@ibgib/core-gib 0.1.43 → 0.1.44

package/src/keystone/keystone-constants.mts

@@ -1,3 +1,6 @@
+import { HashAlgorithm } from "@ibgib/helper-gib/dist/helpers/utils-helper.mjs";
+import { KeystoneReplenishStrategy } from "./keystone-types.mjs";
+
 export const KEYSTONE_ATOM = "keystone";
 
 // #region KeystoneVerb enum
@@ -25,9 +28,9 @@ export const KeystoneVerb = {
     /**
      * The meta-verb used to authorize structural changes to the Keystone,
      * specifically adding or removing challenge pools.
-     * 
+     *
      * "Root access" to the identity.
-     * 
+     *
      * Basically, this is the verb for the "admin" pool.
      */
     MANAGE: KEYSTONE_VERB_MANAGE,
@@ -44,3 +47,19 @@ export function isKeystoneVerb(value: string): value is KeystoneVerb {
 export const POOL_ID_REVOKE = KEYSTONE_VERB_REVOKE;
 export const POOL_ID_MANAGE = KEYSTONE_VERB_MANAGE;
 export const POOL_ID_DEFAULT = "default";
+
+export const KEYSTONE_CONFIG_DEFAULT_SIZE = 200;
+export const KEYSTONE_CONFIG_DEFAULT_SEQUENTIAL = 2;
+export const KEYSTONE_CONFIG_DEFAULT_RANDOM = 2;
+export const KEYSTONE_CONFIG_DEFAULT_BINDING = 5;
+export const KEYSTONE_CONFIG_DEFAULT_REPLENISH_STRATEGY = KeystoneReplenishStrategy.topUp;
+export const KEYSTONE_CONFIG_DEFAULT_HASH_ALGORITHM = HashAlgorithm.sha_256;
+export const KEYSTONE_CONFIG_DEFAULT_HASH_ROUNDS = 1;
+
+export const KEYSTONE_CONFIG_DEFAULT_SIZE_HIGHSECURITY = 2000;
+export const KEYSTONE_CONFIG_DEFAULT_SEQUENTIAL_HIGHSECURITY = 5;
+export const KEYSTONE_CONFIG_DEFAULT_RANDOM_HIGHSECURITY = 5;
+export const KEYSTONE_CONFIG_DEFAULT_BINDING_HIGHSECURITY = 16;
+export const KEYSTONE_CONFIG_DEFAULT_REPLENISH_STRATEGY_HIGHSECURITY = KeystoneReplenishStrategy.replaceAll;
+export const KEYSTONE_CONFIG_DEFAULT_HASH_ALGORITHM_HIGHSECURITY = HashAlgorithm.sha_256;
+export const KEYSTONE_CONFIG_DEFAULT_HASH_ROUNDS_HIGHSECURITY = 10;

package/src/keystone/keystone-helpers.mts

@@ -8,10 +8,11 @@ import { getGib } from "@ibgib/ts-gib/dist/V1/transforms/transform-helper.mjs";
 
 import { GLOBAL_LOG_A_LOT } from "../core-constants.mjs";
 import { KEYSTONE_ATOM } from "./keystone-constants.mjs";
-import { KeystoneData_V1, KeystoneIbGib_V1, KeystoneIbInfo_V1, KeystoneChallengePool, DeterministicResult, KeystoneProof, KeystonePoolConfig, KeystoneReplenishStrategy, KEYSTONE_REPLENISH_STRATEGY_VALID_VALUES, KeystoneClaim, KeystoneSolution } from "./keystone-types.mjs";
+import { KeystoneData_V1, KeystoneIbGib_V1, KeystoneIb_V1, KeystoneChallengePool, DeterministicResult, KeystoneProof, KeystonePoolConfig, KeystoneReplenishStrategy, KEYSTONE_REPLENISH_STRATEGY_VALID_VALUES, KeystoneClaim, KeystoneSolution } from "./keystone-types.mjs";
 import { MetaspaceService } from "../witness/space/metaspace/metaspace-types.mjs";
 import { IbGibSpaceAny } from "../witness/space/space-base-v1.mjs";
 import { KeystoneStrategyFactory } from "./strategy/keystone-strategy-factory.mjs";
+import { GIB } from "@ibgib/ts-gib/dist/V1/constants.mjs";
 
 const logalot = GLOBAL_LOG_A_LOT;
 
@@ -19,7 +20,7 @@ const logalot = GLOBAL_LOG_A_LOT;
  * space-delimited keystone ib containing select keystone metadata.
  *
  * NOTE: This must match {@link parseKeystoneIb}
- * @see {@link KeystoneIbInfo_V1}
+ * @see {@link KeystoneIb_V1}
  */
 export async function getKeystoneIb({
     keystoneData,
@@ -47,13 +48,13 @@ export async function getKeystoneIb({
 
 /**
  * NOTE: This must match {@link getKeystoneIb}
- * @see {@link KeystoneIbInfo_V1}
+ * @see {@link KeystoneIb_V1}
  */
 export async function parseKeystoneIb({
     ib,
 }: {
     ib: Ib,
-}): Promise<KeystoneIbInfo_V1> {
+}): Promise<KeystoneIb_V1> {
     const lc = `[${parseKeystoneIb.name}]`;
     try {
         if (logalot) { console.log(`${lc} starting... (I: 73cb6832984255ed48b2f44db6a21e25)`); }
@@ -123,7 +124,9 @@ export function getDeterministicRequirements({
         const { gib } = getIbAndGib({ ibGibAddr: targetAddr });
         if (gib) {
             // Get required hex prefixes (e.g. 'a', 'b', 'c', '1')
-            const prefixes = gib.substring(0, behavior.targetBindingChars).toLowerCase();
+            const prefixes = gib !== GIB ?
+                gib.substring(0, behavior.targetBindingChars).toLowerCase() :
+                'abc'; // arbitrary for primitive binding target ibgib
 
             for (const char of prefixes) {
                 // Look in the Explicit Bucket
@@ -200,7 +203,7 @@ export function removeFromBindingMap(
 
 /**
  * Selects the specific pool to use for an operation based on ID, filter criteria, or verb authorization.
- * 
+ *
  * @returns The matching KeystoneChallengePool
  * @throws If no pool matches or if multiple pools match but one was expected.
  */
@@ -216,7 +219,7 @@ export function resolveTargetPool({
      */
     poolId?: string;
     /**
-     * Optional predicate to find a pool. 
+     * Optional predicate to find a pool.
      * Useful for finding delegates via metadata.
      */
     poolFilter?: (pool: KeystoneChallengePool) => boolean;
@@ -276,7 +279,7 @@ export function resolveTargetPool({
 /**
  * Calculates the complete list of Challenge IDs to solve for a given operation.
  * Combines Deterministic requirements (Mandatory/Binding/FIFO) with Stochastic requirements.
- * 
+ *
  * @returns Array of unique challenge IDs.
  */
 export function selectChallengeIds({
@@ -312,7 +315,7 @@ export function selectChallengeIds({
                 throw new Error(`Insufficient challenges for random requirement. Need ${randomCount}, have ${availableIds.length} (E: 9f7a67428515c1e82813158581898125)`);
             }
             // Shuffle & Pick
-            // Note: simple Math.random sort is sufficient for V1 stochastic selection 
+            // Note: simple Math.random sort is sufficient for V1 stochastic selection
             // as we are just picking from valid available options.
             const shuffled = [...availableIds].sort(() => 0.5 - Math.random());
             randomIds.push(...shuffled.slice(0, randomCount));
@@ -347,7 +350,7 @@ export async function generateOpaqueChallengeId({
 /**
  * Calculates the NEXT state of the Challenge Pools given a specific consumption event.
  * Handles TopUp, ReplaceAll, Consume, and ScorchedEarth strategies.
- * 
+ *
  * @returns The new array of KeystoneChallengePools (including the modified one).
  */
 export async function applyReplenishmentStrategy({
@@ -420,7 +423,7 @@ export async function applyReplenishmentStrategy({
             }
         } else if (strategyType === KeystoneReplenishStrategy.consume) {
             consumedIds.forEach(id => delete pool.challenges[id]);
-        } else if (strategyType === KeystoneReplenishStrategy.scorchedEarth) {
+        } else if (strategyType === KeystoneReplenishStrategy.deleteAll) {
             pool.challenges = {};
             pool.bindingMap = {};
         } else {
@@ -441,7 +444,7 @@ export async function applyReplenishmentStrategy({
  * 3. Solves Challenges (Generates Solutions).
  * 4. Replenishes Pool (Calculates the next state of ALL pools).
  * 5. Constructs Proof.
- * 
+ *
  * @returns The resulting Proof and the full list of Next Pools.
  */
 export async function solveAndReplenish({
@@ -512,7 +515,7 @@ export async function solveAndReplenish({
 /**
  * Validates the transition from Prev -> Curr.
  * Enforces Cryptography AND Behavioral Policy.
- * 
+ *
  * @returns Array of validation error strings. Empty array means Valid.
  */
 export async function validateKeystoneTransition({
@@ -525,7 +528,9 @@ export async function validateKeystoneTransition({
     const lc = `[${validateKeystoneTransition.name}]`;
     const errors: string[] = [];
     try {
-        if (!currentIbGib) { throw new Error(`(UNEXPECTED) currentIbGib falsy? (E: 3c0f02655fa8279e386a079ebb604b25)`); }
+        if (!currentIbGib) {
+            throw new Error(`(UNEXPECTED) currentIbGib falsy? (E: 3c0f02655fa8279e386a079ebb604b25)`);
+        }
         if (!prevIbGib) { throw new Error(`(UNEXPECTED) prevIbGib falsy? (E: 0d07c812634d839c784f31b8848ba825)`); }
 
         // intrinsic validation

package/src/keystone/keystone-service-v1.mts

@@ -20,7 +20,7 @@ const logalot = GLOBAL_LOG_A_LOT || true;
 
 /**
  * Facade for managing Keystone Identities.
- * 
+ *
  * Handles Genesis, Authorized Evolution (Signing), and Validation.
  */
 export class KeystoneService_V1 {
@@ -93,9 +93,9 @@ export class KeystoneService_V1 {
 
     /**
      * Signs a claim by solving challenges from a specific pool and evolving the Keystone timeline.
-     * 
+     *
      * Uses a hybrid selection strategy: Mandatory IDs (Alice) + Sequential (FIFO) + Random (Stochastic).
-     * 
+     *
      * Supports Delegation via `poolFilter` to find specific foreign pools.
      */
     async sign({
@@ -122,7 +122,7 @@ export class KeystoneService_V1 {
          */
         poolId?: string;
         /**
-         * Optional predicate to find a pool. 
+         * Optional predicate to find a pool.
          * Useful for finding delegates via metadata without knowing the exact ID.
          * e.g. (p) => p.metadata?.delegate === 'Bob'
          */
@@ -158,7 +158,7 @@ export class KeystoneService_V1 {
             });
 
             // 3. Pay the Cost (Solve & Replenish)
-            // This helper handles the Strategy creation, Secret derivation, Solving, 
+            // This helper handles the Strategy creation, Secret derivation, Solving,
             // and the calculation of the Next state for ALL pools.
             const { proof, nextPools } = await solveAndReplenish({
                 targetPoolId: pool.id,
@@ -196,13 +196,13 @@ export class KeystoneService_V1 {
 
     /**
      * Validates a keystone.
-     * 
+     *
      * ## NOTES
-     * 
+     *
      * Atow (12/22/2025) this only validates the transition from Prev -> Curr.
-     * 
+     *
      * @returns Array of validation error strings. Empty array means Valid.
-     * 
+     *
      * @see {@link validateKeystoneTransition}
      */
     async validate({
@@ -220,11 +220,11 @@ export class KeystoneService_V1 {
 
     /**
      * Permanently revokes the Identity.
-     * 
+     *
      * Logic:
      * 1. Locates the 'revoke' pool.
      * 2. Solves required challenges to prove ownership.
-     * 3. Wipes the pool (via 'scorched-earth' strategy in solveAndReplenish).
+     * 3. Wipes the pool (via the delete all strategy in solveAndReplenish).
      * 4. Sets the revocationInfo on the new frame.
      */
     async revoke({
@@ -270,8 +270,9 @@ export class KeystoneService_V1 {
             if (idsToSolve.length === 0) { throw new Error(`Revocation policy selected 0 challenges? Check config for pool ${pool.id}. Revocation requires proof. (E: 97e5a8356d241ae7b882db791cb1f825)`); }
 
             // 4. Pay the Cost & Scorched Earth
-            // The revoke pool config should have 'replenish: scorched-earth', 
-            // causing solveAndReplenish to return an empty pool in nextPools.
+            // The revoke pool config should have 'replenishStrategy:
+            // KeystoneReplenishStrategy.deleteAll', causing solveAndReplenish
+            // to return an empty pool in nextPools.
             const { proof, nextPools } = await solveAndReplenish({
                 targetPoolId: pool.id,
                 prevPools: prevData.challengePools,
@@ -283,7 +284,7 @@ export class KeystoneService_V1 {
             // warn if nextPools contains pool.id that isn't empty (we were
             // supposed to do "scorched earth" which empties the pool)
             if (nextPools.find(p => p.id === pool.id && Object.keys(p.challenges).length > 0)) {
-                console.warn(`${lc} revocation pool ${pool.id} is not empty after revocation. Is the revocation pool replenish strategy set to ${KeystoneReplenishStrategy.scorchedEarth}? (W: 300c28bc8b98fc3e3c0b0d988344f825)`);
+                console.warn(`${lc} revocation pool ${pool.id} is not empty after revocation. Is the revocation pool replenish strategy set to ${KeystoneReplenishStrategy.deleteAll}? (W: 300c28bc8b98fc3e3c0b0d988344f825)`);
             }
 
             // 5. Construct Revocation Info
@@ -316,11 +317,11 @@ export class KeystoneService_V1 {
 
     /**
      * Structural evolution: Adds new challenge pools to the keystone.
-     * 
-     * Use Case: Adding a delegate (Server) for SSO, adding a recovery key, 
+     *
+     * Use Case: Adding a delegate (Server) for SSO, adding a recovery key,
      * or rotating to a new set of pools.
-     * 
-     * Requires the Master Secret to authorize the change via a pool containing 
+     *
+     * Requires the Master Secret to authorize the change via a pool containing
      * the 'manage' verb.
      */
     async addPools({
@@ -332,14 +333,14 @@ export class KeystoneService_V1 {
     }: {
         latestKeystone: KeystoneIbGib_V1;
         /**
-         * Alice's Master Secret. 
+         * Alice's Master Secret.
          * Required to solve challenges from the Admin/Manage pool to authorize this change.
          */
         masterSecret: string;
         /**
-         * The pools to add. 
-         * NOTE: These are fully constructed Pool objects. 
-         * If they are foreign (Bob's), Alice must have constructed them 
+         * The pools to add.
+         * NOTE: These are fully constructed Pool objects.
+         * If they are foreign (Bob's), Alice must have constructed them
          * using Bob's challenges + Her config restrictions + isForeign=true.
          */
         newPools: KeystoneChallengePool[];

package/src/keystone/keystone-service-v1.respec.mts

@@ -195,12 +195,15 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
 
     firstOfAll(sir, async () => {
         // Use our standard builder to get a valid config object
-        config = createStandardPoolConfig(salt) as KeystonePoolConfig_HashV1;
+        config = createStandardPoolConfig({
+            id: salt,
+            salt,
+        }) as KeystonePoolConfig_HashV1;
     });
 
     await respecfully(sir, 'Derivation Logic', async () => {
 
-        await ifWe(sir, 'derivePoolSecret with same inputs returns same output', async () => {
+        await ifWeMight(sir, 'derivePoolSecret with same inputs returns same output', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
 
             const secretA = await strategy.derivePoolSecret({ masterSecret });
@@ -210,7 +213,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
             iReckon(sir, secretA).asTo('secret length').isGonnaBeTruthy();
         });
 
-        await ifWe(sir, 'derivePoolSecret with different master secret returns different output', async () => {
+        await ifWeMight(sir, 'derivePoolSecret with different master secret returns different output', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
 
             const secretA = await strategy.derivePoolSecret({ masterSecret });
@@ -219,7 +222,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
             iReckon(sir, secretA).asTo('secrets differ').not.willEqual(secretB);
         });
 
-        await ifWe(sir, 'derivePoolSecret with different salt returns different output', async () => {
+        await ifWeMight(sir, 'derivePoolSecret with different salt returns different output', async () => {
             // Modify salt in a copy of config
             const configB = { ...config, salt: "OtherPool" };
             const strategyA = KeystoneStrategyFactory.create({ config });
@@ -234,7 +237,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
 
     await respecfully(sir, 'Challenge/Solution Logic', async () => {
 
-        await ifWe(sir, 'generateSolution -> generateChallenge -> validateSolution loop works', async () => {
+        await ifWeMight(sir, 'generateSolution -> generateChallenge -> validateSolution loop works', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
             const poolSecret = await strategy.derivePoolSecret({ masterSecret });
             const challengeId = "a3ff7843552870fc28bef2b"; // arbitrary random challengeId
@@ -253,7 +256,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
             iReckon(sir, isValid).asTo('valid pair should pass').isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'validateSolution fails for mismatched values', async () => {
+        await ifWeMight(sir, 'validateSolution fails for mismatched values', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
             const poolSecret = await strategy.derivePoolSecret({ masterSecret });
             const challengeId = "8c994f3ed598f150e25513"; // arbitrary random challengeId
@@ -269,7 +272,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
             iReckon(sir, isValid).asTo('tampered solution should fail').isGonnaBeFalse();
         });
 
-        await ifWe(sir, 'validateSolution fails for mismatched challenge hashes', async () => {
+        await ifWeMight(sir, 'validateSolution fails for mismatched challenge hashes', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
             const poolSecret = await strategy.derivePoolSecret({ masterSecret });
 
@@ -310,8 +313,11 @@ await respecfully(sir, 'Suite B: Service Lifecycle', async () => {
     });
 
     await respecfully(sir, 'Genesis', async () => {
-        await ifWe(sir, 'creates a valid genesis frame and persists it', async () => {
-            const config = createStandardPoolConfig(POOL_ID_DEFAULT);
+        await ifWeMight(sir, 'creates a valid genesis frame and persists it', async () => {
+            const config = createStandardPoolConfig({
+                id: POOL_ID_DEFAULT,
+                salt: POOL_ID_DEFAULT,
+            });
 
             genesisKeystone = await service.genesis({
                 masterSecret,
@@ -338,7 +344,7 @@ await respecfully(sir, 'Suite B: Service Lifecycle', async () => {
     });
 
     await respecfully(sir, 'Signing (Evolution)', async () => {
-        await ifWe(sir, 'evolves the keystone with a valid proof', async () => {
+        await ifWeMight(sir, 'evolves the keystone with a valid proof', async () => {
             const claim: Partial<KeystoneClaim> = {
                 target: "comment 123^gib",
                 verb: "post"
@@ -368,7 +374,7 @@ await respecfully(sir, 'Suite B: Service Lifecycle', async () => {
     });
 
     await respecfully(sir, 'Validation', async () => {
-        await ifWe(sir, 'validates the genesis->signed transition', async () => {
+        await ifWeMight(sir, 'validates the genesis->signed transition', async () => {
             const errors = await service.validate({
                 prevIbGib: genesisKeystone,
                 currentIbGib: signedKeystone,
@@ -400,8 +406,13 @@ await respecfully(sir, 'Suite C: Security Vectors', async () => {
         mockMetaspace = new MockMetaspaceService(mockSpace);
 
         // Setup Alice's Identity
-        const config = createStandardPoolConfig(POOL_ID_DEFAULT);
-        config.behavior.size = 10;
+        const config = createStandardPoolConfig({
+            id: POOL_ID_DEFAULT,
+            salt: POOL_ID_DEFAULT,
+            targetBinding: 0,
+            size: 10,
+        });
+        // config.behavior.size = 10;
         genesisKeystone = await service.genesis({
             masterSecret: aliceSecret,
             configs: [config],
@@ -411,7 +422,7 @@ await respecfully(sir, 'Suite C: Security Vectors', async () => {
     });
 
     await respecfully(sir, 'Wrong Secret (Forgery)', async () => {
-        await ifWe(sir, 'prevents creation of forged frames', async () => {
+        await ifWeMight(sir, 'prevents creation of forged frames', async () => {
             const claim: Partial<KeystoneClaim> = { target: "comment 123^gib", verb: "post" };
 
             let errorCaught = false;
@@ -440,10 +451,13 @@ await respecfully(sir, 'Suite C: Security Vectors', async () => {
     });
 
     await respecfully(sir, 'Policy Violation (Restricted Verbs)', async () => {
-        await ifWe(sir, 'throws error if signing forbidden verb with restricted pool', async () => {
+        await ifWeMight(sir, 'throws error if signing forbidden verb with restricted pool', async () => {
             // Create a specific restricted pool config manually
             const restrictedPoolId = "read_only_pool";
-            const restrictedConfig = createStandardPoolConfig(restrictedPoolId);
+            const restrictedConfig = createStandardPoolConfig({
+                id: restrictedPoolId,
+                salt: restrictedPoolId,
+            });
             // Manually restrict it (since Builder defaults to undefined/allow-all)
             restrictedConfig.allowedVerbs = ['read'];
 
@@ -495,8 +509,14 @@ await respecfully(sir, 'Suite D: Revocation', async () => {
         mockMetaspace = new MockMetaspaceService(mockSpace);
 
         // Setup Identity WITH a Revocation Pool
-        const stdConfig = createStandardPoolConfig(POOL_ID_DEFAULT);
-        const revokeConfig = createRevocationPoolConfig(POOL_ID_REVOKE); // Special Config
+        const stdConfig = createStandardPoolConfig({
+            id: POOL_ID_DEFAULT,
+            salt: POOL_ID_DEFAULT,
+        });
+        const revokeConfig = createRevocationPoolConfig({
+            id: POOL_ID_REVOKE,
+            salt: POOL_ID_REVOKE,
+        }); // Special Config
 
         genesisKeystone = await service.genesis({
             masterSecret,
@@ -509,7 +529,7 @@ await respecfully(sir, 'Suite D: Revocation', async () => {
     await respecfully(sir, 'Revoke Lifecycle', async () => {
         let revokedKeystone: KeystoneIbGib_V1;
 
-        await ifWe(sir, 'successfully creates a revocation frame', async () => {
+        await ifWeMight(sir, 'successfully creates a revocation frame', async () => {
             revokedKeystone = await service.revoke({
                 latestKeystone: genesisKeystone,
                 masterSecret,
@@ -527,7 +547,7 @@ await respecfully(sir, 'Suite D: Revocation', async () => {
             iReckon(sir, data.revocationInfo!.proof.claim.verb).willEqual(KEYSTONE_VERB_REVOKE);
         });
 
-        await ifWe(sir, 'validates the revocation frame', async () => {
+        await ifWeMight(sir, 'validates the revocation frame', async () => {
             const errors = await service.validate({
                 prevIbGib: genesisKeystone,
                 currentIbGib: revokedKeystone!,
@@ -538,7 +558,7 @@ await respecfully(sir, 'Suite D: Revocation', async () => {
             iReckon(sir, errors.length).asTo('no validation errors').willEqual(0);
         });
 
-        await ifWe(sir, 'consumed the revocation pool (Scorched Earth)', async () => {
+        await ifWeMight(sir, 'consumed the revocation pool (Scorched Earth)', async () => {
             const data = revokedKeystone!.data!;
             const revokePool = data.challengePools.find(p => p.id === POOL_ID_REVOKE);
 
@@ -568,7 +588,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
 
     // Helper to generate a "Foreign" pool (e.g. from Bob)
     const createForeignPool = async (id: string, verbs: string[] = []): Promise<KeystoneChallengePool> => {
-        const config = createStandardPoolConfig(id);
+        const config = createStandardPoolConfig({ id, salt: id });
         config.allowedVerbs = verbs;
 
         // We use the factory manually here to simulate Bob doing this offline
@@ -605,7 +625,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
         mockMetaspace = new MockMetaspaceService(mockSpace);
 
         // Alice Genesis: Standard pool (allows all verbs, including 'manage')
-        const config = createStandardPoolConfig(POOL_ID_DEFAULT);
+        const config = createStandardPoolConfig({ id: POOL_ID_DEFAULT, salt: POOL_ID_DEFAULT });
         aliceKeystone = await service.genesis({
             masterSecret: aliceSecret,
             configs: [config],
@@ -615,7 +635,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
     });
 
     await respecfully(sir, 'Happy Path', async () => {
-        await ifWe(sir, 'authorizes and adds a foreign pool', async () => {
+        await ifWeMight(sir, 'authorizes and adds a foreign pool', async () => {
             const bobPool = await createForeignPool("pool_bob", ["post"]);
 
             const updatedKeystone = await service.addPools({
@@ -654,9 +674,10 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
     });
 
     await respecfully(sir, 'Permissions & Logic', async () => {
-        await ifWe(sir, 'fails if no pool allows "manage" verb', async () => {
+        await ifWeMight(sir, 'fails if no pool allows "manage" verb', async () => {
             // 1. Create a restricted keystone
-            const restrictedConfig = createStandardPoolConfig("read_only");
+            let id = "read_only";
+            const restrictedConfig = createStandardPoolConfig({ id, salt: id });
             restrictedConfig.allowedVerbs = ['read']; // No 'manage'
 
             const restrictedKeystone = await service.genesis({
@@ -686,7 +707,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
             iReckon(sir, errorCaught).asTo('permission denied').isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'fails on ID collision', async () => {
+        await ifWeMight(sir, 'fails on ID collision', async () => {
             // Try to add "pool_bob" again (it was added in Happy Path)
             const duplicatePool = await createForeignPool("pool_bob");
 
@@ -725,7 +746,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
 
     // Helper to simulate Bob creating a pool "offline" to give to Alice
     const createForeignPool = async (id: string, verbs: string[] = []): Promise<KeystoneChallengePool> => {
-        const config = createStandardPoolConfig(id);
+        const config = createStandardPoolConfig({ id, salt: id });
         config.allowedVerbs = verbs;
 
         // We use the factory manually here to simulate Bob doing this on his own machine
@@ -762,7 +783,10 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
         mockMetaspace = new MockMetaspaceService(mockSpace);
 
         // Alice Genesis: Standard pool (allows all verbs, including 'manage')
-        const config = createStandardPoolConfig(POOL_ID_DEFAULT);
+        const config = createStandardPoolConfig({
+            id: POOL_ID_DEFAULT,
+            salt: POOL_ID_DEFAULT,
+        });
         aliceKeystone = await service.genesis({
             masterSecret: aliceSecret,
             configs: [config],
@@ -772,7 +796,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
     });
 
     await respecfully(sir, 'Happy Path', async () => {
-        await ifWe(sir, 'authorizes and adds a foreign pool', async () => {
+        await ifWeMight(sir, 'authorizes and adds a foreign pool', async () => {
             const bobPool = await createForeignPool("pool_bob", ["post"]);
 
             const updatedKeystone = await service.addPools({
@@ -811,9 +835,10 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
     });
 
     await respecfully(sir, 'Permissions & Logic', async () => {
-        await ifWe(sir, 'fails if no pool allows "manage" verb', async () => {
+        await ifWeMight(sir, 'fails if no pool allows "manage" verb', async () => {
             // 1. Create a restricted keystone (read-only)
-            const restrictedConfig = createStandardPoolConfig("read_only");
+            let id = "read_only";
+            const restrictedConfig = createStandardPoolConfig({ id, salt: id });
             restrictedConfig.allowedVerbs = ['read']; // No 'manage'
 
             const restrictedKeystone = await service.genesis({
@@ -843,7 +868,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
             iReckon(sir, errorCaught).asTo('permission denied').isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'fails on ID collision', async () => {
+        await ifWeMight(sir, 'fails on ID collision', async () => {
             // Try to add "pool_bob" again (it was added in Happy Path)
             const duplicatePool = await createForeignPool("pool_bob");
 
@@ -883,11 +908,13 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
     let signedKeystone: KeystoneIbGib_V1;
 
     // We use a specific hybrid config to test exact selection logic
-    const hybridConfig = createStandardPoolConfig(salt) as KeystonePoolConfig_HashV1;
-    // 2 FIFO + 2 Random = 4 Total per sign
-    hybridConfig.behavior.selectSequentially = 2;
-    hybridConfig.behavior.selectRandomly = 2;
-    hybridConfig.behavior.size = 20; // Small enough to track, large enough to be random
+    const hybridConfig = createStandardPoolConfig({
+        id: salt,
+        salt,
+        // 2 FIFO + 2 Random = 4 Total per sign
+        sequential: 2, random: 2, targetBinding: 0,
+        size: 20, // Small enough to track, large enough to be random
+    }) as KeystonePoolConfig_HashV1;
 
     firstOfAll(sir, async () => {
         mockSpace = new MockIbGibSpace();
@@ -903,7 +930,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
 
     await respecfully(sir, 'Proof Granularity & Math', async () => {
 
-        await ifWe(sir, 'generates exactly the expected number of solutions', async () => {
+        await ifWeMight(sir, 'generates exactly the expected number of solutions', async () => {
             signedKeystone = await service.sign({
                 latestKeystone: genesisKeystone,
                 masterSecret: aliceSecret,
@@ -920,7 +947,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
             iReckon(sir, solutions.length).asTo('solution count').willEqual(4);
         });
 
-        await ifWe(sir, 'verifies the math manually (White-box Crypto Check)', async () => {
+        await ifWeMight(sir, 'verifies the math manually (White-box Crypto Check)', async () => {
             const proof = signedKeystone.data!.proofs[0];
             const poolSnapshot = genesisKeystone.data!.challengePools.find(p => p.id === salt)!;
 
@@ -949,7 +976,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
             }
         });
 
-        await ifWe(sir, 'verifies FIFO logic (Deterministic Selection)', async () => {
+        await ifWeMight(sir, 'verifies FIFO logic (Deterministic Selection)', async () => {
             const proof = signedKeystone.data!.proofs[0];
             const poolSnapshot = genesisKeystone.data!.challengePools.find(p => p.id === salt)!;
 
@@ -971,7 +998,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
 
     await respecfully(sir, 'DTO & Serialization', async () => {
 
-        await ifWe(sir, 'survives a clone/JSON-cycle without corruption', async () => {
+        await ifWeMight(sir, 'survives a clone/JSON-cycle without corruption', async () => {
             // 1. Create a DTO (simulate network transmission/storage)
             // 'clone' does a JSON stringify/parse under the hood (usually) or structured clone.
             const dto = clone(signedKeystone);
@@ -991,7 +1018,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
             iReckon(sir, errors.length).asTo('DTO validation errors').willEqual(0);
         });
 
-        await ifWe(sir, 'ensures data contains no functions or circular refs', async () => {
+        await ifWeMight(sir, 'ensures data contains no functions or circular refs', async () => {
             // A crude but effective test: ensure JSON.stringify doesn't throw
             // and the result is equal to the object (if we parsed it back).
 
@@ -1005,7 +1032,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
             iReckon(sir, parsedSolution).asTo('deep property survives stringify').willEqual(originalSolution);
 
             // Ensure no extra properties were lost
-            // FIX: JSON.stringify removes keys with 'undefined' values. 
+            // FIX: JSON.stringify removes keys with 'undefined' values.
             // We must filter the original keys to match this behavior for a fair comparison.
             const origKeys = Object.keys(signedKeystone.data!)
                 .filter(k => (signedKeystone.data as any)[k] !== undefined);