@striae-org/striae 4.3.4 → 5.1.0

package/workers/data-worker/src/encryption-utils.ts

@@ -0,0 +1,269 @@
+export function base64UrlDecode(value: string): Uint8Array {
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+  const padding = '='.repeat((4 - (normalized.length % 4)) % 4);
+  const decoded = atob(normalized + padding);
+  const bytes = new Uint8Array(decoded.length);
+
+  for (let i = 0; i < decoded.length; i += 1) {
+    bytes[i] = decoded.charCodeAt(i);
+  }
+
+  return bytes;
+}
+
+export function base64UrlEncode(value: Uint8Array): string {
+  let binary = '';
+  const chunkSize = 8192;
+
+  for (let i = 0; i < value.length; i += chunkSize) {
+    const chunk = value.subarray(i, Math.min(i + chunkSize, value.length));
+    for (let j = 0; j < chunk.length; j += 1) {
+      binary += String.fromCharCode(chunk[j]);
+    }
+  }
+
+  return btoa(binary)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
+const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
+
+export interface DataAtRestEnvelope {
+  algorithm: string;
+  encryptionVersion: string;
+  keyId: string;
+  dataIv: string;
+  wrappedKey: string;
+}
+
+interface EncryptJsonAtRestResult {
+  ciphertext: Uint8Array;
+  envelope: DataAtRestEnvelope;
+}
+
+function parseSpkiPublicKey(publicKey: string): ArrayBuffer {
+  const normalizedKey = publicKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PUBLIC KEY-----', '')
+    .replace('-----END PUBLIC KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption public key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+function parsePkcs8PrivateKey(privateKey: string): ArrayBuffer {
+  const normalizedKey = privateKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PRIVATE KEY-----', '')
+    .replace('-----END PRIVATE KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption private key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+/**
+ * Import RSA private key from PKCS8 PEM format
+ */
+async function importRsaOaepPrivateKey(privateKeyPem: string): Promise<CryptoKey> {
+  const key = await crypto.subtle.importKey(
+    'pkcs8',
+    parsePkcs8PrivateKey(privateKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['decrypt']
+  );
+
+  return key;
+}
+
+async function importRsaOaepPublicKey(publicKeyPem: string): Promise<CryptoKey> {
+  const key = await crypto.subtle.importKey(
+    'spki',
+    parseSpkiPublicKey(publicKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['encrypt']
+  );
+
+  return key;
+}
+
+async function createAesGcmKey(usages: KeyUsage[]): Promise<CryptoKey> {
+  return crypto.subtle.generateKey(
+    {
+      name: 'AES-GCM',
+      length: 256
+    },
+    true,
+    usages
+  ) as Promise<CryptoKey>;
+}
+
+async function wrapAesKey(
+  aesKey: CryptoKey,
+  publicKeyPem: string
+): Promise<string> {
+  const rsaPublicKey = await importRsaOaepPublicKey(publicKeyPem);
+  const rawAesKey = await crypto.subtle.exportKey('raw', aesKey);
+  const wrappedKey = await crypto.subtle.encrypt(
+    { name: 'RSA-OAEP' },
+    rsaPublicKey,
+    rawAesKey as BufferSource
+  );
+
+  return base64UrlEncode(new Uint8Array(wrappedKey));
+}
+
+/**
+ * Decrypt AES key from RSA-OAEP wrapped form
+ */
+async function unwrapAesKey(
+  wrappedKeyBase64: string,
+  privateKeyPem: string
+): Promise<CryptoKey> {
+  const rsaPrivateKey = await importRsaOaepPrivateKey(privateKeyPem);
+  const wrappedKeyBytes = base64UrlDecode(wrappedKeyBase64);
+
+  const rawAesKey = await crypto.subtle.decrypt(
+    { name: 'RSA-OAEP' },
+    rsaPrivateKey,
+    wrappedKeyBytes as BufferSource
+  );
+
+  return crypto.subtle.importKey(
+    'raw',
+    rawAesKey,
+    { name: 'AES-GCM' },
+    false,
+    ['encrypt', 'decrypt']
+  );
+}
+
+export async function encryptJsonForStorage(
+  plaintextJson: string,
+  publicKeyPem: string,
+  keyId: string
+): Promise<EncryptJsonAtRestResult> {
+  const aesKey = await createAesGcmKey(['encrypt', 'decrypt']);
+  const wrappedKey = await wrapAesKey(aesKey, publicKeyPem);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+
+  const plaintextBytes = new TextEncoder().encode(plaintextJson);
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    plaintextBytes as BufferSource
+  );
+
+  return {
+    ciphertext: new Uint8Array(encryptedBuffer),
+    envelope: {
+      algorithm: DATA_AT_REST_ENCRYPTION_ALGORITHM,
+      encryptionVersion: DATA_AT_REST_ENCRYPTION_VERSION,
+      keyId,
+      dataIv: base64UrlEncode(iv),
+      wrappedKey
+    }
+  };
+}
+
+export async function decryptJsonFromStorage(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  privateKeyPem: string
+): Promise<string> {
+  const aesKey = await unwrapAesKey(envelope.wrappedKey, privateKeyPem);
+  const iv = base64UrlDecode(envelope.dataIv);
+
+  const plaintext = await crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+
+  return new TextDecoder().decode(plaintext);
+}
+
+/**
+ * Decrypt data file (plaintext JSON/CSV)
+ */
+export async function decryptExportData(
+  encryptedDataBase64: string,
+  wrappedKeyBase64: string,
+  ivBase64: string,
+  privateKeyPem: string
+): Promise<string> {
+  const aesKey = await unwrapAesKey(wrappedKeyBase64, privateKeyPem);
+  const iv = base64UrlDecode(ivBase64);
+  const ciphertext = base64UrlDecode(encryptedDataBase64);
+
+  const plaintext = await crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+
+  return new TextDecoder().decode(plaintext);
+}
+
+/**
+ * Decrypt a single image blob
+ */
+export async function decryptImageBlob(
+  encryptedImageBase64: string,
+  wrappedKeyBase64: string,
+  ivBase64: string,
+  privateKeyPem: string
+): Promise<Blob> {
+  const aesKey = await unwrapAesKey(wrappedKeyBase64, privateKeyPem);
+  const iv = base64UrlDecode(ivBase64);
+  const ciphertext = base64UrlDecode(encryptedImageBase64);
+
+  const plaintext = await crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+
+  // Return as blob (caller can determine MIME type from context)
+  return new Blob([plaintext]);
+}

package/workers/data-worker/worker-configuration.d.ts

@@ -1,6 +1,6 @@
 /* eslint-disable */
 // Generated by Wrangler by running `wrangler types` (hash: 4ccb8b314830f4c7bb743cb9b033a6cb)
-// Runtime types generated with workerd@1.20250823.0 2026-03-20 nodejs_compat
+// Runtime types generated with workerd@1.20250823.0 2026-03-23 nodejs_compat
 declare namespace Cloudflare {
 	interface Env {
 		STRIAE_DATA: R2Bucket;

package/workers/data-worker/wrangler.jsonc.example

@@ -1,9 +1,13 @@
 {
-  // Required secrets: R2_KEY_SECRET, MANIFEST_SIGNING_PRIVATE_KEY, MANIFEST_SIGNING_KEY_ID
+  // Required secrets: R2_KEY_SECRET, MANIFEST_SIGNING_PRIVATE_KEY, MANIFEST_SIGNING_KEY_ID, EXPORT_ENCRYPTION_PRIVATE_KEY, EXPORT_ENCRYPTION_KEY_ID
+  // Optional data-at-rest secrets/vars:
+  // - DATA_AT_REST_ENCRYPTION_ENABLED=true
+  // - DATA_AT_REST_ENCRYPTION_PRIVATE_KEY (required for decrypting encrypted records)
+  // - DATA_AT_REST_ENCRYPTION_PUBLIC_KEY and DATA_AT_REST_ENCRYPTION_KEY_ID (required when encrypt-on-write is enabled)
   "name": "DATA_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
-  "compatibility_date": "2026-03-23",
+  "compatibility_date": "2026-03-24",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/image-worker/package.json

@@ -5,13 +5,10 @@
 	"scripts": {
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {

package/workers/image-worker/src/encryption-utils.ts

@@ -0,0 +1,217 @@
+export function base64UrlDecode(value: string): Uint8Array {
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+  const padding = '='.repeat((4 - (normalized.length % 4)) % 4);
+  const decoded = atob(normalized + padding);
+  const bytes = new Uint8Array(decoded.length);
+
+  for (let i = 0; i < decoded.length; i += 1) {
+    bytes[i] = decoded.charCodeAt(i);
+  }
+
+  return bytes;
+}
+
+export function base64UrlEncode(value: Uint8Array): string {
+  let binary = '';
+  const chunkSize = 8192;
+
+  for (let i = 0; i < value.length; i += chunkSize) {
+    const chunk = value.subarray(i, Math.min(i + chunkSize, value.length));
+    for (let j = 0; j < chunk.length; j += 1) {
+      binary += String.fromCharCode(chunk[j]);
+    }
+  }
+
+  return btoa(binary)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
+const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
+
+export interface DataAtRestEnvelope {
+  algorithm: string;
+  encryptionVersion: string;
+  keyId: string;
+  dataIv: string;
+  wrappedKey: string;
+}
+
+interface EncryptBinaryAtRestResult {
+  ciphertext: Uint8Array;
+  envelope: DataAtRestEnvelope;
+}
+
+function parseSpkiPublicKey(publicKey: string): ArrayBuffer {
+  const normalizedKey = publicKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PUBLIC KEY-----', '')
+    .replace('-----END PUBLIC KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption public key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+function parsePkcs8PrivateKey(privateKey: string): ArrayBuffer {
+  const normalizedKey = privateKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PRIVATE KEY-----', '')
+    .replace('-----END PRIVATE KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption private key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+async function importRsaOaepPrivateKey(privateKeyPem: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'pkcs8',
+    parsePkcs8PrivateKey(privateKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['decrypt']
+  );
+}
+
+async function importRsaOaepPublicKey(publicKeyPem: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'spki',
+    parseSpkiPublicKey(publicKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['encrypt']
+  );
+}
+
+async function createAesGcmKey(usages: KeyUsage[]): Promise<CryptoKey> {
+  return crypto.subtle.generateKey(
+    {
+      name: 'AES-GCM',
+      length: 256
+    },
+    true,
+    usages
+  ) as Promise<CryptoKey>;
+}
+
+async function wrapAesKey(aesKey: CryptoKey, publicKeyPem: string): Promise<string> {
+  const rsaPublicKey = await importRsaOaepPublicKey(publicKeyPem);
+  const rawAesKey = await crypto.subtle.exportKey('raw', aesKey);
+  const wrappedKey = await crypto.subtle.encrypt(
+    { name: 'RSA-OAEP' },
+    rsaPublicKey,
+    rawAesKey as BufferSource
+  );
+
+  return base64UrlEncode(new Uint8Array(wrappedKey));
+}
+
+async function unwrapAesKey(wrappedKeyBase64: string, privateKeyPem: string): Promise<CryptoKey> {
+  const rsaPrivateKey = await importRsaOaepPrivateKey(privateKeyPem);
+  const wrappedKeyBytes = base64UrlDecode(wrappedKeyBase64);
+
+  const rawAesKey = await crypto.subtle.decrypt(
+    { name: 'RSA-OAEP' },
+    rsaPrivateKey,
+    wrappedKeyBytes as BufferSource
+  );
+
+  return crypto.subtle.importKey(
+    'raw',
+    rawAesKey,
+    { name: 'AES-GCM' },
+    false,
+    ['encrypt', 'decrypt']
+  );
+}
+
+export function validateEnvelope(envelope: DataAtRestEnvelope): void {
+  if (envelope.algorithm !== DATA_AT_REST_ENCRYPTION_ALGORITHM) {
+    throw new Error('Unsupported data-at-rest encryption algorithm');
+  }
+
+  if (envelope.encryptionVersion !== DATA_AT_REST_ENCRYPTION_VERSION) {
+    throw new Error('Unsupported data-at-rest encryption version');
+  }
+}
+
+export async function encryptBinaryForStorage(
+  plaintextBytes: ArrayBuffer,
+  publicKeyPem: string,
+  keyId: string
+): Promise<EncryptBinaryAtRestResult> {
+  const aesKey = await createAesGcmKey(['encrypt', 'decrypt']);
+  const wrappedKey = await wrapAesKey(aesKey, publicKeyPem);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    plaintextBytes as BufferSource
+  );
+
+  return {
+    ciphertext: new Uint8Array(encryptedBuffer),
+    envelope: {
+      algorithm: DATA_AT_REST_ENCRYPTION_ALGORITHM,
+      encryptionVersion: DATA_AT_REST_ENCRYPTION_VERSION,
+      keyId,
+      dataIv: base64UrlEncode(iv),
+      wrappedKey
+    }
+  };
+}
+
+export async function decryptBinaryFromStorage(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  privateKeyPem: string
+): Promise<ArrayBuffer> {
+  validateEnvelope(envelope);
+
+  const aesKey = await unwrapAesKey(envelope.wrappedKey, privateKeyPem);
+  const iv = base64UrlDecode(envelope.dataIv);
+
+  return crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+}