@striae-org/striae 6.1.7 → 7.0.0

package/scripts/deploy-config/modules/scaffolding.sh

@@ -109,44 +109,6 @@ copy_example_configs() {
     # Return to project root
     cd ../..
 
-    # Copy worker source template files
-    echo -e "${YELLOW}  Copying worker source template files...${NC}"
-
-    if [ -f "workers/user-worker/src/user-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/user-worker/src/user-worker.ts" ]; }; then
-        cp workers/user-worker/src/user-worker.example.ts workers/user-worker/src/user-worker.ts
-        echo -e "${GREEN}    ✅ user-worker: user-worker.ts created from example${NC}"
-    elif [ -f "workers/user-worker/src/user-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  user-worker: user-worker.ts already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "workers/data-worker/src/data-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/data-worker/src/data-worker.ts" ]; }; then
-        cp workers/data-worker/src/data-worker.example.ts workers/data-worker/src/data-worker.ts
-        echo -e "${GREEN}    ✅ data-worker: data-worker.ts created from example${NC}"
-    elif [ -f "workers/data-worker/src/data-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  data-worker: data-worker.ts already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "workers/audit-worker/src/audit-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/audit-worker/src/audit-worker.ts" ]; }; then
-        cp workers/audit-worker/src/audit-worker.example.ts workers/audit-worker/src/audit-worker.ts
-        echo -e "${GREEN}    ✅ audit-worker: audit-worker.ts created from example${NC}"
-    elif [ -f "workers/audit-worker/src/audit-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  audit-worker: audit-worker.ts already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "workers/image-worker/src/image-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/image-worker/src/image-worker.ts" ]; }; then
-        cp workers/image-worker/src/image-worker.example.ts workers/image-worker/src/image-worker.ts
-        echo -e "${GREEN}    ✅ image-worker: image-worker.ts created from example${NC}"
-    elif [ -f "workers/image-worker/src/image-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  image-worker: image-worker.ts already exists, skipping copy${NC}"
-    fi
-
-    if [ -f "workers/pdf-worker/src/pdf-worker.example.ts" ] && { [ "$update_env" = "true" ] || [ ! -f "workers/pdf-worker/src/pdf-worker.ts" ]; }; then
-        cp workers/pdf-worker/src/pdf-worker.example.ts workers/pdf-worker/src/pdf-worker.ts
-        echo -e "${GREEN}    ✅ pdf-worker: pdf-worker.ts created from example${NC}"
-    elif [ -f "workers/pdf-worker/src/pdf-worker.ts" ]; then
-        echo -e "${YELLOW}    ⚠️  pdf-worker: pdf-worker.ts already exists, skipping copy${NC}"
-    fi
-
     # Copy main wrangler.toml from example
     if [ -f "wrangler.toml.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.toml" ]; }; then
         cp wrangler.toml.example wrangler.toml
@@ -187,12 +149,6 @@ update_wrangler_configs() {
         echo -e "${GREEN}    ✅ audit-worker configuration updated${NC}"
     fi
 
-    if [ -f "workers/audit-worker/src/audit-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating audit-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/audit-worker/src/audit-worker.ts
-        echo -e "${GREEN}    ✅ audit-worker source placeholders updated${NC}"
-    fi
-
     if [ -f "workers/data-worker/wrangler.jsonc" ]; then
         echo -e "${YELLOW}  Updating data-worker/wrangler.jsonc...${NC}"
         sed -i "s/\"DATA_WORKER_NAME\"/\"$DATA_WORKER_NAME\"/g" workers/data-worker/wrangler.jsonc
@@ -201,12 +157,6 @@ update_wrangler_configs() {
         echo -e "${GREEN}    ✅ data-worker configuration updated${NC}"
     fi
 
-    if [ -f "workers/data-worker/src/data-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating data-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/data-worker/src/data-worker.ts
-        echo -e "${GREEN}    ✅ data-worker source placeholders updated${NC}"
-    fi
-
     if [ -f "workers/image-worker/wrangler.jsonc" ]; then
         echo -e "${YELLOW}  Updating image-worker/wrangler.jsonc...${NC}"
         sed -i "s/\"IMAGES_WORKER_NAME\"/\"$IMAGES_WORKER_NAME\"/g" workers/image-worker/wrangler.jsonc
@@ -215,12 +165,6 @@ update_wrangler_configs() {
         echo -e "${GREEN}    ✅ image-worker configuration updated${NC}"
     fi
 
-    if [ -f "workers/image-worker/src/image-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating image-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/image-worker/src/image-worker.ts
-        echo -e "${GREEN}    ✅ image-worker source placeholders updated${NC}"
-    fi
-
     if [ -f "workers/pdf-worker/wrangler.jsonc" ]; then
         echo -e "${YELLOW}  Updating pdf-worker/wrangler.jsonc...${NC}"
         sed -i "s/\"PDF_WORKER_NAME\"/\"$PDF_WORKER_NAME\"/g" workers/pdf-worker/wrangler.jsonc
@@ -228,12 +172,6 @@ update_wrangler_configs() {
         echo -e "${GREEN}    ✅ pdf-worker configuration updated${NC}"
     fi
 
-    if [ -f "workers/pdf-worker/src/pdf-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating pdf-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/pdf-worker/src/pdf-worker.ts
-        echo -e "${GREEN}    ✅ pdf-worker source placeholders updated${NC}"
-    fi
-
     if [ -f "workers/user-worker/wrangler.jsonc" ]; then
         echo -e "${YELLOW}  Updating user-worker/wrangler.jsonc...${NC}"
         sed -i "s/\"USER_WORKER_NAME\"/\"$USER_WORKER_NAME\"/g" workers/user-worker/wrangler.jsonc
@@ -244,15 +182,14 @@ update_wrangler_configs() {
         echo -e "${GREEN}    ✅ user-worker configuration updated${NC}"
     fi
 
-    if [ -f "workers/user-worker/src/user-worker.ts" ]; then
-        echo -e "${YELLOW}  Updating user-worker source placeholders...${NC}"
-        sed -i "s|'Access-Control-Allow-Origin': '[^']*'|'Access-Control-Allow-Origin': 'https://$escaped_pages_custom_domain'|g" workers/user-worker/src/user-worker.ts
-        echo -e "${GREEN}    ✅ user-worker source placeholders updated${NC}"
-    fi
-
     if [ -f "wrangler.toml" ]; then
         echo -e "${YELLOW}  Updating wrangler.toml...${NC}"
         sed -i "s/\"PAGES_PROJECT_NAME\"/\"$PAGES_PROJECT_NAME\"/g" wrangler.toml
+        sed -i "s/USER_WORKER_NAME/$USER_WORKER_NAME/g" wrangler.toml
+        sed -i "s/DATA_WORKER_NAME/$DATA_WORKER_NAME/g" wrangler.toml
+        sed -i "s/AUDIT_WORKER_NAME/$AUDIT_WORKER_NAME/g" wrangler.toml
+        sed -i "s/IMAGES_WORKER_NAME/$IMAGES_WORKER_NAME/g" wrangler.toml
+        sed -i "s/PDF_WORKER_NAME/$PDF_WORKER_NAME/g" wrangler.toml
         echo -e "${GREEN}    ✅ main wrangler.toml configuration updated${NC}"
     fi
 

package/scripts/deploy-config/modules/validation.sh

@@ -75,11 +75,6 @@ required_vars=(
     # Core Cloudflare Configuration
     "ACCOUNT_ID"
 
-    # Shared Authentication & Storage
-    "USER_DB_AUTH"
-    "R2_KEY_SECRET"
-    "IMAGES_API_TOKEN"
-
     # Firebase Auth Configuration
     "API_KEY"
     "AUTH_DOMAIN"
@@ -102,13 +97,6 @@ required_vars=(
     "IMAGES_WORKER_NAME"
     "PDF_WORKER_NAME"
 
-    # Worker Domains (required for proxy/env secrets and worker fallbacks)
-    "USER_WORKER_DOMAIN"
-    "DATA_WORKER_DOMAIN"
-    "AUDIT_WORKER_DOMAIN"
-    "IMAGES_WORKER_DOMAIN"
-    "PDF_WORKER_DOMAIN"
-
     # Storage Configuration (required for config replacement)
     "DATA_BUCKET_NAME"
     "AUDIT_BUCKET_NAME"
@@ -116,7 +104,6 @@ required_vars=(
     "KV_STORE_ID"
 
     # Worker-Specific Secrets (required for deployment)
-    "PDF_WORKER_AUTH"
     "IMAGE_SIGNED_URL_SECRET"
     "BROWSER_API_TOKEN"
     "MANIFEST_SIGNING_PRIVATE_KEY"
@@ -212,11 +199,6 @@ validate_env_value_formats() {
     echo -e "${YELLOW}🔍 Validating environment value formats...${NC}"
 
     validate_domain_var "PAGES_CUSTOM_DOMAIN"
-    validate_domain_var "USER_WORKER_DOMAIN"
-    validate_domain_var "DATA_WORKER_DOMAIN"
-    validate_domain_var "AUDIT_WORKER_DOMAIN"
-    validate_domain_var "IMAGES_WORKER_DOMAIN"
-    validate_domain_var "PDF_WORKER_DOMAIN"
 
     if ! [[ "$KV_STORE_ID" =~ ^([0-9a-fA-F]{32}|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$ ]]; then
         echo -e "${RED}❌ Error: KV_STORE_ID must be a 32-character hex namespace ID (or UUID format)${NC}"
@@ -312,14 +294,8 @@ validate_generated_configs() {
     assert_contains_literal "app/config/firebase.ts" "$APP_ID" "APP_ID missing in app/config/firebase.ts"
     assert_contains_literal "app/config/firebase.ts" "$MEASUREMENT_ID" "MEASUREMENT_ID missing in app/config/firebase.ts"
 
-    assert_contains_literal "workers/audit-worker/src/audit-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in audit-worker source"
-    assert_contains_literal "workers/data-worker/src/data-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in data-worker source"
-    assert_contains_literal "workers/image-worker/src/image-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in image-worker source"
-    assert_contains_literal "workers/pdf-worker/src/pdf-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in pdf-worker source"
-    assert_contains_literal "workers/user-worker/src/user-worker.ts" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in user-worker source"
-
     local placeholder_pattern
-    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|USER_WORKER_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN|PDF_WORKER_DOMAIN|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|KV_STORE_ID|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\"|'(PAGES_CUSTOM_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN)')"
+    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|KV_STORE_ID|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\")"
 
     local files_to_scan=(
         "wrangler.toml"
@@ -328,11 +304,6 @@ validate_generated_configs() {
         "workers/image-worker/wrangler.jsonc"
         "workers/pdf-worker/wrangler.jsonc"
         "workers/user-worker/wrangler.jsonc"
-        "workers/audit-worker/src/audit-worker.ts"
-        "workers/data-worker/src/data-worker.ts"
-        "workers/image-worker/src/image-worker.ts"
-        "workers/pdf-worker/src/pdf-worker.ts"
-        "workers/user-worker/src/user-worker.ts"
         "app/config/config.json"
         "app/config/firebase.ts"
     )

package/scripts/deploy-pages-secrets.sh

@@ -151,16 +151,7 @@ if [ -z "$PAGES_PROJECT_NAME" ] || is_placeholder "$PAGES_PROJECT_NAME"; then
 fi
 
 required_pages_secrets=(
-    "AUDIT_WORKER_DOMAIN"
-    "DATA_WORKER_DOMAIN"
-    "IMAGES_API_TOKEN"
-    "IMAGES_WORKER_DOMAIN"
-    "PDF_WORKER_AUTH"
-    "PDF_WORKER_DOMAIN"
     "PROJECT_ID"
-    "R2_KEY_SECRET"
-    "USER_DB_AUTH"
-    "USER_WORKER_DOMAIN"
 )
 
 echo -e "${YELLOW}🔍 Validating required Pages secret values...${NC}"

package/scripts/deploy-worker-secrets.sh

@@ -97,8 +97,6 @@ load_required_admin_service_credentials
 
 build_user_worker_secret_list() {
     local secrets=(
-        "USER_DB_AUTH"
-        "R2_KEY_SECRET"
         "PROJECT_ID"
         "FIREBASE_SERVICE_ACCOUNT_EMAIL"
         "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY"
@@ -149,9 +147,7 @@ build_user_worker_secret_list() {
 }
 
 build_audit_worker_secret_list() {
-    local secrets=(
-        "R2_KEY_SECRET"
-    )
+    local secrets=()
 
     if [ -n "${DATA_AT_REST_ENCRYPTION_ENABLED:-}" ]; then
         secrets+=("DATA_AT_REST_ENCRYPTION_ENABLED")
@@ -230,7 +226,6 @@ set_worker_secrets() {
 
 build_data_worker_secret_list() {
     local secrets=(
-        "R2_KEY_SECRET"
         "MANIFEST_SIGNING_PRIVATE_KEY"
         "MANIFEST_SIGNING_KEY_ID"
         "EXPORT_ENCRYPTION_PRIVATE_KEY"
@@ -274,7 +269,6 @@ build_data_worker_secret_list() {
 
 build_images_worker_secret_list() {
     local secrets=(
-        "IMAGES_API_TOKEN"
         "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"
         "DATA_AT_REST_ENCRYPTION_KEY_ID"
         "IMAGE_SIGNED_URL_SECRET"
@@ -365,7 +359,7 @@ fi
 
 # PDF Worker
 if ! set_worker_secrets "PDF Worker" "workers/pdf-worker" \
-    "PDF_WORKER_AUTH" "ACCOUNT_ID" "BROWSER_API_TOKEN"; then
+    "ACCOUNT_ID" "BROWSER_API_TOKEN"; then
     echo -e "${YELLOW}⚠️  Skipping PDF Worker (not configured)${NC}"
 fi
 

package/tsconfig.json

@@ -7,7 +7,7 @@
     "**/.client/**/*.ts",
     "**/.client/**/*.tsx",
     ".react-router/types/**/*"
-  ],
+  ],  
   "compilerOptions": {
     "lib": [
       "DOM",

package/workers/audit-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "audit-worker",
-  "version": "6.1.7",
+  "version": "7.0.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.0"
+    "wrangler": "^4.84.1"
   }
 }

package/workers/audit-worker/src/{audit-worker.example.ts → audit-worker.ts}

@@ -1,29 +1,13 @@
-import { hasValidHeader } from './config';
 import { handleAuditRequest } from './handlers/audit-routes';
 import type { CreateResponse, Env } from './types';
 
-const corsHeaders: Record<string, string> = {
-  'Access-Control-Allow-Origin': 'PAGES_CUSTOM_DOMAIN',
-  'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-  'Access-Control-Allow-Headers': 'Content-Type, X-Custom-Auth-Key',
-  'Content-Type': 'application/json'
-};
-
 const createWorkerResponse: CreateResponse = (data, status: number = 200): Response => new Response(
   JSON.stringify(data),
-  { status, headers: corsHeaders }
+  { status, headers: { 'Content-Type': 'application/json' } }
 );
 
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
-    if (request.method === 'OPTIONS') {
-      return new Response(null, { headers: corsHeaders });
-    }
-
-    if (!hasValidHeader(request, env)) {
-      return createWorkerResponse({ error: 'Forbidden' }, 403);
-    }
-
     try {
       const url = new URL(request.url);
       const pathname = url.pathname;

package/workers/audit-worker/src/config.ts

@@ -1,7 +1,2 @@
-import type { Env } from './types';
-
 export const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
-export const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
-
-export const hasValidHeader = (request: Request, env: Env): boolean =>
-  request.headers.get('X-Custom-Auth-Key') === env.R2_KEY_SECRET;
+export const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';

package/workers/audit-worker/src/types.ts

@@ -1,5 +1,4 @@
 export interface Env {
-  R2_KEY_SECRET: string;
   STRIAE_AUDIT: R2Bucket;
   DATA_AT_REST_ENCRYPTION_ENABLED?: string;
   DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;

package/workers/audit-worker/wrangler.jsonc.example

@@ -1,13 +1,9 @@
 {
-  // Required secrets: R2_KEY_SECRET
-  // Optional data-at-rest secrets/vars:
-  // - DATA_AT_REST_ENCRYPTION_ENABLED=true
-  // - DATA_AT_REST_ENCRYPTION_PRIVATE_KEY (required for decrypting encrypted records)
-  // - DATA_AT_REST_ENCRYPTION_PUBLIC_KEY and DATA_AT_REST_ENCRYPTION_KEY_ID (required when encrypt-on-write is enabled)
   "name": "AUDIT_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
-  "compatibility_date": "2026-04-20",
+  "workers_dev": false,
+  "compatibility_date": "2026-04-21",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/data-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "data-worker",
-  "version": "6.1.7",
+  "version": "7.0.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,7 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.0"
+    "@cloudflare/vitest-pool-workers": "^0.14.9",
+    "wrangler": "^4.84.1"
   }
 }

package/workers/data-worker/src/config.ts

@@ -1,11 +1,6 @@
-import type { Env } from './types';
-
 export const SIGN_MANIFEST_PATH = '/api/forensic/sign-manifest';
 export const SIGN_CONFIRMATION_PATH = '/api/forensic/sign-confirmation';
 export const SIGN_AUDIT_EXPORT_PATH = '/api/forensic/sign-audit-export';
 export const DECRYPT_EXPORT_PATH = '/api/forensic/decrypt-export';
 export const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
-export const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
-
-export const hasValidHeader = (request: Request, env: Env): boolean =>
-  request.headers.get('X-Custom-Auth-Key') === env.R2_KEY_SECRET;
+export const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';

package/workers/data-worker/src/{data-worker.example.ts → data-worker.ts}

@@ -2,8 +2,7 @@ import {
   DECRYPT_EXPORT_PATH,
   SIGN_AUDIT_EXPORT_PATH,
   SIGN_CONFIRMATION_PATH,
-  SIGN_MANIFEST_PATH,
-  hasValidHeader
+  SIGN_MANIFEST_PATH
 } from './config';
 import { handleDecryptExport } from './handlers/decrypt-export';
 import {
@@ -14,28 +13,13 @@ import {
 import { handleStorageRequest } from './handlers/storage-routes';
 import type { CreateResponse, Env } from './types';
 
-const corsHeaders: Record<string, string> = {
-  'Access-Control-Allow-Origin': 'PAGES_CUSTOM_DOMAIN',
-  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
-  'Access-Control-Allow-Headers': 'Content-Type, X-Custom-Auth-Key',
-  'Content-Type': 'application/json'
-};
-
 const createWorkerResponse: CreateResponse = (data, status: number = 200): Response => new Response(
   JSON.stringify(data),
-  { status, headers: corsHeaders }
+  { status, headers: { 'Content-Type': 'application/json' } }
 );
 
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
-    if (request.method === 'OPTIONS') {
-      return new Response(null, { headers: corsHeaders });
-    }
-
-    if (!hasValidHeader(request, env)) {
-      return createWorkerResponse({ error: 'Forbidden' }, 403);
-    }
-
     try {
       const url = new URL(request.url);
       const pathname = url.pathname;

package/workers/data-worker/src/types.ts

@@ -1,5 +1,4 @@
 export interface Env {
-  R2_KEY_SECRET: string;
   STRIAE_DATA: R2Bucket;
   MANIFEST_SIGNING_PRIVATE_KEY: string;
   MANIFEST_SIGNING_KEY_ID: string;

package/workers/data-worker/wrangler.jsonc.example

@@ -1,11 +1,9 @@
 {
-  // Required secrets: R2_KEY_SECRET, MANIFEST_SIGNING_PRIVATE_KEY, MANIFEST_SIGNING_KEY_ID, EXPORT_ENCRYPTION_PRIVATE_KEY, EXPORT_ENCRYPTION_KEY_ID  
-  // - DATA_AT_REST_ENCRYPTION_PRIVATE_KEY (required for decrypting encrypted records)
-  // - DATA_AT_REST_ENCRYPTION_PUBLIC_KEY and DATA_AT_REST_ENCRYPTION_KEY_ID (required when encrypt-on-write is enabled)
   "name": "DATA_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
-  "compatibility_date": "2026-04-20",
+  "workers_dev": false,
+  "compatibility_date": "2026-04-21",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/image-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "image-worker",
-  "version": "6.1.7",
+  "version": "7.0.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.0"
+    "wrangler": "^4.84.1"
   }
 }

package/workers/image-worker/src/handlers/delete-image.ts

@@ -1,4 +1,3 @@
-import { hasValidToken } from '../auth';
 import type { CreateImageWorkerResponse, Env } from '../types';
 import { parseFileId } from '../utils/path-utils';
 
@@ -7,10 +6,6 @@ export async function handleImageDelete(
   env: Env,
   createJsonResponse: CreateImageWorkerResponse
 ): Promise<Response> {
-  if (!hasValidToken(request, env)) {
-    return createJsonResponse({ error: 'Unauthorized' }, 403);
-  }
-
   const fileId = parseFileId(new URL(request.url).pathname);
   if (!fileId) {
     return createJsonResponse({ error: 'Image ID is required' }, 400);

package/workers/image-worker/src/handlers/mint-signed-url.ts

@@ -1,4 +1,3 @@
-import { hasValidToken } from '../auth';
 import {
   normalizeSignedUrlTtlSeconds,
   parseSignedUrlBaseUrl,
@@ -21,10 +20,6 @@ export async function handleSignedUrlMinting(
   fileId: string,
   createJsonResponse: CreateImageWorkerResponse
 ): Promise<Response> {
-  if (!hasValidToken(request, env)) {
-    return createJsonResponse({ error: 'Unauthorized' }, 403);
-  }
-
   requireSignedUrlConfig(env);
 
   const existing = await env.STRIAE_FILES.head(fileId);

package/workers/image-worker/src/handlers/serve-image.ts

@@ -1,4 +1,3 @@
-import { hasValidToken } from '../auth';
 import {
   decryptBinaryWithRegistry,
   requireEncryptionRetrievalConfig
@@ -12,8 +11,7 @@ export async function handleImageServing(
   request: Request,
   env: Env,
   fileId: string,
-  createJsonResponse: CreateImageWorkerResponse,
-  corsHeaders: Record<string, string>
+  createJsonResponse: CreateImageWorkerResponse
 ): Promise<Response> {
   const requestUrl = new URL(request.url);
   const hasSignedToken = requestUrl.searchParams.has('st');
@@ -30,7 +28,7 @@ export async function handleImageServing(
     if (!tokenValid) {
       return createJsonResponse({ error: 'Invalid or expired signed URL token' }, 403);
     }
-  } else if (!hasValidToken(request, env)) {
+  } else {
     return createJsonResponse({ error: 'Unauthorized' }, 403);
   }
 
@@ -56,7 +54,6 @@ export async function handleImageServing(
   return new Response(plaintext, {
     status: 200,
     headers: {
-      ...corsHeaders,
       'Cache-Control': 'no-store',
       'Content-Type': contentType,
       'Content-Disposition': contentDisposition

package/workers/image-worker/src/handlers/upload-image.ts

@@ -1,4 +1,3 @@
-import { hasValidToken } from '../auth';
 import { encryptBinaryForStorage } from '../encryption-utils';
 import { requireEncryptionUploadConfig } from '../security/key-registry';
 import type { CreateImageWorkerResponse, Env } from '../types';
@@ -9,10 +8,6 @@ export async function handleImageUpload(
   env: Env,
   createJsonResponse: CreateImageWorkerResponse
 ): Promise<Response> {
-  if (!hasValidToken(request, env)) {
-    return createJsonResponse({ error: 'Unauthorized' }, 403);
-  }
-
   requireEncryptionUploadConfig(env);
 
   const formData = await request.formData();

package/workers/image-worker/src/{image-worker.example.ts → image-worker.ts}

@@ -1,31 +1,18 @@
 import { routeImageWorkerRequest } from './router';
 import type { APIResponse, Env } from './types';
 
-const corsHeaders: Record<string, string> = {
-  'Access-Control-Allow-Origin': 'PAGES_CUSTOM_DOMAIN',
-  'Access-Control-Allow-Methods': 'GET, POST, DELETE, OPTIONS',
-  'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Custom-Auth-Key'
-};
-
 const createJsonResponse = (data: APIResponse, status: number = 200): Response => new Response(
   JSON.stringify(data),
   {
     status,
-    headers: {
-      ...corsHeaders,
-      'Content-Type': 'application/json'
-    }
+    headers: { 'Content-Type': 'application/json' }
   }
 );
 
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
-    if (request.method === 'OPTIONS') {
-      return new Response(null, { headers: corsHeaders });
-    }
-
     try {
-      return await routeImageWorkerRequest(request, env, createJsonResponse, corsHeaders);
+      return await routeImageWorkerRequest(request, env, createJsonResponse);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
       return createJsonResponse({ error: errorMessage }, 500);

package/workers/image-worker/src/router.ts

@@ -8,8 +8,7 @@ import { parsePathSegments } from './utils/path-utils';
 export async function routeImageWorkerRequest(
   request: Request,
   env: Env,
-  createJsonResponse: CreateImageWorkerResponse,
-  corsHeaders: Record<string, string>
+  createJsonResponse: CreateImageWorkerResponse
 ): Promise<Response> {
   const requestUrl = new URL(request.url);
   const pathSegments = parsePathSegments(requestUrl.pathname);
@@ -36,7 +35,7 @@ export async function routeImageWorkerRequest(
         return createJsonResponse({ error: 'Image ID is required' }, 400);
       }
 
-      return handleImageServing(request, env, fileId, createJsonResponse, corsHeaders);
+      return handleImageServing(request, env, fileId, createJsonResponse);
     }
 
     case 'DELETE': {

package/workers/image-worker/src/security/signed-url.ts

@@ -51,7 +51,7 @@ export function normalizeSignedUrlTtlSeconds(requestedTtlSeconds: unknown, env:
 }
 
 export function requireSignedUrlConfig(env: Env): void {
-  const resolvedSecret = (env.IMAGE_SIGNED_URL_SECRET || env.IMAGES_API_TOKEN || '').trim();
+  const resolvedSecret = (env.IMAGE_SIGNED_URL_SECRET || '').trim();
   if (resolvedSecret.length === 0) {
     throw new Error('Signed URL configuration is missing');
   }
@@ -77,7 +77,7 @@ export function parseSignedUrlBaseUrl(raw: string): string {
 }
 
 async function getSignedUrlHmacKey(env: Env): Promise<CryptoKey> {
-  const resolvedSecret = (env.IMAGE_SIGNED_URL_SECRET || env.IMAGES_API_TOKEN || '').trim();
+  const resolvedSecret = (env.IMAGE_SIGNED_URL_SECRET || '').trim();
   const keyBytes = new TextEncoder().encode(resolvedSecret);
 
   return crypto.subtle.importKey(

package/workers/image-worker/src/types.ts

@@ -1,5 +1,4 @@
 export interface Env {
-  IMAGES_API_TOKEN: string;
   STRIAE_FILES: R2Bucket;
   DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
   DATA_AT_REST_ENCRYPTION_PUBLIC_KEY: string;

package/workers/image-worker/wrangler.jsonc.example

@@ -2,7 +2,8 @@
   "name": "IMAGES_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/image-worker.ts",
-  "compatibility_date": "2026-04-20",
+  "workers_dev": false,
+  "compatibility_date": "2026-04-21",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/pdf-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pdf-worker",
-  "version": "6.1.7",
+  "version": "7.0.0",
   "private": true,
   "scripts": {
     "generate:assets": "node scripts/generate-assets.js",
@@ -9,6 +9,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.0"
+    "wrangler": "^4.84.1"
   }
 }