@majikah/majik-signature 0.0.13 → 0.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/core/embed/majik-embed.js +20 -9
  2. package/package.json +1 -1
package/dist/core/embed/majik-embed.js CHANGED
@@ -112,11 +112,15 @@ export class MajikSignatureEmbed {
112
112
  if (envelope.sealHash) {
113
113
  throw new MajikSignatureError("Cannot sign a sealed envelope. The issuer has locked this file against further signatures.");
114
114
  }
115
- // ── Step 3: Allowlist enforcement ──────────────────────────────────────
116
- const allowlistCheck = checkAllowlist(envelope, key);
117
- if (!allowlistCheck.permitted) {
118
- throw new MajikSignatureAllowlistError(`Signer "${key.fingerprint}" is not permitted to sign this file. ` +
119
- `The file has a signing allowlist established by "${envelope.allowlistSignerId}".`, key.fingerprint);
115
+ // ── Step 3: Allowlist enforcement ──────────────────────────────────────────
116
+ // Issuer always bypasses the allowlist — they established it and control sealing
117
+ const isIssuer = envelope.allowlistSignerId === key.fingerprint;
118
+ if (!isIssuer) {
119
+ const allowlistCheck = checkAllowlist(envelope, key);
120
+ if (!allowlistCheck.permitted) {
121
+ throw new MajikSignatureAllowlistError(`Signer "${key.fingerprint}" is not permitted to sign this file. ` +
122
+ `The file has a signing allowlist established by "${envelope.allowlistSignerId}".`, key.fingerprint);
123
+ }
120
124
  }
121
125
  // ── Step 4: Get clean original bytes ───────────────────────────────────
122
126
  const originalBytes = await handler.strip(bytes);
@@ -289,10 +293,13 @@ export class MajikSignatureEmbed {
289
293
  // "Cannot seal an open-signing file. Sealing is only available for files with an allowlist.",
290
294
  // );
291
295
  // }
292
- // Only the issuer may seal
293
- if (key.fingerprint !== envelope.allowlistSignerId) {
294
- throw new MajikSignatureKeyError(`Only the issuer ("${envelope.allowlistSignerId}") may seal this file. ` +
295
- `Provided key fingerprint: "${key.fingerprint}".`);
296
+ // Must be a restricted multi-sig file (has an allowlist)
297
+ if (!!envelope.allowlist && !!envelope.allowlistSignerId?.trim()) {
298
+ // Only the issuer may seal
299
+ if (key.fingerprint !== envelope.allowlistSignerId) {
300
+ throw new MajikSignatureKeyError(`Only the issuer ("${envelope.allowlistSignerId}") may seal this file. ` +
301
+ `Provided key fingerprint: "${key.fingerprint}".`);
302
+ }
296
303
  }
297
304
  // Already sealed
298
305
  if (envelope.sealHash) {
@@ -428,6 +435,10 @@ export class MajikSignatureEmbed {
428
435
  if (!envelope.allowlist || envelope.allowlist.length === 0) {
429
436
  return { permitted: true };
430
437
  }
438
+ // Issuer bypass — always permitted regardless of allowlist membership
439
+ if (envelope.allowlistSignerId === key.fingerprint) {
440
+ return { permitted: true };
441
+ }
431
442
  // Allowlist present — check all three fields
432
443
  const check = checkAllowlist(envelope, key);
433
444
  if (!check.permitted) {
package/package.json CHANGED
@@ -2,7 +2,7 @@
2
2
  "name": "@majikah/majik-signature",
3
3
  "type": "module",
4
4
  "description": "Majik Signature is a hybrid post-quantum content signing and verification library for the Majikah ecosystem. Built on top of Majik Key, it provides tamper-proof, forgery-resistant digital signatures for any content format — using a dual-algorithm architecture that combines classical Ed25519 with post-quantum ML-DSA-87 (FIPS-204).",
5
- "version": "0.0.13",
5
+ "version": "0.0.15",
6
6
  "license": "Apache-2.0",
7
7
  "author": "Zelijah",
8
8
  "main": "./dist/index.js",