@striae-org/striae 7.0.0 → 7.1.0

package/workers/data-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "data-worker",
-  "version": "7.0.0",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -9,6 +9,6 @@
   },
   "devDependencies": {
     "@cloudflare/vitest-pool-workers": "^0.14.9",
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/data-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-04-21",
+  "compatibility_date": "2026-04-25",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/image-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "image-worker",
-  "version": "7.0.0",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/image-worker/src/handlers/delete-image.ts

@@ -1,21 +1,21 @@
-import type { CreateImageWorkerResponse, Env } from '../types';
+import type { CreateResponse, Env } from '../types';
 import { parseFileId } from '../utils/path-utils';
 
 export async function handleImageDelete(
   request: Request,
   env: Env,
-  createJsonResponse: CreateImageWorkerResponse
+  respond: CreateResponse
 ): Promise<Response> {
   const fileId = parseFileId(new URL(request.url).pathname);
   if (!fileId) {
-    return createJsonResponse({ error: 'Image ID is required' }, 400);
+    return respond({ error: 'Image ID is required' }, 400);
   }
 
   const existing = await env.STRIAE_FILES.head(fileId);
   if (!existing) {
-    return createJsonResponse({ error: 'File not found' }, 404);
+    return respond({ error: 'File not found' }, 404);
   }
 
   await env.STRIAE_FILES.delete(fileId);
-  return createJsonResponse({ success: true });
+  return respond({ success: true });
 }

package/workers/image-worker/src/handlers/mint-signed-url.ts

@@ -5,7 +5,7 @@ import {
   signSignedAccessPayload
 } from '../security/signed-url';
 import type {
-  CreateImageWorkerResponse,
+  CreateResponse,
   Env,
   SignedAccessPayload
 } from '../types';
@@ -18,13 +18,13 @@ export async function handleSignedUrlMinting(
   request: Request,
   env: Env,
   fileId: string,
-  createJsonResponse: CreateImageWorkerResponse
+  respond: CreateResponse
 ): Promise<Response> {
   requireSignedUrlConfig(env);
 
   const existing = await env.STRIAE_FILES.head(fileId);
   if (!existing) {
-    return createJsonResponse({ error: 'File not found' }, 404);
+    return respond({ error: 'File not found' }, 404);
   }
 
   let requestedExpiresInSeconds: number | undefined;
@@ -58,7 +58,7 @@ export async function handleSignedUrlMinting(
       console.error('Invalid IMAGE_SIGNED_URL_BASE_URL configuration', {
         reason: error instanceof Error ? error.message : String(error)
       });
-      return createJsonResponse({ error: 'Signed URL base URL is misconfigured' }, 500);
+      return respond({ error: 'Signed URL base URL is misconfigured' }, 500);
     }
   } else {
     baseUrl = new URL(request.url).origin;
@@ -66,7 +66,7 @@ export async function handleSignedUrlMinting(
 
   const signedUrl = `${baseUrl}/${encodeURIComponent(fileId)}?st=${encodeURIComponent(signedToken)}`;
 
-  return createJsonResponse({
+  return respond({
     success: true,
     result: {
       fileId,

package/workers/image-worker/src/handlers/serve-image.ts

@@ -3,7 +3,7 @@ import {
   requireEncryptionRetrievalConfig
 } from '../security/key-registry';
 import { requireSignedUrlConfig, verifySignedAccessToken } from '../security/signed-url';
-import type { CreateImageWorkerResponse, Env } from '../types';
+import type { CreateResponse, Env } from '../types';
 import { buildSafeContentDisposition } from '../utils/content-disposition';
 import { extractEnvelope } from '../utils/storage-metadata';
 
@@ -11,7 +11,7 @@ export async function handleImageServing(
   request: Request,
   env: Env,
   fileId: string,
-  createJsonResponse: CreateImageWorkerResponse
+  respond: CreateResponse
 ): Promise<Response> {
   const requestUrl = new URL(request.url);
   const hasSignedToken = requestUrl.searchParams.has('st');
@@ -21,27 +21,27 @@ export async function handleImageServing(
     requireSignedUrlConfig(env);
 
     if (!signedToken || signedToken.trim().length === 0) {
-      return createJsonResponse({ error: 'Invalid or expired signed URL token' }, 403);
+      return respond({ error: 'Invalid or expired signed URL token' }, 403);
     }
 
     const tokenValid = await verifySignedAccessToken(signedToken, fileId, env);
     if (!tokenValid) {
-      return createJsonResponse({ error: 'Invalid or expired signed URL token' }, 403);
+      return respond({ error: 'Invalid or expired signed URL token' }, 403);
     }
   } else {
-    return createJsonResponse({ error: 'Unauthorized' }, 403);
+    return respond({ error: 'Unauthorized' }, 403);
   }
 
   requireEncryptionRetrievalConfig(env);
 
   const file = await env.STRIAE_FILES.get(fileId);
   if (!file) {
-    return createJsonResponse({ error: 'File not found' }, 404);
+    return respond({ error: 'File not found' }, 404);
   }
 
   const envelope = extractEnvelope(file);
   if (!envelope) {
-    return createJsonResponse({ error: 'Missing data-at-rest envelope metadata' }, 500);
+    return respond({ error: 'Missing data-at-rest envelope metadata' }, 500);
   }
 
   const encryptedData = await file.arrayBuffer();

package/workers/image-worker/src/handlers/upload-image.ts

@@ -1,19 +1,19 @@
 import { encryptBinaryForStorage } from '../encryption-utils';
 import { requireEncryptionUploadConfig } from '../security/key-registry';
-import type { CreateImageWorkerResponse, Env } from '../types';
+import type { CreateResponse, Env } from '../types';
 import { deriveFileKind } from '../utils/content-disposition';
 
 export async function handleImageUpload(
   request: Request,
   env: Env,
-  createJsonResponse: CreateImageWorkerResponse
+  respond: CreateResponse
 ): Promise<Response> {
   requireEncryptionUploadConfig(env);
 
   const formData = await request.formData();
   const fileValue = formData.get('file');
   if (!(fileValue instanceof Blob)) {
-    return createJsonResponse({ error: 'Missing file upload payload' }, 400);
+    return respond({ error: 'Missing file upload payload' }, 400);
   }
 
   const fileBlob = fileValue;
@@ -44,7 +44,7 @@ export async function handleImageUpload(
     }
   });
 
-  return createJsonResponse({
+  return respond({
     success: true,
     errors: [],
     messages: [],

package/workers/image-worker/src/image-worker.ts

@@ -1,7 +1,7 @@
 import { routeImageWorkerRequest } from './router';
-import type { APIResponse, Env } from './types';
+import type { APIResponse, CreateResponse, Env } from './types';
 
-const createJsonResponse = (data: APIResponse, status: number = 200): Response => new Response(
+const createWorkerResponse: CreateResponse = (data: APIResponse, status: number = 200): Response => new Response(
   JSON.stringify(data),
   {
     status,
@@ -12,10 +12,10 @@ const createJsonResponse = (data: APIResponse, status: number = 200): Response =
 export default {
   async fetch(request: Request, env: Env): Promise<Response> {
     try {
-      return await routeImageWorkerRequest(request, env, createJsonResponse);
+      return await routeImageWorkerRequest(request, env, createWorkerResponse);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
-      return createJsonResponse({ error: errorMessage }, 500);
+      return createWorkerResponse({ error: errorMessage }, 500);
     }
   }
 };

package/workers/image-worker/src/router.ts

@@ -2,51 +2,51 @@ import { handleImageDelete } from './handlers/delete-image';
 import { handleSignedUrlMinting } from './handlers/mint-signed-url';
 import { handleImageServing } from './handlers/serve-image';
 import { handleImageUpload } from './handlers/upload-image';
-import type { CreateImageWorkerResponse, Env } from './types';
+import type { CreateResponse, Env } from './types';
 import { parsePathSegments } from './utils/path-utils';
 
 export async function routeImageWorkerRequest(
   request: Request,
   env: Env,
-  createJsonResponse: CreateImageWorkerResponse
+  respond: CreateResponse
 ): Promise<Response> {
   const requestUrl = new URL(request.url);
   const pathSegments = parsePathSegments(requestUrl.pathname);
   if (!pathSegments) {
-    return createJsonResponse({ error: 'Invalid image path encoding' }, 400);
+    return respond({ error: 'Invalid image path encoding' }, 400);
   }
 
   switch (request.method) {
     case 'POST': {
       if (pathSegments.length === 0) {
-        return handleImageUpload(request, env, createJsonResponse);
+        return handleImageUpload(request, env, respond);
       }
 
       if (pathSegments.length === 2 && pathSegments[1] === 'signed-url') {
-        return handleSignedUrlMinting(request, env, pathSegments[0], createJsonResponse);
+        return handleSignedUrlMinting(request, env, pathSegments[0], respond);
       }
 
-      return createJsonResponse({ error: 'Not found' }, 404);
+      return respond({ error: 'Not found' }, 404);
     }
 
     case 'GET': {
       const fileId = pathSegments.length === 1 ? pathSegments[0] : null;
       if (!fileId) {
-        return createJsonResponse({ error: 'Image ID is required' }, 400);
+        return respond({ error: 'Image ID is required' }, 400);
       }
 
-      return handleImageServing(request, env, fileId, createJsonResponse);
+      return handleImageServing(request, env, fileId, respond);
     }
 
     case 'DELETE': {
       if (pathSegments.length !== 1) {
-        return createJsonResponse({ error: 'Not found' }, 404);
+        return respond({ error: 'Not found' }, 404);
       }
 
-      return handleImageDelete(request, env, createJsonResponse);
+      return handleImageDelete(request, env, respond);
     }
 
     default:
-      return createJsonResponse({ error: 'Method not allowed' }, 405);
+      return respond({ error: 'Method not allowed' }, 405);
   }
 }

package/workers/image-worker/src/types.ts

@@ -64,4 +64,4 @@ export interface SignedAccessPayload {
   nonce: string;
 }
 
-export type CreateImageWorkerResponse = (data: APIResponse, status?: number) => Response;
+export type CreateResponse = (data: APIResponse, status?: number) => Response;

package/workers/image-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/image-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-04-21",
+  "compatibility_date": "2026-04-25",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/lists-worker/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "lists-worker",
+  "version": "7.1.0",
+  "private": true,
+  "scripts": {
+    "deploy": "wrangler deploy",
+    "dev": "wrangler dev",
+    "start": "wrangler dev"
+  },
+  "devDependencies": {
+    "wrangler": "^4.85.0"
+  }
+}

package/workers/lists-worker/src/lists-worker.ts

@@ -0,0 +1,97 @@
+import type { Env } from './types';
+
+const JSON_HEADERS: HeadersInit = {
+  'Content-Type': 'application/json',
+  'Cache-Control': 'no-store',
+  'Pragma': 'no-cache',
+};
+
+/** Routes map URL path segment to the KV key used in STRIAE_LISTS. */
+const ROUTE_TO_KV_KEY: Record<string, string> = {
+  members: 'allow',
+  primershear: 'primershear',
+};
+
+function jsonResponse(data: Record<string, unknown>, status = 200): Response {
+  return new Response(JSON.stringify(data), { status, headers: JSON_HEADERS });
+}
+
+/**
+ * Constant-time string comparison to mitigate timing side-channels on auth checks.
+ * Both strings are encoded to bytes and compared with a full XOR pass.
+ */
+function timingSafeEqual(a: string, b: string): boolean {
+  const encoder = new TextEncoder();
+  const aBytes = encoder.encode(a);
+  const bBytes = encoder.encode(b);
+  if (aBytes.length !== bBytes.length) return false;
+  let diff = 0;
+  for (let i = 0; i < aBytes.length; i++) {
+    diff |= aBytes[i] ^ bBytes[i];
+  }
+  return diff === 0;
+}
+
+function isAuthorized(request: Request, secret: string): boolean {
+  if (!secret) return false;
+  const auth = request.headers.get('Authorization');
+  if (!auth || !auth.startsWith('Bearer ')) return false;
+  return timingSafeEqual(auth.slice(7), secret);
+}
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const url = new URL(request.url);
+    const segment = url.pathname.replace(/^\/+|\/+$/g, '');
+    const kvKey = ROUTE_TO_KV_KEY[segment];
+
+    if (!kvKey) {
+      return jsonResponse({ error: 'Not found' }, 404);
+    }
+
+    if (request.method === 'GET') {
+      if (!isAuthorized(request, env.LISTS_ADMIN_SECRET)) {
+        return jsonResponse({ error: 'Unauthorized' }, 401);
+      }
+      const raw = (await env.STRIAE_LISTS.get(kvKey)) ?? '';
+      const list = raw ? raw.split(',').map(e => e.trim().toLowerCase()).filter(Boolean).join(',') : '';
+      return jsonResponse({ list });
+    }
+
+    if (request.method === 'POST' || request.method === 'DELETE') {
+      if (!isAuthorized(request, env.LISTS_ADMIN_SECRET)) {
+        return jsonResponse({ error: 'Unauthorized' }, 401);
+      }
+
+      let body: { entry?: unknown };
+      try {
+        body = await request.json() as { entry?: unknown };
+      } catch {
+        return jsonResponse({ error: 'Invalid JSON body' }, 400);
+      }
+
+      const entry = typeof body.entry === 'string' ? body.entry.trim().toLowerCase() : '';
+      if (!entry) {
+        return jsonResponse({ error: 'Missing or empty entry' }, 400);
+      }
+
+      const current = (await env.STRIAE_LISTS.get(kvKey)) ?? '';
+      const entries = current ? current.split(',').map(e => e.trim().toLowerCase()).filter(Boolean) : [];
+
+      if (request.method === 'POST') {
+        if (!entries.includes(entry)) {
+          entries.push(entry);
+        }
+        await env.STRIAE_LISTS.put(kvKey, entries.join(','));
+        return jsonResponse({ ok: true });
+      }
+
+      // DELETE
+      const filtered = entries.filter(e => e !== entry);
+      await env.STRIAE_LISTS.put(kvKey, filtered.join(','));
+      return jsonResponse({ ok: true });
+    }
+
+    return jsonResponse({ error: 'Method not allowed' }, 405);
+  },
+};

package/workers/lists-worker/src/types.ts

@@ -0,0 +1,4 @@
+export interface Env {
+  STRIAE_LISTS: KVNamespace;
+  LISTS_ADMIN_SECRET: string;
+}

package/workers/lists-worker/wrangler.jsonc.example

@@ -0,0 +1,23 @@
+{
+  "name": "LISTS_WORKER_NAME",
+  "account_id": "ACCOUNT_ID",
+  "main": "src/lists-worker.ts",
+  "workers_dev": false,
+  "compatibility_date": "2026-04-25",
+  "compatibility_flags": [
+    "nodejs_compat"
+  ],
+
+  "observability": {
+    "enabled": true
+  },
+
+  "kv_namespaces": [
+    {
+      "binding": "STRIAE_LISTS",
+      "id": "STRIAE_LISTS_KV_ID"
+    }
+  ],
+  
+  "placement": { "mode": "smart" }
+}

package/workers/pdf-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pdf-worker",
-  "version": "7.0.0",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "generate:assets": "node scripts/generate-assets.js",
@@ -9,6 +9,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/pdf-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/pdf-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-04-21",
+  "compatibility_date": "2026-04-25",
   "compatibility_flags": [
     "nodejs_compat"
   ],

package/workers/user-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "user-worker",
-  "version": "7.0.0",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/user-worker/src/handlers/user-routes.ts

@@ -3,49 +3,38 @@ import { readUserRecord, writeUserRecord } from '../storage/user-records';
 import type {
   AddCasesRequest,
   AccountDeletionProgressEvent,
+  CreateResponse,
   DeleteCasesRequest,
   Env,
   UserData,
   UserRequestData
 } from '../types';
 
-function createJsonResponse(data: unknown, status: number = 200): Response {
-  return new Response(JSON.stringify(data), {
-    status,
-    headers: { 'Content-Type': 'application/json; charset=utf-8' }
-  });
-}
-
-function createTextResponse(message: string, status: number): Response {
-  return new Response(message, {
-    status,
-    headers: { 'Content-Type': 'text/plain; charset=utf-8' }
-  });
-}
-
 export async function handleGetUser(
   env: Env,
-  userUid: string
+  userUid: string,
+  respond: CreateResponse
 ): Promise<Response> {
   try {
     const userData = await readUserRecord(env, userUid);
     if (userData === null) {
-      return createTextResponse('User not found', 404);
+      return respond({ error: 'User not found' }, 404);
     }
 
-    return createJsonResponse(userData);
+    return respond(userData);
   } catch (error) {
     const errorMessage = error instanceof Error ? error.message : 'Unknown user data read error';
     console.error('Failed to get user data:', { uid: userUid, reason: errorMessage });
 
-    return createTextResponse('Failed to get user data', 500);
+    return respond({ error: 'Failed to get user data' }, 500);
   }
 }
 
 export async function handleAddUser(
   request: Request,
   env: Env,
-  userUid: string
+  userUid: string,
+  respond: CreateResponse
 ): Promise<Response> {
   try {
     const requestData: UserRequestData = await request.json();
@@ -87,20 +76,21 @@ export async function handleAddUser(
 
     await writeUserRecord(env, userUid, userData);
 
-    return createJsonResponse(userData, existingUser !== null ? 200 : 201);
+    return respond(userData, existingUser !== null ? 200 : 201);
   } catch {
-    return createTextResponse('Failed to save user data', 500);
+    return respond({ error: 'Failed to save user data' }, 500);
   }
 }
 
 export async function handleDeleteUser(
   env: Env,
-  userUid: string
+  userUid: string,
+  respond: CreateResponse
 ): Promise<Response> {
   try {
     const result = await executeUserDeletion(env, userUid);
 
-    return createJsonResponse({
+    return respond({
       success: result.success,
       message: result.message
     });
@@ -109,10 +99,10 @@ export async function handleDeleteUser(
     const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred';
 
     if (errorMessage === 'User not found') {
-      return createTextResponse('User not found', 404);
+      return respond({ error: 'User not found' }, 404);
     }
 
-    return createJsonResponse({
+    return respond({
       success: false,
       message: 'Failed to delete user account'
     }, 500);
@@ -170,13 +160,14 @@ export function handleDeleteUserWithProgress(
 export async function handleAddCases(
   request: Request,
   env: Env,
-  userUid: string
+  userUid: string,
+  respond: CreateResponse
 ): Promise<Response> {
   try {
     const { cases = [] }: AddCasesRequest = await request.json();
     const userData = await readUserRecord(env, userUid);
     if (!userData) {
-      return createTextResponse('User not found', 404);
+      return respond({ error: 'User not found' }, 404);
     }
 
     const existingCases = userData.cases || [];
@@ -188,30 +179,31 @@ export async function handleAddCases(
     userData.updatedAt = new Date().toISOString();
     await writeUserRecord(env, userUid, userData);
 
-    return createJsonResponse(userData);
+    return respond(userData);
   } catch {
-    return createTextResponse('Failed to add cases', 500);
+    return respond({ error: 'Failed to add cases' }, 500);
   }
 }
 
 export async function handleDeleteCases(
   request: Request,
   env: Env,
-  userUid: string
+  userUid: string,
+  respond: CreateResponse
 ): Promise<Response> {
   try {
     const { casesToDelete }: DeleteCasesRequest = await request.json();
     const userData = await readUserRecord(env, userUid);
     if (!userData) {
-      return createTextResponse('User not found', 404);
+      return respond({ error: 'User not found' }, 404);
     }
 
-    userData.cases = userData.cases.filter((caseItem) => !casesToDelete.includes(caseItem.caseNumber));
+    userData.cases = (userData.cases || []).filter((caseItem) => !casesToDelete.includes(caseItem.caseNumber));
     userData.updatedAt = new Date().toISOString();
     await writeUserRecord(env, userUid, userData);
 
-    return createJsonResponse(userData);
+    return respond(userData);
   } catch {
-    return createTextResponse('Failed to delete cases', 500);
+    return respond({ error: 'Failed to delete cases' }, 500);
   }
 }

package/workers/user-worker/src/types.ts

@@ -28,6 +28,19 @@ export interface PrivateKeyRegistry {
 
 export type DecryptionTelemetryOutcome = 'primary-hit' | 'fallback-hit' | 'all-failed';
 
+export interface SuccessResponse {
+  success: boolean;
+  message?: string;
+}
+
+export interface ErrorResponse {
+  error: string;
+}
+
+export type APIResponse = SuccessResponse | ErrorResponse | UserData;
+
+export type CreateResponse = (data: APIResponse, status?: number) => Response;
+
 export interface CaseItem {
   caseNumber: string;
   caseName?: string;