@striae-org/striae 7.1.2 → 8.0.0

package/workers/image-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/image-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-05-07",
+  "compatibility_date": "2026-06-07",
   "compatibility_flags": [
     "nodejs_compat"
   ], 
@@ -16,6 +16,10 @@
     {
       "binding": "STRIAE_FILES",
       "bucket_name": "FILES_BUCKET_NAME"
+    },
+    {
+      "binding": "STRIAE_CONFIG",
+      "bucket_name": "CONFIG_BUCKET_NAME"
     }
   ],
 

package/workers/lists-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lists-worker",
-  "version": "7.1.2",
+  "version": "8.0.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.89.1"
+    "wrangler": "^4.98.0"
   }
 }

package/workers/lists-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/lists-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-05-07",
+  "compatibility_date": "2026-06-07",
   "compatibility_flags": [
     "nodejs_compat"
   ],

package/workers/pdf-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pdf-worker",
-  "version": "7.1.2",
+  "version": "8.0.0",
   "private": true,
   "scripts": {
     "generate:assets": "node scripts/generate-assets.js",
@@ -9,6 +9,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.89.1"
+    "wrangler": "^4.98.0"
   }
 }

package/workers/pdf-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/pdf-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-05-07",
+  "compatibility_date": "2026-06-07",
   "compatibility_flags": [
     "nodejs_compat"
   ],

package/workers/user-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "user-worker",
-  "version": "7.1.2",
+  "version": "8.0.0",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.89.1"
+    "wrangler": "^4.98.0"
   }
 }

package/workers/user-worker/src/cleanup/account-deletion.ts

@@ -4,87 +4,22 @@ import { readUserRecord } from '../storage/user-records';
 import type {
   AccountDeletionProgressEvent,
   Env,
-  KeyRegistryPayload,
   PrivateKeyRegistry,
   StoredCaseData
 } from '../types';
+import { fetchKeyRegistryFromR2 } from '../../../../shared/registry/r2-key-registry';
 
 function getNonEmptyString(value: unknown): string | null {
   return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
 }
 
-function normalizePrivateKeyPem(rawValue: string): string {
-  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
-}
-
-function parseDataAtRestPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
-  const keys: Record<string, string> = {};
-  const configuredActiveKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID);
-  const registryJson = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEYS_JSON);
-
-  if (registryJson) {
-    let parsedRegistry: unknown;
-
-    try {
-      parsedRegistry = JSON.parse(registryJson) as unknown;
-    } catch {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON is not valid JSON');
-    }
-
-    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON must be an object');
-    }
-
-    const payload = parsedRegistry as KeyRegistryPayload;
-    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
-    const rawKeys = payload.keys && typeof payload.keys === 'object'
-      ? payload.keys as Record<string, unknown>
-      : parsedRegistry as Record<string, unknown>;
-
-    for (const [keyId, pemValue] of Object.entries(rawKeys)) {
-      if (keyId === 'activeKeyId' || keyId === 'keys') {
-        continue;
-      }
-
-      const normalizedKeyId = getNonEmptyString(keyId);
-      const normalizedPem = getNonEmptyString(pemValue);
-
-      if (!normalizedKeyId || !normalizedPem) {
-        continue;
-      }
-
-      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
-    }
-
-    const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
-
-    if (Object.keys(keys).length === 0) {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON does not contain any usable keys');
-    }
-
-    if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
-      throw new Error('DATA_AT_REST_ENCRYPTION active key ID is not present in registry');
-    }
-
-    return {
-      activeKeyId: resolvedActiveKeyId ?? null,
-      keys
-    };
-  }
-
-  const legacyKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEY_ID);
-  const legacyPrivateKey = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY);
-
-  if (!legacyKeyId || !legacyPrivateKey) {
-    throw new Error('Data-at-rest decryption key registry is not configured');
-  }
-
-  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
-
-  return {
-    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
-    keys
-  };
+async function getDataAtRestPrivateKeyRegistry(env: Env): Promise<PrivateKeyRegistry> {
+  return fetchKeyRegistryFromR2(
+    env.STRIAE_CONFIG,
+    'data-at-rest',
+    env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID,
+    env.REGISTRY_ENCRYPTION_KEY
+  );
 }
 
 function buildPrivateKeyCandidates(
@@ -149,7 +84,7 @@ async function decryptCaseDataWithRegistry(
   envelope: DataAtRestEnvelope,
   env: Env
 ): Promise<string> {
-  const keyRegistry = parseDataAtRestPrivateKeyRegistry(env);
+  const keyRegistry = await getDataAtRestPrivateKeyRegistry(env);
   const candidates = buildPrivateKeyCandidates(getNonEmptyString(envelope.keyId), keyRegistry);
   let lastError: unknown;
 

package/workers/user-worker/src/registry/user-kv.ts

@@ -2,78 +2,21 @@ import { decryptJsonFromUserKv, type UserKvEncryptedRecord } from '../encryption
 import type {
   DecryptionTelemetryOutcome,
   Env,
-  KeyRegistryPayload,
   PrivateKeyRegistry
 } from '../types';
-
-function normalizePrivateKeyPem(rawValue: string): string {
-  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
-}
+import { fetchKeyRegistryFromR2 } from '../../../../shared/registry/r2-key-registry';
 
 function getNonEmptyString(value: unknown): string | null {
   return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
 }
 
-export function parseUserKvPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
-  const keys: Record<string, string> = {};
-  const configuredActiveKeyId = getNonEmptyString(env.USER_KV_ENCRYPTION_ACTIVE_KEY_ID);
-
-  if (getNonEmptyString(env.USER_KV_ENCRYPTION_KEYS_JSON)) {
-    let parsedRegistry: unknown;
-    try {
-      parsedRegistry = JSON.parse(env.USER_KV_ENCRYPTION_KEYS_JSON as string) as unknown;
-    } catch {
-      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON is not valid JSON');
-    }
-
-    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
-      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON must be an object');
-    }
-
-    const payload = parsedRegistry as KeyRegistryPayload;
-    if (!payload.keys || typeof payload.keys !== 'object') {
-      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON must include a keys object');
-    }
-
-    for (const [keyId, pemValue] of Object.entries(payload.keys as Record<string, unknown>)) {
-      const normalizedKeyId = getNonEmptyString(keyId);
-      const normalizedPem = getNonEmptyString(pemValue);
-      if (!normalizedKeyId || !normalizedPem) {
-        continue;
-      }
-
-      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
-    }
-
-    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
-    const activeKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
-
-    if (Object.keys(keys).length === 0) {
-      throw new Error('USER_KV_ENCRYPTION_KEYS_JSON does not contain any usable keys');
-    }
-
-    if (activeKeyId && !keys[activeKeyId]) {
-      throw new Error('USER_KV active key ID is not present in USER_KV_ENCRYPTION_KEYS_JSON');
-    }
-
-    return {
-      activeKeyId: activeKeyId ?? null,
-      keys
-    };
-  }
-
-  const legacyKeyId = getNonEmptyString(env.USER_KV_ENCRYPTION_KEY_ID);
-  const legacyPrivateKey = getNonEmptyString(env.USER_KV_ENCRYPTION_PRIVATE_KEY);
-  if (!legacyKeyId || !legacyPrivateKey) {
-    throw new Error('User KV encryption private key registry is not configured');
-  }
-
-  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
-
-  return {
-    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
-    keys
-  };
+export async function parseUserKvPrivateKeyRegistry(env: Env): Promise<PrivateKeyRegistry> {
+  return fetchKeyRegistryFromR2(
+    env.STRIAE_CONFIG,
+    'user-kv',
+    env.USER_KV_ENCRYPTION_ACTIVE_KEY_ID,
+    env.REGISTRY_ENCRYPTION_KEY
+  );
 }
 
 function buildPrivateKeyCandidates(

package/workers/user-worker/src/storage/user-records.ts

@@ -18,7 +18,7 @@ export async function readUserRecord(env: Env, userUid: string): Promise<UserDat
   }
 
   validateEncryptedRecord(encryptedRecord);
-  const keyRegistry = parseUserKvPrivateKeyRegistry(env);
+  const keyRegistry = await parseUserKvPrivateKeyRegistry(env);
   const decryptedJson = await decryptUserKvRecord(encryptedRecord, keyRegistry);
   return JSON.parse(decryptedJson) as UserData;
 }

package/workers/user-worker/src/types.ts

@@ -2,6 +2,8 @@ export interface Env {
   USER_DB: KVNamespace;
   STRIAE_DATA: R2Bucket;
   STRIAE_FILES: R2Bucket;
+  STRIAE_CONFIG: R2Bucket;
+  REGISTRY_ENCRYPTION_KEY: string;
   DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
   DATA_AT_REST_ENCRYPTION_KEY_ID?: string;
   DATA_AT_REST_ENCRYPTION_KEYS_JSON?: string;

package/workers/user-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/user-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-05-07",
+  "compatibility_date": "2026-06-07",
   "compatibility_flags": [
     "nodejs_compat"
   ], 
@@ -27,6 +27,10 @@
     {
       "binding": "STRIAE_FILES",
       "bucket_name": "FILES_BUCKET_NAME"
+    },
+    {
+      "binding": "STRIAE_CONFIG",
+      "bucket_name": "CONFIG_BUCKET_NAME"
     }
   ],
 

package/wrangler.toml.example

@@ -1,6 +1,6 @@
 #:schema node_modules/wrangler/config-schema.json
 name = "PAGES_PROJECT_NAME"
-compatibility_date = "2026-05-07"
+compatibility_date = "2026-06-07"
 compatibility_flags = ["nodejs_compat"]
 pages_build_output_dir = "./build/client"