@striae-org/striae 7.0.1 → 7.1.0

package/.env.example

@@ -110,17 +110,11 @@ PDF_WORKER_NAME=your_pdf_worker_name_here
 BROWSER_API_TOKEN=your_cloudflare_browser_rendering_api_token_here
 
 # ================================
-# PRIMERSHEAR PDF FORMAT
-# ================================
-# Comma-separated list of email addresses that will receive the primershear PDF format.
-# Leave empty to disable the feature. Never commit this value to source control.
-# Example: PRIMERSHEAR_EMAILS=analyst@org.com,user2@org.com
-PRIMERSHEAR_EMAILS=
-
-# ================================
-# REGISTRATION EMAIL ALLOWLIST CONFIGURATION
-# ================================
-# Comma-separated list of email addresses that may register an account.
-# Leave empty to disable the feature. Never commit this value to source control.
-# Example: REGISTRATION_EMAILS=analyst@org.com,user2@org.com
-REGISTRATION_EMAILS=
+# LISTS WORKER ENVIRONMENT VARIABLES
+# ================================
+# The lists-worker manages registration and PDF format allowlists via KV.
+# STRIAE_LISTS_KV_ID is the KV namespace ID backing both lists.
+# LISTS_ADMIN_SECRET guards write endpoints (POST/DELETE); use a strong random value.
+LISTS_WORKER_NAME=your_lists_worker_name_here
+STRIAE_LISTS_KV_ID=your_striae_lists_kv_id_here
+LISTS_ADMIN_SECRET=your_lists_admin_secret_here

package/functions/api/_shared/lists-client.ts

@@ -0,0 +1,39 @@
+export type ListResult =
+  | { ok: true; list: string }
+  | { ok: false; error: string };
+
+/**
+ * Client helper for reading email lists from the lists-worker via service binding.
+ * Returns a ListResult so callers can apply fail-open or fail-closed logic
+ * appropriate to their security context.
+ *
+ * - ok: true  → list fetched successfully (may be empty string if list is empty)
+ * - ok: false → worker unreachable, auth failure, or unexpected response shape
+ */
+export async function fetchListFromWorker(
+  binding: Fetcher,
+  list: 'members' | 'primershear',
+  secret: string
+): Promise<ListResult> {
+  try {
+    const response = await binding.fetch(`https://worker/${list}`, {
+      headers: { 'Authorization': `Bearer ${secret}` },
+    });
+    if (!response.ok) {
+      const msg = `lists-client: GET /${list} returned ${response.status}`;
+      console.error(msg);
+      return { ok: false, error: msg };
+    }
+    const data = await response.json() as { list?: unknown };
+    if (typeof data.list !== 'string') {
+      const msg = `lists-client: unexpected response shape for /${list}`;
+      console.error(msg);
+      return { ok: false, error: msg };
+    }
+    return { ok: true, list: data.list };
+  } catch (err) {
+    const msg = `lists-client: failed to fetch /${list}`;
+    console.error(msg, err);
+    return { ok: false, error: msg };
+  }
+}

package/functions/api/_shared/registration-allowlist.ts

@@ -1,17 +1,18 @@
 /**
  * Checks whether the given email is permitted to register based on the
- * REGISTRATION_EMAILS secret (a comma-separated list of allowed entries).
+ * registration allowlist (a comma-separated list of allowed entries) sourced
+ * from the lists-worker KV (key: "allow").
  *
  * Each entry may be:
  *   - An exact email address:  user@example.com
  *   - A domain wildcard:       @example.com  (matches any email from that domain)
  *
- * If registrationEmails is empty or unset, all registrations are allowed
- * (backward-compatible — deploys without a members.emails file are unrestricted).
+ * If registrationEmails is empty or unset, registration is denied (fail closed).
+ * An empty list indicates the allowlist has not been populated, not that all are allowed.
  */
 export function isEmailAllowed(email: string, registrationEmails: string): boolean {
   if (!registrationEmails || registrationEmails.trim().length === 0) {
-    return true;
+    return false;
   }
 
   const normalizedEmail = email.toLowerCase().trim();

package/functions/api/auth/can-register.ts

@@ -1,4 +1,5 @@
 import { isEmailAllowed } from '../_shared/registration-allowlist';
+import { fetchListFromWorker } from '../_shared/lists-client';
 
 interface CanRegisterContext {
   request: Request;
@@ -49,9 +50,13 @@ export const onRequest = async ({ request, env }: CanRegisterContext): Promise<R
     return textResponse('Missing required parameter: email', 400);
   }
 
-  const registrationEmails = env.REGISTRATION_EMAILS ?? '';
+  const listResult = await fetchListFromWorker(env.LISTS_WORKER, 'members', env.LISTS_ADMIN_SECRET);
+  if (!listResult.ok) {
+    // Fail closed: cannot verify allowlist, deny to prevent bypass.
+    return textResponse('Unable to verify registration eligibility', 503);
+  }
 
-  if (isEmailAllowed(email, registrationEmails)) {
+  if (isEmailAllowed(email, listResult.list)) {
     return jsonResponse({ allowed: true });
   }
 

package/functions/api/pdf/[[path]].ts

@@ -1,4 +1,5 @@
 import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
+import { fetchListFromWorker } from '../_shared/lists-client';
 
 interface PdfProxyContext {
   request: Request;
@@ -97,9 +98,11 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
 
   // Resolve the report format server-side based on the verified user email.
   // This prevents email lists from ever being exposed in the client bundle.
+  // Fail-open: if the lists-worker is unavailable, fall back to the default format.
+  const primershearResult = await fetchListFromWorker(env.LISTS_WORKER, 'primershear', env.LISTS_ADMIN_SECRET);
   const reportFormat = resolveReportFormat(
     identity.email,
-    env.PRIMERSHEAR_EMAILS ?? ''
+    primershearResult.ok ? primershearResult.list : ''
   );
 
   let upstreamBody: BodyInit;

package/functions/api/user/[[path]].ts

@@ -1,5 +1,6 @@
 import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
 import { isEmailAllowed } from '../_shared/registration-allowlist';
+import { fetchListFromWorker } from '../_shared/lists-client';
 
 interface UserProxyContext {
   request: Request;
@@ -142,9 +143,14 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
   }
 
   // Registration gateway: for PUT requests, check if this is a new user creation.
-  // If REGISTRATION_EMAILS is set and the user record does not yet exist, enforce the allowlist.
+  // Always enforce the allowlist for new users — isEmailAllowed fails closed for empty lists.
   // This is defense-in-depth — the primary check runs client-side in the login flow.
-  if (request.method === 'PUT' && env.REGISTRATION_EMAILS && env.REGISTRATION_EMAILS.trim().length > 0) {
+  if (request.method === 'PUT') {
+    const listResult = await fetchListFromWorker(env.LISTS_WORKER, 'members', env.LISTS_ADMIN_SECRET);
+    if (!listResult.ok) {
+      // Fail closed: cannot verify allowlist, reject to prevent bypass.
+      return textResponse('Unable to verify registration eligibility', 503);
+    }
     try {
       const existenceResponse = await env.USER_WORKER.fetch(
         `https://worker/${encodeURIComponent(requestedUserId)}`,
@@ -158,8 +164,8 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
 
       if (existenceResponse.status === 404) {
         // User does not exist yet — this is a registration PUT.
-        // Enforce the email allowlist.
-        if (!isEmailAllowed(identity.email ?? '', env.REGISTRATION_EMAILS)) {
+        // Enforce the email allowlist (isEmailAllowed returns false for empty list).
+        if (!isEmailAllowed(identity.email ?? '', listResult.list)) {
           return textResponse('Registration is not permitted for this email address', 403);
         }
       } else if (!existenceResponse.ok) {
@@ -169,7 +175,7 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
       }
       // If user already exists (200), proceed normally.
     } catch {
-      // Fail closed: on network error with allowlist active, reject the request.
+      // Fail closed: on network error, reject the request.
       return textResponse('Unable to verify registration eligibility', 502);
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "7.0.1",
+  "version": "7.1.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -89,16 +89,15 @@
     "deploy-config": "bash ./scripts/deploy-config.sh",
     "update-env": "bash ./scripts/deploy-config.sh --update-env",
     "install-workers": "bash ./scripts/install-workers.sh",
-    "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:pdf && npm run deploy-workers:user",
+    "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:lists && npm run deploy-workers:pdf && npm run deploy-workers:user",
     "deploy-workers:secrets": "bash ./scripts/deploy-worker-secrets.sh",
     "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh",
     "deploy-pages": "bash ./scripts/deploy-pages.sh",
-    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh",
-    "deploy-members": "bash ./scripts/deploy-members-emails.sh",
     "deploy-workers:audit": "cd workers/audit-worker && npm run deploy",
     "deploy-workers:data": "cd workers/data-worker && npm run deploy",
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",
     "deploy-workers:pdf": "cd workers/pdf-worker && npm run deploy",
+    "deploy-workers:lists": "cd workers/lists-worker && npm run deploy",
     "deploy-workers:user": "cd workers/user-worker && npm run deploy"
   },
   "dependencies": {
@@ -112,7 +111,7 @@
     "react-router": "^7.14.2"
   },
   "devDependencies": {
-    "@cloudflare/vitest-pool-workers": "^0.14.9",
+    "@cloudflare/vitest-pool-workers": "^0.15.0",
     "@react-router/dev": "^7.14.2",
     "@react-router/fs-routes": "^7.14.2",
     "@types/qrcode": "^1.5.6",
@@ -130,12 +129,15 @@
     "firebase-admin": "^13.8.0",
     "modern-normalize": "^3.0.1",
     "typescript": "^6.0.3",
-    "vite": "^8.0.9",
+    "vite": "^8.0.10",
     "vitest": "^4.1.5",
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   },
   "overrides": {
-    "@tootallnate/once": "3.0.1"
+    "@tootallnate/once": "3.0.1",
+    "firebase-admin": {
+      "uuid": "^14.0.0"
+    }
   },
   "engines": {
     "node": ">=20.19.0"

package/scripts/deploy-all.sh

@@ -110,7 +110,7 @@ if ! npx wrangler types; then
     echo -e "${RED}❌ Root wrangler types generation failed!${NC}"
     exit 1
 fi
-for WORKER in audit-worker data-worker image-worker pdf-worker user-worker; do
+for WORKER in audit-worker data-worker image-worker lists-worker pdf-worker user-worker; do
     echo -e "${YELLOW}  → Generating types for ${WORKER}...${NC}"
     if ! (cd "workers/$WORKER" && npx wrangler types); then
         echo -e "${RED}❌ wrangler types failed for ${WORKER}!${NC}"
@@ -123,7 +123,7 @@ echo ""
 # Step 4: Deploy Workers
 echo -e "${PURPLE}Step 4/7: Deploying Workers${NC}"
 echo "----------------------------"
-echo -e "${YELLOW}🔧 Deploying all 5 Cloudflare Workers...${NC}"
+echo -e "${YELLOW}🔧 Deploying all 6 Cloudflare Workers...${NC}"
 if ! npm run deploy-workers; then
     echo -e "${RED}❌ Worker deployment failed!${NC}"
     exit 1
@@ -172,7 +172,7 @@ echo ""
 echo -e "${BLUE}Deployed Components:${NC}"
 echo "  ✅ Worker dependencies (npm install)"
 echo "  ✅ Wrangler types (root + all workers)"
-echo "  ✅ 5 Cloudflare Workers"
+echo "  ✅ 6 Cloudflare Workers"
 echo "  ✅ Worker environment variables"
 echo "  ✅ Pages environment variables"
 echo "  ✅ Cloudflare Pages frontend"

package/scripts/deploy-config/modules/prompt.sh

@@ -23,7 +23,7 @@ prompt_for_secrets() {
     is_auto_generated_secret_var() {
         local var_name=$1
         case "$var_name" in
-            IMAGE_SIGNED_URL_SECRET)
+            IMAGE_SIGNED_URL_SECRET|LISTS_ADMIN_SECRET)
                 return 0
                 ;;
             *)
@@ -39,6 +39,9 @@ prompt_for_secrets() {
             IMAGE_SIGNED_URL_SECRET)
                 [ "$value" = "your_image_signed_url_secret_here" ]
                 ;;
+            LISTS_ADMIN_SECRET)
+                [ "$value" = "your_lists_admin_secret_here" ]
+                ;;
             *)
                 return 1
                 ;;
@@ -223,13 +226,44 @@ prompt_for_secrets() {
 
     echo -e "${BLUE}🔑 WORKER NAMES${NC}"
     echo "==============="
-    echo -e "${YELLOW}Worker names are lowercased automatically and must use only letters, numbers, and dashes.${NC}"
+    echo -e "${YELLOW}Worker names are auto-generated and lowercased. Press Enter to keep the generated value or type a custom name.${NC}"
+
+    # Auto-generate each worker name if not yet set or still a placeholder.
+    _gen_worker_name() {
+        local var_name=$1
+        local current="${!var_name:-}"
+        if is_placeholder "$current" || [ -z "$current" ]; then
+            local suffix
+            suffix=$(openssl rand -base64 16 2>/dev/null | tr -dc 'a-z0-9' | head -c 10 || true)
+            if [ -n "$suffix" ]; then
+                printf '%s' "striae-dev-${suffix}"
+            fi
+        fi
+    }
+
+    _new=$(  _gen_worker_name "USER_WORKER_NAME")
+    [ -n "$_new" ] && { USER_WORKER_NAME="$_new"; export USER_WORKER_NAME; }
+    prompt_for_var "USER_WORKER_NAME" "User worker name (auto-generated; change only if using an existing worker)"
+
+    _new=$(_gen_worker_name "DATA_WORKER_NAME")
+    [ -n "$_new" ] && { DATA_WORKER_NAME="$_new"; export DATA_WORKER_NAME; }
+    prompt_for_var "DATA_WORKER_NAME" "Data worker name (auto-generated; change only if using an existing worker)"
+
+    _new=$(_gen_worker_name "AUDIT_WORKER_NAME")
+    [ -n "$_new" ] && { AUDIT_WORKER_NAME="$_new"; export AUDIT_WORKER_NAME; }
+    prompt_for_var "AUDIT_WORKER_NAME" "Audit worker name (auto-generated; change only if using an existing worker)"
+
+    _new=$(_gen_worker_name "IMAGES_WORKER_NAME")
+    [ -n "$_new" ] && { IMAGES_WORKER_NAME="$_new"; export IMAGES_WORKER_NAME; }
+    prompt_for_var "IMAGES_WORKER_NAME" "Images worker name (auto-generated; change only if using an existing worker)"
+
+    _new=$(_gen_worker_name "PDF_WORKER_NAME")
+    [ -n "$_new" ] && { PDF_WORKER_NAME="$_new"; export PDF_WORKER_NAME; }
+    prompt_for_var "PDF_WORKER_NAME" "PDF worker name (auto-generated; change only if using an existing worker)"
 
-    prompt_for_var "USER_WORKER_NAME" "User worker name"
-    prompt_for_var "DATA_WORKER_NAME" "Data worker name"
-    prompt_for_var "AUDIT_WORKER_NAME" "Audit worker name"
-    prompt_for_var "IMAGES_WORKER_NAME" "Images worker name"
-    prompt_for_var "PDF_WORKER_NAME" "PDF worker name"
+    _new=$(_gen_worker_name "LISTS_WORKER_NAME")
+    [ -n "$_new" ] && { LISTS_WORKER_NAME="$_new"; export LISTS_WORKER_NAME; }
+    prompt_for_var "LISTS_WORKER_NAME" "Lists worker name (auto-generated; change only if using an existing worker)"
     echo ""
 
     echo -e "${BLUE}🗄️ STORAGE CONFIGURATION${NC}"
@@ -238,6 +272,7 @@ prompt_for_secrets() {
     prompt_for_var "AUDIT_BUCKET_NAME" "Your R2 bucket name for audit logs (separate from data bucket)"
     prompt_for_var "FILES_BUCKET_NAME" "Your R2 bucket name for encrypted files storage"
     prompt_for_var "KV_STORE_ID" "Your KV namespace ID (UUID format)"
+    prompt_for_var "STRIAE_LISTS_KV_ID" "KV namespace ID for the lists-worker (UUID format; backs registration and primershear allowlists)"
 
     echo -e "${BLUE}🔐 SERVICE-SPECIFIC SECRETS${NC}"
     echo "============================"
@@ -255,6 +290,7 @@ prompt_for_secrets() {
     prompt_for_var "IMAGE_SIGNED_URL_BASE_URL" "Signed URL delivery base URL — routes signed image delivery through the Pages proxy (leave as-is unless using a non-standard domain)"
 
     prompt_for_var "BROWSER_API_TOKEN" "Cloudflare Browser Rendering API token (for PDF Worker)"
+    prompt_for_var "LISTS_ADMIN_SECRET" "Lists worker admin secret — guards write endpoints (auto-generated; guards POST/DELETE on the lists-worker)"
 
     configure_manifest_signing_credentials
     configure_export_encryption_credentials

package/scripts/deploy-config/modules/scaffolding.sh

@@ -106,6 +106,14 @@ copy_example_configs() {
         echo -e "${YELLOW}    ⚠️  pdf-worker: wrangler.jsonc already exists, skipping copy${NC}"
     fi
 
+    cd ../lists-worker
+    if [ -f "wrangler.jsonc.example" ] && { [ "$update_env" = "true" ] || [ ! -f "wrangler.jsonc" ]; }; then
+        cp wrangler.jsonc.example wrangler.jsonc
+        echo -e "${GREEN}    ✅ lists-worker: wrangler.jsonc created from example${NC}"
+    elif [ -f "wrangler.jsonc" ]; then
+        echo -e "${YELLOW}    ⚠️  lists-worker: wrangler.jsonc already exists, skipping copy${NC}"
+    fi
+
     # Return to project root
     cd ../..
 
@@ -172,6 +180,16 @@ update_wrangler_configs() {
         echo -e "${GREEN}    ✅ pdf-worker configuration updated${NC}"
     fi
 
+    if [ -f "workers/lists-worker/wrangler.jsonc" ]; then
+        echo -e "${YELLOW}  Updating lists-worker/wrangler.jsonc...${NC}"
+        local escaped_striae_lists_kv_id
+        escaped_striae_lists_kv_id=$(escape_for_sed_replacement "$STRIAE_LISTS_KV_ID")
+        sed -i "s/\"LISTS_WORKER_NAME\"/\"$LISTS_WORKER_NAME\"/g" workers/lists-worker/wrangler.jsonc
+        sed -i "s/\"ACCOUNT_ID\"/\"$escaped_account_id\"/g" workers/lists-worker/wrangler.jsonc
+        sed -i "s/\"STRIAE_LISTS_KV_ID\"/\"$escaped_striae_lists_kv_id\"/g" workers/lists-worker/wrangler.jsonc
+        echo -e "${GREEN}    ✅ lists-worker configuration updated${NC}"
+    fi
+
     if [ -f "workers/user-worker/wrangler.jsonc" ]; then
         echo -e "${YELLOW}  Updating user-worker/wrangler.jsonc...${NC}"
         sed -i "s/\"USER_WORKER_NAME\"/\"$USER_WORKER_NAME\"/g" workers/user-worker/wrangler.jsonc
@@ -190,6 +208,7 @@ update_wrangler_configs() {
         sed -i "s/AUDIT_WORKER_NAME/$AUDIT_WORKER_NAME/g" wrangler.toml
         sed -i "s/IMAGES_WORKER_NAME/$IMAGES_WORKER_NAME/g" wrangler.toml
         sed -i "s/PDF_WORKER_NAME/$PDF_WORKER_NAME/g" wrangler.toml
+        sed -i "s/LISTS_WORKER_NAME/$LISTS_WORKER_NAME/g" wrangler.toml
         echo -e "${GREEN}    ✅ main wrangler.toml configuration updated${NC}"
     fi
 

package/scripts/deploy-config/modules/validation.sh

@@ -96,12 +96,14 @@ required_vars=(
     "AUDIT_WORKER_NAME"
     "IMAGES_WORKER_NAME"
     "PDF_WORKER_NAME"
+    "LISTS_WORKER_NAME"
 
     # Storage Configuration (required for config replacement)
     "DATA_BUCKET_NAME"
     "AUDIT_BUCKET_NAME"
     "FILES_BUCKET_NAME"
     "KV_STORE_ID"
+    "STRIAE_LISTS_KV_ID"
 
     # Worker-Specific Secrets (required for deployment)
     "IMAGE_SIGNED_URL_SECRET"
@@ -112,6 +114,7 @@ required_vars=(
     "EXPORT_ENCRYPTION_PRIVATE_KEY"
     "EXPORT_ENCRYPTION_KEY_ID"
     "EXPORT_ENCRYPTION_PUBLIC_KEY"
+    "LISTS_ADMIN_SECRET"
 )
 
 validate_required_vars() {

package/scripts/deploy-config.sh

@@ -200,36 +200,6 @@ source "$DEPLOY_CONFIG_VALIDATION_MODULE"
 source "$DEPLOY_CONFIG_SCAFFOLDING_MODULE"
 source "$DEPLOY_CONFIG_PROMPT_MODULE"
 
-EMAIL_LIST_CONFIG_DIR="app/config"
-MEMBERS_EMAILS_FILE="$EMAIL_LIST_CONFIG_DIR/members.emails"
-PRIMERSHEAR_EMAILS_FILE="$EMAIL_LIST_CONFIG_DIR/primershear.emails"
-
-sync_env_var_from_email_list_file() {
-    local env_var_name=$1
-    local file_path=$2
-    local loaded_values=""
-
-    if [ ! -f "$file_path" ]; then
-        echo -e "${YELLOW}⚠️  $file_path not found; keeping existing $env_var_name value in .env${NC}"
-        return 0
-    fi
-
-    loaded_values=$(grep -v '^[[:space:]]*#' "$file_path" | grep -v '^[[:space:]]*$' | sed -e 's/\r$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | paste -sd ',' - || true)
-
-    write_env_var "$env_var_name" "$loaded_values"
-    export "$env_var_name=$loaded_values"
-
-    local loaded_count
-    loaded_count=$(echo "$loaded_values" | tr ',' '\n' | grep -c '[^[:space:]]' || true)
-    echo -e "${GREEN}✅ Synced $env_var_name from $file_path ($loaded_count entry/entries)${NC}"
-}
-
-sync_email_list_env_vars_from_config() {
-    echo -e "${YELLOW}📧 Syncing optional email list env vars from app/config...${NC}"
-    sync_env_var_from_email_list_file "REGISTRATION_EMAILS" "$MEMBERS_EMAILS_FILE"
-    sync_env_var_from_email_list_file "PRIMERSHEAR_EMAILS" "$PRIMERSHEAR_EMAILS_FILE"
-}
-
 if [ "$validate_only" = "true" ]; then
     echo -e "\n${BLUE}🧪 Validate-only mode enabled${NC}"
     run_validation_checkpoint
@@ -247,9 +217,6 @@ load_admin_service_credentials
 # Always prompt for secrets to ensure configuration
 prompt_for_secrets
 
-# Keep optional email list env vars aligned with app/config source files.
-sync_email_list_env_vars_from_config
-
 # Validate after secrets have been configured
 validate_required_vars
 

package/scripts/deploy-pages-secrets.sh

@@ -117,16 +117,6 @@ deploy_pages_secrets() {
         printf '%s' "$secret_value" | wrangler pages secret put "$secret" --project-name "$PAGES_PROJECT_NAME"
     done
 
-    local optional_primershear_emails
-    optional_primershear_emails=$(get_optional_value "PRIMERSHEAR_EMAILS")
-    echo -e "${YELLOW}  Setting PRIMERSHEAR_EMAILS...${NC}"
-    printf '%s' "$optional_primershear_emails" | wrangler pages secret put "PRIMERSHEAR_EMAILS" --project-name "$PAGES_PROJECT_NAME"
-
-    local optional_registration_emails
-    optional_registration_emails=$(get_optional_value "REGISTRATION_EMAILS")
-    echo -e "${YELLOW}  Setting REGISTRATION_EMAILS...${NC}"
-    printf '%s' "$optional_registration_emails" | wrangler pages secret put "REGISTRATION_EMAILS" --project-name "$PAGES_PROJECT_NAME"
-
     echo -e "${GREEN}✅ Pages secrets deployed to production${NC}"
 }
 
@@ -152,6 +142,7 @@ fi
 
 required_pages_secrets=(
     "PROJECT_ID"
+    "LISTS_ADMIN_SECRET"
 )
 
 echo -e "${YELLOW}🔍 Validating required Pages secret values...${NC}"

package/scripts/deploy-worker-secrets.sh

@@ -267,6 +267,13 @@ build_data_worker_secret_list() {
     printf '%s\n' "${secrets[@]}"
 }
 
+build_lists_worker_secret_list() {
+    local secrets=(
+        "LISTS_ADMIN_SECRET"
+    )
+    printf '%s\n' "${secrets[@]}"
+}
+
 build_images_worker_secret_list() {
     local secrets=(
         "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"
@@ -299,7 +306,7 @@ echo -e "\n${BLUE}🔐 Deploying secrets to workers...${NC}"
 # Check if workers are configured
 echo -e "${YELLOW}🔍 Checking worker configurations...${NC}"
 workers_configured=0
-total_workers=5
+total_workers=6
 
 for worker_dir in workers/*/; do
     if [ -f "$worker_dir/wrangler.jsonc" ] || [ -f "$worker_dir/wrangler.toml" ]; then
@@ -363,6 +370,16 @@ if ! set_worker_secrets "PDF Worker" "workers/pdf-worker" \
     echo -e "${YELLOW}⚠️  Skipping PDF Worker (not configured)${NC}"
 fi
 
+# Lists Worker
+lists_worker_secrets=()
+while IFS= read -r secret; do
+    lists_worker_secrets+=("$secret")
+done < <(build_lists_worker_secret_list)
+
+if ! set_worker_secrets "Lists Worker" "workers/lists-worker" "${lists_worker_secrets[@]}"; then
+    echo -e "${YELLOW}⚠️  Skipping Lists Worker (not configured)${NC}"
+fi
+
 echo -e "\n${GREEN}🎉 Worker secrets deployment completed!${NC}"
 
 echo -e "\n${YELLOW}⚠️  WORKER CONFIGURATION REMINDERS:${NC}"
@@ -371,6 +388,7 @@ echo "   - Configure KV namespace ID in workers/user-worker/wrangler.jsonc"
 echo "   - Configure R2 bucket name in workers/data-worker/wrangler.jsonc"
 echo "   - Configure R2 bucket name in workers/audit-worker/wrangler.jsonc"
 echo "   - Configure R2 bucket name in workers/image-worker/wrangler.jsonc"
+echo "   - Configure KV namespace ID in workers/lists-worker/wrangler.jsonc"
 echo "   - Update ACCOUNT_ID and custom domains in all worker configurations"
 
 echo -e "\n${BLUE}📝 For manual deployment, use these commands:${NC}"

package/scripts/install-workers.sh

@@ -7,8 +7,9 @@
 # 1. audit-worker
 # 2. data-worker
 # 3. image-worker
-# 4. pdf-worker
-# 5. user-worker
+# 4. lists-worker
+# 5. pdf-worker
+# 6. user-worker
 
 # Colors for output
 RED='\033[0;31m'
@@ -34,7 +35,7 @@ if [ ! -d "$WORKERS_DIR" ]; then
 fi
 
 # List of workers
-WORKERS=("audit-worker" "data-worker" "image-worker" "pdf-worker" "user-worker")
+WORKERS=("audit-worker" "data-worker" "image-worker" "lists-worker" "pdf-worker" "user-worker")
 
 echo -e "${PURPLE}Installing npm dependencies for all workers...${NC}"
 echo ""

package/scripts/update-markdown-versions.cjs

@@ -11,6 +11,7 @@ const workerDirs = [
   'workers/audit-worker',
   'workers/data-worker',
   'workers/image-worker',
+  'workers/lists-worker',
   'workers/pdf-worker',
   'workers/user-worker',
 ];

package/workers/audit-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "audit-worker",
-  "version": "7.0.1",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/audit-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-04-22",
+  "compatibility_date": "2026-04-25",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/data-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "data-worker",
-  "version": "7.0.1",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -9,6 +9,6 @@
   },
   "devDependencies": {
     "@cloudflare/vitest-pool-workers": "^0.14.9",
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/data-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-04-22",
+  "compatibility_date": "2026-04-25",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/image-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "image-worker",
-  "version": "7.0.1",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/image-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/image-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-04-22",
+  "compatibility_date": "2026-04-25",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/workers/lists-worker/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "lists-worker",
+  "version": "7.1.0",
+  "private": true,
+  "scripts": {
+    "deploy": "wrangler deploy",
+    "dev": "wrangler dev",
+    "start": "wrangler dev"
+  },
+  "devDependencies": {
+    "wrangler": "^4.85.0"
+  }
+}

package/workers/lists-worker/src/lists-worker.ts

@@ -0,0 +1,97 @@
+import type { Env } from './types';
+
+const JSON_HEADERS: HeadersInit = {
+  'Content-Type': 'application/json',
+  'Cache-Control': 'no-store',
+  'Pragma': 'no-cache',
+};
+
+/** Routes map URL path segment to the KV key used in STRIAE_LISTS. */
+const ROUTE_TO_KV_KEY: Record<string, string> = {
+  members: 'allow',
+  primershear: 'primershear',
+};
+
+function jsonResponse(data: Record<string, unknown>, status = 200): Response {
+  return new Response(JSON.stringify(data), { status, headers: JSON_HEADERS });
+}
+
+/**
+ * Constant-time string comparison to mitigate timing side-channels on auth checks.
+ * Both strings are encoded to bytes and compared with a full XOR pass.
+ */
+function timingSafeEqual(a: string, b: string): boolean {
+  const encoder = new TextEncoder();
+  const aBytes = encoder.encode(a);
+  const bBytes = encoder.encode(b);
+  if (aBytes.length !== bBytes.length) return false;
+  let diff = 0;
+  for (let i = 0; i < aBytes.length; i++) {
+    diff |= aBytes[i] ^ bBytes[i];
+  }
+  return diff === 0;
+}
+
+function isAuthorized(request: Request, secret: string): boolean {
+  if (!secret) return false;
+  const auth = request.headers.get('Authorization');
+  if (!auth || !auth.startsWith('Bearer ')) return false;
+  return timingSafeEqual(auth.slice(7), secret);
+}
+
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const url = new URL(request.url);
+    const segment = url.pathname.replace(/^\/+|\/+$/g, '');
+    const kvKey = ROUTE_TO_KV_KEY[segment];
+
+    if (!kvKey) {
+      return jsonResponse({ error: 'Not found' }, 404);
+    }
+
+    if (request.method === 'GET') {
+      if (!isAuthorized(request, env.LISTS_ADMIN_SECRET)) {
+        return jsonResponse({ error: 'Unauthorized' }, 401);
+      }
+      const raw = (await env.STRIAE_LISTS.get(kvKey)) ?? '';
+      const list = raw ? raw.split(',').map(e => e.trim().toLowerCase()).filter(Boolean).join(',') : '';
+      return jsonResponse({ list });
+    }
+
+    if (request.method === 'POST' || request.method === 'DELETE') {
+      if (!isAuthorized(request, env.LISTS_ADMIN_SECRET)) {
+        return jsonResponse({ error: 'Unauthorized' }, 401);
+      }
+
+      let body: { entry?: unknown };
+      try {
+        body = await request.json() as { entry?: unknown };
+      } catch {
+        return jsonResponse({ error: 'Invalid JSON body' }, 400);
+      }
+
+      const entry = typeof body.entry === 'string' ? body.entry.trim().toLowerCase() : '';
+      if (!entry) {
+        return jsonResponse({ error: 'Missing or empty entry' }, 400);
+      }
+
+      const current = (await env.STRIAE_LISTS.get(kvKey)) ?? '';
+      const entries = current ? current.split(',').map(e => e.trim().toLowerCase()).filter(Boolean) : [];
+
+      if (request.method === 'POST') {
+        if (!entries.includes(entry)) {
+          entries.push(entry);
+        }
+        await env.STRIAE_LISTS.put(kvKey, entries.join(','));
+        return jsonResponse({ ok: true });
+      }
+
+      // DELETE
+      const filtered = entries.filter(e => e !== entry);
+      await env.STRIAE_LISTS.put(kvKey, filtered.join(','));
+      return jsonResponse({ ok: true });
+    }
+
+    return jsonResponse({ error: 'Method not allowed' }, 405);
+  },
+};

package/workers/lists-worker/src/types.ts

@@ -0,0 +1,4 @@
+export interface Env {
+  STRIAE_LISTS: KVNamespace;
+  LISTS_ADMIN_SECRET: string;
+}

package/workers/lists-worker/wrangler.jsonc.example

@@ -0,0 +1,23 @@
+{
+  "name": "LISTS_WORKER_NAME",
+  "account_id": "ACCOUNT_ID",
+  "main": "src/lists-worker.ts",
+  "workers_dev": false,
+  "compatibility_date": "2026-04-25",
+  "compatibility_flags": [
+    "nodejs_compat"
+  ],
+
+  "observability": {
+    "enabled": true
+  },
+
+  "kv_namespaces": [
+    {
+      "binding": "STRIAE_LISTS",
+      "id": "STRIAE_LISTS_KV_ID"
+    }
+  ],
+  
+  "placement": { "mode": "smart" }
+}

package/workers/pdf-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pdf-worker",
-  "version": "7.0.1",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "generate:assets": "node scripts/generate-assets.js",
@@ -9,6 +9,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/pdf-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/pdf-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-04-22",
+  "compatibility_date": "2026-04-25",
   "compatibility_flags": [
     "nodejs_compat"
   ],

package/workers/user-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "user-worker",
-  "version": "7.0.1",
+  "version": "7.1.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   }
 }

package/workers/user-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/user-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-04-22",
+  "compatibility_date": "2026-04-25",
   "compatibility_flags": [
     "nodejs_compat"
   ], 

package/wrangler.toml.example

@@ -1,6 +1,6 @@
 #:schema node_modules/wrangler/config-schema.json
 name = "PAGES_PROJECT_NAME"
-compatibility_date = "2026-04-22"
+compatibility_date = "2026-04-25"
 compatibility_flags = ["nodejs_compat"]
 pages_build_output_dir = "./build/client"
 
@@ -25,4 +25,8 @@ service = "IMAGES_WORKER_NAME"
 
 [[services]]
 binding = "PDF_WORKER"
-service = "PDF_WORKER_NAME"
+service = "PDF_WORKER_NAME"
+
+[[services]]
+binding = "LISTS_WORKER"
+service = "LISTS_WORKER_NAME"

package/app/config-example/members.emails

@@ -1,11 +0,0 @@
-# Registration gateway - authorized email addresses
-# One entry per line. Lines starting with # are ignored.
-# This file is untracked. Run: npm run deploy-members to push changes.
-#
-# Supported formats:
-#   Exact email:   analyst@organization.com
-#   Domain wildcard: @organization.com  (allows all emails from that domain)
-#
-# Examples:
-# analyst@organization.com
-# @striae.org

package/app/config-example/primershear.emails

@@ -1,6 +0,0 @@
-# PrimerShear PDF format - authorized email addresses
-# One email per line. Lines starting with # are ignored.
-# This file is untracked. Run: npm run deploy-primershear to push changes.
-#
-# Example:
-# analyst@organization.com

package/scripts/deploy-members-emails.sh

@@ -1,102 +0,0 @@
-#!/bin/bash
-
-# ============================================
-# MEMBERS EMAIL LIST DEPLOYMENT SCRIPT
-# ============================================
-# Reads app/config/members.emails, updates REGISTRATION_EMAILS in .env,
-# then deploys that secret directly to Cloudflare Pages (production).
-
-set -e
-set -o pipefail
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-BLUE='\033[0;34m'
-NC='\033[0m'
-
-echo -e "${BLUE}👥 Members Email List Deployment${NC}"
-echo "=================================="
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-cd "$PROJECT_ROOT"
-
-trap 'echo -e "\n${RED}❌ deploy-members-emails.sh failed near line ${LINENO}${NC}"' ERR
-
-# ── Read emails file ──────────────────────────────────────────────────────────
-
-EMAILS_FILE="$PROJECT_ROOT/app/config/members.emails"
-
-if [ ! -f "$EMAILS_FILE" ]; then
-    echo -e "${RED}❌ members.emails not found at: $EMAILS_FILE${NC}"
-    echo -e "${YELLOW}   Create it with one email address or @domain.com wildcard per line.${NC}"
-    echo -e "${YELLOW}   See app/config-example/members.emails for the format.${NC}"
-    exit 1
-fi
-
-# Strip comment lines and blank lines, then join with commas
-# Use || true to avoid failure if paste gets no input (handles empty file gracefully)
-REGISTRATION_EMAILS=$(grep -v '^[[:space:]]*#' "$EMAILS_FILE" | grep -v '^[[:space:]]*$' | paste -sd ',' - || true)
-
-if [ -z "$REGISTRATION_EMAILS" ]; then
-    echo -e "${YELLOW}⚠️  members.emails contains no active entries.${NC}"
-    echo -e "${YELLOW}   The secret will be set to an empty string, disabling the gateway (open registration).${NC}"
-fi
-
-ENTRY_COUNT=$(echo "$REGISTRATION_EMAILS" | tr ',' '\n' | grep -c '[^[:space:]]' || true)
-echo -e "${GREEN}✅ Loaded $ENTRY_COUNT entry(ies) from app/config/members.emails${NC}"
-
-# ── Update .env ───────────────────────────────────────────────────────────────
-
-ENV_FILE="$PROJECT_ROOT/.env"
-
-if [ ! -f "$ENV_FILE" ]; then
-    echo -e "${RED}❌ .env not found. Run deploy-config first.${NC}"
-    exit 1
-fi
-
-# Replace the REGISTRATION_EMAILS= line in .env (handles both empty and populated values)
-if grep -q '^REGISTRATION_EMAILS=' "$ENV_FILE"; then
-    # Use a temp file to avoid sed -i portability issues across macOS/Linux
-    local_tmp=$(mktemp)
-    sed "s|^REGISTRATION_EMAILS=.*|REGISTRATION_EMAILS=${REGISTRATION_EMAILS}|" "$ENV_FILE" > "$local_tmp"
-    mv "$local_tmp" "$ENV_FILE"
-    echo -e "${GREEN}✅ Updated REGISTRATION_EMAILS in .env${NC}"
-else
-    echo "" >> "$ENV_FILE"
-    echo "REGISTRATION_EMAILS=${REGISTRATION_EMAILS}" >> "$ENV_FILE"
-    echo -e "${GREEN}✅ Appended REGISTRATION_EMAILS to .env${NC}"
-fi
-
-# ── Deploy to Cloudflare Pages ────────────────────────────────────────────────
-
-if ! command -v wrangler > /dev/null 2>&1; then
-    echo -e "${RED}❌ wrangler is not installed or not in PATH${NC}"
-    exit 1
-fi
-
-source "$ENV_FILE"
-
-PAGES_PROJECT_NAME=$(echo "$PAGES_PROJECT_NAME" | tr -d '\r')
-if [ -z "$PAGES_PROJECT_NAME" ]; then
-    echo -e "${RED}❌ PAGES_PROJECT_NAME is missing from .env${NC}"
-    exit 1
-fi
-
-echo -e "${YELLOW}  Setting REGISTRATION_EMAILS for production...${NC}"
-printf '%s' "$REGISTRATION_EMAILS" | wrangler pages secret put REGISTRATION_EMAILS \
-    --project-name "$PAGES_PROJECT_NAME"
-
-echo -e "${GREEN}✅ REGISTRATION_EMAILS deployed to production${NC}"
-
-# Deploy Pages so the new secret takes effect immediately
-echo -e "\n${YELLOW}🚀 Building and deploying Pages to activate new secret...${NC}"
-
-if ! npm run deploy-pages; then
-    echo -e "${RED}❌ Pages deployment failed${NC}"
-    exit 1
-fi
-echo -e "${GREEN}✅ Pages deployment complete${NC}"
-
-echo -e "\n${GREEN}🎉 Members email list deployment complete!${NC}"

package/scripts/deploy-primershear-emails.sh

@@ -1,101 +0,0 @@
-#!/bin/bash
-
-# ============================================
-# PRIMERSHEAR EMAIL LIST DEPLOYMENT SCRIPT
-# ============================================
-# Reads app/config/primershear.emails, updates PRIMERSHEAR_EMAILS in .env,
-# then deploys that secret directly to Cloudflare Pages (production).
-
-set -e
-set -o pipefail
-
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-BLUE='\033[0;34m'
-NC='\033[0m'
-
-echo -e "${BLUE}📧 PrimerShear Email List Deployment${NC}"
-echo "======================================"
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-cd "$PROJECT_ROOT"
-
-trap 'echo -e "\n${RED}❌ deploy-primershear-emails.sh failed near line ${LINENO}${NC}"' ERR
-
-# ── Read emails file ──────────────────────────────────────────────────────────
-
-EMAILS_FILE="$PROJECT_ROOT/app/config/primershear.emails"
-
-if [ ! -f "$EMAILS_FILE" ]; then
-    echo -e "${RED}❌ primershear.emails not found at: $EMAILS_FILE${NC}"
-    echo -e "${YELLOW}   Create it with one email address per line.${NC}"
-    exit 1
-fi
-
-# Strip comment lines and blank lines, then join with commas
-# Use || true to avoid failure if paste gets no input (handles empty file gracefully)
-PRIMERSHEAR_EMAILS=$(grep -v '^[[:space:]]*#' "$EMAILS_FILE" | grep -v '^[[:space:]]*$' | paste -sd ',' - || true)
-
-if [ -z "$PRIMERSHEAR_EMAILS" ]; then
-    echo -e "${YELLOW}⚠️  primershear.emails contains no active email addresses.${NC}"
-    echo -e "${YELLOW}   The secret will be set to an empty string, disabling the feature.${NC}"
-fi
-
-EMAIL_COUNT=$(echo "$PRIMERSHEAR_EMAILS" | tr ',' '\n' | grep -c '[^[:space:]]' || true)
-echo -e "${GREEN}✅ Loaded $EMAIL_COUNT email address(es) from app/config/primershear.emails${NC}"
-
-# ── Update .env ───────────────────────────────────────────────────────────────
-
-ENV_FILE="$PROJECT_ROOT/.env"
-
-if [ ! -f "$ENV_FILE" ]; then
-    echo -e "${RED}❌ .env not found. Run deploy-config first.${NC}"
-    exit 1
-fi
-
-# Replace the PRIMERSHEAR_EMAILS= line in .env (handles both empty and populated values)
-if grep -q '^PRIMERSHEAR_EMAILS=' "$ENV_FILE"; then
-    # Use a temp file to avoid sed -i portability issues across macOS/Linux
-    local_tmp=$(mktemp)
-    sed "s|^PRIMERSHEAR_EMAILS=.*|PRIMERSHEAR_EMAILS=${PRIMERSHEAR_EMAILS}|" "$ENV_FILE" > "$local_tmp"
-    mv "$local_tmp" "$ENV_FILE"
-    echo -e "${GREEN}✅ Updated PRIMERSHEAR_EMAILS in .env${NC}"
-else
-    echo "" >> "$ENV_FILE"
-    echo "PRIMERSHEAR_EMAILS=${PRIMERSHEAR_EMAILS}" >> "$ENV_FILE"
-    echo -e "${GREEN}✅ Appended PRIMERSHEAR_EMAILS to .env${NC}"
-fi
-
-# ── Deploy to Cloudflare Pages ────────────────────────────────────────────────
-
-if ! command -v wrangler > /dev/null 2>&1; then
-    echo -e "${RED}❌ wrangler is not installed or not in PATH${NC}"
-    exit 1
-fi
-
-source "$ENV_FILE"
-
-PAGES_PROJECT_NAME=$(echo "$PAGES_PROJECT_NAME" | tr -d '\r')
-if [ -z "$PAGES_PROJECT_NAME" ]; then
-    echo -e "${RED}❌ PAGES_PROJECT_NAME is missing from .env${NC}"
-    exit 1
-fi
-
-echo -e "${YELLOW}  Setting PRIMERSHEAR_EMAILS for production...${NC}"
-printf '%s' "$PRIMERSHEAR_EMAILS" | wrangler pages secret put PRIMERSHEAR_EMAILS \
-    --project-name "$PAGES_PROJECT_NAME"
-
-echo -e "${GREEN}✅ PRIMERSHEAR_EMAILS deployed to production${NC}"
-
-# Deploy Pages so the new secret takes effect immediately
-echo -e "\n${YELLOW}🚀 Building and deploying Pages to activate new secret...${NC}"
-
-if ! npm run deploy-pages; then
-    echo -e "${RED}❌ Pages deployment failed${NC}"
-    exit 1
-fi
-echo -e "${GREEN}✅ Pages deployment complete${NC}"
-
-echo -e "\n${GREEN}🎉 PrimerShear email list deployment complete!${NC}"