fix(infra): trust snet-app on storage networkAcls + replace stub PDFs

The Spring Boot API was returning 500 on PDF download in the deployed
environment because every ADLS Gen2 read failed with HTTP 403
AuthorizationFailure. Root cause: App Service regional VNet integration
traffic was not being trusted by the storage account network rules even
though a Private Endpoint for the dfs sub-resource existed in snet-pe
and DNS resolved to it correctly. Empirically the Private Endpoint alone
is not sufficient for traffic that originates from the App Service VNet
integration's edge agent (sockets show a 169.254/16 link-local source),
so storage rejected every request when defaultAction=Deny.

Fix:
- snet-app now has a Microsoft.Storage service endpoint.
- The storage account networkAcls always allows snet-app via a
  VirtualNetworkRule; publicNetworkAccess stays Enabled (required for
  VirtualNetworkRules to take effect) but defaultAction=Deny + the VNet
  rule provide the equivalent restriction.
- main.bicep wires vnet.outputs.appSubnetId into the storage module.
- deploy.ps1 doc comments updated to describe the new posture; Step 10
  message no longer references a Private Endpoint that the app does not
  actually traverse.

Also fixes the PDF seed data: the original five files were hand-rolled
single-line stubs (~568 bytes each) that rendered as a near-empty page.
A new scripts/generate-sample-evidence.ps1 produces dependency-free
multi-page PDFs (~5-7 KB each) with synthetic but realistic narrative
content per evidence type (witness statement, forensic report, chain
of custody, surveillance log, contract agreement). The script is
idempotent and can be re-run any time.

A repo-level .gitattributes is added so PDFs and other binary assets
are checked out byte-exact on Windows clones (Git was about to rewrite
LF -> CRLF inside the PDF byte stream and corrupt the xref table).

Author: emmanuelknafo

.gitattributes

@@ -0,0 +1,46 @@
+# ---------------------------------------------------------------------------
+# .gitattributes
+#
+# Force binary handling for file types that must NOT be touched by Git's
+# line-ending normalisation. Without this, the PDF seed evidence files
+# under sample-app/api/src/main/resources/data/sample-evidence/ get
+# corrupted on Windows checkouts because Git rewrites LF -> CRLF inside
+# the byte stream, breaking the PDF cross-reference table.
+# ---------------------------------------------------------------------------
+
+# Documents
+*.pdf  binary
+*.doc  binary
+*.docx binary
+*.xls  binary
+*.xlsx binary
+*.ppt  binary
+*.pptx binary
+
+# Images
+*.png  binary
+*.jpg  binary
+*.jpeg binary
+*.gif  binary
+*.ico  binary
+*.webp binary
+
+# Archives
+*.zip  binary
+*.gz   binary
+*.tar  binary
+*.7z   binary
+*.jar  binary
+*.war  binary
+
+# Fonts
+*.ttf  binary
+*.otf  binary
+*.woff  binary
+*.woff2 binary
+
+# Media
+*.mp3 binary
+*.mp4 binary
+*.mov binary
+*.wav binary

infra/main.bicep

@@ -100,6 +100,7 @@ module storageAccount 'modules/storage-account.bicep' = {
     location: location
     tags: tags
     deployerIp: deployerIp
+    appSubnetId: vnet.outputs.appSubnetId
   }
 }
 

infra/modules/storage-account.bicep

@@ -4,14 +4,23 @@
 // Posture:
 //   * isHnsEnabled = true            → Azure Data Lake Storage Gen2.
 //   * allowSharedKeyAccess = false   → only Entra ID (OAuth + RBAC) auth.
-//   * publicNetworkAccess = Disabled → reachable only via Private Endpoint.
+//   * publicNetworkAccess = Enabled  → required for VirtualNetworkRules to
+//                                      take effect (Disabled would cause
+//                                      storage to reject every request
+//                                      that doesn't traverse a Private
+//                                      Endpoint, including snet-app
+//                                      traffic that arrives via the
+//                                      regional VNet integration).
 //   * networkAcls.defaultAction = Deny.
+//   * virtualNetworkRules                 → snet-app is always allowed
+//                                      (App Service VNet integration).
+//   * ipRules                        → optional deployer IP for seeding.
 //   * allowBlobPublicAccess = false  → no anonymous access.
 //
 // Optional: a single deployer IP can be temporarily added to networkAcls.
 // ipRules so seeding scripts can upload sample evidence over OAuth before
-// the App Service starts using the private endpoint. Pass an empty string
-// to omit.
+// the App Service starts serving real traffic. Pass an empty string to
+// remove it.
 // ---------------------------------------------------------------------------
 
 @description('Globally unique storage account name (3-24 lowercase alphanumeric).')
@@ -25,6 +34,9 @@ param location string
 @description('Resource tags.')
 param tags object = {}
 
+@description('Resource ID of the App Service VNet-integration subnet (snet-app). The subnet must have a Microsoft.Storage service endpoint enabled.')
+param appSubnetId string
+
 @description('Optional public IP (or CIDR) of the deployer to temporarily allow over Entra ID auth (e.g. for sample-evidence seeding). Leave empty to keep the account fully private.')
 param deployerIp string = ''
 
@@ -45,7 +57,10 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
     allowBlobPublicAccess: false
     allowSharedKeyAccess: false
     defaultToOAuthAuthentication: true
-    publicNetworkAccess: hasDeployerIp ? 'Enabled' : 'Disabled'
+    // VirtualNetworkRules require publicNetworkAccess = Enabled.
+    // defaultAction = Deny still rejects everything that doesn't match
+    // a network rule.
+    publicNetworkAccess: 'Enabled'
     networkAcls: {
       bypass: 'AzureServices'
       defaultAction: 'Deny'
@@ -55,7 +70,12 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
           action: 'Allow'
         }
       ] : []
-      virtualNetworkRules: []
+      virtualNetworkRules: [
+        {
+          id: appSubnetId
+          action: 'Allow'
+        }
+      ]
     }
   }
 }

infra/modules/vnet.bicep

@@ -47,8 +47,19 @@ resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
               }
             }
           ]
-          // Allow App Service to reach the storage private endpoint
-          serviceEndpoints: []
+          // Microsoft.Storage service endpoint is REQUIRED for the App
+          // Service VNet integration to be trusted by the storage account
+          // network rules. Empirically, traffic from the regional VNet
+          // integration does not bypass storage networkAcls via the
+          // Private Endpoint alone — the storage account must explicitly
+          // allow the snet-app subnet via a VirtualNetworkRule, which
+          // only works when this service endpoint is present.
+          serviceEndpoints: [
+            {
+              service: 'Microsoft.Storage'
+              locations: [ location ]
+            }
+          ]
           privateEndpointNetworkPolicies: 'Enabled'
           privateLinkServiceNetworkPolicies: 'Enabled'
         }

sample-app/api/src/main/resources/data/sample-evidence/chain-of-custody.pdf

@@ -12,13 +12,15 @@
       3. Generates a globally-unique storage account name.
       4. Creates the resource group if needed.
       5. Detects the deployer's public IP + Entra principal objectId.
-      6. Deploys infra (VNet with snet-app + snet-pe, App Service Plan,
-         two App Services with Regional VNet integration, hardened ADLS
-         Gen2 storage with shared keys disabled and publicNetworkAccess
-         off, Private Endpoint on the dfs sub-resource, Private DNS Zone
-         privatelink.dfs.<storage suffix>, App Insights, MI role
-         assignments) via Bicep. The deployer IP is added to storage
-         networkAcls only for the duration of the seeding step.
+      7. Deploys infra (VNet with snet-app + snet-pe, snet-app has a
+         Microsoft.Storage service endpoint, App Service Plan, two App
+         Services with Regional VNet integration, hardened ADLS Gen2
+         storage with shared keys disabled, defaultAction=Deny + a
+         VirtualNetworkRule allowing snet-app, Private Endpoint on the
+         dfs sub-resource, Private DNS Zone privatelink.dfs.<storage
+         suffix>, App Insights, MI role assignments) via Bicep. The
+         deployer IP is added to storage networkAcls only for the
+         duration of the seeding step.
       7. Patches environment.prod.ts with the deployed App Service URLs +
          App Insights connection string + tenant/client IDs.
       8. Builds the Angular SPA (production) and packages the Spring Boot API.
@@ -27,9 +29,10 @@
          SPA app registration (via Graph).
      11. Uploads the bundled sample evidence PDFs over OAuth (Storage Blob
          Data Contributor RBAC, no shared keys) to the storage container.
-     12. Re-deploys the storage module with deployerIp='' to flip
-         publicNetworkAccess back to Disabled (App Services keep working
-         via the Private Endpoint).
+     12. Re-deploys the storage module with deployerIp='' to remove the
+         deployer's IP from networkAcls (App Services keep working via
+         the snet-app VirtualNetworkRule + Microsoft.Storage service
+         endpoint).
      13. Runs smoke verification: API /api/cases responds, SPA returns 200.
 
     All steps are idempotent and safe to re-run.
@@ -402,9 +405,12 @@ if (-not $SkipUpload) {
 # ---------------------------------------------------------------------------
 Write-Section 'Step 10: Locking down storage (removing temporary deployer IP)'
 
-# Re-deploy with deployerIp='' so storage publicNetworkAccess flips back to
-# Disabled. The App Services keep working because they reach storage via
-# the Private Endpoint inside the integrated VNet.
+# Re-deploy with deployerIp='' so the seeding allow-rule is removed.
+# The App Services keep working because storage networkAcls trust snet-app
+# via a VirtualNetworkRule + the Microsoft.Storage service endpoint on the
+# subnet (publicNetworkAccess stays Enabled by design — Disabled would
+# block VNet rules; defaultAction=Deny + the VNet rule provide the
+# equivalent restriction).
 az deployment group create `
     --resource-group $ResourceGroup `
     --template-file "$RepoRoot/infra/main.bicep" `
@@ -419,7 +425,7 @@ az deployment group create `
                  deployerPrincipalId=$deployerObjectId `
                  deployerPrincipalType=$deployerSpType `
     --output none
-Write-Host '    Storage networkAcls now reject all public traffic. App Services reach storage via Private Endpoint.'
+Write-Host '    Storage networkAcls trust snet-app only. Public traffic (other than App Services via VNet integration) is denied.'
 
 # ---------------------------------------------------------------------------
 # Step 11 — Smoke verification