Make SignatureAndPayloadConfig and PolicyBindingConfig initializers public

[arkavo-com]

Issue

The SignatureAndPayloadConfig and PolicyBindingConfig structs have internal initializers, preventing external packages from using the signature functionality.

Current Behavior

// In external package using OpenTDFKit
let config = SignatureAndPayloadConfig(
    signed: true,
    signatureCurve: .secp256r1,
    payloadCipher: .aes256GCM128
)
// Error: 'SignatureAndPayloadConfig' initializer is inaccessible due to 'internal' protection level

The addSignatureToNanoTDF() function is public and documented, but cannot be used because the required SignatureAndPayloadConfig parameter cannot be constructed externally.

Expected Behavior

Users should be able to create signed NanoTDFs from external packages:

import OpenTDFKit
import CryptoKit

var nanoTDF = try await createNanoTDF(...)

let config = SignatureAndPayloadConfig(
    signed: true,
    signatureCurve: .secp256r1,
    payloadCipher: .aes256GCM128
)

let privateKey = P256.Signing.PrivateKey()
try await addSignatureToNanoTDF(
    nanoTDF: &nanoTDF,
    privateKey: privateKey,
    config: config
)

Proposed Solution

Add public initializers to both structs:

SignatureAndPayloadConfig

public struct SignatureAndPayloadConfig: Sendable {
    var signed: Bool
    var signatureCurve: Curve?
    let payloadCipher: Cipher?

    // Add this public initializer
    public init(signed: Bool, signatureCurve: Curve?, payloadCipher: Cipher?) {
        self.signed = signed
        self.signatureCurve = signatureCurve
        self.payloadCipher = payloadCipher
    }

    // ... existing toData() method
}

PolicyBindingConfig

public struct PolicyBindingConfig: Sendable {
    var ecdsaBinding: Bool
    var curve: Curve

    // Add this public initializer
    public init(ecdsaBinding: Bool, curve: Curve) {
        self.ecdsaBinding = ecdsaBinding
        self.curve = curve
    }

    // ... existing toData() method
}

Impact

Without public initializers:

• ❌ Cannot use addSignatureToNanoTDF() from external packages
• ❌ Cannot manually construct NanoTDF headers with custom configs
• ❌ Signature functionality is effectively unusable outside OpenTDFKit itself

With public initializers:

• ✅ Full signature support for external packages
• ✅ Ability to create signed NanoTDFs for NTDF Profile v1.2 chains
• ✅ Custom header configurations for advanced use cases

Use Case

We're implementing NTDF Profile v1.2 Chain of Trust authorization where each link should be signed:

1. Origin Link (PE attestation) - signed by user's DID key
2. Intermediate Link (NPE attestation) - signed by app's key
3. Terminal Link (from IdP) - signed by IdP's key

Currently blocked because we cannot create SignatureAndPayloadConfig to pass to addSignatureToNanoTDF().

Related: arkavo-org/app#160, arkavo-org/app#161

Files to Modify

OpenTDFKit/NanoTDF.swift:

• Lines 523-552: SignatureAndPayloadConfig struct
• Lines 502-521: PolicyBindingConfig struct

Just add public initializers to both structs (3 lines each).

Workaround (Current)

Currently relying on GMAC policy binding instead of signatures, which works but is not ideal for multi-party chains where each party should cryptographically sign their attestation.

Priority

Medium - Signature functionality exists but is inaccessible. GMAC binding provides security, but signatures would enable stronger attestation chains.