;
+      signedAt: string;
+      value: string;
+    };
+  };
+  auditTrail?: unknown;
+  auditEntries?: unknown;
+}
+
+interface StandaloneAuditExportFile extends BundledAuditExportFile {
+  metadata?: BundledAuditExportFile['metadata'] & {
+    integrityNote?: string;
+  };
+}
+
+export interface CasePackageIntegrityInput {
+  cleanedContent: string;
+  imageFiles: Record<string, Blob>;
+  forensicManifest: SignedForensicManifest;
+  verificationPublicKeyPem?: string;
+  bundledAuditFiles?: {
+    auditTrailContent?: string;
+    auditSignatureContent?: string;
+  };
+}
+
+export interface CasePackageIntegrityResult {
+  isValid: boolean;
+  signatureResult: ManifestSignatureVerificationResult;
+  integrityResult: Awaited<ReturnType<typeof validateCaseIntegritySecure>>;
+  bundledAuditVerification: ExportVerificationResult | null;
+}
+
 function createVerificationResult(
   isValid: boolean,
   message: string,
@@ -31,7 +83,7 @@ function createVerificationResult(
 
 function getSignatureFailureMessage(
   error: string | undefined,
-  targetLabel: 'export ZIP' | 'confirmation file'
+  targetLabel: 'export ZIP' | 'confirmation file' | 'audit export'
 ): string {
   if (error?.includes('invalid public key')) {
     return 'The selected PEM file is not a valid public key.';
@@ -62,6 +114,249 @@ function isConfirmationImportCandidate(candidate: unknown): candidate is Partial
   );
 }
 
+function isAuditExportCandidate(candidate: unknown): candidate is StandaloneAuditExportFile {
+  if (!candidate || typeof candidate !== 'object') {
+    return false;
+  }
+
+  const auditCandidate = candidate as StandaloneAuditExportFile;
+  const metadata = auditCandidate.metadata;
+
+  if (!metadata || typeof metadata !== 'object') {
+    return false;
+  }
+
+  return (
+    typeof metadata.exportTimestamp === 'string' &&
+    typeof metadata.exportType === 'string' &&
+    typeof metadata.scopeType === 'string' &&
+    typeof metadata.scopeIdentifier === 'string' &&
+    typeof metadata.hash === 'string' &&
+    !!metadata.signature &&
+    (auditCandidate.auditTrail !== undefined || auditCandidate.auditEntries !== undefined)
+  );
+}
+
+async function verifyAuditExportContent(
+  fileContent: string,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  try {
+    const parsedContent = JSON.parse(fileContent) as unknown;
+
+    if (!isAuditExportCandidate(parsedContent)) {
+      return createVerificationResult(
+        false,
+        'The JSON file is not a supported Striae audit export.',
+        'audit-json'
+      );
+    }
+
+    const auditExport = parsedContent as StandaloneAuditExportFile;
+    const metadata = auditExport.metadata!;
+
+    const unsignedAuditExport = auditExport.auditTrail !== undefined
+      ? {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditTrail: auditExport.auditTrail,
+        }
+      : {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditEntries: auditExport.auditEntries,
+        };
+
+    const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
+    const hashValid = recalculatedHash.toUpperCase() === metadata.hash!.toUpperCase();
+
+    const signaturePayload: Partial<AuditExportSigningPayload> = {
+      signatureVersion: metadata.signatureVersion,
+      exportFormat: 'json',
+      exportType: metadata.exportType,
+      scopeType: metadata.scopeType,
+      scopeIdentifier: metadata.scopeIdentifier,
+      generatedAt: metadata.exportTimestamp,
+      totalEntries: metadata.totalEntries,
+      hash: metadata.hash,
+    };
+
+    const signatureResult = await verifyAuditExportSignature(
+      signaturePayload,
+      metadata.signature,
+      verificationPublicKeyPem
+    );
+
+    if (hashValid && signatureResult.isValid) {
+      return createVerificationResult(
+        true,
+        'The audit export passed signature and integrity verification.',
+        'audit-json'
+      );
+    }
+
+    if (!hashValid && !signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        'The audit export failed signature and integrity verification.',
+        'audit-json'
+      );
+    }
+
+    if (!signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureResult.error, 'audit export'),
+        'audit-json'
+      );
+    }
+
+    return createVerificationResult(
+      false,
+      'The audit export failed integrity verification.',
+      'audit-json'
+    );
+  } catch {
+    return createVerificationResult(
+      false,
+      'The JSON file could not be read as a supported Striae audit export.',
+      'audit-json'
+    );
+  }
+}
+
+export async function verifyBundledAuditExport(
+  zip: {
+    file: (path: string) => { async: (type: 'text') => Promise<string> } | null;
+  },
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult | null> {
+  const auditTrailContent = await zip.file('audit/case-audit-trail.json')?.async('text');
+  const auditSignatureContent = await zip.file('audit/case-audit-signature.json')?.async('text');
+
+  if (!auditTrailContent && !auditSignatureContent) {
+    return null;
+  }
+
+  if (!auditTrailContent || !auditSignatureContent) {
+    return createVerificationResult(
+      false,
+      'The archive ZIP contains incomplete bundled audit verification files.',
+      'case-zip'
+    );
+  }
+
+  try {
+    const auditTrailExport = JSON.parse(auditTrailContent) as BundledAuditExportFile;
+    const auditSignatureExport = JSON.parse(auditSignatureContent) as {
+      signatureMetadata?: Partial<AuditExportSigningPayload>;
+      signature?: NonNullable<BundledAuditExportFile['metadata']>['signature'];
+    };
+
+    const metadata = auditTrailExport.metadata;
+    if (!metadata?.signature || typeof metadata.hash !== 'string') {
+      return createVerificationResult(
+        false,
+        'The bundled audit export is missing required hash or signature metadata.',
+        'case-zip'
+      );
+    }
+
+    const unsignedAuditExport = auditTrailExport.auditTrail !== undefined
+      ? {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditTrail: auditTrailExport.auditTrail,
+        }
+      : {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditEntries: auditTrailExport.auditEntries,
+        };
+
+    const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
+    if (recalculatedHash.toUpperCase() !== metadata.hash.toUpperCase()) {
+      return createVerificationResult(
+        false,
+        'The bundled audit export failed integrity verification.',
+        'case-zip'
+      );
+    }
+
+    const embeddedSignaturePayload: Partial<AuditExportSigningPayload> = metadata.signatureMetadata ?? {
+      signatureVersion: metadata.signatureVersion,
+      exportFormat: 'json',
+      exportType: metadata.exportType,
+      scopeType: metadata.scopeType,
+      scopeIdentifier: metadata.scopeIdentifier,
+      generatedAt: metadata.exportTimestamp,
+      totalEntries: metadata.totalEntries,
+      hash: metadata.hash,
+    };
+
+    const signatureVerification = await verifyAuditExportSignature(
+      embeddedSignaturePayload,
+      metadata.signature,
+      verificationPublicKeyPem
+    );
+
+    if (!signatureVerification.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureVerification.error, 'export ZIP'),
+        'case-zip'
+      );
+    }
+
+    if (
+      JSON.stringify(auditSignatureExport.signatureMetadata ?? null) !== JSON.stringify(metadata.signatureMetadata ?? null) ||
+      JSON.stringify(auditSignatureExport.signature ?? null) !== JSON.stringify(metadata.signature ?? null)
+    ) {
+      return createVerificationResult(
+        false,
+        'The bundled audit signature artifact does not match the signed audit export.',
+        'case-zip'
+      );
+    }
+
+    return null;
+  } catch {
+    return createVerificationResult(
+      false,
+      'The bundled audit export could not be parsed for verification.',
+      'case-zip'
+    );
+  }
+}
+
 /**
  * Remove forensic warning from content for hash validation.
  * Supports the warning formats added to JSON and CSV case exports.
@@ -174,8 +469,26 @@ async function verifyCaseZipExport(
       })
     );
 
-    const signatureResult = await verifyForensicManifestSignature(forensicManifest, verificationPublicKeyPem);
-    const integrityResult = await validateCaseIntegritySecure(cleanedContent, imageFiles, manifestData);
+    const bundledAuditFiles = {
+      auditTrailContent: await zip.file('audit/case-audit-trail.json')?.async('text'),
+      auditSignatureContent: await zip.file('audit/case-audit-signature.json')?.async('text')
+    };
+
+    const casePackageResult = await verifyCasePackageIntegrity({
+      cleanedContent,
+      imageFiles,
+      forensicManifest,
+      verificationPublicKeyPem,
+      bundledAuditFiles
+    });
+
+    const signatureResult = casePackageResult.signatureResult;
+    const integrityResult = casePackageResult.integrityResult;
+    const bundledAuditVerification = casePackageResult.bundledAuditVerification;
+
+    if (bundledAuditVerification) {
+      return bundledAuditVerification;
+    }
 
     if (signatureResult.isValid && integrityResult.isValid) {
       return createVerificationResult(
@@ -211,22 +524,6 @@ async function verifyCaseZipExport(
   }
 }
 
-async function verifyConfirmationExport(
-  file: File,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  try {
-    const fileContent = await file.text();
-    return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
-  } catch {
-    return createVerificationResult(
-      false,
-      'The JSON file could not be read as a supported Striae confirmation export.',
-      'confirmation'
-    );
-  }
-}
-
 async function verifyConfirmationContent(
   fileContent: string,
   verificationPublicKeyPem: string
@@ -343,11 +640,189 @@ export async function verifyExportFile(
   }
 
   if (lowerName.endsWith('.json')) {
-    return verifyConfirmationExport(file, verificationPublicKeyPem);
+    try {
+      const fileContent = await file.text();
+      const parsedContent = JSON.parse(fileContent) as unknown;
+
+      if (isConfirmationImportCandidate(parsedContent)) {
+        return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
+      }
+
+      if (isAuditExportCandidate(parsedContent)) {
+        return verifyAuditExportContent(fileContent, verificationPublicKeyPem);
+      }
+
+      return createVerificationResult(
+        false,
+        'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
+      );
+    } catch {
+      return createVerificationResult(
+        false,
+        'The JSON file could not be read as a supported Striae confirmation or audit export.'
+      );
+    }
   }
 
   return createVerificationResult(
     false,
-    'Select a confirmation JSON/ZIP file or a case export ZIP file.'
+    'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
+  );
+}
+
+export async function verifyCasePackageIntegrity(
+  input: CasePackageIntegrityInput
+): Promise<CasePackageIntegrityResult> {
+  const manifestData = extractForensicManifestData(input.forensicManifest);
+
+  if (!manifestData) {
+    return {
+      isValid: false,
+      signatureResult: {
+        isValid: false,
+        error: 'Forensic manifest structure is invalid'
+      },
+      integrityResult: {
+        isValid: false,
+        dataValid: false,
+        imageValidation: {},
+        manifestValid: false,
+        errors: ['Forensic manifest structure is invalid'],
+        summary: 'Manifest validation failed'
+      },
+      bundledAuditVerification: null
+    };
+  }
+
+  const signatureResult = await verifyForensicManifestSignature(
+    input.forensicManifest,
+    input.verificationPublicKeyPem
+  );
+
+  const integrityResult = await validateCaseIntegritySecure(
+    input.cleanedContent,
+    input.imageFiles,
+    manifestData
   );
+
+  const bundledAuditVerification = input.bundledAuditFiles
+    ? await (async () => {
+        const { auditTrailContent, auditSignatureContent } = input.bundledAuditFiles ?? {};
+
+        if (!auditTrailContent && !auditSignatureContent) {
+          return null;
+        }
+
+        if (!auditTrailContent || !auditSignatureContent) {
+          return createVerificationResult(
+            false,
+            'The archive ZIP contains incomplete bundled audit verification files.',
+            'case-zip'
+          );
+        }
+
+        try {
+          const auditTrailExport = JSON.parse(auditTrailContent) as BundledAuditExportFile;
+          const auditSignatureExport = JSON.parse(auditSignatureContent) as {
+            signatureMetadata?: Partial<AuditExportSigningPayload>;
+            signature?: NonNullable<BundledAuditExportFile['metadata']>['signature'];
+          };
+
+          const metadata = auditTrailExport.metadata;
+          if (!metadata?.signature || typeof metadata.hash !== 'string') {
+            return createVerificationResult(
+              false,
+              'The bundled audit export is missing required hash or signature metadata.',
+              'case-zip'
+            );
+          }
+
+          const unsignedAuditExport = auditTrailExport.auditTrail !== undefined
+            ? {
+                metadata: {
+                  exportTimestamp: metadata.exportTimestamp,
+                  exportVersion: metadata.exportVersion,
+                  totalEntries: metadata.totalEntries,
+                  application: metadata.application,
+                  exportType: metadata.exportType,
+                  scopeType: metadata.scopeType,
+                  scopeIdentifier: metadata.scopeIdentifier,
+                },
+                auditTrail: auditTrailExport.auditTrail,
+              }
+            : {
+                metadata: {
+                  exportTimestamp: metadata.exportTimestamp,
+                  exportVersion: metadata.exportVersion,
+                  totalEntries: metadata.totalEntries,
+                  application: metadata.application,
+                  exportType: metadata.exportType,
+                  scopeType: metadata.scopeType,
+                  scopeIdentifier: metadata.scopeIdentifier,
+                },
+                auditEntries: auditTrailExport.auditEntries,
+              };
+
+          const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
+          if (recalculatedHash.toUpperCase() !== metadata.hash.toUpperCase()) {
+            return createVerificationResult(
+              false,
+              'The bundled audit export failed integrity verification.',
+              'case-zip'
+            );
+          }
+
+          const embeddedSignaturePayload: Partial<AuditExportSigningPayload> = metadata.signatureMetadata ?? {
+            signatureVersion: metadata.signatureVersion,
+            exportFormat: 'json',
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+            generatedAt: metadata.exportTimestamp,
+            totalEntries: metadata.totalEntries,
+            hash: metadata.hash,
+          };
+
+          const signatureVerification = await verifyAuditExportSignature(
+            embeddedSignaturePayload,
+            metadata.signature,
+            input.verificationPublicKeyPem
+          );
+
+          if (!signatureVerification.isValid) {
+            return createVerificationResult(
+              false,
+              getSignatureFailureMessage(signatureVerification.error, 'export ZIP'),
+              'case-zip'
+            );
+          }
+
+          if (
+            JSON.stringify(auditSignatureExport.signatureMetadata ?? null) !== JSON.stringify(metadata.signatureMetadata ?? null) ||
+            JSON.stringify(auditSignatureExport.signature ?? null) !== JSON.stringify(metadata.signature ?? null)
+          ) {
+            return createVerificationResult(
+              false,
+              'The bundled audit signature artifact does not match the signed audit export.',
+              'case-zip'
+            );
+          }
+
+          return null;
+        } catch {
+          return createVerificationResult(
+            false,
+            'The bundled audit export could not be parsed for verification.',
+            'case-zip'
+          );
+        }
+      })()
+    : null;
+
+  return {
+    isValid: signatureResult.isValid && integrityResult.isValid && !bundledAuditVerification,
+    signatureResult,
+    integrityResult,
+    bundledAuditVerification
+  };
 }

package/functions/api/pdf/[[path]].ts

@@ -6,6 +6,8 @@ interface PdfProxyContext {
 }
 
 const SUPPORTED_METHODS = new Set(['POST', 'OPTIONS']);
+const PRIMERSHEAR_FORMAT = 'primershear';
+const DEFAULT_FORMAT = 'striae';
 
 function textResponse(message: string, status: number): Response {
   return new Response(message, {
@@ -40,6 +42,12 @@ function extractProxyPath(url: URL): string | null {
   return remainder.length > 0 ? remainder : '/';
 }
 
+function resolveReportFormat(email: string | null, primershearEmails: string): string {
+  if (!email) return DEFAULT_FORMAT;
+  const allowed = primershearEmails.split(',').map(e => e.trim().toLowerCase()).filter(Boolean);
+  return allowed.includes(email.toLowerCase()) ? PRIMERSHEAR_FORMAT : DEFAULT_FORMAT;
+}
+
 export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Response> => {
   if (!SUPPORTED_METHODS.has(request.method)) {
     return textResponse('Method not allowed', 405);
@@ -86,12 +94,35 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
 
   upstreamHeaders.set('X-Custom-Auth-Key', env.PDF_WORKER_AUTH);
 
+  // Resolve the report format server-side based on the verified user email.
+  // This prevents email lists from ever being exposed in the client bundle.
+  const reportFormat = resolveReportFormat(
+    identity.email,
+    env.PRIMERSHEAR_EMAILS ?? ''
+  );
+
+  let upstreamBody: BodyInit;
+  try {
+    const payload = await request.json() as Record<string, unknown>;
+    // Inject the server-resolved format, overriding any client-supplied value.
+    if (payload.data && typeof payload.data === 'object') {
+      payload.reportFormat = reportFormat;
+    } else {
+      // Legacy flat payload shape
+      payload.reportFormat = reportFormat;
+    }
+    upstreamBody = JSON.stringify(payload);
+    upstreamHeaders.set('Content-Type', 'application/json');
+  } catch {
+    return textResponse('Invalid request body', 400);
+  }
+
   let upstreamResponse: Response;
   try {
     upstreamResponse = await fetch(upstreamUrl, {
       method: request.method,
       headers: upstreamHeaders,
-      body: request.body
+      body: upstreamBody
     });
   } catch {
     return textResponse('Upstream PDF service unavailable', 502);

package/load-context.ts

@@ -0,0 +1,9 @@
+import { type PlatformProxy } from "wrangler";
+
+type Cloudflare = Omit<PlatformProxy<Env>, "dispose">;
+
+declare module "react-router" {
+  interface AppLoadContext {
+    cloudflare: Cloudflare;
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "4.0.3",
+  "version": "4.2.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -43,8 +43,10 @@
     "app/entry.client.tsx",
     "app/entry.server.tsx",
     "app/root.tsx",
+    "app/routes.ts",
     "app/tailwind.css",
     "react-router.config.ts",
+    "load-context.ts",
     "functions/",
     "public/",
     "scripts/",
@@ -60,6 +62,7 @@
     "workers/pdf-worker/src/report-types.ts",
     "workers/*/wrangler.jsonc.example",
     ".env.example",
+    "primershear.emails.example",
     "firebase.json",
     "postcss.config.js",
     "tailwind.config.ts",
@@ -99,8 +102,9 @@
     "install-workers": "bash ./scripts/install-workers.sh",
     "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:keys && npm run deploy-workers:pdf && npm run deploy-workers:user",
     "deploy-workers:secrets": "bash ./scripts/deploy-worker-secrets.sh",
-    "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh",
+    "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh --production-only",
     "deploy-pages": "bash ./scripts/deploy-pages.sh",
+    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh --production-only",
     "deploy-workers:audit": "cd workers/audit-worker && npm run deploy",
     "deploy-workers:data": "cd workers/data-worker && npm run deploy",
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",

package/primershear.emails.example

@@ -0,0 +1,6 @@
+# PrimerShear PDF format - authorized email addresses
+# One email per line. Lines starting with # are ignored.
+# This file is untracked. Run: npm run deploy-primershear to push changes.
+#
+# Example:
+# analyst@organization.com

package/scripts/deploy-pages-secrets.sh

@@ -178,6 +178,12 @@ deploy_pages_environment_secrets() {
         set_pages_secret "API_TOKEN" "$optional_api_token" "$pages_env"
     fi
 
+    local optional_primershear_emails
+    optional_primershear_emails=$(get_optional_value "PRIMERSHEAR_EMAILS")
+    if [ -n "$optional_primershear_emails" ]; then
+        set_pages_secret "PRIMERSHEAR_EMAILS" "$optional_primershear_emails" "$pages_env"
+    fi
+
     echo -e "${GREEN}✅ Pages secrets deployed to $pages_env${NC}"
 }