@striae-org/striae 5.0.0 → 5.1.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "5.0.0",
+  "version": "5.1.1",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -106,7 +106,7 @@
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",
     "deploy-workers:keys": "cd workers/keys-worker && npm run deploy",
     "deploy-workers:pdf": "cd workers/pdf-worker && npm run deploy",
-    "deploy-workers:user": "cd workers/user-worker && npm run deploy"
+    "deploy-workers:user": "cd workers/user-worker && npm run deploy"    
   },
   "dependencies": {
     "@react-router/cloudflare": "^7.13.2",

package/scripts/deploy-config.sh

@@ -81,13 +81,23 @@ require_command grep
 
 is_placeholder() {
     local value="$1"
-    local normalized=$(echo "$value" | tr '[:upper:]' '[:lower:]')
+    local normalized
+
+    normalized=$(printf '%s' "$value" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
+    normalized=$(printf '%s' "$normalized" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+    normalized=${normalized#\"}
+    normalized=${normalized%\"}
 
     if [ -z "$normalized" ]; then
         return 1
     fi
 
-    [[ "$normalized" == your_*_here ]]
+    [[ "$normalized" =~ ^your_[a-z0-9_]+_here$ || \
+       "$normalized" =~ ^your-[a-z0-9-]+-here$ || \
+       "$normalized" == "placeholder" || \
+       "$normalized" == "changeme" || \
+       "$normalized" == "replace_me" || \
+       "$normalized" == "replace-me" ]]
 }
 
 # Check if .env file exists
@@ -334,7 +344,7 @@ write_env_var() {
     var_value=$(strip_carriage_returns "$var_value")
     env_file_value="$var_value"
 
-    if [ "$var_name" = "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PUBLIC_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PUBLIC_KEY" ]; then
+    if [ "$var_name" = "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PUBLIC_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" ]; then
         # Store as a quoted string so sourced .env preserves escaped newline markers (\n)
         env_file_value=${env_file_value//\"/\\\"}
         env_file_value="\"$env_file_value\""
@@ -590,6 +600,117 @@ configure_export_encryption_credentials() {
     echo ""
 }
 
+generate_data_at_rest_encryption_key_pair() {
+    local private_key_file
+    local public_key_file
+    private_key_file=$(mktemp)
+    public_key_file=$(mktemp)
+
+    if ! node -e "const { generateKeyPairSync } = require('crypto'); const fs = require('fs'); const pair = generateKeyPairSync('rsa', { modulusLength: 2048, publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem' } }); fs.writeFileSync(process.argv[1], pair.privateKey, 'utf8'); fs.writeFileSync(process.argv[2], pair.publicKey, 'utf8');" "$private_key_file" "$public_key_file"; then
+        rm -f "$private_key_file" "$public_key_file"
+        return 1
+    fi
+
+    local private_key_pem
+    local public_key_pem
+    private_key_pem=$(cat "$private_key_file")
+    public_key_pem=$(cat "$public_key_file")
+    rm -f "$private_key_file" "$public_key_file"
+
+    private_key_pem="${private_key_pem//$'\r'/}"
+    public_key_pem="${public_key_pem//$'\r'/}"
+
+    DATA_AT_REST_ENCRYPTION_PRIVATE_KEY="${private_key_pem//$'\n'/\\n}"
+    DATA_AT_REST_ENCRYPTION_PUBLIC_KEY="${public_key_pem//$'\n'/\\n}"
+
+    export DATA_AT_REST_ENCRYPTION_PRIVATE_KEY
+    export DATA_AT_REST_ENCRYPTION_PUBLIC_KEY
+
+    write_env_var "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY"
+    write_env_var "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"
+
+    return 0
+}
+
+configure_data_at_rest_encryption_credentials() {
+    echo -e "${BLUE}🗃️ DATA-AT-REST ENCRYPTION CONFIGURATION${NC}"
+    echo "========================================"
+
+    # Data-at-rest encryption is mandatory for all environments.
+    DATA_AT_REST_ENCRYPTION_ENABLED="true"
+
+    export DATA_AT_REST_ENCRYPTION_ENABLED
+    write_env_var "DATA_AT_REST_ENCRYPTION_ENABLED" "$DATA_AT_REST_ENCRYPTION_ENABLED"
+    echo -e "${GREEN}✅ DATA_AT_REST_ENCRYPTION_ENABLED: $DATA_AT_REST_ENCRYPTION_ENABLED${NC}"
+
+    local should_generate="false"
+    local regenerate_choice=""
+
+    if [ "$update_env" = "true" ]; then
+        should_generate="true"
+    elif [ -z "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" || [ -z "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"; then
+        should_generate="true"
+    else
+        echo -e "${GREEN}Current data-at-rest encryption key pair: [HIDDEN]${NC}"
+        read -p "Generate new data-at-rest encryption key pair? (press Enter to keep current, or type 'y' to regenerate): " regenerate_choice
+        regenerate_choice=$(strip_carriage_returns "$regenerate_choice")
+        if [ "$regenerate_choice" = "y" ] || [ "$regenerate_choice" = "Y" ]; then
+            should_generate="true"
+        fi
+    fi
+
+    if [ "$should_generate" = "true" ]; then
+        echo -e "${YELLOW}Generating data-at-rest encryption RSA key pair...${NC}"
+        if generate_data_at_rest_encryption_key_pair; then
+            echo -e "${GREEN}✅ Data-at-rest encryption key pair generated${NC}"
+        else
+            echo -e "${RED}❌ Error: Failed to generate data-at-rest encryption key pair${NC}"
+            exit 1
+        fi
+    else
+        echo -e "${GREEN}✅ Keeping current data-at-rest encryption key pair${NC}"
+    fi
+
+    if [ -z "$DATA_AT_REST_ENCRYPTION_KEY_ID" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_KEY_ID" || [ "$should_generate" = "true" ]; then
+        local generated_key_id
+        generated_key_id=$(generate_worker_subdomain_label)
+        if [ -z "$generated_key_id" ] || [ ${#generated_key_id} -ne 10 ]; then
+            echo -e "${RED}❌ Error: Failed to generate DATA_AT_REST_ENCRYPTION_KEY_ID${NC}"
+            exit 1
+        fi
+        DATA_AT_REST_ENCRYPTION_KEY_ID="$generated_key_id"
+        export DATA_AT_REST_ENCRYPTION_KEY_ID
+        write_env_var "DATA_AT_REST_ENCRYPTION_KEY_ID" "$DATA_AT_REST_ENCRYPTION_KEY_ID"
+        echo -e "${GREEN}✅ DATA_AT_REST_ENCRYPTION_KEY_ID generated: $DATA_AT_REST_ENCRYPTION_KEY_ID${NC}"
+    else
+        echo -e "${GREEN}✅ DATA_AT_REST_ENCRYPTION_KEY_ID: $DATA_AT_REST_ENCRYPTION_KEY_ID${NC}"
+    fi
+
+    echo ""
+}
+
+validate_data_at_rest_encryption_settings() {
+    local enabled_normalized
+    enabled_normalized=$(printf '%s' "${DATA_AT_REST_ENCRYPTION_ENABLED:-false}" | tr '[:upper:]' '[:lower:]')
+
+    if [ "$enabled_normalized" = "1" ] || [ "$enabled_normalized" = "true" ] || [ "$enabled_normalized" = "yes" ] || [ "$enabled_normalized" = "on" ]; then
+        if [ -z "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY"; then
+            echo -e "${RED}❌ Error: DATA_AT_REST_ENCRYPTION_PRIVATE_KEY is required when DATA_AT_REST_ENCRYPTION_ENABLED is true${NC}"
+            exit 1
+        fi
+
+        if [ -z "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"; then
+            echo -e "${RED}❌ Error: DATA_AT_REST_ENCRYPTION_PUBLIC_KEY is required when DATA_AT_REST_ENCRYPTION_ENABLED is true${NC}"
+            exit 1
+        fi
+
+        if [ -z "$DATA_AT_REST_ENCRYPTION_KEY_ID" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_KEY_ID"; then
+            echo -e "${RED}❌ Error: DATA_AT_REST_ENCRYPTION_KEY_ID is required when DATA_AT_REST_ENCRYPTION_ENABLED is true${NC}"
+            exit 1
+        fi
+    fi
+}
+
 # Validate required variables
 required_vars=(
     # Core Cloudflare Configuration
@@ -634,15 +755,14 @@ required_vars=(
     # Storage Configuration (required for config replacement)
     "DATA_BUCKET_NAME"
     "AUDIT_BUCKET_NAME"
+    "FILES_BUCKET_NAME"
     "KV_STORE_ID"
     
     # Worker-Specific Secrets (required for deployment)
     "KEYS_AUTH"
     "PDF_WORKER_AUTH"
-    "ACCOUNT_HASH"
-    "API_TOKEN"
+    "IMAGE_SIGNED_URL_SECRET"
     "BROWSER_API_TOKEN"
-    "HMAC_KEY"
     "MANIFEST_SIGNING_PRIVATE_KEY"
     "MANIFEST_SIGNING_KEY_ID"
     "MANIFEST_SIGNING_PUBLIC_KEY"
@@ -824,10 +944,10 @@ validate_generated_configs() {
 
     assert_contains_literal "workers/data-worker/wrangler.jsonc" "$DATA_BUCKET_NAME" "DATA_BUCKET_NAME missing in data worker config"
     assert_contains_literal "workers/audit-worker/wrangler.jsonc" "$AUDIT_BUCKET_NAME" "AUDIT_BUCKET_NAME missing in audit worker config"
+    assert_contains_literal "workers/image-worker/wrangler.jsonc" "$FILES_BUCKET_NAME" "FILES_BUCKET_NAME missing in image worker config"
     assert_contains_literal "workers/user-worker/wrangler.jsonc" "$KV_STORE_ID" "KV_STORE_ID missing in user worker config"
 
     assert_contains_literal "app/config/config.json" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in app/config/config.json"
-    assert_contains_literal "app/config/config.json" "$ACCOUNT_HASH" "ACCOUNT_HASH missing in app/config/config.json"
     assert_contains_literal "app/config/config.json" "$EXPORT_ENCRYPTION_KEY_ID" "EXPORT_ENCRYPTION_KEY_ID missing in app/config/config.json"
     assert_contains_literal "app/config/config.json" "\"export_encryption_public_key\":" "export_encryption_public_key missing in app/config/config.json"
     assert_contains_literal "app/routes/auth/login.tsx" "const APP_CANONICAL_ORIGIN = 'https://$PAGES_CUSTOM_DOMAIN';" "PAGES_CUSTOM_DOMAIN missing in app/routes/auth/login.tsx canonical origin"
@@ -848,7 +968,7 @@ validate_generated_configs() {
     assert_contains_literal "workers/user-worker/src/user-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in user-worker source"
 
     local placeholder_pattern
-    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|KEYS_WORKER_NAME|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|KEYS_WORKER_DOMAIN|USER_WORKER_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN|PDF_WORKER_DOMAIN|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|KV_STORE_ID|ACCOUNT_HASH|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\"|'(PAGES_CUSTOM_DOMAIN|DATA_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN)')"
+    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|KEYS_WORKER_NAME|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|KEYS_WORKER_DOMAIN|USER_WORKER_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN|PDF_WORKER_DOMAIN|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|KV_STORE_ID|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\"|'(PAGES_CUSTOM_DOMAIN|DATA_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN)')"
 
     local files_to_scan=(
         "wrangler.toml"
@@ -880,6 +1000,7 @@ run_validation_checkpoint() {
     validate_required_vars
     validate_env_value_formats
     validate_env_file_entries
+    validate_data_at_rest_encryption_settings
     validate_generated_configs
 }
 
@@ -1108,6 +1229,58 @@ prompt_for_secrets() {
     fi
     
     # Function to prompt for a variable
+    is_auto_generated_secret_var() {
+        local var_name=$1
+        case "$var_name" in
+            USER_DB_AUTH|R2_KEY_SECRET|KEYS_AUTH|PDF_WORKER_AUTH|IMAGES_API_TOKEN|IMAGE_SIGNED_URL_SECRET)
+                return 0
+                ;;
+            *)
+                return 1
+                ;;
+        esac
+    }
+
+    is_secret_placeholder_value() {
+        local var_name=$1
+        local value=$2
+        case "$var_name" in
+            USER_DB_AUTH)
+                [ "$value" = "your_custom_user_db_auth_token_here" ]
+                ;;
+            R2_KEY_SECRET)
+                [ "$value" = "your_custom_r2_secret_here" ]
+                ;;
+            KEYS_AUTH)
+                [ "$value" = "your_custom_keys_auth_token_here" ]
+                ;;
+            PDF_WORKER_AUTH)
+                [ "$value" = "your_custom_pdf_worker_auth_token_here" ]
+                ;;
+            IMAGES_API_TOKEN)
+                [ "$value" = "your_cloudflare_images_api_token_here" ]
+                ;;
+            IMAGE_SIGNED_URL_SECRET)
+                [ "$value" = "your_image_signed_url_secret_here" ]
+                ;;
+            *)
+                return 1
+                ;;
+        esac
+    }
+
+    generate_secret_value() {
+        local var_name=$1
+        case "$var_name" in
+            IMAGE_SIGNED_URL_SECRET)
+                openssl rand -base64 48 2>/dev/null | tr '+/' '-_' | tr -d '='
+                ;;
+            *)
+                openssl rand -hex 32 2>/dev/null
+                ;;
+        esac
+    }
+
     prompt_for_var() {
         local var_name=$1
         local description=$2
@@ -1121,19 +1294,19 @@ prompt_for_secrets() {
             current_value=$(resolve_existing_domain_value "$var_name" "$current_value")
         fi
         
-        # Auto-generate specific authentication secrets - but allow keeping current
-        if [ "$var_name" = "USER_DB_AUTH" ] || [ "$var_name" = "R2_KEY_SECRET" ] || [ "$var_name" = "KEYS_AUTH" ] || [ "$var_name" = "PDF_WORKER_AUTH" ]; then
+        # Auto-generate selected secrets - but allow keeping current.
+        if is_auto_generated_secret_var "$var_name"; then
             echo -e "${BLUE}$var_name${NC}"
             echo -e "${YELLOW}$description${NC}"
             
-            if [ "$update_env" != "true" ] && [ -n "$current_value" ] && ! is_placeholder "$current_value" && [ "$current_value" != "your_custom_user_db_auth_token_here" ] && [ "$current_value" != "your_custom_r2_secret_here" ] && [ "$current_value" != "your_custom_keys_auth_token_here" ] && [ "$current_value" != "your_custom_pdf_worker_auth_token_here" ]; then
+            if [ "$update_env" != "true" ] && [ -n "$current_value" ] && ! is_placeholder "$current_value" && ! is_secret_placeholder_value "$var_name" "$current_value"; then
                 # Current value exists and is not a placeholder
                 echo -e "${GREEN}Current value: [HIDDEN]${NC}"
                 read -p "Generate new secret? (press Enter to keep current, or type 'y' to generate): " gen_choice
                 gen_choice=$(strip_carriage_returns "$gen_choice")
                 
                 if [ "$gen_choice" = "y" ] || [ "$gen_choice" = "Y" ]; then
-                    new_value=$(openssl rand -hex 32 2>/dev/null || echo "")
+                    new_value=$(generate_secret_value "$var_name" || echo "")
                     if [ -n "$new_value" ]; then
                         echo -e "${GREEN}✅ $var_name auto-generated${NC}"
                     else
@@ -1160,7 +1333,7 @@ prompt_for_secrets() {
             else
                 # No current value or placeholder value - auto-generate
                 echo -e "${YELLOW}Auto-generating secret...${NC}"
-                new_value=$(openssl rand -hex 32 2>/dev/null || echo "")
+                new_value=$(generate_secret_value "$var_name" || echo "")
                 if [ -n "$new_value" ]; then
                     echo -e "${GREEN}✅ $var_name auto-generated${NC}"
                 else
@@ -1286,7 +1459,7 @@ prompt_for_secrets() {
     echo "==================================="
     prompt_for_var "USER_DB_AUTH" "Custom user database authentication token (generate with: openssl rand -hex 16)"
     prompt_for_var "R2_KEY_SECRET" "Custom R2 storage authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "IMAGES_API_TOKEN" "Cloudflare Images API token (shared between workers)"
+    prompt_for_var "IMAGES_API_TOKEN" "Image worker API token (shared between workers)"
     
     echo -e "${BLUE}🔥 FIREBASE AUTH CONFIGURATION${NC}"
     echo "==============================="
@@ -1385,19 +1558,19 @@ prompt_for_secrets() {
     echo "========================="
     prompt_for_var "DATA_BUCKET_NAME" "Your R2 bucket name for case data storage"
     prompt_for_var "AUDIT_BUCKET_NAME" "Your R2 bucket name for audit logs (separate from data bucket)"
+    prompt_for_var "FILES_BUCKET_NAME" "Your R2 bucket name for encrypted files storage"
     prompt_for_var "KV_STORE_ID" "Your KV namespace ID (UUID format)"
     
     echo -e "${BLUE}🔐 SERVICE-SPECIFIC SECRETS${NC}"
     echo "============================"
     prompt_for_var "KEYS_AUTH" "Keys worker authentication token (generate with: openssl rand -hex 16)"
     prompt_for_var "PDF_WORKER_AUTH" "PDF worker authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "ACCOUNT_HASH" "Cloudflare Images Account Hash"
-    prompt_for_var "API_TOKEN" "Cloudflare Images API token (for Images Worker)"
+    prompt_for_var "IMAGE_SIGNED_URL_SECRET" "Image signed URL secret (generate with: openssl rand -base64 48 | tr '+/' '-_' | tr -d '=')"
     prompt_for_var "BROWSER_API_TOKEN" "Cloudflare Browser Rendering API token (for PDF Worker)"
-    prompt_for_var "HMAC_KEY" "Cloudflare Images HMAC signing key"
 
     configure_manifest_signing_credentials
     configure_export_encryption_credentials
+    configure_data_at_rest_encryption_credentials
     
     # Reload the updated .env file
     source .env
@@ -1462,6 +1635,7 @@ update_wrangler_configs() {
         echo -e "${YELLOW}  Updating image-worker/wrangler.jsonc...${NC}"
         sed -i "s/\"IMAGES_WORKER_NAME\"/\"$IMAGES_WORKER_NAME\"/g" workers/image-worker/wrangler.jsonc
         sed -i "s/\"ACCOUNT_ID\"/\"$ACCOUNT_ID\"/g" workers/image-worker/wrangler.jsonc
+        sed -i "s/\"FILES_BUCKET_NAME\"/\"$FILES_BUCKET_NAME\"/g" workers/image-worker/wrangler.jsonc
         echo -e "${GREEN}    ✅ image-worker configuration updated${NC}"
     fi
     
@@ -1537,15 +1711,12 @@ update_wrangler_configs() {
         local escaped_manifest_signing_public_key
         local escaped_export_encryption_key_id
         local escaped_export_encryption_public_key
-        local escaped_account_hash
         escaped_manifest_signing_key_id=$(escape_for_sed_replacement "$MANIFEST_SIGNING_KEY_ID")
         escaped_manifest_signing_public_key=$(escape_for_sed_replacement "$MANIFEST_SIGNING_PUBLIC_KEY")
         escaped_export_encryption_key_id=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_KEY_ID")
         escaped_export_encryption_public_key=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_PUBLIC_KEY")
-        escaped_account_hash=$(escape_for_sed_replacement "$ACCOUNT_HASH")
 
         sed -i "s|\"url\": \"[^\"]*\"|\"url\": \"https://$escaped_pages_custom_domain\"|g" app/config/config.json
-        sed -i "s|\"account_hash\": \"[^\"]*\"|\"account_hash\": \"$escaped_account_hash\"|g" app/config/config.json
         sed -i "s|\"MANIFEST_SIGNING_KEY_ID\"|\"$escaped_manifest_signing_key_id\"|g" app/config/config.json
         sed -i "s|\"MANIFEST_SIGNING_PUBLIC_KEY\"|\"$escaped_manifest_signing_public_key\"|g" app/config/config.json
         sed -i "s|\"EXPORT_ENCRYPTION_KEY_ID\"|\"$escaped_export_encryption_key_id\"|g" app/config/config.json

package/scripts/deploy-pages-secrets.sh

@@ -172,12 +172,6 @@ deploy_pages_environment_secrets() {
         set_pages_secret "$secret" "$secret_value" "$pages_env"
     done
 
-    local optional_api_token
-    optional_api_token=$(get_optional_value "API_TOKEN")
-    if [ -n "$optional_api_token" ]; then
-        set_pages_secret "API_TOKEN" "$optional_api_token" "$pages_env"
-    fi
-
     local optional_primershear_emails
     optional_primershear_emails=$(get_optional_value "PRIMERSHEAR_EMAILS")
     if [ -n "$optional_primershear_emails" ]; then

package/scripts/deploy-worker-secrets.sh

@@ -95,6 +95,30 @@ load_required_admin_service_credentials() {
 
 load_required_admin_service_credentials
 
+build_audit_worker_secret_list() {
+    local secrets=(
+        "R2_KEY_SECRET"
+    )
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ENABLED:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ENABLED")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PUBLIC_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PUBLIC_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
+    fi
+
+    printf '%s\n' "${secrets[@]}"
+}
+
 # Function to set worker secrets
 set_worker_secrets() {
     local worker_name=$1
@@ -143,6 +167,34 @@ set_worker_secrets() {
     popd > /dev/null
 }
 
+build_data_worker_secret_list() {
+    local secrets=(
+        "R2_KEY_SECRET"
+        "MANIFEST_SIGNING_PRIVATE_KEY"
+        "MANIFEST_SIGNING_KEY_ID"
+        "EXPORT_ENCRYPTION_PRIVATE_KEY"
+        "EXPORT_ENCRYPTION_KEY_ID"
+    )
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ENABLED:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ENABLED")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PUBLIC_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PUBLIC_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
+    fi
+
+    printf '%s\n' "${secrets[@]}"
+}
+
 # Deploy secrets to each worker
 echo -e "\n${BLUE}🔐 Deploying secrets to workers...${NC}"
 
@@ -168,14 +220,18 @@ elif [ $workers_configured -lt $total_workers ]; then
 fi
 
 # Audit Worker
-if ! set_worker_secrets "Audit Worker" "workers/audit-worker" \
-    "R2_KEY_SECRET"; then
+audit_worker_secrets=()
+while IFS= read -r secret; do
+    audit_worker_secrets+=("$secret")
+done < <(build_audit_worker_secret_list)
+
+if ! set_worker_secrets "Audit Worker" "workers/audit-worker" "${audit_worker_secrets[@]}"; then
     echo -e "${YELLOW}⚠️  Skipping Audit Worker (not configured)${NC}"
 fi
 
 # Keys Worker
 if ! set_worker_secrets "Keys Worker" "workers/keys-worker" \
-    "KEYS_AUTH" "USER_DB_AUTH" "R2_KEY_SECRET" "ACCOUNT_HASH" "IMAGES_API_TOKEN" "PDF_WORKER_AUTH"; then
+    "KEYS_AUTH" "USER_DB_AUTH" "R2_KEY_SECRET" "IMAGES_API_TOKEN" "PDF_WORKER_AUTH"; then
     echo -e "${YELLOW}⚠️  Skipping Keys Worker (not configured)${NC}"
 fi
 
@@ -186,14 +242,18 @@ if ! set_worker_secrets "User Worker" "workers/user-worker" \
 fi
 
 # Data Worker
-if ! set_worker_secrets "Data Worker" "workers/data-worker" \
-    "R2_KEY_SECRET" "MANIFEST_SIGNING_PRIVATE_KEY" "MANIFEST_SIGNING_KEY_ID" "EXPORT_ENCRYPTION_PRIVATE_KEY" "EXPORT_ENCRYPTION_KEY_ID"; then
+data_worker_secrets=()
+while IFS= read -r secret; do
+    data_worker_secrets+=("$secret")
+done < <(build_data_worker_secret_list)
+
+if ! set_worker_secrets "Data Worker" "workers/data-worker" "${data_worker_secrets[@]}"; then
     echo -e "${YELLOW}⚠️  Skipping Data Worker (not configured)${NC}"
 fi
 
 # Images Worker
 if ! set_worker_secrets "Images Worker" "workers/image-worker" \
-    "ACCOUNT_ID" "API_TOKEN" "HMAC_KEY"; then
+    "IMAGES_API_TOKEN" "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" "DATA_AT_REST_ENCRYPTION_KEY_ID" "IMAGE_SIGNED_URL_SECRET"; then
     echo -e "${YELLOW}⚠️  Skipping Images Worker (not configured)${NC}"
 fi
 
@@ -210,6 +270,7 @@ echo "   - Copy wrangler.jsonc.example to wrangler.jsonc in each worker director
 echo "   - Configure KV namespace ID in workers/user-worker/wrangler.jsonc"
 echo "   - Configure R2 bucket name in workers/data-worker/wrangler.jsonc"
 echo "   - Configure R2 bucket name in workers/audit-worker/wrangler.jsonc"
+echo "   - Configure R2 bucket name in workers/image-worker/wrangler.jsonc"
 echo "   - Update ACCOUNT_ID and custom domains in all worker configurations"
 
 echo -e "\n${BLUE}📝 For manual deployment, use these commands:${NC}"

package/worker-configuration.d.ts

@@ -1,6 +1,6 @@
 /* eslint-disable */
-// Generated by Wrangler by running `wrangler types` (hash: 3509cf2c6fcfb4a2a6e6bd16efbe22b3)
-// Runtime types generated with workerd@1.20250823.0 2026-03-20 nodejs_compat
+// Generated by Wrangler by running `wrangler types` (hash: abf7efe3b0d9f2d66e012084f057d73b)
+// Runtime types generated with workerd@1.20250823.0 2026-03-24 nodejs_compat
 declare namespace Cloudflare {
 	interface Env {
 		ACCOUNT_ID: string;
@@ -27,22 +27,30 @@ declare namespace Cloudflare {
 		KV_STORE_ID: string;
 		DATA_WORKER_NAME: string;
 		DATA_BUCKET_NAME: string;
+		FILES_BUCKET_NAME: string;
 		DATA_WORKER_DOMAIN: string;
 		MANIFEST_SIGNING_PRIVATE_KEY: string;
 		MANIFEST_SIGNING_KEY_ID: string;
 		MANIFEST_SIGNING_PUBLIC_KEY: string;
+		EXPORT_ENCRYPTION_PRIVATE_KEY: string;
+		EXPORT_ENCRYPTION_KEY_ID: string;
+		EXPORT_ENCRYPTION_PUBLIC_KEY: string;
+		DATA_AT_REST_ENCRYPTION_PRIVATE_KEY: string;
+		DATA_AT_REST_ENCRYPTION_KEY_ID: string;
+		DATA_AT_REST_ENCRYPTION_PUBLIC_KEY: string;
 		AUDIT_WORKER_NAME: string;
 		AUDIT_BUCKET_NAME: string;
 		AUDIT_WORKER_DOMAIN: string;
 		IMAGES_WORKER_NAME: string;
 		IMAGES_WORKER_DOMAIN: string;
-		API_TOKEN: string;
-		HMAC_KEY: string;
+		IMAGE_SIGNED_URL_SECRET: string;
+		IMAGE_SIGNED_URL_TTL_SECONDS: string;
 		PDF_WORKER_NAME: string;
 		PDF_WORKER_DOMAIN: string;
 		PDF_WORKER_AUTH: string;
 		BROWSER_API_TOKEN: string;
 		PRIMERSHEAR_EMAILS: string;
+		DATA_AT_REST_ENCRYPTION_ENABLED: string;
 	}
 }
 interface Env extends Cloudflare.Env {}
@@ -50,7 +58,7 @@ type StringifyValues<EnvType extends Record<string, unknown>> = {
 	[Binding in keyof EnvType]: EnvType[Binding] extends string ? EnvType[Binding] : string;
 };
 declare namespace NodeJS {
-	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "KEYS_WORKER_NAME" | "KEYS_WORKER_DOMAIN" | "KEYS_AUTH" | "ACCOUNT_HASH" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "API_TOKEN" | "HMAC_KEY" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS">> {}
+	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "KEYS_WORKER_NAME" | "KEYS_WORKER_DOMAIN" | "KEYS_AUTH" | "ACCOUNT_HASH" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "FILES_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "EXPORT_ENCRYPTION_PRIVATE_KEY" | "EXPORT_ENCRYPTION_KEY_ID" | "EXPORT_ENCRYPTION_PUBLIC_KEY" | "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" | "DATA_AT_REST_ENCRYPTION_KEY_ID" | "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "IMAGE_SIGNED_URL_SECRET" | "IMAGE_SIGNED_URL_TTL_SECONDS" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS" | "DATA_AT_REST_ENCRYPTION_ENABLED">> {}
 }
 
 // Begin runtime types
@@ -5485,7 +5493,7 @@ type AIGatewayHeaders = {
     [key: string]: string | number | boolean | object;
 };
 type AIGatewayUniversalRequest = {
-    provider: AIGatewayProviders | string;
+    provider: AIGatewayProviders | string; // eslint-disable-line
     endpoint: string;
     headers: Partial<AIGatewayHeaders>;
     query: unknown;
@@ -5501,7 +5509,7 @@ declare abstract class AiGateway {
         gateway?: UniversalGatewayOptions;
         extraHeaders?: object;
     }): Promise<Response>;
-    getUrl(provider?: AIGatewayProviders | string): Promise<string>;
+    getUrl(provider?: AIGatewayProviders | string): Promise<string>; // eslint-disable-line
 }
 interface AutoRAGInternalError extends Error {
 }

package/workers/audit-worker/package.json

@@ -5,13 +5,10 @@
 	"scripts": {
 		"deploy": "wrangler deploy",
 		"dev": "wrangler dev",
-		"start": "wrangler dev",
-		"test": "vitest"
+		"start": "wrangler dev"
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"@cloudflare/vitest-pool-workers": "^0.13.0",
-		"vitest": "~4.1.0",
 		"wrangler": "^4.76.0"
 	},
 	"overrides": {