Striae Origins, Episode 2: The Evolution of Striae's Architecture

In Episode 2 of Striae Origins, Stephen Lu traces the architectural evolution of Striae from five boxes scribbled on a piece of paper to a multi-worker, edge-first forensic platform with same-origin API routing, layered security boundaries, data-at-rest encryption, and cryptographic signing. The episode covers how the Twelve-Factor App methodology, Cloudflare Workers’ V8 isolate model, and the unique demands of forensic evidence handling shaped every architectural decision -- and why security was realized as a gradient rather than a switch.

Topics Covered

  • Five Boxes on Paper -- The initial Auth → SPA → (Data, Images, User) sketch, why a defense attorney’s question (“what else did you edit?”) drove the Images/Data separation, and why case ownership lives with the User database instead of alongside case content

  • The Twelve-Factor App -- How Factors I (Codebase), III (Config), IV (Backing Services), VI (Processes), VII (Port Binding), and X (Dev/Prod Parity) apply to Striae’s design

  • UI-First Development -- Building the skeleton React UI before connecting backend workers, and why that sequence defined the API surface

  • Growing the Architecture -- Adding PDF generation, audit logging, and key management; retiring the Keys Worker in favor of distributed key registries

  • Cloudflare Workers and V8 Isolates -- How isolate-based serverless differs from container-based serverless, sub-5ms cold starts, edge-local execution

  • The Five Workers -- User, Data, Audit, Image, and PDF workers as bounded edge services with modular internal architecture

  • Same-Origin API Gateway (v4.0.0) -- Pages Functions at /api/*, Firebase token verification, eliminating CORS, hiding worker secrets from the client

  • The Thin UI Layer -- Action components delegating to API routes; the client bundle containing nothing sensitive

  • Security as a Gradient -- Firebase Auth and transport security first, hash integrity to manifest signing (RSA-PSS), then AES-256-GCM data-at-rest encryption with envelope pattern and key rotation

  • Development Timeline -- Major releases from v1.x through v5.4.x mapped to architectural milestones

Episode 1 Callbacks

  • C++ and encapsulation -- The instinct to separate concerns into bounded modules traces back to learning object-oriented design in high school C++

  • Forensic reasoning as architecture -- The defense attorney’s cross-examination question shaped storage boundaries before any code was written

  • MS-DOS and constraints -- Understanding platform constraints (the 640K barrier) as a design driver, applied now to V8 isolate memory limits and edge compute boundaries

  • Networking the computer lab -- “The layer you can touch is the layer you can attack” -- the basis for making the browser UI a thin, secret-free client

About the Host

Stephen J. Lu is a retired crime scene investigator and forensic firearms examiner with seventeen years of experience in forensic science, including forensic biology, firearms analysis, and crime scene reconstruction. He has testified as an expert witness in state courts in Arizona and California and in U.S. federal court. After retiring from active casework, he earned an Executive MBA and shifted his focus to leadership development, writing, and web development. He is the author of CSI to CEO: What the Dead Can Teach Us About Life and Leadership and the founder and developer of Striae.

About Striae

Striae is a cloud-native, open-source forensic annotation platform for firearms examiners. Built with TypeScript, React, and React Router on Cloudflare’s edge infrastructure (Workers, Pages, KV, R2), it provides secure comparison image annotation, authenticated confirmations, automated report generation, and immutable audit trails. Licensed under Apache 2.0.

Next Episode

Episode 3 goes deeper into Striae’s unique Authenticated Confirmation System: how it came to be, how it digitizes a traditionally paper-based process, and how it ensures integrity and authenticity for firearms examiners. You can find this release in the first week of May.
