@striae-org/striae 5.1.0 → 5.1.1

package/.env.example

@@ -47,7 +47,6 @@ PAGES_CUSTOM_DOMAIN=your_custom_domain_here
 KEYS_WORKER_NAME=your_keys_worker_name_here
 KEYS_WORKER_DOMAIN=your_keys_worker_domain_here
 KEYS_AUTH=your_custom_keys_auth_token_here
-ACCOUNT_HASH=your_cloudflare_images_account_hash_here
 
 # ================================
 # USER WORKER ENVIRONMENT VARIABLES  
@@ -70,7 +69,6 @@ MANIFEST_SIGNING_PUBLIC_KEY=your_manifest_signing_public_key_here
 EXPORT_ENCRYPTION_PRIVATE_KEY=your_export_encryption_private_key_here
 EXPORT_ENCRYPTION_KEY_ID=your_export_encryption_key_id_here
 EXPORT_ENCRYPTION_PUBLIC_KEY=your_export_encryption_public_key_here
-DATA_AT_REST_ENCRYPTION_ENABLED=true
 DATA_AT_REST_ENCRYPTION_PRIVATE_KEY=your_data_at_rest_encryption_private_key_here
 DATA_AT_REST_ENCRYPTION_KEY_ID=your_data_at_rest_encryption_key_id_here
 DATA_AT_REST_ENCRYPTION_PUBLIC_KEY=your_data_at_rest_encryption_public_key_here
@@ -88,6 +86,9 @@ AUDIT_WORKER_DOMAIN=your_audit_worker_domain_here
 # ================================
 IMAGES_WORKER_NAME=your_images_worker_name_here
 IMAGES_WORKER_DOMAIN=your_images_worker_domain_here
+IMAGE_SIGNED_URL_SECRET=your_image_signed_url_secret_here
+# Optional: defaults to 3600 and max is 86400.
+IMAGE_SIGNED_URL_TTL_SECONDS=3600
 
 # ================================
 # PDF WORKER ENVIRONMENT VARIABLES

package/app/components/actions/case-export/download-handlers.ts

@@ -965,7 +965,24 @@ For questions about this export, contact your Striae system administrator.
  */
 async function fetchImageAsBlob(user: User, fileData: FileData, caseNumber: string): Promise<Blob | null> {
   try {
-    const { blob, revoke } = await getImageUrl(user, fileData, caseNumber, 'Export Package');
+    const imageAccess = await getImageUrl(user, fileData, caseNumber, 'Export Package');
+    const { blob, revoke, url } = imageAccess;
+
+    if (!blob) {
+      const signedResponse = await fetch(url, {
+        method: 'GET',
+        headers: {
+          'Accept': 'application/octet-stream,image/*'
+        }
+      });
+
+      if (!signedResponse.ok) {
+        throw new Error(`Signed URL fetch failed with status ${signedResponse.status}`);
+      }
+
+      return await signedResponse.blob();
+    }
+
     try {
       return blob;
     } finally {

package/app/components/actions/case-manage.ts

@@ -685,7 +685,23 @@ const getVerificationPublicSigningKey = (preferredKeyId?: string): { keyId: stri
 
 const fetchImageAsBlob = async (user: User, fileData: FileData, caseNumber: string): Promise<Blob | null> => {
   try {
-    const { blob, revoke } = await getImageUrl(user, fileData, caseNumber, 'Archive Package');
+    const imageAccess = await getImageUrl(user, fileData, caseNumber, 'Archive Package');
+    const { blob, revoke, url } = imageAccess;
+
+    if (!blob) {
+      const signedResponse = await fetch(url, {
+        method: 'GET',
+        headers: {
+          'Accept': 'application/octet-stream,image/*'
+        }
+      });
+
+      if (!signedResponse.ok) {
+        throw new Error(`Signed URL fetch failed with status ${signedResponse.status}`);
+      }
+
+      return await signedResponse.blob();
+    }
 
     try {
       return blob;

package/app/components/actions/generate-pdf.ts

@@ -6,6 +6,7 @@ import { fetchPdfApi } from '~/utils/api';
 interface GeneratePDFParams {
   user: User;
   selectedImage: string | undefined;
+  sourceImageId?: string;
   selectedFilename: string | undefined;
   userCompany: string;
   userFirstName: string;
@@ -44,6 +45,10 @@ const resolvePdfImageUrl = async (selectedImage: string | undefined): Promise<st
     return selectedImage;
   }
 
+  if (selectedImage.startsWith('/')) {
+    return new URL(selectedImage, window.location.origin).toString();
+  }
+
   if (selectedImage.startsWith('data:')) {
     return selectedImage;
   }
@@ -64,6 +69,7 @@ const resolvePdfImageUrl = async (selectedImage: string | undefined): Promise<st
 export const generatePDF = async ({
   user,
   selectedImage,
+  sourceImageId,
   selectedFilename,
   userCompany,
   userFirstName,
@@ -187,7 +193,7 @@ export const generatePDF = async ({
           processingTime,
           blob.size,
           [],
-          selectedImage, // Source file ID
+          sourceImageId, // Source file ID
           selectedFilename // Source original filename
         );
       } catch (auditError) {
@@ -215,7 +221,7 @@ export const generatePDF = async ({
           processingTime,
           0, // No file size for failed generation
           [errorText || 'PDF generation failed'],
-          selectedImage, // Source file ID
+          sourceImageId, // Source file ID
           selectedFilename // Source original filename
         );
       } catch (auditError) {
@@ -242,7 +248,7 @@ export const generatePDF = async ({
         processingTime,
         0, // No file size for failed generation
         [error instanceof Error ? error.message : 'Unknown error generating PDF'],
-        selectedImage, // Source file ID
+        sourceImageId, // Source file ID
         selectedFilename // Source original filename
       );
     } catch (auditError) {

package/app/components/actions/image-manage.ts

@@ -1,7 +1,7 @@
 import type { User } from 'firebase/auth';
-import { fetchImageApi, uploadImageApi } from '~/utils/api';
+import { createSignedImageUrlApi, fetchImageApi, uploadImageApi } from '~/utils/api';
 import { canUploadFile, getCaseData, updateCaseData, deleteFileAnnotations } from '~/utils/data';
-import type { CaseData, FileData, ImageUploadResponse } from '~/types';
+import type { CaseData, FileData, ImageAccessResult, ImageUploadResponse } from '~/types';
 import { auditService } from '~/services/audit';
 
 export interface DeleteFileResult {
@@ -255,20 +255,49 @@ export const deleteFile = async (
   }
 };
 
-export const getImageUrl = async (user: User, fileData: FileData, caseNumber: string, accessReason?: string): Promise<{ blob: Blob; url: string; revoke: () => void }> => {
+export const getImageUrl = async (
+  user: User,
+  fileData: FileData,
+  caseNumber: string,
+  accessReason?: string
+): Promise<ImageAccessResult> => {
   const startTime = Date.now();
   const defaultAccessReason = accessReason || 'Image viewer access';
-  
+
   try {
+    try {
+      const signedUrlResponse = await createSignedImageUrlApi(user, fileData.id);
+
+      await auditService.logFileAccess(
+        user,
+        fileData.originalFilename || fileData.id,
+        fileData.id,
+        'signed-url',
+        caseNumber,
+        'success',
+        Date.now() - startTime,
+        defaultAccessReason,
+        fileData.originalFilename
+      );
+
+      return {
+        url: signedUrlResponse.result.url,
+        revoke: () => {},
+        urlType: 'signed',
+        expiresAt: signedUrlResponse.result.expiresAt
+      };
+    } catch {
+      // Fallback to direct blob retrieval during migration.
+    }
+
     const workerResponse = await fetchImageApi(user, `/${encodeURIComponent(fileData.id)}`, {
       method: 'GET',
       headers: {
         'Accept': 'application/octet-stream,image/*'
       }
     });
-    
+
     if (!workerResponse.ok) {
-      // Log failed image access
       await auditService.logFileAccess(
         user,
         fileData.originalFilename || fileData.id,
@@ -285,8 +314,7 @@ export const getImageUrl = async (user: User, fileData: FileData, caseNumber: st
 
     const blob = await workerResponse.blob();
     const objectUrl = URL.createObjectURL(blob);
-    
-    // Log successful image access
+
     await auditService.logFileAccess(
       user,
       fileData.originalFilename || fileData.id,
@@ -298,10 +326,14 @@ export const getImageUrl = async (user: User, fileData: FileData, caseNumber: st
       defaultAccessReason,
       fileData.originalFilename
     );
-    
-    return { blob, url: objectUrl, revoke: () => URL.revokeObjectURL(objectUrl) };
+
+    return {
+      blob,
+      url: objectUrl,
+      revoke: () => URL.revokeObjectURL(objectUrl),
+      urlType: 'blob'
+    };
   } catch (error) {
-    // Log any unexpected errors if not already logged
     if (!(error instanceof Error && error.message.includes('Failed to retrieve image'))) {
       await auditService.logFileAccess(
         user,

package/app/routes/striae/striae.tsx

@@ -241,6 +241,7 @@ export const Striae = ({ user }: StriaePage) => {
     await generatePDF({
       user,
       selectedImage,
+      sourceImageId: imageId,
       selectedFilename,
       userCompany,
       userFirstName,

package/app/types/file.ts

@@ -12,8 +12,6 @@ export interface FileUploadResponse {
     id: string;
     filename: string;
     uploaded: string;
-    requireSignedURLs: boolean;
-    variants: string[];
   };
   errors: Array<{
     code: number;
@@ -27,4 +25,22 @@ export interface ImageUploadResponse {
   result: FileUploadResponse['result'];
   errors: FileUploadResponse['errors'];
   messages: FileUploadResponse['messages'];
+}
+
+export interface SignedImageUrlResponse {
+  success: boolean;
+  result: {
+    fileId: string;
+    url: string;
+    expiresAt: string;
+    expiresInSeconds: number;
+  };
+}
+
+export interface ImageAccessResult {
+  url: string;
+  revoke: () => void;
+  blob?: Blob;
+  urlType: 'signed' | 'blob';
+  expiresAt?: string;
 }

package/app/utils/api/image-api-client.ts

@@ -1,5 +1,5 @@
 import type { User } from 'firebase/auth';
-import { type ImageUploadResponse } from '~/types';
+import { type ImageUploadResponse, type SignedImageUrlResponse } from '~/types';
 
 const IMAGE_API_BASE = '/api/image';
 
@@ -93,6 +93,54 @@ function parseUploadResponse(payload: string): ImageUploadResponse {
   return parsed;
 }
 
+function parseSignedUrlResponse(payload: string): SignedImageUrlResponse {
+  const parsed = JSON.parse(payload) as SignedImageUrlResponse;
+  if (!parsed.success || !parsed.result?.url || !parsed.result?.fileId || !parsed.result?.expiresAt) {
+    throw new Error('Signed URL response is invalid');
+  }
+
+  return parsed;
+}
+
+export async function createSignedImageUrlApi(
+  user: User,
+  fileId: string,
+  expiresInSeconds?: number
+): Promise<SignedImageUrlResponse> {
+  const response = await fetchImageApi(user, `/${encodeURIComponent(fileId)}/signed-url`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Accept': 'application/json'
+    },
+    body: JSON.stringify(
+      typeof expiresInSeconds === 'number'
+        ? { expiresInSeconds }
+        : {}
+    )
+  });
+
+  if (!response.ok) {
+    throw new Error(`Signed URL request failed with status ${response.status}`);
+  }
+
+  const parsed = parseSignedUrlResponse(await response.text());
+  const rawUrl = parsed.result.url;
+  let normalizedUrl = rawUrl;
+
+  if (rawUrl.startsWith('/')) {
+    normalizedUrl = new URL(rawUrl, window.location.origin).toString();
+  }
+
+  return {
+    ...parsed,
+    result: {
+      ...parsed.result,
+      url: normalizedUrl
+    }
+  };
+}
+
 export async function uploadImageApi(
   user: User,
   file: File,

package/functions/api/image/[[path]].ts

@@ -82,12 +82,13 @@ export const onRequest = async ({ request, env }: ImageProxyContext): Promise<Re
     });
   }
 
+  const requestUrl = new URL(request.url);
+
   const identity = await verifyFirebaseIdentityFromRequest(request, env);
   if (!identity) {
     return textResponse('Unauthorized', 401);
   }
 
-  const requestUrl = new URL(request.url);
   const proxyPathResult = extractProxyPath(requestUrl);
   if (!proxyPathResult.ok) {
     return proxyPathResult.reason === 'bad-encoding'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "5.1.0",
+  "version": "5.1.1",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",

package/scripts/deploy-config.sh

@@ -81,13 +81,23 @@ require_command grep
 
 is_placeholder() {
     local value="$1"
-    local normalized=$(echo "$value" | tr '[:upper:]' '[:lower:]')
+    local normalized
+
+    normalized=$(printf '%s' "$value" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
+    normalized=$(printf '%s' "$normalized" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+    normalized=${normalized#\"}
+    normalized=${normalized%\"}
 
     if [ -z "$normalized" ]; then
         return 1
     fi
 
-    [[ "$normalized" == your_*_here ]]
+    [[ "$normalized" =~ ^your_[a-z0-9_]+_here$ || \
+       "$normalized" =~ ^your-[a-z0-9-]+-here$ || \
+       "$normalized" == "placeholder" || \
+       "$normalized" == "changeme" || \
+       "$normalized" == "replace_me" || \
+       "$normalized" == "replace-me" ]]
 }
 
 # Check if .env file exists
@@ -626,38 +636,8 @@ configure_data_at_rest_encryption_credentials() {
     echo -e "${BLUE}🗃️ DATA-AT-REST ENCRYPTION CONFIGURATION${NC}"
     echo "========================================"
 
-    local current_enabled="${DATA_AT_REST_ENCRYPTION_ENABLED:-}"
-    local normalized_enabled=""
-    local enable_choice=""
-
-    current_enabled=$(strip_carriage_returns "$current_enabled")
-    normalized_enabled=$(printf '%s' "$current_enabled" | tr '[:upper:]' '[:lower:]')
-
-    if [ -z "$normalized_enabled" ] || is_placeholder "$normalized_enabled"; then
-        DATA_AT_REST_ENCRYPTION_ENABLED="false"
-    elif [ "$normalized_enabled" = "1" ] || [ "$normalized_enabled" = "true" ] || [ "$normalized_enabled" = "yes" ] || [ "$normalized_enabled" = "on" ]; then
-        DATA_AT_REST_ENCRYPTION_ENABLED="true"
-    else
-        DATA_AT_REST_ENCRYPTION_ENABLED="false"
-    fi
-
-    if [ "$update_env" != "true" ]; then
-        read -p "Enable data-at-rest encryption for new writes? (y/N, Enter keeps current): " enable_choice
-        enable_choice=$(strip_carriage_returns "$enable_choice")
-        case "$enable_choice" in
-            y|Y|yes|YES)
-                DATA_AT_REST_ENCRYPTION_ENABLED="true"
-                ;;
-            n|N|no|NO)
-                DATA_AT_REST_ENCRYPTION_ENABLED="false"
-                ;;
-            "")
-                ;;
-            *)
-                echo -e "${YELLOW}⚠️  Unrecognized choice '$enable_choice'; keeping current setting${NC}"
-                ;;
-        esac
-    fi
+    # Data-at-rest encryption is mandatory for all environments.
+    DATA_AT_REST_ENCRYPTION_ENABLED="true"
 
     export DATA_AT_REST_ENCRYPTION_ENABLED
     write_env_var "DATA_AT_REST_ENCRYPTION_ENABLED" "$DATA_AT_REST_ENCRYPTION_ENABLED"
@@ -781,7 +761,7 @@ required_vars=(
     # Worker-Specific Secrets (required for deployment)
     "KEYS_AUTH"
     "PDF_WORKER_AUTH"
-    "ACCOUNT_HASH"
+    "IMAGE_SIGNED_URL_SECRET"
     "BROWSER_API_TOKEN"
     "MANIFEST_SIGNING_PRIVATE_KEY"
     "MANIFEST_SIGNING_KEY_ID"
@@ -968,7 +948,6 @@ validate_generated_configs() {
     assert_contains_literal "workers/user-worker/wrangler.jsonc" "$KV_STORE_ID" "KV_STORE_ID missing in user worker config"
 
     assert_contains_literal "app/config/config.json" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in app/config/config.json"
-    assert_contains_literal "app/config/config.json" "$ACCOUNT_HASH" "ACCOUNT_HASH missing in app/config/config.json"
     assert_contains_literal "app/config/config.json" "$EXPORT_ENCRYPTION_KEY_ID" "EXPORT_ENCRYPTION_KEY_ID missing in app/config/config.json"
     assert_contains_literal "app/config/config.json" "\"export_encryption_public_key\":" "export_encryption_public_key missing in app/config/config.json"
     assert_contains_literal "app/routes/auth/login.tsx" "const APP_CANONICAL_ORIGIN = 'https://$PAGES_CUSTOM_DOMAIN';" "PAGES_CUSTOM_DOMAIN missing in app/routes/auth/login.tsx canonical origin"
@@ -989,7 +968,7 @@ validate_generated_configs() {
     assert_contains_literal "workers/user-worker/src/user-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in user-worker source"
 
     local placeholder_pattern
-    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|KEYS_WORKER_NAME|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|KEYS_WORKER_DOMAIN|USER_WORKER_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN|PDF_WORKER_DOMAIN|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|KV_STORE_ID|ACCOUNT_HASH|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\"|'(PAGES_CUSTOM_DOMAIN|DATA_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN)')"
+    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|KEYS_WORKER_NAME|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|KEYS_WORKER_DOMAIN|USER_WORKER_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN|PDF_WORKER_DOMAIN|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|KV_STORE_ID|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\"|'(PAGES_CUSTOM_DOMAIN|DATA_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN)')"
 
     local files_to_scan=(
         "wrangler.toml"
@@ -1250,6 +1229,58 @@ prompt_for_secrets() {
     fi
     
     # Function to prompt for a variable
+    is_auto_generated_secret_var() {
+        local var_name=$1
+        case "$var_name" in
+            USER_DB_AUTH|R2_KEY_SECRET|KEYS_AUTH|PDF_WORKER_AUTH|IMAGES_API_TOKEN|IMAGE_SIGNED_URL_SECRET)
+                return 0
+                ;;
+            *)
+                return 1
+                ;;
+        esac
+    }
+
+    is_secret_placeholder_value() {
+        local var_name=$1
+        local value=$2
+        case "$var_name" in
+            USER_DB_AUTH)
+                [ "$value" = "your_custom_user_db_auth_token_here" ]
+                ;;
+            R2_KEY_SECRET)
+                [ "$value" = "your_custom_r2_secret_here" ]
+                ;;
+            KEYS_AUTH)
+                [ "$value" = "your_custom_keys_auth_token_here" ]
+                ;;
+            PDF_WORKER_AUTH)
+                [ "$value" = "your_custom_pdf_worker_auth_token_here" ]
+                ;;
+            IMAGES_API_TOKEN)
+                [ "$value" = "your_cloudflare_images_api_token_here" ]
+                ;;
+            IMAGE_SIGNED_URL_SECRET)
+                [ "$value" = "your_image_signed_url_secret_here" ]
+                ;;
+            *)
+                return 1
+                ;;
+        esac
+    }
+
+    generate_secret_value() {
+        local var_name=$1
+        case "$var_name" in
+            IMAGE_SIGNED_URL_SECRET)
+                openssl rand -base64 48 2>/dev/null | tr '+/' '-_' | tr -d '='
+                ;;
+            *)
+                openssl rand -hex 32 2>/dev/null
+                ;;
+        esac
+    }
+
     prompt_for_var() {
         local var_name=$1
         local description=$2
@@ -1263,19 +1294,19 @@ prompt_for_secrets() {
             current_value=$(resolve_existing_domain_value "$var_name" "$current_value")
         fi
         
-        # Auto-generate specific authentication secrets - but allow keeping current
-        if [ "$var_name" = "USER_DB_AUTH" ] || [ "$var_name" = "R2_KEY_SECRET" ] || [ "$var_name" = "KEYS_AUTH" ] || [ "$var_name" = "PDF_WORKER_AUTH" ]; then
+        # Auto-generate selected secrets - but allow keeping current.
+        if is_auto_generated_secret_var "$var_name"; then
             echo -e "${BLUE}$var_name${NC}"
             echo -e "${YELLOW}$description${NC}"
             
-            if [ "$update_env" != "true" ] && [ -n "$current_value" ] && ! is_placeholder "$current_value" && [ "$current_value" != "your_custom_user_db_auth_token_here" ] && [ "$current_value" != "your_custom_r2_secret_here" ] && [ "$current_value" != "your_custom_keys_auth_token_here" ] && [ "$current_value" != "your_custom_pdf_worker_auth_token_here" ]; then
+            if [ "$update_env" != "true" ] && [ -n "$current_value" ] && ! is_placeholder "$current_value" && ! is_secret_placeholder_value "$var_name" "$current_value"; then
                 # Current value exists and is not a placeholder
                 echo -e "${GREEN}Current value: [HIDDEN]${NC}"
                 read -p "Generate new secret? (press Enter to keep current, or type 'y' to generate): " gen_choice
                 gen_choice=$(strip_carriage_returns "$gen_choice")
                 
                 if [ "$gen_choice" = "y" ] || [ "$gen_choice" = "Y" ]; then
-                    new_value=$(openssl rand -hex 32 2>/dev/null || echo "")
+                    new_value=$(generate_secret_value "$var_name" || echo "")
                     if [ -n "$new_value" ]; then
                         echo -e "${GREEN}✅ $var_name auto-generated${NC}"
                     else
@@ -1302,7 +1333,7 @@ prompt_for_secrets() {
             else
                 # No current value or placeholder value - auto-generate
                 echo -e "${YELLOW}Auto-generating secret...${NC}"
-                new_value=$(openssl rand -hex 32 2>/dev/null || echo "")
+                new_value=$(generate_secret_value "$var_name" || echo "")
                 if [ -n "$new_value" ]; then
                     echo -e "${GREEN}✅ $var_name auto-generated${NC}"
                 else
@@ -1428,7 +1459,7 @@ prompt_for_secrets() {
     echo "==================================="
     prompt_for_var "USER_DB_AUTH" "Custom user database authentication token (generate with: openssl rand -hex 16)"
     prompt_for_var "R2_KEY_SECRET" "Custom R2 storage authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "IMAGES_API_TOKEN" "Cloudflare Images API token (shared between workers)"
+    prompt_for_var "IMAGES_API_TOKEN" "Image worker API token (shared between workers)"
     
     echo -e "${BLUE}🔥 FIREBASE AUTH CONFIGURATION${NC}"
     echo "==============================="
@@ -1534,7 +1565,7 @@ prompt_for_secrets() {
     echo "============================"
     prompt_for_var "KEYS_AUTH" "Keys worker authentication token (generate with: openssl rand -hex 16)"
     prompt_for_var "PDF_WORKER_AUTH" "PDF worker authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "ACCOUNT_HASH" "Cloudflare Images Account Hash"
+    prompt_for_var "IMAGE_SIGNED_URL_SECRET" "Image signed URL secret (generate with: openssl rand -base64 48 | tr '+/' '-_' | tr -d '=')"
     prompt_for_var "BROWSER_API_TOKEN" "Cloudflare Browser Rendering API token (for PDF Worker)"
 
     configure_manifest_signing_credentials
@@ -1680,15 +1711,12 @@ update_wrangler_configs() {
         local escaped_manifest_signing_public_key
         local escaped_export_encryption_key_id
         local escaped_export_encryption_public_key
-        local escaped_account_hash
         escaped_manifest_signing_key_id=$(escape_for_sed_replacement "$MANIFEST_SIGNING_KEY_ID")
         escaped_manifest_signing_public_key=$(escape_for_sed_replacement "$MANIFEST_SIGNING_PUBLIC_KEY")
         escaped_export_encryption_key_id=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_KEY_ID")
         escaped_export_encryption_public_key=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_PUBLIC_KEY")
-        escaped_account_hash=$(escape_for_sed_replacement "$ACCOUNT_HASH")
 
         sed -i "s|\"url\": \"[^\"]*\"|\"url\": \"https://$escaped_pages_custom_domain\"|g" app/config/config.json
-        sed -i "s|\"account_hash\": \"[^\"]*\"|\"account_hash\": \"$escaped_account_hash\"|g" app/config/config.json
         sed -i "s|\"MANIFEST_SIGNING_KEY_ID\"|\"$escaped_manifest_signing_key_id\"|g" app/config/config.json
         sed -i "s|\"MANIFEST_SIGNING_PUBLIC_KEY\"|\"$escaped_manifest_signing_public_key\"|g" app/config/config.json
         sed -i "s|\"EXPORT_ENCRYPTION_KEY_ID\"|\"$escaped_export_encryption_key_id\"|g" app/config/config.json

package/scripts/deploy-worker-secrets.sh

@@ -231,7 +231,7 @@ fi
 
 # Keys Worker
 if ! set_worker_secrets "Keys Worker" "workers/keys-worker" \
-    "KEYS_AUTH" "USER_DB_AUTH" "R2_KEY_SECRET" "ACCOUNT_HASH" "IMAGES_API_TOKEN" "PDF_WORKER_AUTH"; then
+    "KEYS_AUTH" "USER_DB_AUTH" "R2_KEY_SECRET" "IMAGES_API_TOKEN" "PDF_WORKER_AUTH"; then
     echo -e "${YELLOW}⚠️  Skipping Keys Worker (not configured)${NC}"
 fi
 
@@ -253,7 +253,7 @@ fi
 
 # Images Worker
 if ! set_worker_secrets "Images Worker" "workers/image-worker" \
-    "IMAGES_API_TOKEN" "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" "DATA_AT_REST_ENCRYPTION_KEY_ID"; then
+    "IMAGES_API_TOKEN" "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" "DATA_AT_REST_ENCRYPTION_KEY_ID" "IMAGE_SIGNED_URL_SECRET"; then
     echo -e "${YELLOW}⚠️  Skipping Images Worker (not configured)${NC}"
 fi
 

package/worker-configuration.d.ts

@@ -1,5 +1,5 @@
 /* eslint-disable */
-// Generated by Wrangler by running `wrangler types` (hash: f4bdacbf5374924fcd3b9a294158d34f)
+// Generated by Wrangler by running `wrangler types` (hash: abf7efe3b0d9f2d66e012084f057d73b)
 // Runtime types generated with workerd@1.20250823.0 2026-03-24 nodejs_compat
 declare namespace Cloudflare {
 	interface Env {
@@ -35,7 +35,6 @@ declare namespace Cloudflare {
 		EXPORT_ENCRYPTION_PRIVATE_KEY: string;
 		EXPORT_ENCRYPTION_KEY_ID: string;
 		EXPORT_ENCRYPTION_PUBLIC_KEY: string;
-		DATA_AT_REST_ENCRYPTION_ENABLED: string;
 		DATA_AT_REST_ENCRYPTION_PRIVATE_KEY: string;
 		DATA_AT_REST_ENCRYPTION_KEY_ID: string;
 		DATA_AT_REST_ENCRYPTION_PUBLIC_KEY: string;
@@ -44,11 +43,14 @@ declare namespace Cloudflare {
 		AUDIT_WORKER_DOMAIN: string;
 		IMAGES_WORKER_NAME: string;
 		IMAGES_WORKER_DOMAIN: string;
+		IMAGE_SIGNED_URL_SECRET: string;
+		IMAGE_SIGNED_URL_TTL_SECONDS: string;
 		PDF_WORKER_NAME: string;
 		PDF_WORKER_DOMAIN: string;
 		PDF_WORKER_AUTH: string;
 		BROWSER_API_TOKEN: string;
 		PRIMERSHEAR_EMAILS: string;
+		DATA_AT_REST_ENCRYPTION_ENABLED: string;
 	}
 }
 interface Env extends Cloudflare.Env {}
@@ -56,7 +58,7 @@ type StringifyValues<EnvType extends Record<string, unknown>> = {
 	[Binding in keyof EnvType]: EnvType[Binding] extends string ? EnvType[Binding] : string;
 };
 declare namespace NodeJS {
-	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "KEYS_WORKER_NAME" | "KEYS_WORKER_DOMAIN" | "KEYS_AUTH" | "ACCOUNT_HASH" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "FILES_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "EXPORT_ENCRYPTION_PRIVATE_KEY" | "EXPORT_ENCRYPTION_KEY_ID" | "EXPORT_ENCRYPTION_PUBLIC_KEY" | "DATA_AT_REST_ENCRYPTION_ENABLED" | "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" | "DATA_AT_REST_ENCRYPTION_KEY_ID" | "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS">> {}
+	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "KEYS_WORKER_NAME" | "KEYS_WORKER_DOMAIN" | "KEYS_AUTH" | "ACCOUNT_HASH" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "FILES_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "EXPORT_ENCRYPTION_PRIVATE_KEY" | "EXPORT_ENCRYPTION_KEY_ID" | "EXPORT_ENCRYPTION_PUBLIC_KEY" | "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" | "DATA_AT_REST_ENCRYPTION_KEY_ID" | "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "IMAGE_SIGNED_URL_SECRET" | "IMAGE_SIGNED_URL_TTL_SECONDS" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS" | "DATA_AT_REST_ENCRYPTION_ENABLED">> {}
 }
 
 // Begin runtime types

package/workers/data-worker/wrangler.jsonc.example

@@ -1,7 +1,5 @@
 {
-  // Required secrets: R2_KEY_SECRET, MANIFEST_SIGNING_PRIVATE_KEY, MANIFEST_SIGNING_KEY_ID, EXPORT_ENCRYPTION_PRIVATE_KEY, EXPORT_ENCRYPTION_KEY_ID
-  // Optional data-at-rest secrets/vars:
-  // - DATA_AT_REST_ENCRYPTION_ENABLED=true
+  // Required secrets: R2_KEY_SECRET, MANIFEST_SIGNING_PRIVATE_KEY, MANIFEST_SIGNING_KEY_ID, EXPORT_ENCRYPTION_PRIVATE_KEY, EXPORT_ENCRYPTION_KEY_ID  
   // - DATA_AT_REST_ENCRYPTION_PRIVATE_KEY (required for decrypting encrypted records)
   // - DATA_AT_REST_ENCRYPTION_PUBLIC_KEY and DATA_AT_REST_ENCRYPTION_KEY_ID (required when encrypt-on-write is enabled)
   "name": "DATA_WORKER_NAME",