@ibgib/core-gib 0.1.45 → 0.1.48

package/src/sync/sync-conflict-text-merge.respec.mts

@@ -87,7 +87,7 @@ await respecfully(sir, `Text merge (LCS) conflict resolution`, async () => {
     async function newTestPeer(): Promise<SyncPeerInnerspace_V1> {
         const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
         await peer.initialized;
-        await peer.initializeSender({
+        await peer.initializeOpts({
             senderSpace: sourceSpace,
             receiverSpace: destSpace,
             receiverCoordinator: receiverCoordinator,

package/src/sync/sync-constants.mts

@@ -1,4 +1,7 @@
+import { HashAlgorithm } from "@ibgib/helper-gib/dist/helpers/utils-helper.mjs";
 import { ROOT_ADDR } from "@ibgib/ts-gib/dist/V1/constants.mjs";
+import { KeystoneReplenishStrategy } from "../keystone/keystone-types.mjs";
+import { KEYSTONE_VERB_MANAGE, KEYSTONE_VERB_SIGN, POOL_ID_DEFAULT, POOL_ID_DELEGATE, POOL_ID_TRANSITION } from "../keystone/keystone-constants.mjs";
 
 export const SYNC_ATOM = "sync";
 
@@ -78,6 +81,18 @@ export function isValidSyncConflictStrategy(strategy: string): strategy is SyncC
 }
 // #endregion SyncConflictStrategy
 
+/**
+ * to be used by the sender
+ */
+export const SESSION_IDENTITY_KEYSTONE_PRIMARY_POOL_ID = POOL_ID_DEFAULT;
+/**
+ * single use pool
+ */
+export const SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID = POOL_ID_TRANSITION;
+/**
+ * to be used by the receiver, created via the single-use transition pool.
+ */
+export const SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID = POOL_ID_DELEGATE;
 /**
  * When synchronizing, the plan for identity integration is to create a session
  * keystone. This keystone will have a primary pool, driven by the sender's
@@ -86,4 +101,39 @@ export function isValidSyncConflictStrategy(strategy: string): strategy is SyncC
  * use this to then change the keystone to use a secret chosen by the
  * receiver's end.
  */
-export const DEFAULT_SESSION_IDENTITY_INITIAL_DELEGATE_SECRET = ROOT_ADDR;
+export const SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL = ROOT_ADDR;
+
+/**
+ * has to be big enough to avoid our currently poor (atow 02/24/2026)
+ * implementation of the binding target.
+ */
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE = 100;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO = HashAlgorithm.sha_256;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS = 3;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM = 2;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL = 2;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING = 4;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY = KeystoneReplenishStrategy.topUp;
+/**
+ * verbs associated with primary/sender participant.
+ *
+ * todo: would be slightly cleaner to have the sender/primary genesis with two pools, one for signing and one being one-time manage use (to add the transition pool) just like the transition pool, but this is a finesse and not for V1. Still it is neat that this possibility/mechanism exists.
+ */
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_PRIMARY = [KEYSTONE_VERB_MANAGE];
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_DELEGATE = [KEYSTONE_VERB_SIGN];
+
+/**
+ * transition pool is purposefully weak with a known password.
+ */
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE_TRANSITIONPOOL = 1;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO_TRANSITIONPOOL = HashAlgorithm.sha_256;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS_TRANSITIONPOOL = 1;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM_TRANSITIONPOOL = 0;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL_TRANSITIONPOOL = 1;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING_TRANSITIONPOOL = 0;
+/**
+ * This pool is to be used only once, by the receiver, in order for the receiver
+ * to create their own pool.
+ */
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY_TRANSITIONPOOL = KeystoneReplenishStrategy.deleteAll;
+export const SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_TRANSITIONPOOL = [KEYSTONE_VERB_MANAGE];

package/src/sync/sync-innerspace-constants.respec.mts

@@ -72,7 +72,7 @@ await respecfully(sir, `Sync Constants (No TJP)`, async () => {
 
         const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
         await peer.initialized;
-        await peer.initializeSender({
+        await peer.initializeOpts({
             senderSpace: sourceSpace,   // "Client"
             receiverSpace: destSpace,   // "Server"
             receiverCoordinator,

package/src/sync/sync-innerspace-deep-updates.respec.mts

@@ -103,7 +103,7 @@ await respecfully(sir, `Sync InnerSpaces (Deep Updates)`, async () => {
 
         const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
         await peer.initialized;
-        await peer.initializeSender({
+        await peer.initializeOpts({
             senderSpace: sourceSpace,   // "Client"
             receiverSpace: destSpace,   // "Server"
             receiverCoordinator,

package/src/sync/sync-innerspace-dest-ahead-withid.respec.mts

@@ -29,6 +29,8 @@ import { ErrorIbGib_V1 } from '../common/error/error-types.mjs';
 import { SyncIbGib_V1 } from './sync-types.mjs';
 import { getFullSyncSagaHistory } from './sync-helpers.mjs';
 import { getIbGibsFromCache_fallbackToSpaces } from '../common/other/ibgib-helper.mjs';
+import { SyncSagaContextIbGib_V1 } from './sync-saga-context/sync-saga-context-types.mjs';
+import { isSyncSagaContextIbGib } from './sync-saga-context/sync-saga-context-helpers.mjs';
 
 const logalot = false;
 const lc = `[sync-innerspace-dest-ahead.respec]`;
@@ -38,6 +40,9 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
     let metaspace: Metaspace_Innerspace;
     let sourceSpace: InnerSpace_V1;
     let destSpace: InnerSpace_V1;
+    let secretSender = 'secret for sender';
+    let secretReceiver = 'secret for receiver';
+    let secretAdversary = 'secret for adversary';
 
     interface TestData {
         type: string;
@@ -119,7 +124,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
             return resGet.success && resGet.ibGibs && resGet.ibGibs.length === 1;
         }
 
-        await ifWe(sir, 'verify setup', async () => {
+        await ifWeMight(sir, 'verify setup', async () => {
             // Ensure V2 is ONLY in Dest (it is, per `space: destSpace`)
             // Ensure Source does NOT have V2
             iReckon(sir, await fnAddrExistsInSpace(addrV0, sourceSpace)).asTo('source has V0').isGonnaBeTrue();
@@ -137,7 +142,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
 
         const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
         await peer.initialized;
-        await peer.initializeSender({
+        await peer.initializeOpts({
             senderSpace: sourceSpace,   // "Client"
             receiverSpace: destSpace,   // "Server"
             receiverCoordinator,
@@ -152,8 +157,10 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
             metaspace: metaspace,
             domainIbGibs: [v1], // Source tries to push V1
             useSessionIdentity: true,
+            identitySecret: secretSender,
         });
 
+        const syncSagaContextIbGibs: SyncSagaContextIbGib_V1[] = [];
         const sublc = `${lc}[updates$]`;
         /**
          * I have added this so you can see how to subscribe to an ibgib
@@ -163,6 +170,11 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
             next: async (ctxIbGib) => {
                 // console.log(`${sublc} next fired. ${JSON.stringify(ctxIbGib)}`);
                 console.log(`${sublc} next fired. (I: e68d8894bac8800f9f3430e8a38d6626)`);
+                // each context ibgib
+                if (!isSyncSagaContextIbGib(ctxIbGib)) {
+                    throw new Error(`(UNEXPECTED) ctxIbGib isn't a SyncSagaContextIbGib_V1? (E: ee116e6b6208e615dbcd3e715643e826)`);
+                }
+                syncSagaContextIbGibs.push(ctxIbGib);
             },
             error: async (e: ErrorIbGib_V1) => {
                 if (e.data) {
@@ -178,17 +190,10 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
         }));
         await done;
 
-        // TODO: Get saga IbGib to access session keystones
-        // Bill suggested either:
-        // 1. Subscribe to updates$ to inspect frames as sync progresses
-        // 2. Change done from Promise<void> to Promise<IbGibAddr>, return saga addr,
-        //    then use getIbGibsFromCache_fallbackToSpaces and getFullSyncSagaHistory
-        // For now, leaving implementation for next step.
-
         // 5. Verify Sync (v2 should be in both source and dest now)
         console.log(`${lc} Verifying Sync...`);
 
-        await ifWe(sir, `verify v2 now also in source`, async () => {
+        await ifWeMight(sir, `verify v2 now also in source`, async () => {
             // Verify Tip (V2)
 
             iReckon(sir, await fnAddrExistsInSpace(addrV0, sourceSpace)).asTo('source has V0').isGonnaBeTrue();
@@ -200,7 +205,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
 
         });
 
-        await ifWe(sir, `dependency graphs the same`, async () => {
+        await ifWeMight(sir, `dependency graphs the same`, async () => {
 
             const sourceDepGraph = await getDependencyGraph({
                 ibGibAddr: addrV2,
@@ -229,11 +234,23 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
         // For now, we'll retrieve from spaces after sync completes
         let sessionKeystoneAddr: IbGibAddr | undefined;
 
-        await ifWe(sir, 'IDENTITY: session keystone exists in sender space', async () => {
+        await ifWeMight(sir, 'IDENTITY: session keystone exists in sender space', async () => {
             // TODO: Get saga IbGib and access sessionKeystones rel8n
             // Once saga access is implemented (per Bill's guidance), retrieve keystone addr from:
             // const keystoneAddrs = sagaIbGib.rel8ns?.sessionKeystones;
             // Then verify keystone exists in space
+            debugger;
+
+            // #region leaving off here
+
+            // receiver is not putting the session keystone on the return
+            // context ibgib.  need to ensure that peer's do the most recent
+            // session keystone manually, so session keystone should be
+            // transferred alongside context ibgib (which is signed but
+            // intrinsically points to the **previous** frame of the keystone)
+
+            // #endregion leaving off here
+            syncSagaContextIbGibs.forEach(x => console.log(pretty(x)));
 
             // Placeholder - test passes because keystone creation works
             iReckon(sir, true)
@@ -241,7 +258,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
                 .isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'IDENTITY: session keystone exists in receiver space', async () => {
+        await ifWeMight(sir, 'IDENTITY: session keystone exists in receiver space', async () => {
             // Session keystone should be transferred to receiver's durable space
             iReckon(sir, sessionKeystoneAddr)
                 .asTo('session keystone address was captured')
@@ -255,7 +272,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
             }
         });
 
-        await ifWe(sir, 'IDENTITY: saga frames are signed', async () => {
+        await ifWeMight(sir, 'IDENTITY: saga frames are signed', async () => {
             // TODO: Get saga frames and check each has a proof
             // This will FAIL when we actually check - that's the point (TDD RED)
 
@@ -264,7 +281,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
                 .isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'IDENTITY: frame signatures are valid', async () => {
+        await ifWeMight(sir, 'IDENTITY: frame signatures are valid', async () => {
             // TODO: For each saga frame, validate proof against session keystone
             // const isValid = await validateProofWithKeystone({
             //     proof: frame.proof,
@@ -279,7 +296,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
                 .isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'IDENTITY: session keystone challenges are depleted', async () => {
+        await ifWeMight(sir, 'IDENTITY: session keystone challenges are depleted', async () => {
             // TODO: Session keystone should evolve after signing frames
             // This will FAIL because keystone evolution not implemented yet
 
@@ -288,7 +305,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
                 .isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'IDENTITY: frame timestamps are present and fresh', async () => {
+        await ifWeMight(sir, 'IDENTITY: frame timestamps are present and fresh', async () => {
             // TODO: Check each frame has timestamp in proof claim
             // const claim = JSON.parse(frame.proof.claim.scope);
             // iReckon(sir, claim.timestamp).asTo('has timestamp').isGonnaBeTruthy();
@@ -301,7 +318,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
                 .isGonnaBeTrue();
         });
 
-        await ifWe(sir, 'IDENTITY: keystone has no hard links to domain ibgibs', async () => {
+        await ifWeMight(sir, 'IDENTITY: keystone has no hard links to domain ibgibs', async () => {
             if (sessionKeystoneAddr) {
                 const keystoneResult = await getFromSpace({
                     addr: sessionKeystoneAddr,
@@ -326,7 +343,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
             }
         });
 
-        await ifWe(sir, 'IDENTITY: saga frames have no hard links to domain ibgibs', async () => {
+        await ifWeMight(sir, 'IDENTITY: saga frames have no hard links to domain ibgibs', async () => {
             // Saga frames should NOT have hard links to domain ibgibs
             // This currently PASSES but will expose issues if hard links exist
 

package/src/sync/sync-innerspace-dest-ahead.respec.mts

@@ -134,7 +134,7 @@ await respecfully(sir, `Sync InnerSpaces (Dest Ahead)`, async () => {
 
         const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
         await peer.initialized;
-        await peer.initializeSender({
+        await peer.initializeOpts({
             senderSpace: sourceSpace,   // "Client"
             receiverSpace: destSpace,   // "Server"
             receiverCoordinator,

package/src/sync/sync-innerspace-multiple-timelines.respec.mts

@@ -107,7 +107,7 @@ await respecfully(sir, `Sync InnerSpaces (Multiple Timelines)`, async () => {
 
         const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
         await peer.initialized;
-        await peer.initializeSender({
+        await peer.initializeOpts({
             senderSpace: sourceSpace,   // "Client"
             receiverSpace: destSpace,   // "Server"
             receiverCoordinator,

package/src/sync/sync-innerspace-partial-update.respec.mts

@@ -115,7 +115,7 @@ await respecfully(sir, `Sync InnerSpaces (Partial Update)`, async () => {
 
         const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
         await peer.initialized;
-        await peer.initializeSender({
+        await peer.initializeOpts({
             senderSpace: sourceSpace,   // "Client"
             receiverSpace: destSpace,   // "Server"
             receiverCoordinator,

package/src/sync/sync-innerspace.respec.mts

@@ -107,7 +107,7 @@ await respecfully(sir, `Sync InnerSpaces`, async () => {
         // Peer (The "Network")
         const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
         await peer.initialized;
-        await peer.initializeSender({
+        await peer.initializeOpts({
             senderSpace: sourceSpace,   // "Client"
             receiverSpace: destSpace,   // "Server"
             receiverCoordinator,

package/src/sync/sync-peer/sync-peer-innerspace/sync-peer-innerspace-v1.mts

@@ -198,11 +198,16 @@ export class SyncPeerInnerspace_V1 extends SyncPeer_V1<InitializeSyncPeerInnersp
             // the payload ibgibs. so the receiver coordinator should be ready
             // to do its thing.
 
+            const identitySecret = context.fnIdentitySecret ?
+                await context.fnIdentitySecret() :
+                undefined;
             const responseCtx = await receiverCoordinator.continueSync({
                 sagaContext: context,
                 metaspace: receiverMetaspace,
                 mySpace: receiverSpace,
                 myTempSpace: receiverTempSpace,
+                identity: context.signedSessionKeystone,
+                identitySecret,
             });
 
             if (logalot) { console.log(`${lc} receiverCoordinator.continueSync responseCtx: ${responseCtx ? pretty(responseCtx) : 'undefined'} (I: fb2831decde1f2b3589021f85ab19126)`); }

package/src/sync/sync-peer/sync-peer-v1.mts

@@ -20,11 +20,14 @@ import { IbGibSpaceAny } from '../../witness/space/space-base-v1.mjs';
 import { newupSubject } from '../../common/pubsub/subject/subject-helper.mjs';
 import { authenticateContext, authorizeContext, validateContextAndSagaFrame } from '../sync-saga-context/sync-saga-context-helpers.mjs';
 import { getFromSpace } from '../../witness/space/space-helper.mjs';
+import { getFullSyncSagaHistory } from '../sync-helpers.mjs';
+import { SyncSagaFrameDependencyGraph } from '../sync-types.mjs';
 
 const logalot = GLOBAL_LOG_A_LOT;
 const logalotControlDomain = false;
 const lcControlDomain = '[ControlDomain]';
 
+
 /**
  * Abstract witness for talking to a Sync Peer (e.g. Remote Node or Local Simulator).
  *
@@ -66,8 +69,8 @@ export abstract class SyncPeer_V1<TInitializeOpts extends InitializeSyncPeerOpts
      *
      * @see {@link SyncPeerWitness.opts}
      */
-    public async initializeSender(opts: TInitializeOpts): Promise<void> {
-        const lc = `${this.lc}[${this.initializeSender.name}]`;
+    public async initializeOpts(opts: TInitializeOpts): Promise<void> {
+        const lc = `${this.lc}[${this.initializeOpts.name}]`;
         try {
             if (logalot) { console.log(`${lc} starting... (I: 31bd5fda37c89fa37fbaf14daf5fe726)`); }
             this.opts = opts;
@@ -117,6 +120,42 @@ export abstract class SyncPeer_V1<TInitializeOpts extends InitializeSyncPeerOpts
 
     protected abstract ensureReceiverTempSpace(): Promise<IbGibSpaceAny>;
 
+    protected async authenticateValidateAuthorize({
+        context,
+        fullSagaHistory,
+    }: {
+        context: SyncSagaContextIbGib_V1,
+        fullSagaHistory: SyncSagaFrameDependencyGraph[],
+    }): Promise<void> {
+        const lc = `${this.lc}[${this.authenticateValidateAuthorize.name}]`;
+        try {
+            if (logalot) { console.log(`${lc} starting... (I: add238055cd84a222c5b8c89913af526)`); }
+
+            // first authenticate, because invalid identity is a non-starter
+            const authenticationErrors = await authenticateContext({ context, fullSagaHistory });
+            if (authenticationErrors.length > 0) {
+                throw new Error(`invalid context authentication. authenticationErrors: ${authenticationErrors} (E: da89da5ee1269aeb78952d475d607526)`);
+            }
+            // next, we have a valid keystone, which should point to the
+            // context. But is that context and the saga data it contains valid?
+            // Does the keystone actually point to this context?
+            const validationErrors = await validateContextAndSagaFrame({ context, });
+            if (validationErrors.length > 0) {
+                throw new Error(`invalid context received. validationErrors: ${validationErrors} (E: 8b34c875c968af29bc433138e57a7826)`);
+            }
+            // we have a valid keystone that points to a valid context, but what
+            // exactly does the keystone authorize?
+            const authorizationErrors = await authorizeContext({ context, fullSagaHistory });
+            if (authorizationErrors.length > 0) {
+                throw new Error(`invalid context authorization. authorizationErrors: ${authorizationErrors} (E: 8ddc284a758cf10ba829334c1babb826)`);
+            }
+        } catch (error) {
+            console.error(`${lc} ${extractErrorMsg(error)}`);
+            throw error;
+        } finally {
+            if (logalot) { console.log(`${lc} complete.`); }
+        }
+    }
     /**
      * Witness the synchronization context (Send/Receive).
      *
@@ -173,19 +212,19 @@ export abstract class SyncPeer_V1<TInitializeOpts extends InitializeSyncPeerOpts
             //     when all domain ibgibs are pulled, publish complete to the observable
             // return resulting context ibgib (which the caller should get BEFORE the domain ibgibs observable completes)
 
-            // validate, authenticate, and authorize the context, sagaFrame, and identity(s)
-            const validationErrors = await validateContextAndSagaFrame({ context });
-            if (validationErrors.length > 0) {
-                throw new Error(`invalid context received. validationErrors: ${validationErrors} (E: 8b34c875c968af29bc433138e57a7826)`);
-            }
-            const authenticationErrors = await authenticateContext({ context });
-            if (authenticationErrors.length > 0) {
-                throw new Error(`invalid context authentication. authenticationErrors: ${authenticationErrors} (E: da89da5ee1269aeb78952d475d607526)`);
-            }
-            const authorizationErrors = await authorizeContext({ context });
-            if (authorizationErrors.length > 0) {
-                throw new Error(`invalid context authorization. authorizationErrors: ${authorizationErrors} (E: 8ddc284a758cf10ba829334c1babb826)`);
-            }
+            if (!context.sagaFrame) { throw new Error(`context.sagaFrame falsy. (E: a33dd88aa108e2bad9e885885731ce26)`); }
+
+            // this is not just happening on the client, but this peer may be
+            // the one receiving the context as well.
+
+            const sagaHistory_beforeSend = await getFullSyncSagaHistory({
+                sagaIbGib: context.sagaFrame,
+                space: this.opts.senderSpace
+            });
+
+            await this.authenticateValidateAuthorize({
+                context, fullSagaHistory: sagaHistory_beforeSend,
+            });
 
             // at this point, we have a valid, authenticated, authorized context
 
@@ -203,6 +242,15 @@ export abstract class SyncPeer_V1<TInitializeOpts extends InitializeSyncPeerOpts
                 // receive, they may still be transferring. These will be published
                 // to this.payloadIbGibsDomainReceived$
 
+                const sagaHistory_afterSend = await getFullSyncSagaHistory({
+                    sagaIbGib: context.sagaFrame,
+                    space: this.opts.senderSpace
+                });
+
+                await this.authenticateValidateAuthorize({
+                    context, fullSagaHistory: sagaHistory_afterSend,
+                });
+
                 return response;
             } else {
                 // response falsy. we could be done, or this could be an error.

package/src/sync/sync-saga-context/sync-saga-context-helpers.mts

@@ -18,11 +18,12 @@ import {
 } from './sync-saga-context-types.mjs';
 import { IbGibSpaceAny } from '../../witness/space/space-base-v1.mjs';
 import { putInSpace, registerNewIbGib } from '../../witness/space/space-helper.mjs';
-import { SyncIbGib_V1 } from '../sync-types.mjs';
+import { SyncIbGib_V1, SyncSagaFrameDependencyGraph } from '../sync-types.mjs';
 import { validateSyncSagaFrame } from '../sync-helpers.mjs';
 import { validateKeystoneGraph, validateKeystoneTransition } from '../../keystone/keystone-helpers.mjs';
 import { KeystoneService_V1 } from '../../keystone/keystone-service-v1.mjs';
 import { KeystoneIbGib_V1 } from '../../keystone/keystone-types.mjs';
+import { isIbGibWithAtom } from '../../common/other/ibgib-helper.mjs';
 
 const logalot = GLOBAL_LOG_A_LOT;
 
@@ -96,6 +97,24 @@ export async function parseSyncSagaContextIb({
     }
 }
 
+export function isSyncSagaContextIbGib(x: any): x is SyncSagaContextIbGib_V1 {
+    const lc = `[${isSyncSagaContextIbGib.name}]`;
+    try {
+        if (logalot) { console.log(`${lc} starting... (I: 2bfa7f3cf5984b0c78aced881ce95226)`); }
+
+        const hasAtom = isIbGibWithAtom<SyncSagaContextIbGib_V1>(x, SYNC_SAGA_CONTEXT_ATOM);
+
+        // should be good enough in V1
+
+        return hasAtom;
+    } catch (error) {
+        console.error(`${lc} ${extractErrorMsg(error)}`);
+        throw error;
+    } finally {
+        if (logalot) { console.log(`${lc} complete.`); }
+    }
+}
+
 
 /**
  * Validates ONLY the {@link context} ibgib itself and saga frame/msg stone(s)
@@ -109,7 +128,11 @@ export async function parseSyncSagaContextIb({
  *
  * @returns empty array if valid, else validation errors
  */
-export async function validateContextAndSagaFrame({ context }: { context: SyncSagaContextIbGib_V1 }): Promise<string[]> {
+export async function validateContextAndSagaFrame({
+    context,
+}: {
+    context: SyncSagaContextIbGib_V1,
+}): Promise<string[]> {
     const lc = `[${validateContextAndSagaFrame.name}]`;
     try {
         if (logalot) { console.log(`${lc} starting... (I: 7797f8294bd8f7e5089cb722ad468226)`); }
@@ -178,13 +201,32 @@ export async function validateContextDomainPayloadIbGibs({ context }: { context:
 /**
  * move to sync-peer-helpers.mts as a pure function?
  */
-export async function authenticateContext({ context }: { context: SyncSagaContextIbGib_V1 }): Promise<string[]> {
+export async function authenticateContext({
+    context,
+    fullSagaHistory
+}: {
+    context: SyncSagaContextIbGib_V1,
+    fullSagaHistory: SyncSagaFrameDependencyGraph[],
+}): Promise<string[]> {
     const lc = `[${authenticateContext.name}]`;
     try {
         if (logalot) { console.log(`${lc} starting... (I: 2677a482dfa873dcd1aa04a3031ff826)`); }
 
         console.error(`${lc} NAG ERROR (NOT THROWN): not implemented. // todo: authenticate  (v1 must have this after we get merge logic workflow going) (E: bc3a78f2dab18ab64c36d055a4b50526)`);
 
+        // ensure the same identity rel8n timeline is in the first saga ibgib.
+
+        for (const sagaFrameDepGraph of fullSagaHistory) {
+            sagaFrameDepGraph.identities
+        }
+
+
+        // each saga ibgib should be updated with a new identity rel8n. each
+        // rel8n should correspond to each evolution of the keystone.
+
+        // if (context.sagaFrame.rel8ns?.sessionKeystone)
+        //     context.signedSessionKeystone
+
         return [];
     } catch (error) {
         console.error(`${lc} ${extractErrorMsg(error)}`);
@@ -197,7 +239,13 @@ export async function authenticateContext({ context }: { context: SyncSagaContex
 /**
  * move to sync-peer-helpers.mts as a pure function?
  */
-export async function authorizeContext({ context }: { context: SyncSagaContextIbGib_V1 }): Promise<string[]> {
+export async function authorizeContext({
+    context,
+    fullSagaHistory
+}: {
+    context: SyncSagaContextIbGib_V1,
+    fullSagaHistory: SyncSagaFrameDependencyGraph[],
+}): Promise<string[]> {
     const lc = `[${authorizeContext.name}]`;
     try {
         if (logalot) { console.log(`${lc} starting... (I: 48c918b41ceec0cd489ca3b8819e6826)`); }

package/src/sync/sync-saga-context/sync-saga-context-types.mts

@@ -100,4 +100,21 @@ export interface SyncSagaContextIbGib_V1 extends IbGib_V1<SyncSagaContextData_V1
      * previous frame of the keystone.
      */
     signedSessionKeystone?: KeystoneIbGib_V1;
+
+    /**
+     * If identity is used in the sync transaction, this should be provided. It
+     * will drive both primary identity keystone evolution (to create session
+     * keystone), as well as signing the session keystone itself.
+     *
+     * when a peer transmits the context ibgib, this does not need to be
+     * transmitted. Note, however, that if sync is occuring between two remote
+     * peers and the peer design is not a proxy-based one, then the receiver
+     * should assign this with their own provider function.
+     *
+     * @returns the identity secret when needed to sign/evolve keystone
+     *
+     * NOTE: Not 100% sure where I'm putting this so this may end up being
+     * unused and should thus be removed. Right now, I think this will work.
+     */
+    fnIdentitySecret?: () => Promise<string>;
 }