@beyondwork/docx-react-component 1.0.97 → 1.0.98

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@beyondwork/docx-react-component",
   "publisher": "beyondwork",
-  "version": "1.0.97",
+  "version": "1.0.98",
   "description": "Embeddable React Word (docx) editor with review, comments, tracked changes, and round-trip OOXML fidelity.",
   "type": "module",
   "sideEffects": [

package/src/api/public-types.ts

@@ -2640,6 +2640,20 @@ export interface AddScopeResult {
 export interface ExportDocxOptions {
   fileName?: string;
   reason?: string;
+  /**
+   * Optional signer for the workflow-payload `<bw:signature>` block
+   * (coord-06 cleanup §3). When present, `buildWorkflowPayloadParts`
+   * computes the signature over the canonicalized payload XML (bw-
+   * canon/1; `<bw:signature>` excluded from hashing) and injects a
+   * `<bw:signature>` element inside `<bw:workflowPayload>`. Reload
+   * passes the extracted signature to `collabSession.attach({ payload
+   * })` where the tamper-gate transitions to `verified` / `tampered`.
+   *
+   * Hosts that don't pass a signer get the trust-on-first-use
+   * (unsigned) behaviour that shipped before — the payload part is
+   * written without a `<bw:signature>` element.
+   */
+  signer?: import("../io/ooxml/payload-signature.ts").PayloadSigner;
   /**
    * Controls the browser download fallback used by the mounted
    * `WordReviewEditor` ref when no host/datastore `saveExport` adapter is

package/src/io/ooxml/payload-signature.ts

@@ -49,6 +49,107 @@ export async function verifyWorkflowPayloadXml(
   return verifier.verify(bytes, sig);
 }
 
+/**
+ * Coord-06 cleanup §3 (2026-04-24) — sign the workflow payload XML and
+ * inject a `<bw:signature>` block into the payload root. The block is
+ * excluded from canonicalization before hashing (see
+ * `canonicalize-payload.ts::stripSignature`) so the signature is
+ * self-consistent: writer and reader both canonicalize-with-signature-
+ * stripped, so the same bytes hash.
+ *
+ * The injection happens inside the root `<bw:workflowPayload>` element,
+ * before the closing tag. Idempotent — re-signing on export re-injects
+ * a fresh signature block, stripping any prior one first.
+ */
+export async function signAndInjectWorkflowPayloadSignature(
+  xml: string,
+  signer: PayloadSigner,
+  now: string = new Date().toISOString(),
+): Promise<string> {
+  const withoutPriorSignature = stripSignatureBlockFromPayload(xml);
+  const signature = await signWorkflowPayloadXml(withoutPriorSignature, signer, now);
+  return injectSignatureBlock(withoutPriorSignature, signature);
+}
+
+/**
+ * Parse a `<bw:signature ...>base64...</bw:signature>` block out of a
+ * workflow payload XML string. Returns `null` when the payload is
+ * unsigned (no `<bw:signature>` found) or when the block is malformed
+ * (missing required attributes / unparseable). Malformed returns null
+ * rather than throwing — the caller flips the tamper-gate to
+ * `"unsigned"` on null and to `"tampered"` only when verification
+ * fails on a well-formed signature block.
+ */
+export function extractWorkflowPayloadSignature(
+  xml: string,
+): PayloadSignature | null {
+  // Match `<bw:signature ...>...</bw:signature>` or self-closing.
+  const re =
+    /<bw:signature\b([^>]*?)(?:\/>|>([\s\S]*?)<\/bw:signature>)/u;
+  const m = re.exec(xml);
+  if (!m) return null;
+  const attrs = parseAttributes(m[1] ?? "");
+  const body = (m[2] ?? "").trim();
+  const algorithm = attrs.algorithm;
+  const keyId = attrs.keyId;
+  const signedAt = attrs.signedAt;
+  const canonicalizationProfile = attrs.canonicalizationProfile;
+  if (!algorithm || !keyId || !signedAt || !canonicalizationProfile) return null;
+  if (algorithm !== "hmac-sha256" && algorithm !== "ed25519") return null;
+  if (canonicalizationProfile !== "bw-canon/1") return null;
+  if (!body) return null;
+  return {
+    algorithm,
+    keyId,
+    signedAt,
+    canonicalizationProfile,
+    value: body,
+  };
+}
+
+function stripSignatureBlockFromPayload(xml: string): string {
+  return xml.replace(
+    /<bw:signature\b[^>]*?(?:\/>|>[\s\S]*?<\/bw:signature>)\s*/u,
+    "",
+  );
+}
+
+function injectSignatureBlock(xml: string, sig: PayloadSignature): string {
+  const block =
+    `<bw:signature algorithm="${escapeAttr(sig.algorithm)}"` +
+    ` keyId="${escapeAttr(sig.keyId)}"` +
+    ` signedAt="${escapeAttr(sig.signedAt)}"` +
+    ` canonicalizationProfile="${escapeAttr(sig.canonicalizationProfile)}">` +
+    `${sig.value}</bw:signature>`;
+  // Inject just before the closing `</bw:workflowPayload>` tag so the
+  // block is a direct child of the root element. Falls back to a
+  // root-tag rewrite if the closing tag isn't the expected shape
+  // (e.g. the root is renamed in a future schema bump).
+  const closeRe = /<\/bw:workflowPayload>\s*$/u;
+  if (closeRe.test(xml)) {
+    return xml.replace(closeRe, `${block}</bw:workflowPayload>`);
+  }
+  return xml.replace(/<\/([^>]+)>\s*$/u, `${block}</$1>`);
+}
+
+function parseAttributes(source: string): Record<string, string> {
+  const out: Record<string, string> = {};
+  const re = /([a-zA-Z_][\w:.-]*)\s*=\s*"([^"]*)"/gu;
+  let m: RegExpExecArray | null;
+  while ((m = re.exec(source)) !== null) {
+    out[m[1]] = m[2];
+  }
+  return out;
+}
+
+function escapeAttr(value: string): string {
+  return value
+    .replaceAll("&", "&amp;")
+    .replaceAll('"', "&quot;")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;");
+}
+
 // HMAC-SHA256 helpers ----------------------------------------------------
 
 /**

package/src/runtime/layout/layout-engine-version.ts

@@ -1025,8 +1025,14 @@
  *   without an upstream bump. Bump here so persisted cache envelopes
  *   re-derive; no algorithm change beyond the floating-drawing clip
  *   widening already covered by the resurrected tests.
+ *
+ *  62 — nested break detection inside wrapped surface blocks. Page and
+ *   column break detection now walks `sdt_block` children and table-cell
+ *   content instead of checking only top-level paragraphs. This honors
+ *   `<w:br w:type="page"/>` inside cover-page SDTs such as the CCEP SOW
+ *   template, changing page assignment from the v61 cache shape.
  */
-export const LAYOUT_ENGINE_VERSION = 61 as const;
+export const LAYOUT_ENGINE_VERSION = 62 as const;
 
 /**
  * Serialization schema version for the LayCache payload (the cache envelope

package/src/session/export/stateful-export-pipeline.ts

@@ -164,6 +164,17 @@ export function ensureHostMetadataParts(
   });
 }
 
+/**
+ * Return shape reports whether a payload part was written AND exposes
+ * the built XML + path so the export pipeline can post-process (e.g.
+ * coord-06 §3 sign-and-inject `<bw:signature>`). Returns `null` when
+ * no payload part was written (no runtime-owned content).
+ */
+export interface EnsureWorkflowPayloadPartsResult {
+  readonly payloadPartPath: string;
+  readonly payloadPartXml: string;
+}
+
 export function ensureWorkflowPayloadParts(
   exportSession: ExportSession,
   sessionState: EditorSessionState,
@@ -174,7 +185,7 @@ export function ensureWorkflowPayloadParts(
     itemPropsPartPath: string;
   },
   editorState?: EditorStatePayload,
-): void {
+): EnsureWorkflowPayloadPartsResult | null {
   const payloadParts = buildWorkflowPayloadParts({
     sourcePackage,
     workflowMetadata: sessionState.workflowMetadata,
@@ -188,7 +199,7 @@ export function ensureWorkflowPayloadParts(
     producerVersion: sessionState.editorBuild,
   });
   if (!payloadParts) {
-    return;
+    return null;
   }
   if (
     payloadParts.payloadPartPath !== resolvedPartPaths.payloadPartPath ||
@@ -228,6 +239,11 @@ export function ensureWorkflowPayloadParts(
     target: WORKFLOW_PAYLOAD_CUSTOM_PROPS_PART_PATH,
     preferredId: "rIdBwWorkflowCustomProps",
   });
+
+  return {
+    payloadPartPath: payloadParts.payloadPartPath,
+    payloadPartXml: payloadParts.payloadPartXml,
+  };
 }
 
 export function hasHostSafeMetadataPackageStructure(sourcePackage: OpcPackage): boolean {

package/src/session/export/stateful-export.ts

@@ -93,6 +93,7 @@ import {
   ensureWorkflowPayloadParts,
   serializeProtectionRangesIntoDocumentXml,
 } from "./stateful-export-pipeline.ts";
+import { signAndInjectWorkflowPayloadSignature } from "../../io/ooxml/payload-signature.ts";
 import {
   assertExportNotBlockedByCompatibility,
   assertNoBlockingPreservedComments,
@@ -612,7 +613,7 @@ export async function runStatefulExport(
 
   // Schema 1.2: pass through editorState payload collected by the
   // runtime channel, with any offload entries folded in above.
-  ensureWorkflowPayloadParts(
+  const payloadResult = ensureWorkflowPayloadParts(
     exportSession,
     sessionState,
     currentDocument,
@@ -621,6 +622,25 @@ export async function runStatefulExport(
     editorStateWithEmbeddings,
   );
 
+  // coord-06 cleanup §3 — if the host supplied a PayloadSigner, sign
+  // the built payload XML and rewrite the customXml/item1.xml part with
+  // a `<bw:signature>` block injected inside the root element. The
+  // canonicalization pass strips the block before hashing so signer
+  // and verifier agree; see `src/io/ooxml/canonicalize-payload.ts`.
+  if (options?.signer && payloadResult) {
+    const signedXml = await signAndInjectWorkflowPayloadSignature(
+      payloadResult.payloadPartXml,
+      options.signer,
+    );
+    const payloadPart = state.sourcePackage.parts.get(payloadResult.payloadPartPath);
+    exportSession.replaceOwnedPart({
+      path: payloadResult.payloadPartPath,
+      bytes: new TextEncoder().encode(signedXml),
+      contentType: payloadPart?.contentType ?? "application/xml",
+      compression: payloadPart?.compression,
+    });
+  }
+
   return {
     bytes: exportSession.serialize(),
     mimeType: DOCX_MIME_TYPE,

package/src/ui-tailwind/editor-surface/preserve-position.ts

@@ -199,6 +199,14 @@ export interface ReplaceStateOptions extends PreservePositionOptions {
    * Tests override it to capture the release callback.
    */
   scheduleMicrotask?: (callback: () => void) => void;
+  /**
+   * Synchronous work that must happen after `view.updateState(newState)`
+   * but before the optional scroll restore. The ProseMirror surface uses
+   * this to dispatch runtime decoration inputs into the PM plugin while
+   * the same captured scroll anchor still protects the whole replacement
+   * cycle.
+   */
+  afterUpdateState?: () => void;
 }
 
 /**
@@ -212,8 +220,9 @@ export interface ReplaceStateOptions extends PreservePositionOptions {
  *      `preserveScrollAnchor: true` and a live `geometryFacet`
  *   2. suppressionRef.current = true
  *   3. view.updateState(newState)      ← PM may fire selection events here
- *   4. (optional) restore scroll anchor
- *   5. queueMicrotask(() => suppressionRef.current = false)
+ *   4. options.afterUpdateState?.()    ← optional decoration/plugin sync
+ *   5. (optional) restore scroll anchor
+ *   6. queueMicrotask(() => suppressionRef.current = false)
  *
  * The microtask release guarantees the flag is still `true` for any
  * synchronous selection-change handler that fires during (3), and
@@ -242,6 +251,7 @@ export function replaceStatePreservingPosition(
     : null;
   options.suppressionRef.current = true;
   options.view.updateState(newState);
+  options.afterUpdateState?.();
   if (preserved) {
     const restored = restorePosition(preserved, options);
     if (!restored) {

package/src/ui-tailwind/editor-surface/tw-prosemirror-surface.tsx

@@ -936,6 +936,7 @@ export const TwProseMirrorSurface = forwardRef<
     recordPerfSample("pm.rebuild");
     incrementInvalidationCounter("pm.laneA.rebuilds");
 
+    let appliedDecorationProps = false;
     if (!viewRef.current) {
       const view = new EditorView(mountRef.current, {
         state,
@@ -960,32 +961,42 @@ export const TwProseMirrorSurface = forwardRef<
       // would move by more than the small local-edit budget, the helper
       // refuses that exact target but restores the captured scrollTop so
       // a PM/browser-origin top jump is not accepted as the final state.
+      // The runtime-decoration plugin is also updated inside the funnel:
+      // its meta transaction can rebuild page-break/widget decorations
+      // synchronously, so it must be included before the final restore.
       //
       // Ordering invariant is regression-guarded by
       // `test/ui-tailwind/editor-surface/preserve-position-ordering.test.ts`.
+      const view = viewRef.current;
       const scrollAnchorPolicy = pendingRebuildScrollAnchorRef.current;
       pendingRebuildScrollAnchorRef.current = null;
       const preserveScrollAnchor = shouldPreserveScrollAnchorForRebuild({
         policy: scrollAnchorPolicy,
-        view: viewRef.current,
+        view,
         geometryFacet: props.geometryFacet,
         previousStory: lastBuiltStoryRef.current,
         nextStory: snapshot.activeStory,
       });
       replaceStatePreservingPosition(
         {
-          view: viewRef.current,
+          view,
           geometryFacet: props.geometryFacet,
           suppressionRef: suppressSelectionEchoRef,
           preserveScrollAnchor,
           maxScrollDeltaPx: BOUNDED_TYPING_SCROLL_RESTORE_MAX_DELTA_PX,
+          afterUpdateState: () => {
+            applyDecorationProps(view, positionMap);
+            appliedDecorationProps = true;
+          },
         },
         state,
       );
     }
     documentBuildKeyRef.current = documentBuildKey;
     lastBuiltStoryRef.current = snapshot.activeStory;
-    applyDecorationProps(viewRef.current, positionMap);
+    if (!appliedDecorationProps) {
+      applyDecorationProps(viewRef.current, positionMap);
+    }
 
     if (activeSearchRef.current) {
       applySearch(