@striae-org/striae 5.4.0 → 5.4.2

package/app/components/actions/case-import/confirmation-import.ts

@@ -185,6 +185,17 @@ export async function importConfirmationData(
       throw new Error('You cannot import confirmation data that you exported yourself.');
     }
 
+    // Validate that this confirmation package was intended for the current user.
+    // originalCaseOwnerUid is embedded at export time and covered by the package signature.
+    if (
+      confirmationData.metadata.originalCaseOwnerUid &&
+      confirmationData.metadata.originalCaseOwnerUid !== user.uid
+    ) {
+      throw new Error(
+        'This confirmation package was not exported for your case. It can only be imported by the original case owner.'
+      );
+    }
+
     onProgress?.('Validating case', 50, 'Checking case exists...');
 
     // Check if case exists in user's regular cases

package/app/components/actions/case-import/orchestrator.ts

@@ -512,6 +512,7 @@ export async function importCaseForReview(
       importedAt: new Date().toISOString(),
       originalExportDate: caseData.metadata.exportDate,
       originalExportedBy: caseData.metadata.exportedBy || 'Unknown',
+      originalExportedByUid: caseData.metadata.exportedByUid,
       sourceHash: parsedForensicManifest?.manifestHash,
       sourceManifestVersion: parsedForensicManifest?.manifestVersion,
       sourceSignatureKeyId: parsedForensicManifest?.signature?.keyId,

package/app/components/actions/case-import/storage-operations.ts

@@ -118,6 +118,8 @@ export async function storeCaseDataInR2(
       ...(bundledAuditTrail && { bundledAuditTrail }),
       // Add original image ID mapping for confirmation linking
       originalImageIds: originalImageIds,
+      // Store original case owner UID so confirmation exports can embed the intended recipient
+      ...(caseData.metadata.exportedByUid && { originalCaseOwnerUid: caseData.metadata.exportedByUid }),
       // Add forensic manifest timestamp if available for confirmation exports
       ...(forensicManifest?.createdAt && { forensicManifestCreatedAt: forensicManifest.createdAt }),
       // Store full forensic manifest metadata for chain-of-custody validation

package/app/components/actions/confirm-export.ts

@@ -153,7 +153,7 @@ export async function getCaseConfirmations(
 export async function getCaseDataWithManifest(
   user: User,
   caseNumber: string
-): Promise<{ confirmations: CaseConfirmations | null; forensicManifestCreatedAt?: string }> {
+): Promise<{ confirmations: CaseConfirmations | null; forensicManifestCreatedAt?: string; originalCaseOwnerUid?: string }> {
   try {
     const caseData = await getCaseData(user, caseNumber) as CaseDataWithConfirmations & { forensicManifestCreatedAt?: string };
     if (!caseData) {
@@ -163,7 +163,8 @@ export async function getCaseDataWithManifest(
     
     return {
       confirmations: caseData.confirmations || null,
-      forensicManifestCreatedAt: caseData.forensicManifestCreatedAt
+      forensicManifestCreatedAt: caseData.forensicManifestCreatedAt,
+      originalCaseOwnerUid: caseData.originalCaseOwnerUid
     };
 
   } catch (error) {
@@ -206,7 +207,7 @@ export async function exportConfirmationData(
     auditService.startWorkflow(caseNumber);
     
     // Get all confirmation data and forensic manifest info for the case
-    const { confirmations: caseConfirmations, forensicManifestCreatedAt } = await getCaseDataWithManifest(user, caseNumber);
+    const { confirmations: caseConfirmations, forensicManifestCreatedAt, originalCaseOwnerUid } = await getCaseDataWithManifest(user, caseNumber);
     
     if (!caseConfirmations || Object.keys(caseConfirmations).length === 0) {
       throw new Error('No confirmation data found for this case');
@@ -256,7 +257,8 @@ export async function exportConfirmationData(
         ...userMetadata,
         totalConfirmations: Object.keys(caseConfirmations).length,
         version: '2.0',
-        ...(originalExportCreatedAt && { originalExportCreatedAt })
+        ...(originalExportCreatedAt && { originalExportCreatedAt }),
+        ...(originalCaseOwnerUid && { originalCaseOwnerUid })
       },
       confirmations: caseConfirmations
     };

package/app/components/auth/mfa-verification.tsx

@@ -316,6 +316,13 @@ export const MFAVerification = ({ resolver, onSuccess, onError, onCancel }: MFAV
             <p className={styles.description}>
               Enter the 6-digit code from your authenticator app.
             </p>
+            <p className={styles.note}>
+              Lost access to your authenticator app?{' '}
+              <a href="https://striae.org/support" target="_blank" rel="noopener noreferrer">
+                Contact support
+              </a>{' '}
+              to recover your account.
+            </p>
             <input
               type="text"
               inputMode="numeric"

package/app/components/canvas/confirmation/confirmation.tsx

@@ -72,11 +72,6 @@ export const ConfirmationModal = ({ isOpen, onClose, onConfirm, company, default
   if (!isOpen) return null;
 
   const handleConfirm = async () => {
-    if (!badgeId.trim()) {
-      setError('Badge/ID is required');
-      return;
-    }
-
     setIsConfirming(true);
     setError('');
 
@@ -134,19 +129,10 @@ export const ConfirmationModal = ({ isOpen, onClose, onConfirm, company, default
             </div>
 
             <div className={styles.field}>
-              <label className={styles.label} htmlFor="badgeId">Badge/ID: *</label>
-              <input
-                id="badgeId"
-                type="text"
-                className={styles.input}
-                value={badgeId}
-                onChange={(e) => {
-                  setBadgeId(e.target.value);
-                  if (error) setError('');
-                }}
-                placeholder="Enter your badge or ID number"
-                disabled={isConfirming || hasExistingConfirmation}
-              />
+              <span className={styles.label}>Badge/ID:</span>
+              <div className={styles.readOnlyValue}>
+                {badgeId || 'Not set'}
+              </div>
             </div>
 
             <div className={styles.field}>

package/app/types/case.ts

@@ -115,6 +115,7 @@ export interface CaseDataWithConfirmations {
   archiveReason?: string;
   importedAt?: string;
   originalImageIds?: { [originalId: string]: string };
+  originalCaseOwnerUid?: string;
   confirmations?: CaseConfirmations;
   bundledAuditTrail?: BundledAuditTrailData;
 }

package/app/types/import.ts

@@ -21,6 +21,7 @@ export interface ReadOnlyCaseMetadata {
   importedAt: string;
   originalExportDate: string;
   originalExportedBy: string;
+  originalExportedByUid?: string;
   sourceHash?: string;
   sourceManifestVersion?: string;
   sourceSignatureKeyId?: string;
@@ -63,6 +64,7 @@ export interface ConfirmationImportData {
       value: string;
     };
     originalExportCreatedAt?: string;
+    originalCaseOwnerUid?: string;
   };
   confirmations: {
     [originalImageId: string]: Array<{

package/app/utils/forensics/confirmation-signature.ts

@@ -71,6 +71,13 @@ function isValidConfirmationData(candidate: Partial<ConfirmationImportData>): ca
     return false;
   }
 
+  if (
+    typeof metadata.originalCaseOwnerUid !== 'undefined' &&
+    (typeof metadata.originalCaseOwnerUid !== 'string' || metadata.originalCaseOwnerUid.trim().length === 0)
+  ) {
+    return false;
+  }
+
   const confirmations = candidate.confirmations as Record<string, unknown>;
   for (const [imageId, confirmationList] of Object.entries(confirmations)) {
     if (!imageId || !Array.isArray(confirmationList)) {
@@ -146,6 +153,9 @@ export function createConfirmationSigningPayload(
       hash: confirmationData.metadata.hash.toUpperCase(),
       ...(confirmationData.metadata.originalExportCreatedAt
         ? { originalExportCreatedAt: confirmationData.metadata.originalExportCreatedAt }
+        : {}),
+      ...(confirmationData.metadata.originalCaseOwnerUid
+        ? { originalCaseOwnerUid: confirmationData.metadata.originalCaseOwnerUid }
         : {})
     },
     confirmations: normalizeConfirmations(confirmationData.confirmations)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "5.4.0",
+  "version": "5.4.2",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -40,23 +40,22 @@
     "scripts/",
     "functions/",
     "public/",
-    "workers/*/package.json",
-    "workers/*/src/**/*.example.ts",
-    "workers/*/src/**/*.ts",
-    "workers/pdf-worker/scripts/*.js",
+    "workers/",
+    "!workers/*/.wrangler",
+    "!workers/*/package-lock.json",
+    "!workers/*/worker-configuration.d.ts",
+    "!workers/*/wrangler.jsonc",
     "!workers/*/src/**/*worker.ts",
     "!workers/pdf-worker/src/assets/**/*",
     "workers/pdf-worker/src/assets/generated-assets.example.ts",
     "!workers/pdf-worker/src/formats/**/*",
     "workers/pdf-worker/src/formats/format-striae.ts",
-    "workers/pdf-worker/src/report-types.ts",
-    "workers/*/wrangler.jsonc.example",
     ".env.example",
     "primershear.emails.example",
     "firebase.json",
     "tsconfig.json",
     "vite.config.ts",
-    "worker-configuration.d.ts",
+    "/worker-configuration.d.ts",
     "wrangler.toml.example",
     "LICENSE"
   ],
@@ -83,6 +82,7 @@
     "preview": "npm run build && wrangler pages dev",
     "cf-typegen": "wrangler types",
     "enable-totp-mfa": "node ./scripts/enable-totp-mfa.mjs",
+    "unenroll-totp-mfa": "node ./scripts/unenroll-totp-mfa.mjs",
     "update-versions": "node ./scripts/update-markdown-versions.cjs",
     "update-compatibility-dates": "node ./scripts/update-compatibility-dates.cjs",
     "deploy-config": "bash ./scripts/deploy-config.sh",

package/scripts/unenroll-totp-mfa.mjs

@@ -0,0 +1,82 @@
+/**
+ * Admin script to unenroll a user's TOTP MFA factor via Firebase Admin SDK.
+ * Run with: npm run unenroll-totp-mfa -- <uid>
+ *
+ * Requires app/config/admin-service.json (gitignored service account key).
+ * Docs: https://firebase.google.com/docs/auth/admin/manage-users#unenroll_a_user_from_mfa
+ */
+
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+import { dirname, resolve } from 'path';
+import { initializeApp, cert, getApps } from 'firebase-admin/app';
+import { getAuth } from 'firebase-admin/auth';
+
+const require = createRequire(import.meta.url);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const uid = process.argv[2];
+
+if (!uid) {
+  console.error('\n❌ No UID provided.');
+  console.error('\nUsage: npm run unenroll-totp-mfa -- <uid>');
+  process.exit(1);
+}
+
+const serviceAccountPath = resolve(__dirname, '../app/config/admin-service.json');
+
+let serviceAccount;
+try {
+  serviceAccount = require(serviceAccountPath);
+} catch {
+  console.error(`\n❌ Could not load service account key from:\n   ${serviceAccountPath}`);
+  console.error('\nMake sure app/config/admin-service.json exists (it is gitignored).');
+  process.exit(1);
+}
+
+if (getApps().length === 0) {
+  initializeApp({ credential: cert(serviceAccount) });
+}
+
+const auth = getAuth();
+
+console.log(`\n🔍 Fetching MFA factors for UID: ${uid}...`);
+
+let userRecord;
+try {
+  userRecord = await auth.getUser(uid);
+} catch (err) {
+  console.error(`\n❌ Could not fetch user record for UID: ${uid}`);
+  console.error(err?.message ?? err);
+  process.exit(1);
+}
+
+const enrolledFactors = userRecord.multiFactor?.enrolledFactors ?? [];
+const totpFactors = enrolledFactors.filter((f) => f.factorId === 'totp');
+const remainingFactors = enrolledFactors.filter((f) => f.factorId !== 'totp');
+
+if (totpFactors.length === 0) {
+  console.log(`\nℹ️  No TOTP MFA factors found for UID: ${uid}`);
+  console.log('   Nothing to unenroll.');
+  process.exit(0);
+}
+
+console.log(`\n   Found ${totpFactors.length} TOTP factor(s):`);
+for (const factor of totpFactors) {
+  console.log(`   - ${factor.uid}  (displayName: ${factor.displayName ?? 'n/a'}, enrolled: ${factor.enrollmentTime})`);
+}
+
+try {
+  await auth.updateUser(uid, {
+    multiFactor: {
+      enrolledFactors: remainingFactors,
+    },
+  });
+
+  console.log(`\n✅ Successfully unenrolled ${totpFactors.length} TOTP factor(s) for UID: ${uid}`);
+  console.log('   The user will need to re-enroll TOTP on their next login.');
+} catch (err) {
+  console.error(`\n❌ Failed to unenroll TOTP factor(s) for UID: ${uid}`);
+  console.error(err?.message ?? err);
+  process.exit(1);
+}

package/worker-configuration.d.ts

@@ -1,6 +1,6 @@
 /* eslint-disable */
-// Generated by Wrangler by running `wrangler types` (hash: d8f8f87d89a635e81e94aa31fb52008f)
-// Runtime types generated with workerd@1.20250823.0 2026-03-26 nodejs_compat
+// Generated by Wrangler by running `wrangler types` (hash: df3e4db815fe1724ed2abbb4f6b2065f)
+// Runtime types generated with workerd@1.20250823.0 2026-03-31 nodejs_compat
 declare namespace Cloudflare {
 	interface Env {
 		ACCOUNT_ID: string;
@@ -52,6 +52,7 @@ declare namespace Cloudflare {
 		IMAGES_WORKER_DOMAIN: string;
 		IMAGE_SIGNED_URL_SECRET: string;
 		IMAGE_SIGNED_URL_TTL_SECONDS: string;
+		IMAGE_SIGNED_URL_BASE_URL: string;
 		PDF_WORKER_NAME: string;
 		PDF_WORKER_DOMAIN: string;
 		PDF_WORKER_AUTH: string;
@@ -64,7 +65,7 @@ type StringifyValues<EnvType extends Record<string, unknown>> = {
 	[Binding in keyof EnvType]: EnvType[Binding] extends string ? EnvType[Binding] : string;
 };
 declare namespace NodeJS {
-	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "USER_KV_ENCRYPTION_PRIVATE_KEY" | "USER_KV_ENCRYPTION_KEY_ID" | "USER_KV_ENCRYPTION_PUBLIC_KEY" | "USER_KV_WRITE_ENDPOINTS_ENABLED" | "USER_KV_ENCRYPTION_KEYS_JSON" | "USER_KV_ENCRYPTION_ACTIVE_KEY_ID" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "EXPORT_ENCRYPTION_PRIVATE_KEY" | "EXPORT_ENCRYPTION_KEY_ID" | "EXPORT_ENCRYPTION_PUBLIC_KEY" | "EXPORT_ENCRYPTION_KEYS_JSON" | "EXPORT_ENCRYPTION_ACTIVE_KEY_ID" | "DATA_AT_REST_ENCRYPTION_ENABLED" | "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" | "DATA_AT_REST_ENCRYPTION_KEY_ID" | "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" | "DATA_AT_REST_ENCRYPTION_KEYS_JSON" | "DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "FILES_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "IMAGE_SIGNED_URL_SECRET" | "IMAGE_SIGNED_URL_TTL_SECONDS" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS">> {}
+	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "USER_KV_ENCRYPTION_PRIVATE_KEY" | "USER_KV_ENCRYPTION_KEY_ID" | "USER_KV_ENCRYPTION_PUBLIC_KEY" | "USER_KV_WRITE_ENDPOINTS_ENABLED" | "USER_KV_ENCRYPTION_KEYS_JSON" | "USER_KV_ENCRYPTION_ACTIVE_KEY_ID" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "EXPORT_ENCRYPTION_PRIVATE_KEY" | "EXPORT_ENCRYPTION_KEY_ID" | "EXPORT_ENCRYPTION_PUBLIC_KEY" | "EXPORT_ENCRYPTION_KEYS_JSON" | "EXPORT_ENCRYPTION_ACTIVE_KEY_ID" | "DATA_AT_REST_ENCRYPTION_ENABLED" | "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" | "DATA_AT_REST_ENCRYPTION_KEY_ID" | "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" | "DATA_AT_REST_ENCRYPTION_KEYS_JSON" | "DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "FILES_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "IMAGE_SIGNED_URL_SECRET" | "IMAGE_SIGNED_URL_TTL_SECONDS" | "IMAGE_SIGNED_URL_BASE_URL" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS">> {}
 }
 
 // Begin runtime types

package/workers/audit-worker/.editorconfig

@@ -0,0 +1,12 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.yml]
+indent_style = space

package/workers/audit-worker/.prettierrc

@@ -0,0 +1,6 @@
+{
+	"printWidth": 140,
+	"singleQuote": true,
+	"semi": true,
+	"useTabs": true
+}

package/workers/data-worker/.editorconfig

@@ -0,0 +1,12 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.yml]
+indent_style = space

package/workers/data-worker/.prettierrc

@@ -0,0 +1,6 @@
+{
+	"printWidth": 140,
+	"singleQuote": true,
+	"semi": true,
+	"useTabs": true
+}

package/workers/data-worker/src/signing-payload-utils.ts

@@ -18,6 +18,7 @@ export interface ConfirmationSignatureMetadata {
   version: string;
   hash: string;
   originalExportCreatedAt?: string;
+  originalCaseOwnerUid?: string;
 }
 
 export interface ConfirmationRecord {
@@ -153,6 +154,13 @@ export function isValidConfirmationPayload(
     return false;
   }
 
+  if (
+    typeof metadata.originalCaseOwnerUid !== 'undefined' &&
+    (typeof metadata.originalCaseOwnerUid !== 'string' || metadata.originalCaseOwnerUid.trim().length === 0)
+  ) {
+    return false;
+  }
+
   for (const [imageId, confirmationList] of Object.entries(candidate.confirmations)) {
     if (!imageId || !Array.isArray(confirmationList)) {
       return false;
@@ -271,6 +279,9 @@ export function createConfirmationSigningPayload(confirmationData: ConfirmationS
       hash: confirmationData.metadata.hash.toUpperCase(),
       ...(confirmationData.metadata.originalExportCreatedAt
         ? { originalExportCreatedAt: confirmationData.metadata.originalExportCreatedAt }
+        : {}),
+      ...(confirmationData.metadata.originalCaseOwnerUid
+        ? { originalCaseOwnerUid: confirmationData.metadata.originalCaseOwnerUid }
         : {})
     },
     confirmations: normalizeConfirmations(confirmationData.confirmations)

package/workers/image-worker/.editorconfig

@@ -0,0 +1,12 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.yml]
+indent_style = space

package/workers/image-worker/.prettierrc

@@ -0,0 +1,6 @@
+{
+	"printWidth": 140,
+	"singleQuote": true,
+	"semi": true,
+	"useTabs": true
+}

package/workers/pdf-worker/.editorconfig

@@ -0,0 +1,12 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.yml]
+indent_style = space

package/workers/pdf-worker/.prettierrc

@@ -0,0 +1,6 @@
+{
+	"printWidth": 140,
+	"singleQuote": true,
+	"semi": true,
+	"useTabs": true
+}

package/workers/user-worker/.editorconfig

@@ -0,0 +1,12 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.yml]
+indent_style = space

package/workers/user-worker/.prettierrc

@@ -0,0 +1,6 @@
+{
+	"printWidth": 140,
+	"singleQuote": true,
+	"semi": true,
+	"useTabs": true
+}