@striae-org/striae 6.1.8 → 7.0.0

package/scripts/deploy-all.sh

@@ -79,7 +79,7 @@ echo -e "${GREEN}✅ Preflight checks passed${NC}"
 echo ""
 
 # Step 1: Configuration Setup
-echo -e "${PURPLE}Step 1/6: Configuration Setup${NC}"
+echo -e "${PURPLE}Step 1/7: Configuration Setup${NC}"
 echo "------------------------------"
 echo -e "${YELLOW}⚙️  Setting up configuration files and replacing placeholders...${NC}"
 if ! bash "$SCRIPT_DIR/deploy-config.sh"; then
@@ -92,7 +92,7 @@ run_config_checkpoint
 echo ""
 
 # Step 2: Install Worker Dependencies
-echo -e "${PURPLE}Step 2/6: Installing Worker Dependencies${NC}"
+echo -e "${PURPLE}Step 2/7: Installing Worker Dependencies${NC}"
 echo "----------------------------------------"
 echo -e "${YELLOW}📦 Installing npm dependencies for all workers...${NC}"
 if ! bash "$SCRIPT_DIR/install-workers.sh"; then
@@ -102,8 +102,26 @@ fi
 echo -e "${GREEN}✅ All worker dependencies installed successfully${NC}"
 echo ""
 
-# Step 3: Deploy Workers
-echo -e "${PURPLE}Step 3/6: Deploying Workers${NC}"
+# Step 3: Generate Wrangler Types
+echo -e "${PURPLE}Step 3/7: Generating Wrangler Types${NC}"
+echo "-------------------------------------"
+echo -e "${YELLOW}📝 Running wrangler types in root and all worker directories...${NC}"
+if ! npx wrangler types; then
+    echo -e "${RED}❌ Root wrangler types generation failed!${NC}"
+    exit 1
+fi
+for WORKER in audit-worker data-worker image-worker pdf-worker user-worker; do
+    echo -e "${YELLOW}  → Generating types for ${WORKER}...${NC}"
+    if ! (cd "workers/$WORKER" && npx wrangler types); then
+        echo -e "${RED}❌ wrangler types failed for ${WORKER}!${NC}"
+        exit 1
+    fi
+done
+echo -e "${GREEN}✅ Wrangler types generated successfully${NC}"
+echo ""
+
+# Step 4: Deploy Workers
+echo -e "${PURPLE}Step 4/7: Deploying Workers${NC}"
 echo "----------------------------"
 echo -e "${YELLOW}🔧 Deploying all 5 Cloudflare Workers...${NC}"
 if ! npm run deploy-workers; then
@@ -113,8 +131,8 @@ fi
 echo -e "${GREEN}✅ All workers deployed successfully${NC}"
 echo ""
 
-# Step 4: Deploy Worker Secrets
-echo -e "${PURPLE}Step 4/6: Deploying Worker Secrets${NC}"
+# Step 5: Deploy Worker Secrets
+echo -e "${PURPLE}Step 5/7: Deploying Worker Secrets${NC}"
 echo "-----------------------------------"
 echo -e "${YELLOW}🔐 Deploying worker environment variables...${NC}"
 if ! bash "$SCRIPT_DIR/deploy-worker-secrets.sh"; then
@@ -124,8 +142,8 @@ fi
 echo -e "${GREEN}✅ Worker secrets deployed successfully${NC}"
 echo ""
 
-# Step 5: Deploy Pages Secrets
-echo -e "${PURPLE}Step 5/6: Deploying Pages Secrets${NC}"
+# Step 6: Deploy Pages Secrets
+echo -e "${PURPLE}Step 6/7: Deploying Pages Secrets${NC}"
 echo "----------------------------------"
 echo -e "${YELLOW}🔐 Deploying Pages environment variables...${NC}"
 if ! bash "$SCRIPT_DIR/deploy-pages-secrets.sh"; then
@@ -135,8 +153,8 @@ fi
 echo -e "${GREEN}✅ Pages secrets deployed successfully${NC}"
 echo ""
 
-# Step 6: Deploy Pages
-echo -e "${PURPLE}Step 6/6: Deploying Pages${NC}"
+# Step 7: Deploy Pages
+echo -e "${PURPLE}Step 7/7: Deploying Pages${NC}"
 echo "--------------------------"
 echo -e "${YELLOW}🌐 Building and deploying Pages...${NC}"
 if ! npm run deploy-pages; then
@@ -153,6 +171,7 @@ echo "=========================================="
 echo ""
 echo -e "${BLUE}Deployed Components:${NC}"
 echo "  ✅ Worker dependencies (npm install)"
+echo "  ✅ Wrangler types (root + all workers)"
 echo "  ✅ 5 Cloudflare Workers"
 echo "  ✅ Worker environment variables"
 echo "  ✅ Pages environment variables"

package/scripts/deploy-config/modules/env-utils.sh

@@ -56,29 +56,12 @@ normalize_worker_label_value() {
     printf '%s' "$label"
 }
 
-normalize_worker_subdomain_value() {
-    local subdomain="$1"
-
-    subdomain=$(normalize_domain_value "$subdomain")
-    subdomain="${subdomain#.}"
-    subdomain="${subdomain%.}"
-    subdomain=$(printf '%s' "$subdomain" | tr '[:upper:]' '[:lower:]')
-
-    printf '%s' "$subdomain"
-}
-
 is_valid_worker_label() {
     local label="$1"
 
     [[ "$label" =~ ^[a-z0-9-]+$ ]]
 }
 
-is_valid_worker_subdomain() {
-    local subdomain="$1"
-
-    [[ "$subdomain" =~ ^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$ ]]
-}
-
 strip_carriage_returns() {
     printf '%s' "$1" | tr -d '\r'
 }
@@ -196,57 +179,6 @@ confirm_key_pair_regeneration() {
     return 1
 }
 
-generate_worker_subdomain_label() {
-    node -e "const { randomInt } = require('crypto'); const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'; let value = ''; for (let index = 0; index < 10; index += 1) { value += alphabet[randomInt(alphabet.length)]; } process.stdout.write(value);" 2>/dev/null
-}
-
-compose_worker_domain() {
-    local worker_name=$1
-    local worker_subdomain=$2
-
-    worker_name=$(normalize_worker_label_value "$worker_name")
-    worker_subdomain=$(normalize_worker_subdomain_value "$worker_subdomain")
-
-    if [ -z "$worker_name" ] || [ -z "$worker_subdomain" ]; then
-        return 1
-    fi
-
-    if ! is_valid_worker_label "$worker_name" || ! is_valid_worker_subdomain "$worker_subdomain"; then
-        return 1
-    fi
-
-    printf '%s.%s' "$worker_name" "$worker_subdomain"
-}
-
-infer_worker_subdomain_from_domain() {
-    local worker_name=$1
-    local worker_domain=$2
-    local worker_subdomain=""
-
-    worker_name=$(normalize_worker_label_value "$worker_name")
-    worker_domain=$(normalize_domain_value "$worker_domain")
-    worker_domain=$(printf '%s' "$worker_domain" | tr '[:upper:]' '[:lower:]')
-
-    if [ -z "$worker_name" ] || [ -z "$worker_domain" ] || is_placeholder "$worker_name" || is_placeholder "$worker_domain"; then
-        printf '%s' ""
-        return 0
-    fi
-
-    case "$worker_domain" in
-        "$worker_name".*)
-            worker_subdomain="${worker_domain#${worker_name}.}"
-            worker_subdomain=$(normalize_worker_subdomain_value "$worker_subdomain")
-
-            if is_valid_worker_subdomain "$worker_subdomain"; then
-                printf '%s' "$worker_subdomain"
-                return 0
-            fi
-            ;;
-    esac
-
-    printf '%s' ""
-}
-
 write_env_var() {
     local var_name=$1
     local var_value=$2

package/scripts/deploy-config/modules/prompt.sh

@@ -23,7 +23,7 @@ prompt_for_secrets() {
     is_auto_generated_secret_var() {
         local var_name=$1
         case "$var_name" in
-            USER_DB_AUTH|R2_KEY_SECRET|PDF_WORKER_AUTH|IMAGES_API_TOKEN|IMAGE_SIGNED_URL_SECRET)
+            IMAGE_SIGNED_URL_SECRET)
                 return 0
                 ;;
             *)
@@ -36,18 +36,6 @@ prompt_for_secrets() {
         local var_name=$1
         local value=$2
         case "$var_name" in
-            USER_DB_AUTH)
-                [ "$value" = "your_custom_user_db_auth_token_here" ]
-                ;;
-            R2_KEY_SECRET)
-                [ "$value" = "your_custom_r2_secret_here" ]
-                ;;
-            PDF_WORKER_AUTH)
-                [ "$value" = "your_custom_pdf_worker_auth_token_here" ]
-                ;;
-            IMAGES_API_TOKEN)
-                [ "$value" = "your_cloudflare_images_api_token_here" ]
-                ;;
             IMAGE_SIGNED_URL_SECRET)
                 [ "$value" = "your_image_signed_url_secret_here" ]
                 ;;
@@ -214,42 +202,11 @@ prompt_for_secrets() {
         echo ""
     }
 
-    set_worker_domain_from_shared_subdomain() {
-        local worker_name_var=$1
-        local worker_domain_var=$2
-        local worker_name_value="${!worker_name_var}"
-        local composed_domain=""
-
-        worker_name_value=$(normalize_worker_label_value "$worker_name_value")
-
-        if [ -z "$worker_name_value" ] || ! is_valid_worker_label "$worker_name_value"; then
-            echo -e "${RED}❌ $worker_name_var must use only lowercase letters, numbers, and dashes.${NC}"
-            exit 1
-        fi
-
-        composed_domain=$(compose_worker_domain "$worker_name_value" "$shared_worker_subdomain" || echo "")
-
-        if [ -z "$composed_domain" ]; then
-            echo -e "${RED}❌ Could not build $worker_domain_var from $worker_name_var and shared worker-subdomain.${NC}"
-            exit 1
-        fi
-
-        write_env_var "$worker_domain_var" "$composed_domain"
-        export "$worker_domain_var=$composed_domain"
-        echo -e "${GREEN}✅ $worker_domain_var set to $composed_domain${NC}"
-    }
-
     echo -e "${BLUE}📊 CLOUDFLARE CORE CONFIGURATION${NC}"
     echo "=================================="
     prompt_for_var "ACCOUNT_ID" "Your Cloudflare Account ID"
 
-    echo -e "${BLUE}🔐 SHARED AUTHENTICATION & STORAGE${NC}"
-    echo "==================================="
-    prompt_for_var "USER_DB_AUTH" "Custom user database authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "R2_KEY_SECRET" "Custom R2 storage authentication token (generate with: openssl rand -hex 16)"
-    prompt_for_var "IMAGES_API_TOKEN" "Image worker API token (shared between workers)"
-
-    echo -e "${BLUE}🔥 FIREBASE AUTH CONFIGURATION${NC}"
+    echo -e "${BLUE} FIREBASE AUTH CONFIGURATION${NC}"
     echo "==============================="
     prompt_for_var "API_KEY" "Firebase API key"
     prompt_for_var "AUTH_DOMAIN" "Firebase auth domain (project-id.firebaseapp.com)"
@@ -264,77 +221,15 @@ prompt_for_secrets() {
     prompt_for_var "PAGES_PROJECT_NAME" "Your Cloudflare Pages project name"
     prompt_for_var "PAGES_CUSTOM_DOMAIN" "Your custom domain (e.g., striae.org) - DO NOT include https://"
 
-    echo -e "${BLUE}🔑 WORKER NAMES & DOMAINS${NC}"
-    echo "========================="
+    echo -e "${BLUE}🔑 WORKER NAMES${NC}"
+    echo "==============="
     echo -e "${YELLOW}Worker names are lowercased automatically and must use only letters, numbers, and dashes.${NC}"
-    echo -e "${YELLOW}Enter one shared worker-subdomain as a hostname (for example: team-name.workers.dev).${NC}"
-    echo -e "${YELLOW}Each worker domain is generated as {worker-name}.{worker-subdomain}.${NC}"
-
-    local shared_worker_subdomain=""
-    local shared_worker_subdomain_default=""
-    local shared_worker_subdomain_input=""
-
-    shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$USER_WORKER_NAME" "$USER_WORKER_DOMAIN")
-    if [ -z "$shared_worker_subdomain_default" ]; then
-        shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$DATA_WORKER_NAME" "$DATA_WORKER_DOMAIN")
-    fi
-    if [ -z "$shared_worker_subdomain_default" ]; then
-        shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$AUDIT_WORKER_NAME" "$AUDIT_WORKER_DOMAIN")
-    fi
-    if [ -z "$shared_worker_subdomain_default" ]; then
-        shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$IMAGES_WORKER_NAME" "$IMAGES_WORKER_DOMAIN")
-    fi
-    if [ -z "$shared_worker_subdomain_default" ]; then
-        shared_worker_subdomain_default=$(infer_worker_subdomain_from_domain "$PDF_WORKER_NAME" "$PDF_WORKER_DOMAIN")
-    fi
-
-    while true; do
-        echo -e "${BLUE}WORKER_SUBDOMAIN${NC}"
-
-        if [ "$update_env" != "true" ] && [ -n "$shared_worker_subdomain_default" ] && ! is_placeholder "$shared_worker_subdomain_default"; then
-            echo -e "${GREEN}Current value: $shared_worker_subdomain_default${NC}"
-            read -p "New value (or press Enter to keep current): " shared_worker_subdomain_input
-            shared_worker_subdomain_input=$(strip_carriage_returns "$shared_worker_subdomain_input")
-
-            if [ -z "$shared_worker_subdomain_input" ]; then
-                shared_worker_subdomain="$shared_worker_subdomain_default"
-            else
-                shared_worker_subdomain="$shared_worker_subdomain_input"
-            fi
-        else
-            read -p "Enter shared worker-subdomain (e.g., team-name.workers.dev): " shared_worker_subdomain_input
-            shared_worker_subdomain_input=$(strip_carriage_returns "$shared_worker_subdomain_input")
-            shared_worker_subdomain="$shared_worker_subdomain_input"
-        fi
-
-        if [ -z "$shared_worker_subdomain" ] || is_placeholder "$shared_worker_subdomain"; then
-            echo -e "${RED}❌ shared worker-subdomain is required and cannot be a placeholder.${NC}"
-            continue
-        fi
-
-        shared_worker_subdomain=$(normalize_worker_subdomain_value "$shared_worker_subdomain")
-
-        if [ -z "$shared_worker_subdomain" ] || ! is_valid_worker_subdomain "$shared_worker_subdomain"; then
-            echo -e "${RED}❌ shared worker-subdomain must be a valid hostname like team-name.workers.dev (letters, numbers, dashes, and dots).${NC}"
-            continue
-        fi
-
-        echo -e "${GREEN}✅ Shared worker-subdomain set to: $shared_worker_subdomain${NC}"
-        echo ""
-        break
-    done
 
     prompt_for_var "USER_WORKER_NAME" "User worker name"
     prompt_for_var "DATA_WORKER_NAME" "Data worker name"
     prompt_for_var "AUDIT_WORKER_NAME" "Audit worker name"
     prompt_for_var "IMAGES_WORKER_NAME" "Images worker name"
     prompt_for_var "PDF_WORKER_NAME" "PDF worker name"
-
-    set_worker_domain_from_shared_subdomain "USER_WORKER_NAME" "USER_WORKER_DOMAIN"
-    set_worker_domain_from_shared_subdomain "DATA_WORKER_NAME" "DATA_WORKER_DOMAIN"
-    set_worker_domain_from_shared_subdomain "AUDIT_WORKER_NAME" "AUDIT_WORKER_DOMAIN"
-    set_worker_domain_from_shared_subdomain "IMAGES_WORKER_NAME" "IMAGES_WORKER_DOMAIN"
-    set_worker_domain_from_shared_subdomain "PDF_WORKER_NAME" "PDF_WORKER_DOMAIN"
     echo ""
 
     echo -e "${BLUE}🗄️ STORAGE CONFIGURATION${NC}"
@@ -346,7 +241,6 @@ prompt_for_secrets() {
 
     echo -e "${BLUE}🔐 SERVICE-SPECIFIC SECRETS${NC}"
     echo "============================"
-    prompt_for_var "PDF_WORKER_AUTH" "PDF worker authentication token (generate with: openssl rand -hex 16)"
     prompt_for_var "IMAGE_SIGNED_URL_SECRET" "Image signed URL secret (generate with: openssl rand -base64 48 | tr '+/' '-_' | tr -d '=')"
 
     # Auto-derive IMAGE_SIGNED_URL_BASE_URL from PAGES_CUSTOM_DOMAIN if not yet set or still

package/scripts/deploy-config/modules/scaffolding.sh

@@ -185,6 +185,11 @@ update_wrangler_configs() {
     if [ -f "wrangler.toml" ]; then
         echo -e "${YELLOW}  Updating wrangler.toml...${NC}"
         sed -i "s/\"PAGES_PROJECT_NAME\"/\"$PAGES_PROJECT_NAME\"/g" wrangler.toml
+        sed -i "s/USER_WORKER_NAME/$USER_WORKER_NAME/g" wrangler.toml
+        sed -i "s/DATA_WORKER_NAME/$DATA_WORKER_NAME/g" wrangler.toml
+        sed -i "s/AUDIT_WORKER_NAME/$AUDIT_WORKER_NAME/g" wrangler.toml
+        sed -i "s/IMAGES_WORKER_NAME/$IMAGES_WORKER_NAME/g" wrangler.toml
+        sed -i "s/PDF_WORKER_NAME/$PDF_WORKER_NAME/g" wrangler.toml
         echo -e "${GREEN}    ✅ main wrangler.toml configuration updated${NC}"
     fi
 

package/scripts/deploy-config/modules/validation.sh

@@ -75,11 +75,6 @@ required_vars=(
     # Core Cloudflare Configuration
     "ACCOUNT_ID"
 
-    # Shared Authentication & Storage
-    "USER_DB_AUTH"
-    "R2_KEY_SECRET"
-    "IMAGES_API_TOKEN"
-
     # Firebase Auth Configuration
     "API_KEY"
     "AUTH_DOMAIN"
@@ -102,13 +97,6 @@ required_vars=(
     "IMAGES_WORKER_NAME"
     "PDF_WORKER_NAME"
 
-    # Worker Domains (required for proxy/env secrets and worker fallbacks)
-    "USER_WORKER_DOMAIN"
-    "DATA_WORKER_DOMAIN"
-    "AUDIT_WORKER_DOMAIN"
-    "IMAGES_WORKER_DOMAIN"
-    "PDF_WORKER_DOMAIN"
-
     # Storage Configuration (required for config replacement)
     "DATA_BUCKET_NAME"
     "AUDIT_BUCKET_NAME"
@@ -116,7 +104,6 @@ required_vars=(
     "KV_STORE_ID"
 
     # Worker-Specific Secrets (required for deployment)
-    "PDF_WORKER_AUTH"
     "IMAGE_SIGNED_URL_SECRET"
     "BROWSER_API_TOKEN"
     "MANIFEST_SIGNING_PRIVATE_KEY"
@@ -212,11 +199,6 @@ validate_env_value_formats() {
     echo -e "${YELLOW}🔍 Validating environment value formats...${NC}"
 
     validate_domain_var "PAGES_CUSTOM_DOMAIN"
-    validate_domain_var "USER_WORKER_DOMAIN"
-    validate_domain_var "DATA_WORKER_DOMAIN"
-    validate_domain_var "AUDIT_WORKER_DOMAIN"
-    validate_domain_var "IMAGES_WORKER_DOMAIN"
-    validate_domain_var "PDF_WORKER_DOMAIN"
 
     if ! [[ "$KV_STORE_ID" =~ ^([0-9a-fA-F]{32}|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$ ]]; then
         echo -e "${RED}❌ Error: KV_STORE_ID must be a 32-character hex namespace ID (or UUID format)${NC}"
@@ -313,7 +295,7 @@ validate_generated_configs() {
     assert_contains_literal "app/config/firebase.ts" "$MEASUREMENT_ID" "MEASUREMENT_ID missing in app/config/firebase.ts"
 
     local placeholder_pattern
-    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|USER_WORKER_DOMAIN|DATA_WORKER_DOMAIN|AUDIT_WORKER_DOMAIN|IMAGES_WORKER_DOMAIN|PDF_WORKER_DOMAIN|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|KV_STORE_ID|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\")"
+    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|KV_STORE_ID|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\")"
 
     local files_to_scan=(
         "wrangler.toml"

package/scripts/deploy-pages-secrets.sh

@@ -151,16 +151,7 @@ if [ -z "$PAGES_PROJECT_NAME" ] || is_placeholder "$PAGES_PROJECT_NAME"; then
 fi
 
 required_pages_secrets=(
-    "AUDIT_WORKER_DOMAIN"
-    "DATA_WORKER_DOMAIN"
-    "IMAGES_API_TOKEN"
-    "IMAGES_WORKER_DOMAIN"
-    "PDF_WORKER_AUTH"
-    "PDF_WORKER_DOMAIN"
     "PROJECT_ID"
-    "R2_KEY_SECRET"
-    "USER_DB_AUTH"
-    "USER_WORKER_DOMAIN"
 )
 
 echo -e "${YELLOW}🔍 Validating required Pages secret values...${NC}"

package/scripts/deploy-worker-secrets.sh

@@ -97,8 +97,6 @@ load_required_admin_service_credentials
 
 build_user_worker_secret_list() {
     local secrets=(
-        "USER_DB_AUTH"
-        "R2_KEY_SECRET"
         "PROJECT_ID"
         "FIREBASE_SERVICE_ACCOUNT_EMAIL"
         "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY"
@@ -149,9 +147,7 @@ build_user_worker_secret_list() {
 }
 
 build_audit_worker_secret_list() {
-    local secrets=(
-        "R2_KEY_SECRET"
-    )
+    local secrets=()
 
     if [ -n "${DATA_AT_REST_ENCRYPTION_ENABLED:-}" ]; then
         secrets+=("DATA_AT_REST_ENCRYPTION_ENABLED")
@@ -230,7 +226,6 @@ set_worker_secrets() {
 
 build_data_worker_secret_list() {
     local secrets=(
-        "R2_KEY_SECRET"
         "MANIFEST_SIGNING_PRIVATE_KEY"
         "MANIFEST_SIGNING_KEY_ID"
         "EXPORT_ENCRYPTION_PRIVATE_KEY"
@@ -274,7 +269,6 @@ build_data_worker_secret_list() {
 
 build_images_worker_secret_list() {
     local secrets=(
-        "IMAGES_API_TOKEN"
         "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"
         "DATA_AT_REST_ENCRYPTION_KEY_ID"
         "IMAGE_SIGNED_URL_SECRET"
@@ -365,7 +359,7 @@ fi
 
 # PDF Worker
 if ! set_worker_secrets "PDF Worker" "workers/pdf-worker" \
-    "PDF_WORKER_AUTH" "ACCOUNT_ID" "BROWSER_API_TOKEN"; then
+    "ACCOUNT_ID" "BROWSER_API_TOKEN"; then
     echo -e "${YELLOW}⚠️  Skipping PDF Worker (not configured)${NC}"
 fi
 

package/tsconfig.json

@@ -7,10 +7,7 @@
     "**/.client/**/*.ts",
     "**/.client/**/*.tsx",
     ".react-router/types/**/*"
-  ],
-  "exclude": [
-    "tests/e2e"
-  ],
+  ],  
   "compilerOptions": {
     "lib": [
       "DOM",

package/workers/audit-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "audit-worker",
-  "version": "6.1.8",
+  "version": "7.0.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.0"
+    "wrangler": "^4.84.1"
   }
 }

package/workers/audit-worker/src/audit-worker.ts

@@ -1,4 +1,3 @@
-import { hasValidHeader } from './config';
 import { handleAuditRequest } from './handlers/audit-routes';
 import type { CreateResponse, Env } from './types';
 
@@ -9,10 +8,6 @@ const createWorkerResponse: CreateResponse = (data, status: number = 200): Respo
 
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
-    if (!hasValidHeader(request, env)) {
-      return createWorkerResponse({ error: 'Forbidden' }, 403);
-    }
-
     try {
       const url = new URL(request.url);
       const pathname = url.pathname;

package/workers/audit-worker/src/config.ts

@@ -1,7 +1,2 @@
-import type { Env } from './types';
-
 export const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
-export const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
-
-export const hasValidHeader = (request: Request, env: Env): boolean =>
-  request.headers.get('X-Custom-Auth-Key') === env.R2_KEY_SECRET;
+export const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';

package/workers/audit-worker/src/types.ts

@@ -1,5 +1,4 @@
 export interface Env {
-  R2_KEY_SECRET: string;
   STRIAE_AUDIT: R2Bucket;
   DATA_AT_REST_ENCRYPTION_ENABLED?: string;
   DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;

package/workers/audit-worker/wrangler.jsonc.example

@@ -1,13 +1,9 @@
 {
-  // Required secrets: R2_KEY_SECRET
-  // Optional data-at-rest secrets/vars:
-  // - DATA_AT_REST_ENCRYPTION_ENABLED=true
-  // - DATA_AT_REST_ENCRYPTION_PRIVATE_KEY (required for decrypting encrypted records)
-  // - DATA_AT_REST_ENCRYPTION_PUBLIC_KEY and DATA_AT_REST_ENCRYPTION_KEY_ID (required when encrypt-on-write is enabled)
   "name": "AUDIT_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
-  "compatibility_date": "2026-04-20",
+  "workers_dev": false,
+  "compatibility_date": "2026-04-21",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/data-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "data-worker",
-  "version": "6.1.8",
+  "version": "7.0.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,7 +8,7 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "@cloudflare/vitest-pool-workers": "^0.14.8",
-    "wrangler": "^4.84.0"
+    "@cloudflare/vitest-pool-workers": "^0.14.9",
+    "wrangler": "^4.84.1"
   }
 }

package/workers/data-worker/src/config.ts

@@ -1,11 +1,6 @@
-import type { Env } from './types';
-
 export const SIGN_MANIFEST_PATH = '/api/forensic/sign-manifest';
 export const SIGN_CONFIRMATION_PATH = '/api/forensic/sign-confirmation';
 export const SIGN_AUDIT_EXPORT_PATH = '/api/forensic/sign-audit-export';
 export const DECRYPT_EXPORT_PATH = '/api/forensic/decrypt-export';
 export const DATA_AT_REST_ENCRYPTION_ALGORITHM = 'RSA-OAEP-AES-256-GCM';
-export const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';
-
-export const hasValidHeader = (request: Request, env: Env): boolean =>
-  request.headers.get('X-Custom-Auth-Key') === env.R2_KEY_SECRET;
+export const DATA_AT_REST_ENCRYPTION_VERSION = '1.0';

package/workers/data-worker/src/data-worker.ts

@@ -2,8 +2,7 @@ import {
   DECRYPT_EXPORT_PATH,
   SIGN_AUDIT_EXPORT_PATH,
   SIGN_CONFIRMATION_PATH,
-  SIGN_MANIFEST_PATH,
-  hasValidHeader
+  SIGN_MANIFEST_PATH
 } from './config';
 import { handleDecryptExport } from './handlers/decrypt-export';
 import {
@@ -21,10 +20,6 @@ const createWorkerResponse: CreateResponse = (data, status: number = 200): Respo
 
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
-    if (!hasValidHeader(request, env)) {
-      return createWorkerResponse({ error: 'Forbidden' }, 403);
-    }
-
     try {
       const url = new URL(request.url);
       const pathname = url.pathname;

package/workers/data-worker/src/types.ts

@@ -1,5 +1,4 @@
 export interface Env {
-  R2_KEY_SECRET: string;
   STRIAE_DATA: R2Bucket;
   MANIFEST_SIGNING_PRIVATE_KEY: string;
   MANIFEST_SIGNING_KEY_ID: string;

package/workers/data-worker/wrangler.jsonc.example

@@ -1,11 +1,9 @@
 {
-  // Required secrets: R2_KEY_SECRET, MANIFEST_SIGNING_PRIVATE_KEY, MANIFEST_SIGNING_KEY_ID, EXPORT_ENCRYPTION_PRIVATE_KEY, EXPORT_ENCRYPTION_KEY_ID  
-  // - DATA_AT_REST_ENCRYPTION_PRIVATE_KEY (required for decrypting encrypted records)
-  // - DATA_AT_REST_ENCRYPTION_PUBLIC_KEY and DATA_AT_REST_ENCRYPTION_KEY_ID (required when encrypt-on-write is enabled)
   "name": "DATA_WORKER_NAME",
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
-  "compatibility_date": "2026-04-20",
+  "workers_dev": false,
+  "compatibility_date": "2026-04-21",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/image-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "image-worker",
-  "version": "6.1.8",
+  "version": "7.0.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.0"
+    "wrangler": "^4.84.1"
   }
 }

package/workers/image-worker/src/handlers/delete-image.ts

@@ -1,4 +1,3 @@
-import { hasValidToken } from '../auth';
 import type { CreateImageWorkerResponse, Env } from '../types';
 import { parseFileId } from '../utils/path-utils';
 
@@ -7,10 +6,6 @@ export async function handleImageDelete(
   env: Env,
   createJsonResponse: CreateImageWorkerResponse
 ): Promise<Response> {
-  if (!hasValidToken(request, env)) {
-    return createJsonResponse({ error: 'Unauthorized' }, 403);
-  }
-
   const fileId = parseFileId(new URL(request.url).pathname);
   if (!fileId) {
     return createJsonResponse({ error: 'Image ID is required' }, 400);