@striae-org/striae 5.1.1 → 5.2.0

package/.env.example

@@ -54,6 +54,17 @@ KEYS_AUTH=your_custom_keys_auth_token_here
 USER_WORKER_NAME=your_user_worker_name_here
 USER_WORKER_DOMAIN=your_user_worker_domain_here
 KV_STORE_ID=your_kv_store_id_here
+USER_KV_ENCRYPTION_PRIVATE_KEY=your_user_kv_encryption_private_key_here
+USER_KV_ENCRYPTION_KEY_ID=your_user_kv_encryption_key_id_here
+USER_KV_ENCRYPTION_PUBLIC_KEY=your_user_kv_encryption_public_key_here
+# Optional write toggle for USER_DB mutation endpoints.
+# true (default): require USER_KV_ENCRYPTION_PUBLIC_KEY and USER_KV_ENCRYPTION_KEY_ID for encrypt-on-write.
+# false: allow read-only deployments using private key material (legacy key or key registry) without write-path keys.
+USER_KV_WRITE_ENDPOINTS_ENABLED=true
+# Optional key registry for rotation-safe USER_DB reads.
+# JSON shape: {"activeKeyId":"kid_current","keys":{"kid_current":"-----BEGIN PRIVATE KEY-----\\n...","kid_previous":"-----BEGIN PRIVATE KEY-----\\n..."}}
+USER_KV_ENCRYPTION_KEYS_JSON='{"activeKeyId":"your_user_kv_active_encryption_key_id_here","keys":{"your_user_kv_active_encryption_key_id_here":"your_user_kv_encryption_private_key_here"}}'
+USER_KV_ENCRYPTION_ACTIVE_KEY_ID=your_user_kv_active_encryption_key_id_here
 
 # ================================
 # DATA WORKER ENVIRONMENT VARIABLES
@@ -69,10 +80,18 @@ MANIFEST_SIGNING_PUBLIC_KEY=your_manifest_signing_public_key_here
 EXPORT_ENCRYPTION_PRIVATE_KEY=your_export_encryption_private_key_here
 EXPORT_ENCRYPTION_KEY_ID=your_export_encryption_key_id_here
 EXPORT_ENCRYPTION_PUBLIC_KEY=your_export_encryption_public_key_here
+# Optional key registry for export decrypt compatibility.
+# JSON shape: {"activeKeyId":"kid_current","keys":{"kid_current":"-----BEGIN PRIVATE KEY-----\\n...","kid_previous":"-----BEGIN PRIVATE KEY-----\\n..."}}
+EXPORT_ENCRYPTION_KEYS_JSON='{"activeKeyId":"your_export_encryption_active_key_id_here","keys":{"your_export_encryption_active_key_id_here":"your_export_encryption_private_key_here"}}'
+EXPORT_ENCRYPTION_ACTIVE_KEY_ID=your_export_encryption_active_key_id_here
+DATA_AT_REST_ENCRYPTION_ENABLED=true
 DATA_AT_REST_ENCRYPTION_PRIVATE_KEY=your_data_at_rest_encryption_private_key_here
 DATA_AT_REST_ENCRYPTION_KEY_ID=your_data_at_rest_encryption_key_id_here
 DATA_AT_REST_ENCRYPTION_PUBLIC_KEY=your_data_at_rest_encryption_public_key_here
-
+# Optional key registry for data/files/audit decryption compatibility.
+# JSON shape: {"activeKeyId":"kid_current","keys":{"kid_current":"-----BEGIN PRIVATE KEY-----\\n...","kid_previous":"-----BEGIN PRIVATE KEY-----\\n..."}}
+DATA_AT_REST_ENCRYPTION_KEYS_JSON='{"activeKeyId":"your_data_at_rest_active_encryption_key_id_here","keys":{"your_data_at_rest_active_encryption_key_id_here":"your_data_at_rest_encryption_private_key_here"}}'
+DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID=your_data_at_rest_active_encryption_key_id_here
 
 # ================================
 # AUDIT WORKER ENVIRONMENT VARIABLES

package/app/utils/data/permissions.ts

@@ -42,8 +42,10 @@ export const getUserData = async (user: User): Promise<UserData | null> => {
     if (response.status === 404) {
       return null; // User not found
     }
-    
-    throw new Error('Failed to fetch user data');
+
+    const responseBody = await response.text().catch(() => '');
+    const detail = responseBody ? `: ${responseBody}` : '';
+    throw new Error(`Failed to fetch user data (${response.status} ${response.statusText})${detail}`);
   } catch (error) {
     console.error('Error fetching user data:', error);
     throw error;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "5.1.1",
+  "version": "5.2.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -54,7 +54,7 @@
     "workers/*/src/*.example.ts",
     "workers/*/src/*.example.js",
     "workers/*/src/*.ts",
-    "workers/pdf-worker/scripts/*.js",    
+    "workers/pdf-worker/scripts/*.js",
     "!workers/*/src/*worker.ts",
     "workers/pdf-worker/src/assets/generated-assets.example.ts",
     "workers/pdf-worker/src/formats/format-striae.ts",
@@ -67,7 +67,7 @@
     "vite.config.ts",
     "worker-configuration.d.ts",
     "wrangler.toml.example",
-    "LICENSE"    
+    "LICENSE"
   ],
   "sideEffects": false,
   "type": "module",
@@ -106,7 +106,7 @@
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",
     "deploy-workers:keys": "cd workers/keys-worker && npm run deploy",
     "deploy-workers:pdf": "cd workers/pdf-worker && npm run deploy",
-    "deploy-workers:user": "cd workers/user-worker && npm run deploy"    
+    "deploy-workers:user": "cd workers/user-worker && npm run deploy"
   },
   "dependencies": {
     "@react-router/cloudflare": "^7.13.2",

package/scripts/deploy-config/modules/env-utils.sh

@@ -0,0 +1,322 @@
+#!/bin/bash
+
+escape_for_sed_pattern() {
+    printf '%s' "$1" | sed -e 's/[][\\.^$*+?{}|()]/\\&/g'
+}
+
+dedupe_env_var_entries() {
+    local var_name=$1
+    local expected_count=1
+    local escaped_var_name
+
+    escaped_var_name=$(escape_for_sed_pattern "$var_name")
+
+    if [ -f ".env.example" ]; then
+        expected_count=$(grep -c "^$escaped_var_name=" .env.example || true)
+
+        if [ "$expected_count" -lt 1 ]; then
+            expected_count=1
+        fi
+    fi
+
+    awk -v key="$var_name" -v keep="$expected_count" '
+        BEGIN { seen = 0 }
+        {
+            if (index($0, key "=") == 1) {
+                seen++
+
+                if (seen > keep) {
+                    next
+                }
+            }
+            print
+        }
+    ' .env > .env.tmp && mv .env.tmp .env
+}
+
+normalize_domain_value() {
+    local domain="$1"
+
+    domain=$(printf '%s' "$domain" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+    domain="${domain#http://}"
+    domain="${domain#https://}"
+    domain="${domain%/}"
+
+    printf '%s' "$domain"
+}
+
+normalize_worker_label_value() {
+    local label="$1"
+
+    label=$(normalize_domain_value "$label")
+    label="${label#.}"
+    label="${label%.}"
+    label=$(printf '%s' "$label" | tr '[:upper:]' '[:lower:]')
+
+    printf '%s' "$label"
+}
+
+normalize_worker_subdomain_value() {
+    local subdomain="$1"
+
+    subdomain=$(normalize_domain_value "$subdomain")
+    subdomain="${subdomain#.}"
+    subdomain="${subdomain%.}"
+    subdomain=$(printf '%s' "$subdomain" | tr '[:upper:]' '[:lower:]')
+
+    printf '%s' "$subdomain"
+}
+
+is_valid_worker_label() {
+    local label="$1"
+
+    [[ "$label" =~ ^[a-z0-9-]+$ ]]
+}
+
+is_valid_worker_subdomain() {
+    local subdomain="$1"
+
+    [[ "$subdomain" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$ ]]
+}
+
+strip_carriage_returns() {
+    printf '%s' "$1" | tr -d '\r'
+}
+
+read_env_var_from_file() {
+    local env_file=$1
+    local var_name=$2
+
+    if [ ! -f "$env_file" ]; then
+        return 0
+    fi
+
+    awk -v key="$var_name" '
+        index($0, key "=") == 1 {
+            value = substr($0, length(key) + 2)
+        }
+        END {
+            if (value != "") {
+                gsub(/\r/, "", value)
+                gsub(/^"/, "", value)
+                gsub(/"$/, "", value)
+                print value
+            }
+        }
+    ' "$env_file"
+}
+
+resolve_existing_domain_value() {
+    local var_name=$1
+    local current_value=$2
+    local preserved_value=""
+
+    current_value=$(normalize_domain_value "$current_value")
+
+    if [ "$current_value" = "$var_name" ]; then
+        current_value=""
+    fi
+
+    if [ -n "$current_value" ] && ! is_placeholder "$current_value"; then
+        printf '%s' "$current_value"
+        return 0
+    fi
+
+    if [ -n "$preserved_domain_env_file" ] && [ -f "$preserved_domain_env_file" ]; then
+        preserved_value=$(read_env_var_from_file "$preserved_domain_env_file" "$var_name")
+        preserved_value=$(normalize_domain_value "$preserved_value")
+
+        if [ "$preserved_value" = "$var_name" ]; then
+            preserved_value=""
+        fi
+
+        if [ -n "$preserved_value" ] && ! is_placeholder "$preserved_value"; then
+            printf '%s' "$preserved_value"
+            return 0
+        fi
+    fi
+
+    printf '%s' "$current_value"
+}
+
+restore_env_var_from_backup_if_missing() {
+    local var_name=$1
+    local current_value="${!var_name}"
+    local preserved_value=""
+
+    if [ "$update_env" != "true" ]; then
+        return 0
+    fi
+
+    if [ -z "$preserved_domain_env_file" ] || [ ! -f "$preserved_domain_env_file" ]; then
+        return 0
+    fi
+
+    current_value=$(strip_carriage_returns "$current_value")
+
+    if [ -n "$current_value" ] && ! is_placeholder "$current_value"; then
+        return 0
+    fi
+
+    preserved_value=$(read_env_var_from_file "$preserved_domain_env_file" "$var_name")
+    preserved_value=$(strip_carriage_returns "$preserved_value")
+
+    if [ -z "$preserved_value" ] || is_placeholder "$preserved_value"; then
+        return 0
+    fi
+
+    printf -v "$var_name" '%s' "$preserved_value"
+    export "$var_name"
+    write_env_var "$var_name" "$preserved_value"
+}
+
+confirm_key_pair_regeneration() {
+    local key_pair_label=$1
+    local impact_warning=$2
+    local regenerate_choice=""
+
+    if [ "$force_rotate_keys" = "true" ]; then
+        echo -e "${YELLOW}⚠️  Auto-confirmed regeneration for $key_pair_label key pair (--force-rotate-keys).${NC}"
+        return 0
+    fi
+
+    echo -e "${GREEN}Current $key_pair_label key pair: [HIDDEN]${NC}"
+
+    if [ -n "$impact_warning" ]; then
+        echo -e "${YELLOW}⚠️  $impact_warning${NC}"
+    fi
+
+    read -p "Regenerate $key_pair_label key pair? (press Enter to keep current, or type 'y' to regenerate): " regenerate_choice
+    regenerate_choice=$(strip_carriage_returns "$regenerate_choice")
+
+    if [ "$regenerate_choice" = "y" ] || [ "$regenerate_choice" = "Y" ]; then
+        return 0
+    fi
+
+    return 1
+}
+
+generate_worker_subdomain_label() {
+    node -e "const { randomInt } = require('crypto'); const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'; let value = ''; for (let index = 0; index < 10; index += 1) { value += alphabet[randomInt(alphabet.length)]; } process.stdout.write(value);" 2>/dev/null
+}
+
+compose_worker_domain() {
+    local worker_name=$1
+    local worker_subdomain=$2
+
+    worker_name=$(normalize_worker_label_value "$worker_name")
+    worker_subdomain=$(normalize_worker_subdomain_value "$worker_subdomain")
+
+    if [ -z "$worker_name" ] || [ -z "$worker_subdomain" ]; then
+        return 1
+    fi
+
+    if ! is_valid_worker_label "$worker_name" || ! is_valid_worker_subdomain "$worker_subdomain"; then
+        return 1
+    fi
+
+    printf '%s.%s' "$worker_name" "$worker_subdomain"
+}
+
+infer_worker_subdomain_from_domain() {
+    local worker_name=$1
+    local worker_domain=$2
+    local worker_subdomain=""
+
+    worker_name=$(normalize_worker_label_value "$worker_name")
+    worker_domain=$(normalize_domain_value "$worker_domain")
+    worker_domain=$(printf '%s' "$worker_domain" | tr '[:upper:]' '[:lower:]')
+
+    if [ -z "$worker_name" ] || [ -z "$worker_domain" ] || is_placeholder "$worker_name" || is_placeholder "$worker_domain"; then
+        printf '%s' ""
+        return 0
+    fi
+
+    case "$worker_domain" in
+        "$worker_name".*)
+            worker_subdomain="${worker_domain#${worker_name}.}"
+            worker_subdomain=$(normalize_worker_subdomain_value "$worker_subdomain")
+
+            if is_valid_worker_subdomain "$worker_subdomain"; then
+                printf '%s' "$worker_subdomain"
+                return 0
+            fi
+            ;;
+    esac
+
+    printf '%s' ""
+}
+
+write_env_var() {
+    local var_name=$1
+    local var_value=$2
+    local env_file_value="$var_value"
+
+    var_value=$(strip_carriage_returns "$var_value")
+    env_file_value="$var_value"
+
+    if [ "$var_name" = "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PUBLIC_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "USER_KV_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "USER_KV_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_KEYS_JSON" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_KEYS_JSON" ] || [ "$var_name" = "USER_KV_ENCRYPTION_KEYS_JSON" ]; then
+        # Store as a quoted string so sourced .env preserves escaped newline markers (\n)
+        env_file_value=${env_file_value//\"/\\\"}
+        env_file_value="\"$env_file_value\""
+    fi
+
+    local escaped_var_name
+    local replacement_line
+    escaped_var_name=$(escape_for_sed_pattern "$var_name")
+    replacement_line=$(escape_for_sed_replacement "$var_name=$env_file_value")
+
+    if grep -q "^$escaped_var_name=" .env; then
+        # Replace all occurrences so intentional duplicates in .env.example stay in sync.
+        sed -i "s|^$escaped_var_name=.*|$replacement_line|g" .env
+        dedupe_env_var_entries "$var_name"
+    else
+        echo "$var_name=$env_file_value" >> .env
+    fi
+}
+
+update_private_key_registry() {
+    local registry_var_name=$1
+    local active_key_var_name=$2
+    local current_key_id=$3
+    local private_key_value=$4
+    local registry_label=$5
+    local existing_registry_json=""
+    local updated_registry_json=""
+    local registry_entry_count=""
+
+    if [ -z "$registry_var_name" ] || [ -z "$active_key_var_name" ] || [ -z "$current_key_id" ] || [ -z "$private_key_value" ]; then
+        echo -e "${YELLOW}⚠️  Skipping $registry_label key registry update due to missing inputs${NC}"
+        return 0
+    fi
+
+    existing_registry_json="${!registry_var_name}"
+    existing_registry_json=$(strip_carriage_returns "$existing_registry_json")
+
+    if [ -z "$existing_registry_json" ] || is_placeholder "$existing_registry_json"; then
+        existing_registry_json="{}"
+    fi
+
+    updated_registry_json=$(node -e "const raw = process.argv[1] || '{}'; const keyId = process.argv[2] || ''; const privateKey = process.argv[3] || ''; if (!keyId || !privateKey) process.exit(1); const normalized = { activeKeyId: null, keys: {} }; try { const parsed = JSON.parse(raw); if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) { if (parsed.keys && typeof parsed.keys === 'object' && !Array.isArray(parsed.keys)) { normalized.keys = Object.fromEntries(Object.entries(parsed.keys).filter(([id, pem]) => typeof id === 'string' && id.trim().length > 0 && typeof pem === 'string' && pem.trim().length > 0)); if (typeof parsed.activeKeyId === 'string' && parsed.activeKeyId.trim().length > 0) normalized.activeKeyId = parsed.activeKeyId.trim(); } else { normalized.keys = Object.fromEntries(Object.entries(parsed).filter(([id, pem]) => id !== 'activeKeyId' && id !== 'keys' && typeof id === 'string' && id.trim().length > 0 && typeof pem === 'string' && pem.trim().length > 0)); if (typeof parsed.activeKeyId === 'string' && parsed.activeKeyId.trim().length > 0) normalized.activeKeyId = parsed.activeKeyId.trim(); } } } catch (_) {} normalized.keys[keyId] = privateKey; normalized.activeKeyId = keyId; process.stdout.write(JSON.stringify(normalized));" "$existing_registry_json" "$current_key_id" "$private_key_value" 2>/dev/null || true)
+
+    if [ -z "$updated_registry_json" ]; then
+        echo -e "${RED}❌ Error: Failed to update $registry_label key registry JSON${NC}"
+        exit 1
+    fi
+
+    printf -v "$registry_var_name" '%s' "$updated_registry_json"
+    export "$registry_var_name"
+    write_env_var "$registry_var_name" "$updated_registry_json"
+
+    printf -v "$active_key_var_name" '%s' "$current_key_id"
+    export "$active_key_var_name"
+    write_env_var "$active_key_var_name" "$current_key_id"
+
+    registry_entry_count=$(node -e "const raw = process.argv[1] || '{}'; try { const parsed = JSON.parse(raw); if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) { process.stdout.write('0'); process.exit(0); } const keys = parsed.keys && typeof parsed.keys === 'object' && !Array.isArray(parsed.keys) ? parsed.keys : parsed; const count = Object.entries(keys).filter(([id, pem]) => id !== 'activeKeyId' && id !== 'keys' && typeof id === 'string' && id.trim().length > 0 && typeof pem === 'string' && pem.trim().length > 0).length; process.stdout.write(String(count)); } catch (_) { process.stdout.write('0'); }" "$updated_registry_json")
+    echo -e "${GREEN}✅ Updated $registry_label key registry ($registry_entry_count key IDs tracked)${NC}"
+    echo -e "${GREEN}✅ $active_key_var_name: $current_key_id${NC}"
+}
+
+escape_for_sed_replacement() {
+    printf '%s' "$1" | sed -e 's/[&|\\]/\\&/g'
+}