@striae-org/striae 7.0.0 → 7.1.0

package/.env.example

@@ -110,17 +110,11 @@ PDF_WORKER_NAME=your_pdf_worker_name_here
 BROWSER_API_TOKEN=your_cloudflare_browser_rendering_api_token_here
 
 # ================================
-# PRIMERSHEAR PDF FORMAT
-# ================================
-# Comma-separated list of email addresses that will receive the primershear PDF format.
-# Leave empty to disable the feature. Never commit this value to source control.
-# Example: PRIMERSHEAR_EMAILS=analyst@org.com,user2@org.com
-PRIMERSHEAR_EMAILS=
-
-# ================================
-# REGISTRATION EMAIL ALLOWLIST CONFIGURATION
-# ================================
-# Comma-separated list of email addresses that may register an account.
-# Leave empty to disable the feature. Never commit this value to source control.
-# Example: REGISTRATION_EMAILS=analyst@org.com,user2@org.com
-REGISTRATION_EMAILS=
+# LISTS WORKER ENVIRONMENT VARIABLES
+# ================================
+# The lists-worker manages registration and PDF format allowlists via KV.
+# STRIAE_LISTS_KV_ID is the KV namespace ID backing both lists.
+# LISTS_ADMIN_SECRET guards write endpoints (POST/DELETE); use a strong random value.
+LISTS_WORKER_NAME=your_lists_worker_name_here
+STRIAE_LISTS_KV_ID=your_striae_lists_kv_id_here
+LISTS_ADMIN_SECRET=your_lists_admin_secret_here

package/app/components/canvas/canvas.module.css

@@ -309,6 +309,18 @@
   font-family: "Inter", sans-serif;
 }
 
+.noteSection {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  overflow: hidden;
+  min-height: 0;
+}
+
+.noteSection + .noteSection {
+  border-top: 1px solid rgba(255, 255, 255, 0.08);
+}
+
 .additionalNotesBox {
   flex: 1;
   overflow-y: auto;

package/app/components/canvas/canvas.tsx

@@ -424,12 +424,33 @@ export const Canvas = ({
         </div>{/* end imageContainer */}
         
         {/* Additional Notes - Right Panel */}
-        {activeAnnotations?.has('notes') && annotationData?.additionalNotes && (
+        {activeAnnotations?.has('notes') &&
+          (annotationData?.leftAdditionalNotes || annotationData?.rightAdditionalNotes || annotationData?.additionalNotes) && (
           <aside className={styles.notesPanel} aria-label="Additional notes">
-            <div className={styles.notesPanelHeader}>Notes</div>
-            <div className={styles.additionalNotesBox}>
-              {annotationData.additionalNotes}
-            </div>
+            {annotationData?.leftAdditionalNotes && (
+              <div className={styles.noteSection}>
+                <div className={styles.notesPanelHeader}>Left Item</div>
+                <div className={styles.additionalNotesBox}>
+                  {annotationData.leftAdditionalNotes}
+                </div>
+              </div>
+            )}
+            {annotationData?.rightAdditionalNotes && (
+              <div className={styles.noteSection}>
+                <div className={styles.notesPanelHeader}>Right Item</div>
+                <div className={styles.additionalNotesBox}>
+                  {annotationData.rightAdditionalNotes}
+                </div>
+              </div>
+            )}
+            {annotationData?.additionalNotes && (
+              <div className={styles.noteSection}>
+                <div className={styles.notesPanelHeader}>Notes</div>
+                <div className={styles.additionalNotesBox}>
+                  {annotationData.additionalNotes}
+                </div>
+              </div>
+            )}
           </aside>
         )}
         </div>

package/functions/api/_shared/lists-client.ts

@@ -0,0 +1,39 @@
+export type ListResult =
+  | { ok: true; list: string }
+  | { ok: false; error: string };
+
+/**
+ * Client helper for reading email lists from the lists-worker via service binding.
+ * Returns a ListResult so callers can apply fail-open or fail-closed logic
+ * appropriate to their security context.
+ *
+ * - ok: true  → list fetched successfully (may be empty string if list is empty)
+ * - ok: false → worker unreachable, auth failure, or unexpected response shape
+ */
+export async function fetchListFromWorker(
+  binding: Fetcher,
+  list: 'members' | 'primershear',
+  secret: string
+): Promise<ListResult> {
+  try {
+    const response = await binding.fetch(`https://worker/${list}`, {
+      headers: { 'Authorization': `Bearer ${secret}` },
+    });
+    if (!response.ok) {
+      const msg = `lists-client: GET /${list} returned ${response.status}`;
+      console.error(msg);
+      return { ok: false, error: msg };
+    }
+    const data = await response.json() as { list?: unknown };
+    if (typeof data.list !== 'string') {
+      const msg = `lists-client: unexpected response shape for /${list}`;
+      console.error(msg);
+      return { ok: false, error: msg };
+    }
+    return { ok: true, list: data.list };
+  } catch (err) {
+    const msg = `lists-client: failed to fetch /${list}`;
+    console.error(msg, err);
+    return { ok: false, error: msg };
+  }
+}

package/functions/api/_shared/registration-allowlist.ts

@@ -1,17 +1,18 @@
 /**
  * Checks whether the given email is permitted to register based on the
- * REGISTRATION_EMAILS secret (a comma-separated list of allowed entries).
+ * registration allowlist (a comma-separated list of allowed entries) sourced
+ * from the lists-worker KV (key: "allow").
  *
  * Each entry may be:
  *   - An exact email address:  user@example.com
  *   - A domain wildcard:       @example.com  (matches any email from that domain)
  *
- * If registrationEmails is empty or unset, all registrations are allowed
- * (backward-compatible — deploys without a members.emails file are unrestricted).
+ * If registrationEmails is empty or unset, registration is denied (fail closed).
+ * An empty list indicates the allowlist has not been populated, not that all are allowed.
  */
 export function isEmailAllowed(email: string, registrationEmails: string): boolean {
   if (!registrationEmails || registrationEmails.trim().length === 0) {
-    return true;
+    return false;
   }
 
   const normalizedEmail = email.toLowerCase().trim();

package/functions/api/auth/can-register.ts

@@ -1,4 +1,5 @@
 import { isEmailAllowed } from '../_shared/registration-allowlist';
+import { fetchListFromWorker } from '../_shared/lists-client';
 
 interface CanRegisterContext {
   request: Request;
@@ -49,9 +50,13 @@ export const onRequest = async ({ request, env }: CanRegisterContext): Promise<R
     return textResponse('Missing required parameter: email', 400);
   }
 
-  const registrationEmails = env.REGISTRATION_EMAILS ?? '';
+  const listResult = await fetchListFromWorker(env.LISTS_WORKER, 'members', env.LISTS_ADMIN_SECRET);
+  if (!listResult.ok) {
+    // Fail closed: cannot verify allowlist, deny to prevent bypass.
+    return textResponse('Unable to verify registration eligibility', 503);
+  }
 
-  if (isEmailAllowed(email, registrationEmails)) {
+  if (isEmailAllowed(email, listResult.list)) {
     return jsonResponse({ allowed: true });
   }
 

package/functions/api/pdf/[[path]].ts

@@ -1,4 +1,5 @@
 import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
+import { fetchListFromWorker } from '../_shared/lists-client';
 
 interface PdfProxyContext {
   request: Request;
@@ -97,9 +98,11 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
 
   // Resolve the report format server-side based on the verified user email.
   // This prevents email lists from ever being exposed in the client bundle.
+  // Fail-open: if the lists-worker is unavailable, fall back to the default format.
+  const primershearResult = await fetchListFromWorker(env.LISTS_WORKER, 'primershear', env.LISTS_ADMIN_SECRET);
   const reportFormat = resolveReportFormat(
     identity.email,
-    env.PRIMERSHEAR_EMAILS ?? ''
+    primershearResult.ok ? primershearResult.list : ''
   );
 
   let upstreamBody: BodyInit;

package/functions/api/user/[[path]].ts

@@ -1,5 +1,6 @@
 import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
 import { isEmailAllowed } from '../_shared/registration-allowlist';
+import { fetchListFromWorker } from '../_shared/lists-client';
 
 interface UserProxyContext {
   request: Request;
@@ -142,9 +143,14 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
   }
 
   // Registration gateway: for PUT requests, check if this is a new user creation.
-  // If REGISTRATION_EMAILS is set and the user record does not yet exist, enforce the allowlist.
+  // Always enforce the allowlist for new users — isEmailAllowed fails closed for empty lists.
   // This is defense-in-depth — the primary check runs client-side in the login flow.
-  if (request.method === 'PUT' && env.REGISTRATION_EMAILS && env.REGISTRATION_EMAILS.trim().length > 0) {
+  if (request.method === 'PUT') {
+    const listResult = await fetchListFromWorker(env.LISTS_WORKER, 'members', env.LISTS_ADMIN_SECRET);
+    if (!listResult.ok) {
+      // Fail closed: cannot verify allowlist, reject to prevent bypass.
+      return textResponse('Unable to verify registration eligibility', 503);
+    }
     try {
       const existenceResponse = await env.USER_WORKER.fetch(
         `https://worker/${encodeURIComponent(requestedUserId)}`,
@@ -158,8 +164,8 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
 
       if (existenceResponse.status === 404) {
         // User does not exist yet — this is a registration PUT.
-        // Enforce the email allowlist.
-        if (!isEmailAllowed(identity.email ?? '', env.REGISTRATION_EMAILS)) {
+        // Enforce the email allowlist (isEmailAllowed returns false for empty list).
+        if (!isEmailAllowed(identity.email ?? '', listResult.list)) {
           return textResponse('Registration is not permitted for this email address', 403);
         }
       } else if (!existenceResponse.ok) {
@@ -169,7 +175,7 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
       }
       // If user already exists (200), proceed normally.
     } catch {
-      // Fail closed: on network error with allowlist active, reject the request.
+      // Fail closed: on network error, reject the request.
       return textResponse('Unable to verify registration eligibility', 502);
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "7.0.0",
+  "version": "7.1.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -89,16 +89,15 @@
     "deploy-config": "bash ./scripts/deploy-config.sh",
     "update-env": "bash ./scripts/deploy-config.sh --update-env",
     "install-workers": "bash ./scripts/install-workers.sh",
-    "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:pdf && npm run deploy-workers:user",
+    "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:lists && npm run deploy-workers:pdf && npm run deploy-workers:user",
     "deploy-workers:secrets": "bash ./scripts/deploy-worker-secrets.sh",
     "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh",
     "deploy-pages": "bash ./scripts/deploy-pages.sh",
-    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh",
-    "deploy-members": "bash ./scripts/deploy-members-emails.sh",
     "deploy-workers:audit": "cd workers/audit-worker && npm run deploy",
     "deploy-workers:data": "cd workers/data-worker && npm run deploy",
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",
     "deploy-workers:pdf": "cd workers/pdf-worker && npm run deploy",
+    "deploy-workers:lists": "cd workers/lists-worker && npm run deploy",
     "deploy-workers:user": "cd workers/user-worker && npm run deploy"
   },
   "dependencies": {
@@ -112,7 +111,7 @@
     "react-router": "^7.14.2"
   },
   "devDependencies": {
-    "@cloudflare/vitest-pool-workers": "^0.14.9",
+    "@cloudflare/vitest-pool-workers": "^0.15.0",
     "@react-router/dev": "^7.14.2",
     "@react-router/fs-routes": "^7.14.2",
     "@types/qrcode": "^1.5.6",
@@ -130,12 +129,15 @@
     "firebase-admin": "^13.8.0",
     "modern-normalize": "^3.0.1",
     "typescript": "^6.0.3",
-    "vite": "^8.0.9",
+    "vite": "^8.0.10",
     "vitest": "^4.1.5",
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   },
   "overrides": {
-    "@tootallnate/once": "3.0.1"
+    "@tootallnate/once": "3.0.1",
+    "firebase-admin": {
+      "uuid": "^14.0.0"
+    }
   },
   "engines": {
     "node": ">=20.19.0"

package/scripts/deploy-all.sh

@@ -110,7 +110,7 @@ if ! npx wrangler types; then
     echo -e "${RED}❌ Root wrangler types generation failed!${NC}"
     exit 1
 fi
-for WORKER in audit-worker data-worker image-worker pdf-worker user-worker; do
+for WORKER in audit-worker data-worker image-worker lists-worker pdf-worker user-worker; do
     echo -e "${YELLOW}  → Generating types for ${WORKER}...${NC}"
     if ! (cd "workers/$WORKER" && npx wrangler types); then
         echo -e "${RED}❌ wrangler types failed for ${WORKER}!${NC}"
@@ -123,7 +123,7 @@ echo ""
 # Step 4: Deploy Workers
 echo -e "${PURPLE}Step 4/7: Deploying Workers${NC}"
 echo "----------------------------"
-echo -e "${YELLOW}🔧 Deploying all 5 Cloudflare Workers...${NC}"
+echo -e "${YELLOW}🔧 Deploying all 6 Cloudflare Workers...${NC}"
 if ! npm run deploy-workers; then
     echo -e "${RED}❌ Worker deployment failed!${NC}"
     exit 1
@@ -172,7 +172,7 @@ echo ""
 echo -e "${BLUE}Deployed Components:${NC}"
 echo "  ✅ Worker dependencies (npm install)"
 echo "  ✅ Wrangler types (root + all workers)"
-echo "  ✅ 5 Cloudflare Workers"
+echo "  ✅ 6 Cloudflare Workers"
 echo "  ✅ Worker environment variables"
 echo "  ✅ Pages environment variables"
 echo "  ✅ Cloudflare Pages frontend"

package/scripts/deploy-config/modules/prompt.sh

@@ -23,7 +23,7 @@ prompt_for_secrets() {
     is_auto_generated_secret_var() {
         local var_name=$1
         case "$var_name" in
-            IMAGE_SIGNED_URL_SECRET)
+            IMAGE_SIGNED_URL_SECRET|LISTS_ADMIN_SECRET)
                 return 0
                 ;;
             *)
@@ -39,6 +39,9 @@ prompt_for_secrets() {
             IMAGE_SIGNED_URL_SECRET)
                 [ "$value" = "your_image_signed_url_secret_here" ]
                 ;;
+            LISTS_ADMIN_SECRET)
+                [ "$value" = "your_lists_admin_secret_here" ]
+                ;;
             *)
                 return 1
                 ;;
@@ -223,13 +226,44 @@ prompt_for_secrets() {
 
     echo -e "${BLUE}🔑 WORKER NAMES${NC}"
     echo "==============="
-    echo -e "${YELLOW}Worker names are lowercased automatically and must use only letters, numbers, and dashes.${NC}"
+    echo -e "${YELLOW}Worker names are auto-generated and lowercased. Press Enter to keep the generated value or type a custom name.${NC}"
+
+    # Auto-generate each worker name if not yet set or still a placeholder.
+    _gen_worker_name() {
+        local var_name=$1
+        local current="${!var_name:-}"
+        if is_placeholder "$current" || [ -z "$current" ]; then
+            local suffix
+            suffix=$(openssl rand -base64 16 2>/dev/null | tr -dc 'a-z0-9' | head -c 10 || true)
+            if [ -n "$suffix" ]; then
+                printf '%s' "striae-dev-${suffix}"
+            fi
+        fi
+    }
+
+    _new=$(  _gen_worker_name "USER_WORKER_NAME")
+    [ -n "$_new" ] && { USER_WORKER_NAME="$_new"; export USER_WORKER_NAME; }
+    prompt_for_var "USER_WORKER_NAME" "User worker name (auto-generated; change only if using an existing worker)"
+
+    _new=$(_gen_worker_name "DATA_WORKER_NAME")
+    [ -n "$_new" ] && { DATA_WORKER_NAME="$_new"; export DATA_WORKER_NAME; }
+    prompt_for_var "DATA_WORKER_NAME" "Data worker name (auto-generated; change only if using an existing worker)"
+
+    _new=$(_gen_worker_name "AUDIT_WORKER_NAME")
+    [ -n "$_new" ] && { AUDIT_WORKER_NAME="$_new"; export AUDIT_WORKER_NAME; }
+    prompt_for_var "AUDIT_WORKER_NAME" "Audit worker name (auto-generated; change only if using an existing worker)"
+
+    _new=$(_gen_worker_name "IMAGES_WORKER_NAME")
+    [ -n "$_new" ] && { IMAGES_WORKER_NAME="$_new"; export IMAGES_WORKER_NAME; }
+    prompt_for_var "IMAGES_WORKER_NAME" "Images worker name (auto-generated; change only if using an existing worker)"
+
+    _new=$(_gen_worker_name "PDF_WORKER_NAME")
+    [ -n "$_new" ] && { PDF_WORKER_NAME="$_new"; export PDF_WORKER_NAME; }
+    prompt_for_var "PDF_WORKER_NAME" "PDF worker name (auto-generated; change only if using an existing worker)"
 
-    prompt_for_var "USER_WORKER_NAME" "User worker name"
-    prompt_for_var "DATA_WORKER_NAME" "Data worker name"
-    prompt_for_var "AUDIT_WORKER_NAME" "Audit worker name"
-    prompt_for_var "IMAGES_WORKER_NAME" "Images worker name"
-    prompt_for_var "PDF_WORKER_NAME" "PDF worker name"
+    _new=$(_gen_worker_name "LISTS_WORKER_NAME")
+    [ -n "$_new" ] && { LISTS_WORKER_NAME="$_new"; export LISTS_WORKER_NAME; }
+    prompt_for_var "LISTS_WORKER_NAME" "Lists worker name (auto-generated; change only if using an existing worker)"
     echo ""
 
     echo -e "${BLUE}🗄️ STORAGE CONFIGURATION${NC}"
@@ -238,6 +272,7 @@ prompt_for_secrets() {
     prompt_for_var "AUDIT_BUCKET_NAME" "Your R2 bucket name for audit logs (separate from data bucket)"
     prompt_for_var "FILES_BUCKET_NAME" "Your R2 bucket name for encrypted files storage"
     prompt_for_var "KV_STORE_ID" "Your KV namespace ID (UUID format)"
+    prompt_for_var "STRIAE_LISTS_KV_ID" "KV namespace ID for the lists-worker (UUID format; backs registration and primershear allowlists)"
 
     echo -e "${BLUE}🔐 SERVICE-SPECIFIC SECRETS${NC}"
     echo "============================"
@@ -255,6 +290,7 @@ prompt_for_secrets() {
     prompt_for_var "IMAGE_SIGNED_URL_BASE_URL" "Signed URL delivery base URL — routes signed image delivery through the Pages proxy (leave as-is unless using a non-standard domain)"
 
     prompt_for_var "BROWSER_API_TOKEN" "Cloudflare Browser Rendering API token (for PDF Worker)"
+    prompt_for_var "LISTS_ADMIN_SECRET" "Lists worker admin secret — guards write endpoints (auto-generated; guards POST/DELETE on the lists-worker)"
 
     configure_manifest_signing_credentials
     configure_export_encryption_credentials

package/scripts/deploy-config/modules/scaffolding.sh

@@ -106,6 +106,14 @@ copy_example_configs() {
         echo -e "${YELLOW}    ⚠️  pdf-worker: wrangler.jsonc already exists, skipping copy${NC}"
     fi
 
+    cd ../lists-worker
+    if [ -f "wrangler.jsonc.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.jsonc" ]; }; then
+        cp wrangler.jsonc.example wrangler.jsonc
+        echo -e "${GREEN}    ✅ lists-worker: wrangler.jsonc created from example${NC}"
+    elif [ -f "wrangler.jsonc" ]; then
+        echo -e "${YELLOW}    ⚠️  lists-worker: wrangler.jsonc already exists, skipping copy${NC}"
+    fi
+
     # Return to project root
     cd ../..
 
@@ -172,6 +180,16 @@ update_wrangler_configs() {
         echo -e "${GREEN}    ✅ pdf-worker configuration updated${NC}"
     fi
 
+    if [ -f "workers/lists-worker/wrangler.jsonc" ]; then
+        echo -e "${YELLOW}  Updating lists-worker/wrangler.jsonc...${NC}"
+        local escaped_striae_lists_kv_id
+        escaped_striae_lists_kv_id=$(escape_for_sed_replacement "$STRIAE_LISTS_KV_ID")
+        sed -i "s/\"LISTS_WORKER_NAME\"/\"$LISTS_WORKER_NAME\"/g" workers/lists-worker/wrangler.jsonc
+        sed -i "s/\"ACCOUNT_ID\"/\"$escaped_account_id\"/g" workers/lists-worker/wrangler.jsonc
+        sed -i "s/\"STRIAE_LISTS_KV_ID\"/\"$escaped_striae_lists_kv_id\"/g" workers/lists-worker/wrangler.jsonc
+        echo -e "${GREEN}    ✅ lists-worker configuration updated${NC}"
+    fi
+
     if [ -f "workers/user-worker/wrangler.jsonc" ]; then
         echo -e "${YELLOW}  Updating user-worker/wrangler.jsonc...${NC}"
         sed -i "s/\"USER_WORKER_NAME\"/\"$USER_WORKER_NAME\"/g" workers/user-worker/wrangler.jsonc
@@ -190,6 +208,7 @@ update_wrangler_configs() {
         sed -i "s/AUDIT_WORKER_NAME/$AUDIT_WORKER_NAME/g" wrangler.toml
         sed -i "s/IMAGES_WORKER_NAME/$IMAGES_WORKER_NAME/g" wrangler.toml
         sed -i "s/PDF_WORKER_NAME/$PDF_WORKER_NAME/g" wrangler.toml
+        sed -i "s/LISTS_WORKER_NAME/$LISTS_WORKER_NAME/g" wrangler.toml
         echo -e "${GREEN}    ✅ main wrangler.toml configuration updated${NC}"
     fi
 

package/scripts/deploy-config/modules/validation.sh

@@ -96,12 +96,14 @@ required_vars=(
     "AUDIT_WORKER_NAME"
     "IMAGES_WORKER_NAME"
     "PDF_WORKER_NAME"
+    "LISTS_WORKER_NAME"
 
     # Storage Configuration (required for config replacement)
     "DATA_BUCKET_NAME"
     "AUDIT_BUCKET_NAME"
     "FILES_BUCKET_NAME"
     "KV_STORE_ID"
+    "STRIAE_LISTS_KV_ID"
 
     # Worker-Specific Secrets (required for deployment)
     "IMAGE_SIGNED_URL_SECRET"
@@ -112,6 +114,7 @@ required_vars=(
     "EXPORT_ENCRYPTION_PRIVATE_KEY"
     "EXPORT_ENCRYPTION_KEY_ID"
     "EXPORT_ENCRYPTION_PUBLIC_KEY"
+    "LISTS_ADMIN_SECRET"
 )
 
 validate_required_vars() {

package/scripts/deploy-config.sh

@@ -200,36 +200,6 @@ source "$DEPLOY_CONFIG_VALIDATION_MODULE"
 source "$DEPLOY_CONFIG_SCAFFOLDING_MODULE"
 source "$DEPLOY_CONFIG_PROMPT_MODULE"
 
-EMAIL_LIST_CONFIG_DIR="app/config"
-MEMBERS_EMAILS_FILE="$EMAIL_LIST_CONFIG_DIR/members.emails"
-PRIMERSHEAR_EMAILS_FILE="$EMAIL_LIST_CONFIG_DIR/primershear.emails"
-
-sync_env_var_from_email_list_file() {
-    local env_var_name=$1
-    local file_path=$2
-    local loaded_values=""
-
-    if [ ! -f "$file_path" ]; then
-        echo -e "${YELLOW}⚠️  $file_path not found; keeping existing $env_var_name value in .env${NC}"
-        return 0
-    fi
-
-    loaded_values=$(grep -v '^[[:space:]]*#' "$file_path" | grep -v '^[[:space:]]*$' | sed -e 's/\r$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | paste -sd ',' - || true)
-
-    write_env_var "$env_var_name" "$loaded_values"
-    export "$env_var_name=$loaded_values"
-
-    local loaded_count
-    loaded_count=$(echo "$loaded_values" | tr ',' '\n' | grep -c '[^[:space:]]' || true)
-    echo -e "${GREEN}✅ Synced $env_var_name from $file_path ($loaded_count entry/entries)${NC}"
-}
-
-sync_email_list_env_vars_from_config() {
-    echo -e "${YELLOW}📧 Syncing optional email list env vars from app/config...${NC}"
-    sync_env_var_from_email_list_file "REGISTRATION_EMAILS" "$MEMBERS_EMAILS_FILE"
-    sync_env_var_from_email_list_file "PRIMERSHEAR_EMAILS" "$PRIMERSHEAR_EMAILS_FILE"
-}
-
 if [ "$validate_only" = "true" ]; then
     echo -e "\n${BLUE}🧪 Validate-only mode enabled${NC}"
     run_validation_checkpoint
@@ -247,9 +217,6 @@ load_admin_service_credentials
 # Always prompt for secrets to ensure configuration
 prompt_for_secrets
 
-# Keep optional email list env vars aligned with app/config source files.
-sync_email_list_env_vars_from_config
-
 # Validate after secrets have been configured
 validate_required_vars
 

package/scripts/deploy-pages-secrets.sh

@@ -117,16 +117,6 @@ deploy_pages_secrets() {
         printf '%s' "$secret_value" | wrangler pages secret put "$secret" --project-name "$PAGES_PROJECT_NAME"
     done
 
-    local optional_primershear_emails
-    optional_primershear_emails=$(get_optional_value "PRIMERSHEAR_EMAILS")
-    echo -e "${YELLOW}  Setting PRIMERSHEAR_EMAILS...${NC}"
-    printf '%s' "$optional_primershear_emails" | wrangler pages secret put "PRIMERSHEAR_EMAILS" --project-name "$PAGES_PROJECT_NAME"
-
-    local optional_registration_emails
-    optional_registration_emails=$(get_optional_value "REGISTRATION_EMAILS")
-    echo -e "${YELLOW}  Setting REGISTRATION_EMAILS...${NC}"
-    printf '%s' "$optional_registration_emails" | wrangler pages secret put "REGISTRATION_EMAILS" --project-name "$PAGES_PROJECT_NAME"
-
     echo -e "${GREEN}✅ Pages secrets deployed to production${NC}"
 }
 
@@ -152,6 +142,7 @@ fi
 
 required_pages_secrets=(
     "PROJECT_ID"
+    "LISTS_ADMIN_SECRET"
 )
 
 echo -e "${YELLOW}🔍 Validating required Pages secret values...${NC}"

package/scripts/deploy-worker-secrets.sh

@@ -267,6 +267,13 @@ build_data_worker_secret_list() {
     printf '%s\n' "${secrets[@]}"
 }
 
+build_lists_worker_secret_list() {
+    local secrets=(
+        "LISTS_ADMIN_SECRET"
+    )
+    printf '%s\n' "${secrets[@]}"
+}
+
 build_images_worker_secret_list() {
     local secrets=(
         "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"
@@ -299,7 +306,7 @@ echo -e "\n${BLUE}🔐 Deploying secrets to workers...${NC}"
 # Check if workers are configured
 echo -e "${YELLOW}🔍 Checking worker configurations...${NC}"
 workers_configured=0
-total_workers=5
+total_workers=6
 
 for worker_dir in workers/*/; do
     if [ -f "$worker_dir/wrangler.jsonc" ] || [ -f "$worker_dir/wrangler.toml" ]; then
@@ -363,6 +370,16 @@ if ! set_worker_secrets "PDF Worker" "workers/pdf-worker" \
     echo -e "${YELLOW}⚠️  Skipping PDF Worker (not configured)${NC}"
 fi
 
+# Lists Worker
+lists_worker_secrets=()
+while IFS= read -r secret; do
+    lists_worker_secrets+=("$secret")
+done < <(build_lists_worker_secret_list)
+
+if ! set_worker_secrets "Lists Worker" "workers/lists-worker" "${lists_worker_secrets[@]}"; then
+    echo -e "${YELLOW}⚠️  Skipping Lists Worker (not configured)${NC}"
+fi
+
 echo -e "\n${GREEN}🎉 Worker secrets deployment completed!${NC}"
 
 echo -e "\n${YELLOW}⚠️  WORKER CONFIGURATION REMINDERS:${NC}"
@@ -371,6 +388,7 @@ echo "   - Configure KV namespace ID in workers/user-worker/wrangler.jsonc"
 echo "   - Configure R2 bucket name in workers/data-worker/wrangler.jsonc"
 echo "   - Configure R2 bucket name in workers/audit-worker/wrangler.jsonc"
 echo "   - Configure R2 bucket name in workers/image-worker/wrangler.jsonc"
+echo "   - Configure KV namespace ID in workers/lists-worker/wrangler.jsonc"
 echo "   - Update ACCOUNT_ID and custom domains in all worker configurations"
 
 echo -e "\n${BLUE}📝 For manual deployment, use these commands:${NC}"

package/scripts/install-workers.sh

@@ -7,8 +7,9 @@
 # 1. audit-worker
 # 2. data-worker
 # 3. image-worker
-# 4. pdf-worker
-# 5. user-worker
+# 4. lists-worker
+# 5. pdf-worker
+# 6. user-worker
 
 # Colors for output
 RED='\033[0;31m'
@@ -34,7 +35,7 @@ if [ ! -d "$WORKERS_DIR" ]; then
 fi
 
 # List of workers
-WORKERS=("audit-worker" "data-worker" "image-worker" "pdf-worker" "user-worker")
+WORKERS=("audit-worker" "data-worker" "image-worker" "lists-worker" "pdf-worker" "user-worker")
 
 echo -e "${PURPLE}Installing npm dependencies for all workers...${NC}"
 echo ""

package/scripts/update-markdown-versions.cjs

@@ -11,6 +11,7 @@ const workerDirs = [
   'workers/audit-worker',
   'workers/data-worker',
   'workers/image-worker',
+  'workers/lists-worker',
   'workers/pdf-worker',
   'workers/user-worker',
 ];

package/workers/audit-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "audit-worker",
-  "version": "7.0.0",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/audit-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-04-21",
+  "compatibility_date": "2026-04-25",
   "compatibility_flags": [
     "nodejs_compat"
   ],