@striae-org/striae 5.1.0 → 5.2.0

package/scripts/deploy-config.sh

@@ -28,6 +28,7 @@ trap 'echo -e "\n${RED}❌ deploy-config.sh failed near line ${LINENO}${NC}"' ER
 update_env=false
 show_help=false
 validate_only=false
+force_rotate_keys=false
 for arg in "$@"; do
     case "$arg" in
         -h|--help)
@@ -39,6 +40,9 @@ for arg in "$@"; do
         --validate-only)
             validate_only=true
             ;;
+        --force-rotate-keys)
+            force_rotate_keys=true
+            ;;
         *)
             echo -e "${RED}❌ Unknown option: $arg${NC}"
             echo "Use --help to see supported options."
@@ -52,18 +56,28 @@ if [ "$update_env" = "true" ] && [ "$validate_only" = "true" ]; then
     exit 1
 fi
 
+if [ "$force_rotate_keys" = "true" ] && [ "$validate_only" = "true" ]; then
+    echo -e "${RED}❌ --force-rotate-keys and --validate-only cannot be used together${NC}"
+    exit 1
+fi
+
 if [ "$show_help" = "true" ]; then
-    echo "Usage: bash ./scripts/deploy-config.sh [--update-env] [--validate-only]"
+    echo "Usage: bash ./scripts/deploy-config.sh [--update-env] [--validate-only] [--force-rotate-keys]"
     echo ""
     echo "Options:"
     echo "  --update-env   Reset .env from .env.example and overwrite configs"
     echo "  --validate-only Validate current .env and generated config files without modifying them"
+    echo "  --force-rotate-keys Force regeneration of all encryption/signing key pairs without prompts"
     echo "  -h, --help     Show this help message"
     exit 0
 fi
 
 if [ "$update_env" = "true" ]; then
-    echo -e "${YELLOW}⚠️  Update-env mode: overwriting configs and regenerating .env values${NC}"
+    echo -e "${YELLOW}⚠️  Update-env mode: overwriting configs and resetting .env values from template${NC}"
+fi
+
+if [ "$force_rotate_keys" = "true" ]; then
+    echo -e "${YELLOW}⚠️  Force-rotate-keys mode: all encryption/signing key pairs will be regenerated without prompts${NC}"
 fi
 
 require_command() {
@@ -81,13 +95,23 @@ require_command grep
 
 is_placeholder() {
     local value="$1"
-    local normalized=$(echo "$value" | tr '[:upper:]' '[:lower:]')
+    local normalized
+
+    normalized=$(printf '%s' "$value" | tr -d '\r' | tr '[:upper:]' '[:lower:]')
+    normalized=$(printf '%s' "$normalized" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+    normalized=${normalized#\"}
+    normalized=${normalized%\"}
 
     if [ -z "$normalized" ]; then
         return 1
     fi
 
-    [[ "$normalized" == your_*_here ]]
+    [[ "$normalized" =~ ^your_[a-z0-9_]+_here$ || \
+       "$normalized" =~ ^your-[a-z0-9-]+-here$ || \
+       "$normalized" == "placeholder" || \
+       "$normalized" == "changeme" || \
+       "$normalized" == "replace_me" || \
+       "$normalized" == "replace-me" ]]
 }
 
 # Check if .env file exists
@@ -136,894 +160,45 @@ fi
 echo -e "${YELLOW}📖 Loading environment variables from .env...${NC}"
 source .env
 
-escape_for_sed_pattern() {
-    printf '%s' "$1" | sed -e 's/[][\\.^$*+?{}|()]/\\&/g'
-}
-
-dedupe_env_var_entries() {
-    local var_name=$1
-    local expected_count=1
-    local escaped_var_name
-
-    escaped_var_name=$(escape_for_sed_pattern "$var_name")
-
-    if [ -f ".env.example" ]; then
-        expected_count=$(grep -c "^$escaped_var_name=" .env.example || true)
-
-        if [ "$expected_count" -lt 1 ]; then
-            expected_count=1
-        fi
-    fi
-
-    awk -v key="$var_name" -v keep="$expected_count" '
-        BEGIN { seen = 0 }
-        {
-            if (index($0, key "=") == 1) {
-                seen++
-
-                if (seen > keep) {
-                    next
-                }
-            }
-            print
-        }
-    ' .env > .env.tmp && mv .env.tmp .env
-}
-
-normalize_domain_value() {
-    local domain="$1"
-
-    domain=$(printf '%s' "$domain" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
-    domain="${domain#http://}"
-    domain="${domain#https://}"
-    domain="${domain%/}"
-
-    printf '%s' "$domain"
-}
-
-normalize_worker_label_value() {
-    local label="$1"
-
-    label=$(normalize_domain_value "$label")
-    label="${label#.}"
-    label="${label%.}"
-    label=$(printf '%s' "$label" | tr '[:upper:]' '[:lower:]')
-
-    printf '%s' "$label"
-}
-
-normalize_worker_subdomain_value() {
-    local subdomain="$1"
-
-    subdomain=$(normalize_domain_value "$subdomain")
-    subdomain="${subdomain#.}"
-    subdomain="${subdomain%.}"
-    subdomain=$(printf '%s' "$subdomain" | tr '[:upper:]' '[:lower:]')
-
-    printf '%s' "$subdomain"
-}
-
-is_valid_worker_label() {
-    local label="$1"
-
-    [[ "$label" =~ ^[a-z0-9-]+$ ]]
-}
-
-is_valid_worker_subdomain() {
-    local subdomain="$1"
-
-    [[ "$subdomain" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$ ]]
-}
-
-strip_carriage_returns() {
-    printf '%s' "$1" | tr -d '\r'
-}
-
-read_env_var_from_file() {
-    local env_file=$1
-    local var_name=$2
-
-    if [ ! -f "$env_file" ]; then
-        return 0
-    fi
-
-    awk -v key="$var_name" '
-        index($0, key "=") == 1 {
-            value = substr($0, length(key) + 2)
-        }
-        END {
-            if (value != "") {
-                gsub(/\r/, "", value)
-                gsub(/^"/, "", value)
-                gsub(/"$/, "", value)
-                print value
-            }
-        }
-    ' "$env_file"
-}
-
-resolve_existing_domain_value() {
-    local var_name=$1
-    local current_value=$2
-    local preserved_value=""
-
-    current_value=$(normalize_domain_value "$current_value")
-
-    if [ "$current_value" = "$var_name" ]; then
-        current_value=""
-    fi
-
-    if [ -n "$current_value" ] && ! is_placeholder "$current_value"; then
-        printf '%s' "$current_value"
-        return 0
-    fi
-
-    if [ -n "$preserved_domain_env_file" ] && [ -f "$preserved_domain_env_file" ]; then
-        preserved_value=$(read_env_var_from_file "$preserved_domain_env_file" "$var_name")
-        preserved_value=$(normalize_domain_value "$preserved_value")
-
-        if [ "$preserved_value" = "$var_name" ]; then
-            preserved_value=""
-        fi
-
-        if [ -n "$preserved_value" ] && ! is_placeholder "$preserved_value"; then
-            printf '%s' "$preserved_value"
-            return 0
-        fi
-    fi
-
-    printf '%s' "$current_value"
-}
-
-generate_worker_subdomain_label() {
-    node -e "const { randomInt } = require('crypto'); const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'; let value = ''; for (let index = 0; index < 10; index += 1) { value += alphabet[randomInt(alphabet.length)]; } process.stdout.write(value);" 2>/dev/null
-}
-
-compose_worker_domain() {
-    local worker_name=$1
-    local worker_subdomain=$2
-
-    worker_name=$(normalize_worker_label_value "$worker_name")
-    worker_subdomain=$(normalize_worker_subdomain_value "$worker_subdomain")
-
-    if [ -z "$worker_name" ] || [ -z "$worker_subdomain" ]; then
-        return 1
-    fi
-
-    if ! is_valid_worker_label "$worker_name" || ! is_valid_worker_subdomain "$worker_subdomain"; then
-        return 1
-    fi
-
-    printf '%s.%s' "$worker_name" "$worker_subdomain"
-}
-
-infer_worker_subdomain_from_domain() {
-    local worker_name=$1
-    local worker_domain=$2
-    local worker_subdomain=""
-
-    worker_name=$(normalize_worker_label_value "$worker_name")
-    worker_domain=$(normalize_domain_value "$worker_domain")
-    worker_domain=$(printf '%s' "$worker_domain" | tr '[:upper:]' '[:lower:]')
-
-    if [ -z "$worker_name" ] || [ -z "$worker_domain" ] || is_placeholder "$worker_name" || is_placeholder "$worker_domain"; then
-        printf '%s' ""
-        return 0
-    fi
-
-    case "$worker_domain" in
-        "$worker_name".*)
-            worker_subdomain="${worker_domain#${worker_name}.}"
-            worker_subdomain=$(normalize_worker_subdomain_value "$worker_subdomain")
-
-            if is_valid_worker_subdomain "$worker_subdomain"; then
-                printf '%s' "$worker_subdomain"
-                return 0
-            fi
-            ;;
-    esac
-
-    printf '%s' ""
-}
-
-write_env_var() {
-    local var_name=$1
-    local var_value=$2
-    local env_file_value="$var_value"
-
-    var_value=$(strip_carriage_returns "$var_value")
-    env_file_value="$var_value"
-
-    if [ "$var_name" = "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PUBLIC_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" ]; then
-        # Store as a quoted string so sourced .env preserves escaped newline markers (\n)
-        env_file_value=${env_file_value//\"/\\\"}
-        env_file_value="\"$env_file_value\""
-    fi
-
-    local escaped_var_name
-    local replacement_line
-    escaped_var_name=$(escape_for_sed_pattern "$var_name")
-    replacement_line=$(escape_for_sed_replacement "$var_name=$env_file_value")
-
-    if grep -q "^$escaped_var_name=" .env; then
-        # Replace all occurrences so intentional duplicates in .env.example stay in sync.
-        sed -i "s|^$escaped_var_name=.*|$replacement_line|g" .env
-        dedupe_env_var_entries "$var_name"
-    else
-        echo "$var_name=$env_file_value" >> .env
-    fi
-}
-
-escape_for_sed_replacement() {
-    printf '%s' "$1" | sed -e 's/[&|\\]/\\&/g'
-}
-
-is_admin_service_placeholder() {
-    local value="$1"
-    local normalized=$(echo "$value" | tr '[:upper:]' '[:lower:]')
-
-    [[ -z "$normalized" || "$normalized" == your-* || "$normalized" == *"your_private_key"* ]]
-}
-
-load_admin_service_credentials() {
-    local admin_service_path="app/config/admin-service.json"
-
-    if [ ! -f "$admin_service_path" ]; then
-        echo -e "${RED}❌ Error: Required Firebase admin service file not found: $admin_service_path${NC}"
-        echo -e "${YELLOW}   Create app/config/admin-service.json with service account credentials.${NC}"
-        exit 1
-    fi
-
-    local service_project_id
-    local service_client_email
-    local service_private_key
-
-    if ! service_project_id=$(node -e "const fs=require('fs'); const data=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); process.stdout.write(data.project_id || '');" "$admin_service_path"); then
-        echo -e "${RED}❌ Error: Could not parse project_id from $admin_service_path${NC}"
-        exit 1
-    fi
-
-    if ! service_client_email=$(node -e "const fs=require('fs'); const data=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); process.stdout.write(data.client_email || '');" "$admin_service_path"); then
-        echo -e "${RED}❌ Error: Could not parse client_email from $admin_service_path${NC}"
-        exit 1
-    fi
-
-    if ! service_private_key=$(node -e "const fs=require('fs'); const data=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); process.stdout.write(data.private_key || '');" "$admin_service_path"); then
-        echo -e "${RED}❌ Error: Could not parse private_key from $admin_service_path${NC}"
-        exit 1
-    fi
-
-    local normalized_private_key="${service_private_key//$'\r'/}"
-    normalized_private_key="${normalized_private_key//$'\n'/\\n}"
-
-    if is_admin_service_placeholder "$service_project_id"; then
-        echo -e "${RED}❌ Error: project_id in $admin_service_path is missing or placeholder${NC}"
-        exit 1
-    fi
-
-    if is_admin_service_placeholder "$service_client_email" || [[ "$service_client_email" != *".gserviceaccount.com"* ]]; then
-        echo -e "${RED}❌ Error: client_email in $admin_service_path is invalid${NC}"
-        exit 1
-    fi
-
-    if is_admin_service_placeholder "$normalized_private_key" || [[ "$normalized_private_key" != *"-----BEGIN PRIVATE KEY-----"* ]] || [[ "$normalized_private_key" != *"-----END PRIVATE KEY-----"* ]]; then
-        echo -e "${RED}❌ Error: private_key in $admin_service_path is invalid${NC}"
-        exit 1
-    fi
-
-    PROJECT_ID="$service_project_id"
-    export PROJECT_ID
-    write_env_var "PROJECT_ID" "$PROJECT_ID"
-
-    FIREBASE_SERVICE_ACCOUNT_EMAIL="$service_client_email"
-    export FIREBASE_SERVICE_ACCOUNT_EMAIL
-    write_env_var "FIREBASE_SERVICE_ACCOUNT_EMAIL" "$FIREBASE_SERVICE_ACCOUNT_EMAIL"
-
-    FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY="$normalized_private_key"
-    export FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY
-    write_env_var "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" "$FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY"
-
-    echo -e "${GREEN}✅ Imported Firebase service account credentials from $admin_service_path${NC}"
-}
-
-generate_manifest_signing_key_pair() {
-    local private_key_file
-    local public_key_file
-    private_key_file=$(mktemp)
-    public_key_file=$(mktemp)
-
-    if ! node -e "const { generateKeyPairSync } = require('crypto'); const fs = require('fs'); const pair = generateKeyPairSync('rsa', { modulusLength: 2048, publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem' } }); fs.writeFileSync(process.argv[1], pair.privateKey, 'utf8'); fs.writeFileSync(process.argv[2], pair.publicKey, 'utf8');" "$private_key_file" "$public_key_file"; then
-        rm -f "$private_key_file" "$public_key_file"
-        return 1
-    fi
-
-    local private_key_pem
-    local public_key_pem
-    private_key_pem=$(cat "$private_key_file")
-    public_key_pem=$(cat "$public_key_file")
-    rm -f "$private_key_file" "$public_key_file"
-
-    private_key_pem="${private_key_pem//$'\r'/}"
-    public_key_pem="${public_key_pem//$'\r'/}"
-
-    MANIFEST_SIGNING_PRIVATE_KEY="${private_key_pem//$'\n'/\\n}"
-    MANIFEST_SIGNING_PUBLIC_KEY="${public_key_pem//$'\n'/\\n}"
-
-    export MANIFEST_SIGNING_PRIVATE_KEY
-    export MANIFEST_SIGNING_PUBLIC_KEY
-
-    write_env_var "MANIFEST_SIGNING_PRIVATE_KEY" "$MANIFEST_SIGNING_PRIVATE_KEY"
-    write_env_var "MANIFEST_SIGNING_PUBLIC_KEY" "$MANIFEST_SIGNING_PUBLIC_KEY"
-
-    return 0
-}
-
-configure_manifest_signing_credentials() {
-    echo -e "${BLUE}🛡️ MANIFEST SIGNING CONFIGURATION${NC}"
-    echo "================================="
-
-    local should_generate="false"
-    local regenerate_choice=""
-
-    if [ "$update_env" = "true" ]; then
-        should_generate="true"
-    elif [ -z "$MANIFEST_SIGNING_PRIVATE_KEY" ] || is_placeholder "$MANIFEST_SIGNING_PRIVATE_KEY" || [ -z "$MANIFEST_SIGNING_PUBLIC_KEY" ] || is_placeholder "$MANIFEST_SIGNING_PUBLIC_KEY"; then
-        should_generate="true"
-    else
-        echo -e "${GREEN}Current manifest signing key pair: [HIDDEN]${NC}"
-        read -p "Generate new manifest signing key pair? (press Enter to keep current, or type 'y' to regenerate): " regenerate_choice
-        regenerate_choice=$(strip_carriage_returns "$regenerate_choice")
-        if [ "$regenerate_choice" = "y" ] || [ "$regenerate_choice" = "Y" ]; then
-            should_generate="true"
-        fi
-    fi
-
-    if [ "$should_generate" = "true" ]; then
-        echo -e "${YELLOW}Generating manifest signing RSA key pair...${NC}"
-        if generate_manifest_signing_key_pair; then
-            echo -e "${GREEN}✅ Manifest signing key pair generated${NC}"
-        else
-            echo -e "${RED}❌ Error: Failed to generate manifest signing key pair${NC}"
-            exit 1
-        fi
-    else
-        echo -e "${GREEN}✅ Keeping current manifest signing key pair${NC}"
-    fi
-
-    if [ -z "$MANIFEST_SIGNING_KEY_ID" ] || is_placeholder "$MANIFEST_SIGNING_KEY_ID" || [ "$should_generate" = "true" ]; then
-        local generated_key_id
-        generated_key_id=$(generate_worker_subdomain_label)
-        if [ -z "$generated_key_id" ] || [ ${#generated_key_id} -ne 10 ]; then
-            echo -e "${RED}❌ Error: Failed to generate MANIFEST_SIGNING_KEY_ID${NC}"
-            exit 1
-        fi
-        MANIFEST_SIGNING_KEY_ID="$generated_key_id"
-        export MANIFEST_SIGNING_KEY_ID
-        write_env_var "MANIFEST_SIGNING_KEY_ID" "$MANIFEST_SIGNING_KEY_ID"
-        echo -e "${GREEN}✅ MANIFEST_SIGNING_KEY_ID generated: $MANIFEST_SIGNING_KEY_ID${NC}"
-    else
-        echo -e "${GREEN}✅ MANIFEST_SIGNING_KEY_ID: $MANIFEST_SIGNING_KEY_ID${NC}"
-    fi
-
-    echo ""
-}
-
-generate_export_encryption_key_pair() {
-    local private_key_file
-    local public_key_file
-    private_key_file=$(mktemp)
-    public_key_file=$(mktemp)
-
-    if ! node -e "const { generateKeyPairSync } = require('crypto'); const fs = require('fs'); const pair = generateKeyPairSync('rsa', { modulusLength: 2048, publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem' } }); fs.writeFileSync(process.argv[1], pair.privateKey, 'utf8'); fs.writeFileSync(process.argv[2], pair.publicKey, 'utf8');" "$private_key_file" "$public_key_file"; then
-        rm -f "$private_key_file" "$public_key_file"
-        return 1
-    fi
-
-    local private_key_pem
-    local public_key_pem
-    private_key_pem=$(cat "$private_key_file")
-    public_key_pem=$(cat "$public_key_file")
-    rm -f "$private_key_file" "$public_key_file"
-
-    private_key_pem="${private_key_pem//$'\r'/}"
-    public_key_pem="${public_key_pem//$'\r'/}"
-
-    EXPORT_ENCRYPTION_PRIVATE_KEY="${private_key_pem//$'\n'/\\n}"
-    EXPORT_ENCRYPTION_PUBLIC_KEY="${public_key_pem//$'\n'/\\n}"
-
-    export EXPORT_ENCRYPTION_PRIVATE_KEY
-    export EXPORT_ENCRYPTION_PUBLIC_KEY
-
-    write_env_var "EXPORT_ENCRYPTION_PRIVATE_KEY" "$EXPORT_ENCRYPTION_PRIVATE_KEY"
-    write_env_var "EXPORT_ENCRYPTION_PUBLIC_KEY" "$EXPORT_ENCRYPTION_PUBLIC_KEY"
-
-    return 0
-}
-
-configure_export_encryption_credentials() {
-    echo -e "${BLUE}🔐 EXPORT ENCRYPTION CONFIGURATION${NC}"
-    echo "================================="
-
-    local should_generate="false"
-    local regenerate_choice=""
-
-    if [ "$update_env" = "true" ]; then
-        should_generate="true"
-    elif [ -z "$EXPORT_ENCRYPTION_PRIVATE_KEY" ] || is_placeholder "$EXPORT_ENCRYPTION_PRIVATE_KEY" || [ -z "$EXPORT_ENCRYPTION_PUBLIC_KEY" ] || is_placeholder "$EXPORT_ENCRYPTION_PUBLIC_KEY"; then
-        should_generate="true"
-    else
-        echo -e "${GREEN}Current export encryption key pair: [HIDDEN]${NC}"
-        read -p "Generate new export encryption key pair? (press Enter to keep current, or type 'y' to regenerate): " regenerate_choice
-        regenerate_choice=$(strip_carriage_returns "$regenerate_choice")
-        if [ "$regenerate_choice" = "y" ] || [ "$regenerate_choice" = "Y" ]; then
-            should_generate="true"
-        fi
-    fi
-
-    if [ "$should_generate" = "true" ]; then
-        echo -e "${YELLOW}Generating export encryption RSA key pair...${NC}"
-        if generate_export_encryption_key_pair; then
-            echo -e "${GREEN}✅ Export encryption key pair generated${NC}"
-        else
-            echo -e "${RED}❌ Error: Failed to generate export encryption key pair${NC}"
-            exit 1
-        fi
-    else
-        echo -e "${GREEN}✅ Keeping current export encryption key pair${NC}"
-    fi
-
-    if [ -z "$EXPORT_ENCRYPTION_KEY_ID" ] || is_placeholder "$EXPORT_ENCRYPTION_KEY_ID" || [ "$should_generate" = "true" ]; then
-        local generated_key_id
-        generated_key_id=$(generate_worker_subdomain_label)
-        if [ -z "$generated_key_id" ] || [ ${#generated_key_id} -ne 10 ]; then
-            echo -e "${RED}❌ Error: Failed to generate EXPORT_ENCRYPTION_KEY_ID${NC}"
-            exit 1
-        fi
-        EXPORT_ENCRYPTION_KEY_ID="$generated_key_id"
-        export EXPORT_ENCRYPTION_KEY_ID
-        write_env_var "EXPORT_ENCRYPTION_KEY_ID" "$EXPORT_ENCRYPTION_KEY_ID"
-        echo -e "${GREEN}✅ EXPORT_ENCRYPTION_KEY_ID generated: $EXPORT_ENCRYPTION_KEY_ID${NC}"
-    else
-        echo -e "${GREEN}✅ EXPORT_ENCRYPTION_KEY_ID: $EXPORT_ENCRYPTION_KEY_ID${NC}"
-    fi
-
-    echo ""
-}
+DEPLOY_CONFIG_MODULES_DIR="$SCRIPT_DIR/deploy-config/modules"
+DEPLOY_CONFIG_ENV_UTILS_MODULE="$DEPLOY_CONFIG_MODULES_DIR/env-utils.sh"
 
-generate_data_at_rest_encryption_key_pair() {
-    local private_key_file
-    local public_key_file
-    private_key_file=$(mktemp)
-    public_key_file=$(mktemp)
-
-    if ! node -e "const { generateKeyPairSync } = require('crypto'); const fs = require('fs'); const pair = generateKeyPairSync('rsa', { modulusLength: 2048, publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem' } }); fs.writeFileSync(process.argv[1], pair.privateKey, 'utf8'); fs.writeFileSync(process.argv[2], pair.publicKey, 'utf8');" "$private_key_file" "$public_key_file"; then
-        rm -f "$private_key_file" "$public_key_file"
-        return 1
-    fi
-
-    local private_key_pem
-    local public_key_pem
-    private_key_pem=$(cat "$private_key_file")
-    public_key_pem=$(cat "$public_key_file")
-    rm -f "$private_key_file" "$public_key_file"
-
-    private_key_pem="${private_key_pem//$'\r'/}"
-    public_key_pem="${public_key_pem//$'\r'/}"
-
-    DATA_AT_REST_ENCRYPTION_PRIVATE_KEY="${private_key_pem//$'\n'/\\n}"
-    DATA_AT_REST_ENCRYPTION_PUBLIC_KEY="${public_key_pem//$'\n'/\\n}"
-
-    export DATA_AT_REST_ENCRYPTION_PRIVATE_KEY
-    export DATA_AT_REST_ENCRYPTION_PUBLIC_KEY
-
-    write_env_var "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY"
-    write_env_var "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"
-
-    return 0
-}
-
-configure_data_at_rest_encryption_credentials() {
-    echo -e "${BLUE}🗃️ DATA-AT-REST ENCRYPTION CONFIGURATION${NC}"
-    echo "========================================"
-
-    local current_enabled="${DATA_AT_REST_ENCRYPTION_ENABLED:-}"
-    local normalized_enabled=""
-    local enable_choice=""
-
-    current_enabled=$(strip_carriage_returns "$current_enabled")
-    normalized_enabled=$(printf '%s' "$current_enabled" | tr '[:upper:]' '[:lower:]')
-
-    if [ -z "$normalized_enabled" ] || is_placeholder "$normalized_enabled"; then
-        DATA_AT_REST_ENCRYPTION_ENABLED="false"
-    elif [ "$normalized_enabled" = "1" ] || [ "$normalized_enabled" = "true" ] || [ "$normalized_enabled" = "yes" ] || [ "$normalized_enabled" = "on" ]; then
-        DATA_AT_REST_ENCRYPTION_ENABLED="true"
-    else
-        DATA_AT_REST_ENCRYPTION_ENABLED="false"
-    fi
-
-    if [ "$update_env" != "true" ]; then
-        read -p "Enable data-at-rest encryption for new writes? (y/N, Enter keeps current): " enable_choice
-        enable_choice=$(strip_carriage_returns "$enable_choice")
-        case "$enable_choice" in
-            y|Y|yes|YES)
-                DATA_AT_REST_ENCRYPTION_ENABLED="true"
-                ;;
-            n|N|no|NO)
-                DATA_AT_REST_ENCRYPTION_ENABLED="false"
-                ;;
-            "")
-                ;;
-            *)
-                echo -e "${YELLOW}⚠️  Unrecognized choice '$enable_choice'; keeping current setting${NC}"
-                ;;
-        esac
-    fi
-
-    export DATA_AT_REST_ENCRYPTION_ENABLED
-    write_env_var "DATA_AT_REST_ENCRYPTION_ENABLED" "$DATA_AT_REST_ENCRYPTION_ENABLED"
-    echo -e "${GREEN}✅ DATA_AT_REST_ENCRYPTION_ENABLED: $DATA_AT_REST_ENCRYPTION_ENABLED${NC}"
-
-    local should_generate="false"
-    local regenerate_choice=""
-
-    if [ "$update_env" = "true" ]; then
-        should_generate="true"
-    elif [ -z "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" || [ -z "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"; then
-        should_generate="true"
-    else
-        echo -e "${GREEN}Current data-at-rest encryption key pair: [HIDDEN]${NC}"
-        read -p "Generate new data-at-rest encryption key pair? (press Enter to keep current, or type 'y' to regenerate): " regenerate_choice
-        regenerate_choice=$(strip_carriage_returns "$regenerate_choice")
-        if [ "$regenerate_choice" = "y" ] || [ "$regenerate_choice" = "Y" ]; then
-            should_generate="true"
-        fi
-    fi
-
-    if [ "$should_generate" = "true" ]; then
-        echo -e "${YELLOW}Generating data-at-rest encryption RSA key pair...${NC}"
-        if generate_data_at_rest_encryption_key_pair; then
-            echo -e "${GREEN}✅ Data-at-rest encryption key pair generated${NC}"
-        else
-            echo -e "${RED}❌ Error: Failed to generate data-at-rest encryption key pair${NC}"
-            exit 1
-        fi
-    else
-        echo -e "${GREEN}✅ Keeping current data-at-rest encryption key pair${NC}"
-    fi
-
-    if [ -z "$DATA_AT_REST_ENCRYPTION_KEY_ID" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_KEY_ID" || [ "$should_generate" = "true" ]; then
-        local generated_key_id
-        generated_key_id=$(generate_worker_subdomain_label)
-        if [ -z "$generated_key_id" ] || [ ${#generated_key_id} -ne 10 ]; then
-            echo -e "${RED}❌ Error: Failed to generate DATA_AT_REST_ENCRYPTION_KEY_ID${NC}"
-            exit 1
-        fi
-        DATA_AT_REST_ENCRYPTION_KEY_ID="$generated_key_id"
-        export DATA_AT_REST_ENCRYPTION_KEY_ID
-        write_env_var "DATA_AT_REST_ENCRYPTION_KEY_ID" "$DATA_AT_REST_ENCRYPTION_KEY_ID"
-        echo -e "${GREEN}✅ DATA_AT_REST_ENCRYPTION_KEY_ID generated: $DATA_AT_REST_ENCRYPTION_KEY_ID${NC}"
-    else
-        echo -e "${GREEN}✅ DATA_AT_REST_ENCRYPTION_KEY_ID: $DATA_AT_REST_ENCRYPTION_KEY_ID${NC}"
-    fi
-
-    echo ""
-}
-
-validate_data_at_rest_encryption_settings() {
-    local enabled_normalized
-    enabled_normalized=$(printf '%s' "${DATA_AT_REST_ENCRYPTION_ENABLED:-false}" | tr '[:upper:]' '[:lower:]')
-
-    if [ "$enabled_normalized" = "1" ] || [ "$enabled_normalized" = "true" ] || [ "$enabled_normalized" = "yes" ] || [ "$enabled_normalized" = "on" ]; then
-        if [ -z "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_PRIVATE_KEY"; then
-            echo -e "${RED}❌ Error: DATA_AT_REST_ENCRYPTION_PRIVATE_KEY is required when DATA_AT_REST_ENCRYPTION_ENABLED is true${NC}"
-            exit 1
-        fi
-
-        if [ -z "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"; then
-            echo -e "${RED}❌ Error: DATA_AT_REST_ENCRYPTION_PUBLIC_KEY is required when DATA_AT_REST_ENCRYPTION_ENABLED is true${NC}"
-            exit 1
-        fi
-
-        if [ -z "$DATA_AT_REST_ENCRYPTION_KEY_ID" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_KEY_ID"; then
-            echo -e "${RED}❌ Error: DATA_AT_REST_ENCRYPTION_KEY_ID is required when DATA_AT_REST_ENCRYPTION_ENABLED is true${NC}"
-            exit 1
-        fi
-    fi
-}
-
-# Validate required variables
-required_vars=(
-    # Core Cloudflare Configuration
-    "ACCOUNT_ID"
-    
-    # Shared Authentication & Storage
-    "USER_DB_AUTH"
-    "R2_KEY_SECRET"
-    "IMAGES_API_TOKEN"
-    
-    # Firebase Auth Configuration
-    "API_KEY"
-    "AUTH_DOMAIN"
-    "PROJECT_ID"
-    "STORAGE_BUCKET"
-    "MESSAGING_SENDER_ID"
-    "APP_ID"
-    "MEASUREMENT_ID"
-    "FIREBASE_SERVICE_ACCOUNT_EMAIL"
-    "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY"
-    
-    # Pages Configuration
-    "PAGES_PROJECT_NAME"
-    "PAGES_CUSTOM_DOMAIN"
-    
-    # Worker Names (required for config replacement)
-    "KEYS_WORKER_NAME"
-    "USER_WORKER_NAME"
-    "DATA_WORKER_NAME"
-    "AUDIT_WORKER_NAME"
-    "IMAGES_WORKER_NAME"
-    "PDF_WORKER_NAME"
-    
-    # Worker Domains (required for proxy/env secrets and worker fallbacks)
-    "KEYS_WORKER_DOMAIN"
-    "USER_WORKER_DOMAIN"
-    "DATA_WORKER_DOMAIN"
-    "AUDIT_WORKER_DOMAIN"
-    "IMAGES_WORKER_DOMAIN"
-    "PDF_WORKER_DOMAIN"
-    
-    # Storage Configuration (required for config replacement)
-    "DATA_BUCKET_NAME"
-    "AUDIT_BUCKET_NAME"
-    "FILES_BUCKET_NAME"
-    "KV_STORE_ID"
-    
-    # Worker-Specific Secrets (required for deployment)
-    "KEYS_AUTH"
-    "PDF_WORKER_AUTH"
-    "ACCOUNT_HASH"
-    "BROWSER_API_TOKEN"
-    "MANIFEST_SIGNING_PRIVATE_KEY"
-    "MANIFEST_SIGNING_KEY_ID"
-    "MANIFEST_SIGNING_PUBLIC_KEY"
-    "EXPORT_ENCRYPTION_PRIVATE_KEY"
-    "EXPORT_ENCRYPTION_KEY_ID"
-    "EXPORT_ENCRYPTION_PUBLIC_KEY"
-)
-
-validate_required_vars() {
-    echo -e "${YELLOW}🔍 Validating required environment variables...${NC}"
-    for var in "${required_vars[@]}"; do
-        if [ -z "${!var}" ] || is_placeholder "${!var}"; then
-            echo -e "${RED}❌ Error: $var is not set in .env file or is a placeholder${NC}"
-            exit 1
-        fi
-    done
-    echo -e "${GREEN}✅ All required variables found${NC}"
-}
-
-assert_file_exists() {
-    local file_path=$1
-
-    if [ ! -f "$file_path" ]; then
-        echo -e "${RED}❌ Error: required file is missing: $file_path${NC}"
-        exit 1
-    fi
-}
-
-assert_contains_literal() {
-    local file_path=$1
-    local literal=$2
-    local description=$3
-
-    if ! grep -Fq -- "$literal" "$file_path"; then
-        echo -e "${RED}❌ Error: ${description}${NC}"
-        echo -e "${YELLOW}   Expected to find '$literal' in $file_path${NC}"
-        exit 1
-    fi
-}
-
-assert_no_match_in_file() {
-    local file_path=$1
-    local pattern=$2
-    local description=$3
-    local matches
-
-    matches=$(grep -En "$pattern" "$file_path" | head -n 3 || true)
-    if [ -n "$matches" ]; then
-        echo -e "${RED}❌ Error: ${description}${NC}"
-        echo -e "${YELLOW}   First matching lines in $file_path:${NC}"
-        echo "$matches"
-        exit 1
-    fi
-}
-
-validate_json_file() {
-    local file_path=$1
-
-    if ! node -e "const fs=require('fs'); JSON.parse(fs.readFileSync(process.argv[1], 'utf8'));" "$file_path" > /dev/null 2>&1; then
-        echo -e "${RED}❌ Error: invalid JSON in $file_path${NC}"
-        exit 1
-    fi
-}
-
-validate_domain_var() {
-    local var_name=$1
-    local value="${!var_name}"
-    local normalized
-
-    value=$(strip_carriage_returns "$value")
-    normalized=$(normalize_domain_value "$value")
-
-    if [ -z "$value" ] || is_placeholder "$value"; then
-        echo -e "${RED}❌ Error: $var_name is missing or placeholder${NC}"
-        exit 1
-    fi
-
-    if [ "$value" != "$normalized" ]; then
-        echo -e "${RED}❌ Error: $var_name must not include protocol, trailing slash, or surrounding whitespace${NC}"
-        echo -e "${YELLOW}   Use '$normalized' instead${NC}"
-        exit 1
-    fi
-
-    if [[ "$value" == */* ]]; then
-        echo -e "${RED}❌ Error: $var_name must be a bare domain (no path segments)${NC}"
-        exit 1
-    fi
-}
-
-validate_env_value_formats() {
-    echo -e "${YELLOW}🔍 Validating environment value formats...${NC}"
-
-    validate_domain_var "PAGES_CUSTOM_DOMAIN"
-    validate_domain_var "KEYS_WORKER_DOMAIN"
-    validate_domain_var "USER_WORKER_DOMAIN"
-    validate_domain_var "DATA_WORKER_DOMAIN"
-    validate_domain_var "AUDIT_WORKER_DOMAIN"
-    validate_domain_var "IMAGES_WORKER_DOMAIN"
-    validate_domain_var "PDF_WORKER_DOMAIN"
-
-    if ! [[ "$KV_STORE_ID" =~ ^([0-9a-fA-F]{32}|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$ ]]; then
-        echo -e "${RED}❌ Error: KV_STORE_ID must be a 32-character hex namespace ID (or UUID format)${NC}"
-        exit 1
-    fi
-
-    if [[ "$ACCOUNT_ID" =~ [[:space:]] ]]; then
-        echo -e "${RED}❌ Error: ACCOUNT_ID must not contain whitespace${NC}"
-        exit 1
-    fi
-
-    echo -e "${GREEN}✅ Environment value formats look valid${NC}"
-}
-
-validate_env_file_entries() {
-    local var_name
-    local escaped_var_name
-    local count
-
-    echo -e "${YELLOW}🔍 Verifying required .env entries...${NC}"
-    for var_name in "${required_vars[@]}"; do
-        escaped_var_name=$(escape_for_sed_pattern "$var_name")
-        count=$(grep -c "^$escaped_var_name=" .env || true)
-
-        if [ "$count" -lt 1 ]; then
-            echo -e "${RED}❌ Error: missing .env entry for $var_name${NC}"
-            exit 1
-        fi
-    done
-    echo -e "${GREEN}✅ Required .env entries found${NC}"
-}
-
-validate_generated_configs() {
-    echo -e "${YELLOW}🔍 Running generated configuration checkpoint validations...${NC}"
-
-    local required_files=(
-        "wrangler.toml"
-        "app/config/config.json"
-        "app/config/firebase.ts"
-        "app/config/admin-service.json"
-        "app/routes/auth/login.tsx"
-        "app/routes/auth/login.module.css"
-        "workers/audit-worker/wrangler.jsonc"
-        "workers/data-worker/wrangler.jsonc"
-        "workers/image-worker/wrangler.jsonc"
-        "workers/keys-worker/wrangler.jsonc"
-        "workers/pdf-worker/wrangler.jsonc"
-        "workers/user-worker/wrangler.jsonc"
-        "workers/audit-worker/src/audit-worker.ts"
-        "workers/data-worker/src/data-worker.ts"
-        "workers/image-worker/src/image-worker.ts"
-        "workers/keys-worker/src/keys.ts"
-        "workers/pdf-worker/src/pdf-worker.ts"
-        "workers/user-worker/src/user-worker.ts"
-    )
-
-    local file_path
-    for file_path in "${required_files[@]}"; do
-        assert_file_exists "$file_path"
-    done
-
-    validate_json_file "app/config/config.json"
-    validate_json_file "app/config/admin-service.json"
-
-    assert_contains_literal "wrangler.toml" "\"$PAGES_PROJECT_NAME\"" "PAGES_PROJECT_NAME was not applied to wrangler.toml"
-
-    assert_contains_literal "workers/keys-worker/wrangler.jsonc" "$KEYS_WORKER_NAME" "KEYS_WORKER_NAME was not applied"
-    assert_contains_literal "workers/user-worker/wrangler.jsonc" "$USER_WORKER_NAME" "USER_WORKER_NAME was not applied"
-    assert_contains_literal "workers/data-worker/wrangler.jsonc" "$DATA_WORKER_NAME" "DATA_WORKER_NAME was not applied"
-    assert_contains_literal "workers/audit-worker/wrangler.jsonc" "$AUDIT_WORKER_NAME" "AUDIT_WORKER_NAME was not applied"
-    assert_contains_literal "workers/image-worker/wrangler.jsonc" "$IMAGES_WORKER_NAME" "IMAGES_WORKER_NAME was not applied"
-    assert_contains_literal "workers/pdf-worker/wrangler.jsonc" "$PDF_WORKER_NAME" "PDF_WORKER_NAME was not applied"
-
-    assert_contains_literal "workers/keys-worker/wrangler.jsonc" "$ACCOUNT_ID" "ACCOUNT_ID missing in keys worker config"
-    assert_contains_literal "workers/user-worker/wrangler.jsonc" "$ACCOUNT_ID" "ACCOUNT_ID missing in user worker config"
-    assert_contains_literal "workers/data-worker/wrangler.jsonc" "$ACCOUNT_ID" "ACCOUNT_ID missing in data worker config"
-    assert_contains_literal "workers/audit-worker/wrangler.jsonc" "$ACCOUNT_ID" "ACCOUNT_ID missing in audit worker config"
-    assert_contains_literal "workers/image-worker/wrangler.jsonc" "$ACCOUNT_ID" "ACCOUNT_ID missing in image worker config"
-    assert_contains_literal "workers/pdf-worker/wrangler.jsonc" "$ACCOUNT_ID" "ACCOUNT_ID missing in pdf worker config"
-
-    assert_contains_literal "workers/data-worker/wrangler.jsonc" "$DATA_BUCKET_NAME" "DATA_BUCKET_NAME missing in data worker config"
-    assert_contains_literal "workers/audit-worker/wrangler.jsonc" "$AUDIT_BUCKET_NAME" "AUDIT_BUCKET_NAME missing in audit worker config"
-    assert_contains_literal "workers/image-worker/wrangler.jsonc" "$FILES_BUCKET_NAME" "FILES_BUCKET_NAME missing in image worker config"
-    assert_contains_literal "workers/user-worker/wrangler.jsonc" "$KV_STORE_ID" "KV_STORE_ID missing in user worker config"
-
-    assert_contains_literal "app/config/config.json" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in app/config/config.json"
-    assert_contains_literal "app/config/config.json" "$ACCOUNT_HASH" "ACCOUNT_HASH missing in app/config/config.json"
-    assert_contains_literal "app/config/config.json" "$EXPORT_ENCRYPTION_KEY_ID" "EXPORT_ENCRYPTION_KEY_ID missing in app/config/config.json"
-    assert_contains_literal "app/config/config.json" "\"export_encryption_public_key\":" "export_encryption_public_key missing in app/config/config.json"
-    assert_contains_literal "app/routes/auth/login.tsx" "const APP_CANONICAL_ORIGIN = 'https://$PAGES_CUSTOM_DOMAIN';" "PAGES_CUSTOM_DOMAIN missing in app/routes/auth/login.tsx canonical origin"
+if [ ! -f "$DEPLOY_CONFIG_ENV_UTILS_MODULE" ]; then
+    echo -e "${RED}❌ Error: Required deploy-config module not found: $DEPLOY_CONFIG_ENV_UTILS_MODULE${NC}"
+    exit 1
+fi
 
-    assert_contains_literal "app/config/firebase.ts" "$API_KEY" "API_KEY missing in app/config/firebase.ts"
-    assert_contains_literal "app/config/firebase.ts" "$AUTH_DOMAIN" "AUTH_DOMAIN missing in app/config/firebase.ts"
-    assert_contains_literal "app/config/firebase.ts" "$PROJECT_ID" "PROJECT_ID missing in app/config/firebase.ts"
-    assert_contains_literal "app/config/firebase.ts" "$STORAGE_BUCKET" "STORAGE_BUCKET missing in app/config/firebase.ts"
-    assert_contains_literal "app/config/firebase.ts" "$MESSAGING_SENDER_ID" "MESSAGING_SENDER_ID missing in app/config/firebase.ts"
-    assert_contains_literal "app/config/firebase.ts" "$APP_ID" "APP_ID missing in app/config/firebase.ts"
-    assert_contains_literal "app/config/firebase.ts" "$MEASUREMENT_ID" "MEASUREMENT_ID missing in app/config/firebase.ts"
+source "$DEPLOY_CONFIG_ENV_UTILS_MODULE"
 
-    assert_contains_literal "workers/audit-worker/src/audit-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in audit-worker source"
-    assert_contains_literal "workers/data-worker/src/data-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in data-worker source"
-    assert_contains_literal "workers/image-worker/src/image-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in image-worker source"
-    assert_contains_literal "workers/keys-worker/src/keys.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in keys-worker source"
-    assert_contains_literal "workers/pdf-worker/src/pdf-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in pdf-worker source"
-    assert_contains_literal "workers/user-worker/src/user-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in user-worker source"
+DEPLOY_CONFIG_KEYS_MODULE="$DEPLOY_CONFIG_MODULES_DIR/keys.sh"
+DEPLOY_CONFIG_VALIDATION_MODULE="$DEPLOY_CONFIG_MODULES_DIR/validation.sh"
+DEPLOY_CONFIG_SCAFFOLDING_MODULE="$DEPLOY_CONFIG_MODULES_DIR/scaffolding.sh"
+DEPLOY_CONFIG_PROMPT_MODULE="$DEPLOY_CONFIG_MODULES_DIR/prompt.sh"
 
-    local placeholder_pattern
-    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|KEYS_WORKER_NAME|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|KEYS_WORKER_DOMAIN|USER_WORKER_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN|PDF_WORKER_DOMAIN|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|KV_STORE_ID|ACCOUNT_HASH|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\"|'(PAGES_CUSTOM_DOMAIN|DATA_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN)')"
+if [ ! -f "$DEPLOY_CONFIG_KEYS_MODULE" ]; then
+    echo -e "${RED}❌ Error: Required deploy-config module not found: $DEPLOY_CONFIG_KEYS_MODULE${NC}"
+    exit 1
+fi
 
-    local files_to_scan=(
-        "wrangler.toml"
-        "workers/audit-worker/wrangler.jsonc"
-        "workers/data-worker/wrangler.jsonc"
-        "workers/image-worker/wrangler.jsonc"
-        "workers/keys-worker/wrangler.jsonc"
-        "workers/pdf-worker/wrangler.jsonc"
-        "workers/user-worker/wrangler.jsonc"
-        "workers/audit-worker/src/audit-worker.ts"
-        "workers/data-worker/src/data-worker.ts"
-        "workers/image-worker/src/image-worker.ts"
-        "workers/keys-worker/src/keys.ts"
-        "workers/pdf-worker/src/pdf-worker.ts"
-        "workers/user-worker/src/user-worker.ts"
-        "app/config/config.json"
-        "app/config/firebase.ts"
-        "app/routes/auth/login.tsx"
-    )
+if [ ! -f "$DEPLOY_CONFIG_VALIDATION_MODULE" ]; then
+    echo -e "${RED}❌ Error: Required deploy-config module not found: $DEPLOY_CONFIG_VALIDATION_MODULE${NC}"
+    exit 1
+fi
 
-    for file_path in "${files_to_scan[@]}"; do
-        assert_no_match_in_file "$file_path" "$placeholder_pattern" "Unresolved placeholder token found after config update"
-    done
+if [ ! -f "$DEPLOY_CONFIG_SCAFFOLDING_MODULE" ]; then
+    echo -e "${RED}❌ Error: Required deploy-config module not found: $DEPLOY_CONFIG_SCAFFOLDING_MODULE${NC}"
+    exit 1
+fi
 
-    echo -e "${GREEN}✅ Generated configuration checkpoint validation passed${NC}"
-}
+if [ ! -f "$DEPLOY_CONFIG_PROMPT_MODULE" ]; then
+    echo -e "${RED}❌ Error: Required deploy-config module not found: $DEPLOY_CONFIG_PROMPT_MODULE${NC}"
+    exit 1
+fi
 
-run_validation_checkpoint() {
-    validate_required_vars
-    validate_env_value_formats
-    validate_env_file_entries
-    validate_data_at_rest_encryption_settings
-    validate_generated_configs
-}
+source "$DEPLOY_CONFIG_KEYS_MODULE"
+source "$DEPLOY_CONFIG_VALIDATION_MODULE"
+source "$DEPLOY_CONFIG_SCAFFOLDING_MODULE"
+source "$DEPLOY_CONFIG_PROMPT_MODULE"
 
 if [ "$validate_only" = "true" ]; then
     echo -e "\n${BLUE}🧪 Validate-only mode enabled${NC}"
@@ -1032,196 +207,6 @@ if [ "$validate_only" = "true" ]; then
     exit 0
 fi
 
-# Function to copy example configuration files
-copy_example_configs() {
-    echo -e "\n${BLUE}📋 Copying example configuration files...${NC}"
-    
-    # Copy app configuration files
-    echo -e "${YELLOW}  Copying app configuration files...${NC}"
-    
-    # Copy app config-example directory to config (always sync non-admin files)
-    if [ -d "app/config-example" ]; then
-        local admin_service_backup=""
-        local copied_config_files=0
-        local skipped_existing_files=0
-
-        if [ -f "app/config/admin-service.json" ]; then
-            admin_service_backup=$(mktemp)
-            cp "app/config/admin-service.json" "$admin_service_backup"
-        fi
-
-        if [ "$update_env" = "true" ]; then
-            rm -rf app/config
-        fi
-
-        mkdir -p app/config
-
-        while IFS= read -r source_file; do
-            local relative_path
-            local destination_file
-            relative_path="${source_file#app/config-example/}"
-            destination_file="app/config/$relative_path"
-
-            mkdir -p "$(dirname "$destination_file")"
-
-            if [ "$update_env" = "true" ] || [ ! -f "$destination_file" ]; then
-                cp "$source_file" "$destination_file"
-                copied_config_files=$((copied_config_files + 1))
-            else
-                skipped_existing_files=$((skipped_existing_files + 1))
-            fi
-        done < <(find app/config-example -type f ! -name "admin-service.json")
-
-        # Ensure example credentials are never copied from config-example.
-        rm -f app/config/admin-service.json
-
-        if [ -n "$admin_service_backup" ] && [ -f "$admin_service_backup" ]; then
-            cp "$admin_service_backup" "app/config/admin-service.json"
-            rm -f "$admin_service_backup"
-            echo -e "${GREEN}    ✅ app: preserved existing admin-service.json${NC}"
-        else
-            echo -e "${YELLOW}    ⚠️  app: skipped copying admin-service.json (provide your own credentials file)${NC}"
-        fi
-
-        if [ "$update_env" = "true" ]; then
-            echo -e "${GREEN}    ✅ app: config directory reset from config-example (excluding admin-service.json)${NC}"
-        else
-            echo -e "${GREEN}    ✅ app: synced missing files from config-example (excluding admin-service.json)${NC}"
-        fi
-
-        if [ "$skipped_existing_files" -gt 0 ]; then
-            echo -e "${YELLOW}    ℹ️  app: kept $skipped_existing_files existing config file(s)${NC}"
-        fi
-
-        echo -e "${GREEN}    ✅ app: copied $copied_config_files config file(s) from config-example${NC}"
-    fi
-
-    # Copy auth route template files
-    echo -e "${YELLOW}  Copying auth route template files...${NC}"
-
-    if [ -f "app/routes/auth/login.example.tsx" ] && { [ "$update_env" = "true" ] || [ ! -f "app/routes/auth/login.tsx" ]; }; then
-        cp app/routes/auth/login.example.tsx app/routes/auth/login.tsx
-        echo -e "${GREEN}    ✅ auth: login.tsx created from example${NC}"
-    elif [ -f "app/routes/auth/login.tsx" ]; then
-        echo -e "${YELLOW}    ⚠️  auth: login.tsx already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "app/routes/auth/login.module.example.css" ] && { [ "$update_env" = "true" ] || [ ! -f "app/routes/auth/login.module.css" ]; }; then
-        cp app/routes/auth/login.module.example.css app/routes/auth/login.module.css
-        echo -e "${GREEN}    ✅ auth: login.module.css created from example${NC}"
-    elif [ -f "app/routes/auth/login.module.css" ]; then
-        echo -e "${YELLOW}    ⚠️  auth: login.module.css already exists, skipping copy${NC}"
-    fi
-    
-    # Navigate to each worker directory and copy the example file
-    echo -e "${YELLOW}  Copying worker configuration files...${NC}"
-    
-    cd workers/keys-worker
-    if [ -f "wrangler.jsonc.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.jsonc" ]; }; then
-        cp wrangler.jsonc.example wrangler.jsonc
-        echo -e "${GREEN}    ✅ keys-worker: wrangler.jsonc created from example${NC}"
-    elif [ -f "wrangler.jsonc" ]; then
-        echo -e "${YELLOW}    ⚠️  keys-worker: wrangler.jsonc already exists, skipping copy${NC}"
-    fi
-
-    cd ../user-worker
-    if [ -f "wrangler.jsonc.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.jsonc" ]; }; then
-        cp wrangler.jsonc.example wrangler.jsonc
-        echo -e "${GREEN}    ✅ user-worker: wrangler.jsonc created from example${NC}"
-    elif [ -f "wrangler.jsonc" ]; then
-        echo -e "${YELLOW}    ⚠️  user-worker: wrangler.jsonc already exists, skipping copy${NC}"
-    fi
-
-    cd ../data-worker
-    if [ -f "wrangler.jsonc.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.jsonc" ]; }; then
-        cp wrangler.jsonc.example wrangler.jsonc
-        echo -e "${GREEN}    ✅ data-worker: wrangler.jsonc created from example${NC}"
-    elif [ -f "wrangler.jsonc" ]; then
-        echo -e "${YELLOW}    ⚠️  data-worker: wrangler.jsonc already exists, skipping copy${NC}"
-    fi
-
-    cd ../audit-worker
-    if [ -f "wrangler.jsonc.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.jsonc" ]; }; then
-        cp wrangler.jsonc.example wrangler.jsonc
-        echo -e "${GREEN}    ✅ audit-worker: wrangler.jsonc created from example${NC}"
-    elif [ -f "wrangler.jsonc" ]; then
-        echo -e "${YELLOW}    ⚠️  audit-worker: wrangler.jsonc already exists, skipping copy${NC}"
-    fi
-
-    cd ../image-worker
-    if [ -f "wrangler.jsonc.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.jsonc" ]; }; then
-        cp wrangler.jsonc.example wrangler.jsonc
-        echo -e "${GREEN}    ✅ image-worker: wrangler.jsonc created from example${NC}"
-    elif [ -f "wrangler.jsonc" ]; then
-        echo -e "${YELLOW}    ⚠️  image-worker: wrangler.jsonc already exists, skipping copy${NC}"
-    fi
-
-    cd ../pdf-worker
-    if [ -f "wrangler.jsonc.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.jsonc" ]; }; then
-        cp wrangler.jsonc.example wrangler.jsonc
-        echo -e "${GREEN}    ✅ pdf-worker: wrangler.jsonc created from example${NC}"
-    elif [ -f "wrangler.jsonc" ]; then
-        echo -e "${YELLOW}    ⚠️  pdf-worker: wrangler.jsonc already exists, skipping copy${NC}"
-    fi
-
-    # Return to project root
-    cd ../..
-
-    # Copy worker source template files
-    echo -e "${YELLOW}  Copying worker source template files...${NC}"
-
-    if [ -f "workers/keys-worker/src/keys.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/keys-worker/src/keys.ts" ]; }; then
-        cp workers/keys-worker/src/keys.example.ts workers/keys-worker/src/keys.ts
-        echo -e "${GREEN}    ✅ keys-worker: keys.ts created from example${NC}"
-    elif [ -f "workers/keys-worker/src/keys.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  keys-worker: keys.ts already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "workers/user-worker/src/user-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/user-worker/src/user-worker.ts" ]; }; then
-        cp workers/user-worker/src/user-worker.example.ts workers/user-worker/src/user-worker.ts
-        echo -e "${GREEN}    ✅ user-worker: user-worker.ts created from example${NC}"
-    elif [ -f "workers/user-worker/src/user-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  user-worker: user-worker.ts already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "workers/data-worker/src/data-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/data-worker/src/data-worker.ts" ]; }; then
-        cp workers/data-worker/src/data-worker.example.ts workers/data-worker/src/data-worker.ts
-        echo -e "${GREEN}    ✅ data-worker: data-worker.ts created from example${NC}"
-    elif [ -f "workers/data-worker/src/data-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  data-worker: data-worker.ts already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "workers/audit-worker/src/audit-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/audit-worker/src/audit-worker.ts" ]; }; then
-        cp workers/audit-worker/src/audit-worker.example.ts workers/audit-worker/src/audit-worker.ts
-        echo -e "${GREEN}    ✅ audit-worker: audit-worker.ts created from example${NC}"
-    elif [ -f "workers/audit-worker/src/audit-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  audit-worker: audit-worker.ts already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "workers/image-worker/src/image-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/image-worker/src/image-worker.ts" ]; }; then
-        cp workers/image-worker/src/image-worker.example.ts workers/image-worker/src/image-worker.ts
-        echo -e "${GREEN}    ✅ image-worker: image-worker.ts created from example${NC}"
-    elif [ -f "workers/image-worker/src/image-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  image-worker: image-worker.ts already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "workers/pdf-worker/src/pdf-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/pdf-worker/src/pdf-worker.ts" ]; }; then
-        cp workers/pdf-worker/src/pdf-worker.example.ts workers/pdf-worker/src/pdf-worker.ts
-        echo -e "${GREEN}    ✅ pdf-worker: pdf-worker.ts created from example${NC}"
-    elif [ -f "workers/pdf-worker/src/pdf-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  pdf-worker: pdf-worker.ts already exists, skipping copy${NC}"
-    fi
-    
-    # Copy main wrangler.toml from example
-    if [ -f "wrangler.toml.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.toml" ]; }; then
-        cp wrangler.toml.example wrangler.toml
-        echo -e "${GREEN}    ✅ root: wrangler.toml created from example${NC}"
-    elif [ -f "wrangler.toml" ]; then
-        echo -e "${YELLOW}    ⚠️  root: wrangler.toml already exists, skipping copy${NC}"
-    fi
-    
-    echo -e "${GREEN}✅ Configuration file copying completed${NC}"
-}
 
 # Copy example configuration files
 copy_example_configs
@@ -1229,494 +214,12 @@ copy_example_configs
 # Load required Firebase admin service credentials from app/config/admin-service.json
 load_admin_service_credentials
 
-# Function to prompt for environment variables and update .env file
-prompt_for_secrets() {
-    echo -e "\n${BLUE}🔐 Environment Variables Setup${NC}"
-    echo "=============================="
-    echo -e "${YELLOW}Please provide values for the following environment variables.${NC}"
-    echo -e "${YELLOW}Press Enter to keep existing values (if any).${NC}"
-    echo ""
-    
-    # Create or backup existing .env
-    if [ -f ".env" ] && [ "$update_env" != "true" ]; then
-        cp .env .env.backup
-        echo -e "${GREEN}📄 Existing .env backed up to .env.backup${NC}"
-    fi
-    
-    # Copy .env.example to .env if it doesn't exist
-    if [ ! -f ".env" ]; then
-        cp .env.example .env
-        echo -e "${GREEN}📄 Created .env from .env.example${NC}"
-    fi
-    
-    # Function to prompt for a variable
-    prompt_for_var() {
-        local var_name=$1
-        local description=$2
-        local current_value="${!var_name}"
-        local new_value=""
-        local allow_keep="false"
-
-        current_value=$(strip_carriage_returns "$current_value")
-
-        if [ "$var_name" = "PAGES_CUSTOM_DOMAIN" ]; then
-            current_value=$(resolve_existing_domain_value "$var_name" "$current_value")
-        fi
-        
-        # Auto-generate specific authentication secrets - but allow keeping current
-        if [ "$var_name" = "USER_DB_AUTH" ] || [ "$var_name" = "R2_KEY_SECRET" ] || [ "$var_name" = "KEYS_AUTH" ] || [ "$var_name" = "PDF_WORKER_AUTH" ]; then
-            echo -e "${BLUE}$var_name${NC}"
-            echo -e "${YELLOW}$description${NC}"
-            
-            if [ "$update_env" != "true" ] && [ -n "$current_value" ] && ! is_placeholder "$current_value" && [ "$current_value" != "your_custom_user_db_auth_token_here" ] && [ "$current_value" != "your_custom_r2_secret_here" ] && [ "$current_value" != "your_custom_keys_auth_token_here" ] && [ "$current_value" != "your_custom_pdf_worker_auth_token_here" ]; then
-                # Current value exists and is not a placeholder
-                echo -e "${GREEN}Current value: [HIDDEN]${NC}"
-                read -p "Generate new secret? (press Enter to keep current, or type 'y' to generate): " gen_choice
-                gen_choice=$(strip_carriage_returns "$gen_choice")
-                
-                if [ "$gen_choice" = "y" ] || [ "$gen_choice" = "Y" ]; then
-                    new_value=$(openssl rand -hex 32 2>/dev/null || echo "")
-                    if [ -n "$new_value" ]; then
-                        echo -e "${GREEN}✅ $var_name auto-generated${NC}"
-                    else
-                        while true; do
-                            echo -e "${RED}❌ Failed to auto-generate, please enter manually:${NC}"
-                            read -p "Enter value: " new_value
-                            new_value=$(strip_carriage_returns "$new_value")
-                            if [ -z "$new_value" ]; then
-                                echo -e "${RED}❌ A value is required.${NC}"
-                                continue
-                            fi
-                            if is_placeholder "$new_value"; then
-                                echo -e "${RED}❌ Placeholder values are not allowed.${NC}"
-                                new_value=""
-                                continue
-                            fi
-                            break
-                        done
-                    fi
-                else
-                    # User wants to keep current value
-                    new_value=""
-                fi
-            else
-                # No current value or placeholder value - auto-generate
-                echo -e "${YELLOW}Auto-generating secret...${NC}"
-                new_value=$(openssl rand -hex 32 2>/dev/null || echo "")
-                if [ -n "$new_value" ]; then
-                    echo -e "${GREEN}✅ $var_name auto-generated${NC}"
-                else
-                    while true; do
-                        echo -e "${RED}❌ Failed to auto-generate, please enter manually:${NC}"
-                        read -p "Enter value: " new_value
-                        new_value=$(strip_carriage_returns "$new_value")
-                        if [ -z "$new_value" ]; then
-                            echo -e "${RED}❌ A value is required.${NC}"
-                            continue
-                        fi
-                        if is_placeholder "$new_value"; then
-                            echo -e "${RED}❌ Placeholder values are not allowed.${NC}"
-                            new_value=""
-                            continue
-                        fi
-                        break
-                    done
-                fi
-            fi
-        else
-            # Normal prompt for other variables
-            echo -e "${BLUE}$var_name${NC}"
-            echo -e "${YELLOW}$description${NC}"
-            if [ "$update_env" != "true" ] && [ -n "$current_value" ] && ! is_placeholder "$current_value"; then
-                allow_keep="true"
-                if [ "$var_name" = "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" ]; then
-                    echo -e "${GREEN}Current value: [HIDDEN]${NC}"
-                else
-                    echo -e "${GREEN}Current value: $current_value${NC}"
-                fi
-            fi
-
-            while true; do
-                if [ "$allow_keep" = "true" ]; then
-                    read -p "New value (or press Enter to keep current): " new_value
-                    new_value=$(strip_carriage_returns "$new_value")
-                    if [ -z "$new_value" ]; then
-                        break
-                    fi
-                else
-                    read -p "Enter value: " new_value
-                    new_value=$(strip_carriage_returns "$new_value")
-                    if [ -z "$new_value" ]; then
-                        echo -e "${RED}❌ A value is required.${NC}"
-                        continue
-                    fi
-                fi
-
-                if is_placeholder "$new_value"; then
-                    echo -e "${RED}❌ Placeholder values are not allowed.${NC}"
-                    new_value=""
-                    continue
-                fi
-
-                if [[ "$var_name" == *_WORKER_NAME ]]; then
-                    new_value=$(normalize_worker_label_value "$new_value")
-
-                    if [ -z "$new_value" ] || ! is_valid_worker_label "$new_value"; then
-                        echo -e "${RED}❌ $var_name must use only lowercase letters, numbers, and dashes.${NC}"
-                        new_value=""
-                        continue
-                    fi
-                fi
-
-                break
-            done
-        fi
-        
-        if [ -n "$new_value" ]; then
-            if [ "$var_name" = "PAGES_CUSTOM_DOMAIN" ]; then
-                new_value=$(normalize_domain_value "$new_value")
-            fi
-
-            # Update the .env file
-            write_env_var "$var_name" "$new_value"
-
-            export "$var_name=$new_value"
-            echo -e "${GREEN}✅ $var_name updated${NC}"
-        elif [ -n "$current_value" ]; then
-            if [[ "$var_name" == *_WORKER_NAME ]]; then
-                current_value=$(normalize_worker_label_value "$current_value")
-            fi
-
-            # Keep values aligned with .env.example ordering and remove stale duplicates.
-            write_env_var "$var_name" "$current_value"
-            export "$var_name=$current_value"
-            echo -e "${GREEN}✅ Keeping current value for $var_name${NC}"
-        fi
-        echo ""
-    }
-
-    set_worker_domain_from_shared_subdomain() {
-        local worker_name_var=$1
-        local worker_domain_var=$2
-        local worker_name_value="${!worker_name_var}"
-        local composed_domain=""
-
-        worker_name_value=$(normalize_worker_label_value "$worker_name_value")
-
-        if [ -z "$worker_name_value" ] || ! is_valid_worker_label "$worker_name_value"; then
-            echo -e "${RED}❌ $worker_name_var must use only lowercase letters, numbers, and dashes.${NC}"
-            exit 1
-        fi
-
-        composed_domain=$(compose_worker_domain "$worker_name_value" "$shared_worker_subdomain" || echo "")
-
-        if [ -z "$composed_domain" ]; then
-            echo -e "${RED}❌ Could not build $worker_domain_var from $worker_name_var and shared worker-subdomain.${NC}"
-            exit 1
-        fi
-
-        write_env_var "$worker_domain_var" "$composed_domain"
-        export "$worker_domain_var=$composed_domain"
-        echo -e "${GREEN}✅ $worker_domain_var set to $composed_domain${NC}"
-    }
-    
-    echo -e "${BLUE}📊 CLOUDFLARE CORE CONFIGURATION${NC}"
-    echo "=================================="
-    prompt_for_var "ACCOUNT_ID" "Your Cloudflare Account ID"
-    
-    echo -e "${BLUE}🔐 SHARED AUTHENTICATION & STORAGE${NC}"
-    echo "==================================="
-    prompt_for_var "USER_DB_AUTH" "Custom user database authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "R2_KEY_SECRET" "Custom R2 storage authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "IMAGES_API_TOKEN" "Cloudflare Images API token (shared between workers)"
-    
-    echo -e "${BLUE}🔥 FIREBASE AUTH CONFIGURATION${NC}"
-    echo "==============================="
-    prompt_for_var "API_KEY" "Firebase API key"
-    prompt_for_var "AUTH_DOMAIN" "Firebase auth domain (project-id.firebaseapp.com)"
-    prompt_for_var "STORAGE_BUCKET" "Firebase storage bucket"
-    prompt_for_var "MESSAGING_SENDER_ID" "Firebase messaging sender ID"
-    prompt_for_var "APP_ID" "Firebase app ID"
-    prompt_for_var "MEASUREMENT_ID" "Firebase measurement ID (optional)"
-    echo -e "${GREEN}Using PROJECT_ID and service account values from app/config/admin-service.json${NC}"
-    
-    echo -e "${BLUE}📄 PAGES CONFIGURATION${NC}"
-    echo "======================"
-    prompt_for_var "PAGES_PROJECT_NAME" "Your Cloudflare Pages project name"
-    prompt_for_var "PAGES_CUSTOM_DOMAIN" "Your custom domain (e.g., striae.org) - DO NOT include https://"
-    
-    echo -e "${BLUE}🔑 WORKER NAMES & DOMAINS${NC}"
-    echo "========================="
-    echo -e "${YELLOW}Worker names are lowercased automatically and must use only letters, numbers, and dashes.${NC}"
-    echo -e "${YELLOW}Enter one shared worker-subdomain as a hostname (for example: team-name.workers.dev).${NC}"
-    echo -e "${YELLOW}Each worker domain is generated as {worker-name}.{worker-subdomain}.${NC}"
-
-    local shared_worker_subdomain=""
-    local shared_worker_subdomain_default=""
-    local shared_worker_subdomain_input=""
-
-    shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$KEYS_WORKER_NAME" "$KEYS_WORKER_DOMAIN")
-    if [ -z "$shared_worker_subdomain_default" ]; then
-        shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$USER_WORKER_NAME" "$USER_WORKER_DOMAIN")
-    fi
-    if [ -z "$shared_worker_subdomain_default" ]; then
-        shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$DATA_WORKER_NAME" "$DATA_WORKER_DOMAIN")
-    fi
-    if [ -z "$shared_worker_subdomain_default" ]; then
-        shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$AUDIT_WORKER_NAME" "$AUDIT_WORKER_DOMAIN")
-    fi
-    if [ -z "$shared_worker_subdomain_default" ]; then
-        shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$IMAGES_WORKER_NAME" "$IMAGES_WORKER_DOMAIN")
-    fi
-    if [ -z "$shared_worker_subdomain_default" ]; then
-        shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$PDF_WORKER_NAME" "$PDF_WORKER_DOMAIN")
-    fi
-
-    while true; do
-        echo -e "${BLUE}WORKER_SUBDOMAIN${NC}"
-
-        if [ "$update_env" != "true" ] && [ -n "$shared_worker_subdomain_default" ] && ! is_placeholder "$shared_worker_subdomain_default"; then
-            echo -e "${GREEN}Current value: $shared_worker_subdomain_default${NC}"
-            read -p "New value (or press Enter to keep current): " shared_worker_subdomain_input
-            shared_worker_subdomain_input=$(strip_carriage_returns "$shared_worker_subdomain_input")
-
-            if [ -z "$shared_worker_subdomain_input" ]; then
-                shared_worker_subdomain="$shared_worker_subdomain_default"
-            else
-                shared_worker_subdomain="$shared_worker_subdomain_input"
-            fi
-        else
-            read -p "Enter shared worker-subdomain (e.g., team-name.workers.dev): " shared_worker_subdomain_input
-            shared_worker_subdomain_input=$(strip_carriage_returns "$shared_worker_subdomain_input")
-            shared_worker_subdomain="$shared_worker_subdomain_input"
-        fi
-
-        if [ -z "$shared_worker_subdomain" ] || is_placeholder "$shared_worker_subdomain"; then
-            echo -e "${RED}❌ shared worker-subdomain is required and cannot be a placeholder.${NC}"
-            continue
-        fi
-
-        shared_worker_subdomain=$(normalize_worker_subdomain_value "$shared_worker_subdomain")
-
-        if [ -z "$shared_worker_subdomain" ] || ! is_valid_worker_subdomain "$shared_worker_subdomain"; then
-            echo -e "${RED}❌ shared worker-subdomain must be a valid hostname like team-name.workers.dev (letters, numbers, dashes, and dots).${NC}"
-            continue
-        fi
-
-        echo -e "${GREEN}✅ Shared worker-subdomain set to: $shared_worker_subdomain${NC}"
-        echo ""
-        break
-    done
-
-    prompt_for_var "KEYS_WORKER_NAME" "Keys worker name"
-    prompt_for_var "USER_WORKER_NAME" "User worker name"
-    prompt_for_var "DATA_WORKER_NAME" "Data worker name"
-    prompt_for_var "AUDIT_WORKER_NAME" "Audit worker name"
-    prompt_for_var "IMAGES_WORKER_NAME" "Images worker name"
-    prompt_for_var "PDF_WORKER_NAME" "PDF worker name"
-
-    set_worker_domain_from_shared_subdomain "KEYS_WORKER_NAME" "KEYS_WORKER_DOMAIN"
-    set_worker_domain_from_shared_subdomain "USER_WORKER_NAME" "USER_WORKER_DOMAIN"
-    set_worker_domain_from_shared_subdomain "DATA_WORKER_NAME" "DATA_WORKER_DOMAIN"
-    set_worker_domain_from_shared_subdomain "AUDIT_WORKER_NAME" "AUDIT_WORKER_DOMAIN"
-    set_worker_domain_from_shared_subdomain "IMAGES_WORKER_NAME" "IMAGES_WORKER_DOMAIN"
-    set_worker_domain_from_shared_subdomain "PDF_WORKER_NAME" "PDF_WORKER_DOMAIN"
-    echo ""
-    
-    echo -e "${BLUE}🗄️ STORAGE CONFIGURATION${NC}"
-    echo "========================="
-    prompt_for_var "DATA_BUCKET_NAME" "Your R2 bucket name for case data storage"
-    prompt_for_var "AUDIT_BUCKET_NAME" "Your R2 bucket name for audit logs (separate from data bucket)"
-    prompt_for_var "FILES_BUCKET_NAME" "Your R2 bucket name for encrypted files storage"
-    prompt_for_var "KV_STORE_ID" "Your KV namespace ID (UUID format)"
-    
-    echo -e "${BLUE}🔐 SERVICE-SPECIFIC SECRETS${NC}"
-    echo "============================"
-    prompt_for_var "KEYS_AUTH" "Keys worker authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "PDF_WORKER_AUTH" "PDF worker authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "ACCOUNT_HASH" "Cloudflare Images Account Hash"
-    prompt_for_var "BROWSER_API_TOKEN" "Cloudflare Browser Rendering API token (for PDF Worker)"
-
-    configure_manifest_signing_credentials
-    configure_export_encryption_credentials
-    configure_data_at_rest_encryption_credentials
-    
-    # Reload the updated .env file
-    source .env
-    
-    echo -e "${GREEN}🎉 Environment variables setup completed!${NC}"
-    echo -e "${BLUE}📄 All values saved to .env file${NC}"
-}
-
 # Always prompt for secrets to ensure configuration
 prompt_for_secrets
 
 # Validate after secrets have been configured
 validate_required_vars
 
-# Function to replace variables in wrangler configuration files
-update_wrangler_configs() {
-    echo -e "\n${BLUE}🔧 Updating wrangler configuration files...${NC}"
-
-    local normalized_pages_custom_domain
-    local escaped_pages_custom_domain
-
-    normalized_pages_custom_domain=$(normalize_domain_value "$PAGES_CUSTOM_DOMAIN")
-    PAGES_CUSTOM_DOMAIN="$normalized_pages_custom_domain"
-    export PAGES_CUSTOM_DOMAIN
-    write_env_var "PAGES_CUSTOM_DOMAIN" "$PAGES_CUSTOM_DOMAIN"
-    escaped_pages_custom_domain=$(escape_for_sed_replacement "$PAGES_CUSTOM_DOMAIN")
-    
-    # Audit Worker
-    if [ -f "workers/audit-worker/wrangler.jsonc" ]; then
-        echo -e "${YELLOW}  Updating audit-worker/wrangler.jsonc...${NC}"
-        sed -i "s/\"AUDIT_WORKER_NAME\"/\"$AUDIT_WORKER_NAME\"/g" workers/audit-worker/wrangler.jsonc
-        sed -i "s/\"ACCOUNT_ID\"/\"$ACCOUNT_ID\"/g" workers/audit-worker/wrangler.jsonc
-        sed -i "s/\"AUDIT_BUCKET_NAME\"/\"$AUDIT_BUCKET_NAME\"/g" workers/audit-worker/wrangler.jsonc
-        echo -e "${GREEN}    ✅ audit-worker configuration updated${NC}"
-    fi
-    
-    # Update audit-worker source file domain placeholders
-    if [ -f "workers/audit-worker/src/audit-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating audit-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/audit-worker/src/audit-worker.ts
-        echo -e "${GREEN}    ✅ audit-worker source placeholders updated${NC}"
-    fi
-    
-    # Data Worker
-    if [ -f "workers/data-worker/wrangler.jsonc" ]; then
-        echo -e "${YELLOW}  Updating data-worker/wrangler.jsonc...${NC}"
-        sed -i "s/\"DATA_WORKER_NAME\"/\"$DATA_WORKER_NAME\"/g" workers/data-worker/wrangler.jsonc
-        sed -i "s/\"ACCOUNT_ID\"/\"$ACCOUNT_ID\"/g" workers/data-worker/wrangler.jsonc
-        sed -i "s/\"DATA_BUCKET_NAME\"/\"$DATA_BUCKET_NAME\"/g" workers/data-worker/wrangler.jsonc
-        echo -e "${GREEN}    ✅ data-worker configuration updated${NC}"
-    fi
-    
-    # Update data-worker source file domain placeholders
-    if [ -f "workers/data-worker/src/data-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating data-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/data-worker/src/data-worker.ts
-        echo -e "${GREEN}    ✅ data-worker source placeholders updated${NC}"
-    fi
-    
-    # Image Worker
-    if [ -f "workers/image-worker/wrangler.jsonc" ]; then
-        echo -e "${YELLOW}  Updating image-worker/wrangler.jsonc...${NC}"
-        sed -i "s/\"IMAGES_WORKER_NAME\"/\"$IMAGES_WORKER_NAME\"/g" workers/image-worker/wrangler.jsonc
-        sed -i "s/\"ACCOUNT_ID\"/\"$ACCOUNT_ID\"/g" workers/image-worker/wrangler.jsonc
-        sed -i "s/\"FILES_BUCKET_NAME\"/\"$FILES_BUCKET_NAME\"/g" workers/image-worker/wrangler.jsonc
-        echo -e "${GREEN}    ✅ image-worker configuration updated${NC}"
-    fi
-    
-    # Update image-worker source file domain placeholders
-    if [ -f "workers/image-worker/src/image-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating image-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/image-worker/src/image-worker.ts
-        echo -e "${GREEN}    ✅ image-worker source placeholders updated${NC}"
-    fi
-    
-    # Keys Worker
-    if [ -f "workers/keys-worker/wrangler.jsonc" ]; then
-        echo -e "${YELLOW}  Updating keys-worker/wrangler.jsonc...${NC}"
-        sed -i "s/\"KEYS_WORKER_NAME\"/\"$KEYS_WORKER_NAME\"/g" workers/keys-worker/wrangler.jsonc
-        sed -i "s/\"ACCOUNT_ID\"/\"$ACCOUNT_ID\"/g" workers/keys-worker/wrangler.jsonc
-        echo -e "${GREEN}    ✅ keys-worker configuration updated${NC}"
-    fi
-    
-    # Update keys-worker source file domain placeholders
-    if [ -f "workers/keys-worker/src/keys.ts" ]; then
-        echo -e "${YELLOW}  Updating keys-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/keys-worker/src/keys.ts
-        echo -e "${GREEN}    ✅ keys-worker source placeholders updated${NC}"
-    fi
-    
-    # PDF Worker
-    if [ -f "workers/pdf-worker/wrangler.jsonc" ]; then
-        echo -e "${YELLOW}  Updating pdf-worker/wrangler.jsonc...${NC}"
-        sed -i "s/\"PDF_WORKER_NAME\"/\"$PDF_WORKER_NAME\"/g" workers/pdf-worker/wrangler.jsonc
-        sed -i "s/\"ACCOUNT_ID\"/\"$ACCOUNT_ID\"/g" workers/pdf-worker/wrangler.jsonc
-        echo -e "${GREEN}    ✅ pdf-worker configuration updated${NC}"
-    fi
-    
-    # Update pdf-worker source file domain placeholders
-    if [ -f "workers/pdf-worker/src/pdf-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating pdf-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/pdf-worker/src/pdf-worker.ts
-        echo -e "${GREEN}    ✅ pdf-worker source placeholders updated${NC}"
-    fi
-    
-    # User Worker
-    if [ -f "workers/user-worker/wrangler.jsonc" ]; then
-        echo -e "${YELLOW}  Updating user-worker/wrangler.jsonc...${NC}"
-        sed -i "s/\"USER_WORKER_NAME\"/\"$USER_WORKER_NAME\"/g" workers/user-worker/wrangler.jsonc
-        sed -i "s/\"ACCOUNT_ID\"/\"$ACCOUNT_ID\"/g" workers/user-worker/wrangler.jsonc
-        sed -i "s/\"KV_STORE_ID\"/\"$KV_STORE_ID\"/g" workers/user-worker/wrangler.jsonc
-        echo -e "${GREEN}    ✅ user-worker configuration updated${NC}"
-    fi
-    
-    # Update user-worker source file domain placeholders
-    if [ -f "workers/user-worker/src/user-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating user-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/user-worker/src/user-worker.ts
-        sed -i "s|'DATA_WORKER_DOMAIN'|'https://$DATA_WORKER_DOMAIN'|g" workers/user-worker/src/user-worker.ts
-        sed -i "s|'IMAGES_WORKER_DOMAIN'|'https://$IMAGES_WORKER_DOMAIN'|g" workers/user-worker/src/user-worker.ts
-        echo -e "${GREEN}    ✅ user-worker source placeholders updated${NC}"
-    fi
-    
-    # Main wrangler.toml
-    if [ -f "wrangler.toml" ]; then
-        echo -e "${YELLOW}  Updating wrangler.toml...${NC}"
-        sed -i "s/\"PAGES_PROJECT_NAME\"/\"$PAGES_PROJECT_NAME\"/g" wrangler.toml
-        echo -e "${GREEN}    ✅ main wrangler.toml configuration updated${NC}"
-    fi
-    
-    # Update app configuration files
-    echo -e "${YELLOW}  Updating app configuration files...${NC}"
-    
-    # Update app/config/config.json
-    if [ -f "app/config/config.json" ]; then
-        echo -e "${YELLOW}    Updating app/config/config.json...${NC}"
-        local escaped_manifest_signing_key_id
-        local escaped_manifest_signing_public_key
-        local escaped_export_encryption_key_id
-        local escaped_export_encryption_public_key
-        local escaped_account_hash
-        escaped_manifest_signing_key_id=$(escape_for_sed_replacement "$MANIFEST_SIGNING_KEY_ID")
-        escaped_manifest_signing_public_key=$(escape_for_sed_replacement "$MANIFEST_SIGNING_PUBLIC_KEY")
-        escaped_export_encryption_key_id=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_KEY_ID")
-        escaped_export_encryption_public_key=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_PUBLIC_KEY")
-        escaped_account_hash=$(escape_for_sed_replacement "$ACCOUNT_HASH")
-
-        sed -i "s|\"url\": \"[^\"]*\"|\"url\": \"https://$escaped_pages_custom_domain\"|g" app/config/config.json
-        sed -i "s|\"account_hash\": \"[^\"]*\"|\"account_hash\": \"$escaped_account_hash\"|g" app/config/config.json
-        sed -i "s|\"MANIFEST_SIGNING_KEY_ID\"|\"$escaped_manifest_signing_key_id\"|g" app/config/config.json
-        sed -i "s|\"MANIFEST_SIGNING_PUBLIC_KEY\"|\"$escaped_manifest_signing_public_key\"|g" app/config/config.json
-        sed -i "s|\"EXPORT_ENCRYPTION_KEY_ID\"|\"$escaped_export_encryption_key_id\"|g" app/config/config.json
-        sed -i "s|\"EXPORT_ENCRYPTION_PUBLIC_KEY\"|\"$escaped_export_encryption_public_key\"|g" app/config/config.json
-        echo -e "${GREEN}      ✅ app config.json updated${NC}"
-    fi
-    
-    # Update app/config/firebase.ts
-    if [ -f "app/config/firebase.ts" ]; then
-        echo -e "${YELLOW}    Updating app/config/firebase.ts...${NC}"
-        sed -i "s|\"YOUR_FIREBASE_API_KEY\"|\"$API_KEY\"|g" app/config/firebase.ts
-        sed -i "s|\"YOUR_FIREBASE_AUTH_DOMAIN\"|\"$AUTH_DOMAIN\"|g" app/config/firebase.ts
-        sed -i "s|\"YOUR_FIREBASE_PROJECT_ID\"|\"$PROJECT_ID\"|g" app/config/firebase.ts
-        sed -i "s|\"YOUR_FIREBASE_STORAGE_BUCKET\"|\"$STORAGE_BUCKET\"|g" app/config/firebase.ts
-        sed -i "s|\"YOUR_FIREBASE_MESSAGING_SENDER_ID\"|\"$MESSAGING_SENDER_ID\"|g" app/config/firebase.ts
-        sed -i "s|\"YOUR_FIREBASE_APP_ID\"|\"$APP_ID\"|g" app/config/firebase.ts
-        sed -i "s|\"YOUR_FIREBASE_MEASUREMENT_ID\"|\"$MEASUREMENT_ID\"|g" app/config/firebase.ts
-        echo -e "${GREEN}      ✅ app firebase.ts updated${NC}"
-    fi
-
-    if [ -f "app/routes/auth/login.tsx" ]; then
-        echo -e "${YELLOW}    Updating app/routes/auth/login.tsx...${NC}"
-        sed -i "s|^const APP_CANONICAL_ORIGIN = .*;|const APP_CANONICAL_ORIGIN = 'https://$escaped_pages_custom_domain';|g" app/routes/auth/login.tsx
-        echo -e "${GREEN}      ✅ app login.tsx canonical origin updated${NC}"
-    fi
-    
-    echo -e "${GREEN}✅ All configuration files updated${NC}"
-}
 
 # Update wrangler configurations
 update_wrangler_configs