@striae-org/striae 5.5.2 → 6.0.0

package/app/components/actions/case-export/download-handlers.ts

@@ -8,13 +8,14 @@ import {
   getCurrentPublicSigningKeyDetails,
   getVerificationPublicKey,
   getCurrentEncryptionPublicKeyDetails,
-  encryptExportDataWithAllImages
+  encryptExportDataWithAllImages,
 } from '~/utils/forensics';
 import { signForensicManifest } from '~/utils/data';
 import { formatDateForFilename } from './types-constants';
 import { addForensicDataWarning } from './metadata-helpers';
 import { exportCaseData } from './core-export';
 import { auditService } from '~/services/audit';
+import { buildArchivePackage } from '~/components/actions/case-manage/archive-package-builder';
 
 /**
  * Generate export filename with embedded ID to prevent collisions
@@ -23,15 +24,15 @@ import { auditService } from '~/services/audit';
  */
 function generateExportFilename(originalFilename: string, id: string): string {
   const lastDotIndex = originalFilename.lastIndexOf('.');
-  
+
   if (lastDotIndex === -1) {
     // No extension found
     return `${originalFilename}-${id}`;
   }
-  
+
   const basename = originalFilename.substring(0, lastDotIndex);
   const extension = originalFilename.substring(lastDotIndex);
-  
+
   return `${basename}-${id}${extension}`;
 }
 
@@ -73,25 +74,99 @@ export async function downloadCaseAsZip(
   let manifestSigned = false;
   let publicKeyFileName: string | undefined;
   const protectForensicData = true;
-  
+
   try {
     // Start audit workflow
     auditService.startWorkflow(caseNumber);
-    
+
     onProgress?.(10);
-    
+
     // Get case data
     const exportData = await exportCaseData(user, caseNumber, options);
     onProgress?.(30);
-    
+
+    const archivePackageMode = options.archivePackageMode;
+
+    if (archivePackageMode) {
+      const archivedAt = exportData.metadata.archivedAt || new Date().toISOString();
+      const archivedByDisplay =
+        exportData.metadata.archivedByDisplay ||
+        exportData.metadata.archivedBy ||
+        exportData.metadata.exportedByName ||
+        exportData.metadata.exportedBy ||
+        'Unknown';
+      const caseJsonContent = await generateJSONContent(
+        exportData,
+        options.includeUserInfo,
+        protectForensicData
+      );
+
+      const archivePackage = await buildArchivePackage({
+        user,
+        caseNumber,
+        caseJsonContent,
+        files: exportData.files,
+        auditConfig: {
+          startDate: exportData.metadata.caseCreatedDate,
+          endDate: archivedAt,
+        },
+        readmeConfig: {
+          archivedAt,
+          archivedByDisplay,
+          archiveReason: exportData.metadata.archiveReason,
+        },
+      });
+
+      manifestSignatureKeyId = archivePackage.manifestSignatureKeyId;
+      manifestSigned = true;
+      onProgress?.(95);
+
+      const url = URL.createObjectURL(archivePackage.zipBlob);
+      const exportFileName = `striae-case-${caseNumber}-archive-${formatDateForFilename(new Date())}-encrypted.zip`;
+
+      const linkElement = document.createElement('a');
+      linkElement.href = url;
+      linkElement.setAttribute('download', exportFileName);
+      linkElement.setAttribute('title', 'Encrypted Striae case package');
+      linkElement.click();
+
+      URL.revokeObjectURL(url);
+      onProgress?.(100);
+
+      const endTime = Date.now();
+      await auditService.logCaseExport(
+        user,
+        caseNumber,
+        exportFileName,
+        'success',
+        [],
+        {
+          processingTimeMs: endTime - startTime,
+          fileSizeBytes: archivePackage.zipBlob.size,
+          validationStepsCompleted: exportData.files?.length || 0,
+          validationStepsFailed: 0,
+        },
+        'zip',
+        protectForensicData,
+        {
+          present: true,
+          valid: true,
+          keyId: manifestSignatureKeyId,
+        }
+      );
+
+      auditService.endWorkflow();
+      return;
+    }
+
     // Create ZIP
     const JSZip = (await import('jszip')).default;
     const zip = new JSZip();
-    
+
     const jsonContent = await generateJSONContent(exportData, options.includeUserInfo, protectForensicData);
     zip.file(`${caseNumber}_data.json`, jsonContent);
     onProgress?.(50);
-    
+
     // Add images and collect them for manifest generation
     const imageFolder = zip.folder('images');
     const imageFiles: { [filename: string]: Blob } = {};
@@ -101,7 +176,6 @@ export async function downloadCaseAsZip(
         try {
           const imageBlob = await fetchImageAsBlob(user, file.fileData, caseNumber);
           if (imageBlob) {
-            // Generate export filename with embedded ID to prevent collisions
             const exportFilename = generateExportFilename(file.fileData.originalFilename, file.fileData.id);
             imageFolder.file(exportFilename, imageBlob);
             imageFiles[exportFilename] = imageBlob;
@@ -112,9 +186,7 @@ export async function downloadCaseAsZip(
         onProgress?.(50 + (i / exportData.files.length) * 30);
       }
     }
-    
-    // CRITICAL: Get the content that will be used for hash calculation.
-    // This must match the exported package content before encryption.
+
     const contentForHash = await generateJSONContent(exportData, options.includeUserInfo, false);
 
     const forensicManifest = await generateForensicManifestSecure(contentForHash, imageFiles);
@@ -128,7 +200,7 @@ export async function downloadCaseAsZip(
     const signedForensicManifest = {
       ...forensicManifest,
       manifestVersion: signingResult.manifestVersion,
-      signature: signingResult.signature
+      signature: signingResult.signature,
     };
 
     zip.file('FORENSIC_MANIFEST.json', JSON.stringify(signedForensicManifest, null, 2));
@@ -143,24 +215,30 @@ export async function downloadCaseAsZip(
     }
 
     try {
-      const imagesToEncrypt = Object.entries(imageFiles).map(([filename, blob]) => ({
-        filename,
-        blob
-      }));
+      const filesToEncrypt = [
+        ...Object.entries(imageFiles).map(([filename, blob]) => ({
+          filename,
+          blob,
+        })),
+      ];
 
       const encryptionResult = await encryptExportDataWithAllImages(
         contentForHash,
-        imagesToEncrypt,
+        filesToEncrypt,
         encKeyDetails.publicKeyPem,
         encKeyDetails.keyId
       );
 
       zip.file(`${caseNumber}_data.json`, encryptionResult.ciphertext);
 
-      if (imageFolder && encryptionResult.encryptedImages.length > 0) {
-        for (let i = 0; i < imagesToEncrypt.length; i++) {
-          const originalFilename = imagesToEncrypt[i].filename;
-          imageFolder.file(originalFilename, encryptionResult.encryptedImages[i]);
+      if (encryptionResult.encryptedImages.length > 0) {
+        for (let i = 0; i < filesToEncrypt.length; i++) {
+          const originalFilename = filesToEncrypt[i].filename;
+          const encryptedContent = encryptionResult.encryptedImages[i];
+
+          if (imageFolder) {
+            imageFolder.file(originalFilename, encryptedContent);
+          }
         }
       }
 
@@ -213,28 +291,27 @@ For questions about this export, contact your Striae system administrator.
     );
     zip.file('README.txt', readme);
     onProgress?.(85);
-    
-    const zipBlob = await zip.generateAsync({ 
+
+    const zipBlob = await zip.generateAsync({
       type: 'blob',
       compression: 'DEFLATE',
-      compressionOptions: { level: 6 }
+      compressionOptions: { level: 6 },
     });
     onProgress?.(95);
 
     const url = URL.createObjectURL(zipBlob);
     const exportFileName = `striae-case-${caseNumber}-encrypted-package-${formatDateForFilename(new Date())}.zip`;
-    
+
     const linkElement = document.createElement('a');
     linkElement.href = url;
     linkElement.setAttribute('download', exportFileName);
     linkElement.setAttribute('title', 'Encrypted Striae case package');
-    
+
     linkElement.click();
-    
+
     URL.revokeObjectURL(url);
     onProgress?.(100);
-    
-    // Log successful export audit event (standard case)
+
     const endTime = Date.now();
     await auditService.logCaseExport(
       user,
@@ -246,24 +323,21 @@ For questions about this export, contact your Striae system administrator.
         processingTimeMs: endTime - startTime,
         fileSizeBytes: zipBlob.size,
         validationStepsCompleted: exportData.files?.length || 0,
-        validationStepsFailed: 0
+        validationStepsFailed: 0,
       },
       'zip',
       protectForensicData,
       {
         present: true,
         valid: true,
-        keyId: manifestSignatureKeyId
+        keyId: manifestSignatureKeyId,
       }
     );
-    
-    // End audit workflow
+
     auditService.endWorkflow();
-    
   } catch (error) {
     console.error('ZIP export failed:', error);
-    
-    // Log failed export audit event
+
     const endTime = Date.now();
     await auditService.logCaseExport(
       user,
@@ -275,20 +349,19 @@ For questions about this export, contact your Striae system administrator.
         processingTimeMs: endTime - startTime,
         fileSizeBytes: 0,
         validationStepsCompleted: 0,
-        validationStepsFailed: 1
+        validationStepsFailed: 1,
       },
       'zip',
       protectForensicData,
       {
         present: manifestSigned,
         valid: manifestSigned,
-        keyId: manifestSignatureKeyId
+        keyId: manifestSignatureKeyId,
       }
     );
-    
-    // End audit workflow
+
     auditService.endWorkflow();
-    
+
     throw new Error('Failed to export encrypted case package');
   }
 }
@@ -305,8 +378,8 @@ async function fetchImageAsBlob(user: User, fileData: FileData, caseNumber: stri
       const signedResponse = await fetch(url, {
         method: 'GET',
         headers: {
-          'Accept': 'application/octet-stream,image/*'
-        }
+          Accept: 'application/octet-stream,image/*',
+        },
       });
 
       if (!signedResponse.ok) {
@@ -394,13 +467,12 @@ https://striae.app`;
  * Generate JSON content for case export with forensic protection options
  */
 async function generateJSONContent(
-  exportData: CaseExportData, 
-  includeUserInfo: boolean = true, 
+  exportData: CaseExportData,
+  includeUserInfo: boolean = true,
   protectForensicData: boolean = true
 ): Promise<string> {
   const jsonData = { ...exportData };
-  
-  // Remove sensitive user info if not included
+
   if (!includeUserInfo) {
     if (jsonData.metadata.exportedBy) {
       jsonData.metadata.exportedBy = '[User Info Excluded]';
@@ -418,28 +490,24 @@ async function generateJSONContent(
       jsonData.metadata.exportedByBadgeId = '[User Info Excluded]';
     }
   }
-  
+
   const jsonString = JSON.stringify(jsonData, null, 2);
-  
-  // Calculate hash for integrity verification
   const hash = await calculateSHA256Secure(jsonString);
-  
-  // Add hash to metadata
+
   const finalJsonData = {
     ...jsonData,
     metadata: {
       ...jsonData.metadata,
       hash: hash.toUpperCase(),
-      integrityNote: 'Verify by recalculating SHA256 of this entire JSON content'
-    }
+      integrityNote: 'Verify by recalculating SHA256 of this entire JSON content',
+    },
   };
-  
+
   const finalJsonString = JSON.stringify(finalJsonData, null, 2);
-  
-  // Add forensic protection warning if enabled
+
   if (protectForensicData) {
     return addForensicDataWarning(finalJsonString);
   }
-  
+
   return finalJsonString;
-}
+}

package/app/components/actions/case-manage/archive-package-builder.ts

@@ -0,0 +1,299 @@
+import type { User } from 'firebase/auth';
+import { type AuditTrail, type CaseExportData, type ValidationAuditEntry } from '~/types';
+import { signForensicManifest } from '~/utils/data';
+import {
+  calculateSHA256Secure,
+  createPublicSigningKeyFileName,
+  encryptExportDataWithAllImages,
+  generateForensicManifestSecure,
+  getCurrentEncryptionPublicKeyDetails,
+  getCurrentPublicSigningKeyDetails,
+  getVerificationPublicKey,
+} from '~/utils/forensics';
+import { signAuditExport } from '~/services/audit/audit-export-signing';
+import { generateAuditSummary, sortAuditEntriesNewestFirst } from '~/services/audit/audit-query-helpers';
+import { auditService } from '~/services/audit';
+import { getImageUrl } from '../image-manage';
+
+export interface ArchiveBundleAuditConfig {
+  startDate: string;
+  endDate: string;
+  additionalEntries?: ValidationAuditEntry[];
+}
+
+export interface ArchiveBundleReadmeConfig {
+  archivedAt: string;
+  archivedByDisplay: string;
+  archiveReason?: string;
+}
+
+export interface BuildArchivePackageInput {
+  user: User;
+  caseNumber: string;
+  caseJsonContent: string;
+  files: CaseExportData['files'];
+  auditConfig: ArchiveBundleAuditConfig;
+  readmeConfig: ArchiveBundleReadmeConfig;
+}
+
+export interface BuildArchivePackageResult {
+  zipBlob: Blob;
+  publicKeyFileName: string;
+  manifestSignatureKeyId: string;
+}
+
+function generateArchiveImageFilename(originalFilename: string, id: string): string {
+  const lastDotIndex = originalFilename.lastIndexOf('.');
+
+  if (lastDotIndex === -1) {
+    return `${originalFilename}-${id}`;
+  }
+
+  const basename = originalFilename.substring(0, lastDotIndex);
+  const extension = originalFilename.substring(lastDotIndex);
+
+  return `${basename}-${id}${extension}`;
+}
+
+function getVerificationPublicSigningKey(preferredKeyId?: string): { keyId: string | null; publicKeyPem: string } {
+  const preferredKey = preferredKeyId ? getVerificationPublicKey(preferredKeyId) : null;
+  const currentDetails = getCurrentPublicSigningKeyDetails();
+  const resolvedPem = preferredKey ?? currentDetails.publicKeyPem;
+  const resolvedKeyId = preferredKey ? preferredKeyId ?? null : currentDetails.keyId;
+
+  if (!resolvedPem || resolvedPem.trim().length === 0) {
+    throw new Error('No public signing key is configured for archive packaging.');
+  }
+
+  return {
+    keyId: resolvedKeyId,
+    publicKeyPem: resolvedPem.endsWith('\n') ? resolvedPem : `${resolvedPem}\n`,
+  };
+}
+
+async function fetchImageAsBlob(user: User, fileData: CaseExportData['files'][number]['fileData'], caseNumber: string): Promise<Blob | null> {
+  try {
+    const imageAccess = await getImageUrl(user, fileData, caseNumber, 'Archive Package');
+    const { blob, revoke, url } = imageAccess;
+
+    if (!blob) {
+      const signedResponse = await fetch(url, {
+        method: 'GET',
+        headers: {
+          Accept: 'application/octet-stream,image/*',
+        },
+      });
+
+      if (!signedResponse.ok) {
+        throw new Error(`Signed URL fetch failed with status ${signedResponse.status}`);
+      }
+
+      return await signedResponse.blob();
+    }
+
+    try {
+      return blob;
+    } finally {
+      revoke();
+    }
+  } catch (error) {
+    console.error('Failed to fetch image for archive package:', error);
+    return null;
+  }
+}
+
+export async function buildArchivePackage(input: BuildArchivePackageInput): Promise<BuildArchivePackageResult> {
+  const { user, caseNumber, caseJsonContent, files, auditConfig, readmeConfig } = input;
+
+  const JSZip = (await import('jszip')).default;
+  const zip = new JSZip();
+  zip.file(`${caseNumber}_data.json`, caseJsonContent);
+
+  const imageFolder = zip.folder('images');
+  const imageBlobs: Record<string, Blob> = {};
+  if (imageFolder && files) {
+    for (const fileEntry of files) {
+      const imageBlob = await fetchImageAsBlob(user, fileEntry.fileData, caseNumber);
+      if (!imageBlob) {
+        continue;
+      }
+
+      const exportFileName = generateArchiveImageFilename(
+        fileEntry.fileData.originalFilename,
+        fileEntry.fileData.id
+      );
+      imageFolder.file(exportFileName, imageBlob);
+      imageBlobs[exportFileName] = imageBlob;
+    }
+  }
+
+  const forensicManifest = await generateForensicManifestSecure(caseJsonContent, imageBlobs);
+  const manifestSigningResponse = await signForensicManifest(user, caseNumber, forensicManifest);
+
+  const signingKey = getVerificationPublicSigningKey(manifestSigningResponse.signature.keyId);
+  const publicKeyFileName = createPublicSigningKeyFileName(signingKey.keyId);
+  zip.file(publicKeyFileName, signingKey.publicKeyPem);
+
+  zip.file(
+    'FORENSIC_MANIFEST.json',
+    JSON.stringify(
+      {
+        ...forensicManifest,
+        manifestVersion: manifestSigningResponse.manifestVersion,
+        signature: manifestSigningResponse.signature,
+      },
+      null,
+      2
+    )
+  );
+
+  const auditEntries = await auditService.getAuditEntriesForUser(user.uid, {
+    caseNumber,
+    startDate: auditConfig.startDate,
+    endDate: auditConfig.endDate,
+  });
+
+  const auditEntriesWithExtras = sortAuditEntriesNewestFirst([
+    ...auditEntries,
+    ...(auditConfig.additionalEntries ?? []),
+  ]);
+
+  const auditTrail: AuditTrail = {
+    caseNumber,
+    workflowId: `${caseNumber}-archive-${Date.now()}`,
+    entries: auditEntriesWithExtras,
+    summary: generateAuditSummary(auditEntriesWithExtras),
+  };
+
+  const auditTrailPayload = {
+    metadata: {
+      exportTimestamp: new Date().toISOString(),
+      exportVersion: '1.0',
+      totalEntries: auditTrail.summary.totalEvents,
+      application: 'Striae',
+      exportType: 'trail' as const,
+      scopeType: 'case' as const,
+      scopeIdentifier: caseNumber,
+    },
+    auditTrail,
+  };
+
+  const auditTrailRawContent = JSON.stringify(auditTrailPayload, null, 2);
+  const auditTrailHash = await calculateSHA256Secure(auditTrailRawContent);
+  const signedAuditExportPayload = await signAuditExport(
+    {
+      exportFormat: 'json',
+      exportType: 'trail',
+      generatedAt: auditTrailPayload.metadata.exportTimestamp,
+      totalEntries: auditTrail.summary.totalEvents,
+      hash: auditTrailHash.toUpperCase(),
+    },
+    {
+      user,
+      scopeType: 'case',
+      scopeIdentifier: caseNumber,
+      caseNumber,
+    }
+  );
+
+  const signedAuditTrail = {
+    metadata: {
+      ...auditTrailPayload.metadata,
+      hash: auditTrailHash.toUpperCase(),
+      signatureVersion: signedAuditExportPayload.signatureMetadata.signatureVersion,
+      signatureMetadata: signedAuditExportPayload.signatureMetadata,
+      signature: signedAuditExportPayload.signature,
+    },
+    auditTrail,
+  };
+
+  const auditTrailJson = JSON.stringify(signedAuditTrail, null, 2);
+  const auditSignatureJson = JSON.stringify(signedAuditExportPayload, null, 2);
+  zip.file('audit/case-audit-trail.json', auditTrailJson);
+  zip.file('audit/case-audit-signature.json', auditSignatureJson);
+
+  const encryptionKeyDetails = getCurrentEncryptionPublicKeyDetails();
+
+  if (!encryptionKeyDetails.publicKeyPem || !encryptionKeyDetails.keyId) {
+    throw new Error(
+      'Archive encryption is mandatory. Your Striae instance does not have a configured encryption public key. ' +
+      'Please contact your administrator to set up export encryption.'
+    );
+  }
+
+  const filesToEncrypt: Array<{ filename: string; blob: Blob }> = [
+    ...Object.entries(imageBlobs).map(([filename, blob]) => ({
+      filename,
+      blob,
+    })),
+    {
+      filename: 'audit/case-audit-trail.json',
+      blob: new Blob([auditTrailJson], { type: 'application/json' }),
+    },
+    {
+      filename: 'audit/case-audit-signature.json',
+      blob: new Blob([auditSignatureJson], { type: 'application/json' }),
+    },
+  ];
+
+  const encryptionResult = await encryptExportDataWithAllImages(
+    caseJsonContent,
+    filesToEncrypt,
+    encryptionKeyDetails.publicKeyPem,
+    encryptionKeyDetails.keyId
+  );
+
+  zip.file(`${caseNumber}_data.json`, encryptionResult.ciphertext);
+
+  for (let index = 0; index < filesToEncrypt.length; index += 1) {
+    const originalFilename = filesToEncrypt[index].filename;
+    const encryptedContent = encryptionResult.encryptedImages[index];
+
+    if (originalFilename.startsWith('audit/')) {
+      zip.file(originalFilename, encryptedContent);
+      continue;
+    }
+
+    if (imageFolder) {
+      imageFolder.file(originalFilename, encryptedContent);
+    }
+  }
+
+  zip.file('ENCRYPTION_MANIFEST.json', JSON.stringify(encryptionResult.encryptionManifest, null, 2));
+
+  zip.file(
+    'README.txt',
+    [
+      'Striae Archived Case Package',
+      '===========================',
+      '',
+      `Case Number: ${caseNumber}`,
+      `Archived At: ${readmeConfig.archivedAt}`,
+      `Archived By: ${readmeConfig.archivedByDisplay}`,
+      `Archive Reason: ${readmeConfig.archiveReason?.trim() || 'Not provided'}`,
+      '',
+      'Package Contents',
+      '- Case data JSON export with all image references',
+      '- images/ folder with exported image files (encrypted)',
+      '- Full case audit trail export and signed audit metadata',
+      '- Forensic manifest with server-side signature',
+      '- ENCRYPTION_MANIFEST.json with encryption metadata and encrypted image hashes',
+      `- ${publicKeyFileName} for verification`,
+      '',
+      'This package is intended for read-only review and verification workflows.',
+      'This package is encrypted. Only Striae can decrypt and re-import it.',
+    ].join('\n')
+  );
+
+  const zipBlob = await zip.generateAsync({
+    type: 'blob',
+    compression: 'DEFLATE',
+    compressionOptions: { level: 6 },
+  });
+
+  return {
+    zipBlob,
+    publicKeyFileName,
+    manifestSignatureKeyId: manifestSigningResponse.signature.keyId,
+  };
+}