@striae-org/striae 7.1.2 → 8.0.0

package/scripts/deploy-config/modules/scaffolding.sh

@@ -154,6 +154,7 @@ update_wrangler_configs() {
         sed -i "s/\"AUDIT_WORKER_NAME\"/\"$AUDIT_WORKER_NAME\"/g" workers/audit-worker/wrangler.jsonc
         sed -i "s/\"ACCOUNT_ID\"/\"$escaped_account_id\"/g" workers/audit-worker/wrangler.jsonc
         sed -i "s/\"AUDIT_BUCKET_NAME\"/\"$AUDIT_BUCKET_NAME\"/g" workers/audit-worker/wrangler.jsonc
+        sed -i "s/\"CONFIG_BUCKET_NAME\"/\"$CONFIG_BUCKET_NAME\"/g" workers/audit-worker/wrangler.jsonc
         echo -e "${GREEN}    ✅ audit-worker configuration updated${NC}"
     fi
 
@@ -162,6 +163,7 @@ update_wrangler_configs() {
         sed -i "s/\"DATA_WORKER_NAME\"/\"$DATA_WORKER_NAME\"/g" workers/data-worker/wrangler.jsonc
         sed -i "s/\"ACCOUNT_ID\"/\"$escaped_account_id\"/g" workers/data-worker/wrangler.jsonc
         sed -i "s/\"DATA_BUCKET_NAME\"/\"$DATA_BUCKET_NAME\"/g" workers/data-worker/wrangler.jsonc
+        sed -i "s/\"CONFIG_BUCKET_NAME\"/\"$CONFIG_BUCKET_NAME\"/g" workers/data-worker/wrangler.jsonc
         echo -e "${GREEN}    ✅ data-worker configuration updated${NC}"
     fi
 
@@ -170,6 +172,7 @@ update_wrangler_configs() {
         sed -i "s/\"IMAGES_WORKER_NAME\"/\"$IMAGES_WORKER_NAME\"/g" workers/image-worker/wrangler.jsonc
         sed -i "s/\"ACCOUNT_ID\"/\"$escaped_account_id\"/g" workers/image-worker/wrangler.jsonc
         sed -i "s/\"FILES_BUCKET_NAME\"/\"$FILES_BUCKET_NAME\"/g" workers/image-worker/wrangler.jsonc
+        sed -i "s/\"CONFIG_BUCKET_NAME\"/\"$CONFIG_BUCKET_NAME\"/g" workers/image-worker/wrangler.jsonc
         echo -e "${GREEN}    ✅ image-worker configuration updated${NC}"
     fi
 
@@ -197,6 +200,7 @@ update_wrangler_configs() {
         sed -i "s/\"KV_STORE_ID\"/\"$KV_STORE_ID\"/g" workers/user-worker/wrangler.jsonc
         sed -i "s/\"DATA_BUCKET_NAME\"/\"$DATA_BUCKET_NAME\"/g" workers/user-worker/wrangler.jsonc
         sed -i "s/\"FILES_BUCKET_NAME\"/\"$FILES_BUCKET_NAME\"/g" workers/user-worker/wrangler.jsonc
+        sed -i "s/\"CONFIG_BUCKET_NAME\"/\"$CONFIG_BUCKET_NAME\"/g" workers/user-worker/wrangler.jsonc
         echo -e "${GREEN}    ✅ user-worker configuration updated${NC}"
     fi
 
@@ -216,20 +220,34 @@ update_wrangler_configs() {
 
     if [ -f "app/config/config.json" ]; then
         echo -e "${YELLOW}    Updating app/config/config.json...${NC}"
-        local escaped_manifest_signing_key_id
-        local escaped_manifest_signing_public_key
-        local escaped_export_encryption_key_id
-        local escaped_export_encryption_public_key
-        escaped_manifest_signing_key_id=$(escape_for_sed_replacement "$MANIFEST_SIGNING_KEY_ID")
-        escaped_manifest_signing_public_key=$(escape_for_sed_replacement "$MANIFEST_SIGNING_PUBLIC_KEY")
-        escaped_export_encryption_key_id=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_KEY_ID")
-        escaped_export_encryption_public_key=$(escape_for_sed_replacement "$EXPORT_ENCRYPTION_PUBLIC_KEY")
-
-        sed -i "s|\"url\": \"[^\"]*\"|\"url\": \"https://$escaped_pages_custom_domain\"|g" app/config/config.json
-        sed -i "s|\"MANIFEST_SIGNING_KEY_ID\"|\"$escaped_manifest_signing_key_id\"|g" app/config/config.json
-        sed -i "s|\"MANIFEST_SIGNING_PUBLIC_KEY\"|\"$escaped_manifest_signing_public_key\"|g" app/config/config.json
-        sed -i "s|\"EXPORT_ENCRYPTION_KEY_ID\"|\"$escaped_export_encryption_key_id\"|g" app/config/config.json
-        sed -i "s|\"EXPORT_ENCRYPTION_PUBLIC_KEY\"|\"$escaped_export_encryption_public_key\"|g" app/config/config.json
+        if ! node -e "
+const fs = require('fs');
+const path = process.argv[1];
+const config = JSON.parse(fs.readFileSync(path, 'utf8'));
+
+config.url = 'https://' + process.env.PAGES_CUSTOM_DOMAIN;
+
+config.manifest_signing_key_id = process.env.MANIFEST_SIGNING_KEY_ID;
+config.manifest_signing_public_key = process.env.MANIFEST_SIGNING_PUBLIC_KEY.replace(/\\\\n/g, '\n');
+
+if (!config.manifest_signing_public_keys || typeof config.manifest_signing_public_keys !== 'object') {
+    config.manifest_signing_public_keys = {};
+}
+config.manifest_signing_public_keys[process.env.MANIFEST_SIGNING_KEY_ID] = config.manifest_signing_public_key;
+
+config.export_encryption_key_id = process.env.EXPORT_ENCRYPTION_KEY_ID;
+config.export_encryption_public_key = process.env.EXPORT_ENCRYPTION_PUBLIC_KEY.replace(/\\\\n/g, '\n');
+
+if (!config.export_encryption_public_keys || typeof config.export_encryption_public_keys !== 'object') {
+    config.export_encryption_public_keys = {};
+}
+config.export_encryption_public_keys[process.env.EXPORT_ENCRYPTION_KEY_ID] = config.export_encryption_public_key;
+
+fs.writeFileSync(path, JSON.stringify(config, null, 2) + '\n', 'utf8');
+" "app/config/config.json"; then
+            echo -e "${RED}❌ Error: Failed to update app/config/config.json${NC}"
+            exit 1
+        fi
         echo -e "${GREEN}      ✅ app config.json updated${NC}"
     fi
 

package/scripts/deploy-config/modules/validation.sh

@@ -102,6 +102,7 @@ required_vars=(
     "DATA_BUCKET_NAME"
     "AUDIT_BUCKET_NAME"
     "FILES_BUCKET_NAME"
+    "CONFIG_BUCKET_NAME"
     "KV_STORE_ID"
     "STRIAE_LISTS_KV_ID"
 
@@ -279,11 +280,15 @@ validate_generated_configs() {
     assert_contains_literal "workers/pdf-worker/wrangler.jsonc" "$ACCOUNT_ID" "ACCOUNT_ID missing in pdf worker config"
 
     assert_contains_literal "workers/data-worker/wrangler.jsonc" "$DATA_BUCKET_NAME" "DATA_BUCKET_NAME missing in data worker config"
+    assert_contains_literal "workers/data-worker/wrangler.jsonc" "$CONFIG_BUCKET_NAME" "CONFIG_BUCKET_NAME missing in data worker config"
     assert_contains_literal "workers/audit-worker/wrangler.jsonc" "$AUDIT_BUCKET_NAME" "AUDIT_BUCKET_NAME missing in audit worker config"
+    assert_contains_literal "workers/audit-worker/wrangler.jsonc" "$CONFIG_BUCKET_NAME" "CONFIG_BUCKET_NAME missing in audit worker config"
     assert_contains_literal "workers/image-worker/wrangler.jsonc" "$FILES_BUCKET_NAME" "FILES_BUCKET_NAME missing in image worker config"
+    assert_contains_literal "workers/image-worker/wrangler.jsonc" "$CONFIG_BUCKET_NAME" "CONFIG_BUCKET_NAME missing in image worker config"
     assert_contains_literal "workers/user-worker/wrangler.jsonc" "$KV_STORE_ID" "KV_STORE_ID missing in user worker config"
     assert_contains_literal "workers/user-worker/wrangler.jsonc" "$DATA_BUCKET_NAME" "DATA_BUCKET_NAME missing in user worker config"
     assert_contains_literal "workers/user-worker/wrangler.jsonc" "$FILES_BUCKET_NAME" "FILES_BUCKET_NAME missing in user worker config"
+    assert_contains_literal "workers/user-worker/wrangler.jsonc" "$CONFIG_BUCKET_NAME" "CONFIG_BUCKET_NAME missing in user worker config"
 
     assert_contains_literal "app/config/config.json" "https://$PAGES_CUSTOM_DOMAIN" "PAGES_CUSTOM_DOMAIN missing in app/config/config.json"
     assert_contains_literal "app/config/config.json" "$EXPORT_ENCRYPTION_KEY_ID" "EXPORT_ENCRYPTION_KEY_ID missing in app/config/config.json"
@@ -298,7 +303,7 @@ validate_generated_configs() {
     assert_contains_literal "app/config/firebase.ts" "$MEASUREMENT_ID" "MEASUREMENT_ID missing in app/config/firebase.ts"
 
     local placeholder_pattern
-    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|KV_STORE_ID|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\")"
+    placeholder_pattern="(\"(ACCOUNT_ID|PAGES_PROJECT_NAME|PAGES_CUSTOM_DOMAIN|USER_WORKER_NAME|DATA_WORKER_NAME|AUDIT_WORKER_NAME|IMAGES_WORKER_NAME|PDF_WORKER_NAME|DATA_BUCKET_NAME|AUDIT_BUCKET_NAME|FILES_BUCKET_NAME|CONFIG_BUCKET_NAME|KV_STORE_ID|MANIFEST_SIGNING_KEY_ID|MANIFEST_SIGNING_PUBLIC_KEY|EXPORT_ENCRYPTION_KEY_ID|EXPORT_ENCRYPTION_PUBLIC_KEY|YOUR_FIREBASE_API_KEY|YOUR_FIREBASE_AUTH_DOMAIN|YOUR_FIREBASE_PROJECT_ID|YOUR_FIREBASE_STORAGE_BUCKET|YOUR_FIREBASE_MESSAGING_SENDER_ID|YOUR_FIREBASE_APP_ID|YOUR_FIREBASE_MEASUREMENT_ID)\")"
 
     local files_to_scan=(
         "wrangler.toml"

package/scripts/deploy-worker-secrets.sh

@@ -100,19 +100,11 @@ build_user_worker_secret_list() {
         "PROJECT_ID"
         "FIREBASE_SERVICE_ACCOUNT_EMAIL"
         "FIREBASE_SERVICE_ACCOUNT_PRIVATE_KEY"
+        "REGISTRY_ENCRYPTION_KEY"
     )
 
-    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
-    fi
-
-    if [ -n "${DATA_AT_REST_ENCRYPTION_KEY_ID:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
-    fi
-
-    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
-    fi
+    # DATA_AT_REST_ENCRYPTION_PRIVATE_KEY and KEY_ID are now fetched from
+    # encrypted R2 registries; only the active key ID override is needed.
 
     if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
         secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
@@ -122,10 +114,6 @@ build_user_worker_secret_list() {
         secrets+=("USER_KV_ENCRYPTION_PRIVATE_KEY")
     fi
 
-    if [ -n "${USER_KV_ENCRYPTION_KEYS_JSON:-}" ]; then
-        secrets+=("USER_KV_ENCRYPTION_KEYS_JSON")
-    fi
-
     if [ -n "${USER_KV_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
         secrets+=("USER_KV_ENCRYPTION_ACTIVE_KEY_ID")
     fi
@@ -147,15 +135,12 @@ build_user_worker_secret_list() {
 }
 
 build_audit_worker_secret_list() {
-    local secrets=()
-
-    if [ -n "${DATA_AT_REST_ENCRYPTION_ENABLED:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_ENABLED")
-    fi
+    local secrets=(
+        "REGISTRY_ENCRYPTION_KEY"
+    )
 
-    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
-    fi
+    # Private keys are now fetched from encrypted R2 registries.
+    # DATA_AT_REST_ENCRYPTION_ENABLED is not checked in audit-worker code.
 
     if [ -n "${DATA_AT_REST_ENCRYPTION_PUBLIC_KEY:-}" ]; then
         secrets+=("DATA_AT_REST_ENCRYPTION_PUBLIC_KEY")
@@ -165,10 +150,6 @@ build_audit_worker_secret_list() {
         secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
     fi
 
-    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
-    fi
-
     if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
         secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
     fi
@@ -226,18 +207,20 @@ set_worker_secrets() {
 
 build_data_worker_secret_list() {
     local secrets=(
-        "MANIFEST_SIGNING_PRIVATE_KEY"
-        "MANIFEST_SIGNING_KEY_ID"
-        "EXPORT_ENCRYPTION_PRIVATE_KEY"
-        "EXPORT_ENCRYPTION_KEY_ID"
+        "REGISTRY_ENCRYPTION_KEY"
     )
 
-    if [ -n "${DATA_AT_REST_ENCRYPTION_ENABLED:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_ENABLED")
+    # Private keys and key IDs for manifest signing, export encryption, and
+    # data-at-rest are now fetched from encrypted R2 registries via
+    # fetchKeyRegistryFromR2(). Only active-key-ID overrides and the
+    # registry encryption key are needed as secrets.
+
+    if [ -n "${MANIFEST_SIGNING_ACTIVE_KEY_ID:-}" ]; then
+        secrets+=("MANIFEST_SIGNING_ACTIVE_KEY_ID")
     fi
 
-    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
+    if [ -n "${DATA_AT_REST_ENCRYPTION_ENABLED:-}" ]; then
+        secrets+=("DATA_AT_REST_ENCRYPTION_ENABLED")
     fi
 
     if [ -n "${DATA_AT_REST_ENCRYPTION_PUBLIC_KEY:-}" ]; then
@@ -248,18 +231,10 @@ build_data_worker_secret_list() {
         secrets+=("DATA_AT_REST_ENCRYPTION_KEY_ID")
     fi
 
-    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
-    fi
-
     if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
         secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")
     fi
 
-    if [ -n "${EXPORT_ENCRYPTION_KEYS_JSON:-}" ]; then
-        secrets+=("EXPORT_ENCRYPTION_KEYS_JSON")
-    fi
-
     if [ -n "${EXPORT_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
         secrets+=("EXPORT_ENCRYPTION_ACTIVE_KEY_ID")
     fi
@@ -279,15 +254,10 @@ build_images_worker_secret_list() {
         "DATA_AT_REST_ENCRYPTION_PUBLIC_KEY"
         "DATA_AT_REST_ENCRYPTION_KEY_ID"
         "IMAGE_SIGNED_URL_SECRET"
+        "REGISTRY_ENCRYPTION_KEY"
     )
 
-    if [ -n "${DATA_AT_REST_ENCRYPTION_PRIVATE_KEY:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_PRIVATE_KEY")
-    fi
-
-    if [ -n "${DATA_AT_REST_ENCRYPTION_KEYS_JSON:-}" ]; then
-        secrets+=("DATA_AT_REST_ENCRYPTION_KEYS_JSON")
-    fi
+    # Private keys are now fetched from encrypted R2 registries.
 
     if [ -n "${DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID:-}" ]; then
         secrets+=("DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID")

package/scripts/encrypt-registry.mjs

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+
+/**
+ * Encrypts a key registry JSON file with AES-256-GCM for R2 storage.
+ *
+ * Usage:
+ *   node scripts/encrypt-registry.mjs <input-file> [output-file]
+ *
+ * Reads REGISTRY_ENCRYPTION_KEY from environment (base64-encoded 32 bytes).
+ * If output-file is omitted, writes to stdout.
+ *
+ * The output envelope matches the format expected by
+ * shared/registry/registry-encryption.ts (decryptRegistryJson).
+ */
+
+import { createCipheriv, randomBytes } from 'node:crypto';
+import { readFileSync, writeFileSync } from 'node:fs';
+
+function base64UrlEncode(buffer) {
+  return buffer
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '');
+}
+
+function encryptRegistry(plaintextJson, keyBase64) {
+  // Decode key (accept both standard base64 and base64url)
+  const keyBuffer = Buffer.from(
+    keyBase64.replace(/-/g, '+').replace(/_/g, '/'),
+    'base64'
+  );
+
+  if (keyBuffer.length !== 32) {
+    throw new Error(
+      `REGISTRY_ENCRYPTION_KEY must decode to 32 bytes, got ${keyBuffer.length}`
+    );
+  }
+
+  const iv = randomBytes(12);
+  const cipher = createCipheriv('aes-256-gcm', keyBuffer, iv);
+
+  const encrypted = Buffer.concat([
+    cipher.update(plaintextJson, 'utf8'),
+    cipher.final()
+  ]);
+
+  const authTag = cipher.getAuthTag();
+
+  // AES-GCM ciphertext in WebCrypto includes the auth tag appended
+  const ciphertextWithTag = Buffer.concat([encrypted, authTag]);
+
+  return JSON.stringify(
+    {
+      encrypted: true,
+      algorithm: 'AES-256-GCM',
+      version: '1.0',
+      iv: base64UrlEncode(iv),
+      ciphertext: base64UrlEncode(ciphertextWithTag)
+    },
+    null,
+    2
+  );
+}
+
+// --- Main ---
+
+const inputFile = process.argv[2];
+const outputFile = process.argv[3];
+
+if (!inputFile) {
+  console.error('Usage: node scripts/encrypt-registry.mjs <input-file> [output-file]');
+  process.exit(1);
+}
+
+const keyBase64 = process.env.REGISTRY_ENCRYPTION_KEY;
+if (!keyBase64) {
+  console.error('Error: REGISTRY_ENCRYPTION_KEY environment variable is not set');
+  process.exit(1);
+}
+
+let plaintext;
+try {
+  plaintext = readFileSync(inputFile, 'utf8');
+} catch (err) {
+  console.error(`Error reading input file: ${err.message}`);
+  process.exit(1);
+}
+
+// Validate that input is valid JSON
+try {
+  JSON.parse(plaintext);
+} catch {
+  console.error('Error: input file is not valid JSON');
+  process.exit(1);
+}
+
+const envelope = encryptRegistry(plaintext, keyBase64);
+
+if (outputFile) {
+  writeFileSync(outputFile, envelope, 'utf8');
+} else {
+  process.stdout.write(envelope);
+}

package/scripts/upload-registries.sh

@@ -0,0 +1,146 @@
+#!/bin/bash
+
+# ===================================
+# UPLOAD KEY REGISTRIES TO R2
+# ===================================
+# Extracts key registry JSON from .env and uploads them to the
+# R2 config bucket (CONFIG_BUCKET_NAME) as separate files per scope.
+#
+# Usage: bash ./scripts/upload-registries.sh [--dry-run]
+
+set -e
+set -o pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}📦 Upload Key Registries to R2${NC}"
+echo "================================"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+cd "$PROJECT_ROOT"
+
+dry_run=false
+for arg in "$@"; do
+    case "$arg" in
+        --dry-run)
+            dry_run=true
+            ;;
+        -h|--help)
+            echo "Usage: bash ./scripts/upload-registries.sh [--dry-run]"
+            echo ""
+            echo "Extracts key registries from .env and uploads them to R2."
+            echo ""
+            echo "Options:"
+            echo "  --dry-run   Show what would be uploaded without actually uploading"
+            echo "  -h, --help  Show this help message"
+            exit 0
+            ;;
+        *)
+            echo -e "${RED}❌ Unknown option: $arg${NC}"
+            exit 1
+            ;;
+    esac
+done
+
+# Source .env
+if [ ! -f ".env" ]; then
+    echo -e "${RED}❌ .env file not found. Run deploy-config.sh first.${NC}"
+    exit 1
+fi
+
+set -a
+# shellcheck disable=SC1091
+source .env
+set +a
+
+if [ -z "${CONFIG_BUCKET_NAME:-}" ]; then
+    echo -e "${RED}❌ CONFIG_BUCKET_NAME is not set in .env${NC}"
+    exit 1
+fi
+
+if [ -z "${REGISTRY_ENCRYPTION_KEY:-}" ]; then
+    echo -e "${RED}❌ REGISTRY_ENCRYPTION_KEY is not set in .env${NC}"
+    echo -e "${YELLOW}   Run deploy-config.sh to generate it.${NC}"
+    exit 1
+fi
+
+export REGISTRY_ENCRYPTION_KEY
+
+echo -e "${YELLOW}  Target bucket: ${CONFIG_BUCKET_NAME}${NC}"
+
+TEMP_DIR=$(mktemp -d)
+trap 'rm -rf "$TEMP_DIR"' EXIT
+
+uploaded=0
+skipped=0
+
+upload_registry() {
+    local env_var_name=$1
+    local filename=$2
+    local scope_label=$3
+
+    local value="${!env_var_name:-}"
+
+    if [ -z "$value" ] || [ "$value" = "'{}'" ] || [ "$value" = "{}" ]; then
+        echo -e "${YELLOW}  ⏭️  Skipping ${scope_label}: ${env_var_name} is empty or placeholder${NC}"
+        skipped=$((skipped + 1))
+        return
+    fi
+
+    # Strip outer single quotes if present (from .env quoting)
+    value="${value#\'}"
+    value="${value%\'}"
+
+    # Validate JSON
+    if ! echo "$value" | node -e "process.stdin.resume(); let d=''; process.stdin.on('data',c=>d+=c); process.stdin.on('end',()=>{JSON.parse(d); process.exit(0)})" 2>/dev/null; then
+        echo -e "${RED}  ❌ ${scope_label}: ${env_var_name} is not valid JSON, skipping${NC}"
+        skipped=$((skipped + 1))
+        return
+    fi
+
+    local filepath="${TEMP_DIR}/${filename}"
+    printf '%s' "$value" > "$filepath"
+
+    # Encrypt the registry before upload
+    local encrypted_filepath="${TEMP_DIR}/encrypted-${filename}"
+    if ! node "${SCRIPT_DIR}/encrypt-registry.mjs" "$filepath" "$encrypted_filepath"; then
+        echo -e "${RED}  ❌ ${scope_label}: encryption failed, skipping${NC}"
+        skipped=$((skipped + 1))
+        return
+    fi
+
+    local size
+    size=$(wc -c < "$encrypted_filepath" | tr -d ' ')
+
+    if [ "$dry_run" = "true" ]; then
+        echo -e "${BLUE}  [dry-run] Would upload ${scope_label}: ${filename} (${size} bytes, encrypted)${NC}"
+    else
+        echo -e "${YELLOW}  Uploading ${scope_label}: ${filename} (${size} bytes, encrypted)...${NC}"
+        if wrangler r2 object put "${CONFIG_BUCKET_NAME}/${filename}" --file "$encrypted_filepath" --content-type "application/json" --remote 2>/dev/null; then
+            echo -e "${GREEN}    ✅ ${filename} uploaded${NC}"
+            uploaded=$((uploaded + 1))
+        else
+            echo -e "${RED}    ❌ Failed to upload ${filename}${NC}"
+            exit 1
+        fi
+    fi
+}
+
+echo ""
+
+upload_registry "DATA_AT_REST_ENCRYPTION_KEYS_JSON" "data-at-rest-keys.json" "Data-at-rest encryption"
+upload_registry "EXPORT_ENCRYPTION_KEYS_JSON" "export-encryption-keys.json" "Export encryption"
+upload_registry "MANIFEST_SIGNING_KEYS_JSON" "manifest-signing-keys.json" "Manifest signing"
+upload_registry "USER_KV_ENCRYPTION_KEYS_JSON" "user-kv-encryption-keys.json" "User KV encryption"
+
+echo ""
+if [ "$dry_run" = "true" ]; then
+    echo -e "${BLUE}[dry-run] Would upload ${uploaded} registries, skipped ${skipped}${NC}"
+else
+    echo -e "${GREEN}✅ Uploaded ${uploaded} registries to ${CONFIG_BUCKET_NAME}, skipped ${skipped}${NC}"
+fi

package/shared/registry/r2-key-registry.ts

@@ -0,0 +1,161 @@
+/**
+ * Shared R2-based key registry module.
+ *
+ * Fetches key registries from a shared R2 config bucket instead of
+ * environment secrets (which have a 5.1 kB limit per secret).
+ *
+ * Each scope maps to a separate JSON file in the config bucket:
+ *   - 'data-at-rest'       → data-at-rest-keys.json
+ *   - 'export-encryption'  → export-encryption-keys.json
+ *   - 'manifest-signing'   → manifest-signing-keys.json
+ *   - 'user-kv'            → user-kv-encryption-keys.json
+ *
+ * Registry files are encrypted at rest with AES-256-GCM using
+ * REGISTRY_ENCRYPTION_KEY before upload and decrypted on fetch.
+ */
+
+import { decryptRegistryJson, isEncryptedEnvelope } from './registry-encryption';
+
+export type KeyRegistryScope =
+  | 'data-at-rest'
+  | 'export-encryption'
+  | 'manifest-signing'
+  | 'user-kv';
+
+export interface PrivateKeyRegistry {
+  activeKeyId: string | null;
+  keys: Record<string, string>;
+}
+
+interface KeyRegistryPayload {
+  activeKeyId?: unknown;
+  keys?: unknown;
+}
+
+const SCOPE_FILE_MAP: Record<KeyRegistryScope, string> = {
+  'data-at-rest': 'data-at-rest-keys.json',
+  'export-encryption': 'export-encryption-keys.json',
+  'manifest-signing': 'manifest-signing-keys.json',
+  'user-kv': 'user-kv-encryption-keys.json'
+};
+
+function normalizePrivateKeyPem(rawValue: string): string {
+  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
+}
+
+function getNonEmptyString(value: unknown): string | null {
+  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
+}
+
+/**
+ * Fetches and parses a key registry from R2.
+ *
+ * @param r2Bucket - The STRIAE_CONFIG R2 bucket binding
+ * @param scope - Which registry to fetch
+ * @param activeKeyIdOverride - Optional env-level override for the active key ID
+ * @param registryEncryptionKey - Base64-encoded 32-byte AES-256-GCM key for registry decryption
+ * @returns Parsed registry with normalized PEM keys
+ * @throws If R2 object is missing, decryption fails, JSON is invalid, or no usable keys found
+ */
+export async function fetchKeyRegistryFromR2(
+  r2Bucket: R2Bucket,
+  scope: KeyRegistryScope,
+  activeKeyIdOverride: string | undefined,
+  registryEncryptionKey: string
+): Promise<PrivateKeyRegistry> {
+  const filename = SCOPE_FILE_MAP[scope];
+  const contextLabel = `${scope} key registry`;
+
+  const object = await r2Bucket.get(filename);
+  if (!object) {
+    throw new Error(`${contextLabel}: R2 object "${filename}" not found in config bucket`);
+  }
+
+  const rawJson = await object.text();
+  if (!rawJson || rawJson.trim().length === 0) {
+    throw new Error(`${contextLabel}: R2 object "${filename}" is empty`);
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(rawJson) as unknown;
+  } catch {
+    throw new Error(`${contextLabel}: R2 object "${filename}" is not valid JSON`);
+  }
+
+  if (!isEncryptedEnvelope(parsed)) {
+    throw new Error(`${contextLabel}: R2 object "${filename}" is not an encrypted registry envelope`);
+  }
+
+  let registryJson: string;
+  try {
+    registryJson = await decryptRegistryJson(parsed, registryEncryptionKey);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : 'unknown error';
+    throw new Error(`${contextLabel}: failed to decrypt registry — ${message}`);
+  }
+
+  return parseRegistryJson(registryJson, scope, activeKeyIdOverride);
+}
+
+/**
+ * Parses registry JSON (used both for R2-fetched content and legacy env fallback).
+ */
+export function parseRegistryJson(
+  registryJson: string,
+  scope: KeyRegistryScope,
+  activeKeyIdOverride?: string
+): PrivateKeyRegistry {
+  const contextLabel = `${scope} key registry`;
+  const keys: Record<string, string> = {};
+  const configuredActiveKeyId = getNonEmptyString(activeKeyIdOverride);
+
+  let parsedRegistry: unknown;
+  try {
+    parsedRegistry = JSON.parse(registryJson) as unknown;
+  } catch {
+    throw new Error(`${contextLabel}: JSON is invalid`);
+  }
+
+  if (!parsedRegistry || typeof parsedRegistry !== 'object') {
+    throw new Error(`${contextLabel}: JSON must be an object`);
+  }
+
+  const payload = parsedRegistry as KeyRegistryPayload;
+  const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
+
+  // Support both shapes: { activeKeyId, keys: {...} } and flat { keyId: pem }
+  const rawKeys = payload.keys && typeof payload.keys === 'object'
+    ? payload.keys as Record<string, unknown>
+    : parsedRegistry as Record<string, unknown>;
+
+  for (const [keyId, pemValue] of Object.entries(rawKeys)) {
+    if (keyId === 'activeKeyId' || keyId === 'keys') {
+      continue;
+    }
+
+    const normalizedKeyId = getNonEmptyString(keyId);
+    const normalizedPem = getNonEmptyString(pemValue);
+
+    if (!normalizedKeyId || !normalizedPem) {
+      continue;
+    }
+
+    keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
+  }
+
+  const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
+
+  if (Object.keys(keys).length === 0) {
+    throw new Error(`${contextLabel}: does not contain any usable keys`);
+  }
+
+  if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
+    throw new Error(`${contextLabel}: active key ID "${resolvedActiveKeyId}" is not present in registry`);
+  }
+
+  return {
+    activeKeyId: resolvedActiveKeyId ?? null,
+    keys
+  };
+}