@majikah/majik-message 0.2.3 → 0.2.4

package/dist/core/contacts/majik-contact.d.ts

@@ -7,6 +7,8 @@ export type SerializedMajikContact = {
     publicKeyBase64: string;
     mlKey: string;
     majikah_registered?: boolean;
+    edPublicKeyBase64?: string;
+    mlDsaPublicKeyBase64?: string;
 };
 export interface MajikContactMeta {
     label?: string;
@@ -24,6 +26,8 @@ export interface MajikContactData {
     mlKey: string;
     meta?: MajikContactMeta;
     majikah_registered?: boolean;
+    edPublicKeyBase64?: string;
+    mlDsaPublicKeyBase64?: string;
 }
 export interface MajikContactCard {
     id: string;
@@ -31,6 +35,8 @@ export interface MajikContactCard {
     fingerprint: string;
     label: string;
     mlKey: string;
+    edPublicKeyBase64?: string;
+    mlDsaPublicKeyBase64?: string;
 }
 export declare class MajikContactError extends Error {
     cause?: unknown;
@@ -43,6 +49,8 @@ export declare class MajikContact {
     };
     readonly fingerprint: string;
     readonly mlKey: string;
+    readonly edPublicKeyBase64: string;
+    readonly mlDsaPublicKeyBase64: string;
     meta: MajikContactMeta;
     private majikah_registered?;
     constructor(data: MajikContactData);

package/dist/core/contacts/majik-contact.js

@@ -18,6 +18,8 @@ export class MajikContact {
     publicKey;
     fingerprint;
     mlKey;
+    edPublicKeyBase64;
+    mlDsaPublicKeyBase64;
     meta;
     majikah_registered;
     constructor(data) {
@@ -29,6 +31,8 @@ export class MajikContact {
         this.publicKey = data.publicKey;
         this.fingerprint = data.fingerprint;
         this.mlKey = data.mlKey;
+        this.edPublicKeyBase64 = data.edPublicKeyBase64 || "";
+        this.mlDsaPublicKeyBase64 = data.mlDsaPublicKeyBase64 || "";
         this.meta = {
             label: data.meta?.label || "",
             notes: data.meta?.notes || "",
@@ -152,6 +156,8 @@ export class MajikContact {
             publicKeyBase64: await this.getPublicKeyBase64(),
             majikah_registered: this.majikah_registered,
             mlKey: this.mlKey,
+            edPublicKeyBase64: this.edPublicKeyBase64,
+            mlDsaPublicKeyBase64: this.mlDsaPublicKeyBase64,
         };
     }
     /**
@@ -167,6 +173,8 @@ export class MajikContact {
                 publicKey: { raw: publicKeyRaw },
                 majikah_registered: serialized.majikah_registered,
                 mlKey: serialized.mlKey,
+                edPublicKeyBase64: serialized.edPublicKeyBase64,
+                mlDsaPublicKeyBase64: serialized.mlDsaPublicKeyBase64,
             });
         }
         catch (err) {

package/dist/core/crypto/keystore.d.ts

@@ -4,24 +4,6 @@
  * IDB persistence + in-memory cache layer for MajikKey accounts.
  * Replaces MajikKeyStore as the account storage backend for MajikMessage.
  *
- * Design:
- *   - MajikKeyJSON is the canonical storage format (replaces MajikKeyStore.SerializedIdentity)
- *   - MajikKey is the canonical account object (replaces KeyStoreIdentity)
- *   - In-memory Map<id, MajikKey> caches unlocked accounts for the session
- *   - All crypto (KDF, encrypt/decrypt) stays inside MajikKey — this class only does IDB
- *
- * Migration from MajikKeyStore:
- *   Old accounts stored as SerializedIdentity (5 fields, PBKDF2) are loaded via
- *   fromSerializedIdentity() which reconstructs a locked MajikKey from the legacy format.
- *   On next unlock, MajikKey automatically uses the correct KDF (PBKDF2 for old accounts).
- *   On next passphrase change or importFromMnemonicBackup(), the account is fully upgraded.
- *
- * IDB schema:
- *   Store name: "majik-keys"  (separate from old "identities" store — intentional)
- *   Key path: "id"
- *   Value: MajikKeyJSON (full MajikKey serialization)
- *
- *   Legacy store: "identities" (MajikKeyStore format — read-only migration path)
  */
 import { MajikKey, SerializedIdentity } from "@majikah/majik-key";
 /**

package/dist/core/crypto/keystore.js

@@ -4,24 +4,6 @@
  * IDB persistence + in-memory cache layer for MajikKey accounts.
  * Replaces MajikKeyStore as the account storage backend for MajikMessage.
  *
- * Design:
- *   - MajikKeyJSON is the canonical storage format (replaces MajikKeyStore.SerializedIdentity)
- *   - MajikKey is the canonical account object (replaces KeyStoreIdentity)
- *   - In-memory Map<id, MajikKey> caches unlocked accounts for the session
- *   - All crypto (KDF, encrypt/decrypt) stays inside MajikKey — this class only does IDB
- *
- * Migration from MajikKeyStore:
- *   Old accounts stored as SerializedIdentity (5 fields, PBKDF2) are loaded via
- *   fromSerializedIdentity() which reconstructs a locked MajikKey from the legacy format.
- *   On next unlock, MajikKey automatically uses the correct KDF (PBKDF2 for old accounts).
- *   On next passphrase change or importFromMnemonicBackup(), the account is fully upgraded.
- *
- * IDB schema:
- *   Store name: "majik-keys"  (separate from old "identities" store — intentional)
- *   Key path: "id"
- *   Value: MajikKeyJSON (full MajikKey serialization)
- *
- *   Legacy store: "identities" (MajikKeyStore format — read-only migration path)
  */
 import { MajikKey } from "@majikah/majik-key";
 import { base64ToArrayBuffer } from "../utils/utilities";

package/dist/core/types.d.ts

@@ -196,6 +196,10 @@ export interface EncryptFileResult {
      * .mjkb Blob for R2 upload. Equivalent to file.toMJKB().
      */
     binary: Blob;
+    /**
+     * Signed .mjkb Blob for offline or direct sharing. Equivalent to file.toSignedMJKB().
+     */
+    signedBinary: Blob;
 }
 /**
  * Options for MajikMessage.decryptFile().
@@ -213,4 +217,11 @@ export interface DecryptFileOptions {
      * automatically — you rarely need to set this explicitly.
      */
     accountId?: string;
+    /**
+     * The MajikFileJSON metadata row from Supabase.
+     * When provided, the signature field is automatically threaded into
+     * decryptWithMetadata() so the returned signature is populated without
+     * a second parse or round-trip.
+     */
+    metadata?: MajikFileJSON;
 }

package/dist/majik-message.d.ts

@@ -6,6 +6,9 @@ import { MajikContactDirectory, type MajikContactDirectoryData } from "./core/co
 import type { DecryptFileOptions, EncryptFileOptions, EncryptFileResult, MAJIK_API_RESPONSE, MajikMessagePublicKey } from "./core/types";
 import { MajikMessageChat } from "./core/database/chat/majik-message-chat";
 import { MajikMessageIdentity } from "./core/database/system/identity";
+import { MajikKey } from "@majikah/majik-key";
+import { MajikFile, MajikFileJSON } from "@majikah/majik-file";
+import { MajikSignature, type MajikSignatureJSON, type MajikSignerPublicKeys, type VerificationResult } from "@majikah/majik-signature";
 type MajikMessageEvents = "message" | "envelope" | "untrusted" | "error" | "new-account" | "new-contact" | "removed-account" | "removed-contact" | "active-account-change";
 interface MajikMessageStatic<T extends MajikMessage> {
     new (config: MajikMessageConfig, id?: string): T;
@@ -161,13 +164,14 @@ export declare class MajikMessage {
     decryptMajikMessageChat(encryptedPayload: string, recipientId?: string): Promise<string>;
     /**
      * Encrypt a binary file and return everything the caller needs to persist it.
-  
-     * @throws Error if no active account, account has no ML-KEM keys, or a
-     *         recipient cannot be resolved from the contact directory.
-     * @throws MajikFileError on validation failures or crypto errors (re-thrown
-     *         from MajikFile.create() so the caller gets typed errors).
+     * Automatically signs the encrypted .mjkb binary using the active account's
+     * signing keys if available. Falls back to unsigned encryption for legacy
+     * accounts that pre-date signing key support.
      *
-     * @example — self-encrypted user upload
+     * @throws Error if no active account or a recipient cannot be resolved.
+     * @throws MajikFileError on validation or crypto failures (typed, re-thrown).
+     *
+     * @example — self-encrypted user upload, auto-signed
      * ```ts
      * const result = await majik.encryptFile({
      *   data: fileBytes,
@@ -176,64 +180,228 @@ export declare class MajikMessage {
      * });
      * await r2.put(result.metadata.r2_key, result.binary);
      * await supabase.from("majik_files").insert(result.metadata);
-     * ```
-     *
-     * @example — group chat image
-     * ```ts
-     * const result = await majik.encryptFile({
-     *   data: imageBytes,
-     *   context: "chat_image",
-     *   originalName: "photo.png",
-     *   conversationId: "conv_abc123",
-     *   recipientIds: ["contact_id_1", "contact_id_2"],
-     *   isTemporary: true,
-     *   expiresAt: MajikFile.buildExpiryDate(15),
-     * });
+     * // result.metadata.signature is populated if the account has signing keys
      * ```
      */
     encryptFile(options: EncryptFileOptions): Promise<EncryptFileResult>;
     /**
      * Decrypt a .mjkb binary and return the original raw bytes.
      *
+     * When `metadata` is provided, the signature field is automatically
+     * threaded through so callers receive the deserialized MajikSignature
+     * in the result without any extra work. Verify it with verifyMajikFile()
+     * or MajikSignature.verify() after decryption.
+     *
      * Flow:
      *  1. If `accountId` is provided, that account is tried first.
-     *     Otherwise the active account is tried first.
-     *  2. For group files (multiple recipients), if the first account fails,
-     *     every own account is tried in sequence until one succeeds.
-     *     This mirrors the behaviour of decryptEnvelope() for group messages.
-     *  3. Delegates to MajikFile.decrypt() — which handles:
-     *       • .mjkb binary parsing and magic-byte validation
-     *       • Single vs group payload discrimination
-     *       • ML-KEM decapsulation
-     *       • AES-256-GCM decryption
-     *       • Zstd decompression (if the file was compressed)
-     *
-     * @returns Raw plaintext bytes — the original file content before encryption.
+     *  2. For group files, every own account is tried in sequence.
+     *  3. Delegates to MajikFile.decryptWithMetadata() for binary parsing,
+     *     ML-KEM decapsulation, AES-256-GCM decryption, and decompression.
      *
-     * @throws Error if no own account can decrypt the file.
-     * @throws MajikFileError (re-thrown) on corrupt binary, wrong key, or format
-     *         errors — callers can import MajikFileError for typed catch blocks.
+     * @returns Raw plaintext bytes, original filename, MIME type, and
+     *          deserialized MajikSignature (null if unsigned or no metadata).
      *
-     * @example — basic usage
-     * ```ts
-     * const mjkbBlob = await r2.get(metadata.r2_key);
-     * const rawBytes = await majik.decryptFile({ source: mjkbBlob });
-     * const url = URL.createObjectURL(new Blob([rawBytes], { type: metadata.mime_type }));
-     * ```
+     * @throws Error if no own account can decrypt the file.
+     * @throws MajikFileError on corrupt binary, wrong key, or format errors.
      *
-     * @example — explicit account (e.g. non-active account in a multi-account UI)
+     * @example — basic usage with metadata row from Supabase
      * ```ts
-     * const rawBytes = await majik.decryptFile({
-     *   source: mjkbBytes,
-     *   accountId: "acc_xyz",
+     * const mjkbBlob = await r2.get(row.r2_key);
+     * const { bytes, mimeType, signature } = await majik.decryptFile({
+     *   source: mjkbBlob,
+     *   metadata: row,
      * });
+     * if (signature) {
+     *   const result = await majik.verifyMajikFile(file, { contactId: row.user_id });
+     * }
      * ```
      */
     decryptFile(options: DecryptFileOptions): Promise<{
         bytes: Uint8Array;
         originalName: string | null;
         mimeType: string | null;
+        signature: MajikSignature | null;
     }>;
+    /**
+     * Sign an already-created MajikFile using the active (or specified) account
+     * and attach the signature to the instance.
+     *
+     * Use this for deferred signing — when a file was created via create() and
+     * signing happens on a second pass (e.g. after user confirmation in the UI).
+     * For create + sign in one call, use encryptFile() which calls createAndSign().
+     *
+     * The file's binary must be loaded (_binary !== null).
+     * Call file.toJSON() and persist to Supabase after signing to save the signature.
+     *
+     * @example
+     *   await majik.signMajikFile(file);
+     *   await supabase
+     *     .from("majik_files")
+     *     .update({ signature: file.signatureRaw, last_update: file.lastUpdate })
+     *     .eq("id", file.id);
+     */
+    signMajikFile(file: MajikFile, options?: {
+        accountId?: string;
+        contentType?: string;
+        timestamp?: string;
+    }): Promise<MajikSignature>;
+    /**
+     * Verify the signature attached to a MajikFile.
+     *
+     * The file's binary must be loaded — call file.attachBinary(r2Bytes) first
+     * if the instance was restored from a metadata-only Supabase row.
+     *
+     * Signer resolution:
+     *   - contactId: looked up in the contact directory (own accounts included)
+     *   - publicKeyBase64: looked up via contact directory
+     *   - key: used directly (skips directory lookup)
+     *   - none provided: falls back to public keys embedded in the signature
+     *     envelope (self-reported — always cross-check result.signerId)
+     *
+     * Returns null if the file has no signature.
+     *
+     * @example — verify against the file's owner contact
+     *   file.attachBinary(await r2.get(row.r2_key).arrayBuffer());
+     *   const result = await majik.verifyMajikFile(file, {
+     *     contactId: ownerContactId,
+     *   });
+     *   if (result?.valid) console.log("Verified, signed by", result.signerId);
+     */
+    verifyMajikFile(file: MajikFile, options?: {
+        contactId?: string;
+        publicKeyBase64?: string;
+        key?: MajikKey;
+    }): Promise<VerificationResult | null>;
+    /**
+     * Full binary verification of a MajikFile — decrypts first, then verifies
+     * the signature against the recovered plaintext bytes.
+     *
+     * Stronger than verifyMajikFile() because it proves both:
+     *   1. The ciphertext decrypts correctly (AES-GCM auth tag passes)
+     *   2. The plaintext matches what the signer originally signed
+     *
+     * Requires both a decryption identity (own account) and the signer's
+     * public keys. The binary must be loaded.
+     *
+     * @param decryptAccountId  Which own account to use for decryption.
+     *                          Defaults to the active account.
+     *
+     * @example
+     *   const result = await majik.verifyMajikFileBinary(file, {
+     *     contactId: "contact_abc",
+     *   });
+     *   if (result.valid) console.log("Plaintext verified");
+     */
+    verifyMajikFileBinary(file: MajikFile, options?: {
+        contactId?: string;
+        publicKeyBase64?: string;
+        key?: MajikKey;
+        decryptAccountId?: string;
+    }): Promise<VerificationResult>;
+    /**
+     * Check whether the active (or specified) account is the signer of a
+     * MajikFile by comparing fingerprints.
+     *
+     * This is a fast, synchronous fingerprint comparison — it does NOT
+     * cryptographically verify the signature. Use verifyMajikFile() for proof.
+     *
+     * Useful for gating UI actions:
+     *   - Show "Re-sign" button only if the active user is the signer
+     *   - Show "Signed by you" vs "Signed by [contact]" labels
+     *
+     * @returns true if the account's fingerprint matches the envelope's signerId.
+     *          false if the file is unsigned, the account has no signing keys,
+     *          the account is not in the keystore memory cache, or fingerprints
+     *          don't match.
+     *
+     * @example
+     *   if (majik.isActiveAccountSigner(file)) {
+     *     showResignButton();
+     *   }
+     */
+    isActiveAccountSigner(file: MajikFile, accountId?: string): boolean;
+    /**
+     * Return a rich metadata object describing who signed a MajikFile,
+     * without performing cryptographic verification.
+     *
+     * Combines getSignatureInfo() with a contact directory and keystore lookup
+     * so the UI can show a human-readable label (e.g. "Signed by Alice") instead
+     * of a raw fingerprint, and can distinguish own-account signatures from
+     * external ones.
+     *
+     * Synchronous — reads only local state. Call verifyMajikFile() separately
+     * if cryptographic proof is required.
+     *
+     * @returns null if the file is unsigned or the signature is malformed.
+     *
+     * @example
+     *   const info = majik.getMajikFileSignerInfo(file);
+     *   if (info) {
+     *     console.log(info.isOwnAccount ? "Signed by you" : `Signed by ${info.signerLabel}`);
+     *     console.log("at", info.timestamp);
+     *   }
+     */
+    getMajikFileSignerInfo(file: MajikFile): {
+        signerId: string;
+        timestamp: string;
+        contentType?: string;
+        contentHash: string;
+        /** Human-readable contact label if the signer is in the contact directory. */
+        signerLabel: string | null;
+        /** True if the signer is one of your own accounts. */
+        isOwnAccount: boolean;
+        /** True if the signer is in the contact directory (own or external). */
+        isKnownContact: boolean;
+    } | null;
+    /**
+     * Remove the signature from a MajikFile and persist the change.
+     *
+     * A convenience wrapper around file.removeSignature() that handles the
+     * Supabase update in one call. Useful for admin flows or when re-signing
+     * after a file mutation.
+     *
+     * Unlike file.removeSignature() which only mutates the in-memory instance,
+     * this method also returns the updated metadata row ready for upsert.
+     *
+     * Note: removing a signature does not re-encrypt or modify the R2 binary —
+     * only the Supabase metadata row changes.
+     *
+     * @returns The updated MajikFileJSON with signature: null.
+     *
+     * @example
+     *   const updatedRow = majik.unsignMajikFile(file);
+     *   await supabase
+     *     .from("majik_files")
+     *     .update({ signature: null, last_update: updatedRow.last_update })
+     *     .eq("id", file.id);
+     */
+    unsignMajikFile(file: MajikFile): MajikFileJSON;
+    /**
+     * Re-sign a MajikFile — removes any existing signature, then signs
+     * with the active (or specified) account.
+     *
+     * Idempotent: calling this multiple times always produces a fresh signature
+     * from the specified account. Useful after a contact label change or when
+     * rotating signing keys.
+     *
+     * The file's binary must be loaded. Call file.attachBinary() first if needed.
+     * Persist with file.toJSON() after calling this method.
+     *
+     * @returns The new MajikSignature.
+     *
+     * @example
+     *   file.attachBinary(await r2.get(row.r2_key).arrayBuffer());
+     *   const sig = await majik.resignMajikFile(file);
+     *   await supabase
+     *     .from("majik_files")
+     *     .update({ signature: file.signatureRaw, last_update: file.lastUpdate })
+     *     .eq("id", file.id);
+     */
+    resignMajikFile(file: MajikFile, options?: {
+        accountId?: string;
+        contentType?: string;
+        timestamp?: string;
+    }): Promise<MajikSignature>;
     listCachedEnvelopes(offset?: number, limit?: number): Promise<EnvelopeCacheItem[]>;
     clearCachedEnvelopes(): Promise<boolean>;
     /**
@@ -252,6 +420,162 @@ export declare class MajikMessage {
     off(event: MajikMessageEvents, callback?: EventCallback): void;
     private emit;
     private handleEnvelope;
+    /**
+     * Sign raw bytes or a string using the active account.
+     *
+     * The active account is unlocked automatically if needed.
+     * This is the MajikMessage equivalent of MajikSignature.sign() — it resolves
+     * the signing key from the keystore so you don't have to manage it yourself.
+     *
+     * @example
+     *   const sig = await majik.signContent(documentBytes, { contentType: "application/pdf" });
+     *   const b64 = sig.serialize(); // store alongside the document
+     */
+    signContent(content: Uint8Array | string, options?: {
+        contentType?: string;
+        timestamp?: string;
+        accountId?: string;
+    }): Promise<MajikSignature>;
+    /**
+     * Sign a file and embed the signature directly into it using the active account.
+     *
+     * Format is auto-detected from magic bytes — PDF stays PDF, WAV stays WAV, etc.
+     * Strips any existing signature before signing (idempotent re-signing).
+     * The active account is unlocked automatically if needed.
+     *
+     * @example
+     *   const { blob: signedPdf } = await majik.signFile(pdfBlob);
+     *   // signedPdf is a valid PDF with the signature embedded in its metadata
+     *
+     * @example — non-active account
+     *   const { blob } = await majik.signFile(wavBlob, { accountId: "acc_xyz" });
+     */
+    signFile(file: Blob, options?: {
+        contentType?: string;
+        timestamp?: string;
+        mimeType?: string;
+        accountId?: string;
+    }): Promise<{
+        blob: Blob;
+        signature: MajikSignature;
+        handler: string;
+        mimeType: string;
+    }>;
+    /**
+     * Verify raw bytes or a string against a MajikSignature.
+     *
+     * The signer can be identified by:
+     *   - A contact ID from the contact directory
+     *   - A raw base64 public key string (same format used in contacts)
+     *   - A MajikKey instance directly
+     *
+     * If no signer is provided, the public keys embedded in the signature
+     * envelope are used (self-reported — see security note below).
+     *
+     * > ⚠️ When no signer is provided, the extracted public keys are self-reported
+     * > by whoever created the signature. Always cross-check `result.signerId`
+     * > against a known contact fingerprint before trusting the result.
+     *
+     * @example — verify against a known contact
+     *   const result = await majik.verifyContent(docBytes, sig, { contactId: "contact_abc" });
+     *   if (result.valid) console.log("Authentic, signed by:", result.signerId);
+     *
+     * @example — verify using embedded keys (self-reported)
+     *   const result = await majik.verifyContent(docBytes, sig);
+     *   // always check result.signerId matches a known fingerprint
+     */
+    verifyContent(content: Uint8Array | string, signature: MajikSignature | MajikSignatureJSON, options?: {
+        contactId?: string;
+        publicKeyBase64?: string;
+        key?: MajikKey;
+        expectedSignerId?: string;
+    }): Promise<VerificationResult>;
+    /**
+     * Verify a file's embedded signature.
+     *
+     * The signer can be identified by:
+     *   - A contact ID from the contact directory
+     *   - A raw base64 public key string
+     *   - A MajikKey instance directly
+     *
+     * If no signer is provided, the public keys embedded in the signature
+     * envelope are used (self-reported — see security note on verifyContent).
+     *
+     * @example — verify a signed PDF against a known contact
+     *   const result = await majik.verifyFile(signedPdf, { contactId: "contact_abc" });
+     *   if (result.valid) console.log("Verified:", result.signerId, result.timestamp);
+     *
+     * @example — check own signed file using active account
+     *   const result = await majik.verifyFile(signedWav, {
+     *     contactId: majik.getActiveAccount()?.id,
+     *   });
+     */
+    verifyFile(file: Blob, options?: {
+        contactId?: string;
+        publicKeyBase64?: string;
+        key?: MajikKey;
+        expectedSignerId?: string;
+        mimeType?: string;
+    }): Promise<VerificationResult & {
+        handler?: string;
+        reason?: string;
+    }>;
+    /**
+     * Extract the embedded MajikSignature from a file.
+     * Returns a fully typed MajikSignature instance, or null if not found.
+     *
+     * Does not verify — use verifyFile() to verify.
+     *
+     * @example
+     *   const sig = await majik.extractSignature(file);
+     *   if (sig) console.log("Signed by:", sig.signerId, "at", sig.timestamp);
+     */
+    extractSignature(file: Blob, options?: {
+        mimeType?: string;
+    }): Promise<MajikSignature | null>;
+    /**
+     * Return a clean copy of the file with any embedded signature removed.
+     * The returned bytes are exactly what was originally signed.
+     *
+     * Useful before re-processing or re-encrypting a signed file.
+     *
+     * @example
+     *   const originalBlob = await majik.stripSignature(signedMp4);
+     */
+    stripSignature(file: Blob, options?: {
+        mimeType?: string;
+    }): Promise<Blob>;
+    /**
+     * Check whether a file contains an embedded MajikSignature.
+     * Does not verify — purely a structural presence check.
+     *
+     * @example
+     *   if (await majik.isFileSigned(file)) {
+     *     const result = await majik.verifyFile(file, { contactId });
+     *   }
+     */
+    isFileSigned(file: Blob, options?: {
+        mimeType?: string;
+    }): Promise<boolean>;
+    /**
+     * Get the public keys for the active account, ready for use with
+     * MajikSignature.verify() or for sharing with another party.
+     *
+     * Works on locked keys — only reads public fields.
+     *
+     * @example
+     *   const myKeys = await majik.getSigningPublicKeys();
+     *   // share myKeys with someone so they can verify your signatures
+     */
+    getSigningPublicKeys(accountId?: string): Promise<MajikSignerPublicKeys>;
+    /**
+     * Resolve MajikSignerPublicKeys from whichever signer hint was provided.
+     * Returns null if no hint was given (caller should fall back to self-reported keys).
+     *
+     * Mirrors the _resolveRecipients / _resolveFileIdentity pattern used
+     * throughout MajikMessage — consistent account/contact resolution in one place.
+     */
+    private _resolveSignerPublicKeys;
     setPIN(pin: string): Promise<void>;
     clearPIN(): Promise<void>;
     isValidPIN(pin: string): Promise<boolean>;