@striae-org/striae 4.1.0 → 4.2.0

package/app/utils/forensics/export-verification.ts

@@ -1,22 +1,74 @@
 import { type ConfirmationImportData } from '~/types';
 import {
   extractForensicManifestData,
+  type ManifestSignatureVerificationResult,
   type SignedForensicManifest,
   calculateSHA256Secure,
   validateCaseIntegritySecure,
   verifyForensicManifestSignature
 } from './SHA256';
+import {
+  type AuditExportSigningPayload,
+  verifyAuditExportSignature
+} from './audit-export-signature';
 import { verifyConfirmationSignature } from './confirmation-signature';
 
 export interface ExportVerificationResult {
   isValid: boolean;
   message: string;
-  exportType?: 'case-zip' | 'confirmation';
+  exportType?: 'case-zip' | 'confirmation' | 'audit-json';
 }
 
 const CASE_EXPORT_FILE_REGEX = /_data\.(json|csv)$/i;
 const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
 
+interface BundledAuditExportFile {
+  metadata?: {
+    exportTimestamp?: string;
+    exportVersion?: string;
+    totalEntries?: number;
+    application?: string;
+    exportType?: 'entries' | 'trail' | 'report';
+    scopeType?: 'case' | 'user';
+    scopeIdentifier?: string;
+    hash?: string;
+    signatureVersion?: string;
+    signatureMetadata?: Partial<AuditExportSigningPayload>;
+    signature?: {
+      algorithm: string;
+      keyId: string;
+      signedAt: string;
+      value: string;
+    };
+  };
+  auditTrail?: unknown;
+  auditEntries?: unknown;
+}
+
+interface StandaloneAuditExportFile extends BundledAuditExportFile {
+  metadata?: BundledAuditExportFile['metadata'] & {
+    integrityNote?: string;
+  };
+}
+
+export interface CasePackageIntegrityInput {
+  cleanedContent: string;
+  imageFiles: Record<string, Blob>;
+  forensicManifest: SignedForensicManifest;
+  verificationPublicKeyPem?: string;
+  bundledAuditFiles?: {
+    auditTrailContent?: string;
+    auditSignatureContent?: string;
+  };
+}
+
+export interface CasePackageIntegrityResult {
+  isValid: boolean;
+  signatureResult: ManifestSignatureVerificationResult;
+  integrityResult: Awaited<ReturnType<typeof validateCaseIntegritySecure>>;
+  bundledAuditVerification: ExportVerificationResult | null;
+}
+
 function createVerificationResult(
   isValid: boolean,
   message: string,
@@ -31,7 +83,7 @@ function createVerificationResult(
 
 function getSignatureFailureMessage(
   error: string | undefined,
-  targetLabel: 'export ZIP' | 'confirmation file'
+  targetLabel: 'export ZIP' | 'confirmation file' | 'audit export'
 ): string {
   if (error?.includes('invalid public key')) {
     return 'The selected PEM file is not a valid public key.';
@@ -62,6 +114,249 @@ function isConfirmationImportCandidate(candidate: unknown): candidate is Partial
   );
 }
 
+function isAuditExportCandidate(candidate: unknown): candidate is StandaloneAuditExportFile {
+  if (!candidate || typeof candidate !== 'object') {
+    return false;
+  }
+
+  const auditCandidate = candidate as StandaloneAuditExportFile;
+  const metadata = auditCandidate.metadata;
+
+  if (!metadata || typeof metadata !== 'object') {
+    return false;
+  }
+
+  return (
+    typeof metadata.exportTimestamp === 'string' &&
+    typeof metadata.exportType === 'string' &&
+    typeof metadata.scopeType === 'string' &&
+    typeof metadata.scopeIdentifier === 'string' &&
+    typeof metadata.hash === 'string' &&
+    !!metadata.signature &&
+    (auditCandidate.auditTrail !== undefined || auditCandidate.auditEntries !== undefined)
+  );
+}
+
+async function verifyAuditExportContent(
+  fileContent: string,
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult> {
+  try {
+    const parsedContent = JSON.parse(fileContent) as unknown;
+
+    if (!isAuditExportCandidate(parsedContent)) {
+      return createVerificationResult(
+        false,
+        'The JSON file is not a supported Striae audit export.',
+        'audit-json'
+      );
+    }
+
+    const auditExport = parsedContent as StandaloneAuditExportFile;
+    const metadata = auditExport.metadata!;
+
+    const unsignedAuditExport = auditExport.auditTrail !== undefined
+      ? {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditTrail: auditExport.auditTrail,
+        }
+      : {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditEntries: auditExport.auditEntries,
+        };
+
+    const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
+    const hashValid = recalculatedHash.toUpperCase() === metadata.hash!.toUpperCase();
+
+    const signaturePayload: Partial<AuditExportSigningPayload> = {
+      signatureVersion: metadata.signatureVersion,
+      exportFormat: 'json',
+      exportType: metadata.exportType,
+      scopeType: metadata.scopeType,
+      scopeIdentifier: metadata.scopeIdentifier,
+      generatedAt: metadata.exportTimestamp,
+      totalEntries: metadata.totalEntries,
+      hash: metadata.hash,
+    };
+
+    const signatureResult = await verifyAuditExportSignature(
+      signaturePayload,
+      metadata.signature,
+      verificationPublicKeyPem
+    );
+
+    if (hashValid && signatureResult.isValid) {
+      return createVerificationResult(
+        true,
+        'The audit export passed signature and integrity verification.',
+        'audit-json'
+      );
+    }
+
+    if (!hashValid && !signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        'The audit export failed signature and integrity verification.',
+        'audit-json'
+      );
+    }
+
+    if (!signatureResult.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureResult.error, 'audit export'),
+        'audit-json'
+      );
+    }
+
+    return createVerificationResult(
+      false,
+      'The audit export failed integrity verification.',
+      'audit-json'
+    );
+  } catch {
+    return createVerificationResult(
+      false,
+      'The JSON file could not be read as a supported Striae audit export.',
+      'audit-json'
+    );
+  }
+}
+
+export async function verifyBundledAuditExport(
+  zip: {
+    file: (path: string) => { async: (type: 'text') => Promise<string> } | null;
+  },
+  verificationPublicKeyPem: string
+): Promise<ExportVerificationResult | null> {
+  const auditTrailContent = await zip.file('audit/case-audit-trail.json')?.async('text');
+  const auditSignatureContent = await zip.file('audit/case-audit-signature.json')?.async('text');
+
+  if (!auditTrailContent && !auditSignatureContent) {
+    return null;
+  }
+
+  if (!auditTrailContent || !auditSignatureContent) {
+    return createVerificationResult(
+      false,
+      'The archive ZIP contains incomplete bundled audit verification files.',
+      'case-zip'
+    );
+  }
+
+  try {
+    const auditTrailExport = JSON.parse(auditTrailContent) as BundledAuditExportFile;
+    const auditSignatureExport = JSON.parse(auditSignatureContent) as {
+      signatureMetadata?: Partial<AuditExportSigningPayload>;
+      signature?: NonNullable<BundledAuditExportFile['metadata']>['signature'];
+    };
+
+    const metadata = auditTrailExport.metadata;
+    if (!metadata?.signature || typeof metadata.hash !== 'string') {
+      return createVerificationResult(
+        false,
+        'The bundled audit export is missing required hash or signature metadata.',
+        'case-zip'
+      );
+    }
+
+    const unsignedAuditExport = auditTrailExport.auditTrail !== undefined
+      ? {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditTrail: auditTrailExport.auditTrail,
+        }
+      : {
+          metadata: {
+            exportTimestamp: metadata.exportTimestamp,
+            exportVersion: metadata.exportVersion,
+            totalEntries: metadata.totalEntries,
+            application: metadata.application,
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+          },
+          auditEntries: auditTrailExport.auditEntries,
+        };
+
+    const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
+    if (recalculatedHash.toUpperCase() !== metadata.hash.toUpperCase()) {
+      return createVerificationResult(
+        false,
+        'The bundled audit export failed integrity verification.',
+        'case-zip'
+      );
+    }
+
+    const embeddedSignaturePayload: Partial<AuditExportSigningPayload> = metadata.signatureMetadata ?? {
+      signatureVersion: metadata.signatureVersion,
+      exportFormat: 'json',
+      exportType: metadata.exportType,
+      scopeType: metadata.scopeType,
+      scopeIdentifier: metadata.scopeIdentifier,
+      generatedAt: metadata.exportTimestamp,
+      totalEntries: metadata.totalEntries,
+      hash: metadata.hash,
+    };
+
+    const signatureVerification = await verifyAuditExportSignature(
+      embeddedSignaturePayload,
+      metadata.signature,
+      verificationPublicKeyPem
+    );
+
+    if (!signatureVerification.isValid) {
+      return createVerificationResult(
+        false,
+        getSignatureFailureMessage(signatureVerification.error, 'export ZIP'),
+        'case-zip'
+      );
+    }
+
+    if (
+      JSON.stringify(auditSignatureExport.signatureMetadata ?? null) !== JSON.stringify(metadata.signatureMetadata ?? null) ||
+      JSON.stringify(auditSignatureExport.signature ?? null) !== JSON.stringify(metadata.signature ?? null)
+    ) {
+      return createVerificationResult(
+        false,
+        'The bundled audit signature artifact does not match the signed audit export.',
+        'case-zip'
+      );
+    }
+
+    return null;
+  } catch {
+    return createVerificationResult(
+      false,
+      'The bundled audit export could not be parsed for verification.',
+      'case-zip'
+    );
+  }
+}
+
 /**
  * Remove forensic warning from content for hash validation.
  * Supports the warning formats added to JSON and CSV case exports.
@@ -174,8 +469,26 @@ async function verifyCaseZipExport(
       })
     );
 
-    const signatureResult = await verifyForensicManifestSignature(forensicManifest, verificationPublicKeyPem);
-    const integrityResult = await validateCaseIntegritySecure(cleanedContent, imageFiles, manifestData);
+    const bundledAuditFiles = {
+      auditTrailContent: await zip.file('audit/case-audit-trail.json')?.async('text'),
+      auditSignatureContent: await zip.file('audit/case-audit-signature.json')?.async('text')
+    };
+
+    const casePackageResult = await verifyCasePackageIntegrity({
+      cleanedContent,
+      imageFiles,
+      forensicManifest,
+      verificationPublicKeyPem,
+      bundledAuditFiles
+    });
+
+    const signatureResult = casePackageResult.signatureResult;
+    const integrityResult = casePackageResult.integrityResult;
+    const bundledAuditVerification = casePackageResult.bundledAuditVerification;
+
+    if (bundledAuditVerification) {
+      return bundledAuditVerification;
+    }
 
     if (signatureResult.isValid && integrityResult.isValid) {
       return createVerificationResult(
@@ -211,22 +524,6 @@ async function verifyCaseZipExport(
   }
 }
 
-async function verifyConfirmationExport(
-  file: File,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  try {
-    const fileContent = await file.text();
-    return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
-  } catch {
-    return createVerificationResult(
-      false,
-      'The JSON file could not be read as a supported Striae confirmation export.',
-      'confirmation'
-    );
-  }
-}
-
 async function verifyConfirmationContent(
   fileContent: string,
   verificationPublicKeyPem: string
@@ -343,11 +640,189 @@ export async function verifyExportFile(
   }
 
   if (lowerName.endsWith('.json')) {
-    return verifyConfirmationExport(file, verificationPublicKeyPem);
+    try {
+      const fileContent = await file.text();
+      const parsedContent = JSON.parse(fileContent) as unknown;
+
+      if (isConfirmationImportCandidate(parsedContent)) {
+        return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
+      }
+
+      if (isAuditExportCandidate(parsedContent)) {
+        return verifyAuditExportContent(fileContent, verificationPublicKeyPem);
+      }
+
+      return createVerificationResult(
+        false,
+        'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
+      );
+    } catch {
+      return createVerificationResult(
+        false,
+        'The JSON file could not be read as a supported Striae confirmation or audit export.'
+      );
+    }
   }
 
   return createVerificationResult(
     false,
-    'Select a confirmation JSON/ZIP file or a case export ZIP file.'
+    'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
+  );
+}
+
+export async function verifyCasePackageIntegrity(
+  input: CasePackageIntegrityInput
+): Promise<CasePackageIntegrityResult> {
+  const manifestData = extractForensicManifestData(input.forensicManifest);
+
+  if (!manifestData) {
+    return {
+      isValid: false,
+      signatureResult: {
+        isValid: false,
+        error: 'Forensic manifest structure is invalid'
+      },
+      integrityResult: {
+        isValid: false,
+        dataValid: false,
+        imageValidation: {},
+        manifestValid: false,
+        errors: ['Forensic manifest structure is invalid'],
+        summary: 'Manifest validation failed'
+      },
+      bundledAuditVerification: null
+    };
+  }
+
+  const signatureResult = await verifyForensicManifestSignature(
+    input.forensicManifest,
+    input.verificationPublicKeyPem
+  );
+
+  const integrityResult = await validateCaseIntegritySecure(
+    input.cleanedContent,
+    input.imageFiles,
+    manifestData
   );
+
+  const bundledAuditVerification = input.bundledAuditFiles
+    ? await (async () => {
+        const { auditTrailContent, auditSignatureContent } = input.bundledAuditFiles ?? {};
+
+        if (!auditTrailContent && !auditSignatureContent) {
+          return null;
+        }
+
+        if (!auditTrailContent || !auditSignatureContent) {
+          return createVerificationResult(
+            false,
+            'The archive ZIP contains incomplete bundled audit verification files.',
+            'case-zip'
+          );
+        }
+
+        try {
+          const auditTrailExport = JSON.parse(auditTrailContent) as BundledAuditExportFile;
+          const auditSignatureExport = JSON.parse(auditSignatureContent) as {
+            signatureMetadata?: Partial<AuditExportSigningPayload>;
+            signature?: NonNullable<BundledAuditExportFile['metadata']>['signature'];
+          };
+
+          const metadata = auditTrailExport.metadata;
+          if (!metadata?.signature || typeof metadata.hash !== 'string') {
+            return createVerificationResult(
+              false,
+              'The bundled audit export is missing required hash or signature metadata.',
+              'case-zip'
+            );
+          }
+
+          const unsignedAuditExport = auditTrailExport.auditTrail !== undefined
+            ? {
+                metadata: {
+                  exportTimestamp: metadata.exportTimestamp,
+                  exportVersion: metadata.exportVersion,
+                  totalEntries: metadata.totalEntries,
+                  application: metadata.application,
+                  exportType: metadata.exportType,
+                  scopeType: metadata.scopeType,
+                  scopeIdentifier: metadata.scopeIdentifier,
+                },
+                auditTrail: auditTrailExport.auditTrail,
+              }
+            : {
+                metadata: {
+                  exportTimestamp: metadata.exportTimestamp,
+                  exportVersion: metadata.exportVersion,
+                  totalEntries: metadata.totalEntries,
+                  application: metadata.application,
+                  exportType: metadata.exportType,
+                  scopeType: metadata.scopeType,
+                  scopeIdentifier: metadata.scopeIdentifier,
+                },
+                auditEntries: auditTrailExport.auditEntries,
+              };
+
+          const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
+          if (recalculatedHash.toUpperCase() !== metadata.hash.toUpperCase()) {
+            return createVerificationResult(
+              false,
+              'The bundled audit export failed integrity verification.',
+              'case-zip'
+            );
+          }
+
+          const embeddedSignaturePayload: Partial<AuditExportSigningPayload> = metadata.signatureMetadata ?? {
+            signatureVersion: metadata.signatureVersion,
+            exportFormat: 'json',
+            exportType: metadata.exportType,
+            scopeType: metadata.scopeType,
+            scopeIdentifier: metadata.scopeIdentifier,
+            generatedAt: metadata.exportTimestamp,
+            totalEntries: metadata.totalEntries,
+            hash: metadata.hash,
+          };
+
+          const signatureVerification = await verifyAuditExportSignature(
+            embeddedSignaturePayload,
+            metadata.signature,
+            input.verificationPublicKeyPem
+          );
+
+          if (!signatureVerification.isValid) {
+            return createVerificationResult(
+              false,
+              getSignatureFailureMessage(signatureVerification.error, 'export ZIP'),
+              'case-zip'
+            );
+          }
+
+          if (
+            JSON.stringify(auditSignatureExport.signatureMetadata ?? null) !== JSON.stringify(metadata.signatureMetadata ?? null) ||
+            JSON.stringify(auditSignatureExport.signature ?? null) !== JSON.stringify(metadata.signature ?? null)
+          ) {
+            return createVerificationResult(
+              false,
+              'The bundled audit signature artifact does not match the signed audit export.',
+              'case-zip'
+            );
+          }
+
+          return null;
+        } catch {
+          return createVerificationResult(
+            false,
+            'The bundled audit export could not be parsed for verification.',
+            'case-zip'
+          );
+        }
+      })()
+    : null;
+
+  return {
+    isValid: signatureResult.isValid && integrityResult.isValid && !bundledAuditVerification,
+    signatureResult,
+    integrityResult,
+    bundledAuditVerification
+  };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "4.1.0",
+  "version": "4.2.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -102,9 +102,9 @@
     "install-workers": "bash ./scripts/install-workers.sh",
     "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:keys && npm run deploy-workers:pdf && npm run deploy-workers:user",
     "deploy-workers:secrets": "bash ./scripts/deploy-worker-secrets.sh",
-    "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh",
+    "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh --production-only",
     "deploy-pages": "bash ./scripts/deploy-pages.sh",
-    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh",
+    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh --production-only",
     "deploy-workers:audit": "cd workers/audit-worker && npm run deploy",
     "deploy-workers:data": "cd workers/data-worker && npm run deploy",
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",

package/scripts/deploy-primershear-emails.sh

@@ -81,7 +81,8 @@ if [ ! -f "$EMAILS_FILE" ]; then
 fi
 
 # Strip comment lines and blank lines, then join with commas
-PRIMERSHEAR_EMAILS=$(grep -v '^\s*#' "$EMAILS_FILE" | grep -v '^\s*$' | paste -sd ',' -)
+# Use || true to avoid failure if paste gets no input (handles empty file gracefully)
+PRIMERSHEAR_EMAILS=$(grep -v '^\s*#' "$EMAILS_FILE" | grep -v '^\s*$' | paste -sd ',' - || true)
 
 if [ -z "$PRIMERSHEAR_EMAILS" ]; then
     echo -e "${YELLOW}⚠️  primershear.emails contains no active email addresses.${NC}"

package/worker-configuration.d.ts

@@ -1,6 +1,6 @@
 /* eslint-disable */
 // Generated by Wrangler by running `wrangler types` (hash: 3509cf2c6fcfb4a2a6e6bd16efbe22b3)
-// Runtime types generated with workerd@1.20250823.0 2026-03-19 nodejs_compat
+// Runtime types generated with workerd@1.20250823.0 2026-03-20 nodejs_compat
 declare namespace Cloudflare {
 	interface Env {
 		ACCOUNT_ID: string;