@ibgib/core-gib 0.1.43 → 0.1.45

package/src/keystone/keystone-service-v1.mts

@@ -20,7 +20,7 @@ const logalot = GLOBAL_LOG_A_LOT || true;
 
 /**
  * Facade for managing Keystone Identities.
- * 
+ *
  * Handles Genesis, Authorized Evolution (Signing), and Validation.
  */
 export class KeystoneService_V1 {
@@ -93,9 +93,9 @@ export class KeystoneService_V1 {
 
     /**
      * Signs a claim by solving challenges from a specific pool and evolving the Keystone timeline.
-     * 
+     *
      * Uses a hybrid selection strategy: Mandatory IDs (Alice) + Sequential (FIFO) + Random (Stochastic).
-     * 
+     *
      * Supports Delegation via `poolFilter` to find specific foreign pools.
      */
     async sign({
@@ -122,7 +122,7 @@ export class KeystoneService_V1 {
          */
         poolId?: string;
         /**
-         * Optional predicate to find a pool. 
+         * Optional predicate to find a pool.
          * Useful for finding delegates via metadata without knowing the exact ID.
          * e.g. (p) => p.metadata?.delegate === 'Bob'
          */
@@ -158,7 +158,7 @@ export class KeystoneService_V1 {
             });
 
             // 3. Pay the Cost (Solve & Replenish)
-            // This helper handles the Strategy creation, Secret derivation, Solving, 
+            // This helper handles the Strategy creation, Secret derivation, Solving,
             // and the calculation of the Next state for ALL pools.
             const { proof, nextPools } = await solveAndReplenish({
                 targetPoolId: pool.id,
@@ -196,13 +196,13 @@ export class KeystoneService_V1 {
 
     /**
      * Validates a keystone.
-     * 
+     *
      * ## NOTES
-     * 
+     *
      * Atow (12/22/2025) this only validates the transition from Prev -> Curr.
-     * 
+     *
      * @returns Array of validation error strings. Empty array means Valid.
-     * 
+     *
      * @see {@link validateKeystoneTransition}
      */
     async validate({
@@ -220,11 +220,11 @@ export class KeystoneService_V1 {
 
     /**
      * Permanently revokes the Identity.
-     * 
+     *
      * Logic:
      * 1. Locates the 'revoke' pool.
      * 2. Solves required challenges to prove ownership.
-     * 3. Wipes the pool (via 'scorched-earth' strategy in solveAndReplenish).
+     * 3. Wipes the pool (via the delete all strategy in solveAndReplenish).
      * 4. Sets the revocationInfo on the new frame.
      */
     async revoke({
@@ -270,8 +270,9 @@ export class KeystoneService_V1 {
             if (idsToSolve.length === 0) { throw new Error(`Revocation policy selected 0 challenges? Check config for pool ${pool.id}. Revocation requires proof. (E: 97e5a8356d241ae7b882db791cb1f825)`); }
 
             // 4. Pay the Cost & Scorched Earth
-            // The revoke pool config should have 'replenish: scorched-earth', 
-            // causing solveAndReplenish to return an empty pool in nextPools.
+            // The revoke pool config should have 'replenishStrategy:
+            // KeystoneReplenishStrategy.deleteAll', causing solveAndReplenish
+            // to return an empty pool in nextPools.
             const { proof, nextPools } = await solveAndReplenish({
                 targetPoolId: pool.id,
                 prevPools: prevData.challengePools,
@@ -283,7 +284,7 @@ export class KeystoneService_V1 {
             // warn if nextPools contains pool.id that isn't empty (we were
             // supposed to do "scorched earth" which empties the pool)
             if (nextPools.find(p => p.id === pool.id && Object.keys(p.challenges).length > 0)) {
-                console.warn(`${lc} revocation pool ${pool.id} is not empty after revocation. Is the revocation pool replenish strategy set to ${KeystoneReplenishStrategy.scorchedEarth}? (W: 300c28bc8b98fc3e3c0b0d988344f825)`);
+                console.warn(`${lc} revocation pool ${pool.id} is not empty after revocation. Is the revocation pool replenish strategy set to ${KeystoneReplenishStrategy.deleteAll}? (W: 300c28bc8b98fc3e3c0b0d988344f825)`);
             }
 
             // 5. Construct Revocation Info
@@ -316,11 +317,11 @@ export class KeystoneService_V1 {
 
     /**
      * Structural evolution: Adds new challenge pools to the keystone.
-     * 
-     * Use Case: Adding a delegate (Server) for SSO, adding a recovery key, 
+     *
+     * Use Case: Adding a delegate (Server) for SSO, adding a recovery key,
      * or rotating to a new set of pools.
-     * 
-     * Requires the Master Secret to authorize the change via a pool containing 
+     *
+     * Requires the Master Secret to authorize the change via a pool containing
      * the 'manage' verb.
      */
     async addPools({
@@ -332,14 +333,14 @@ export class KeystoneService_V1 {
     }: {
         latestKeystone: KeystoneIbGib_V1;
         /**
-         * Alice's Master Secret. 
+         * Alice's Master Secret.
          * Required to solve challenges from the Admin/Manage pool to authorize this change.
          */
         masterSecret: string;
         /**
-         * The pools to add. 
-         * NOTE: These are fully constructed Pool objects. 
-         * If they are foreign (Bob's), Alice must have constructed them 
+         * The pools to add.
+         * NOTE: These are fully constructed Pool objects.
+         * If they are foreign (Bob's), Alice must have constructed them
          * using Bob's challenges + Her config restrictions + isForeign=true.
          */
         newPools: KeystoneChallengePool[];

package/src/keystone/keystone-service-v1.respec.mts

@@ -195,12 +195,15 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
 
     firstOfAll(sir, async () => {
         // Use our standard builder to get a valid config object
-        config = createStandardPoolConfig(salt) as KeystonePoolConfig_HashV1;
+        config = createStandardPoolConfig({
+            id: salt,
+            salt,
+        }) as KeystonePoolConfig_HashV1;
     });
 
     await respecfully(sir, 'Derivation Logic', async () => {
 
-        await ifWe(sir, 'derivePoolSecret with same inputs returns same output', async () => {
+        await ifWeMight(sir, 'derivePoolSecret with same inputs returns same output', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
 
             const secretA = await strategy.derivePoolSecret({ masterSecret });
@@ -210,7 +213,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
             iReckon(sir, secretA).asTo('secret length').isGonnaBeTruthy();
         });
 
-        await ifWe(sir, 'derivePoolSecret with different master secret returns different output', async () => {
+        await ifWeMight(sir, 'derivePoolSecret with different master secret returns different output', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
 
             const secretA = await strategy.derivePoolSecret({ masterSecret });
@@ -219,7 +222,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
             iReckon(sir, secretA).asTo('secrets differ').not.willEqual(secretB);
         });
 
-        await ifWe(sir, 'derivePoolSecret with different salt returns different output', async () => {
+        await ifWeMight(sir, 'derivePoolSecret with different salt returns different output', async () => {
             // Modify salt in a copy of config
             const configB = { ...config, salt: "OtherPool" };
             const strategyA = KeystoneStrategyFactory.create({ config });
@@ -234,7 +237,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
 
     await respecfully(sir, 'Challenge/Solution Logic', async () => {
 
-        await ifWe(sir, 'generateSolution -> generateChallenge -> validateSolution loop works', async () => {
+        await ifWeMight(sir, 'generateSolution -> generateChallenge -> validateSolution loop works', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
             const poolSecret = await strategy.derivePoolSecret({ masterSecret });
             const challengeId = "a3ff7843552870fc28bef2b"; // arbitrary random challengeId
@@ -253,7 +256,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
             iReckon(sir, isValid).asTo('valid pair should pass').isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'validateSolution fails for mismatched values', async () => {
+        await ifWeMight(sir, 'validateSolution fails for mismatched values', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
             const poolSecret = await strategy.derivePoolSecret({ masterSecret });
             const challengeId = "8c994f3ed598f150e25513"; // arbitrary random challengeId
@@ -269,7 +272,7 @@ await respecfully(sir, 'Suite A: Strategy Vectors (HashRevealV1)', async () => {
             iReckon(sir, isValid).asTo('tampered solution should fail').isGonnaBeFalse();
         });
 
-        await ifWe(sir, 'validateSolution fails for mismatched challenge hashes', async () => {
+        await ifWeMight(sir, 'validateSolution fails for mismatched challenge hashes', async () => {
             const strategy = KeystoneStrategyFactory.create({ config });
             const poolSecret = await strategy.derivePoolSecret({ masterSecret });
 
@@ -310,8 +313,11 @@ await respecfully(sir, 'Suite B: Service Lifecycle', async () => {
     });
 
     await respecfully(sir, 'Genesis', async () => {
-        await ifWe(sir, 'creates a valid genesis frame and persists it', async () => {
-            const config = createStandardPoolConfig(POOL_ID_DEFAULT);
+        await ifWeMight(sir, 'creates a valid genesis frame and persists it', async () => {
+            const config = createStandardPoolConfig({
+                id: POOL_ID_DEFAULT,
+                salt: POOL_ID_DEFAULT,
+            });
 
             genesisKeystone = await service.genesis({
                 masterSecret,
@@ -338,7 +344,7 @@ await respecfully(sir, 'Suite B: Service Lifecycle', async () => {
     });
 
     await respecfully(sir, 'Signing (Evolution)', async () => {
-        await ifWe(sir, 'evolves the keystone with a valid proof', async () => {
+        await ifWeMight(sir, 'evolves the keystone with a valid proof', async () => {
             const claim: Partial<KeystoneClaim> = {
                 target: "comment 123^gib",
                 verb: "post"
@@ -368,7 +374,7 @@ await respecfully(sir, 'Suite B: Service Lifecycle', async () => {
     });
 
     await respecfully(sir, 'Validation', async () => {
-        await ifWe(sir, 'validates the genesis->signed transition', async () => {
+        await ifWeMight(sir, 'validates the genesis->signed transition', async () => {
             const errors = await service.validate({
                 prevIbGib: genesisKeystone,
                 currentIbGib: signedKeystone,
@@ -400,8 +406,13 @@ await respecfully(sir, 'Suite C: Security Vectors', async () => {
         mockMetaspace = new MockMetaspaceService(mockSpace);
 
         // Setup Alice's Identity
-        const config = createStandardPoolConfig(POOL_ID_DEFAULT);
-        config.behavior.size = 10;
+        const config = createStandardPoolConfig({
+            id: POOL_ID_DEFAULT,
+            salt: POOL_ID_DEFAULT,
+            targetBinding: 0,
+            size: 10,
+        });
+        // config.behavior.size = 10;
         genesisKeystone = await service.genesis({
             masterSecret: aliceSecret,
             configs: [config],
@@ -411,7 +422,7 @@ await respecfully(sir, 'Suite C: Security Vectors', async () => {
     });
 
     await respecfully(sir, 'Wrong Secret (Forgery)', async () => {
-        await ifWe(sir, 'prevents creation of forged frames', async () => {
+        await ifWeMight(sir, 'prevents creation of forged frames', async () => {
             const claim: Partial<KeystoneClaim> = { target: "comment 123^gib", verb: "post" };
 
             let errorCaught = false;
@@ -440,10 +451,13 @@ await respecfully(sir, 'Suite C: Security Vectors', async () => {
     });
 
     await respecfully(sir, 'Policy Violation (Restricted Verbs)', async () => {
-        await ifWe(sir, 'throws error if signing forbidden verb with restricted pool', async () => {
+        await ifWeMight(sir, 'throws error if signing forbidden verb with restricted pool', async () => {
             // Create a specific restricted pool config manually
             const restrictedPoolId = "read_only_pool";
-            const restrictedConfig = createStandardPoolConfig(restrictedPoolId);
+            const restrictedConfig = createStandardPoolConfig({
+                id: restrictedPoolId,
+                salt: restrictedPoolId,
+            });
             // Manually restrict it (since Builder defaults to undefined/allow-all)
             restrictedConfig.allowedVerbs = ['read'];
 
@@ -495,8 +509,14 @@ await respecfully(sir, 'Suite D: Revocation', async () => {
         mockMetaspace = new MockMetaspaceService(mockSpace);
 
         // Setup Identity WITH a Revocation Pool
-        const stdConfig = createStandardPoolConfig(POOL_ID_DEFAULT);
-        const revokeConfig = createRevocationPoolConfig(POOL_ID_REVOKE); // Special Config
+        const stdConfig = createStandardPoolConfig({
+            id: POOL_ID_DEFAULT,
+            salt: POOL_ID_DEFAULT,
+        });
+        const revokeConfig = createRevocationPoolConfig({
+            id: POOL_ID_REVOKE,
+            salt: POOL_ID_REVOKE,
+        }); // Special Config
 
         genesisKeystone = await service.genesis({
             masterSecret,
@@ -509,7 +529,7 @@ await respecfully(sir, 'Suite D: Revocation', async () => {
     await respecfully(sir, 'Revoke Lifecycle', async () => {
         let revokedKeystone: KeystoneIbGib_V1;
 
-        await ifWe(sir, 'successfully creates a revocation frame', async () => {
+        await ifWeMight(sir, 'successfully creates a revocation frame', async () => {
             revokedKeystone = await service.revoke({
                 latestKeystone: genesisKeystone,
                 masterSecret,
@@ -527,7 +547,7 @@ await respecfully(sir, 'Suite D: Revocation', async () => {
             iReckon(sir, data.revocationInfo!.proof.claim.verb).willEqual(KEYSTONE_VERB_REVOKE);
         });
 
-        await ifWe(sir, 'validates the revocation frame', async () => {
+        await ifWeMight(sir, 'validates the revocation frame', async () => {
             const errors = await service.validate({
                 prevIbGib: genesisKeystone,
                 currentIbGib: revokedKeystone!,
@@ -538,7 +558,7 @@ await respecfully(sir, 'Suite D: Revocation', async () => {
             iReckon(sir, errors.length).asTo('no validation errors').willEqual(0);
         });
 
-        await ifWe(sir, 'consumed the revocation pool (Scorched Earth)', async () => {
+        await ifWeMight(sir, 'consumed the revocation pool (Scorched Earth)', async () => {
             const data = revokedKeystone!.data!;
             const revokePool = data.challengePools.find(p => p.id === POOL_ID_REVOKE);
 
@@ -568,7 +588,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
 
     // Helper to generate a "Foreign" pool (e.g. from Bob)
     const createForeignPool = async (id: string, verbs: string[] = []): Promise<KeystoneChallengePool> => {
-        const config = createStandardPoolConfig(id);
+        const config = createStandardPoolConfig({ id, salt: id });
         config.allowedVerbs = verbs;
 
         // We use the factory manually here to simulate Bob doing this offline
@@ -605,7 +625,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
         mockMetaspace = new MockMetaspaceService(mockSpace);
 
         // Alice Genesis: Standard pool (allows all verbs, including 'manage')
-        const config = createStandardPoolConfig(POOL_ID_DEFAULT);
+        const config = createStandardPoolConfig({ id: POOL_ID_DEFAULT, salt: POOL_ID_DEFAULT });
         aliceKeystone = await service.genesis({
             masterSecret: aliceSecret,
             configs: [config],
@@ -615,7 +635,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
     });
 
     await respecfully(sir, 'Happy Path', async () => {
-        await ifWe(sir, 'authorizes and adds a foreign pool', async () => {
+        await ifWeMight(sir, 'authorizes and adds a foreign pool', async () => {
             const bobPool = await createForeignPool("pool_bob", ["post"]);
 
             const updatedKeystone = await service.addPools({
@@ -654,9 +674,10 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
     });
 
     await respecfully(sir, 'Permissions & Logic', async () => {
-        await ifWe(sir, 'fails if no pool allows "manage" verb', async () => {
+        await ifWeMight(sir, 'fails if no pool allows "manage" verb', async () => {
             // 1. Create a restricted keystone
-            const restrictedConfig = createStandardPoolConfig("read_only");
+            let id = "read_only";
+            const restrictedConfig = createStandardPoolConfig({ id, salt: id });
             restrictedConfig.allowedVerbs = ['read']; // No 'manage'
 
             const restrictedKeystone = await service.genesis({
@@ -686,7 +707,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
             iReckon(sir, errorCaught).asTo('permission denied').isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'fails on ID collision', async () => {
+        await ifWeMight(sir, 'fails on ID collision', async () => {
             // Try to add "pool_bob" again (it was added in Happy Path)
             const duplicatePool = await createForeignPool("pool_bob");
 
@@ -725,7 +746,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
 
     // Helper to simulate Bob creating a pool "offline" to give to Alice
     const createForeignPool = async (id: string, verbs: string[] = []): Promise<KeystoneChallengePool> => {
-        const config = createStandardPoolConfig(id);
+        const config = createStandardPoolConfig({ id, salt: id });
         config.allowedVerbs = verbs;
 
         // We use the factory manually here to simulate Bob doing this on his own machine
@@ -762,7 +783,10 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
         mockMetaspace = new MockMetaspaceService(mockSpace);
 
         // Alice Genesis: Standard pool (allows all verbs, including 'manage')
-        const config = createStandardPoolConfig(POOL_ID_DEFAULT);
+        const config = createStandardPoolConfig({
+            id: POOL_ID_DEFAULT,
+            salt: POOL_ID_DEFAULT,
+        });
         aliceKeystone = await service.genesis({
             masterSecret: aliceSecret,
             configs: [config],
@@ -772,7 +796,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
     });
 
     await respecfully(sir, 'Happy Path', async () => {
-        await ifWe(sir, 'authorizes and adds a foreign pool', async () => {
+        await ifWeMight(sir, 'authorizes and adds a foreign pool', async () => {
             const bobPool = await createForeignPool("pool_bob", ["post"]);
 
             const updatedKeystone = await service.addPools({
@@ -811,9 +835,10 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
     });
 
     await respecfully(sir, 'Permissions & Logic', async () => {
-        await ifWe(sir, 'fails if no pool allows "manage" verb', async () => {
+        await ifWeMight(sir, 'fails if no pool allows "manage" verb', async () => {
             // 1. Create a restricted keystone (read-only)
-            const restrictedConfig = createStandardPoolConfig("read_only");
+            let id = "read_only";
+            const restrictedConfig = createStandardPoolConfig({ id, salt: id });
             restrictedConfig.allowedVerbs = ['read']; // No 'manage'
 
             const restrictedKeystone = await service.genesis({
@@ -843,7 +868,7 @@ await respecfully(sir, 'Suite E: Structural Evolution (addPools)', async () => {
             iReckon(sir, errorCaught).asTo('permission denied').isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'fails on ID collision', async () => {
+        await ifWeMight(sir, 'fails on ID collision', async () => {
             // Try to add "pool_bob" again (it was added in Happy Path)
             const duplicatePool = await createForeignPool("pool_bob");
 
@@ -883,11 +908,13 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
     let signedKeystone: KeystoneIbGib_V1;
 
     // We use a specific hybrid config to test exact selection logic
-    const hybridConfig = createStandardPoolConfig(salt) as KeystonePoolConfig_HashV1;
-    // 2 FIFO + 2 Random = 4 Total per sign
-    hybridConfig.behavior.selectSequentially = 2;
-    hybridConfig.behavior.selectRandomly = 2;
-    hybridConfig.behavior.size = 20; // Small enough to track, large enough to be random
+    const hybridConfig = createStandardPoolConfig({
+        id: salt,
+        salt,
+        // 2 FIFO + 2 Random = 4 Total per sign
+        sequential: 2, random: 2, targetBinding: 0,
+        size: 20, // Small enough to track, large enough to be random
+    }) as KeystonePoolConfig_HashV1;
 
     firstOfAll(sir, async () => {
         mockSpace = new MockIbGibSpace();
@@ -903,7 +930,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
 
     await respecfully(sir, 'Proof Granularity & Math', async () => {
 
-        await ifWe(sir, 'generates exactly the expected number of solutions', async () => {
+        await ifWeMight(sir, 'generates exactly the expected number of solutions', async () => {
             signedKeystone = await service.sign({
                 latestKeystone: genesisKeystone,
                 masterSecret: aliceSecret,
@@ -920,7 +947,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
             iReckon(sir, solutions.length).asTo('solution count').willEqual(4);
         });
 
-        await ifWe(sir, 'verifies the math manually (White-box Crypto Check)', async () => {
+        await ifWeMight(sir, 'verifies the math manually (White-box Crypto Check)', async () => {
             const proof = signedKeystone.data!.proofs[0];
             const poolSnapshot = genesisKeystone.data!.challengePools.find(p => p.id === salt)!;
 
@@ -949,7 +976,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
             }
         });
 
-        await ifWe(sir, 'verifies FIFO logic (Deterministic Selection)', async () => {
+        await ifWeMight(sir, 'verifies FIFO logic (Deterministic Selection)', async () => {
             const proof = signedKeystone.data!.proofs[0];
             const poolSnapshot = genesisKeystone.data!.challengePools.find(p => p.id === salt)!;
 
@@ -971,7 +998,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
 
     await respecfully(sir, 'DTO & Serialization', async () => {
 
-        await ifWe(sir, 'survives a clone/JSON-cycle without corruption', async () => {
+        await ifWeMight(sir, 'survives a clone/JSON-cycle without corruption', async () => {
             // 1. Create a DTO (simulate network transmission/storage)
             // 'clone' does a JSON stringify/parse under the hood (usually) or structured clone.
             const dto = clone(signedKeystone);
@@ -991,7 +1018,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
             iReckon(sir, errors.length).asTo('DTO validation errors').willEqual(0);
         });
 
-        await ifWe(sir, 'ensures data contains no functions or circular refs', async () => {
+        await ifWeMight(sir, 'ensures data contains no functions or circular refs', async () => {
             // A crude but effective test: ensure JSON.stringify doesn't throw
             // and the result is equal to the object (if we parsed it back).
 
@@ -1005,7 +1032,7 @@ await respecfully(sir, 'Suite F: Deep Inspection', async () => {
             iReckon(sir, parsedSolution).asTo('deep property survives stringify').willEqual(originalSolution);
 
             // Ensure no extra properties were lost
-            // FIX: JSON.stringify removes keys with 'undefined' values. 
+            // FIX: JSON.stringify removes keys with 'undefined' values.
             // We must filter the original keys to match this behavior for a fair comparison.
             const origKeys = Object.keys(signedKeystone.data!)
                 .filter(k => (signedKeystone.data as any)[k] !== undefined);

package/src/keystone/keystone-types.mts

@@ -2,15 +2,25 @@ import { IbGib_V1, IbGibData_V1, IbGibRel8ns_V1 } from "@ibgib/ts-gib/dist/V1/ty
 
 import { KEYSTONE_ATOM } from "./keystone-constants.mjs";
 
+// #region KeystoneChallengeType
+export const KEYSTONE_CHALLENGE_TYPE_HASH_REVEAL_V1 = 'hash-reveal-v1';
 /**
  * The discriminator for the mechanism.
  * 'hash-reveal-v1': Standard Hash chain (Sigma-like).
  */
 export type KeystoneChallengeType =
-    | 'hash-reveal-v1'
+    | typeof KEYSTONE_CHALLENGE_TYPE_HASH_REVEAL_V1
     // | 'decrypt-v1' // Future
     // | 'pow-v1';    // Future
     ;
+export const KeystoneChallengeType = {
+    hash_reveal_v1: KEYSTONE_CHALLENGE_TYPE_HASH_REVEAL_V1,
+} satisfies { [key: string]: KeystoneChallengeType };
+export const KEYSTONE_CHALLENGE_TYPE_VALID_VALUES = Object.values(KeystoneChallengeType);
+export function isValidKeystoneChallengeType(x: any): x is KeystoneChallengeType {
+    return typeof x === 'string' && KEYSTONE_CHALLENGE_TYPE_VALID_VALUES.includes(x as any);
+}
+// #endregion KeystoneChallengeType
 
 // ===========================================================================
 // CONFIGURATION
@@ -18,55 +28,56 @@ export type KeystoneChallengeType =
 
 // #region KeystoneReplenishStrategy
 /**
- * replaces each used challenge, "topping up" the pool to the pool's size
+ * @see {@link KeystoneReplenishStrategy.topUp}
  */
 export const KEYSTONE_REPLENISH_STRATEGY_TOP_UP = 'top-up';
 /**
- * replaces the entire pool with the new challenges
+ * @see {@link KeystoneReplenishStrategy.replaceAll}
  */
 export const KEYSTONE_REPLENISH_STRATEGY_REPLACE_ALL = 'replace-all';
 /**
- * do not replenish, only consume
- *
- * ## intent
- * adding this for revocation
+ * @see {@link KeystoneReplenishStrategy.consume}
  */
 export const KEYSTONE_REPLENISH_STRATEGY_CONSUME = 'consume';
 /**
- * Deletes ALL challenges in the pool, regardless of how many were used.
- * The "Nuclear Option" for revocation.
+ * @see {@link KeystoneReplenishStrategy.deleteAll}
  */
-export const KEYSTONE_REPLENISH_STRATEGY_SCORCHED_EARTH = 'scorched-earth';
+export const KEYSTONE_REPLENISH_STRATEGY_DELETE_ALL = 'delete-all';
 export type KeystoneReplenishStrategy =
     | typeof KEYSTONE_REPLENISH_STRATEGY_TOP_UP
     | typeof KEYSTONE_REPLENISH_STRATEGY_REPLACE_ALL
     | typeof KEYSTONE_REPLENISH_STRATEGY_CONSUME
-    | typeof KEYSTONE_REPLENISH_STRATEGY_SCORCHED_EARTH
+    | typeof KEYSTONE_REPLENISH_STRATEGY_DELETE_ALL
     ;
 /**
  * @see {@link KeystonePoolBehavior.replenish}
  */
 export const KeystoneReplenishStrategy = {
     /**
-     * @see {@link KEYSTONE_REPLENISH_STRATEGY_TOP_UP}
+     * replaces each used challenge, "topping up" the pool to the pool's size
      */
     topUp: KEYSTONE_REPLENISH_STRATEGY_TOP_UP,
     /**
-     * @see {@link KEYSTONE_REPLENISH_STRATEGY_REPLACE_ALL}
+     * replaces the entire pool with the new challenges
      */
     replaceAll: KEYSTONE_REPLENISH_STRATEGY_REPLACE_ALL,
     /**
-     * @see {@link KEYSTONE_REPLENISH_STRATEGY_CONSUME}
+     * do not replenish, only consume
+     *
+     * ## intent
+     * adding this for revocation, though we have added deleteAll for this now.
+     * Leaving it in.
      */
     consume: KEYSTONE_REPLENISH_STRATEGY_CONSUME,
     /**
-     * @see {@link KEYSTONE_REPLENISH_STRATEGY_SCORCHED_EARTH}
+     * Deletes ALL challenges in the pool, regardless of how many were used.
+     * The "Nuclear Option" for revocation.
      */
-    scorchedEarth: KEYSTONE_REPLENISH_STRATEGY_SCORCHED_EARTH,
+    deleteAll: KEYSTONE_REPLENISH_STRATEGY_DELETE_ALL,
 } satisfies { [key: string]: KeystoneReplenishStrategy };
 export const KEYSTONE_REPLENISH_STRATEGY_VALID_VALUES = Object.values(KeystoneReplenishStrategy);
 export function isKeystoneReplenishStrategy(x: any): x is KeystoneReplenishStrategy {
-    return KEYSTONE_REPLENISH_STRATEGY_VALID_VALUES.includes(x);
+    return typeof x === 'string' && KEYSTONE_REPLENISH_STRATEGY_VALID_VALUES.includes(x as any);
 }
 // #endregion KeystoneReplenishStrategy
 
@@ -78,6 +89,9 @@ export interface KeystonePoolBehavior {
 
     /**
      * How do we fill the void left by consumed challenges?
+     *
+     * @see {@link KeystoneReplenishStrategy} individual members for information
+     * on each one.
      */
     replenish: KeystoneReplenishStrategy;
 
@@ -219,11 +233,11 @@ export interface KeystoneChallengePool {
     bindingMap: { [hexChar: string]: string[] };
 
     /**
-     * If true, this pool's secrets are NOT derived from the Keystone's 
+     * If true, this pool's secrets are NOT derived from the Keystone's
      * primary Master Secret. They are held by an external entity.
-     * 
+     *
      * ## intent
-     * 
+     *
      * The driving use case for this is signing in with a server "super node"
      * and giving that node the ability to sign on behalf of the user. This is a
      * common pattern in SSO-type workflows.
@@ -233,9 +247,9 @@ export interface KeystoneChallengePool {
     /**
      * Arbitrary metadata for the wallet/user to identify the pool.
      * e.g. { delegate: "PrimaryServer", purpose: "SSO" }
-     * 
+     *
      * ## intent
-     * 
+     *
      * The driving use case for this is signing in with a server "super node"
      * and giving that node the ability to sign on behalf of the user. This is a
      * common pattern in SSO-type workflows.
@@ -288,7 +302,7 @@ export interface KeystoneRevocationInfo {
 // TOP LEVEL IBGIB DATA
 // ===========================================================================
 
-export interface KeystoneIbInfo_V1 {
+export interface KeystoneIb_V1 {
     atom: typeof KEYSTONE_ATOM;
 }
 

package/src/keystone/strategy/hash-reveal-v1/hash-reveal-v1.mts

@@ -1,10 +1,10 @@
 import { hash } from '@ibgib/helper-gib/dist/helpers/utils-helper.mjs';
+
 import { KeystoneStrategy } from '../keystone-strategy.mjs';
 import {
-    KeystonePoolConfig_HashV1,
-    KeystoneChallenge_HashV1,
-    KeystoneSolution_HashV1
+    KeystonePoolConfig_HashV1, KeystoneChallenge_HashV1, KeystoneSolution_HashV1
 } from '../../keystone-types.mjs';
+import { kdf_recursiveSaltWrap } from '../../kdf/kdf-helpers.mjs';
 
 /**
  * The concrete implementation of the "Salted Wrap" Hash Reveal strategy.
@@ -26,17 +26,13 @@ export class KeystoneStrategy_HashRevealV1 extends KeystoneStrategy<
         const lc = `[${KeystoneStrategy_HashRevealV1.name}.${this.derivePoolSecret.name}]`;
         try {
             const { salt, rounds, algo } = this.config;
-            // Map algo string to HashAlgorithm type if needed,
-            // assuming config.algo matches the helper's expected inputs.
 
-            let current = masterSecret;
-            for (let i = 0; i < rounds; i++) {
-                current = await hash({
-                    s: `${salt}${current}${salt}`,
-                    algorithm: algo
-                });
-            }
-            return current;
+            return await kdf_recursiveSaltWrap({
+                masterSecret,
+                salt,
+                rounds,
+                algorithm: algo
+            });
         } catch (error) {
             console.error(`${lc} Error deriving pool secret: ${error.message}`);
             throw error;