@striae-org/striae 5.2.0 → 5.3.0

package/workers/audit-worker/src/config.ts

@@ -0,0 +1,7 @@
+import type { Env } from './types';
+
+export const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
+export const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
+
+export const hasValidHeader = (request: Request, env: Env): boolean =>
+  request.headers.get('X-Custom-Auth-Key') === env.R2_KEY_SECRET;

package/workers/audit-worker/src/crypto/data-at-rest.ts

@@ -0,0 +1,410 @@
+import {
+  DATA_AT_REST_ENCRYPTION_ALGORITHM,
+  DATA_AT_REST_ENCRYPTION_VERSION
+} from '../config';
+import type {
+  DataAtRestEnvelope,
+  DecryptionTelemetryOutcome,
+  Env,
+  KeyRegistryPayload,
+  PrivateKeyRegistry
+} from '../types';
+
+function normalizePrivateKeyPem(rawValue: string): string {
+  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
+}
+
+function getNonEmptyString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
+}
+
+function parseDataAtRestPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
+  const keys: Record<string, string> = {};
+  const configuredActiveKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID);
+  const registryJson = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEYS_JSON);
+
+  if (registryJson) {
+    let parsedRegistry: unknown;
+
+    try {
+      parsedRegistry = JSON.parse(registryJson) as unknown;
+    } catch {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON is not valid JSON');
+    }
+
+    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON must be an object');
+    }
+
+    const payload = parsedRegistry as KeyRegistryPayload;
+    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
+    const rawKeys = payload.keys && typeof payload.keys === 'object'
+      ? payload.keys as Record<string, unknown>
+      : parsedRegistry as Record<string, unknown>;
+
+    for (const [keyId, pemValue] of Object.entries(rawKeys)) {
+      if (keyId === 'activeKeyId' || keyId === 'keys') {
+        continue;
+      }
+
+      const normalizedKeyId = getNonEmptyString(keyId);
+      const normalizedPem = getNonEmptyString(pemValue);
+      if (!normalizedKeyId || !normalizedPem) {
+        continue;
+      }
+
+      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
+    }
+
+    const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
+
+    if (Object.keys(keys).length === 0) {
+      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON does not contain any usable keys');
+    }
+
+    if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
+      throw new Error('DATA_AT_REST active key ID is not present in DATA_AT_REST_ENCRYPTION_KEYS_JSON');
+    }
+
+    return {
+      activeKeyId: resolvedActiveKeyId ?? null,
+      keys
+    };
+  }
+
+  const legacyKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEY_ID);
+  const legacyPrivateKey = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY);
+  if (!legacyKeyId || !legacyPrivateKey) {
+    throw new Error('Data-at-rest decryption key registry is not configured');
+  }
+
+  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
+
+  return {
+    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
+    keys
+  };
+}
+
+function buildPrivateKeyCandidates(
+  recordKeyId: string,
+  registry: PrivateKeyRegistry
+): Array<{ keyId: string; privateKeyPem: string }> {
+  const candidates: Array<{ keyId: string; privateKeyPem: string }> = [];
+  const seen = new Set<string>();
+
+  const appendCandidate = (candidateKeyId: string | null): void => {
+    if (!candidateKeyId || seen.has(candidateKeyId)) {
+      return;
+    }
+
+    const privateKeyPem = registry.keys[candidateKeyId];
+    if (!privateKeyPem) {
+      return;
+    }
+
+    seen.add(candidateKeyId);
+    candidates.push({ keyId: candidateKeyId, privateKeyPem });
+  };
+
+  appendCandidate(getNonEmptyString(recordKeyId));
+  appendCandidate(registry.activeKeyId);
+
+  for (const keyId of Object.keys(registry.keys)) {
+    appendCandidate(keyId);
+  }
+
+  return candidates;
+}
+
+function logAuditDecryptionTelemetry(input: {
+  recordKeyId: string;
+  selectedKeyId: string | null;
+  attemptCount: number;
+  outcome: DecryptionTelemetryOutcome;
+  reason?: string;
+}): void {
+  const details = {
+    scope: 'audit-at-rest',
+    recordKeyId: input.recordKeyId,
+    selectedKeyId: input.selectedKeyId,
+    attemptCount: input.attemptCount,
+    fallbackUsed: input.outcome === 'fallback-hit',
+    outcome: input.outcome,
+    reason: input.reason ?? null
+  };
+
+  if (input.outcome === 'all-failed') {
+    console.warn('Key registry decryption failed', details);
+    return;
+  }
+
+  console.info('Key registry decryption resolved', details);
+}
+
+function base64UrlDecode(value: string): Uint8Array {
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/');
+  const padding = '='.repeat((4 - (normalized.length % 4)) % 4);
+  const decoded = atob(normalized + padding);
+  const bytes = new Uint8Array(decoded.length);
+
+  for (let i = 0; i < decoded.length; i += 1) {
+    bytes[i] = decoded.charCodeAt(i);
+  }
+
+  return bytes;
+}
+
+function base64UrlEncode(value: Uint8Array): string {
+  let binary = '';
+  const chunkSize = 8192;
+
+  for (let i = 0; i < value.length; i += chunkSize) {
+    const chunk = value.subarray(i, Math.min(i + chunkSize, value.length));
+    for (let j = 0; j < chunk.length; j += 1) {
+      binary += String.fromCharCode(chunk[j]);
+    }
+  }
+
+  return btoa(binary)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+function parsePkcs8PrivateKey(privateKey: string): ArrayBuffer {
+  const normalizedKey = privateKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PRIVATE KEY-----', '')
+    .replace('-----END PRIVATE KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption private key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+function parseSpkiPublicKey(publicKey: string): ArrayBuffer {
+  const normalizedKey = publicKey
+    .trim()
+    .replace(/^['"]|['"]$/g, '')
+    .replace(/\\n/g, '\n');
+
+  const pemBody = normalizedKey
+    .replace('-----BEGIN PUBLIC KEY-----', '')
+    .replace('-----END PUBLIC KEY-----', '')
+    .replace(/\s+/g, '');
+
+  if (!pemBody) {
+    throw new Error('Encryption public key is invalid');
+  }
+
+  const binary = atob(pemBody);
+  const bytes = new Uint8Array(binary.length);
+
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+
+  return bytes.buffer;
+}
+
+async function importRsaOaepPrivateKey(privateKeyPem: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'pkcs8',
+    parsePkcs8PrivateKey(privateKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['decrypt']
+  );
+}
+
+async function importRsaOaepPublicKey(publicKeyPem: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'spki',
+    parseSpkiPublicKey(publicKeyPem),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256'
+    },
+    false,
+    ['encrypt']
+  );
+}
+
+async function createAesGcmKey(usages: KeyUsage[]): Promise<CryptoKey> {
+  return crypto.subtle.generateKey(
+    {
+      name: 'AES-GCM',
+      length: 256
+    },
+    true,
+    usages
+  ) as Promise<CryptoKey>;
+}
+
+async function wrapAesKey(aesKey: CryptoKey, publicKeyPem: string): Promise<string> {
+  const rsaPublicKey = await importRsaOaepPublicKey(publicKeyPem);
+  const rawAesKey = await crypto.subtle.exportKey('raw', aesKey);
+  const wrappedKey = await crypto.subtle.encrypt(
+    { name: 'RSA-OAEP' },
+    rsaPublicKey,
+    rawAesKey as BufferSource
+  );
+
+  return base64UrlEncode(new Uint8Array(wrappedKey));
+}
+
+async function unwrapAesKey(wrappedKeyBase64: string, privateKeyPem: string): Promise<CryptoKey> {
+  const rsaPrivateKey = await importRsaOaepPrivateKey(privateKeyPem);
+  const wrappedKeyBytes = base64UrlDecode(wrappedKeyBase64);
+
+  const rawAesKey = await crypto.subtle.decrypt(
+    { name: 'RSA-OAEP' },
+    rsaPrivateKey,
+    wrappedKeyBytes as BufferSource
+  );
+
+  return crypto.subtle.importKey(
+    'raw',
+    rawAesKey,
+    { name: 'AES-GCM' },
+    false,
+    ['decrypt']
+  );
+}
+
+async function decryptJsonFromStorage(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  privateKeyPem: string
+): Promise<string> {
+  const aesKey = await unwrapAesKey(envelope.wrappedKey, privateKeyPem);
+  const iv = base64UrlDecode(envelope.dataIv);
+
+  const plaintext = await crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    ciphertext as BufferSource
+  );
+
+  return new TextDecoder().decode(plaintext);
+}
+
+export async function decryptAuditJsonWithRegistry(
+  ciphertext: ArrayBuffer,
+  envelope: DataAtRestEnvelope,
+  env: Env
+): Promise<string> {
+  const keyRegistry = parseDataAtRestPrivateKeyRegistry(env);
+  const candidates = buildPrivateKeyCandidates(envelope.keyId, keyRegistry);
+  const primaryKeyId = candidates[0]?.keyId ?? null;
+  let lastError: unknown;
+
+  for (let index = 0; index < candidates.length; index += 1) {
+    const candidate = candidates[index];
+    try {
+      const plaintext = await decryptJsonFromStorage(ciphertext, envelope, candidate.privateKeyPem);
+      logAuditDecryptionTelemetry({
+        recordKeyId: envelope.keyId,
+        selectedKeyId: candidate.keyId,
+        attemptCount: index + 1,
+        outcome: candidate.keyId === primaryKeyId ? 'primary-hit' : 'fallback-hit'
+      });
+      return plaintext;
+    } catch (error) {
+      lastError = error;
+    }
+  }
+
+  logAuditDecryptionTelemetry({
+    recordKeyId: envelope.keyId,
+    selectedKeyId: null,
+    attemptCount: candidates.length,
+    outcome: 'all-failed',
+    reason: lastError instanceof Error ? lastError.message : 'unknown decryption error'
+  });
+
+  throw new Error(
+    `Failed to decrypt audit record after ${candidates.length} key attempt(s): ${
+      lastError instanceof Error ? lastError.message : 'unknown decryption error'
+    }`
+  );
+}
+
+export async function encryptJsonForStorage(
+  plaintextJson: string,
+  publicKeyPem: string,
+  keyId: string
+): Promise<{ ciphertext: Uint8Array; envelope: DataAtRestEnvelope }> {
+  const aesKey = await createAesGcmKey(['encrypt', 'decrypt']);
+  const wrappedKey = await wrapAesKey(aesKey, publicKeyPem);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+
+  const plaintextBytes = new TextEncoder().encode(plaintextJson);
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    aesKey,
+    plaintextBytes as BufferSource
+  );
+
+  return {
+    ciphertext: new Uint8Array(encryptedBuffer),
+    envelope: {
+      algorithm: DATA_AT_REST_ENCRYPTION_ALGORITHM,
+      encryptionVersion: DATA_AT_REST_ENCRYPTION_VERSION,
+      keyId,
+      dataIv: base64UrlEncode(iv),
+      wrappedKey
+    }
+  };
+}
+
+export function extractDataAtRestEnvelope(file: R2ObjectBody): DataAtRestEnvelope | null {
+  const metadata = file.customMetadata;
+  if (!metadata) {
+    return null;
+  }
+
+  const {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  } = metadata;
+
+  if (
+    typeof algorithm !== 'string' ||
+    typeof encryptionVersion !== 'string' ||
+    typeof keyId !== 'string' ||
+    typeof dataIv !== 'string' ||
+    typeof wrappedKey !== 'string'
+  ) {
+    return null;
+  }
+
+  return {
+    algorithm,
+    encryptionVersion,
+    keyId,
+    dataIv,
+    wrappedKey
+  };
+}

package/workers/audit-worker/src/handlers/audit-routes.ts

@@ -0,0 +1,125 @@
+import {
+  appendAuditEntry,
+  generateAuditFileName,
+  isValidAuditEntry,
+  readAuditEntriesFromObject
+} from '../storage/audit-storage';
+import type { AuditEntry, CreateResponse, Env } from '../types';
+
+export async function handleAuditRequest(
+  request: Request,
+  env: Env,
+  url: URL,
+  respond: CreateResponse
+): Promise<Response> {
+  const bucket = env.STRIAE_AUDIT;
+  const userId = url.searchParams.get('userId');
+  const startDate = url.searchParams.get('startDate');
+  const endDate = url.searchParams.get('endDate');
+
+  if (request.method === 'POST') {
+    if (!userId) {
+      return respond({ error: 'userId parameter is required' }, 400);
+    }
+
+    const auditEntry: unknown = await request.json();
+
+    if (!isValidAuditEntry(auditEntry)) {
+      return respond({ error: 'Invalid audit entry structure. Required fields: timestamp, userId, action' }, 400);
+    }
+
+    if (auditEntry.userId !== userId) {
+      return respond({ error: 'userId parameter must match auditEntry.userId' }, 400);
+    }
+
+    const filename = generateAuditFileName(userId);
+
+    try {
+      const entryCount = await appendAuditEntry(bucket, filename, auditEntry, env);
+      return respond({
+        success: true,
+        entryCount,
+        filename
+      });
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+      return respond({ error: `Failed to store audit entry: ${errorMessage}` }, 500);
+    }
+  }
+
+  if (request.method === 'GET') {
+    if (!userId) {
+      return respond({ error: 'userId parameter is required' }, 400);
+    }
+
+    try {
+      let allEntries: AuditEntry[] = [];
+
+      if (startDate && endDate) {
+        const start = new Date(startDate);
+        const end = new Date(endDate);
+        const currentDate = new Date(start);
+
+        while (currentDate <= end) {
+          const filename = generateAuditFileName(userId, currentDate);
+          const file = await bucket.get(filename);
+
+          if (file) {
+            const entries = await readAuditEntriesFromObject(file, env);
+            allEntries.push(...entries);
+          }
+
+          currentDate.setDate(currentDate.getDate() + 1);
+        }
+      } else {
+        const filename = generateAuditFileName(userId);
+        const file = await bucket.get(filename);
+
+        if (file) {
+          allEntries = await readAuditEntriesFromObject(file, env);
+        }
+      }
+
+      allEntries.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+
+      return respond({
+        entries: allEntries,
+        total: allEntries.length
+      });
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+      return respond({ error: `Failed to retrieve audit entries: ${errorMessage}` }, 500);
+    }
+  }
+
+  if (request.method === 'DELETE') {
+    if (!userId) {
+      return respond({ error: 'userId parameter is required' }, 400);
+    }
+
+    try {
+      const prefix = `audit-trails/${userId}/`;
+      let deletedCount = 0;
+      let cursor: string | undefined;
+
+      do {
+        const listed = await bucket.list({ prefix, cursor, limit: 1000 });
+
+        const keys = listed.objects.map((obj) => obj.key);
+        if (keys.length > 0) {
+          await bucket.delete(keys);
+          deletedCount += keys.length;
+        }
+
+        cursor = listed.truncated ? listed.cursor : undefined;
+      } while (cursor !== undefined);
+
+      return respond({ success: true, deletedCount });
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
+      return respond({ error: `Failed to delete audit entries: ${errorMessage}` }, 500);
+    }
+  }
+
+  return respond({ error: 'Method not allowed for audit endpoints. Only GET, POST, and DELETE are supported.' }, 405);
+}

package/workers/audit-worker/src/storage/audit-storage.ts

@@ -0,0 +1,99 @@
+import {
+  DATA_AT_REST_ENCRYPTION_ALGORITHM,
+  DATA_AT_REST_ENCRYPTION_VERSION
+} from '../config';
+import {
+  decryptAuditJsonWithRegistry,
+  encryptJsonForStorage,
+  extractDataAtRestEnvelope
+} from '../crypto/data-at-rest';
+import type { AuditEntry, Env } from '../types';
+
+export function generateAuditFileName(userId: string, date: Date = new Date()): string {
+  const isoDate = date.toISOString().split('T')[0];
+  return `audit-trails/${userId}/${isoDate}.json`;
+}
+
+export function isValidAuditEntry(entry: unknown): entry is AuditEntry {
+  const candidate = entry as Partial<AuditEntry> | null;
+
+  return (
+    typeof candidate === 'object' &&
+    candidate !== null &&
+    typeof candidate.timestamp === 'string' &&
+    typeof candidate.userId === 'string' &&
+    typeof candidate.action === 'string'
+  );
+}
+
+export async function readAuditEntriesFromObject(file: R2ObjectBody, env: Env): Promise<AuditEntry[]> {
+  const atRestEnvelope = extractDataAtRestEnvelope(file);
+  if (!atRestEnvelope) {
+    throw new Error('Audit record is not encrypted');
+  }
+
+  if (atRestEnvelope.algorithm !== DATA_AT_REST_ENCRYPTION_ALGORITHM) {
+    throw new Error('Unsupported data-at-rest encryption algorithm');
+  }
+
+  if (atRestEnvelope.encryptionVersion !== DATA_AT_REST_ENCRYPTION_VERSION) {
+    throw new Error('Unsupported data-at-rest encryption version');
+  }
+
+  const encryptedData = await file.arrayBuffer();
+  const plaintext = await decryptAuditJsonWithRegistry(encryptedData, atRestEnvelope, env);
+
+  return JSON.parse(plaintext) as AuditEntry[];
+}
+
+export async function writeAuditEntriesToObject(
+  bucket: R2Bucket,
+  filename: string,
+  entries: AuditEntry[],
+  env: Env
+): Promise<void> {
+  const serializedData = JSON.stringify(entries);
+
+  if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
+    throw new Error('Audit encryption is not fully configured');
+  }
+
+  const encryptedPayload = await encryptJsonForStorage(
+    serializedData,
+    env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
+    env.DATA_AT_REST_ENCRYPTION_KEY_ID
+  );
+
+  await bucket.put(filename, encryptedPayload.ciphertext, {
+    customMetadata: {
+      algorithm: encryptedPayload.envelope.algorithm,
+      encryptionVersion: encryptedPayload.envelope.encryptionVersion,
+      keyId: encryptedPayload.envelope.keyId,
+      dataIv: encryptedPayload.envelope.dataIv,
+      wrappedKey: encryptedPayload.envelope.wrappedKey
+    }
+  });
+}
+
+export async function appendAuditEntry(
+  bucket: R2Bucket,
+  filename: string,
+  newEntry: AuditEntry,
+  env: Env
+): Promise<number> {
+  try {
+    const existingFile = await bucket.get(filename);
+    let entries: AuditEntry[] = [];
+
+    if (existingFile) {
+      entries = await readAuditEntriesFromObject(existingFile, env);
+    }
+
+    entries.push(newEntry);
+    await writeAuditEntriesToObject(bucket, filename, entries, env);
+    return entries.length;
+  } catch (error) {
+    console.error('Error appending audit entry:', error);
+    throw error;
+  }
+}

package/workers/audit-worker/src/types.ts

@@ -0,0 +1,56 @@
+export interface Env {
+  R2_KEY_SECRET: string;
+  STRIAE_AUDIT: R2Bucket;
+  DATA_AT_REST_ENCRYPTION_ENABLED?: string;
+  DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
+  DATA_AT_REST_ENCRYPTION_PUBLIC_KEY?: string;
+  DATA_AT_REST_ENCRYPTION_KEY_ID?: string;
+  DATA_AT_REST_ENCRYPTION_KEYS_JSON?: string;
+  DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID?: string;
+}
+
+export interface KeyRegistryPayload {
+  activeKeyId?: unknown;
+  keys?: unknown;
+}
+
+export interface PrivateKeyRegistry {
+  activeKeyId: string | null;
+  keys: Record<string, string>;
+}
+
+export type DecryptionTelemetryOutcome = 'primary-hit' | 'fallback-hit' | 'all-failed';
+
+export interface AuditEntry {
+  timestamp: string;
+  userId: string;
+  action: string;
+  [key: string]: unknown;
+}
+
+export interface SuccessResponse {
+  success: boolean;
+  entryCount?: number;
+  filename?: string;
+}
+
+export interface ErrorResponse {
+  error: string;
+}
+
+export interface AuditRetrievalResponse {
+  entries: AuditEntry[];
+  total: number;
+}
+
+export type APIResponse = SuccessResponse | ErrorResponse | AuditRetrievalResponse | Record<string, unknown>;
+
+export type CreateResponse = (data: APIResponse, status?: number) => Response;
+
+export interface DataAtRestEnvelope {
+  algorithm: string;
+  encryptionVersion: string;
+  keyId: string;
+  dataIv: string;
+  wrappedKey: string;
+}

package/workers/audit-worker/worker-configuration.d.ts

@@ -1,6 +1,6 @@
 /* eslint-disable */
 // Generated by Wrangler by running `wrangler types` (hash: e47787017d9af07a8f6e4fa965fca8c2)
-// Runtime types generated with workerd@1.20250823.0 2026-03-20 nodejs_compat
+// Runtime types generated with workerd@1.20250823.0 2026-03-26 nodejs_compat
 declare namespace Cloudflare {
 	interface Env {
 		STRIAE_AUDIT: R2Bucket;