@striae-org/striae 5.5.1 → 5.5.2

package/.env.example

@@ -141,4 +141,12 @@ BROWSER_API_TOKEN=your_cloudflare_browser_rendering_api_token_here
 # Comma-separated list of email addresses that will receive the primershear PDF format.
 # Leave empty to disable the feature. Never commit this value to source control.
 # Example: PRIMERSHEAR_EMAILS=analyst@org.com,user2@org.com
-PRIMERSHEAR_EMAILS=
+PRIMERSHEAR_EMAILS=
+
+# ================================
+# REGISTRATION EMAIL ALLOWLIST CONFIGURATION
+# ================================
+# Comma-separated list of email addresses that may register an account.
+# Leave empty to disable the feature. Never commit this value to source control.
+# Example: REGISTRATION_EMAILS=analyst@org.com,user2@org.com
+REGISTRATION_EMAILS=

package/app/routes/auth/login.example.tsx

@@ -94,14 +94,26 @@ export const Login = () => {
     setIsClient(true);
   }, []);
 
-  // Email validation with regex
-  const validateRegistrationEmail = (email: string): { valid: boolean } => {
+  // Email validation with regex and registration gateway allowlist check
+  const validateRegistrationEmail = async (email: string): Promise<{ valid: boolean; message?: string }> => {
     const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
-    
+
     if (!emailRegex.test(email)) {
       return { valid: false };
     }
 
+    try {
+      const response = await fetch(`/api/auth/can-register?email=${encodeURIComponent(email)}`);
+      if (response.status === 403) {
+        return {
+          valid: false,
+          message: 'Registration is limited to Striae membership. You may join at https://join.striae.org.'
+        };
+      }
+    } catch {
+      // Fail open on network error — server-side PUT guard provides defense-in-depth
+    }
+
     return { valid: true };
   };
 
@@ -282,9 +294,9 @@ export const Login = () => {
 
   try {
     if (!isLogin) {
-      const emailValidation = validateRegistrationEmail(email);
+      const emailValidation = await validateRegistrationEmail(email);
       if (!emailValidation.valid) {
-        setError('Please enter a valid email address');
+        setError(emailValidation.message ?? 'Please enter a valid email address');
         setIsLoading(false);
         return;
       }

package/functions/api/_shared/registration-allowlist.ts

@@ -0,0 +1,38 @@
+/**
+ * Checks whether the given email is permitted to register based on the
+ * REGISTRATION_EMAILS secret (a comma-separated list of allowed entries).
+ *
+ * Each entry may be:
+ *   - An exact email address:  user@example.com
+ *   - A domain wildcard:       @example.com  (matches any email from that domain)
+ *
+ * If registrationEmails is empty or unset, all registrations are allowed
+ * (backward-compatible — deploys without a members.emails file are unrestricted).
+ */
+export function isEmailAllowed(email: string, registrationEmails: string): boolean {
+  if (!registrationEmails || registrationEmails.trim().length === 0) {
+    return true;
+  }
+
+  const normalizedEmail = email.toLowerCase().trim();
+  const entries = registrationEmails
+    .split(',')
+    .map(e => e.trim().toLowerCase())
+    .filter(Boolean);
+
+  for (const entry of entries) {
+    if (entry.startsWith('@')) {
+      // Domain wildcard: @example.com matches user@example.com
+      if (normalizedEmail.endsWith(entry)) {
+        return true;
+      }
+    } else {
+      // Exact email match
+      if (normalizedEmail === entry) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}

package/functions/api/auth/can-register.ts

@@ -0,0 +1,59 @@
+import { isEmailAllowed } from '../_shared/registration-allowlist';
+
+interface CanRegisterContext {
+  request: Request;
+  env: Env;
+}
+
+const SUPPORTED_METHODS = new Set(['GET', 'OPTIONS']);
+
+function jsonResponse(payload: Record<string, unknown>, status: number = 200): Response {
+  return new Response(JSON.stringify(payload), {
+    status,
+    headers: {
+      'Cache-Control': 'no-store',
+      'Content-Type': 'application/json; charset=utf-8'
+    }
+  });
+}
+
+function textResponse(message: string, status: number): Response {
+  return new Response(message, {
+    status,
+    headers: {
+      'Cache-Control': 'no-store',
+      'Content-Type': 'text/plain; charset=utf-8'
+    }
+  });
+}
+
+export const onRequest = async ({ request, env }: CanRegisterContext): Promise<Response> => {
+  if (!SUPPORTED_METHODS.has(request.method)) {
+    return textResponse('Method not allowed', 405);
+  }
+
+  if (request.method === 'OPTIONS') {
+    return new Response(null, {
+      status: 204,
+      headers: {
+        'Allow': 'GET, OPTIONS',
+        'Cache-Control': 'no-store'
+      }
+    });
+  }
+
+  const url = new URL(request.url);
+  const email = url.searchParams.get('email');
+
+  if (!email || email.trim().length === 0) {
+    return textResponse('Missing required parameter: email', 400);
+  }
+
+  const registrationEmails = env.REGISTRATION_EMAILS ?? '';
+
+  if (isEmailAllowed(email, registrationEmails)) {
+    return jsonResponse({ allowed: true });
+  }
+
+  return jsonResponse({ allowed: false }, 403);
+};

package/functions/api/user/[[path]].ts

@@ -1,4 +1,5 @@
 import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
+import { isEmailAllowed } from '../_shared/registration-allowlist';
 
 interface UserProxyContext {
   request: Request;
@@ -155,6 +156,39 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
   if (requestedUserId !== identity.uid) {
     return textResponse('Forbidden', 403);
   }
+
+  // Registration gateway: for PUT requests, check if this is a new user creation.
+  // If REGISTRATION_EMAILS is set and the user record does not yet exist, enforce the allowlist.
+  // This is defense-in-depth — the primary check runs client-side in the login flow.
+  if (request.method === 'PUT' && env.REGISTRATION_EMAILS && env.REGISTRATION_EMAILS.trim().length > 0) {
+    try {
+      const existenceCheckUrl = `${userWorkerBaseUrl}/${encodeURIComponent(requestedUserId)}`;
+      const existenceResponse = await fetch(existenceCheckUrl, {
+        method: 'GET',
+        headers: {
+          'Accept': 'application/json',
+          'X-Custom-Auth-Key': env.USER_DB_AUTH
+        }
+      });
+
+      if (existenceResponse.status === 404) {
+        // User does not exist yet — this is a registration PUT.
+        // Enforce the email allowlist.
+        if (!isEmailAllowed(identity.email ?? '', env.REGISTRATION_EMAILS)) {
+          return textResponse('Registration is not permitted for this email address', 403);
+        }
+      } else if (!existenceResponse.ok) {
+        // Existence check failed (non-404, non-2xx response).
+        // Fail closed: reject the registration to prevent allowlist bypass during errors.
+        return textResponse('Unable to verify registration eligibility', 502);
+      }
+      // If user already exists (200), proceed normally.
+    } catch {
+      // Fail closed: on network error with allowlist active, reject the request.
+      return textResponse('Unable to verify registration eligibility', 502);
+    }
+  }
+
   const upstreamUrl = `${userWorkerBaseUrl}${proxyPath}${requestUrl.search}`;
 
   const upstreamHeaders = new Headers();

package/members.emails.example

@@ -0,0 +1,11 @@
+# Registration gateway - authorized email addresses
+# One entry per line. Lines starting with # are ignored.
+# This file is untracked. Run: npm run deploy-members to push changes.
+#
+# Supported formats:
+#   Exact email:   analyst@organization.com
+#   Domain wildcard: @organization.com  (allows all emails from that domain)
+#
+# Examples:
+# analyst@organization.com
+# @striae.org

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "5.5.1",
+  "version": "5.5.2",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -52,11 +52,12 @@
     "workers/pdf-worker/src/formats/format-striae.ts",
     ".env.example",
     "primershear.emails.example",
+    "members.emails.example",
     "firebase.json",
     "tsconfig.json",
     "vite.config.ts",
     "/worker-configuration.d.ts",
-    "wrangler.toml.example",
+    "wrangler.toml.example",    
     "LICENSE"
   ],
   "sideEffects": false,
@@ -90,9 +91,10 @@
     "install-workers": "bash ./scripts/install-workers.sh",
     "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:pdf && npm run deploy-workers:user",
     "deploy-workers:secrets": "bash ./scripts/deploy-worker-secrets.sh",
-    "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh --production-only",
+    "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh",
     "deploy-pages": "bash ./scripts/deploy-pages.sh",
-    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh --production-only",
+    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh",
+    "deploy-members": "bash ./scripts/deploy-members-emails.sh",
     "deploy-workers:audit": "cd workers/audit-worker && npm run deploy",
     "deploy-workers:data": "cd workers/data-worker && npm run deploy",
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",
@@ -101,7 +103,7 @@
   },
   "dependencies": {
     "@react-router/cloudflare": "^7.14.0",
-    "firebase": "^12.11.0",
+    "firebase": "^12.12.0",
     "isbot": "^5.1.37",
     "jszip": "^3.10.1",
     "qrcode": "^1.5.4",
@@ -123,7 +125,7 @@
     "eslint-plugin-jsx-a11y": "^6.10.2",
     "eslint-plugin-react": "^7.37.5",
     "eslint-plugin-react-hooks": "^7.0.1",
-    "firebase-admin": "^13.7.0",
+    "firebase-admin": "^13.8.0",
     "modern-normalize": "^3.0.1",
     "typescript": "^5.9.3",
     "vite": "^7.3.2",
@@ -131,9 +133,7 @@
     "wrangler": "^4.81.1"
   },
   "overrides": {
-    "@tootallnate/once": "3.0.1",
-    "tar": "7.5.11",
-    "undici": "7.24.1"
+    "@tootallnate/once": "3.0.1"
   },
   "engines": {
     "node": ">=20.19.0"

package/scripts/deploy-all.sh

@@ -127,8 +127,8 @@ echo ""
 # Step 5: Deploy Pages Secrets
 echo -e "${PURPLE}Step 5/6: Deploying Pages Secrets${NC}"
 echo "----------------------------------"
-echo -e "${YELLOW}🔐 Deploying Pages environment variables to production only...${NC}"
-if ! bash "$SCRIPT_DIR/deploy-pages-secrets.sh" --production-only; then
+echo -e "${YELLOW}🔐 Deploying Pages environment variables...${NC}"
+if ! bash "$SCRIPT_DIR/deploy-pages-secrets.sh"; then
     echo -e "${RED}❌ Pages secrets deployment failed!${NC}"
     exit 1
 fi

package/scripts/deploy-members-emails.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# ============================================
+# MEMBERS EMAIL LIST DEPLOYMENT SCRIPT
+# ============================================
+# Reads members.emails, updates REGISTRATION_EMAILS in .env,
+# then deploys that secret directly to Cloudflare Pages (production).
+
+set -e
+set -o pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}👥 Members Email List Deployment${NC}"
+echo "=================================="
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+cd "$PROJECT_ROOT"
+
+trap 'echo -e "\n${RED}❌ deploy-members-emails.sh failed near line ${LINENO}${NC}"' ERR
+
+# ── Read emails file ──────────────────────────────────────────────────────────
+
+EMAILS_FILE="$PROJECT_ROOT/members.emails"
+
+if [ ! -f "$EMAILS_FILE" ]; then
+    echo -e "${RED}❌ members.emails not found at: $EMAILS_FILE${NC}"
+    echo -e "${YELLOW}   Create it with one email address or @domain.com wildcard per line.${NC}"
+    echo -e "${YELLOW}   See members.emails.example for the format.${NC}"
+    exit 1
+fi
+
+# Strip comment lines and blank lines, then join with commas
+# Use || true to avoid failure if paste gets no input (handles empty file gracefully)
+REGISTRATION_EMAILS=$(grep -v '^[[:space:]]*#' "$EMAILS_FILE" | grep -v '^[[:space:]]*$' | paste -sd ',' - || true)
+
+if [ -z "$REGISTRATION_EMAILS" ]; then
+    echo -e "${YELLOW}⚠️  members.emails contains no active entries.${NC}"
+    echo -e "${YELLOW}   The secret will be set to an empty string, disabling the gateway (open registration).${NC}"
+fi
+
+ENTRY_COUNT=$(echo "$REGISTRATION_EMAILS" | tr ',' '\n' | grep -c '[^[:space:]]' || true)
+echo -e "${GREEN}✅ Loaded $ENTRY_COUNT entry(ies) from members.emails${NC}"
+
+# ── Update .env ───────────────────────────────────────────────────────────────
+
+ENV_FILE="$PROJECT_ROOT/.env"
+
+if [ ! -f "$ENV_FILE" ]; then
+    echo -e "${RED}❌ .env not found. Run deploy-config first.${NC}"
+    exit 1
+fi
+
+# Replace the REGISTRATION_EMAILS= line in .env (handles both empty and populated values)
+if grep -q '^REGISTRATION_EMAILS=' "$ENV_FILE"; then
+    # Use a temp file to avoid sed -i portability issues across macOS/Linux
+    local_tmp=$(mktemp)
+    sed "s|^REGISTRATION_EMAILS=.*|REGISTRATION_EMAILS=${REGISTRATION_EMAILS}|" "$ENV_FILE" > "$local_tmp"
+    mv "$local_tmp" "$ENV_FILE"
+    echo -e "${GREEN}✅ Updated REGISTRATION_EMAILS in .env${NC}"
+else
+    echo "" >> "$ENV_FILE"
+    echo "REGISTRATION_EMAILS=${REGISTRATION_EMAILS}" >> "$ENV_FILE"
+    echo -e "${GREEN}✅ Appended REGISTRATION_EMAILS to .env${NC}"
+fi
+
+# ── Deploy to Cloudflare Pages ────────────────────────────────────────────────
+
+if ! command -v wrangler > /dev/null 2>&1; then
+    echo -e "${RED}❌ wrangler is not installed or not in PATH${NC}"
+    exit 1
+fi
+
+source "$ENV_FILE"
+
+PAGES_PROJECT_NAME=$(echo "$PAGES_PROJECT_NAME" | tr -d '\r')
+if [ -z "$PAGES_PROJECT_NAME" ]; then
+    echo -e "${RED}❌ PAGES_PROJECT_NAME is missing from .env${NC}"
+    exit 1
+fi
+
+echo -e "${YELLOW}  Setting REGISTRATION_EMAILS for production...${NC}"
+printf '%s' "$REGISTRATION_EMAILS" | wrangler pages secret put REGISTRATION_EMAILS \
+    --project-name "$PAGES_PROJECT_NAME"
+
+echo -e "${GREEN}✅ REGISTRATION_EMAILS deployed to production${NC}"
+
+# Deploy Pages so the new secret takes effect immediately
+echo -e "\n${YELLOW}🚀 Building and deploying Pages to activate new secret...${NC}"
+
+if ! npm run deploy-pages; then
+    echo -e "${RED}❌ Pages deployment failed${NC}"
+    exit 1
+fi
+echo -e "${GREEN}✅ Pages deployment complete${NC}"
+
+echo -e "\n${GREEN}🎉 Members email list deployment complete!${NC}"

package/scripts/deploy-pages-secrets.sh

@@ -24,46 +24,6 @@ cd "$PROJECT_ROOT"
 
 trap 'echo -e "\n${RED}❌ deploy-pages-secrets.sh failed near line ${LINENO}${NC}"' ERR
 
-show_help=false
-deploy_production=true
-deploy_preview=true
-
-for arg in "$@"; do
-    case "$arg" in
-        -h|--help)
-            show_help=true
-            ;;
-        --production-only)
-            deploy_production=true
-            deploy_preview=false
-            ;;
-        --preview-only)
-            deploy_production=false
-            deploy_preview=true
-            ;;
-        *)
-            echo -e "${RED}❌ Unknown option: $arg${NC}"
-            echo "Use --help to see supported options."
-            exit 1
-            ;;
-    esac
-done
-
-if [ "$show_help" = "true" ]; then
-    echo "Usage: bash ./scripts/deploy-pages-secrets.sh [--production-only|--preview-only]"
-    echo ""
-    echo "Options:"
-    echo "  --production-only  Deploy secrets only to the production Pages environment"
-    echo "  --preview-only     Deploy secrets only to the preview Pages environment"
-    echo "  -h, --help         Show this help message"
-    exit 0
-fi
-
-if [ "$deploy_production" != "true" ] && [ "$deploy_preview" != "true" ]; then
-    echo -e "${RED}❌ No target environment selected${NC}"
-    exit 1
-fi
-
 require_command() {
     local cmd=$1
     if ! command -v "$cmd" > /dev/null 2>&1; then
@@ -145,40 +105,29 @@ get_optional_value() {
     printf '%s' "$value"
 }
 
-set_pages_secret() {
-    local secret_name=$1
-    local secret_value=$2
-    local pages_env=$3
-
-    echo -e "${YELLOW}  Setting $secret_name for $pages_env...${NC}"
-
-    if [ "$pages_env" = "production" ]; then
-        printf '%s' "$secret_value" | wrangler pages secret put "$secret_name" --project-name "$PAGES_PROJECT_NAME"
-        return 0
-    fi
-
-    printf '%s' "$secret_value" | wrangler pages secret put "$secret_name" --project-name "$PAGES_PROJECT_NAME" --env "$pages_env"
-}
-
-deploy_pages_environment_secrets() {
-    local pages_env=$1
+deploy_pages_secrets() {
     local secret
     local secret_value
 
-    echo -e "\n${BLUE}🔧 Deploying Pages secrets to $pages_env...${NC}"
+    echo -e "\n${BLUE}🔧 Deploying Pages secrets to production...${NC}"
 
     for secret in "${required_pages_secrets[@]}"; do
         secret_value=$(get_required_value "$secret")
-        set_pages_secret "$secret" "$secret_value" "$pages_env"
+        echo -e "${YELLOW}  Setting $secret...${NC}"
+        printf '%s' "$secret_value" | wrangler pages secret put "$secret" --project-name "$PAGES_PROJECT_NAME"
     done
 
     local optional_primershear_emails
     optional_primershear_emails=$(get_optional_value "PRIMERSHEAR_EMAILS")
-    if [ -n "$optional_primershear_emails" ]; then
-        set_pages_secret "PRIMERSHEAR_EMAILS" "$optional_primershear_emails" "$pages_env"
-    fi
+    echo -e "${YELLOW}  Setting PRIMERSHEAR_EMAILS...${NC}"
+    printf '%s' "$optional_primershear_emails" | wrangler pages secret put "PRIMERSHEAR_EMAILS" --project-name "$PAGES_PROJECT_NAME"
 
-    echo -e "${GREEN}✅ Pages secrets deployed to $pages_env${NC}"
+    local optional_registration_emails
+    optional_registration_emails=$(get_optional_value "REGISTRATION_EMAILS")
+    echo -e "${YELLOW}  Setting REGISTRATION_EMAILS...${NC}"
+    printf '%s' "$optional_registration_emails" | wrangler pages secret put "REGISTRATION_EMAILS" --project-name "$PAGES_PROJECT_NAME"
+
+    echo -e "${GREEN}✅ Pages secrets deployed to production${NC}"
 }
 
 require_command wrangler
@@ -220,12 +169,6 @@ for secret in "${required_pages_secrets[@]}"; do
 done
 echo -e "${GREEN}✅ Required Pages secret values found${NC}"
 
-if [ "$deploy_production" = "true" ]; then
-    deploy_pages_environment_secrets "production"
-fi
-
-if [ "$deploy_preview" = "true" ]; then
-    deploy_pages_environment_secrets "preview"
-fi
+deploy_pages_secrets
 
 echo -e "\n${GREEN}🎉 Pages secrets deployment completed!${NC}"

package/scripts/deploy-primershear-emails.sh

@@ -4,16 +4,7 @@
 # PRIMERSHEAR EMAIL LIST DEPLOYMENT SCRIPT
 # ============================================
 # Reads primershear.emails, updates PRIMERSHEAR_EMAILS in .env,
-# then deploys that secret directly to Cloudflare Pages.
-#
-# Usage:
-#   bash ./scripts/deploy-primershear-emails.sh [--production-only|--preview-only|--env-only]
-#
-# Options:
-#   --production-only  Deploy to production Pages environment only
-#   --preview-only     Deploy to preview Pages environment only
-#   --env-only         Update .env only; do not deploy to Cloudflare
-#   -h, --help         Show this help message
+# then deploys that secret directly to Cloudflare Pages (production).
 
 set -e
 set -o pipefail
@@ -33,43 +24,6 @@ cd "$PROJECT_ROOT"
 
 trap 'echo -e "\n${RED}❌ deploy-primershear-emails.sh failed near line ${LINENO}${NC}"' ERR
 
-# ── Argument parsing ─────────────────────────────────────────────────────────
-
-deploy_production=true
-deploy_preview=true
-env_only=false
-
-for arg in "$@"; do
-    case "$arg" in
-        -h|--help)
-            echo "Usage: bash ./scripts/deploy-primershear-emails.sh [--production-only|--preview-only|--env-only]"
-            echo ""
-            echo "Options:"
-            echo "  --production-only  Deploy to production Pages environment only"
-            echo "  --preview-only     Deploy to preview Pages environment only"
-            echo "  --env-only         Update .env only; do not deploy to Cloudflare"
-            echo "  -h, --help         Show this help message"
-            exit 0
-            ;;
-        --production-only)
-            deploy_production=true
-            deploy_preview=false
-            ;;
-        --preview-only)
-            deploy_production=false
-            deploy_preview=true
-            ;;
-        --env-only)
-            env_only=true
-            ;;
-        *)
-            echo -e "${RED}❌ Unknown option: $arg${NC}"
-            echo "Use --help to see supported options."
-            exit 1
-            ;;
-    esac
-done
-
 # ── Read emails file ──────────────────────────────────────────────────────────
 
 EMAILS_FILE="$PROJECT_ROOT/primershear.emails"
@@ -114,11 +68,6 @@ else
     echo -e "${GREEN}✅ Appended PRIMERSHEAR_EMAILS to .env${NC}"
 fi
 
-if [ "$env_only" = "true" ]; then
-    echo -e "\n${GREEN}🎉 .env updated. Skipping Cloudflare deployment (--env-only).${NC}"
-    exit 0
-fi
-
 # ── Deploy to Cloudflare Pages ────────────────────────────────────────────────
 
 if ! command -v wrangler > /dev/null 2>&1; then
@@ -134,31 +83,16 @@ if [ -z "$PAGES_PROJECT_NAME" ]; then
     exit 1
 fi
 
-set_secret() {
-    local pages_env=$1
-    echo -e "${YELLOW}  Setting PRIMERSHEAR_EMAILS for $pages_env...${NC}"
-    if [ "$pages_env" = "production" ]; then
-        printf '%s' "$PRIMERSHEAR_EMAILS" | wrangler pages secret put PRIMERSHEAR_EMAILS \
-            --project-name "$PAGES_PROJECT_NAME"
-    else
-        printf '%s' "$PRIMERSHEAR_EMAILS" | wrangler pages secret put PRIMERSHEAR_EMAILS \
-            --project-name "$PAGES_PROJECT_NAME" --env "$pages_env"
-    fi
-}
-
-if [ "$deploy_production" = "true" ]; then
-    set_secret "production"
-    echo -e "${GREEN}✅ PRIMERSHEAR_EMAILS deployed to production${NC}"
-fi
+echo -e "${YELLOW}  Setting PRIMERSHEAR_EMAILS for production...${NC}"
+printf '%s' "$PRIMERSHEAR_EMAILS" | wrangler pages secret put PRIMERSHEAR_EMAILS \
+    --project-name "$PAGES_PROJECT_NAME"
 
-if [ "$deploy_preview" = "true" ]; then
-    set_secret "preview"
-    echo -e "${GREEN}✅ PRIMERSHEAR_EMAILS deployed to preview${NC}"
-fi
+echo -e "${GREEN}✅ PRIMERSHEAR_EMAILS deployed to production${NC}"
 
 # Deploy Pages so the new secret takes effect immediately
 echo -e "\n${YELLOW}🚀 Building and deploying Pages to activate new secret...${NC}"
-if ! npm run deploy; then
+
+if ! npm run deploy-pages; then
     echo -e "${RED}❌ Pages deployment failed${NC}"
     exit 1
 fi

package/worker-configuration.d.ts

@@ -58,6 +58,7 @@ declare namespace Cloudflare {
 		PDF_WORKER_AUTH: string;
 		BROWSER_API_TOKEN: string;
 		PRIMERSHEAR_EMAILS: string;
+		REGISTRATION_EMAILS: string;
 	}
 }
 interface Env extends Cloudflare.Env {}
@@ -65,7 +66,7 @@ type StringifyValues<EnvType extends Record<string, unknown>> = {
 	[Binding in keyof EnvType]: EnvType[Binding] extends string ? EnvType[Binding] : string;
 };
 declare namespace NodeJS {
-	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "USER_KV_ENCRYPTION_PRIVATE_KEY" | "USER_KV_ENCRYPTION_KEY_ID" | "USER_KV_ENCRYPTION_PUBLIC_KEY" | "USER_KV_WRITE_ENDPOINTS_ENABLED" | "USER_KV_ENCRYPTION_KEYS_JSON" | "USER_KV_ENCRYPTION_ACTIVE_KEY_ID" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "EXPORT_ENCRYPTION_PRIVATE_KEY" | "EXPORT_ENCRYPTION_KEY_ID" | "EXPORT_ENCRYPTION_PUBLIC_KEY" | "EXPORT_ENCRYPTION_KEYS_JSON" | "EXPORT_ENCRYPTION_ACTIVE_KEY_ID" | "DATA_AT_REST_ENCRYPTION_ENABLED" | "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" | "DATA_AT_REST_ENCRYPTION_KEY_ID" | "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" | "DATA_AT_REST_ENCRYPTION_KEYS_JSON" | "DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "FILES_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "IMAGE_SIGNED_URL_SECRET" | "IMAGE_SIGNED_URL_TTL_SECONDS" | "IMAGE_SIGNED_URL_BASE_URL" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS">> {}
+	interface ProcessEnv extends StringifyValues<Pick<Cloudflare.Env, "ACCOUNT_ID" | "USER_DB_AUTH" | "R2_KEY_SECRET" | "IMAGES_API_TOKEN" | "API_KEY" | "AUTH_DOMAIN" | "PROJECT_ID" | "STORAGE_BUCKET" | "MESSAGING_SENDER_ID" | "APP_ID" | "MEASUREMENT_ID" | "FIREBASE_SERVICE_ACCOUNT_EMAIL" | "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" | "USER_KV_ENCRYPTION_PRIVATE_KEY" | "USER_KV_ENCRYPTION_KEY_ID" | "USER_KV_ENCRYPTION_PUBLIC_KEY" | "USER_KV_WRITE_ENDPOINTS_ENABLED" | "USER_KV_ENCRYPTION_KEYS_JSON" | "USER_KV_ENCRYPTION_ACTIVE_KEY_ID" | "MANIFEST_SIGNING_PRIVATE_KEY" | "MANIFEST_SIGNING_KEY_ID" | "MANIFEST_SIGNING_PUBLIC_KEY" | "EXPORT_ENCRYPTION_PRIVATE_KEY" | "EXPORT_ENCRYPTION_KEY_ID" | "EXPORT_ENCRYPTION_PUBLIC_KEY" | "EXPORT_ENCRYPTION_KEYS_JSON" | "EXPORT_ENCRYPTION_ACTIVE_KEY_ID" | "DATA_AT_REST_ENCRYPTION_ENABLED" | "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" | "DATA_AT_REST_ENCRYPTION_KEY_ID" | "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" | "DATA_AT_REST_ENCRYPTION_KEYS_JSON" | "DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID" | "PAGES_PROJECT_NAME" | "PAGES_CUSTOM_DOMAIN" | "USER_WORKER_NAME" | "USER_WORKER_DOMAIN" | "KV_STORE_ID" | "DATA_WORKER_NAME" | "DATA_BUCKET_NAME" | "FILES_BUCKET_NAME" | "DATA_WORKER_DOMAIN" | "AUDIT_WORKER_NAME" | "AUDIT_BUCKET_NAME" | "AUDIT_WORKER_DOMAIN" | "IMAGES_WORKER_NAME" | "IMAGES_WORKER_DOMAIN" | "IMAGE_SIGNED_URL_SECRET" | "IMAGE_SIGNED_URL_TTL_SECONDS" | "IMAGE_SIGNED_URL_BASE_URL" | "PDF_WORKER_NAME" | "PDF_WORKER_DOMAIN" | "PDF_WORKER_AUTH" | "BROWSER_API_TOKEN" | "PRIMERSHEAR_EMAILS" | "REGISTRATION_EMAILS">> {}
 }
 
 // Begin runtime types

package/workers/audit-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "audit-worker",
-  "version": "5.5.1",
+  "version": "5.5.2",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -9,9 +9,5 @@
   },
   "devDependencies": {
     "wrangler": "^4.81.1"
-  },
-  "overrides": {
-    "undici": "7.24.1",
-    "yauzl": "3.2.1"
   }
 }

package/workers/audit-worker/wrangler.jsonc.example

@@ -7,7 +7,7 @@
   "name": "AUDIT_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
-  "compatibility_date": "2026-04-09",
+  "compatibility_date": "2026-04-10",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/data-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "data-worker",
-  "version": "5.5.1",
+  "version": "5.5.2",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -9,9 +9,5 @@
   },
   "devDependencies": {
     "wrangler": "^4.81.1"
-  },
-  "overrides": {
-    "undici": "7.24.1",
-    "yauzl": "3.2.1"
   }
 }

package/workers/data-worker/wrangler.jsonc.example

@@ -5,7 +5,7 @@
   "name": "DATA_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
-  "compatibility_date": "2026-04-09",
+  "compatibility_date": "2026-04-10",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/image-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "image-worker",
-  "version": "5.5.1",
+  "version": "5.5.2",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -9,9 +9,5 @@
   },
   "devDependencies": {
     "wrangler": "^4.81.1"
-  },
-  "overrides": {
-    "undici": "7.24.1",
-    "yauzl": "3.2.1"
   }
 }

package/workers/image-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "IMAGES_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/image-worker.ts",
-  "compatibility_date": "2026-04-09",
+  "compatibility_date": "2026-04-10",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/pdf-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pdf-worker",
-  "version": "5.5.1",
+  "version": "5.5.2",
   "private": true,
   "scripts": {
     "generate:assets": "node scripts/generate-assets.js",
@@ -10,9 +10,5 @@
   },
   "devDependencies": {
     "wrangler": "^4.81.1"
-  },
-  "overrides": {
-    "undici": "7.24.1",
-    "yauzl": "3.2.1"
   }
 }

package/workers/pdf-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "PDF_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/pdf-worker.ts",
-  "compatibility_date": "2026-04-09",
+  "compatibility_date": "2026-04-10",
   "compatibility_flags": [
     "nodejs_compat"
   ],

package/workers/user-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "user-worker",
-  "version": "5.5.1",
+  "version": "5.5.2",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -9,9 +9,5 @@
   },
   "devDependencies": {
     "wrangler": "^4.81.1"
-  },
-  "overrides": {
-    "undici": "7.24.1",
-    "yauzl": "3.2.1"
   }
 }

package/workers/user-worker/wrangler.jsonc.example

@@ -2,7 +2,7 @@
   "name": "USER_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/user-worker.ts",
-  "compatibility_date": "2026-04-09",
+  "compatibility_date": "2026-04-10",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/wrangler.toml.example

@@ -1,6 +1,6 @@
 #:schema node_modules/wrangler/config-schema.json
 name = "PAGES_PROJECT_NAME"
-compatibility_date = "2026-04-09"
+compatibility_date = "2026-04-10"
 compatibility_flags = ["nodejs_compat"]
 pages_build_output_dir = "./build/client"