@striae-org/striae 7.1.2 → 8.0.0

package/.env.example

@@ -47,6 +47,10 @@ USER_KV_ENCRYPTION_ACTIVE_KEY_ID=
 MANIFEST_SIGNING_PRIVATE_KEY=your_manifest_signing_private_key_here
 MANIFEST_SIGNING_KEY_ID=your_manifest_signing_key_id_here
 MANIFEST_SIGNING_PUBLIC_KEY=your_manifest_signing_public_key_here
+# Optional key registry for rotation-safe manifest signing.
+# JSON shape: {"activeKeyId":"kid_current","keys":{"kid_current":"-----BEGIN PRIVATE KEY-----\\n...","kid_previous":"-----BEGIN PRIVATE KEY-----\\n..."}}
+MANIFEST_SIGNING_KEYS_JSON='{}'
+MANIFEST_SIGNING_ACTIVE_KEY_ID=
 
 # DATA EXPORT ENCRYPTION CONFIGURATION
 EXPORT_ENCRYPTION_PRIVATE_KEY=your_export_encryption_private_key_here
@@ -62,11 +66,17 @@ DATA_AT_REST_ENCRYPTION_ENABLED=true
 DATA_AT_REST_ENCRYPTION_PRIVATE_KEY=your_data_at_rest_encryption_private_key_here
 DATA_AT_REST_ENCRYPTION_KEY_ID=your_data_at_rest_encryption_key_id_here
 DATA_AT_REST_ENCRYPTION_PUBLIC_KEY=your_data_at_rest_encryption_public_key_here
-# Optional key registry for data/files/audit decryption compatibility.
+# Key registries are now stored in R2 at CONFIG_BUCKET_NAME/{scope}-keys.json.
+# These env vars are only used for initial upload to R2 via scripts/upload-registries.sh.
 # JSON shape: {"activeKeyId":"kid_current","keys":{"kid_current":"-----BEGIN PRIVATE KEY-----\\n...","kid_previous":"-----BEGIN PRIVATE KEY-----\\n..."}}
 DATA_AT_REST_ENCRYPTION_KEYS_JSON='{}'
 DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID=
 
+# REGISTRY ENCRYPTION KEY
+# AES-256-GCM key (32 bytes, base64url-encoded) used to encrypt key registries at rest in R2.
+# Generated automatically by deploy-config.sh. Shared across all workers that read registries.
+REGISTRY_ENCRYPTION_KEY=your_registry_encryption_key_here
+
 # ================================
 # PAGES WORKER ENVIRONMENT VARIABLES
 # ================================
@@ -79,6 +89,13 @@ PAGES_CUSTOM_DOMAIN=your_custom_domain_here
 USER_WORKER_NAME=your_user_worker_name_here
 KV_STORE_ID=your_kv_store_id_here
 
+# ================================
+# SHARED CONFIG BUCKET (key registries)
+# ================================
+# All key registries are stored in R2 at this bucket as {scope}-keys.json.
+# Dev: striae-dev-config | Prod: striae-config
+CONFIG_BUCKET_NAME=your_config_bucket_name_here
+
 # ================================
 # DATA WORKER ENVIRONMENT VARIABLES
 # ================================

package/app/components/actions/case-manage/operations.ts

@@ -16,7 +16,7 @@ import {
 } from '~/utils/data';
 import { type CaseData, type CaseExportData, type ValidationAuditEntry } from '~/types';
 import { auditService } from '~/services/audit';
-import { exportCaseData, formatDateForFilename } from '~/components/actions/case-export';
+import { loadCaseExportActions } from '~/utils/data/operations/case-export-loader';
 import { buildArchivePackage } from './archive-package-builder';
 import { deleteFileWithoutAudit } from './delete-helpers';
 import { isReadOnlyCaseData, sortCaseNumbers, validateCaseNumber } from './utils';
@@ -600,6 +600,7 @@ export const archiveCase = async (
       isReadOnly: false,
     } as CaseData;
 
+    const { exportCaseData, formatDateForFilename } = await loadCaseExportActions();
     const exportData = await exportCaseData(user, caseNumber, { includeMetadata: true });
     const archivedExportData: CaseExportData = {
       ...exportData,

package/app/routes/striae/utils/case-export.ts

@@ -1,20 +1,4 @@
-import type * as CaseExportActions from '~/components/actions/case-export';
-
-export type CaseExportActionsModule = typeof CaseExportActions;
-
-let caseExportActionsPromise: Promise<CaseExportActionsModule> | null = null;
-
-export const loadCaseExportActions = (): Promise<CaseExportActionsModule> => {
-  if (!caseExportActionsPromise) {
-    caseExportActionsPromise = import('~/components/actions/case-export').catch((error: unknown) => {
-      // Clear cached failures so transient chunk/network errors can recover on retry.
-      caseExportActionsPromise = null;
-      throw error;
-    });
-  }
-
-  return caseExportActionsPromise;
-};
+export { loadCaseExportActions, type CaseExportActionsModule } from '~/utils/data/operations/case-export-loader';
 
 export const getExportProgressLabel = (progress: number): string => {
   if (progress < 30) {

package/app/utils/data/operations/case-export-loader.ts

@@ -0,0 +1,17 @@
+import type * as CaseExportActions from '~/components/actions/case-export';
+
+export type CaseExportActionsModule = typeof CaseExportActions;
+
+let caseExportActionsPromise: Promise<CaseExportActionsModule> | null = null;
+
+export const loadCaseExportActions = (): Promise<CaseExportActionsModule> => {
+  if (!caseExportActionsPromise) {
+    caseExportActionsPromise = import('~/components/actions/case-export').catch((error: unknown) => {
+      // Clear cached failures so transient chunk/network errors can recover on retry.
+      caseExportActionsPromise = null;
+      throw error;
+    });
+  }
+
+  return caseExportActionsPromise;
+};

package/app/utils/forensics/signature-utils.ts

@@ -29,6 +29,11 @@ export interface PublicSigningKeyDetails {
   publicKeyPem: string | null;
 }
 
+interface VerificationKeyCandidate {
+  keyId: string;
+  publicKeyPem: string;
+}
+
 const RSA_PSS_SALT_LENGTH = 32;
 
 type ManifestSigningConfig = {
@@ -155,6 +160,80 @@ export function getVerificationPublicKey(keyId: string): string | null {
   return null;
 }
 
+function getVerificationPublicKeyCandidates(signatureKeyId: string): VerificationKeyCandidate[] {
+  const config = paths as unknown as ManifestSigningConfig;
+  const keyMap = config.manifest_signing_public_keys;
+  const candidates: VerificationKeyCandidate[] = [];
+  const seenKeyIds = new Set<string>();
+
+  const appendCandidate = (keyId: string | null, publicKeyPem: string | null): void => {
+    if (!keyId || !publicKeyPem || seenKeyIds.has(keyId)) {
+      return;
+    }
+
+    seenKeyIds.add(keyId);
+    candidates.push({ keyId, publicKeyPem });
+  };
+
+  appendCandidate(signatureKeyId, getVerificationPublicKey(signatureKeyId));
+
+  const configuredKeyId =
+    typeof config.manifest_signing_key_id === 'string' && config.manifest_signing_key_id.trim().length > 0
+      ? config.manifest_signing_key_id.trim()
+      : null;
+  const legacyPublicKeyPem = normalizePemOrNull(config.manifest_signing_public_key);
+
+  appendCandidate(configuredKeyId, configuredKeyId ? getVerificationPublicKey(configuredKeyId) : legacyPublicKeyPem);
+
+  if (keyMap && typeof keyMap === 'object') {
+    const orderedEntries = Object.entries(keyMap)
+      .filter(([, value]) => typeof value === 'string' && value.trim().length > 0)
+      .sort(([leftKeyId], [rightKeyId]) => leftKeyId.localeCompare(rightKeyId));
+
+    for (const [keyId, pemValue] of orderedEntries) {
+      appendCandidate(keyId, normalizePemPublicKey(pemValue));
+    }
+  }
+
+  if (candidates.length === 0 && legacyPublicKeyPem) {
+    appendCandidate(configuredKeyId ?? signatureKeyId, legacyPublicKeyPem);
+  }
+
+  return candidates;
+}
+
+async function verifyWithPublicKey(
+  payload: string,
+  signatureValue: string,
+  publicKeyPem: string,
+  invalidPublicKeyError: string
+): Promise<boolean> {
+  const key = await crypto.subtle.importKey(
+    'spki',
+    publicKeyPemToArrayBuffer(publicKeyPem, invalidPublicKeyError),
+    {
+      name: 'RSA-PSS',
+      hash: 'SHA-256'
+    },
+    false,
+    ['verify']
+  );
+
+  const signatureBytes = base64UrlToUint8Array(signatureValue);
+  const signatureBuffer = new Uint8Array(signatureBytes.byteLength);
+  signatureBuffer.set(signatureBytes);
+
+  return crypto.subtle.verify(
+    {
+      name: 'RSA-PSS',
+      saltLength: RSA_PSS_SALT_LENGTH
+    },
+    key,
+    signatureBuffer,
+    new TextEncoder().encode(payload)
+  );
+}
+
 export async function verifySignaturePayload(
   payload: string,
   signature: SignatureEnvelope,
@@ -177,59 +256,46 @@ export async function verifySignaturePayload(
     };
   }
 
-  const publicKeyPem =
-    typeof options.verificationPublicKeyPem === 'string' && options.verificationPublicKeyPem.trim().length > 0
-      ? options.verificationPublicKeyPem
-      : getVerificationPublicKey(signature.keyId);
-  if (!publicKeyPem) {
-    return {
-      isValid: false,
-      keyId: signature.keyId,
-      error: `${messages.noVerificationKeyPrefix || 'No verification key configured for key ID'}: ${signature.keyId}`
-    };
-  }
-
   const verificationFailedError = messages.verificationFailedError || 'Signature verification failed';
   const invalidPublicKeyError =
     messages.invalidPublicKeyError ||
     `${verificationFailedError}: invalid public key`;
 
-  try {
-    const key = await crypto.subtle.importKey(
-      'spki',
-      publicKeyPemToArrayBuffer(publicKeyPem, invalidPublicKeyError),
-      {
-        name: 'RSA-PSS',
-        hash: 'SHA-256'
-      },
-      false,
-      ['verify']
-    );
-
-    const signatureBytes = base64UrlToUint8Array(signature.value);
-    const signatureBuffer = new Uint8Array(signatureBytes.byteLength);
-    signatureBuffer.set(signatureBytes);
-
-    const verified = await crypto.subtle.verify(
-      {
-        name: 'RSA-PSS',
-        saltLength: RSA_PSS_SALT_LENGTH
-      },
-      key,
-      signatureBuffer,
-      new TextEncoder().encode(payload)
-    );
+  const explicitVerificationKey =
+    typeof options.verificationPublicKeyPem === 'string' && options.verificationPublicKeyPem.trim().length > 0
+      ? options.verificationPublicKeyPem
+      : null;
+  const keyCandidates = explicitVerificationKey
+    ? [{ keyId: signature.keyId, publicKeyPem: explicitVerificationKey }]
+    : getVerificationPublicKeyCandidates(signature.keyId);
 
-    return {
-      isValid: verified,
-      keyId: signature.keyId,
-      error: verified ? undefined : verificationFailedError
-    };
-  } catch (error) {
+  if (keyCandidates.length === 0) {
     return {
       isValid: false,
       keyId: signature.keyId,
-      error: error instanceof Error ? error.message : verificationFailedError
+      error: `${messages.noVerificationKeyPrefix || 'No verification key configured for key ID'}: ${signature.keyId}`
     };
   }
+
+  let lastError: unknown;
+
+  for (const candidate of keyCandidates) {
+    try {
+      const verified = await verifyWithPublicKey(payload, signature.value, candidate.publicKeyPem, invalidPublicKeyError);
+      if (verified) {
+        return {
+          isValid: true,
+          keyId: signature.keyId
+        };
+      }
+    } catch (error) {
+      lastError = error;
+    }
+  }
+
+  return {
+    isValid: false,
+    keyId: signature.keyId,
+    error: lastError instanceof Error ? lastError.message : verificationFailedError
+  };
 }

package/functions/[[path]].ts

@@ -1,4 +1,5 @@
 import { createPagesFunctionHandler } from "@react-router/cloudflare";
+import { getLoadContext } from "../load-context";
 
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore - the server build file is generated by `react-router build`
@@ -6,4 +7,4 @@ import * as build from "../build/server";
 
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore - temporary workaround for crossOrigin type issue
-export const onRequest = createPagesFunctionHandler({ build });
+export const onRequest = createPagesFunctionHandler({ build, getLoadContext });

package/load-context.ts

@@ -1,9 +1,21 @@
 import { type PlatformProxy } from "wrangler";
+import { RouterContextProvider } from "react-router";
 
 type Cloudflare = Omit<PlatformProxy<Env>, "dispose">;
 
 declare module "react-router" {
-  interface AppLoadContext {
+  interface RouterContextProvider {
     cloudflare: Cloudflare;
   }
+}
+
+export function getLoadContext({
+  context,
+}: {
+  request: Request;
+  context: { cloudflare: Cloudflare };
+}) {
+  const provider = new RouterContextProvider();
+  Object.assign(provider, context);
+  return provider;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@striae-org/striae",
-  "version": "7.1.2",
+  "version": "8.0.0",
   "private": false,
   "description": "Striae is a specialized, cloud-native platform designed to streamline forensic firearms identification by providing an intuitive environment for digital comparison image annotation, authenticated confirmations, and automated report generation.",
   "license": "Apache-2.0",
@@ -88,6 +88,8 @@
     "update-versions": "node ./scripts/update-markdown-versions.cjs",
     "update-compatibility-dates": "node ./scripts/update-compatibility-dates.cjs",
     "deploy-config": "bash ./scripts/deploy-config.sh",
+    "deploy-config:rotate-keys": "bash ./scripts/deploy-config.sh --force-rotate-keys",
+    "upload-registries": "bash ./scripts/upload-registries.sh",
     "update-env": "bash ./scripts/deploy-config.sh --update-env",
     "install-workers": "bash ./scripts/install-workers.sh",
     "deploy-workers": "npm run deploy-workers:audit && npm run deploy-workers:data && npm run deploy-workers:image && npm run deploy-workers:lists && npm run deploy-workers:pdf && npm run deploy-workers:user",
@@ -102,44 +104,44 @@
     "deploy-workers:user": "cd workers/user-worker && npm run deploy"
   },
   "dependencies": {
-    "@react-router/cloudflare": "^7.15.0",
-    "firebase": "^12.13.0",
-    "isbot": "^5.1.40",
+    "@react-router/cloudflare": "^7.17.0",
+    "firebase": "^12.14.0",
+    "isbot": "^5.1.41",
     "jszip": "^3.10.1",
     "qrcode": "^1.5.4",
-    "react": "^19.2.6",
-    "react-dom": "^19.2.6",
-    "react-router": "^7.15.0"
+    "react": "^19.2.7",
+    "react-dom": "^19.2.7",
+    "react-router": "^7.17.0"
   },
   "devDependencies": {
-    "@cloudflare/vitest-pool-workers": "^0.15.2",
-    "@react-router/dev": "^7.15.0",
-    "@react-router/fs-routes": "^7.15.0",
+    "@cloudflare/vitest-pool-workers": "^0.16.9",
+    "@react-router/dev": "^7.17.0",
+    "@react-router/fs-routes": "^7.17.0",
     "@types/qrcode": "^1.5.6",
-    "@types/react": "^19.2.14",
+    "@types/react": "^19.2.17",
     "@types/react-dom": "^19.2.3",
-    "@typescript-eslint/eslint-plugin": "^8.59.2",
-    "@typescript-eslint/parser": "^8.59.2",
-    "@vitest/coverage-v8": "^4.1.5",
+    "@typescript-eslint/eslint-plugin": "^8.60.1",
+    "@typescript-eslint/parser": "^8.60.1",
+    "@vitest/coverage-v8": "^4.1.8",
     "eslint": "^9.39.4",
-    "eslint-import-resolver-typescript": "^4.4.4",
+    "eslint-import-resolver-typescript": "^4.4.5",
     "eslint-plugin-import": "^2.32.0",
     "eslint-plugin-jsx-a11y": "^6.10.2",
     "eslint-plugin-react": "^7.37.5",
     "eslint-plugin-react-hooks": "^7.1.1",
-    "firebase-admin": "^13.8.0",
+    "firebase-admin": "^13.10.0",
     "modern-normalize": "^3.0.1",
     "typescript": "^6.0.3",
-    "vite": "^8.0.11",
-    "vitest": "^4.1.5",
-    "wrangler": "^4.88.0"
+    "vite": "^8.0.16",
+    "vitest": "^4.1.8",
+    "wrangler": "^4.98.0"
   },
   "overrides": {
     "@tootallnate/once": "3.0.1",
     "uuid": "^14.0.0"
   },
   "engines": {
-    "node": ">=20.19.0"
+    "node": ">=22.0.0"
   },
   "packageManager": "npm@11.13.0"
-}
+}

package/public/_routes.json

@@ -5,6 +5,7 @@
     "/assets/*",
     "/build/*",
     "/*.css",
+    "/*.ico",
     "/*.js",
     "/*.pdf",
     "/*.png",

package/react-router.config.ts

@@ -2,4 +2,11 @@ import type { Config } from "@react-router/dev/config";
 
 export default {
   ssr: true,
+  future: {
+    v8_middleware: true,
+    v8_splitRouteModules: true,
+    v8_viteEnvironmentApi: true,
+    v8_passThroughRequests: true,
+    v8_trailingSlashAwareDataRequests: true,
+  },
 } satisfies Config;

package/scripts/deploy-all.sh

@@ -6,10 +6,12 @@
 # This script deploys the entire Striae application:
 # 1. Configuration setup (copy configs, replace placeholders)
 # 2. Worker dependencies installation
-# 3. Workers (all 5 workers)
-# 4. Worker secrets/environment variables
-# 5. Pages secrets/environment variables
-# 6. Pages (frontend)
+# 3. Wrangler types generation
+# 4. Workers (all 6 workers)
+# 5. Key registries (upload to R2 config bucket)
+# 6. Worker secrets/environment variables
+# 7. Pages secrets/environment variables
+# 8. Pages (frontend)
 
 set -e
 set -o pipefail
@@ -67,6 +69,7 @@ require_command wrangler
 assert_file_exists "$SCRIPT_DIR/deploy-config.sh"
 assert_file_exists "$SCRIPT_DIR/install-workers.sh"
 assert_file_exists "$SCRIPT_DIR/deploy-worker-secrets.sh"
+assert_file_exists "$SCRIPT_DIR/upload-registries.sh"
 assert_file_exists "$SCRIPT_DIR/deploy-pages-secrets.sh"
 assert_file_exists "package.json"
 
@@ -79,7 +82,7 @@ echo -e "${GREEN}✅ Preflight checks passed${NC}"
 echo ""
 
 # Step 1: Configuration Setup
-echo -e "${PURPLE}Step 1/7: Configuration Setup${NC}"
+echo -e "${PURPLE}Step 1/8: Configuration Setup${NC}"
 echo "------------------------------"
 echo -e "${YELLOW}⚙️  Setting up configuration files and replacing placeholders...${NC}"
 if ! bash "$SCRIPT_DIR/deploy-config.sh"; then
@@ -92,7 +95,7 @@ run_config_checkpoint
 echo ""
 
 # Step 2: Install Worker Dependencies
-echo -e "${PURPLE}Step 2/7: Installing Worker Dependencies${NC}"
+echo -e "${PURPLE}Step 2/8: Installing Worker Dependencies${NC}"
 echo "----------------------------------------"
 echo -e "${YELLOW}📦 Installing npm dependencies for all workers...${NC}"
 if ! bash "$SCRIPT_DIR/install-workers.sh"; then
@@ -103,7 +106,7 @@ echo -e "${GREEN}✅ All worker dependencies installed successfully${NC}"
 echo ""
 
 # Step 3: Generate Wrangler Types
-echo -e "${PURPLE}Step 3/7: Generating Wrangler Types${NC}"
+echo -e "${PURPLE}Step 3/8: Generating Wrangler Types${NC}"
 echo "-------------------------------------"
 echo -e "${YELLOW}📝 Running wrangler types in root and all worker directories...${NC}"
 if ! npx wrangler types; then
@@ -121,7 +124,7 @@ echo -e "${GREEN}✅ Wrangler types generated successfully${NC}"
 echo ""
 
 # Step 4: Deploy Workers
-echo -e "${PURPLE}Step 4/7: Deploying Workers${NC}"
+echo -e "${PURPLE}Step 4/8: Deploying Workers${NC}"
 echo "----------------------------"
 echo -e "${YELLOW}🔧 Deploying all 6 Cloudflare Workers...${NC}"
 if ! npm run deploy-workers; then
@@ -131,8 +134,19 @@ fi
 echo -e "${GREEN}✅ All workers deployed successfully${NC}"
 echo ""
 
-# Step 5: Deploy Worker Secrets
-echo -e "${PURPLE}Step 5/7: Deploying Worker Secrets${NC}"
+# Step 5: Upload Key Registries to R2
+echo -e "${PURPLE}Step 5/8: Uploading Key Registries to R2${NC}"
+echo "-----------------------------------------"
+echo -e "${YELLOW}📦 Uploading key registries to config bucket...${NC}"
+if ! bash "$SCRIPT_DIR/upload-registries.sh"; then
+    echo -e "${RED}❌ Key registry upload failed!${NC}"
+    exit 1
+fi
+echo -e "${GREEN}✅ Key registries uploaded successfully${NC}"
+echo ""
+
+# Step 6: Deploy Worker Secrets
+echo -e "${PURPLE}Step 6/8: Deploying Worker Secrets${NC}"
 echo "-----------------------------------"
 echo -e "${YELLOW}🔐 Deploying worker environment variables...${NC}"
 if ! bash "$SCRIPT_DIR/deploy-worker-secrets.sh"; then
@@ -142,8 +156,8 @@ fi
 echo -e "${GREEN}✅ Worker secrets deployed successfully${NC}"
 echo ""
 
-# Step 6: Deploy Pages Secrets
-echo -e "${PURPLE}Step 6/7: Deploying Pages Secrets${NC}"
+# Step 7: Deploy Pages Secrets
+echo -e "${PURPLE}Step 7/8: Deploying Pages Secrets${NC}"
 echo "----------------------------------"
 echo -e "${YELLOW}🔐 Deploying Pages environment variables...${NC}"
 if ! bash "$SCRIPT_DIR/deploy-pages-secrets.sh"; then
@@ -153,8 +167,8 @@ fi
 echo -e "${GREEN}✅ Pages secrets deployed successfully${NC}"
 echo ""
 
-# Step 7: Deploy Pages
-echo -e "${PURPLE}Step 7/7: Deploying Pages${NC}"
+# Step 8: Deploy Pages
+echo -e "${PURPLE}Step 8/8: Deploying Pages${NC}"
 echo "--------------------------"
 echo -e "${YELLOW}🌐 Building and deploying Pages...${NC}"
 if ! npm run deploy-pages; then

package/scripts/deploy-config/modules/env-utils.sh

@@ -187,7 +187,7 @@ write_env_var() {
     var_value=$(strip_carriage_returns "$var_value")
     env_file_value="$var_value"
 
-    if [ "$var_name" = "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PUBLIC_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "USER_KV_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "USER_KV_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_KEYS_JSON" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_KEYS_JSON" ] || [ "$var_name" = "USER_KV_ENCRYPTION_KEYS_JSON" ]; then
+    if [ "$var_name" = "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PRIVATE_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_PUBLIC_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "EXPORT_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "USER_KV_ENCRYPTION_PRIVATE_KEY" ] || [ "$var_name" = "USER_KV_ENCRYPTION_PUBLIC_KEY" ] || [ "$var_name" = "MANIFEST_SIGNING_KEYS_JSON" ] || [ "$var_name" = "EXPORT_ENCRYPTION_KEYS_JSON" ] || [ "$var_name" = "DATA_AT_REST_ENCRYPTION_KEYS_JSON" ] || [ "$var_name" = "USER_KV_ENCRYPTION_KEYS_JSON" ]; then
         # Store as a quoted string so sourced .env preserves escaped newline markers (\n)
         env_file_value=${env_file_value//\"/\\\"}
         env_file_value="\"$env_file_value\""
@@ -252,3 +252,12 @@ update_private_key_registry() {
 escape_for_sed_replacement() {
     printf '%s' "$1" | sed -e 's/[&|\\]/\\&/g'
 }
+
+generate_10_char_id() {
+    local raw label
+    raw=$(openssl rand -base64 32 2>/dev/null | tr -dc 'a-z0-9' || true)
+    label="${raw:0:10}"
+    if [ -n "$label" ] && [ ${#label} -eq 10 ]; then
+        printf '%s' "$label"
+    fi
+}

package/scripts/deploy-config/modules/keys.sh

@@ -108,6 +108,8 @@ configure_manifest_signing_credentials() {
     restore_env_var_from_backup_if_missing "MANIFEST_SIGNING_PRIVATE_KEY"
     restore_env_var_from_backup_if_missing "MANIFEST_SIGNING_PUBLIC_KEY"
     restore_env_var_from_backup_if_missing "MANIFEST_SIGNING_KEY_ID"
+    restore_env_var_from_backup_if_missing "MANIFEST_SIGNING_KEYS_JSON"
+    restore_env_var_from_backup_if_missing "MANIFEST_SIGNING_ACTIVE_KEY_ID"
 
     if [ -z "$MANIFEST_SIGNING_PRIVATE_KEY" ] || is_placeholder "$MANIFEST_SIGNING_PRIVATE_KEY" || [ -z "$MANIFEST_SIGNING_PUBLIC_KEY" ] || is_placeholder "$MANIFEST_SIGNING_PUBLIC_KEY"; then
         should_generate="true"
@@ -131,7 +133,7 @@ configure_manifest_signing_credentials() {
 
     if [ -z "$MANIFEST_SIGNING_KEY_ID" ] || is_placeholder "$MANIFEST_SIGNING_KEY_ID" || [ "$should_generate" = "true" ]; then
         local generated_key_id
-        generated_key_id=$(generate_worker_subdomain_label)
+        generated_key_id=$(generate_10_char_id)
         if [ -z "$generated_key_id" ] || [ ${#generated_key_id} -ne 10 ]; then
             echo -e "${RED}❌ Error: Failed to generate MANIFEST_SIGNING_KEY_ID${NC}"
             exit 1
@@ -144,6 +146,8 @@ configure_manifest_signing_credentials() {
         echo -e "${GREEN}✅ MANIFEST_SIGNING_KEY_ID: $MANIFEST_SIGNING_KEY_ID${NC}"
     fi
 
+    update_private_key_registry "MANIFEST_SIGNING_KEYS_JSON" "MANIFEST_SIGNING_ACTIVE_KEY_ID" "$MANIFEST_SIGNING_KEY_ID" "$MANIFEST_SIGNING_PRIVATE_KEY" "manifest signing"
+
     echo ""
 }
 
@@ -212,7 +216,7 @@ configure_export_encryption_credentials() {
 
     if [ -z "$EXPORT_ENCRYPTION_KEY_ID" ] || is_placeholder "$EXPORT_ENCRYPTION_KEY_ID" || [ "$should_generate" = "true" ]; then
         local generated_key_id
-        generated_key_id=$(generate_worker_subdomain_label)
+        generated_key_id=$(generate_10_char_id)
         if [ -z "$generated_key_id" ] || [ ${#generated_key_id} -ne 10 ]; then
             echo -e "${RED}❌ Error: Failed to generate EXPORT_ENCRYPTION_KEY_ID${NC}"
             exit 1
@@ -327,7 +331,7 @@ configure_user_kv_encryption_credentials() {
 
     if [ -z "$USER_KV_ENCRYPTION_KEY_ID" ] || is_placeholder "$USER_KV_ENCRYPTION_KEY_ID" || [ "$should_generate" = "true" ]; then
         local generated_key_id
-        generated_key_id=$(generate_worker_subdomain_label)
+        generated_key_id=$(generate_10_char_id)
         if [ -z "$generated_key_id" ] || [ ${#generated_key_id} -ne 10 ]; then
             echo -e "${RED}❌ Error: Failed to generate USER_KV_ENCRYPTION_KEY_ID${NC}"
             exit 1
@@ -385,7 +389,7 @@ configure_data_at_rest_encryption_credentials() {
 
     if [ -z "$DATA_AT_REST_ENCRYPTION_KEY_ID" ] || is_placeholder "$DATA_AT_REST_ENCRYPTION_KEY_ID" || [ "$should_generate" = "true" ]; then
         local generated_key_id
-        generated_key_id=$(generate_worker_subdomain_label)
+        generated_key_id=$(generate_10_char_id)
         if [ -z "$generated_key_id" ] || [ ${#generated_key_id} -ne 10 ]; then
             echo -e "${RED}❌ Error: Failed to generate DATA_AT_REST_ENCRYPTION_KEY_ID${NC}"
             exit 1
@@ -402,3 +406,28 @@ configure_data_at_rest_encryption_credentials() {
 
     echo ""
 }
+
+configure_registry_encryption_key() {
+    echo -e "${BLUE}🔒 REGISTRY ENCRYPTION KEY CONFIGURATION${NC}"
+    echo "========================================="
+
+    restore_env_var_from_backup_if_missing "REGISTRY_ENCRYPTION_KEY"
+
+    if [ -n "$REGISTRY_ENCRYPTION_KEY" ] && ! is_placeholder "$REGISTRY_ENCRYPTION_KEY"; then
+        echo -e "${GREEN}✅ REGISTRY_ENCRYPTION_KEY already configured${NC}"
+    else
+        echo -e "${YELLOW}Generating REGISTRY_ENCRYPTION_KEY (32 random bytes, base64url)...${NC}"
+        local key_value
+        key_value=$(node -e "const { randomBytes } = require('crypto'); const buf = randomBytes(32); process.stdout.write(buf.toString('base64url'));")
+        if [ -z "$key_value" ] || [ ${#key_value} -lt 20 ]; then
+            echo -e "${RED}❌ Error: Failed to generate REGISTRY_ENCRYPTION_KEY${NC}"
+            exit 1
+        fi
+        REGISTRY_ENCRYPTION_KEY="$key_value"
+        export REGISTRY_ENCRYPTION_KEY
+        write_env_var "REGISTRY_ENCRYPTION_KEY" "$REGISTRY_ENCRYPTION_KEY"
+        echo -e "${GREEN}✅ REGISTRY_ENCRYPTION_KEY generated${NC}"
+    fi
+
+    echo ""
+}

package/scripts/deploy-config/modules/prompt.sh

@@ -271,6 +271,7 @@ prompt_for_secrets() {
     prompt_for_var "DATA_BUCKET_NAME" "Your R2 bucket name for case data storage"
     prompt_for_var "AUDIT_BUCKET_NAME" "Your R2 bucket name for audit logs (separate from data bucket)"
     prompt_for_var "FILES_BUCKET_NAME" "Your R2 bucket name for encrypted files storage"
+    prompt_for_var "CONFIG_BUCKET_NAME" "Your R2 bucket name for config/key registries (shared across workers)"
     prompt_for_var "KV_STORE_ID" "Your KV namespace ID (UUID format)"
     prompt_for_var "STRIAE_LISTS_KV_ID" "KV namespace ID for the lists-worker (UUID format; backs registration and primershear allowlists)"
 
@@ -296,6 +297,7 @@ prompt_for_secrets() {
     configure_export_encryption_credentials
     configure_user_kv_encryption_credentials
     configure_data_at_rest_encryption_credentials
+    configure_registry_encryption_key
 
     # Reload the updated .env file
     source .env