@striae-org/striae 5.3.2 → 5.4.1

package/scripts/deploy-worker-secrets.sh

@@ -0,0 +1,385 @@
+#!/bin/bash
+
+# ======================================
+# STRIAE WORKER SECRETS DEPLOYMENT SCRIPT  
+# ======================================
+# This script deploys environment variables/secrets to Cloudflare Workers
+# Run this AFTER workers are deployed to avoid deployment errors
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+echo -e "${BLUE}🔐 Striae Worker Secrets Deployment Script${NC}"
+echo "=========================================="
+
+# Check if .env file exists
+if [ ! -f ".env" ]; then
+    echo -e "${RED}❌ Error: .env file not found!${NC}"
+    echo "Please copy .env.example to .env and fill in your values."
+    exit 1
+fi
+
+# Source the .env file
+echo -e "${YELLOW}📖 Loading environment variables from .env...${NC}"
+source .env
+
+is_admin_service_placeholder() {
+    local value="$1"
+    local normalized=$(echo "$value" | tr '[:upper:]' '[:lower:]')
+
+    [[ -z "$normalized" || "$normalized" == your-* || "$normalized" == *"your_private_key"* ]]
+}
+
+load_required_admin_service_credentials() {
+    local admin_service_path="app/config/admin-service.json"
+
+    if [ ! -f "$admin_service_path" ]; then
+        echo -e "${RED}❌ Error: Required Firebase admin service file not found: $admin_service_path${NC}"
+        echo -e "${YELLOW}   Create app/config/admin-service.json before deploying worker secrets.${NC}"
+        exit 1
+    fi
+
+    local service_project_id
+    local service_client_email
+    local service_private_key
+
+    if ! service_project_id=$(node -e "const fs=require('fs'); const data=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); process.stdout.write(data.project_id || '');" "$admin_service_path"); then
+        echo -e "${RED}❌ Error: Could not parse project_id from $admin_service_path${NC}"
+        exit 1
+    fi
+
+    if ! service_client_email=$(node -e "const fs=require('fs'); const data=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); process.stdout.write(data.client_email || '');" "$admin_service_path"); then
+        echo -e "${RED}❌ Error: Could not parse client_email from $admin_service_path${NC}"
+        exit 1
+    fi
+
+    if ! service_private_key=$(node -e "const fs=require('fs'); const data=JSON.parse(fs.readFileSync(process.argv[1], 'utf8')); process.stdout.write(data.private_key || '');" "$admin_service_path"); then
+        echo -e "${RED}❌ Error: Could not parse private_key from $admin_service_path${NC}"
+        exit 1
+    fi
+
+    local normalized_private_key="${service_private_key//$'\r'/}"
+    normalized_private_key="${normalized_private_key//$'\n'/\\n}"
+
+    if is_admin_service_placeholder "$service_project_id"; then
+        echo -e "${RED}❌ Error: project_id in $admin_service_path is missing or placeholder${NC}"
+        exit 1
+    fi
+
+    if is_admin_service_placeholder "$service_client_email" || [[ "$service_client_email" != *".gserviceaccount.com"* ]]; then
+        echo -e "${RED}❌ Error: client_email in $admin_service_path is invalid${NC}"
+        exit 1
+    fi
+
+    if is_admin_service_placeholder "$normalized_private_key" || [[ "$normalized_private_key" != *"-----BEGIN PRIVATE KEY-----"* ]] || [[ "$normalized_private_key" != *"-----END PRIVATE KEY-----"* ]]; then
+        echo -e "${RED}❌ Error: private_key in $admin_service_path is invalid${NC}"
+        exit 1
+    fi
+
+    PROJECT_ID="$service_project_id"
+    FIREBASE_SERVICE_ACCOUNT_EMAIL="$service_client_email"
+    FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY="$normalized_private_key"
+
+    export PROJECT_ID
+    export FIREBASE_SERVICE_ACCOUNT_EMAIL
+    export FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY
+
+    echo -e "${GREEN}✅ Loaded Firebase service account credentials from $admin_service_path${NC}"
+}
+
+load_required_admin_service_credentials
+
+build_user_worker_secret_list() {
+    local secrets=(
+        "USER_DB_AUTH"
+        "R2_KEY_SECRET"
+        "PROJECT_ID"
+        "FIREBASE_SERVICE_ACCOUNT_EMAIL"
+        "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY"
+    )
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
+    if [ -n "${USER_KV_ENCRYPTION_PRIVATE_KEY:-}" ]; then
+        secrets+=("USER_KV_ENCRYPTION_PRIVATE_KEY")
+    fi
+
+    if [ -n "${USER_KV_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("USER_KV_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${USER_KV_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("USER_KV_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
+    local write_endpoints_enabled_normalized
+    write_endpoints_enabled_normalized=$(printf '%s' "${USER_KV_WRITE_ENDPOINTS_ENABLED:-true}" | tr '[:upper:]' '[:lower:]')
+
+    if [ "$write_endpoints_enabled_normalized" = "1" ] || [ "$write_endpoints_enabled_normalized" = "true" ] || [ "$write_endpoints_enabled_normalized" = "yes" ] || [ "$write_endpoints_enabled_normalized" = "on" ]; then
+        if [ -n "${USER_KV_ENCRYPTION_KEY_ID:-}" ]; then
+            secrets+=("USER_KV_ENCRYPTION_KEY_ID")
+        fi
+
+        if [ -n "${USER_KV_ENCRYPTION_PUBLIC_KEY:-}" ]; then
+            secrets+=("USER_KV_ENCRYPTION_PUBLIC_KEY")
+        fi
+    fi
+
+    printf '%s\n' "${secrets[@]}"
+}
+
+build_audit_worker_secret_list() {
+    local secrets=(
+        "R2_KEY_SECRET"
+    )
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ENABLED:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ENABLED")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PUBLIC_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PUBLIC_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
+    printf '%s\n' "${secrets[@]}"
+}
+
+# Function to set worker secrets
+set_worker_secrets() {
+    local worker_name=$1
+    local worker_path=$2
+    shift 2
+    local secrets=("$@")
+    
+    echo -e "\n${BLUE}🔧 Setting secrets for $worker_name...${NC}"
+    
+    # Check if worker has a wrangler configuration file
+    if [ ! -f "$worker_path/wrangler.jsonc" ] && [ ! -f "$worker_path/wrangler.toml" ]; then
+        echo -e "${RED}❌ Error: No wrangler configuration found for $worker_name${NC}"
+        echo -e "${YELLOW}   Please copy wrangler.jsonc.example to wrangler.jsonc and configure it first.${NC}"
+        return 1
+    fi
+    
+    # Change to worker directory
+    pushd "$worker_path" > /dev/null
+    
+    # Get the worker name from the configuration file
+    local config_worker_name
+    if [ -f "wrangler.jsonc" ]; then
+        config_worker_name=$(grep -o '"name"[[:space:]]*:[[:space:]]*"[^"]*"' wrangler.jsonc | sed 's/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
+    elif [ -f "wrangler.toml" ]; then
+        config_worker_name=$(grep '^name[[:space:]]*=' wrangler.toml | sed 's/.*=[[:space:]]*["\x27]\([^"\x27]*\)["\x27].*/\1/')
+    fi
+    
+    if [ -z "$config_worker_name" ]; then
+        echo -e "${RED}❌ Error: Could not determine worker name from configuration${NC}"
+        popd > /dev/null
+        return 1
+    fi
+    
+    echo -e "${YELLOW}  Using worker name: $config_worker_name${NC}"
+    
+    for secret in "${secrets[@]}"; do
+        echo -e "${YELLOW}  Setting $secret...${NC}"
+        if ! echo "${!secret}" | wrangler secret put "$secret" --name "$config_worker_name"; then
+            echo -e "${RED}❌ Failed to set $secret for $worker_name${NC}"
+            popd > /dev/null
+            return 1
+        fi
+    done
+    
+    echo -e "${GREEN}✅ $worker_name secrets configured${NC}"
+    popd > /dev/null
+}
+
+build_data_worker_secret_list() {
+    local secrets=(
+        "R2_KEY_SECRET"
+        "MANIFEST_SIGNING_PRIVATE_KEY"
+        "MANIFEST_SIGNING_KEY_ID"
+        "EXPORT_ENCRYPTION_PRIVATE_KEY"
+        "EXPORT_ENCRYPTION_KEY_ID"
+    )
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ENABLED:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ENABLED")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PUBLIC_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PUBLIC_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
+    if [ -n "${EXPORT_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("EXPORT_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${EXPORT_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("EXPORT_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
+    printf '%s\n' "${secrets[@]}"
+}
+
+build_images_worker_secret_list() {
+    local secrets=(
+        "IMAGES_API_TOKEN"
+        "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"
+        "DATA_AT_REST_ENCRYPTION_KEY_ID"
+        "IMAGE_SIGNED_URL_SECRET"
+    )
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
+    fi
+
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
+    fi
+
+    if [ -n "${IMAGE_SIGNED_URL_BASE_URL:-}" ]; then
+        secrets+=("IMAGE_SIGNED_URL_BASE_URL")
+    fi
+
+    printf '%s\n' "${secrets[@]}"
+}
+
+# Deploy secrets to each worker
+echo -e "\n${BLUE}🔐 Deploying secrets to workers...${NC}"
+
+# Check if workers are configured
+echo -e "${YELLOW}🔍 Checking worker configurations...${NC}"
+workers_configured=0
+total_workers=5
+
+for worker_dir in workers/*/; do
+    if [ -f "$worker_dir/wrangler.jsonc" ] || [ -f "$worker_dir/wrangler.toml" ]; then
+        workers_configured=$((workers_configured + 1))
+    fi
+done
+
+if [ $workers_configured -eq 0 ]; then
+    echo -e "${RED}❌ No workers are configured!${NC}"
+    echo -e "${YELLOW}   Please copy wrangler.jsonc.example to wrangler.jsonc in each worker directory and configure them.${NC}"
+    echo -e "${YELLOW}   Then run this script again.${NC}"
+    exit 1
+elif [ $workers_configured -lt $total_workers ]; then
+    echo -e "${YELLOW}⚠️  Warning: Only $workers_configured of $total_workers workers are configured.${NC}"
+    echo -e "${YELLOW}   Some workers may not have their secrets deployed.${NC}"
+fi
+
+# Audit Worker
+audit_worker_secrets=()
+while IFS= read -r secret; do
+    audit_worker_secrets+=("$secret")
+done < <(build_audit_worker_secret_list)
+
+if ! set_worker_secrets "Audit Worker" "workers/audit-worker" "${audit_worker_secrets[@]}"; then
+    echo -e "${YELLOW}⚠️  Skipping Audit Worker (not configured)${NC}"
+fi
+
+# User Worker
+user_worker_secrets=()
+while IFS= read -r secret; do
+    user_worker_secrets+=("$secret")
+done < <(build_user_worker_secret_list)
+
+if ! set_worker_secrets "User Worker" "workers/user-worker" "${user_worker_secrets[@]}"; then
+    echo -e "${YELLOW}⚠️  Skipping User Worker (not configured)${NC}"
+fi
+
+# Data Worker
+data_worker_secrets=()
+while IFS= read -r secret; do
+    data_worker_secrets+=("$secret")
+done < <(build_data_worker_secret_list)
+
+if ! set_worker_secrets "Data Worker" "workers/data-worker" "${data_worker_secrets[@]}"; then
+    echo -e "${YELLOW}⚠️  Skipping Data Worker (not configured)${NC}"
+fi
+
+# Images Worker
+images_worker_secrets=()
+while IFS= read -r secret; do
+    images_worker_secrets+=("$secret")
+done < <(build_images_worker_secret_list)
+
+if ! set_worker_secrets "Images Worker" "workers/image-worker" "${images_worker_secrets[@]}"; then
+    echo -e "${YELLOW}⚠️  Skipping Images Worker (not configured)${NC}"
+fi
+
+# PDF Worker
+if ! set_worker_secrets "PDF Worker" "workers/pdf-worker" \
+    "PDF_WORKER_AUTH" "ACCOUNT_ID" "BROWSER_API_TOKEN"; then
+    echo -e "${YELLOW}⚠️  Skipping PDF Worker (not configured)${NC}"
+fi
+
+echo -e "\n${GREEN}🎉 Worker secrets deployment completed!${NC}"
+
+echo -e "\n${YELLOW}⚠️  WORKER CONFIGURATION REMINDERS:${NC}"
+echo "   - Copy wrangler.jsonc.example to wrangler.jsonc in each worker directory"
+echo "   - Configure KV namespace ID in workers/user-worker/wrangler.jsonc"
+echo "   - Configure R2 bucket name in workers/data-worker/wrangler.jsonc"
+echo "   - Configure R2 bucket name in workers/audit-worker/wrangler.jsonc"
+echo "   - Configure R2 bucket name in workers/image-worker/wrangler.jsonc"
+echo "   - Update ACCOUNT_ID and custom domains in all worker configurations"
+
+echo -e "\n${BLUE}📝 For manual deployment, use these commands:${NC}"
+echo "   cd workers/[worker-name]"
+echo "   wrangler secret put VARIABLE_NAME --name [worker-name]"
+echo -e "\n${GREEN}✨ Worker secrets deployment complete!${NC}"

package/scripts/dev.cjs

@@ -0,0 +1,23 @@
+const fs = require('fs');
+const path = require('path');
+const { updateMarkdownVersions } = require('./update-markdown-versions.cjs');
+const { updateCompatibilityDates } = require('./update-compatibility-dates.cjs');
+
+// Read the ASCII art file from the filesystem
+const asciiArtPath = path.join(__dirname, '..', 'public', 'striae-ascii.txt');
+let asciiArt;  
+try {  
+    asciiArt = fs.readFileSync(asciiArtPath, 'utf8');  
+} catch (err) {  
+    console.warn(`Warning: Unable to read ASCII art file at ${asciiArtPath}.\n${err.message}`);  
+    asciiArt = "(ASCII art unavailable)\n";  
+} 
+
+// Pop a lil' logo in the terminal
+console.info(asciiArt);
+
+// Update markdown files with current version
+updateMarkdownVersions();
+
+// Update compatibility dates to current date
+updateCompatibilityDates();

package/scripts/enable-totp-mfa.mjs

@@ -0,0 +1,57 @@
+/**
+ * One-time script to enable TOTP MFA provider via Firebase Admin SDK.
+ * Run with: npm run enable-totp-mfa
+ *
+ * Requires app/config/admin-service.json (gitignored service account key).
+ * Docs: https://firebase.google.com/docs/auth/web/totp-mfa#enable_totp_mfa
+ */
+
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+import { dirname, resolve } from 'path';
+import { initializeApp, cert, getApps } from 'firebase-admin/app';
+import { getAuth } from 'firebase-admin/auth';
+
+const require = createRequire(import.meta.url);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const serviceAccountPath = resolve(__dirname, '../app/config/admin-service.json');
+
+let serviceAccount;
+try {
+  serviceAccount = require(serviceAccountPath);
+} catch {
+  console.error(`\n❌ Could not load service account key from:\n   ${serviceAccountPath}`);
+  console.error('\nMake sure app/config/admin-service.json exists (it is gitignored).');
+  process.exit(1);
+}
+
+if (getApps().length === 0) {
+  initializeApp({ credential: cert(serviceAccount) });
+}
+
+const auth = getAuth();
+
+console.log('\n🔑 Enabling TOTP MFA provider...');
+
+try {
+  await auth.projectConfigManager().updateProjectConfig({
+    multiFactorConfig: {
+      providerConfigs: [
+        {
+          state: 'ENABLED',
+          totpProviderConfig: {
+            adjacentIntervals: 5,
+          },
+        },
+      ],
+    },
+  });
+
+  console.log('✅ TOTP MFA provider enabled successfully.');
+  console.log('   adjacentIntervals: 5 (allows ±2.5 minutes clock skew)');
+} catch (err) {
+  console.error('\n❌ Failed to enable TOTP MFA provider:');
+  console.error(err?.message ?? err);
+  process.exit(1);
+}

package/scripts/install-workers.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+
+# ======================================
+# STRIAE WORKERS NPM INSTALL SCRIPT
+# ======================================
+# This script installs npm dependencies for all Striae workers:
+# 1. audit-worker
+# 2. data-worker
+# 3. image-worker
+# 4. pdf-worker
+# 5. user-worker
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+PURPLE='\033[0;35m'
+NC='\033[0m' # No Color
+
+echo -e "${BLUE}📦 Striae Workers NPM Install Script${NC}"
+echo "========================================"
+echo ""
+
+# Get the script directory and project root
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+WORKERS_DIR="$PROJECT_ROOT/workers"
+
+# Check if workers directory exists
+if [ ! -d "$WORKERS_DIR" ]; then
+    echo -e "${RED}❌ Error: Workers directory not found at $WORKERS_DIR${NC}"
+    exit 1
+fi
+
+# List of workers
+WORKERS=("audit-worker" "data-worker" "image-worker" "pdf-worker" "user-worker")
+
+echo -e "${PURPLE}Installing npm dependencies for all workers...${NC}"
+echo ""
+
+# Counter for progress
+total=${#WORKERS[@]}
+current=0
+
+# Install dependencies for each worker
+for worker in "${WORKERS[@]}"; do
+    current=$((current + 1))
+    worker_path="$WORKERS_DIR/$worker"
+    
+    echo -e "${YELLOW}[$current/$total] Installing dependencies for $worker...${NC}"
+    
+    # Check if worker directory exists
+    if [ ! -d "$worker_path" ]; then
+        echo -e "${RED}❌ Warning: Worker directory not found: $worker_path${NC}"
+        continue
+    fi
+    
+    # Check if package.json exists
+    if [ ! -f "$worker_path/package.json" ]; then
+        echo -e "${RED}❌ Warning: package.json not found in $worker_path${NC}"
+        continue
+    fi
+    
+    # Change to worker directory and install dependencies
+    cd "$worker_path"
+    
+    echo "   Running npm install in $worker_path..."
+    if npm install; then
+        echo -e "${GREEN}✅ Successfully installed dependencies for $worker${NC}"
+    else
+        echo -e "${RED}❌ Failed to install dependencies for $worker${NC}"
+        exit 1
+    fi
+    
+    echo ""
+done
+
+# Return to original directory
+cd "$PROJECT_ROOT"
+
+echo -e "${GREEN}🎉 All worker dependencies installed successfully!${NC}"
+echo ""
+echo -e "${BLUE}Summary:${NC}"
+echo "- Installed dependencies for $total workers"
+echo "- All workers are ready for development/deployment"
+echo ""

package/scripts/run-eslint.cjs

@@ -0,0 +1,43 @@
+const { spawnSync } = require('node:child_process');
+const fs = require('node:fs');
+const path = require('node:path');
+
+const eslintApiPath = require.resolve('eslint');
+const eslintCliPath = path.resolve(path.dirname(eslintApiPath), '..', 'bin', 'eslint.js');
+
+const gitignorePath = path.resolve(process.cwd(), '.gitignore');
+const ignorePatterns = fs.existsSync(gitignorePath)
+  ? fs
+      .readFileSync(gitignorePath, 'utf8')
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter((line) => line && !line.startsWith('#'))
+  : [];
+
+const ignoreArgs = ignorePatterns.flatMap((pattern) => ['--ignore-pattern', pattern]);
+
+const defaultArgs = [
+  ...ignoreArgs,
+  '--cache',
+  '--cache-location',
+  './node_modules/.cache/eslint',
+  '.',
+];
+
+const passthroughArgs = process.argv.slice(2);
+const eslintArgs = passthroughArgs.length > 0 ? passthroughArgs : defaultArgs;
+
+const result = spawnSync(process.execPath, [eslintCliPath, ...eslintArgs], {
+  stdio: 'inherit',
+  env: process.env,
+});
+
+if (typeof result.status === 'number') {
+  process.exit(result.status);
+}
+
+if (result.error) {
+  console.error(result.error);
+}
+
+process.exit(1);

package/scripts/unenroll-totp-mfa.mjs

@@ -0,0 +1,82 @@
+/**
+ * Admin script to unenroll a user's TOTP MFA factor via Firebase Admin SDK.
+ * Run with: npm run unenroll-totp-mfa -- <uid>
+ *
+ * Requires app/config/admin-service.json (gitignored service account key).
+ * Docs: https://firebase.google.com/docs/auth/admin/manage-users#unenroll_a_user_from_mfa
+ */
+
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+import { dirname, resolve } from 'path';
+import { initializeApp, cert, getApps } from 'firebase-admin/app';
+import { getAuth } from 'firebase-admin/auth';
+
+const require = createRequire(import.meta.url);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const uid = process.argv[2];
+
+if (!uid) {
+  console.error('\n❌ No UID provided.');
+  console.error('\nUsage: npm run unenroll-totp-mfa -- <uid>');
+  process.exit(1);
+}
+
+const serviceAccountPath = resolve(__dirname, '../app/config/admin-service.json');
+
+let serviceAccount;
+try {
+  serviceAccount = require(serviceAccountPath);
+} catch {
+  console.error(`\n❌ Could not load service account key from:\n   ${serviceAccountPath}`);
+  console.error('\nMake sure app/config/admin-service.json exists (it is gitignored).');
+  process.exit(1);
+}
+
+if (getApps().length === 0) {
+  initializeApp({ credential: cert(serviceAccount) });
+}
+
+const auth = getAuth();
+
+console.log(`\n🔍 Fetching MFA factors for UID: ${uid}...`);
+
+let userRecord;
+try {
+  userRecord = await auth.getUser(uid);
+} catch (err) {
+  console.error(`\n❌ Could not fetch user record for UID: ${uid}`);
+  console.error(err?.message ?? err);
+  process.exit(1);
+}
+
+const enrolledFactors = userRecord.multiFactor?.enrolledFactors ?? [];
+const totpFactors = enrolledFactors.filter((f) => f.factorId === 'totp');
+const remainingFactors = enrolledFactors.filter((f) => f.factorId !== 'totp');
+
+if (totpFactors.length === 0) {
+  console.log(`\nℹ️  No TOTP MFA factors found for UID: ${uid}`);
+  console.log('   Nothing to unenroll.');
+  process.exit(0);
+}
+
+console.log(`\n   Found ${totpFactors.length} TOTP factor(s):`);
+for (const factor of totpFactors) {
+  console.log(`   - ${factor.uid}  (displayName: ${factor.displayName ?? 'n/a'}, enrolled: ${factor.enrollmentTime})`);
+}
+
+try {
+  await auth.updateUser(uid, {
+    multiFactor: {
+      enrolledFactors: remainingFactors,
+    },
+  });
+
+  console.log(`\n✅ Successfully unenrolled ${totpFactors.length} TOTP factor(s) for UID: ${uid}`);
+  console.log('   The user will need to re-enroll TOTP on their next login.');
+} catch (err) {
+  console.error(`\n❌ Failed to unenroll TOTP factor(s) for UID: ${uid}`);
+  console.error(err?.message ?? err);
+  process.exit(1);
+}