@striae-org/striae 5.1.1 → 5.2.0

package/scripts/deploy-worker-secrets.sh

@@ -95,6 +95,46 @@ load_required_admin_service_credentials() {
 
 load_required_admin_service_credentials
 
+build_user_worker_secret_list() {
+    local secrets=(
+        "USER_DB_AUTH"
+        "R2_KEY_SECRET"
+        "IMAGES_API_TOKEN"
+        "DATA_WORKER_DOMAIN"
+        "IMAGES_WORKER_DOMAIN"
+        "PROJECT_ID"
+        "FIREBASE_SERVICE_ACCOUNT_EMAIL"
+        "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY"
+    )
+
+    if [ -n "${USER_KV_ENCRYPTION_PRIVATE_KEY:-}" ]; then
+        secrets+=("USER_KV_ENCRYPTION_PRIVATE_KEY")
+    fi
+
+    if [ -n "${USER_KV_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("USER_KV_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${USER_KV_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("USER_KV_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
+    local write_endpoints_enabled_normalized
+    write_endpoints_enabled_normalized=$(printf '%s' "${USER_KV_WRITE_ENDPOINTS_ENABLED:-true}" | tr '[:upper:]' '[:lower:]')
+
+    if [ "$write_endpoints_enabled_normalized" = "1" ] || [ "$write_endpoints_enabled_normalized" = "true" ] || [ "$write_endpoints_enabled_normalized" = "yes" ] || [ "$write_endpoints_enabled_normalized" = "on" ]; then
+        if [ -n "${USER_KV_ENCRYPTION_KEY_ID:-}" ]; then
+            secrets+=("USER_KV_ENCRYPTION_KEY_ID")
+        fi
+
+        if [ -n "${USER_KV_ENCRYPTION_PUBLIC_KEY:-}" ]; then
+            secrets+=("USER_KV_ENCRYPTION_PUBLIC_KEY")
+        fi
+    fi
+
+    printf '%s\n' "${secrets[@]}"
+}
+
 build_audit_worker_secret_list() {
     local secrets=(
         "R2_KEY_SECRET"
@@ -116,6 +156,14 @@ build_audit_worker_secret_list() {
         secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
     fi
 
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
     printf '%s\n' "${secrets[@]}"
 }
 
@@ -192,6 +240,45 @@ build_data_worker_secret_list() {
         secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
     fi
 
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
+    if [ -n "${EXPORT_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("EXPORT_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${EXPORT_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("EXPORT_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
+    printf '%s\n' "${secrets[@]}"
+}
+
+build_images_worker_secret_list() {
+    local secrets=(
+        "IMAGES_API_TOKEN"
+        "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"
+        "DATA_AT_REST_ENCRYPTION_KEY_ID"
+        "IMAGE_SIGNED_URL_SECRET"
+    )
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
     printf '%s\n' "${secrets[@]}"
 }
 
@@ -235,9 +322,13 @@ if ! set_worker_secrets "Keys Worker" "workers/keys-worker" \
     echo -e "${YELLOW}⚠️  Skipping Keys Worker (not configured)${NC}"
 fi
 
-# User Worker  
-if ! set_worker_secrets "User Worker" "workers/user-worker" \
-    "USER_DB_AUTH" "R2_KEY_SECRET" "IMAGES_API_TOKEN" "DATA_WORKER_DOMAIN" "IMAGES_WORKER_DOMAIN" "PROJECT_ID" "FIREBASE_SERVICE_ACCOUNT_EMAIL" "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY"; then
+# User Worker
+user_worker_secrets=()
+while IFS= read -r secret; do
+    user_worker_secrets+=("$secret")
+done < <(build_user_worker_secret_list)
+
+if ! set_worker_secrets "User Worker" "workers/user-worker" "${user_worker_secrets[@]}"; then
     echo -e "${YELLOW}⚠️  Skipping User Worker (not configured)${NC}"
 fi
 
@@ -252,8 +343,12 @@ if ! set_worker_secrets "Data Worker" "workers/data-worker" "${data_worker_secre
 fi
 
 # Images Worker
-if ! set_worker_secrets "Images Worker" "workers/image-worker" \
-    "IMAGES_API_TOKEN" "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" "DATA_AT_REST_ENCRYPTION_KEY_ID" "IMAGE_SIGNED_URL_SECRET"; then
+images_worker_secrets=()
+while IFS= read -r secret; do
+    images_worker_secrets+=("$secret")
+done < <(build_images_worker_secret_list)
+
+if ! set_worker_secrets "Images Worker" "workers/image-worker" "${images_worker_secrets[@]}"; then
     echo -e "${YELLOW}⚠️  Skipping Images Worker (not configured)${NC}"
 fi
 

package/worker-configuration.d.ts

@@ -1,6 +1,6 @@
 /* eslint-disable */
-// Generated by Wrangler by running `wrangler types` (hash: abf7efe3b0d9f2d66e012084f057d73b)
-// Runtime types generated with workerd@1.20250823.0 2026-03-24 nodejs_compat
+// Generated by Wrangler by running `wrangler types` (hash: 3fce96aefe167606678b821d5dbcc109)
+// Runtime types generated with workerd@1.20250823.0 2026-03-25 nodejs_compat
 declare namespace Cloudflare {
 	interface Env {
 		ACCOUNT_ID: string;
@@ -25,6 +25,9 @@ declare namespace Cloudflare {
 		USER_WORKER_NAME: string;
 		USER_WORKER_DOMAIN: string;
 		KV_STORE_ID: string;
+		USER_KV_ENCRYPTION_PRIVATE_KEY: string;
+		USER_KV_ENCRYPTION_KEY_ID: string;
+		USER_KV_ENCRYPTION_PUBLIC_KEY: string;
 		DATA_WORKER_NAME: string;
 		DATA_BUCKET_NAME: string;
 		FILES_BUCKET_NAME: string;
@@ -58,7 +61,7 @@ type StringifyValues<EnvType extends Record<string, unknown>> = {
 	[Binding in keyof EnvType]: EnvType[Binding] extends string ? EnvType[Binding] : string;
 };
 declare namespace NodeJS {
-	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "KEYS_WORKER_NAME" | "KEYS_WORKER_DOMAIN" | "KEYS_AUTH" | "ACCOUNT_HASH" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "FILES_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "EXPORT_ENCRYPTION_PRIVATE_KEY" | "EXPORT_ENCRYPTION_KEY_ID" | "EXPORT_ENCRYPTION_PUBLIC_KEY" | "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" | "DATA_AT_REST_ENCRYPTION_KEY_ID" | "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "IMAGE_SIGNED_URL_SECRET" | "IMAGE_SIGNED_URL_TTL_SECONDS" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS" | "DATA_AT_REST_ENCRYPTION_ENABLED">> {}
+	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "KEYS_WORKER_NAME" | "KEYS_WORKER_DOMAIN" | "KEYS_AUTH" | "ACCOUNT_HASH" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "USER_KV_ENCRYPTION_PRIVATE_KEY" | "USER_KV_ENCRYPTION_KEY_ID" | "USER_KV_ENCRYPTION_PUBLIC_KEY" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "FILES_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "EXPORT_ENCRYPTION_PRIVATE_KEY" | "EXPORT_ENCRYPTION_KEY_ID" | "EXPORT_ENCRYPTION_PUBLIC_KEY" | "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" | "DATA_AT_REST_ENCRYPTION_KEY_ID" | "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "IMAGE_SIGNED_URL_SECRET" | "IMAGE_SIGNED_URL_TTL_SECONDS" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS" | "DATA_AT_REST_ENCRYPTION_ENABLED">> {}
 }
 
 // Begin runtime types

package/workers/audit-worker/package.json

@@ -9,7 +9,7 @@
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"wrangler": "^4.76.0"
+		"wrangler": "^4.77.0"
 	},
 	"overrides": {
 		"undici": "7.24.1",

package/workers/audit-worker/src/audit-worker.example.ts

@@ -5,8 +5,22 @@ interface Env {
   DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
   DATA_AT_REST_ENCRYPTION_PUBLIC_KEY?: string;
   DATA_AT_REST_ENCRYPTION_KEY_ID?: string;
+  DATA_AT_REST_ENCRYPTION_KEYS_JSON?: string;
+  DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID?: string;
 }
 
+interface KeyRegistryPayload {
+  activeKeyId?: unknown;
+  keys?: unknown;
+}
+
+interface PrivateKeyRegistry {
+  activeKeyId: string | null;
+  keys: Record<string, string>;
+}
+
+type DecryptionTelemetryOutcome = 'primary-hit' | 'fallback-hit' | 'all-failed';
+
 interface AuditEntry {
   timestamp: string;
   userId: string;
@@ -58,6 +72,178 @@ const DATA_AT_REST_BACKFILL_PATH = '/api/admin/data-at-rest-backfill';
 const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
 const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
 
+function normalizePrivateKeyPem(rawValue: string): string {
+  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
+}
+
+function getNonEmptyString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
+}
+
+function parseDataAtRestPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
+  const keys: Record<string, string> = {};
+  const configuredActiveKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID);
+  const registryJson = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEYS_JSON);
+
+  if (registryJson) {
+    let parsedRegistry: unknown;
+    try {
+      parsedRegistry = JSON.parse(registryJson) as unknown;
+    } catch {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON is not valid JSON');
+    }
+
+    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON must be an object');
+    }
+
+    const payload = parsedRegistry as KeyRegistryPayload;
+    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
+    const rawKeys = payload.keys && typeof payload.keys === 'object'
+      ? payload.keys as Record<string, unknown>
+      : parsedRegistry as Record<string, unknown>;
+
+    for (const [keyId, pemValue] of Object.entries(rawKeys)) {
+      if (keyId === 'activeKeyId' || keyId === 'keys') {
+        continue;
+      }
+
+      const normalizedKeyId = getNonEmptyString(keyId);
+      const normalizedPem = getNonEmptyString(pemValue);
+      if (!normalizedKeyId || !normalizedPem) {
+        continue;
+      }
+
+      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
+    }
+
+    const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
+
+    if (Object.keys(keys).length === 0) {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON does not contain any usable keys');
+    }
+
+    if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
+      throw new Error('DATA_AT_REST active key ID is not present in DATA_AT_REST_ENCRYPTION_KEYS_JSON');
+    }
+
+    return {
+      activeKeyId: resolvedActiveKeyId ?? null,
+      keys
+    };
+  }
+
+  const legacyKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEY_ID);
+  const legacyPrivateKey = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY);
+  if (!legacyKeyId || !legacyPrivateKey) {
+    throw new Error('Data-at-rest decryption key registry is not configured');
+  }
+
+  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
+
+  return {
+    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
+    keys
+  };
+}
+
+function buildPrivateKeyCandidates(
+  recordKeyId: string,
+  registry: PrivateKeyRegistry
+): Array<{ keyId: string; privateKeyPem: string }> {
+  const candidates: Array<{ keyId: string; privateKeyPem: string }> = [];
+  const seen = new Set<string>();
+
+  const appendCandidate = (candidateKeyId: string | null): void => {
+    if (!candidateKeyId || seen.has(candidateKeyId)) {
+      return;
+    }
+
+    const privateKeyPem = registry.keys[candidateKeyId];
+    if (!privateKeyPem) {
+      return;
+    }
+
+    seen.add(candidateKeyId);
+    candidates.push({ keyId: candidateKeyId, privateKeyPem });
+  };
+
+  appendCandidate(getNonEmptyString(recordKeyId));
+  appendCandidate(registry.activeKeyId);
+
+  for (const keyId of Object.keys(registry.keys)) {
+    appendCandidate(keyId);
+  }
+
+  return candidates;
+}
+
+function logAuditDecryptionTelemetry(input: {
+  recordKeyId: string;
+  selectedKeyId: string | null;
+  attemptCount: number;
+  outcome: DecryptionTelemetryOutcome;
+  reason?: string;
+}): void {
+  const details = {
+    scope: 'audit-at-rest',
+    recordKeyId: input.recordKeyId,
+    selectedKeyId: input.selectedKeyId,
+    attemptCount: input.attemptCount,
+    fallbackUsed: input.outcome === 'fallback-hit',
+    outcome: input.outcome,
+    reason: input.reason ?? null
+  };
+
+  if (input.outcome === 'all-failed') {
+    console.warn('Key registry decryption failed', details);
+    return;
+  }
+
+  console.info('Key registry decryption resolved', details);
+}
+
+async function decryptAuditJsonWithRegistry(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  env: Env
+): Promise<string> {
+  const keyRegistry = parseDataAtRestPrivateKeyRegistry(env);
+  const candidates = buildPrivateKeyCandidates(envelope.keyId, keyRegistry);
+  const primaryKeyId = candidates[0]?.keyId ?? null;
+  let lastError: unknown;
+
+  for (let index = 0; index < candidates.length; index += 1) {
+    const candidate = candidates[index];
+    try {
+      const plaintext = await decryptJsonFromStorage(ciphertext, envelope, candidate.privateKeyPem);
+      logAuditDecryptionTelemetry({
+        recordKeyId: envelope.keyId,
+        selectedKeyId: candidate.keyId,
+        attemptCount: index + 1,
+        outcome: candidate.keyId === primaryKeyId ? 'primary-hit' : 'fallback-hit'
+      });
+      return plaintext;
+    } catch (error) {
+      lastError = error;
+    }
+  }
+
+  logAuditDecryptionTelemetry({
+    recordKeyId: envelope.keyId,
+    selectedKeyId: null,
+    attemptCount: candidates.length,
+    outcome: 'all-failed',
+    reason: lastError instanceof Error ? lastError.message : 'unknown decryption error'
+  });
+
+  throw new Error(
+    `Failed to decrypt audit record after ${candidates.length} key attempt(s): ${
+      lastError instanceof Error ? lastError.message : 'unknown decryption error'
+    }`
+  );
+}
+
 function isDataAtRestEncryptionEnabled(env: Env): boolean {
   const value = env.DATA_AT_REST_ENCRYPTION_ENABLED;
   if (!value) {
@@ -357,15 +543,11 @@ async function readAuditEntriesFromObject(file: R2ObjectBody, env: Env): Promise
     throw new Error('Unsupported data-at-rest encryption version');
   }
 
-  if (!env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY) {
-    throw new Error('Data-at-rest decryption is not configured on this server');
-  }
-
   const encryptedData = await file.arrayBuffer();
-  const plaintext = await decryptJsonFromStorage(
+  const plaintext = await decryptAuditJsonWithRegistry(
     encryptedData,
     atRestEnvelope,
-    env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY
+    env
   );
 
   return JSON.parse(plaintext) as AuditEntry[];

package/workers/audit-worker/wrangler.jsonc.example

@@ -7,7 +7,7 @@
   "name": "AUDIT_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
-  "compatibility_date": "2026-03-24",
+  "compatibility_date": "2026-03-25",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/data-worker/package.json

@@ -9,7 +9,7 @@
 	},
 	"devDependencies": {
 		"@cloudflare/puppeteer": "^1.0.6",
-		"wrangler": "^4.76.0"
+		"wrangler": "^4.77.0"
 	},
 	"overrides": {
 		"undici": "7.24.1",