@striae-org/striae 4.3.3 → 5.0.0

package/app/utils/forensics/export-verification.ts

@@ -1,4 +1,3 @@
-import { type ConfirmationImportData } from '~/types';
 import {
   extractForensicManifestData,
   type ManifestSignatureVerificationResult,
@@ -11,7 +10,6 @@ import {
   type AuditExportSigningPayload,
   verifyAuditExportSignature
 } from './audit-export-signature';
-import { verifyConfirmationSignature } from './confirmation-signature';
 
 export interface ExportVerificationResult {
   isValid: boolean;
@@ -19,9 +17,6 @@ export interface ExportVerificationResult {
   exportType?: 'case-zip' | 'confirmation' | 'audit-json';
 }
 
-const CASE_EXPORT_FILE_REGEX = /_data\.(json|csv)$/i;
-const CONFIRMATION_EXPORT_FILE_REGEX = /^confirmation-data-.*\.json$/i;
-
 interface BundledAuditExportFile {
   metadata?: {
     exportTimestamp?: string;
@@ -45,12 +40,6 @@ interface BundledAuditExportFile {
   auditEntries?: unknown;
 }
 
-interface StandaloneAuditExportFile extends BundledAuditExportFile {
-  metadata?: BundledAuditExportFile['metadata'] & {
-    integrityNote?: string;
-  };
-}
-
 export interface CasePackageIntegrityInput {
   cleanedContent: string;
   imageFiles: Record<string, Blob>;
@@ -100,146 +89,7 @@ function getSignatureFailureMessage(
   return `The ${targetLabel} signature did not verify with the selected public key.`;
 }
 
-function isConfirmationImportCandidate(candidate: unknown): candidate is Partial<ConfirmationImportData> {
-  if (!candidate || typeof candidate !== 'object') {
-    return false;
-  }
-
-  const confirmationCandidate = candidate as Partial<ConfirmationImportData>;
-  return (
-    !!confirmationCandidate.metadata &&
-    typeof confirmationCandidate.metadata.hash === 'string' &&
-    !!confirmationCandidate.confirmations &&
-    typeof confirmationCandidate.confirmations === 'object'
-  );
-}
-
-function isAuditExportCandidate(candidate: unknown): candidate is StandaloneAuditExportFile {
-  if (!candidate || typeof candidate !== 'object') {
-    return false;
-  }
-
-  const auditCandidate = candidate as StandaloneAuditExportFile;
-  const metadata = auditCandidate.metadata;
-
-  if (!metadata || typeof metadata !== 'object') {
-    return false;
-  }
-
-  return (
-    typeof metadata.exportTimestamp === 'string' &&
-    typeof metadata.exportType === 'string' &&
-    typeof metadata.scopeType === 'string' &&
-    typeof metadata.scopeIdentifier === 'string' &&
-    typeof metadata.hash === 'string' &&
-    !!metadata.signature &&
-    (auditCandidate.auditTrail !== undefined || auditCandidate.auditEntries !== undefined)
-  );
-}
-
-async function verifyAuditExportContent(
-  fileContent: string,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  try {
-    const parsedContent = JSON.parse(fileContent) as unknown;
-
-    if (!isAuditExportCandidate(parsedContent)) {
-      return createVerificationResult(
-        false,
-        'The JSON file is not a supported Striae audit export.',
-        'audit-json'
-      );
-    }
-
-    const auditExport = parsedContent as StandaloneAuditExportFile;
-    const metadata = auditExport.metadata!;
-
-    const unsignedAuditExport = auditExport.auditTrail !== undefined
-      ? {
-          metadata: {
-            exportTimestamp: metadata.exportTimestamp,
-            exportVersion: metadata.exportVersion,
-            totalEntries: metadata.totalEntries,
-            application: metadata.application,
-            exportType: metadata.exportType,
-            scopeType: metadata.scopeType,
-            scopeIdentifier: metadata.scopeIdentifier,
-          },
-          auditTrail: auditExport.auditTrail,
-        }
-      : {
-          metadata: {
-            exportTimestamp: metadata.exportTimestamp,
-            exportVersion: metadata.exportVersion,
-            totalEntries: metadata.totalEntries,
-            application: metadata.application,
-            exportType: metadata.exportType,
-            scopeType: metadata.scopeType,
-            scopeIdentifier: metadata.scopeIdentifier,
-          },
-          auditEntries: auditExport.auditEntries,
-        };
-
-    const recalculatedHash = await calculateSHA256Secure(JSON.stringify(unsignedAuditExport, null, 2));
-    const hashValid = recalculatedHash.toUpperCase() === metadata.hash!.toUpperCase();
-
-    const signaturePayload: Partial<AuditExportSigningPayload> = {
-      signatureVersion: metadata.signatureVersion,
-      exportFormat: 'json',
-      exportType: metadata.exportType,
-      scopeType: metadata.scopeType,
-      scopeIdentifier: metadata.scopeIdentifier,
-      generatedAt: metadata.exportTimestamp,
-      totalEntries: metadata.totalEntries,
-      hash: metadata.hash,
-    };
-
-    const signatureResult = await verifyAuditExportSignature(
-      signaturePayload,
-      metadata.signature,
-      verificationPublicKeyPem
-    );
-
-    if (hashValid && signatureResult.isValid) {
-      return createVerificationResult(
-        true,
-        'The audit export passed signature and integrity verification.',
-        'audit-json'
-      );
-    }
-
-    if (!hashValid && !signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        'The audit export failed signature and integrity verification.',
-        'audit-json'
-      );
-    }
-
-    if (!signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        getSignatureFailureMessage(signatureResult.error, 'audit export'),
-        'audit-json'
-      );
-    }
-
-    return createVerificationResult(
-      false,
-      'The audit export failed integrity verification.',
-      'audit-json'
-    );
-  } catch {
-    return createVerificationResult(
-      false,
-      'The JSON file could not be read as a supported Striae audit export.',
-      'audit-json'
-    );
-  }
-}
-
-export async function verifyBundledAuditExport(
+async function verifyBundledAuditExport(
   zip: {
     file: (path: string) => { async: (type: 'text') => Promise<string> } | null;
   },
@@ -412,264 +262,6 @@ export async function validateConfirmationHash(jsonContent: string, expectedHash
   }
 }
 
-async function verifyCaseZipExport(
-  file: File,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  const JSZip = (await import('jszip')).default;
-
-  try {
-    const zip = await JSZip.loadAsync(file);
-    const dataFiles = Object.keys(zip.files).filter((name) => CASE_EXPORT_FILE_REGEX.test(name));
-
-    if (dataFiles.length !== 1) {
-      return createVerificationResult(
-        false,
-        'The ZIP file must contain exactly one case export data file.',
-        'case-zip'
-      );
-    }
-
-    const dataContent = await zip.file(dataFiles[0])?.async('text');
-    if (!dataContent) {
-      return createVerificationResult(false, 'The ZIP data file could not be read.', 'case-zip');
-    }
-
-    const manifestContent = await zip.file('FORENSIC_MANIFEST.json')?.async('text');
-    if (!manifestContent) {
-      return createVerificationResult(
-        false,
-        'The ZIP file does not contain FORENSIC_MANIFEST.json.',
-        'case-zip'
-      );
-    }
-
-    const forensicManifest = JSON.parse(manifestContent) as SignedForensicManifest;
-    const manifestData = extractForensicManifestData(forensicManifest);
-
-    if (!manifestData) {
-      return createVerificationResult(false, 'The forensic manifest is malformed.', 'case-zip');
-    }
-
-    const cleanedContent = removeForensicWarning(dataContent);
-    const imageFiles: Record<string, Blob> = {};
-
-    await Promise.all(
-      Object.keys(zip.files).map(async (path) => {
-        if (!path.startsWith('images/') || path.endsWith('/')) {
-          return;
-        }
-
-        const zipEntry = zip.file(path);
-        if (!zipEntry) {
-          return;
-        }
-
-        imageFiles[path.replace('images/', '')] = await zipEntry.async('blob');
-      })
-    );
-
-    const bundledAuditFiles = {
-      auditTrailContent: await zip.file('audit/case-audit-trail.json')?.async('text'),
-      auditSignatureContent: await zip.file('audit/case-audit-signature.json')?.async('text')
-    };
-
-    const casePackageResult = await verifyCasePackageIntegrity({
-      cleanedContent,
-      imageFiles,
-      forensicManifest,
-      verificationPublicKeyPem,
-      bundledAuditFiles
-    });
-
-    const signatureResult = casePackageResult.signatureResult;
-    const integrityResult = casePackageResult.integrityResult;
-    const bundledAuditVerification = casePackageResult.bundledAuditVerification;
-
-    if (bundledAuditVerification) {
-      return bundledAuditVerification;
-    }
-
-    if (signatureResult.isValid && integrityResult.isValid) {
-      return createVerificationResult(
-        true,
-        'The export ZIP passed signature and integrity verification.',
-        'case-zip'
-      );
-    }
-
-    if (!signatureResult.isValid && !integrityResult.isValid) {
-      return createVerificationResult(
-        false,
-        'The export ZIP failed signature and integrity verification.',
-        'case-zip'
-      );
-    }
-
-    if (!signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        getSignatureFailureMessage(signatureResult.error, 'export ZIP'),
-        'case-zip'
-      );
-    }
-
-    return createVerificationResult(false, 'The export ZIP failed integrity verification.', 'case-zip');
-  } catch {
-    return createVerificationResult(
-      false,
-      'The ZIP file could not be read as a supported Striae export.',
-      'case-zip'
-    );
-  }
-}
-
-async function verifyConfirmationContent(
-  fileContent: string,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  try {
-    const parsedContent = JSON.parse(fileContent) as unknown;
-
-    if (!isConfirmationImportCandidate(parsedContent)) {
-      return createVerificationResult(
-        false,
-        'The JSON file is not a supported Striae confirmation export.',
-        'confirmation'
-      );
-    }
-
-    const confirmationData = parsedContent as Partial<ConfirmationImportData>;
-    const hashValid = await validateConfirmationHash(fileContent, confirmationData.metadata!.hash);
-    const signatureResult = await verifyConfirmationSignature(confirmationData, verificationPublicKeyPem);
-
-    if (hashValid && signatureResult.isValid) {
-      return createVerificationResult(
-        true,
-        'The confirmation file passed signature and integrity verification.',
-        'confirmation'
-      );
-    }
-
-    if (!signatureResult.isValid && signatureResult.error === 'Confirmation content is malformed') {
-      return createVerificationResult(
-        false,
-        'The JSON file is not a supported Striae confirmation export.',
-        'confirmation'
-      );
-    }
-
-    if (!hashValid && !signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        'The confirmation file failed signature and integrity verification.',
-        'confirmation'
-      );
-    }
-
-    if (!signatureResult.isValid) {
-      return createVerificationResult(
-        false,
-        getSignatureFailureMessage(signatureResult.error, 'confirmation file'),
-        'confirmation'
-      );
-    }
-
-    return createVerificationResult(
-      false,
-      'The confirmation file failed integrity verification.',
-      'confirmation'
-    );
-  } catch {
-    return createVerificationResult(
-      false,
-      'The confirmation content could not be read as a supported Striae confirmation export.',
-      'confirmation'
-    );
-  }
-}
-
-async function verifyConfirmationZipExport(
-  file: File,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  const JSZip = (await import('jszip')).default;
-
-  try {
-    const zip = await JSZip.loadAsync(file);
-    const confirmationFiles = Object.keys(zip.files).filter((name) => CONFIRMATION_EXPORT_FILE_REGEX.test(name));
-
-    if (confirmationFiles.length !== 1) {
-      return createVerificationResult(
-        false,
-        'The ZIP file is not a supported Striae confirmation export package.'
-      );
-    }
-
-    const confirmationContent = await zip.file(confirmationFiles[0])?.async('text');
-    if (!confirmationContent) {
-      return createVerificationResult(
-        false,
-        'The confirmation JSON file inside the ZIP could not be read.',
-        'confirmation'
-      );
-    }
-
-    return verifyConfirmationContent(confirmationContent, verificationPublicKeyPem);
-  } catch {
-    return createVerificationResult(
-      false,
-      'The ZIP file could not be read as a supported Striae export.'
-    );
-  }
-}
-
-export async function verifyExportFile(
-  file: File,
-  verificationPublicKeyPem: string
-): Promise<ExportVerificationResult> {
-  const lowerName = file.name.toLowerCase();
-
-  if (lowerName.endsWith('.zip')) {
-    const confirmationZipResult = await verifyConfirmationZipExport(file, verificationPublicKeyPem);
-    if (confirmationZipResult.exportType === 'confirmation' || confirmationZipResult.isValid) {
-      return confirmationZipResult;
-    }
-
-    return verifyCaseZipExport(file, verificationPublicKeyPem);
-  }
-
-  if (lowerName.endsWith('.json')) {
-    try {
-      const fileContent = await file.text();
-      const parsedContent = JSON.parse(fileContent) as unknown;
-
-      if (isConfirmationImportCandidate(parsedContent)) {
-        return verifyConfirmationContent(fileContent, verificationPublicKeyPem);
-      }
-
-      if (isAuditExportCandidate(parsedContent)) {
-        return verifyAuditExportContent(fileContent, verificationPublicKeyPem);
-      }
-
-      return createVerificationResult(
-        false,
-        'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
-      );
-    } catch {
-      return createVerificationResult(
-        false,
-        'The JSON file could not be read as a supported Striae confirmation or audit export.'
-      );
-    }
-  }
-
-  return createVerificationResult(
-    false,
-    'Select a confirmation JSON/ZIP file, standalone audit JSON export, or a case export ZIP file.'
-  );
-}
-
 export async function verifyCasePackageIntegrity(
   input: CasePackageIntegrityInput
 ): Promise<CasePackageIntegrityResult> {

package/app/utils/forensics/index.ts

@@ -1,5 +1,6 @@
 export * from './SHA256';
 export * from './audit-export-signature';
 export * from './confirmation-signature';
+export * from './export-encryption';
 export * from './export-verification';
 export * from './signature-utils';

package/app/utils/ui/case-messages.ts

@@ -5,15 +5,18 @@
 
 // Import validation messages
 export const IMPORT_FILE_TYPE_NOT_ALLOWED =
-  'Only Striae case ZIP files, confirmation ZIP files, or confirmation JSON files are allowed.';
+  'Only Striae case ZIP files and encrypted confirmation ZIP packages exported from Striae are allowed.';
 
 export const IMPORT_FILE_TYPE_NOT_SUPPORTED =
-  'The selected file is not a supported Striae case or confirmation import package.';
+  'The selected file is not a supported Striae case ZIP or encrypted confirmation package.';
 
 // Import blocking messages
 export const ARCHIVED_REGULAR_CASE_BLOCK_MESSAGE =
   'This archived case cannot be imported because the case already exists in your regular case list. Delete the regular case before importing this archive.';
 
+export const ARCHIVED_SELF_IMPORT_NOTE =
+  'Archived export detected. Original exporter imports are only allowed after the case has been deleted from your regular case list.';
+
 // Read-only case operations
 export const CREATE_READ_ONLY_CASE_EXISTS_ERROR = (caseNumber: string): string =>
   `Case "${caseNumber}" already exists as a read-only review case.`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "4.3.3",
+  "version": "5.0.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",

package/scripts/deploy-config.sh

@@ -334,7 +334,7 @@ write_env_var() {
     var_value=$(strip_carriage_returns "$var_value")
     env_file_value="$var_value"
 
-    if [ "$var_name" = "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PUBLIC_KEY" ]; then
+    if [ "$var_name" = "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PUBLIC_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PUBLIC_KEY" ]; then
         # Store as a quoted string so sourced .env preserves escaped newline markers (\n)
         env_file_value=${env_file_value//\"/\\\"}
         env_file_value="\"$env_file_value\""
@@ -508,6 +508,88 @@ configure_manifest_signing_credentials() {
     echo ""
 }
 
+generate_export_encryption_key_pair() {
+    local private_key_file
+    local public_key_file
+    private_key_file=$(mktemp)
+    public_key_file=$(mktemp)
+
+    if ! node -e "const { generateKeyPairSync } = require('crypto'); const fs = require('fs'); const pair = generateKeyPairSync('rsa', { modulusLength: 2048, publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem' } }); fs.writeFileSync(process.argv[1], pair.privateKey, 'utf8'); fs.writeFileSync(process.argv[2], pair.publicKey, 'utf8');" "$private_key_file" "$public_key_file"; then
+        rm -f "$private_key_file" "$public_key_file"
+        return 1
+    fi
+
+    local private_key_pem
+    local public_key_pem
+    private_key_pem=$(cat "$private_key_file")
+    public_key_pem=$(cat "$public_key_file")
+    rm -f "$private_key_file" "$public_key_file"
+
+    private_key_pem="${private_key_pem//$'\r'/}"
+    public_key_pem="${public_key_pem//$'\r'/}"
+
+    EXPORT_ENCRYPTION_PRIVATE_KEY="${private_key_pem//$'\n'/\\n}"
+    EXPORT_ENCRYPTION_PUBLIC_KEY="${public_key_pem//$'\n'/\\n}"
+
+    export EXPORT_ENCRYPTION_PRIVATE_KEY
+    export EXPORT_ENCRYPTION_PUBLIC_KEY
+
+    write_env_var "EXPORT_ENCRYPTION_PRIVATE_KEY" "$EXPORT_ENCRYPTION_PRIVATE_KEY"
+    write_env_var "EXPORT_ENCRYPTION_PUBLIC_KEY" "$EXPORT_ENCRYPTION_PUBLIC_KEY"
+
+    return 0
+}
+
+configure_export_encryption_credentials() {
+    echo -e "${BLUE}🔐 EXPORT ENCRYPTION CONFIGURATION${NC}"
+    echo "================================="
+
+    local should_generate="false"
+    local regenerate_choice=""
+
+    if [ "$update_env" = "true" ]; then
+        should_generate="true"
+    elif [ -z "$EXPORT_ENCRYPTION_PRIVATE_KEY" ] || is_placeholder "$EXPORT_ENCRYPTION_PRIVATE_KEY" || [ -z "$EXPORT_ENCRYPTION_PUBLIC_KEY" ] || is_placeholder "$EXPORT_ENCRYPTION_PUBLIC_KEY"; then
+        should_generate="true"
+    else
+        echo -e "${GREEN}Current export encryption key pair: [HIDDEN]${NC}"
+        read -p "Generate new export encryption key pair? (press Enter to keep current, or type 'y' to regenerate): " regenerate_choice
+        regenerate_choice=$(strip_carriage_returns "$regenerate_choice")
+        if [ "$regenerate_choice" = "y" ] || [ "$regenerate_choice" = "Y" ]; then
+            should_generate="true"
+        fi
+    fi
+
+    if [ "$should_generate" = "true" ]; then
+        echo -e "${YELLOW}Generating export encryption RSA key pair...${NC}"
+        if generate_export_encryption_key_pair; then
+            echo -e "${GREEN}✅ Export encryption key pair generated${NC}"
+        else
+            echo -e "${RED}❌ Error: Failed to generate export encryption key pair${NC}"
+            exit 1
+        fi
+    else
+        echo -e "${GREEN}✅ Keeping current export encryption key pair${NC}"
+    fi
+
+    if [ -z "$EXPORT_ENCRYPTION_KEY_ID" ] || is_placeholder "$EXPORT_ENCRYPTION_KEY_ID" || [ "$should_generate" = "true" ]; then
+        local generated_key_id
+        generated_key_id=$(generate_worker_subdomain_label)
+        if [ -z "$generated_key_id" ] || [ ${#generated_key_id} -ne 10 ]; then
+            echo -e "${RED}❌ Error: Failed to generate EXPORT_ENCRYPTION_KEY_ID${NC}"
+            exit 1
+        fi
+        EXPORT_ENCRYPTION_KEY_ID="$generated_key_id"
+        export EXPORT_ENCRYPTION_KEY_ID
+        write_env_var "EXPORT_ENCRYPTION_KEY_ID" "$EXPORT_ENCRYPTION_KEY_ID"
+        echo -e "${GREEN}✅ EXPORT_ENCRYPTION_KEY_ID generated: $EXPORT_ENCRYPTION_KEY_ID${NC}"
+    else
+        echo -e "${GREEN}✅ EXPORT_ENCRYPTION_KEY_ID: $EXPORT_ENCRYPTION_KEY_ID${NC}"
+    fi
+
+    echo ""
+}
+
 # Validate required variables
 required_vars=(
     # Core Cloudflare Configuration
@@ -564,6 +646,9 @@ required_vars=(
     "MANIFEST_SIGNING_PRIVATE_KEY"
     "MANIFEST_SIGNING_KEY_ID"
     "MANIFEST_SIGNING_PUBLIC_KEY"
+    "EXPORT_ENCRYPTION_PRIVATE_KEY"
+    "EXPORT_ENCRYPTION_KEY_ID"
+    "EXPORT_ENCRYPTION_PUBLIC_KEY"
 )
 
 validate_required_vars() {
@@ -591,7 +676,7 @@ assert_contains_literal() {
     local literal=$2
     local description=$3
 
-    if ! grep -Fq "$literal" "$file_path"; then
+    if ! grep -Fq -- "$literal" "$file_path"; then
         echo -e "${RED}❌ Error: ${description}${NC}"
         echo -e "${YELLOW}   Expected to find '$literal' in $file_path${NC}"
         exit 1
@@ -743,6 +828,8 @@ validate_generated_configs() {
 
     assert_contains_literal "app/config/config.json" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in app/config/config.json"
     assert_contains_literal "app/config/config.json" "$ACCOUNT_HASH" "ACCOUNT_HASH missing in app/config/config.json"
+    assert_contains_literal "app/config/config.json" "$EXPORT_ENCRYPTION_KEY_ID" "EXPORT_ENCRYPTION_KEY_ID missing in app/config/config.json"
+    assert_contains_literal "app/config/config.json" "\"export_encryption_public_key\":" "export_encryption_public_key missing in app/config/config.json"
     assert_contains_literal "app/routes/auth/login.tsx" "const APP_CANONICAL_ORIGIN = 'https://$PAGES_CUSTOM_DOMAIN';" "PAGES_CUSTOM_DOMAIN missing in app/routes/auth/login.tsx canonical origin"
 
     assert_contains_literal "app/config/firebase.ts" "$API_KEY" "API_KEY missing in app/config/firebase.ts"
@@ -761,7 +848,7 @@ validate_generated_configs() {
     assert_contains_literal "workers/user-worker/src/user-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in user-worker source"
 
     local placeholder_pattern
-    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|KEYS_WORKER_NAME|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|KEYS_WORKER_DOMAIN|USER_WORKER_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN|PDF_WORKER_DOMAIN|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|KV_STORE_ID|ACCOUNT_HASH|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\"|'(PAGES_CUSTOM_DOMAIN|DATA_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN)')"
+    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|KEYS_WORKER_NAME|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|KEYS_WORKER_DOMAIN|USER_WORKER_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN|PDF_WORKER_DOMAIN|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|KV_STORE_ID|ACCOUNT_HASH|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\"|'(PAGES_CUSTOM_DOMAIN|DATA_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN)')"
 
     local files_to_scan=(
         "wrangler.toml"
@@ -1310,6 +1397,7 @@ prompt_for_secrets() {
     prompt_for_var "HMAC_KEY" "Cloudflare Images HMAC signing key"
 
     configure_manifest_signing_credentials
+    configure_export_encryption_credentials
     
     # Reload the updated .env file
     source .env
@@ -1447,15 +1535,21 @@ update_wrangler_configs() {
         echo -e "${YELLOW}    Updating app/config/config.json...${NC}"
         local escaped_manifest_signing_key_id
         local escaped_manifest_signing_public_key
+        local escaped_export_encryption_key_id
+        local escaped_export_encryption_public_key
         local escaped_account_hash
         escaped_manifest_signing_key_id=$(escape_for_sed_replacement "$MANIFEST_SIGNING_KEY_ID")
         escaped_manifest_signing_public_key=$(escape_for_sed_replacement "$MANIFEST_SIGNING_PUBLIC_KEY")
+        escaped_export_encryption_key_id=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_KEY_ID")
+        escaped_export_encryption_public_key=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_PUBLIC_KEY")
         escaped_account_hash=$(escape_for_sed_replacement "$ACCOUNT_HASH")
 
         sed -i "s|\"url\": \"[^\"]*\"|\"url\": \"https://$escaped_pages_custom_domain\"|g" app/config/config.json
         sed -i "s|\"account_hash\": \"[^\"]*\"|\"account_hash\": \"$escaped_account_hash\"|g" app/config/config.json
         sed -i "s|\"MANIFEST_SIGNING_KEY_ID\"|\"$escaped_manifest_signing_key_id\"|g" app/config/config.json
         sed -i "s|\"MANIFEST_SIGNING_PUBLIC_KEY\"|\"$escaped_manifest_signing_public_key\"|g" app/config/config.json
+        sed -i "s|\"EXPORT_ENCRYPTION_KEY_ID\"|\"$escaped_export_encryption_key_id\"|g" app/config/config.json
+        sed -i "s|\"EXPORT_ENCRYPTION_PUBLIC_KEY\"|\"$escaped_export_encryption_public_key\"|g" app/config/config.json
         echo -e "${GREEN}      ✅ app config.json updated${NC}"
     fi
     

package/scripts/deploy-worker-secrets.sh

@@ -187,7 +187,7 @@ fi
 
 # Data Worker
 if ! set_worker_secrets "Data Worker" "workers/data-worker" \
-    "R2_KEY_SECRET" "MANIFEST_SIGNING_PRIVATE_KEY" "MANIFEST_SIGNING_KEY_ID"; then
+    "R2_KEY_SECRET" "MANIFEST_SIGNING_PRIVATE_KEY" "MANIFEST_SIGNING_KEY_ID" "EXPORT_ENCRYPTION_PRIVATE_KEY" "EXPORT_ENCRYPTION_KEY_ID"; then
     echo -e "${YELLOW}⚠️  Skipping Data Worker (not configured)${NC}"
 fi
 

package/workers/audit-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "AUDIT_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ],