@striae-org/striae 5.0.0 → 5.1.0

package/workers/data-worker/package.json

@@ -5,13 +5,10 @@
 	"scripts": {
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {

package/workers/data-worker/src/data-worker.example.ts

@@ -1,5 +1,11 @@
 import { signPayload as signWithWorkerKey } from './signature-utils';
-import { decryptExportData, decryptImageBlob } from './encryption-utils';
+import {
+  decryptExportData,
+  decryptImageBlob,
+  decryptJsonFromStorage,
+  encryptJsonForStorage,
+  type DataAtRestEnvelope
+} from './encryption-utils';
 import {
   AUDIT_EXPORT_SIGNATURE_VERSION,
   CONFIRMATION_SIGNATURE_VERSION,
@@ -23,6 +29,10 @@ interface Env {
   MANIFEST_SIGNING_KEY_ID: string;
   EXPORT_ENCRYPTION_PRIVATE_KEY?: string;
   EXPORT_ENCRYPTION_KEY_ID?: string;
+  DATA_AT_REST_ENCRYPTION_ENABLED?: string;
+  DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
+  DATA_AT_REST_ENCRYPTION_PUBLIC_KEY?: string;
+  DATA_AT_REST_ENCRYPTION_KEY_ID?: string;
 }
 
 interface SuccessResponse {
@@ -54,6 +64,203 @@ const SIGN_MANIFEST_PATH = '/api/forensic/sign-manifest';
 const SIGN_CONFIRMATION_PATH = '/api/forensic/sign-confirmation';
 const SIGN_AUDIT_EXPORT_PATH = '/api/forensic/sign-audit-export';
 const DECRYPT_EXPORT_PATH = '/api/forensic/decrypt-export';
+const DATA_AT_REST_BACKFILL_PATH = '/api/admin/data-at-rest-backfill';
+const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
+const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
+
+function isDataAtRestEncryptionEnabled(env: Env): boolean {
+  const value = env.DATA_AT_REST_ENCRYPTION_ENABLED;
+  if (!value) {
+    return false;
+  }
+
+  const normalizedValue = value.trim().toLowerCase();
+  return normalizedValue === '1' || normalizedValue === 'true' || normalizedValue === 'yes' || normalizedValue === 'on';
+}
+
+function extractDataAtRestEnvelope(file: R2ObjectBody): DataAtRestEnvelope | null {
+  const metadata = file.customMetadata;
+  if (!metadata) {
+    return null;
+  }
+
+  const {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  } = metadata;
+
+  if (
+    typeof algorithm !== 'string' ||
+    typeof encryptionVersion !== 'string' ||
+    typeof keyId !== 'string' ||
+    typeof dataIv !== 'string' ||
+    typeof wrappedKey !== 'string'
+  ) {
+    return null;
+  }
+
+  return {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  };
+}
+
+function hasDataAtRestMetadata(metadata: Record<string, string> | undefined): boolean {
+  if (!metadata) {
+    return false;
+  }
+
+  return (
+    typeof metadata.algorithm === 'string' &&
+    typeof metadata.encryptionVersion === 'string' &&
+    typeof metadata.keyId === 'string' &&
+    typeof metadata.dataIv === 'string' &&
+    typeof metadata.wrappedKey === 'string'
+  );
+}
+
+function clampBackfillBatchSize(size: number | undefined): number {
+  if (typeof size !== 'number' || !Number.isFinite(size)) {
+    return 100;
+  }
+
+  const normalized = Math.floor(size);
+  if (normalized < 1) {
+    return 1;
+  }
+
+  if (normalized > 1000) {
+    return 1000;
+  }
+
+  return normalized;
+}
+
+async function handleDataAtRestBackfill(request: Request, env: Env): Promise<Response> {
+  if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
+    return createResponse(
+      { error: 'Data-at-rest encryption is not configured for backfill writes' },
+      400
+    );
+  }
+
+  const requestBody = await request.json().catch(() => ({})) as {
+    dryRun?: boolean;
+    prefix?: string;
+    cursor?: string;
+    batchSize?: number;
+  };
+
+  const dryRun = requestBody.dryRun === true;
+  const prefix = typeof requestBody.prefix === 'string' ? requestBody.prefix : '';
+  const cursor = typeof requestBody.cursor === 'string' && requestBody.cursor.length > 0
+    ? requestBody.cursor
+    : undefined;
+  const batchSize = clampBackfillBatchSize(requestBody.batchSize);
+
+  const bucket = env.STRIAE_DATA;
+  const listed = await bucket.list({
+    prefix: prefix.length > 0 ? prefix : undefined,
+    cursor,
+    limit: batchSize
+  });
+
+  let scanned = 0;
+  let eligible = 0;
+  let encrypted = 0;
+  let skippedEncrypted = 0;
+  let skippedNonJson = 0;
+  let failed = 0;
+  const failures: Array<{ key: string; error: string }> = [];
+
+  for (const object of listed.objects) {
+    scanned += 1;
+    const key = object.key;
+
+    if (!key.endsWith('.json')) {
+      skippedNonJson += 1;
+      continue;
+    }
+
+    const objectHead = await bucket.head(key);
+    if (!objectHead) {
+      failed += 1;
+      if (failures.length < 20) {
+        failures.push({ key, error: 'Object not found during metadata check' });
+      }
+      continue;
+    }
+
+    if (hasDataAtRestMetadata(objectHead.customMetadata)) {
+      skippedEncrypted += 1;
+      continue;
+    }
+
+    eligible += 1;
+
+    if (dryRun) {
+      continue;
+    }
+
+    try {
+      const existingObject = await bucket.get(key);
+      if (!existingObject) {
+        failed += 1;
+        if (failures.length < 20) {
+          failures.push({ key, error: 'Object disappeared before processing' });
+        }
+        continue;
+      }
+
+      const plaintext = await existingObject.text();
+      const encryptedPayload = await encryptJsonForStorage(
+        plaintext,
+        env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+        env.DATA_AT_REST_ENCRYPTION_KEY_ID
+      );
+
+      await bucket.put(key, encryptedPayload.ciphertext, {
+        customMetadata: {
+          algorithm: encryptedPayload.envelope.algorithm,
+          encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+          keyId: encryptedPayload.envelope.keyId,
+          dataIv: encryptedPayload.envelope.dataIv,
+          wrappedKey: encryptedPayload.envelope.wrappedKey
+        }
+      });
+
+      encrypted += 1;
+    } catch (error) {
+      failed += 1;
+      if (failures.length < 20) {
+        const errorMessage = error instanceof Error ? error.message : 'Unknown backfill failure';
+        failures.push({ key, error: errorMessage });
+      }
+    }
+  }
+
+  return createResponse({
+    success: failed === 0,
+    dryRun,
+    prefix: prefix.length > 0 ? prefix : null,
+    batchSize,
+    scanned,
+    eligible,
+    encrypted,
+    skippedEncrypted,
+    skippedNonJson,
+    failed,
+    failures,
+    hasMore: listed.truncated,
+    nextCursor: listed.truncated ? listed.cursor : null
+  });
+}
 
 async function signPayloadWithWorkerKey(payload: string, env: Env): Promise<{
   algorithm: string;
@@ -353,6 +560,10 @@ export default {
         return await handleDecryptExport(request, env);
       }
 
+      if (request.method === 'POST' && pathname === DATA_AT_REST_BACKFILL_PATH) {
+        return await handleDataAtRestBackfill(request, env);
+      }
+
       const filename = pathname.slice(1) || 'data.json';
 
       if (!filename.endsWith('.json')) {
@@ -365,6 +576,39 @@ export default {
           if (!file) {
             return createResponse([], 200);
           }
+
+          const atRestEnvelope = extractDataAtRestEnvelope(file);
+          if (atRestEnvelope) {
+            if (atRestEnvelope.algorithm !== DATA_AT_REST_ENCRYPTION_ALGORITHM) {
+              return createResponse({ error: 'Unsupported data-at-rest encryption algorithm' }, 500);
+            }
+
+            if (atRestEnvelope.encryptionVersion !== DATA_AT_REST_ENCRYPTION_VERSION) {
+              return createResponse({ error: 'Unsupported data-at-rest encryption version' }, 500);
+            }
+
+            if (!env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY) {
+              return createResponse(
+                { error: 'Data-at-rest decryption is not configured on this server' },
+                500
+              );
+            }
+
+            try {
+              const encryptedData = await file.arrayBuffer();
+              const plaintext = await decryptJsonFromStorage(
+                encryptedData,
+                atRestEnvelope,
+                env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY
+              );
+              const decryptedPayload = JSON.parse(plaintext);
+              return createResponse(decryptedPayload);
+            } catch (error) {
+              console.error('Data-at-rest decryption failed:', error);
+              return createResponse({ error: 'Failed to decrypt stored data' }, 500);
+            }
+          }
+
           const fileText = await file.text();
           const data = JSON.parse(fileText);
           return createResponse(data);
@@ -372,7 +616,41 @@ export default {
 
         case 'PUT': {
           const newData = await request.json();
-          await bucket.put(filename, JSON.stringify(newData));
+          const serializedData = JSON.stringify(newData);
+
+          if (!isDataAtRestEncryptionEnabled(env)) {
+            await bucket.put(filename, serializedData);
+            return createResponse({ success: true });
+          }
+
+          if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
+            return createResponse(
+              { error: 'Data-at-rest encryption is enabled but not fully configured' },
+              500
+            );
+          }
+
+          try {
+            const encryptedPayload = await encryptJsonForStorage(
+              serializedData,
+              env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+              env.DATA_AT_REST_ENCRYPTION_KEY_ID
+            );
+
+            await bucket.put(filename, encryptedPayload.ciphertext, {
+              customMetadata: {
+                algorithm: encryptedPayload.envelope.algorithm,
+                encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+                keyId: encryptedPayload.envelope.keyId,
+                dataIv: encryptedPayload.envelope.dataIv,
+                wrappedKey: encryptedPayload.envelope.wrappedKey
+              }
+            });
+          } catch (error) {
+            console.error('Data-at-rest encryption failed:', error);
+            return createResponse({ error: 'Failed to encrypt data for storage' }, 500);
+          }
+
           return createResponse({ success: true });
         }
 

package/workers/data-worker/src/encryption-utils.ts

@@ -11,6 +11,64 @@ export function base64UrlDecode(value: string): Uint8Array {
   return bytes;
 }
 
+export function base64UrlEncode(value: Uint8Array): string {
+  let binary = '';
+  const chunkSize = 8192;
+
+  for (let i = 0; i < value.length; i += chunkSize) {
+    const chunk = value.subarray(i, Math.min(i + chunkSize, value.length));
+    for (let j = 0; j < chunk.length; j += 1) {
+      binary += String.fromCharCode(chunk[j]);
+    }
+  }
+
+  return btoa(binary)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
+const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
+
+export interface DataAtRestEnvelope {
+  algorithm: string;
+  encryptionVersion: string;
+  keyId: string;
+  dataIv: string;
+  wrappedKey: string;
+}
+
+interface EncryptJsonAtRestResult {
+  ciphertext: Uint8Array;
+  envelope: DataAtRestEnvelope;
+}
+
+function parseSpkiPublicKey(publicKey: string): ArrayBuffer {
+  const normalizedKey = publicKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PUBLIC KEY-----', '')
+    .replace('-----END PUBLIC KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption public key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
 function parsePkcs8PrivateKey(privateKey: string): ArrayBuffer {
   const normalizedKey = privateKey
     .trim()
@@ -54,6 +112,47 @@ async function importRsaOaepPrivateKey(privateKeyPem: string): Promise<CryptoKey
   return key;
 }
 
+async function importRsaOaepPublicKey(publicKeyPem: string): Promise<CryptoKey> {
+  const key = await crypto.subtle.importKey(
+    'spki',
+    parseSpkiPublicKey(publicKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['encrypt']
+  );
+
+  return key;
+}
+
+async function createAesGcmKey(usages: KeyUsage[]): Promise<CryptoKey> {
+  return crypto.subtle.generateKey(
+    {
+      name: 'AES-GCM',
+      length: 256
+    },
+    true,
+    usages
+  ) as Promise<CryptoKey>;
+}
+
+async function wrapAesKey(
+  aesKey: CryptoKey,
+  publicKeyPem: string
+): Promise<string> {
+  const rsaPublicKey = await importRsaOaepPublicKey(publicKeyPem);
+  const rawAesKey = await crypto.subtle.exportKey('raw', aesKey);
+  const wrappedKey = await crypto.subtle.encrypt(
+    { name: 'RSA-OAEP' },
+    rsaPublicKey,
+    rawAesKey as BufferSource
+  );
+
+  return base64UrlEncode(new Uint8Array(wrappedKey));
+}
+
 /**
  * Decrypt AES key from RSA-OAEP wrapped form
  */
@@ -75,10 +174,55 @@ async function unwrapAesKey(
     rawAesKey,
     { name: 'AES-GCM' },
     false,
-    ['decrypt']
+    ['encrypt', 'decrypt']
   );
 }
 
+export async function encryptJsonForStorage(
+  plaintextJson: string,
+  publicKeyPem: string,
+  keyId: string
+): Promise<EncryptJsonAtRestResult> {
+  const aesKey = await createAesGcmKey(['encrypt', 'decrypt']);
+  const wrappedKey = await wrapAesKey(aesKey, publicKeyPem);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+
+  const plaintextBytes = new TextEncoder().encode(plaintextJson);
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    plaintextBytes as BufferSource
+  );
+
+  return {
+    ciphertext: new Uint8Array(encryptedBuffer),
+    envelope: {
+      algorithm: DATA_AT_REST_ENCRYPTION_ALGORITHM,
+      encryptionVersion: DATA_AT_REST_ENCRYPTION_VERSION,
+      keyId,
+      dataIv: base64UrlEncode(iv),
+      wrappedKey
+    }
+  };
+}
+
+export async function decryptJsonFromStorage(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  privateKeyPem: string
+): Promise<string> {
+  const aesKey = await unwrapAesKey(envelope.wrappedKey, privateKeyPem);
+  const iv = base64UrlDecode(envelope.dataIv);
+
+  const plaintext = await crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+
+  return new TextDecoder().decode(plaintext);
+}
+
 /**
  * Decrypt data file (plaintext JSON/CSV)
  */

package/workers/data-worker/wrangler.jsonc.example

@@ -1,5 +1,9 @@
 {
   // Required secrets: R2_KEY_SECRET, MANIFEST_SIGNING_PRIVATE_KEY, MANIFEST_SIGNING_KEY_ID, EXPORT_ENCRYPTION_PRIVATE_KEY, EXPORT_ENCRYPTION_KEY_ID
+  // Optional data-at-rest secrets/vars:
+  // - DATA_AT_REST_ENCRYPTION_ENABLED=true
+  // - DATA_AT_REST_ENCRYPTION_PRIVATE_KEY (required for decrypting encrypted records)
+  // - DATA_AT_REST_ENCRYPTION_PUBLIC_KEY and DATA_AT_REST_ENCRYPTION_KEY_ID (required when encrypt-on-write is enabled)
   "name": "DATA_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",

package/workers/image-worker/package.json

@@ -5,13 +5,10 @@
 	"scripts": {
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {