@striae-org/striae 5.2.1 → 5.3.1

package/workers/data-worker/src/data-worker.example.ts

@@ -1,71 +1,18 @@
-import { signPayload as signWithWorkerKey } from './signature-utils';
 import {
-  decryptExportData,
-  decryptImageBlob,
-  decryptJsonFromStorage,
-  encryptJsonForStorage,
-  type DataAtRestEnvelope
-} from './encryption-utils';
+  DECRYPT_EXPORT_PATH,
+  SIGN_AUDIT_EXPORT_PATH,
+  SIGN_CONFIRMATION_PATH,
+  SIGN_MANIFEST_PATH,
+  hasValidHeader
+} from './config';
+import { handleDecryptExport } from './handlers/decrypt-export';
 import {
-  AUDIT_EXPORT_SIGNATURE_VERSION,
-  CONFIRMATION_SIGNATURE_VERSION,
-  FORENSIC_MANIFEST_SIGNATURE_ALGORITHM,
-  FORENSIC_MANIFEST_VERSION,
-  type AuditExportSigningPayload,
-  type ConfirmationSigningPayload,
-  type ForensicManifestPayload,
-  createAuditExportSigningPayload,
-  createConfirmationSigningPayload,
-  createManifestSigningPayload,
-  isValidAuditExportPayload,
-  isValidConfirmationPayload,
-  isValidManifestPayload
-} from './signing-payload-utils';
-
-interface Env {
-  R2_KEY_SECRET: string;
-  STRIAE_DATA: R2Bucket;
-  MANIFEST_SIGNING_PRIVATE_KEY: string;
-  MANIFEST_SIGNING_KEY_ID: string;
-  EXPORT_ENCRYPTION_PRIVATE_KEY?: string;
-  EXPORT_ENCRYPTION_KEY_ID?: string;
-  EXPORT_ENCRYPTION_KEYS_JSON?: string;
-  EXPORT_ENCRYPTION_ACTIVE_KEY_ID?: string;
-  DATA_AT_REST_ENCRYPTION_ENABLED?: string;
-  DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
-  DATA_AT_REST_ENCRYPTION_PUBLIC_KEY?: string;
-  DATA_AT_REST_ENCRYPTION_KEY_ID?: string;
-  DATA_AT_REST_ENCRYPTION_KEYS_JSON?: string;
-  DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID?: string;
-}
-
-interface KeyRegistryPayload {
-  activeKeyId?: unknown;
-  keys?: unknown;
-}
-
-interface PrivateKeyRegistry {
-  activeKeyId: string | null;
-  keys: Record<string, string>;
-}
-
-interface ExportDecryptionContext {
-  recordKeyId: string | null;
-  candidates: Array<{ keyId: string; privateKeyPem: string }>;
-  primaryKeyId: string | null;
-}
-
-type DecryptionTelemetryOutcome = 'primary-hit' | 'fallback-hit' | 'all-failed';
-
-interface SuccessResponse {
-  success: boolean;
-}
-
-interface ErrorResponse {
-  error: string;
-}
-
-type APIResponse = SuccessResponse | ErrorResponse | unknown[] | Record<string, unknown>;
+  handleSignAuditExport,
+  handleSignConfirmation,
+  handleSignManifest
+} from './handlers/signing';
+import { handleStorageRequest } from './handlers/storage-routes';
+import type { CreateResponse, Env } from './types';
 
 const corsHeaders: Record<string, string> = {
   'Access-Control-Allow-Origin': 'PAGES_CUSTOM_DOMAIN',
@@ -74,780 +21,11 @@ const corsHeaders: Record<string, string> = {
   'Content-Type': 'application/json'
 };
 
-const createResponse = (data: APIResponse, status: number = 200): Response => new Response(
+const createWorkerResponse: CreateResponse = (data, status: number = 200): Response => new Response(
   JSON.stringify(data),
   { status, headers: corsHeaders }
 );
 
-const hasValidHeader = (request: Request, env: Env): boolean =>
-  request.headers.get('X-Custom-Auth-Key') === env.R2_KEY_SECRET;
-
-const SIGN_MANIFEST_PATH = '/api/forensic/sign-manifest';
-const SIGN_CONFIRMATION_PATH = '/api/forensic/sign-confirmation';
-const SIGN_AUDIT_EXPORT_PATH = '/api/forensic/sign-audit-export';
-const DECRYPT_EXPORT_PATH = '/api/forensic/decrypt-export';
-const DATA_AT_REST_BACKFILL_PATH = '/api/admin/data-at-rest-backfill';
-const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
-const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
-
-function normalizePrivateKeyPem(rawValue: string): string {
-  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
-}
-
-function getNonEmptyString(value: unknown): string | null {
-  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
-}
-
-function parsePrivateKeyRegistry(input: {
-  registryJson: string | undefined;
-  activeKeyId: string | undefined;
-  legacyKeyId: string | undefined;
-  legacyPrivateKey: string | undefined;
-  context: string;
-}): PrivateKeyRegistry {
-  const keys: Record<string, string> = {};
-  const configuredActiveKeyId = getNonEmptyString(input.activeKeyId);
-  const registryJson = getNonEmptyString(input.registryJson);
-
-  if (registryJson) {
-    let parsedRegistry: unknown;
-
-    try {
-      parsedRegistry = JSON.parse(registryJson) as unknown;
-    } catch {
-      throw new Error(`${input.context} registry JSON is invalid`);
-    }
-
-    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
-      throw new Error(`${input.context} registry JSON must be an object`);
-    }
-
-    const payload = parsedRegistry as KeyRegistryPayload;
-    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
-    const rawKeys = payload.keys && typeof payload.keys === 'object'
-      ? payload.keys as Record<string, unknown>
-      : parsedRegistry as Record<string, unknown>;
-
-    for (const [keyId, pemValue] of Object.entries(rawKeys)) {
-      if (keyId === 'activeKeyId' || keyId === 'keys') {
-        continue;
-      }
-
-      const normalizedKeyId = getNonEmptyString(keyId);
-      const normalizedPem = getNonEmptyString(pemValue);
-
-      if (!normalizedKeyId || !normalizedPem) {
-        continue;
-      }
-
-      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
-    }
-
-    const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
-
-    if (Object.keys(keys).length === 0) {
-      throw new Error(`${input.context} registry does not contain any usable keys`);
-    }
-
-    if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
-      throw new Error(`${input.context} active key ID is not present in registry`);
-    }
-
-    return {
-      activeKeyId: resolvedActiveKeyId ?? null,
-      keys
-    };
-  }
-
-  const legacyKeyId = getNonEmptyString(input.legacyKeyId);
-  const legacyPrivateKey = getNonEmptyString(input.legacyPrivateKey);
-
-  if (!legacyKeyId || !legacyPrivateKey) {
-    throw new Error(`${input.context} private key registry is not configured`);
-  }
-
-  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
-  const resolvedActiveKeyId = configuredActiveKeyId ?? legacyKeyId;
-
-  return {
-    activeKeyId: resolvedActiveKeyId,
-    keys
-  };
-}
-
-function buildPrivateKeyCandidates(
-  recordKeyId: string | null,
-  registry: PrivateKeyRegistry
-): Array<{ keyId: string; privateKeyPem: string }> {
-  const candidates: Array<{ keyId: string; privateKeyPem: string }> = [];
-  const seen = new Set<string>();
-
-  const appendCandidate = (candidateKeyId: string | null): void => {
-    if (!candidateKeyId || seen.has(candidateKeyId)) {
-      return;
-    }
-
-    const privateKeyPem = registry.keys[candidateKeyId];
-    if (!privateKeyPem) {
-      return;
-    }
-
-    seen.add(candidateKeyId);
-    candidates.push({ keyId: candidateKeyId, privateKeyPem });
-  };
-
-  appendCandidate(recordKeyId);
-  appendCandidate(registry.activeKeyId);
-
-  for (const keyId of Object.keys(registry.keys)) {
-    appendCandidate(keyId);
-  }
-
-  return candidates;
-}
-
-function logRegistryDecryptionTelemetry(input: {
-  scope: 'data-at-rest' | 'export-data' | 'export-image';
-  recordKeyId: string | null;
-  selectedKeyId: string | null;
-  attemptCount: number;
-  outcome: DecryptionTelemetryOutcome;
-  reason?: string;
-}): void {
-  const details = {
-    scope: input.scope,
-    recordKeyId: input.recordKeyId,
-    selectedKeyId: input.selectedKeyId,
-    attemptCount: input.attemptCount,
-    fallbackUsed: input.outcome === 'fallback-hit',
-    outcome: input.outcome,
-    reason: input.reason ?? null
-  };
-
-  if (input.outcome === 'all-failed') {
-    console.warn('Key registry decryption failed', details);
-    return;
-  }
-
-  console.info('Key registry decryption resolved', details);
-}
-
-function getDataAtRestPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
-  return parsePrivateKeyRegistry({
-    registryJson: env.DATA_AT_REST_ENCRYPTION_KEYS_JSON,
-    activeKeyId: env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID,
-    legacyKeyId: env.DATA_AT_REST_ENCRYPTION_KEY_ID,
-    legacyPrivateKey: env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY,
-    context: 'Data-at-rest decryption'
-  });
-}
-
-function getExportPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
-  return parsePrivateKeyRegistry({
-    registryJson: env.EXPORT_ENCRYPTION_KEYS_JSON,
-    activeKeyId: env.EXPORT_ENCRYPTION_ACTIVE_KEY_ID,
-    legacyKeyId: env.EXPORT_ENCRYPTION_KEY_ID,
-    legacyPrivateKey: env.EXPORT_ENCRYPTION_PRIVATE_KEY,
-    context: 'Export decryption'
-  });
-}
-
-function buildExportDecryptionContext(keyId: string | null, env: Env): ExportDecryptionContext {
-  const keyRegistry = getExportPrivateKeyRegistry(env);
-  const candidates = buildPrivateKeyCandidates(keyId, keyRegistry);
-
-  if (candidates.length === 0) {
-    throw new Error('Export decryption key registry does not contain any usable keys');
-  }
-
-  return {
-    recordKeyId: keyId,
-    candidates,
-    primaryKeyId: candidates[0]?.keyId ?? null
-  };
-}
-
-async function decryptJsonFromStorageWithRegistry(
-  ciphertext: ArrayBuffer,
-  envelope: DataAtRestEnvelope,
-  env: Env
-): Promise<string> {
-  const keyRegistry = getDataAtRestPrivateKeyRegistry(env);
-  const candidates = buildPrivateKeyCandidates(getNonEmptyString(envelope.keyId), keyRegistry);
-  const primaryKeyId = candidates[0]?.keyId ?? null;
-  let lastError: unknown;
-
-  for (let index = 0; index < candidates.length; index += 1) {
-    const candidate = candidates[index];
-    try {
-      const plaintext = await decryptJsonFromStorage(ciphertext, envelope, candidate.privateKeyPem);
-      logRegistryDecryptionTelemetry({
-        scope: 'data-at-rest',
-        recordKeyId: getNonEmptyString(envelope.keyId),
-        selectedKeyId: candidate.keyId,
-        attemptCount: index + 1,
-        outcome: candidate.keyId === primaryKeyId ? 'primary-hit' : 'fallback-hit'
-      });
-      return plaintext;
-    } catch (error) {
-      lastError = error;
-    }
-  }
-
-  logRegistryDecryptionTelemetry({
-    scope: 'data-at-rest',
-    recordKeyId: getNonEmptyString(envelope.keyId),
-    selectedKeyId: null,
-    attemptCount: candidates.length,
-    outcome: 'all-failed',
-    reason: lastError instanceof Error ? lastError.message : 'unknown decryption error'
-  });
-
-  throw new Error(
-    `Failed to decrypt stored data after ${candidates.length} key attempt(s): ${
-      lastError instanceof Error ? lastError.message : 'unknown decryption error'
-    }`
-  );
-}
-
-async function decryptExportDataWithRegistry(
-  encryptedDataBase64: string,
-  wrappedKeyBase64: string,
-  ivBase64: string,
-  context: ExportDecryptionContext
-): Promise<string> {
-  let lastError: unknown;
-
-  for (let index = 0; index < context.candidates.length; index += 1) {
-    const candidate = context.candidates[index];
-    try {
-      const plaintext = await decryptExportData(
-        encryptedDataBase64,
-        wrappedKeyBase64,
-        ivBase64,
-        candidate.privateKeyPem
-      );
-      logRegistryDecryptionTelemetry({
-        scope: 'export-data',
-        recordKeyId: context.recordKeyId,
-        selectedKeyId: candidate.keyId,
-        attemptCount: index + 1,
-        outcome: candidate.keyId === context.primaryKeyId ? 'primary-hit' : 'fallback-hit'
-      });
-      return plaintext;
-    } catch (error) {
-      lastError = error;
-    }
-  }
-
-  logRegistryDecryptionTelemetry({
-    scope: 'export-data',
-    recordKeyId: context.recordKeyId,
-    selectedKeyId: null,
-    attemptCount: context.candidates.length,
-    outcome: 'all-failed',
-    reason: lastError instanceof Error ? lastError.message : 'unknown decryption error'
-  });
-
-  throw new Error(
-    `Failed to decrypt export payload after ${context.candidates.length} key attempt(s): ${
-      lastError instanceof Error ? lastError.message : 'unknown decryption error'
-    }`
-  );
-}
-
-async function decryptExportImageWithRegistry(
-  encryptedImageBase64: string,
-  wrappedKeyBase64: string,
-  ivBase64: string,
-  context: ExportDecryptionContext
-): Promise<Blob> {
-  let lastError: unknown;
-
-  for (let index = 0; index < context.candidates.length; index += 1) {
-    const candidate = context.candidates[index];
-    try {
-      const imageBlob = await decryptImageBlob(
-        encryptedImageBase64,
-        wrappedKeyBase64,
-        ivBase64,
-        candidate.privateKeyPem
-      );
-      logRegistryDecryptionTelemetry({
-        scope: 'export-image',
-        recordKeyId: context.recordKeyId,
-        selectedKeyId: candidate.keyId,
-        attemptCount: index + 1,
-        outcome: candidate.keyId === context.primaryKeyId ? 'primary-hit' : 'fallback-hit'
-      });
-      return imageBlob;
-    } catch (error) {
-      lastError = error;
-    }
-  }
-
-  logRegistryDecryptionTelemetry({
-    scope: 'export-image',
-    recordKeyId: context.recordKeyId,
-    selectedKeyId: null,
-    attemptCount: context.candidates.length,
-    outcome: 'all-failed',
-    reason: lastError instanceof Error ? lastError.message : 'unknown decryption error'
-  });
-
-  throw new Error(
-    `Failed to decrypt export image after ${context.candidates.length} key attempt(s): ${
-      lastError instanceof Error ? lastError.message : 'unknown decryption error'
-    }`
-  );
-}
-
-function isDataAtRestEncryptionEnabled(env: Env): boolean {
-  const value = env.DATA_AT_REST_ENCRYPTION_ENABLED;
-  if (!value) {
-    return false;
-  }
-
-  const normalizedValue = value.trim().toLowerCase();
-  return normalizedValue === '1' || normalizedValue === 'true' || normalizedValue === 'yes' || normalizedValue === 'on';
-}
-
-function extractDataAtRestEnvelope(file: R2ObjectBody): DataAtRestEnvelope | null {
-  const metadata = file.customMetadata;
-  if (!metadata) {
-    return null;
-  }
-
-  const {
-    algorithm,
-    encryptionVersion,
-    keyId,
-    dataIv,
-    wrappedKey
-  } = metadata;
-
-  if (
-    typeof algorithm !== 'string' ||
-    typeof encryptionVersion !== 'string' ||
-    typeof keyId !== 'string' ||
-    typeof dataIv !== 'string' ||
-    typeof wrappedKey !== 'string'
-  ) {
-    return null;
-  }
-
-  return {
-    algorithm,
-    encryptionVersion,
-    keyId,
-    dataIv,
-    wrappedKey
-  };
-}
-
-function hasDataAtRestMetadata(metadata: Record<string, string> | undefined): boolean {
-  if (!metadata) {
-    return false;
-  }
-
-  return (
-    typeof metadata.algorithm === 'string' &&
-    typeof metadata.encryptionVersion === 'string' &&
-    typeof metadata.keyId === 'string' &&
-    typeof metadata.dataIv === 'string' &&
-    typeof metadata.wrappedKey === 'string'
-  );
-}
-
-function clampBackfillBatchSize(size: number | undefined): number {
-  if (typeof size !== 'number' || !Number.isFinite(size)) {
-    return 100;
-  }
-
-  const normalized = Math.floor(size);
-  if (normalized < 1) {
-    return 1;
-  }
-
-  if (normalized > 1000) {
-    return 1000;
-  }
-
-  return normalized;
-}
-
-async function handleDataAtRestBackfill(request: Request, env: Env): Promise<Response> {
-  if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
-    return createResponse(
-      { error: 'Data-at-rest encryption is not configured for backfill writes' },
-      400
-    );
-  }
-
-  const requestBody = await request.json().catch(() => ({})) as {
-    dryRun?: boolean;
-    prefix?: string;
-    cursor?: string;
-    batchSize?: number;
-  };
-
-  const dryRun = requestBody.dryRun === true;
-  const prefix = typeof requestBody.prefix === 'string' ? requestBody.prefix : '';
-  const cursor = typeof requestBody.cursor === 'string' && requestBody.cursor.length > 0
-    ? requestBody.cursor
-    : undefined;
-  const batchSize = clampBackfillBatchSize(requestBody.batchSize);
-
-  const bucket = env.STRIAE_DATA;
-  const listed = await bucket.list({
-    prefix: prefix.length > 0 ? prefix : undefined,
-    cursor,
-    limit: batchSize
-  });
-
-  let scanned = 0;
-  let eligible = 0;
-  let encrypted = 0;
-  let skippedEncrypted = 0;
-  let skippedNonJson = 0;
-  let failed = 0;
-  const failures: Array<{ key: string; error: string }> = [];
-
-  for (const object of listed.objects) {
-    scanned += 1;
-    const key = object.key;
-
-    if (!key.endsWith('.json')) {
-      skippedNonJson += 1;
-      continue;
-    }
-
-    const objectHead = await bucket.head(key);
-    if (!objectHead) {
-      failed += 1;
-      if (failures.length < 20) {
-        failures.push({ key, error: 'Object not found during metadata check' });
-      }
-      continue;
-    }
-
-    if (hasDataAtRestMetadata(objectHead.customMetadata)) {
-      skippedEncrypted += 1;
-      continue;
-    }
-
-    eligible += 1;
-
-    if (dryRun) {
-      continue;
-    }
-
-    try {
-      const existingObject = await bucket.get(key);
-      if (!existingObject) {
-        failed += 1;
-        if (failures.length < 20) {
-          failures.push({ key, error: 'Object disappeared before processing' });
-        }
-        continue;
-      }
-
-      const plaintext = await existingObject.text();
-      const encryptedPayload = await encryptJsonForStorage(
-        plaintext,
-        env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
-        env.DATA_AT_REST_ENCRYPTION_KEY_ID
-      );
-
-      await bucket.put(key, encryptedPayload.ciphertext, {
-        customMetadata: {
-          algorithm: encryptedPayload.envelope.algorithm,
-          encryptionVersion: encryptedPayload.envelope.encryptionVersion,
-          keyId: encryptedPayload.envelope.keyId,
-          dataIv: encryptedPayload.envelope.dataIv,
-          wrappedKey: encryptedPayload.envelope.wrappedKey
-        }
-      });
-
-      encrypted += 1;
-    } catch (error) {
-      failed += 1;
-      if (failures.length < 20) {
-        const errorMessage = error instanceof Error ? error.message : 'Unknown backfill failure';
-        failures.push({ key, error: errorMessage });
-      }
-    }
-  }
-
-  return createResponse({
-    success: failed === 0,
-    dryRun,
-    prefix: prefix.length > 0 ? prefix : null,
-    batchSize,
-    scanned,
-    eligible,
-    encrypted,
-    skippedEncrypted,
-    skippedNonJson,
-    failed,
-    failures,
-    hasMore: listed.truncated,
-    nextCursor: listed.truncated ? listed.cursor : null
-  });
-}
-
-async function signPayloadWithWorkerKey(payload: string, env: Env): Promise<{
-  algorithm: string;
-  keyId: string;
-  signedAt: string;
-  value: string;
-}> {
-  return signWithWorkerKey(
-    payload,
-    env.MANIFEST_SIGNING_PRIVATE_KEY,
-    env.MANIFEST_SIGNING_KEY_ID,
-    FORENSIC_MANIFEST_SIGNATURE_ALGORITHM
-  );
-}
-
-async function signManifest(manifest: ForensicManifestPayload, env: Env): Promise<{
-  algorithm: string;
-  keyId: string;
-  signedAt: string;
-  value: string;
-}> {
-  const payload = createManifestSigningPayload(manifest);
-  return signPayloadWithWorkerKey(payload, env);
-}
-
-async function signConfirmation(confirmationData: ConfirmationSigningPayload, env: Env): Promise<{
-  algorithm: string;
-  keyId: string;
-  signedAt: string;
-  value: string;
-}> {
-  const payload = createConfirmationSigningPayload(confirmationData);
-  return signPayloadWithWorkerKey(payload, env);
-}
-
-async function signAuditExport(auditExportData: AuditExportSigningPayload, env: Env): Promise<{
-  algorithm: string;
-  keyId: string;
-  signedAt: string;
-  value: string;
-}> {
-  const payload = createAuditExportSigningPayload(auditExportData);
-  return signPayloadWithWorkerKey(payload, env);
-}
-
-async function handleSignManifest(request: Request, env: Env): Promise<Response> {
-  try {
-    const requestBody = await request.json() as { manifest?: Partial<ForensicManifestPayload> } & Partial<ForensicManifestPayload>;
-    const manifestCandidate: Partial<ForensicManifestPayload> = requestBody.manifest ?? requestBody;
-
-    if (!manifestCandidate || !isValidManifestPayload(manifestCandidate)) {
-      return createResponse({ error: 'Invalid manifest payload' }, 400);
-    }
-
-    const signature = await signManifest(manifestCandidate, env);
-
-    return createResponse({
-      success: true,
-      manifestVersion: FORENSIC_MANIFEST_VERSION,
-      signature
-    });
-  } catch (error) {
-    console.error('Manifest signing failed:', error);
-    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
-    return createResponse({ error: errorMessage }, 500);
-  }
-}
-
-async function handleSignConfirmation(request: Request, env: Env): Promise<Response> {
-  try {
-    const requestBody = await request.json() as {
-      confirmationData?: Partial<ConfirmationSigningPayload>;
-      signatureVersion?: string;
-    } & Partial<ConfirmationSigningPayload>;
-
-    const requestedSignatureVersion =
-      typeof requestBody.signatureVersion === 'string' && requestBody.signatureVersion.trim().length > 0
-        ? requestBody.signatureVersion
-        : CONFIRMATION_SIGNATURE_VERSION;
-
-    if (requestedSignatureVersion !== CONFIRMATION_SIGNATURE_VERSION) {
-      return createResponse(
-        { error: `Unsupported confirmation signature version: ${requestedSignatureVersion}` },
-        400
-      );
-    }
-
-    const confirmationCandidate: Partial<ConfirmationSigningPayload> = requestBody.confirmationData ?? requestBody;
-
-    if (!confirmationCandidate || !isValidConfirmationPayload(confirmationCandidate)) {
-      return createResponse({ error: 'Invalid confirmation payload' }, 400);
-    }
-
-    const signature = await signConfirmation(confirmationCandidate, env);
-
-    return createResponse({
-      success: true,
-      signatureVersion: CONFIRMATION_SIGNATURE_VERSION,
-      signature
-    });
-  } catch (error) {
-    console.error('Confirmation signing failed:', error);
-    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
-    return createResponse({ error: errorMessage }, 500);
-  }
-}
-
-async function handleSignAuditExport(request: Request, env: Env): Promise<Response> {
-  try {
-    const requestBody = await request.json() as {
-      auditExport?: Partial<AuditExportSigningPayload>;
-      signatureVersion?: string;
-    } & Partial<AuditExportSigningPayload>;
-
-    const requestedSignatureVersion =
-      typeof requestBody.signatureVersion === 'string' && requestBody.signatureVersion.trim().length > 0
-        ? requestBody.signatureVersion
-        : AUDIT_EXPORT_SIGNATURE_VERSION;
-
-    if (requestedSignatureVersion !== AUDIT_EXPORT_SIGNATURE_VERSION) {
-      return createResponse(
-        { error: `Unsupported audit export signature version: ${requestedSignatureVersion}` },
-        400
-      );
-    }
-
-    const auditExportCandidate: Partial<AuditExportSigningPayload> = requestBody.auditExport ?? requestBody;
-
-    if (!auditExportCandidate || !isValidAuditExportPayload(auditExportCandidate)) {
-      return createResponse({ error: 'Invalid audit export payload' }, 400);
-    }
-
-    const signature = await signAuditExport(auditExportCandidate, env);
-
-    return createResponse({
-      success: true,
-      signatureVersion: AUDIT_EXPORT_SIGNATURE_VERSION,
-      signature
-    });
-  } catch (error) {
-    console.error('Audit export signing failed:', error);
-    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
-    return createResponse({ error: errorMessage }, 500);
-  }
-}
-
-async function handleDecryptExport(request: Request, env: Env): Promise<Response> {
-  try {
-    const requestBody = await request.json() as {
-      wrappedKey?: string;
-      dataIv?: string;
-      encryptedData?: string;
-      encryptedImages?: Array<{ filename: string; encryptedData: string; iv?: string }>;
-      keyId?: string;
-    };
-
-    const { wrappedKey, dataIv, encryptedData, encryptedImages, keyId } = requestBody;
-
-    // Validate required fields
-    if (
-      !wrappedKey ||
-      typeof wrappedKey !== 'string' ||
-      !dataIv ||
-      typeof dataIv !== 'string' ||
-      !encryptedData ||
-      typeof encryptedData !== 'string'
-    ) {
-      return createResponse(
-        { error: 'Missing or invalid required fields: wrappedKey, dataIv, encryptedData' },
-        400
-      );
-    }
-
-    const recordKeyId = getNonEmptyString(keyId);
-    const decryptionContext = buildExportDecryptionContext(recordKeyId, env);
-
-    // Decrypt data file
-    let plaintextData: string;
-    try {
-      plaintextData = await decryptExportDataWithRegistry(
-        encryptedData,
-        wrappedKey,
-        dataIv,
-        decryptionContext
-      );
-    } catch (error) {
-      console.error('Data file decryption failed:', error);
-      const errorMessage = error instanceof Error ? error.message : 'Decryption failed';
-      return createResponse(
-        { error: `Failed to decrypt data file: ${errorMessage}` },
-        500
-      );
-    }
-
-    // Decrypt images if provided
-    const decryptedImages: Array<{ filename: string; data: string }> = [];
-    if (Array.isArray(encryptedImages) && encryptedImages.length > 0) {
-      for (const imageEntry of encryptedImages) {
-        try {
-          if (!imageEntry.iv || typeof imageEntry.iv !== 'string') {
-            return createResponse(
-              { error: `Missing IV for image ${imageEntry.filename}` },
-              400
-            );
-          }
-
-          const imageBlob = await decryptExportImageWithRegistry(
-            imageEntry.encryptedData,
-            wrappedKey,
-            imageEntry.iv,
-            decryptionContext
-          );
-
-          // Convert blob to base64 for transport
-          const arrayBuffer = await imageBlob.arrayBuffer();
-          const bytes = new Uint8Array(arrayBuffer);
-            const chunkSize = 8192;
-            let binary = '';
-            for (let i = 0; i < bytes.length; i += chunkSize) {
-              const chunk = bytes.subarray(i, Math.min(i + chunkSize, bytes.length));
-              for (let j = 0; j < chunk.length; j++) {
-                binary += String.fromCharCode(chunk[j]);
-              }
-            }
-            const base64Data = btoa(binary);
-
-          decryptedImages.push({
-            filename: imageEntry.filename,
-            data: base64Data
-          });
-        } catch (error) {
-          console.error(`Image decryption failed for ${imageEntry.filename}:`, error);
-          const errorMessage = error instanceof Error ? error.message : 'Decryption failed';
-          return createResponse(
-            { error: `Failed to decrypt image ${imageEntry.filename}: ${errorMessage}` },
-            500
-          );
-        }
-      }
-    }
-
-    return createResponse({
-      success: true,
-      plaintext: plaintextData,
-      decryptedImages
-    });
-  } catch (error) {
-    console.error('Export decryption request failed:', error);
-    const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
-    return createResponse({ error: errorMessage }, 500);
-  }
-}
-
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
     if (request.method === 'OPTIONS') {
@@ -855,133 +33,34 @@ export default {
     }
 
     if (!hasValidHeader(request, env)) {
-      return createResponse({ error: 'Forbidden' }, 403);
+      return createWorkerResponse({ error: 'Forbidden' }, 403);
     }
 
     try {
       const url = new URL(request.url);
       const pathname = url.pathname;
-      const bucket = env.STRIAE_DATA;
 
       if (request.method === 'POST' && pathname === SIGN_MANIFEST_PATH) {
-        return await handleSignManifest(request, env);
+        return await handleSignManifest(request, env, createWorkerResponse);
       }
 
       if (request.method === 'POST' && pathname === SIGN_CONFIRMATION_PATH) {
-        return await handleSignConfirmation(request, env);
+        return await handleSignConfirmation(request, env, createWorkerResponse);
       }
 
       if (request.method === 'POST' && pathname === SIGN_AUDIT_EXPORT_PATH) {
-        return await handleSignAuditExport(request, env);
+        return await handleSignAuditExport(request, env, createWorkerResponse);
       }
 
       if (request.method === 'POST' && pathname === DECRYPT_EXPORT_PATH) {
-        return await handleDecryptExport(request, env);
+        return await handleDecryptExport(request, env, createWorkerResponse);
       }
 
-      if (request.method === 'POST' && pathname === DATA_AT_REST_BACKFILL_PATH) {
-        return await handleDataAtRestBackfill(request, env);
-      }
-
-      const filename = pathname.slice(1) || 'data.json';
-
-      if (!filename.endsWith('.json')) {
-        return createResponse({ error: 'Invalid file type. Only JSON files are allowed.' }, 400);
-      }
-
-      switch (request.method) {
-        case 'GET': {
-          const file = await bucket.get(filename);
-          if (!file) {
-            return createResponse([], 200);
-          }
-
-          const atRestEnvelope = extractDataAtRestEnvelope(file);
-          if (atRestEnvelope) {
-            if (atRestEnvelope.algorithm !== DATA_AT_REST_ENCRYPTION_ALGORITHM) {
-              return createResponse({ error: 'Unsupported data-at-rest encryption algorithm' }, 500);
-            }
-
-            if (atRestEnvelope.encryptionVersion !== DATA_AT_REST_ENCRYPTION_VERSION) {
-              return createResponse({ error: 'Unsupported data-at-rest encryption version' }, 500);
-            }
-
-            try {
-              const encryptedData = await file.arrayBuffer();
-              const plaintext = await decryptJsonFromStorageWithRegistry(
-                encryptedData,
-                atRestEnvelope,
-                env
-              );
-              const decryptedPayload = JSON.parse(plaintext);
-              return createResponse(decryptedPayload);
-            } catch (error) {
-              console.error('Data-at-rest decryption failed:', error);
-              return createResponse({ error: 'Failed to decrypt stored data' }, 500);
-            }
-          }
-
-          const fileText = await file.text();
-          const data = JSON.parse(fileText);
-          return createResponse(data);
-        }
-
-        case 'PUT': {
-          const newData = await request.json();
-          const serializedData = JSON.stringify(newData);
-
-          if (!isDataAtRestEncryptionEnabled(env)) {
-            await bucket.put(filename, serializedData);
-            return createResponse({ success: true });
-          }
-
-          if (!env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY || !env.DATA_AT_REST_ENCRYPTION_KEY_ID) {
-            return createResponse(
-              { error: 'Data-at-rest encryption is enabled but not fully configured' },
-              500
-            );
-          }
-
-          try {
-            const encryptedPayload = await encryptJsonForStorage(
-              serializedData,
-              env.DATA_AT_REST_ENCRYPTION_PUBLIC_KEY,
-              env.DATA_AT_REST_ENCRYPTION_KEY_ID
-            );
-
-            await bucket.put(filename, encryptedPayload.ciphertext, {
-              customMetadata: {
-                algorithm: encryptedPayload.envelope.algorithm,
-                encryptionVersion: encryptedPayload.envelope.encryptionVersion,
-                keyId: encryptedPayload.envelope.keyId,
-                dataIv: encryptedPayload.envelope.dataIv,
-                wrappedKey: encryptedPayload.envelope.wrappedKey
-              }
-            });
-          } catch (error) {
-            console.error('Data-at-rest encryption failed:', error);
-            return createResponse({ error: 'Failed to encrypt data for storage' }, 500);
-          }
-
-          return createResponse({ success: true });
-        }
-
-        case 'DELETE': {
-          const file = await bucket.get(filename);
-          if (!file) {
-            return createResponse({ error: 'File not found' }, 404);
-          }
-          await bucket.delete(filename);
-          return createResponse({ success: true });
-        }
-
-        default:
-          return createResponse({ error: 'Method not allowed' }, 405);
-      }
+      return await handleStorageRequest(request, env, pathname, createWorkerResponse);
     } catch (error) {
       console.error('Worker error:', error);
       const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
-      return createResponse({ error: errorMessage }, 500);
+      return createWorkerResponse({ error: errorMessage }, 500);
     }
   }
 };