@striae-org/striae 7.0.1 → 7.1.1

package/.env.example

@@ -110,17 +110,11 @@ PDF_WORKER_NAME=your_pdf_worker_name_here
 BROWSER_API_TOKEN=your_cloudflare_browser_rendering_api_token_here
 
 # ================================
-# PRIMERSHEAR PDF FORMAT
-# ================================
-# Comma-separated list of email addresses that will receive the primershear PDF format.
-# Leave empty to disable the feature. Never commit this value to source control.
-# Example: PRIMERSHEAR_EMAILS=analyst@org.com,user2@org.com
-PRIMERSHEAR_EMAILS=
-
-# ================================
-# REGISTRATION EMAIL ALLOWLIST CONFIGURATION
-# ================================
-# Comma-separated list of email addresses that may register an account.
-# Leave empty to disable the feature. Never commit this value to source control.
-# Example: REGISTRATION_EMAILS=analyst@org.com,user2@org.com
-REGISTRATION_EMAILS=
+# LISTS WORKER ENVIRONMENT VARIABLES
+# ================================
+# The lists-worker manages registration and PDF format allowlists via KV.
+# STRIAE_LISTS_KV_ID is the KV namespace ID backing both lists.
+# LISTS_ADMIN_SECRET guards write endpoints (POST/DELETE); use a strong random value.
+LISTS_WORKER_NAME=your_lists_worker_name_here
+STRIAE_LISTS_KV_ID=your_striae_lists_kv_id_here
+LISTS_ADMIN_SECRET=your_lists_admin_secret_here

package/functions/api/_shared/lists-client.ts

@@ -0,0 +1,39 @@
+export type ListResult =
+  | { ok: true; list: string }
+  | { ok: false; error: string };
+
+/**
+ * Client helper for reading email lists from the lists-worker via service binding.
+ * Returns a ListResult so callers can apply fail-open or fail-closed logic
+ * appropriate to their security context.
+ *
+ * - ok: true  → list fetched successfully (may be empty string if list is empty)
+ * - ok: false → worker unreachable, auth failure, or unexpected response shape
+ */
+export async function fetchListFromWorker(
+  binding: Fetcher,
+  list: 'members' | 'primershear',
+  secret: string
+): Promise<ListResult> {
+  try {
+    const response = await binding.fetch(`https://worker/${list}`, {
+      headers: { 'Authorization': `Bearer ${secret}` },
+    });
+    if (!response.ok) {
+      const msg = `lists-client: GET /${list} returned ${response.status}`;
+      console.error(msg);
+      return { ok: false, error: msg };
+    }
+    const data = await response.json() as { list?: unknown };
+    if (typeof data.list !== 'string') {
+      const msg = `lists-client: unexpected response shape for /${list}`;
+      console.error(msg);
+      return { ok: false, error: msg };
+    }
+    return { ok: true, list: data.list };
+  } catch (err) {
+    const msg = `lists-client: failed to fetch /${list}`;
+    console.error(msg, err);
+    return { ok: false, error: msg };
+  }
+}

package/functions/api/_shared/registration-allowlist.ts

@@ -1,17 +1,18 @@
 /**
  * Checks whether the given email is permitted to register based on the
- * REGISTRATION_EMAILS secret (a comma-separated list of allowed entries).
+ * registration allowlist (a comma-separated list of allowed entries) sourced
+ * from the lists-worker KV (key: "allow").
  *
  * Each entry may be:
  *   - An exact email address:  user@example.com
  *   - A domain wildcard:       @example.com  (matches any email from that domain)
  *
- * If registrationEmails is empty or unset, all registrations are allowed
- * (backward-compatible — deploys without a members.emails file are unrestricted).
+ * If registrationEmails is empty or unset, registration is denied (fail closed).
+ * An empty list indicates the allowlist has not been populated, not that all are allowed.
  */
 export function isEmailAllowed(email: string, registrationEmails: string): boolean {
   if (!registrationEmails || registrationEmails.trim().length === 0) {
-    return true;
+    return false;
   }
 
   const normalizedEmail = email.toLowerCase().trim();

package/functions/api/auth/can-register.ts

@@ -1,4 +1,5 @@
 import { isEmailAllowed } from '../_shared/registration-allowlist';
+import { fetchListFromWorker } from '../_shared/lists-client';
 
 interface CanRegisterContext {
   request: Request;
@@ -49,9 +50,13 @@ export const onRequest = async ({ request, env }: CanRegisterContext): Promise<R
     return textResponse('Missing required parameter: email', 400);
   }
 
-  const registrationEmails = env.REGISTRATION_EMAILS ?? '';
+  const listResult = await fetchListFromWorker(env.LISTS_WORKER, 'members', env.LISTS_ADMIN_SECRET);
+  if (!listResult.ok) {
+    // Fail closed: cannot verify allowlist, deny to prevent bypass.
+    return textResponse('Unable to verify registration eligibility', 503);
+  }
 
-  if (isEmailAllowed(email, registrationEmails)) {
+  if (isEmailAllowed(email, listResult.list)) {
     return jsonResponse({ allowed: true });
   }
 

package/functions/api/pdf/[[path]].ts

@@ -1,4 +1,5 @@
 import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
+import { fetchListFromWorker } from '../_shared/lists-client';
 
 interface PdfProxyContext {
   request: Request;
@@ -97,9 +98,11 @@ export const onRequest = async ({ request, env }: PdfProxyContext): Promise<Resp
 
   // Resolve the report format server-side based on the verified user email.
   // This prevents email lists from ever being exposed in the client bundle.
+  // Fail-open: if the lists-worker is unavailable, fall back to the default format.
+  const primershearResult = await fetchListFromWorker(env.LISTS_WORKER, 'primershear', env.LISTS_ADMIN_SECRET);
   const reportFormat = resolveReportFormat(
     identity.email,
-    env.PRIMERSHEAR_EMAILS ?? ''
+    primershearResult.ok ? primershearResult.list : ''
   );
 
   let upstreamBody: BodyInit;

package/functions/api/user/[[path]].ts

@@ -1,5 +1,6 @@
 import { verifyFirebaseIdentityFromRequest } from '../_shared/firebase-auth';
 import { isEmailAllowed } from '../_shared/registration-allowlist';
+import { fetchListFromWorker } from '../_shared/lists-client';
 
 interface UserProxyContext {
   request: Request;
@@ -142,9 +143,14 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
   }
 
   // Registration gateway: for PUT requests, check if this is a new user creation.
-  // If REGISTRATION_EMAILS is set and the user record does not yet exist, enforce the allowlist.
+  // Always enforce the allowlist for new users — isEmailAllowed fails closed for empty lists.
   // This is defense-in-depth — the primary check runs client-side in the login flow.
-  if (request.method === 'PUT' && env.REGISTRATION_EMAILS && env.REGISTRATION_EMAILS.trim().length > 0) {
+  if (request.method === 'PUT') {
+    const listResult = await fetchListFromWorker(env.LISTS_WORKER, 'members', env.LISTS_ADMIN_SECRET);
+    if (!listResult.ok) {
+      // Fail closed: cannot verify allowlist, reject to prevent bypass.
+      return textResponse('Unable to verify registration eligibility', 503);
+    }
     try {
       const existenceResponse = await env.USER_WORKER.fetch(
         `https://worker/${encodeURIComponent(requestedUserId)}`,
@@ -158,8 +164,8 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
 
       if (existenceResponse.status === 404) {
         // User does not exist yet — this is a registration PUT.
-        // Enforce the email allowlist.
-        if (!isEmailAllowed(identity.email ?? '', env.REGISTRATION_EMAILS)) {
+        // Enforce the email allowlist (isEmailAllowed returns false for empty list).
+        if (!isEmailAllowed(identity.email ?? '', listResult.list)) {
           return textResponse('Registration is not permitted for this email address', 403);
         }
       } else if (!existenceResponse.ok) {
@@ -169,7 +175,7 @@ export const onRequest = async ({ request, env }: UserProxyContext): Promise<Res
       }
       // If user already exists (200), proceed normally.
     } catch {
-      // Fail closed: on network error with allowlist active, reject the request.
+      // Fail closed: on network error, reject the request.
       return textResponse('Unable to verify registration eligibility', 502);
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "7.0.1",
+  "version": "7.1.1",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -82,6 +82,7 @@
     "test:workers:data": "vitest run --config tests/workers/data/vitest.config.mjs",
     "test:watch": "vitest --config tests/app/vitest.config.ts",
     "test:coverage": "vitest run --config tests/app/vitest.config.ts --coverage",
+    "delete-account": "node ./scripts/delete-account.mjs",
     "enable-totp-mfa": "node ./scripts/enable-totp-mfa.mjs",
     "unenroll-totp-mfa": "node ./scripts/unenroll-totp-mfa.mjs",
     "update-versions": "node ./scripts/update-markdown-versions.cjs",
@@ -89,16 +90,15 @@
     "deploy-config": "bash ./scripts/deploy-config.sh",
     "update-env": "bash ./scripts/deploy-config.sh --update-env",
     "install-workers": "bash ./scripts/install-workers.sh",
-    "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:pdf && npm run deploy-workers:user",
+    "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:lists && npm run deploy-workers:pdf && npm run deploy-workers:user",
     "deploy-workers:secrets": "bash ./scripts/deploy-worker-secrets.sh",
     "deploy-pages:secrets": "bash ./scripts/deploy-pages-secrets.sh",
     "deploy-pages": "bash ./scripts/deploy-pages.sh",
-    "deploy-primershear": "bash ./scripts/deploy-primershear-emails.sh",
-    "deploy-members": "bash ./scripts/deploy-members-emails.sh",
     "deploy-workers:audit": "cd workers/audit-worker && npm run deploy",
     "deploy-workers:data": "cd workers/data-worker && npm run deploy",
     "deploy-workers:image": "cd workers/image-worker && npm run deploy",
     "deploy-workers:pdf": "cd workers/pdf-worker && npm run deploy",
+    "deploy-workers:lists": "cd workers/lists-worker && npm run deploy",
     "deploy-workers:user": "cd workers/user-worker && npm run deploy"
   },
   "dependencies": {
@@ -112,14 +112,14 @@
     "react-router": "^7.14.2"
   },
   "devDependencies": {
-    "@cloudflare/vitest-pool-workers": "^0.14.9",
+    "@cloudflare/vitest-pool-workers": "^0.15.0",
     "@react-router/dev": "^7.14.2",
     "@react-router/fs-routes": "^7.14.2",
     "@types/qrcode": "^1.5.6",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
-    "@typescript-eslint/eslint-plugin": "^8.59.0",
-    "@typescript-eslint/parser": "^8.59.0",
+    "@typescript-eslint/eslint-plugin": "^8.59.1",
+    "@typescript-eslint/parser": "^8.59.1",
     "@vitest/coverage-v8": "^4.1.5",
     "eslint": "^9.39.4",
     "eslint-import-resolver-typescript": "^4.4.4",
@@ -130,15 +130,18 @@
     "firebase-admin": "^13.8.0",
     "modern-normalize": "^3.0.1",
     "typescript": "^6.0.3",
-    "vite": "^8.0.9",
+    "vite": "^8.0.10",
     "vitest": "^4.1.5",
-    "wrangler": "^4.84.1"
+    "wrangler": "^4.85.0"
   },
   "overrides": {
-    "@tootallnate/once": "3.0.1"
+    "@tootallnate/once": "3.0.1",
+    "firebase-admin": {
+      "uuid": "^14.0.0"
+    }
   },
   "engines": {
     "node": ">=20.19.0"
   },
-  "packageManager": "npm@11.12.0"
+  "packageManager": "npm@11.13.0"
 }

package/scripts/delete-account.mjs

@@ -0,0 +1,350 @@
+/**
+ * Admin script to permanently delete a user account via the user worker's delete endpoint.
+ * Run with: npm run delete-account -- <uid> --confirm [--url <base-url>]
+ *
+ * The pages.dev URL is derived automatically from PAGES_PROJECT_NAME in .env.
+ * Use --url to override (e.g. --url https://your-project.pages.dev).
+ * The custom domain blocks automated requests via Cloudflare Bot Fight Mode.
+ *
+ * Requires:
+ *   - app/config/admin-service.json (gitignored service account key)
+ *   - app/config/firebase.ts (gitignored Firebase config, used for apiKey)
+ *   - .env (PAGES_PROJECT_NAME used to construct the default pages.dev URL)
+ *
+ * This script creates a short-lived custom token for the target UID, exchanges it for a
+ * Firebase ID token, then calls the Pages DELETE /api/user/:uid endpoint which runs the
+ * full account deletion routine (KV, R2 files, R2 case data, Firebase Auth).
+ */
+
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+import { dirname, resolve } from 'path';
+import { readFileSync } from 'fs';
+import { createInterface } from 'readline';
+import { initializeApp, cert, getApps } from 'firebase-admin/app';
+import { getAuth } from 'firebase-admin/auth';
+
+const require = createRequire(import.meta.url);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+// --- Argument parsing ---
+
+const USAGE = 'Usage: npm run delete-account -- <uid> --confirm [--url <base-url>]';
+
+let uid = null;
+let confirmed = false;
+let urlOverride = null;
+
+{
+  const args = process.argv.slice(2);
+  let i = 0;
+  while (i < args.length) {
+    const arg = args[i];
+    if (arg === '--confirm') {
+      confirmed = true;
+      i++;
+    } else if (arg === '--url') {
+      if (i + 1 >= args.length || args[i + 1].startsWith('--')) {
+        console.error('\n❌ --url requires a value (e.g. --url https://your-project.pages.dev)');
+        console.error(USAGE);
+        process.exit(1);
+      }
+      urlOverride = args[i + 1];
+      i += 2;
+    } else if (arg.startsWith('--')) {
+      console.error(`\n❌ Unknown flag: ${arg}`);
+      console.error(USAGE);
+      process.exit(1);
+    } else if (uid === null) {
+      uid = arg;
+      i++;
+    } else {
+      console.error(`\n❌ Unexpected argument: ${arg}`);
+      console.error(USAGE);
+      process.exit(1);
+    }
+  }
+}
+
+if (!uid) {
+  console.error('\n❌ No UID provided.');
+  console.error(`\n${USAGE}`);
+  console.error('\n  --url  Override the pages.dev URL (e.g. https://your-project.pages.dev)');
+  console.error('         Defaults to https://<PAGES_PROJECT_NAME>.pages.dev from .env');
+  process.exit(1);
+}
+
+if (!confirmed) {
+  console.error('\n❌ Missing --confirm flag.');
+  console.error('\nThis operation permanently deletes the account and all associated data.');
+  console.error('Re-run with --confirm to proceed:');
+  console.error(`\n   npm run delete-account -- ${uid} --confirm\n`);
+  process.exit(1);
+}
+
+// --- Load service account ---
+
+const serviceAccountPath = resolve(__dirname, '../app/config/admin-service.json');
+
+let serviceAccount;
+try {
+  serviceAccount = require(serviceAccountPath);
+} catch {
+  console.error(`\n❌ Could not load service account key from:\n   ${serviceAccountPath}`);
+  console.error('\nMake sure app/config/admin-service.json exists (it is gitignored).');
+  process.exit(1);
+}
+
+// --- Resolve app URL ---
+// Default: derive from PAGES_PROJECT_NAME in .env → https://<name>.pages.dev
+// Override: --url flag
+// Fallback: interactive prompt
+
+let appUrl;
+if (urlOverride) {
+  appUrl = urlOverride.replace(/\/+$/, '');
+  console.log(`\nℹ️  Using URL: ${appUrl}`);
+} else {
+  let pagesProjectName = null;
+  const envPath = resolve(__dirname, '../.env');
+  try {
+    const envContent = readFileSync(envPath, 'utf8');
+    const match = envContent.match(/^PAGES_PROJECT_NAME=(.+)$/m);
+    if (match && match[1].trim()) {
+      pagesProjectName = match[1].trim();
+    }
+  } catch {
+    // .env not found or unreadable — will fall through to prompt
+  }
+
+  if (pagesProjectName) {
+    appUrl = `https://${pagesProjectName}.pages.dev`;
+    console.log(`\nℹ️  Using derived pages.dev URL: ${appUrl}`);
+  } else {
+    console.warn('\n⚠️  Could not read PAGES_PROJECT_NAME from .env.');
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    appUrl = await new Promise((res) => {
+      rl.question(
+        'Enter the pages.dev URL (e.g. https://<project>.pages.dev): ',
+        (answer) => { rl.close(); res(answer.trim().replace(/\/+$/, '')); }
+      );
+    });
+    if (!appUrl) {
+      console.error('\n❌ No URL provided. Aborting.');
+      process.exit(1);
+    }
+  }
+}
+
+// --- Load Firebase API key from firebase.ts ---
+
+const firebaseTsPath = resolve(__dirname, '../app/config/firebase.ts');
+let apiKey;
+try {
+  const firebaseTsContent = readFileSync(firebaseTsPath, 'utf8');
+  const match = firebaseTsContent.match(/apiKey:\s*["']([^"']+)["']/);
+  if (!match) {
+    throw new Error('apiKey not found in firebase.ts');
+  }
+  apiKey = match[1];
+  if (apiKey.startsWith('YOUR_')) {
+    throw new Error('apiKey is still a placeholder value');
+  }
+} catch (err) {
+  console.error(`\n❌ Could not read Firebase API key from:\n   ${firebaseTsPath}`);
+  console.error('\nMake sure app/config/firebase.ts exists and contains a valid apiKey.');
+  console.error(err?.message ?? err);
+  process.exit(1);
+}
+
+// --- Initialize Firebase Admin ---
+
+if (getApps().length === 0) {
+  initializeApp({ credential: cert(serviceAccount) });
+}
+
+const auth = getAuth();
+
+// --- Verify user exists ---
+
+console.log(`\n🔍 Fetching user record for UID: ${uid}...`);
+
+let userRecord;
+try {
+  userRecord = await auth.getUser(uid);
+} catch (err) {
+  console.error(`\n❌ Could not fetch user record for UID: ${uid}`);
+  console.error(err?.message ?? err);
+  process.exit(1);
+}
+
+console.log(`\n⚠️  About to permanently delete account:`);
+console.log(`   UID:   ${userRecord.uid}`);
+console.log(`   Email: ${userRecord.email ?? '(no email)'}`);
+
+// --- Interactive confirmation ---
+
+{
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  const answer = await new Promise((res) => {
+    rl.question('\nType "DELETE" to confirm permanent deletion, or anything else to abort: ', (a) => {
+      rl.close();
+      res(a.trim());
+    });
+  });
+  if (answer !== 'DELETE') {
+    console.log('\nAborted. No changes were made.');
+    process.exit(0);
+  }
+}
+
+// --- Create custom token and exchange for ID token ---
+
+console.log('\n🔑 Obtaining ID token via custom token exchange...');
+
+let customToken;
+try {
+  customToken = await auth.createCustomToken(uid);
+} catch (err) {
+  console.error('\n❌ Failed to create custom token:');
+  console.error(err?.message ?? err);
+  process.exit(1);
+}
+
+let idToken;
+try {
+  const signInResponse = await fetch(
+    `https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=${apiKey}`,
+    {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ token: customToken, returnSecureToken: true }),
+    }
+  );
+
+  if (!signInResponse.ok) {
+    const errorBody = await signInResponse.text();
+    throw new Error(`Firebase REST sign-in failed (${signInResponse.status}): ${errorBody}`);
+  }
+
+  const signInData = await signInResponse.json();
+  idToken = signInData.idToken;
+  if (!idToken) {
+    throw new Error('No idToken in sign-in response');
+  }
+} catch (err) {
+  console.error('\n❌ Failed to exchange custom token for ID token:');
+  console.error(err?.message ?? err);
+  process.exit(1);
+}
+
+// --- Call the delete endpoint with streaming ---
+
+const deleteUrl = `${appUrl}/api/user/${encodeURIComponent(uid)}?stream=true`;
+console.log(`\n🗑️  Sending DELETE request to: ${deleteUrl}`);
+
+let deleteResponse;
+try {
+  deleteResponse = await fetch(deleteUrl, {
+    method: 'DELETE',
+    headers: {
+      'Authorization': `Bearer ${idToken}`,
+      'Accept': 'text/event-stream',
+    },
+  });
+} catch (err) {
+  console.error('\n❌ Network error during DELETE request:');
+  console.error(err?.message ?? err);
+  process.exit(1);
+}
+
+if (!deleteResponse.ok) {
+  const body = await deleteResponse.text();
+  console.error(`\n❌ DELETE request failed (${deleteResponse.status}): ${body}`);
+  process.exit(1);
+}
+
+// --- Parse SSE stream ---
+
+const contentType = deleteResponse.headers.get('content-type') ?? '';
+const isStream = contentType.includes('text/event-stream');
+
+if (!isStream) {
+  // Non-streaming response (fallback)
+  const result = await deleteResponse.json();
+  if (result.success) {
+    console.log('\n✅ Account deleted successfully.');
+  } else {
+    console.error('\n❌ Deletion reported failure:', result.message ?? result);
+    process.exit(1);
+  }
+  process.exit(0);
+}
+
+// Stream processing
+if (!deleteResponse.body) {
+  console.error('\n❌ DELETE response has no body/stream. Cannot read SSE output.');
+  process.exit(1);
+}
+
+const reader = deleteResponse.body.getReader();
+const decoder = new TextDecoder();
+let buffer = '';
+let failed = false;
+let completed = false;
+let caseIndex = 0;
+
+console.log('');
+
+outer: while (true) {
+  const { done, value } = await reader.read();
+  if (done) break;
+
+  buffer += decoder.decode(value, { stream: true });
+
+  const lines = buffer.split('\n');
+  buffer = lines.pop() ?? '';
+
+  for (const line of lines) {
+    if (!line.startsWith('data: ')) continue;
+
+    let event;
+    try {
+      event = JSON.parse(line.slice(6));
+    } catch {
+      continue;
+    }
+
+    switch (event.event) {
+      case 'start':
+        console.log(`   Starting deletion (${event.totalCases ?? 0} case(s) to remove)...`);
+        break;
+      case 'case-start':
+        caseIndex++;
+        console.log(`   [${caseIndex}/${event.totalCases}] Deleting case ${event.currentCaseNumber}...`);
+        break;
+      case 'case-complete':
+        if (event.success === false) {
+          console.error(`   [${event.completedCases}/${event.totalCases}] Case cleanup failed: ${event.message ?? 'Unknown error'}`);
+        } else {
+          console.log(`   [${event.completedCases}/${event.totalCases}] Case deleted.`);
+        }
+        break;
+      case 'complete':
+        completed = true;
+        console.log('\n✅ Account deleted successfully.');
+        break outer;
+      case 'error':
+        console.error(`\n❌ Deletion failed: ${event.message ?? 'Unknown error'}`);
+        failed = true;
+        break outer;
+    }
+  }
+}
+
+if (!completed && !failed) {
+  console.error('\n❌ SSE stream ended without a completion event (possible network cut or worker crash).');
+  process.exit(1);
+}
+
+process.exit(failed ? 1 : 0);

package/scripts/deploy-all.sh

@@ -110,7 +110,7 @@ if ! npx wrangler types; then
     echo -e "${RED}❌ Root wrangler types generation failed!${NC}"
     exit 1
 fi
-for WORKER in audit-worker data-worker image-worker pdf-worker user-worker; do
+for WORKER in audit-worker data-worker image-worker lists-worker pdf-worker user-worker; do
     echo -e "${YELLOW}  → Generating types for ${WORKER}...${NC}"
     if ! (cd "workers/$WORKER" && npx wrangler types); then
         echo -e "${RED}❌ wrangler types failed for ${WORKER}!${NC}"
@@ -123,7 +123,7 @@ echo ""
 # Step 4: Deploy Workers
 echo -e "${PURPLE}Step 4/7: Deploying Workers${NC}"
 echo "----------------------------"
-echo -e "${YELLOW}🔧 Deploying all 5 Cloudflare Workers...${NC}"
+echo -e "${YELLOW}🔧 Deploying all 6 Cloudflare Workers...${NC}"
 if ! npm run deploy-workers; then
     echo -e "${RED}❌ Worker deployment failed!${NC}"
     exit 1
@@ -172,7 +172,7 @@ echo ""
 echo -e "${BLUE}Deployed Components:${NC}"
 echo "  ✅ Worker dependencies (npm install)"
 echo "  ✅ Wrangler types (root + all workers)"
-echo "  ✅ 5 Cloudflare Workers"
+echo "  ✅ 6 Cloudflare Workers"
 echo "  ✅ Worker environment variables"
 echo "  ✅ Pages environment variables"
 echo "  ✅ Cloudflare Pages frontend"