From 26a68afdef98a9f1008c6266f6b62049d2c88109 Mon Sep 17 00:00:00 2001
From: Dominion5254 <musashidisciple@proton.me>
Date: Wed, 18 Feb 2026 13:21:33 -0700
Subject: [PATCH] fix: merge version ranges when adding existing package signer
 (#3125)

* fix: merge version ranges when adding existing package signer

   Previously, add_package_signer unconditionally inserted the new
   version range, overwriting any existing authorization for that signer.
   Now it OR-merges the new range with the existing one, so running
   signer add multiple times accumulates permissions rather than
   replacing them.

* add --merge flag to registry package signer add

  Default behavior remains overwrite. When --merge is passed, the new
  version range is OR-merged with the existing one, allowing admins to
  accumulate permissions incrementally.

* add missing attribute to TS type

* make merge optional

* upsert instead of insert

* VersionRange::None on upsert
---
 core/src/registry/package/signer.rs               | 15 ++++++++++++++-
 sdk/base/lib/osBindings/AddPackageSignerParams.ts |  1 +
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/core/src/registry/package/signer.rs b/core/src/registry/package/signer.rs
index a91e139c2..47ec7b13d 100644
--- a/core/src/registry/package/signer.rs
+++ b/core/src/registry/package/signer.rs
@@ -58,6 +58,9 @@ pub struct AddPackageSignerParams {
     #[arg(long, help = "help.arg.version-range")]
     #[ts(type = "string | null")]
     pub versions: Option<VersionRange>,
+    #[arg(long, help = "help.arg.merge")]
+    #[ts(optional)]
+    pub merge: Option<bool>,
 }
 
 pub async fn add_package_signer(
@@ -66,6 +69,7 @@ pub async fn add_package_signer(
         id,
         signer,
         versions,
+        merge,
     }: AddPackageSignerParams,
 ) -> Result<(), Error> {
     ctx.db
@@ -76,13 +80,22 @@ pub async fn add_package_signer(
                 "unknown signer {signer}"
             );
 
+            let versions = versions.unwrap_or_default();
             db.as_index_mut()
                 .as_package_mut()
                 .as_packages_mut()
                 .as_idx_mut(&id)
                 .or_not_found(&id)?
                 .as_authorized_mut()
-                .insert(&signer, &versions.unwrap_or_default())?;
+                .upsert(&signer, || Ok(VersionRange::None))?
+                .mutate(|existing| {
+                    *existing = if merge.unwrap_or(false) {
+                        VersionRange::or(existing.clone(), versions)
+                    } else {
+                        versions
+                    };
+                    Ok(())
+                })?;
 
             Ok(())
         })
diff --git a/sdk/base/lib/osBindings/AddPackageSignerParams.ts b/sdk/base/lib/osBindings/AddPackageSignerParams.ts
index 2ca630678..e9a7788ff 100644
--- a/sdk/base/lib/osBindings/AddPackageSignerParams.ts
+++ b/sdk/base/lib/osBindings/AddPackageSignerParams.ts
@@ -6,4 +6,5 @@ export type AddPackageSignerParams = {
   id: PackageId
   signer: Guid
   versions: string | null
+  merge?: boolean
 }