@striae-org/striae 4.3.4 → 5.1.0

package/workers/audit-worker/wrangler.jsonc.example

@@ -1,8 +1,13 @@
 {
+  // Required secrets: R2_KEY_SECRET
+  // Optional data-at-rest secrets/vars:
+  // - DATA_AT_REST_ENCRYPTION_ENABLED=true
+  // - DATA_AT_REST_ENCRYPTION_PRIVATE_KEY (required for decrypting encrypted records)
+  // - DATA_AT_REST_ENCRYPTION_PUBLIC_KEY and DATA_AT_REST_ENCRYPTION_KEY_ID (required when encrypt-on-write is enabled)
   "name": "AUDIT_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/data-worker/package.json

@@ -5,13 +5,10 @@
 	"scripts": {
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {

package/workers/data-worker/src/data-worker.example.ts

@@ -1,4 +1,11 @@
 import { signPayload as signWithWorkerKey } from './signature-utils';
+import {
+  decryptExportData,
+  decryptImageBlob,
+  decryptJsonFromStorage,
+  encryptJsonForStorage,
+  type DataAtRestEnvelope
+} from './encryption-utils';
 import {
   AUDIT_EXPORT_SIGNATURE_VERSION,
   CONFIRMATION_SIGNATURE_VERSION,
@@ -20,6 +27,12 @@ interface Env {
   STRIAE_DATA: R2Bucket;
   MANIFEST_SIGNING_PRIVATE_KEY: string;
   MANIFEST_SIGNING_KEY_ID: string;
+  EXPORT_ENCRYPTION_PRIVATE_KEY?: string;
+  EXPORT_ENCRYPTION_KEY_ID?: string;
+  DATA_AT_REST_ENCRYPTION_ENABLED?: string;
+  DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
+  DATA_AT_REST_ENCRYPTION_PUBLIC_KEY?: string;
+  DATA_AT_REST_ENCRYPTION_KEY_ID?: string;
 }
 
 interface SuccessResponse {
@@ -50,6 +63,204 @@ const hasValidHeader = (request: Request, env: Env): boolean =>
 const SIGN_MANIFEST_PATH = '/api/forensic/sign-manifest';
 const SIGN_CONFIRMATION_PATH = '/api/forensic/sign-confirmation';
 const SIGN_AUDIT_EXPORT_PATH = '/api/forensic/sign-audit-export';
+const DECRYPT_EXPORT_PATH = '/api/forensic/decrypt-export';
+const DATA_AT_REST_BACKFILL_PATH = '/api/admin/data-at-rest-backfill';
+const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
+const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
+
+function isDataAtRestEncryptionEnabled(env: Env): boolean {
+  const value = env.DATA_AT_REST_ENCRYPTION_ENABLED;
+  if (!value) {
+    return false;
+  }
+
+  const normalizedValue = value.trim().toLowerCase();
+  return normalizedValue === '1' || normalizedValue === 'true' || normalizedValue === 'yes' || normalizedValue === 'on';
+}
+
+function extractDataAtRestEnvelope(file: R2ObjectBody): DataAtRestEnvelope | null {
+  const metadata = file.customMetadata;
+  if (!metadata) {
+    return null;
+  }
+
+  const {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  } = metadata;
+
+  if (
+    typeof algorithm !== 'string' ||
+    typeof encryptionVersion !== 'string' ||
+    typeof keyId !== 'string' ||
+    typeof dataIv !== 'string' ||
+    typeof wrappedKey !== 'string'
+  ) {
+    return null;
+  }
+
+  return {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  };
+}
+
+function hasDataAtRestMetadata(metadata: Record<string, string> | undefined): boolean {
+  if (!metadata) {
+    return false;
+  }
+
+  return (
+    typeof metadata.algorithm === 'string' &&
+    typeof metadata.encryptionVersion === 'string' &&
+    typeof metadata.keyId === 'string' &&
+    typeof metadata.dataIv === 'string' &&
+    typeof metadata.wrappedKey === 'string'
+  );
+}
+
+function clampBackfillBatchSize(size: number | undefined): number {
+  if (typeof size !== 'number' || !Number.isFinite(size)) {
+    return 100;
+  }
+
+  const normalized = Math.floor(size);
+  if (normalized < 1) {
+    return 1;
+  }
+
+  if (normalized > 1000) {
+    return 1000;
+  }
+
+  return normalized;
+}
+
+async function handleDataAtRestBackfill(request: Request, env: Env): Promise<Response> {
+  if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
+    return createResponse(
+      { error: 'Data-at-rest encryption is not configured for backfill writes' },
+      400
+    );
+  }
+
+  const requestBody = await request.json().catch(() => ({})) as {
+    dryRun?: boolean;
+    prefix?: string;
+    cursor?: string;
+    batchSize?: number;
+  };
+
+  const dryRun = requestBody.dryRun === true;
+  const prefix = typeof requestBody.prefix === 'string' ? requestBody.prefix : '';
+  const cursor = typeof requestBody.cursor === 'string' && requestBody.cursor.length > 0
+    ? requestBody.cursor
+    : undefined;
+  const batchSize = clampBackfillBatchSize(requestBody.batchSize);
+
+  const bucket = env.STRIAE_DATA;
+  const listed = await bucket.list({
+    prefix: prefix.length > 0 ? prefix : undefined,
+    cursor,
+    limit: batchSize
+  });
+
+  let scanned = 0;
+  let eligible = 0;
+  let encrypted = 0;
+  let skippedEncrypted = 0;
+  let skippedNonJson = 0;
+  let failed = 0;
+  const failures: Array<{ key: string; error: string }> = [];
+
+  for (const object of listed.objects) {
+    scanned += 1;
+    const key = object.key;
+
+    if (!key.endsWith('.json')) {
+      skippedNonJson += 1;
+      continue;
+    }
+
+    const objectHead = await bucket.head(key);
+    if (!objectHead) {
+      failed += 1;
+      if (failures.length < 20) {
+        failures.push({ key, error: 'Object not found during metadata check' });
+      }
+      continue;
+    }
+
+    if (hasDataAtRestMetadata(objectHead.customMetadata)) {
+      skippedEncrypted += 1;
+      continue;
+    }
+
+    eligible += 1;
+
+    if (dryRun) {
+      continue;
+    }
+
+    try {
+      const existingObject = await bucket.get(key);
+      if (!existingObject) {
+        failed += 1;
+        if (failures.length < 20) {
+          failures.push({ key, error: 'Object disappeared before processing' });
+        }
+        continue;
+      }
+
+      const plaintext = await existingObject.text();
+      const encryptedPayload = await encryptJsonForStorage(
+        plaintext,
+        env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+        env.DATA_AT_REST_ENCRYPTION_KEY_ID
+      );
+
+      await bucket.put(key, encryptedPayload.ciphertext, {
+        customMetadata: {
+          algorithm: encryptedPayload.envelope.algorithm,
+          encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+          keyId: encryptedPayload.envelope.keyId,
+          dataIv: encryptedPayload.envelope.dataIv,
+          wrappedKey: encryptedPayload.envelope.wrappedKey
+        }
+      });
+
+      encrypted += 1;
+    } catch (error) {
+      failed += 1;
+      if (failures.length < 20) {
+        const errorMessage = error instanceof Error ? error.message : 'Unknown backfill failure';
+        failures.push({ key, error: errorMessage });
+      }
+    }
+  }
+
+  return createResponse({
+    success: failed === 0,
+    dryRun,
+    prefix: prefix.length > 0 ? prefix : null,
+    batchSize,
+    scanned,
+    eligible,
+    encrypted,
+    skippedEncrypted,
+    skippedNonJson,
+    failed,
+    failures,
+    hasMore: listed.truncated,
+    nextCursor: listed.truncated ? listed.cursor : null
+  });
+}
 
 async function signPayloadWithWorkerKey(payload: string, env: Env): Promise<{
   algorithm: string;
@@ -196,6 +407,128 @@ async function handleSignAuditExport(request: Request, env: Env): Promise<Respon
   }
 }
 
+async function handleDecryptExport(request: Request, env: Env): Promise<Response> {
+  try {
+    // Check if encryption is configured
+    if (!env.EXPORT_ENCRYPTION_PRIVATE_KEY || !env.EXPORT_ENCRYPTION_KEY_ID) {
+      return createResponse(
+        { error: 'Export decryption is not configured on this server' },
+        400
+      );
+    }
+
+    const requestBody = await request.json() as {
+      wrappedKey?: string;
+      dataIv?: string;
+      encryptedData?: string;
+      encryptedImages?: Array<{ filename: string; encryptedData: string; iv?: string }>;
+      keyId?: string;
+    };
+
+    const { wrappedKey, dataIv, encryptedData, encryptedImages, keyId } = requestBody;
+
+    // Validate required fields
+    if (
+      !wrappedKey ||
+      typeof wrappedKey !== 'string' ||
+      !dataIv ||
+      typeof dataIv !== 'string' ||
+      !encryptedData ||
+      typeof encryptedData !== 'string' ||
+      !keyId ||
+      typeof keyId !== 'string'
+    ) {
+      return createResponse(
+        { error: 'Missing or invalid required fields: wrappedKey, dataIv, encryptedData, keyId' },
+        400
+      );
+    }
+
+    // Validate keyId matches configured key
+    if (keyId !== env.EXPORT_ENCRYPTION_KEY_ID) {
+      return createResponse(
+        { error: `Key ID mismatch: expected ${env.EXPORT_ENCRYPTION_KEY_ID}, got ${keyId}` },
+        400
+      );
+    }
+
+    // Decrypt data file
+    let plaintextData: string;
+    try {
+      plaintextData = await decryptExportData(
+        encryptedData,
+        wrappedKey,
+        dataIv,
+        env.EXPORT_ENCRYPTION_PRIVATE_KEY
+      );
+    } catch (error) {
+      console.error('Data file decryption failed:', error);
+      const errorMessage = error instanceof Error ? error.message : 'Decryption failed';
+      return createResponse(
+        { error: `Failed to decrypt data file: ${errorMessage}` },
+        500
+      );
+    }
+
+    // Decrypt images if provided
+    const decryptedImages: Array<{ filename: string; data: string }> = [];
+    if (Array.isArray(encryptedImages) && encryptedImages.length > 0) {
+      for (const imageEntry of encryptedImages) {
+        try {
+          if (!imageEntry.iv || typeof imageEntry.iv !== 'string') {
+            return createResponse(
+              { error: `Missing IV for image ${imageEntry.filename}` },
+              400
+            );
+          }
+
+          const imageBlob = await decryptImageBlob(
+            imageEntry.encryptedData,
+            wrappedKey,
+            imageEntry.iv,
+            env.EXPORT_ENCRYPTION_PRIVATE_KEY
+          );
+
+          // Convert blob to base64 for transport
+          const arrayBuffer = await imageBlob.arrayBuffer();
+          const bytes = new Uint8Array(arrayBuffer);
+            const chunkSize = 8192;
+            let binary = '';
+            for (let i = 0; i < bytes.length; i += chunkSize) {
+              const chunk = bytes.subarray(i, Math.min(i + chunkSize, bytes.length));
+              for (let j = 0; j < chunk.length; j++) {
+                binary += String.fromCharCode(chunk[j]);
+              }
+            }
+            const base64Data = btoa(binary);
+
+          decryptedImages.push({
+            filename: imageEntry.filename,
+            data: base64Data
+          });
+        } catch (error) {
+          console.error(`Image decryption failed for ${imageEntry.filename}:`, error);
+          const errorMessage = error instanceof Error ? error.message : 'Decryption failed';
+          return createResponse(
+            { error: `Failed to decrypt image ${imageEntry.filename}: ${errorMessage}` },
+            500
+          );
+        }
+      }
+    }
+
+    return createResponse({
+      success: true,
+      plaintext: plaintextData,
+      decryptedImages
+    });
+  } catch (error) {
+    console.error('Export decryption request failed:', error);
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+    return createResponse({ error: errorMessage }, 500);
+  }
+}
+
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
     if (request.method === 'OPTIONS') {
@@ -223,6 +556,14 @@ export default {
         return await handleSignAuditExport(request, env);
       }
 
+      if (request.method === 'POST' && pathname === DECRYPT_EXPORT_PATH) {
+        return await handleDecryptExport(request, env);
+      }
+
+      if (request.method === 'POST' && pathname === DATA_AT_REST_BACKFILL_PATH) {
+        return await handleDataAtRestBackfill(request, env);
+      }
+
       const filename = pathname.slice(1) || 'data.json';
 
       if (!filename.endsWith('.json')) {
@@ -235,6 +576,39 @@ export default {
           if (!file) {
             return createResponse([], 200);
           }
+
+          const atRestEnvelope = extractDataAtRestEnvelope(file);
+          if (atRestEnvelope) {
+            if (atRestEnvelope.algorithm !== DATA_AT_REST_ENCRYPTION_ALGORITHM) {
+              return createResponse({ error: 'Unsupported data-at-rest encryption algorithm' }, 500);
+            }
+
+            if (atRestEnvelope.encryptionVersion !== DATA_AT_REST_ENCRYPTION_VERSION) {
+              return createResponse({ error: 'Unsupported data-at-rest encryption version' }, 500);
+            }
+
+            if (!env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY) {
+              return createResponse(
+                { error: 'Data-at-rest decryption is not configured on this server' },
+                500
+              );
+            }
+
+            try {
+              const encryptedData = await file.arrayBuffer();
+              const plaintext = await decryptJsonFromStorage(
+                encryptedData,
+                atRestEnvelope,
+                env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY
+              );
+              const decryptedPayload = JSON.parse(plaintext);
+              return createResponse(decryptedPayload);
+            } catch (error) {
+              console.error('Data-at-rest decryption failed:', error);
+              return createResponse({ error: 'Failed to decrypt stored data' }, 500);
+            }
+          }
+
           const fileText = await file.text();
           const data = JSON.parse(fileText);
           return createResponse(data);
@@ -242,7 +616,41 @@ export default {
 
         case 'PUT': {
           const newData = await request.json();
-          await bucket.put(filename, JSON.stringify(newData));
+          const serializedData = JSON.stringify(newData);
+
+          if (!isDataAtRestEncryptionEnabled(env)) {
+            await bucket.put(filename, serializedData);
+            return createResponse({ success: true });
+          }
+
+          if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
+            return createResponse(
+              { error: 'Data-at-rest encryption is enabled but not fully configured' },
+              500
+            );
+          }
+
+          try {
+            const encryptedPayload = await encryptJsonForStorage(
+              serializedData,
+              env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+              env.DATA_AT_REST_ENCRYPTION_KEY_ID
+            );
+
+            await bucket.put(filename, encryptedPayload.ciphertext, {
+              customMetadata: {
+                algorithm: encryptedPayload.envelope.algorithm,
+                encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+                keyId: encryptedPayload.envelope.keyId,
+                dataIv: encryptedPayload.envelope.dataIv,
+                wrappedKey: encryptedPayload.envelope.wrappedKey
+              }
+            });
+          } catch (error) {
+            console.error('Data-at-rest encryption failed:', error);
+            return createResponse({ error: 'Failed to encrypt data for storage' }, 500);
+          }
+
           return createResponse({ success: true });
         }