@ibgib/core-gib 0.1.47 → 0.1.48

package/src/sync/sync-saga-coordinator.mts

@@ -7,6 +7,7 @@ import {
     clone,
     unique,
     delay,
+    hash,
 } from "@ibgib/helper-gib/dist/helpers/utils-helper.mjs";
 import { getIbGibAddr } from "@ibgib/ts-gib/dist/helper.mjs";
 import { Factory_V1 } from "@ibgib/ts-gib/dist/V1/factory.mjs";
@@ -16,7 +17,7 @@ import { IbGibAddr } from "@ibgib/ts-gib/dist/types.mjs";
 import { GLOBAL_LOG_A_LOT } from "../core-constants.mjs";
 import { IbGibSpaceAny } from "../witness/space/space-base-v1.mjs";
 import { putInSpace, getLatestAddrs, getFromSpace, registerNewIbGib } from "../witness/space/space-helper.mjs";
-import { KeystoneIbGib_V1, KeystonePoolConfig_HashV1 } from "../keystone/keystone-types.mjs";
+import { KeystoneChallengePool, KeystoneChallengeType, KeystoneIbGib_V1, KeystonePoolConfig_HashV1, KeystoneReplenishStrategy } from "../keystone/keystone-types.mjs";
 import { KeystoneService_V1 } from "../keystone/keystone-service-v1.mjs";
 import { deriveKey } from "../keystone/kdf/kdf-helpers.mjs";
 import { KdfStrategy } from "../keystone/kdf/kdf-constants.mjs";
@@ -25,7 +26,26 @@ import {
     SyncStage, SYNC_ATOM, SYNC_MSG_REL8N_NAME, SYNC_SAGA_PAYLOAD_ADDRS_DOMAIN,
     SyncConflictStrategy,
     SYNC_CONFLICT_STRATEGY_VALID_VALUES,
-    DEFAULT_SESSION_IDENTITY_INITIAL_DELEGATE_SECRET,
+    SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE,
+    SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE_TRANSITIONPOOL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY_TRANSITIONPOOL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM_TRANSITIONPOOL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL_TRANSITIONPOOL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING_TRANSITIONPOOL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO_TRANSITIONPOOL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS_TRANSITIONPOOL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_TRANSITIONPOOL,
+    SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_DELEGATE,
+    SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID,
+    SESSION_IDENTITY_KEYSTONE_PRIMARY_POOL_ID,
 } from "./sync-constants.mjs";
 import {
     appendToTimeline, createTimeline, getHistory, getHistoryAddrs, Rel8nInfo, Rel8nRemovalInfo
@@ -63,9 +83,11 @@ import { graftTimelines, } from "./graft-info/graft-info-helpers.mjs";
 import { GRAFT_INFO_REL8N_NAME } from "./graft-info/graft-info-constants.mjs";
 import { GraftInfoIbGib_V1 } from "./graft-info/graft-info-types.mjs";
 import { validateIbGibIntrinsically } from "@ibgib/ts-gib/dist/V1/validate-helper.mjs";
-import { KEYSTONE_VERB_MANAGE } from "../keystone/keystone-constants.mjs";
-import { validateKeystoneGraph } from "../keystone/keystone-helpers.mjs";
+import { KEYSTONE_VERB_MANAGE, KEYSTONE_VERB_SIGN } from "../keystone/keystone-constants.mjs";
+import { addToBindingMap, generateOpaqueChallengeId, validateGenesisKeystone, validateKeystoneGraph } from "../keystone/keystone-helpers.mjs";
 import { SYNC_SAGA_CONTEXT_ATOM } from "./sync-saga-context/sync-saga-context-constants.mjs";
+import { createStandardPoolConfig } from "../keystone/keystone-config-builder.mjs";
+import { KeystoneStrategyFactory } from "../keystone/strategy/keystone-strategy-factory.mjs";
 
 
 const logalot = GLOBAL_LOG_A_LOT;
@@ -214,7 +236,18 @@ export class SyncSagaCoordinator {
                     // creates the initial session identity (keystone). the flow
                     // (i think) will go: evolve saga frame, then sign keystone,
                     // then create/send context.
-                    sessionIdentity = await this.getSessionIdentity({ sagaId, identitySecret, metaspace, localSpace });
+                    const resCreateSessionIdentity = await this.createSessionIdentity({
+                        sagaId,
+                        primaryIdentity: identity,
+                        nonSessionSecret: identitySecret,
+                        metaspace,
+                        localSpace
+                    });
+                    sessionIdentity = resCreateSessionIdentity.sessionIdentity;
+                    if (identity) {
+                        if (!resCreateSessionIdentity.newPrimaryIdentity) { throw new Error(`(UNEXPECTED) identity truthy but resCreateSessionIdentity.newPrimaryIdentity falsy? (E: 4f82e88a3cc5bd7e58a40f8d77bda826)`); }
+                        identity = resCreateSessionIdentity.newPrimaryIdentity;
+                    }
                 }
 
                 // if (logalot) { console.log(`${lc} sessionIdentity: ${sessionIdentity ? pretty(sessionIdentity) : 'undefined'} (I: abc01872800b3a66b819a05898bba826)`); }
@@ -350,20 +383,31 @@ export class SyncSagaCoordinator {
         }
     }
 
-    private async getSessionSecret({
+    /**
+     * helper that KDFs the given identitySecret, using {@link sagaId} to do so.
+     *
+     * @returns deterministically derived session secret
+     */
+    private async deriveSessionSecret({
         sagaId,
-        identitySecret,
+        nonSessionSecret,
     }: {
         sagaId: string,
-        identitySecret: string,
+        /**
+         * driving secret behind the sync operation. usually, this will be the
+         * secret corresponding to a primary identity keystone. But this can
+         * also just be a one-time secret just to have more security in the
+         * transmission intrinsically.
+         */
+        nonSessionSecret: string,
     }): Promise<string> {
-        const lc = `${this.lc}[${this.getSessionSecret.name}]`;
+        const lc = `${this.lc}[${this.deriveSessionSecret.name}]`;
         try {
             if (logalot) { console.log(`${lc} starting... (I: 0de03f8dcd3e32f1fca244e8f2a8a826)`); }
 
             // Derive session-specific secret using KDF
             const sessionSecret = await deriveKey({
-                masterSecret: identitySecret,
+                masterSecret: nonSessionSecret,
                 kdfOpts: {
                     strategy: KdfStrategy.recursive_salt_wrap,
                     salt: sagaId,
@@ -381,18 +425,18 @@ export class SyncSagaCoordinator {
         }
     }
 
-    private async getInitialWeakDelegateSessionSecret({
+    private async getInitialWeakTransitionSessionSecret({
         sagaId,
     }: {
         sagaId: string,
     }): Promise<string> {
-        const lc = `${this.lc}[${this.getInitialWeakDelegateSessionSecret.name}]`;
+        const lc = `${this.lc}[${this.getInitialWeakTransitionSessionSecret.name}]`;
         try {
             if (logalot) { console.log(`${lc} starting... (I: 872ab81a78827b9f2822b78459203226)`); }
 
             // Create delegate pool bootstrap secret (publicly derivable)
-            const initialDelegateSecret = await deriveKey({
-                masterSecret: DEFAULT_SESSION_IDENTITY_INITIAL_DELEGATE_SECRET, // Weak, publicly derivable secret
+            const initialTransitionSecret = await deriveKey({
+                masterSecret: SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL, // Weak, publicly derivable secret
                 kdfOpts: {
                     strategy: KdfStrategy.recursive_salt_wrap,
                     salt: sagaId,
@@ -401,7 +445,7 @@ export class SyncSagaCoordinator {
                 }
             });
 
-            return initialDelegateSecret;
+            return initialTransitionSecret;
         } catch (error) {
             console.error(`${lc} ${extractErrorMsg(error)}`);
             throw error;
@@ -410,75 +454,263 @@ export class SyncSagaCoordinator {
         }
     }
 
-    private async getSessionIdentity({
+    private async getTransitionKeystonePool({
         sagaId,
-        identitySecret,
+    }: {
+        sagaId: string,
+    }): Promise<KeystoneChallengePool> {
+        const lc = `${this.lc}[${this.getTransitionKeystonePool.name}]`;
+        try {
+            if (logalot) { console.log(`${lc} starting... (I: 1ec1c8db7438938b08b96559fcee0826)`); }
+
+            const config = createStandardPoolConfig({
+                salt: sagaId,
+                id: SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID,
+                type: KeystoneChallengeType.hash_reveal_v1,
+                size: SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE_TRANSITIONPOOL,
+                replenishStrategy: SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY_TRANSITIONPOOL,
+                random: SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM_TRANSITIONPOOL,
+                sequential: SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL_TRANSITIONPOOL,
+                targetBinding: SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING_TRANSITIONPOOL,
+                hashAlgorithm: SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO_TRANSITIONPOOL,
+                hashRounds: SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS_TRANSITIONPOOL,
+                verbs: SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_TRANSITIONPOOL,
+            });
+            const strategy = KeystoneStrategyFactory.create({ config });
+            const poolSecret = await strategy.derivePoolSecret({
+                masterSecret: await this.getInitialWeakTransitionSessionSecret({ sagaId }),
+            });
+            const challenges: { [id: string]: any } = {};
+            const bindingMap: { [char: string]: string[] } = {};
+
+            const targetSize = config.behavior.size;
+            const timestamp = Date.now().toString();
+            for (let i = 0; i < targetSize; i++) {
+                const challengeId = await generateOpaqueChallengeId({
+                    salt: config.salt, timestamp, index: i
+                });
+                const solution = await strategy.generateSolution({
+                    poolSecret, poolId: config.salt, challengeId,
+                });
+                const challenge = await strategy.generateChallenge({ solution });
+                challenges[challengeId] = challenge;
+                // Populate Binding Map
+                addToBindingMap(bindingMap, challengeId);
+            }
+
+            const transitionPool: KeystoneChallengePool = {
+                id: SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID,
+                config,
+                challenges,
+                bindingMap,
+                isForeign: true,
+                // metadata: { origin: 'receiver', role: 'delegate' } // don't need metadata since we have the pool id being 'delegate' (i think)
+            };
+
+            return transitionPool;
+        } catch (error) {
+            console.error(`${lc} ${extractErrorMsg(error)}`);
+            throw error;
+        } finally {
+            if (logalot) { console.log(`${lc} complete.`); }
+        }
+    }
+
+    private async getDelegateKeystonePool({
+        sagaId,
+    }: {
+        sagaId: string,
+    }): Promise<KeystoneChallengePool> {
+        const lc = `${this.lc}[${this.getDelegateKeystonePool.name}]`;
+        try {
+            if (logalot) { console.log(`${lc} starting... (I: 6b1d338f8e988e68f8d77e72ed00d526)`); }
+
+            // todo: change this to a helper function that does the delegated
+            // functionality better. also the f***ing binding map needs better
+            // implementation. f***ng glazed over by AI.
+
+            const config = createStandardPoolConfig({
+                salt: sagaId,
+                id: SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID,
+                type: KeystoneChallengeType.hash_reveal_v1,
+                size: SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE,
+                replenishStrategy: SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY,
+                random: SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM,
+                sequential: SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL,
+                targetBinding: SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING,
+                hashAlgorithm: SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO,
+                hashRounds: SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS,
+                verbs: SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_DELEGATE,
+            });
+            const strategy = KeystoneStrategyFactory.create({ config });
+            const poolSecret = await strategy.derivePoolSecret({
+                masterSecret: SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL
+            });
+            const challenges: { [id: string]: any } = {};
+            const bindingMap: { [char: string]: string[] } = {};
+
+            const targetSize = config.behavior.size;
+            const timestamp = Date.now().toString();
+            for (let i = 0; i < targetSize; i++) {
+                const challengeId = await generateOpaqueChallengeId({
+                    salt: config.salt, timestamp, index: i
+                });
+                const solution = await strategy.generateSolution({
+                    poolSecret, poolId: config.salt, challengeId,
+                });
+                const challenge = await strategy.generateChallenge({ solution });
+                challenges[challengeId] = challenge;
+                // Populate Binding Map
+                addToBindingMap(bindingMap, challengeId);
+            }
+
+            const delegatePool: KeystoneChallengePool = {
+                id: SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID,
+                config,
+                challenges,
+                bindingMap,
+                isForeign: true,
+                // metadata: { origin: 'receiver', role: 'delegate' } // don't need metadata since we have the pool id being 'delegate' (i think)
+            };
+
+            return delegatePool;
+        } catch (error) {
+            console.error(`${lc} ${extractErrorMsg(error)}`);
+            throw error;
+        } finally {
+            if (logalot) { console.log(`${lc} complete.`); }
+        }
+    }
+
+    /**
+     * creates a session identity keystone based off of the given args.
+     *
+     * Then, if the {@link primaryIdentity} keystone is provided, this also
+     * **signs** this keystone pointing to the address of the sess
+     * @param param0
+     * @returns
+     */
+    private async createSessionIdentity({
+        sagaId,
+        primaryIdentity,
+        nonSessionSecret,
         metaspace,
         localSpace,
     }: {
+        /**
+         * unique to any one particular saga.
+         */
         sagaId: string,
-        identitySecret: string,
+        /**
+         * optional main identity, e.g., Alice's keystone
+         */
+        primaryIdentity: KeystoneIbGib_V1 | undefined,
+        /**
+         * driving secret behind the sync operation. usually, this will be the
+         * secret corresponding to a primary identity keystone. But this can
+         * also just be a one-time secret just to have more security in the
+         * transmission intrinsically.
+         */
+        nonSessionSecret: string,
         metaspace: MetaspaceService,
         localSpace: IbGibSpaceAny,
-    }): Promise<KeystoneIbGib_V1> {
-        const lc = `${this.lc}[${this.getSessionIdentity.name}]`;
+    }): Promise<{
+        sessionIdentity: KeystoneIbGib_V1,
+        /**
+         * if truthy, this evolved from the incoming {@link primaryIdentity} and
+         * has already persisted/registered in the incoming {@link localSpace}.
+         */
+        newPrimaryIdentity: KeystoneIbGib_V1 | undefined
+    }> {
+        const lc = `${this.lc}[${this.createSessionIdentity.name}]`;
         try {
             if (logalot) { console.log(`${lc} starting... (I: 428392a4ee636b7bd8f7d5d89a87e826)`); }
 
-            if (!identitySecret) { throw new Error(`(UNEXPECTED) identitySecret falsy? This is expected to be truthy by this point. (E: 8ce053fe59825a6678713128953b9d26)`); }
-
-            const sessionSecret = await this.getSessionSecret({ sagaId, identitySecret });
+            if (!nonSessionSecret) { throw new Error(`(UNEXPECTED) nonSessionSecret falsy? This is expected to be truthy by this point. (E: 8ce053fe59825a6678713128953b9d26)`); }
 
-            const init = await this.getInitialWeakDelegateSessionSecret({ sagaId });
+            const primarySessionSecret = await this.deriveSessionSecret({
+                sagaId, nonSessionSecret
+            });
 
+            // Generate keystone with two initial pools in two steps.
+            //   1. Create primary pool with genesis method to correspond to the
+            //      sender/sender's secret/identity.
+            //   2. Create a separate pool and add separately because a
+            //      different pw + config is used for the transition pool.
 
-            // Create TWO pool configs: Primary (strong) + Delegate (weak bootstrap)
             const primaryPoolConfig: KeystonePoolConfig_HashV1 = {
                 allowedVerbs: [KEYSTONE_VERB_MANAGE],
-                id: 'primary',
-                type: 'hash-reveal-v1',
+                id: SESSION_IDENTITY_KEYSTONE_PRIMARY_POOL_ID,
                 salt: sagaId,
                 behavior: {
-                    size: 100,  // Large pool for many signatures
-                    replenish: 'top-up',
-                    selectSequentially: 2,
-                    selectRandomly: 2,
-                    targetBindingChars: 10
+                    size: SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE,  // Large pool for many signatures
+                    replenish: SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY,
+                    selectSequentially: SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL,
+                    selectRandomly: SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM,
+                    targetBindingChars: SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING,
                 },
-                algo: 'SHA-256',
-                rounds: 1
+                type: KeystoneChallengeType.hash_reveal_v1,
+                algo: SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO,
+                rounds: SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS,
             };
+            const sessionIdentity_genesis = await this.keystoneSvc.genesis({
+                masterSecret: primarySessionSecret,
+                configs: [primaryPoolConfig],
+                metaspace,
+                space: localSpace,
+            });
 
-            const delegatePoolConfig: any = {
-                id: 'delegate',
-                type: 'hash-reveal-v1',
-                salt: sagaId,
-                behavior: {
-                    size: 10,  // Small pool - only for initial handshake
-                    replenish: 'top-up',
-                    selectSequentially: 1,
-                    selectRandomly: 1,
-                    targetBindingChars: 0
-                },
-                algo: 'SHA-256',
-                rounds: 1
-            };
+            // #region sanity validation of genesis keystone
+            /**
+             * not necessary but since it's a new design, I'm putting in this
+             * immediate validation just to put it through its paces. (worth the
+             * slight perf hit).
+             */
+            const validationErrors = await validateGenesisKeystone({
+                keystoneIbGib: sessionIdentity_genesis
+            });
+            if (validationErrors) { throw new Error(`(UNEXPECTED) the sessionIdentity_genesis that we just created already has validation errors just after creation? (E: e9ca08cf0f8858bb1ace8b9fa89f8726)`); }
+            // #endregion sanity validation of genesis keystone
 
-            // Generate keystone with DUAL pools. We have to first genesis with
-            // one and then add the other, because we have two distinct
-            // secrets.
-            const sessionIdentity = await this.keystoneSvc.genesis({
-                masterSecret: sessionSecret,
-                configs: [primaryPoolConfig],
+            const transitionPool = await this.getTransitionKeystonePool({ sagaId });
+            /**
+             * Note this actually **signs** the initial {@link sessionIdentity_genesis}
+             * and requires the use of a pool with management priveleges.
+             */
+            const sessionIdentity_withTransitionPool = await this.keystoneSvc.addPools({
+                latestKeystone: sessionIdentity_genesis,
+                /**
+                 * this secret does not do the delegate pool challenges,
+                 * rather, this is the sessionSecret itself to evolve the
+                 * keystone **to add** the delegate pool in the first place.
+                 */
+                masterSecret: primarySessionSecret,
                 metaspace,
-                space: localSpace
+                space: localSpace,
+                newPools: [transitionPool],
             });
 
-            // TODO: Store delegate pool separate challenges derived from bootstrap secret
-            // This allows receiver to verify/evolve the delegate pool
-            // For now, the keystone genesis with multiple configs handles this
+            let newPrimaryIdentity: KeystoneIbGib_V1 | undefined = undefined;
+            if (primaryIdentity) {
+                newPrimaryIdentity = await this.keystoneSvc.sign({
+                    latestKeystone: primaryIdentity,
+                    poolId: primaryPoolConfig.id,
+                    claim: {
+                        verb: KEYSTONE_VERB_SIGN,
+                        target: getIbGibAddr({ ibGib: sessionIdentity_withTransitionPool }),
+                    },
+                    masterSecret: nonSessionSecret,
+                    metaspace,
+                    space: localSpace,
+                    // frameDetails: undefined, // anything to put here?
+                    // requiredChallengeIds: undefined, // not relevant I think
+                });
+            }
 
-            return sessionIdentity;
+            return {
+                sessionIdentity: sessionIdentity_withTransitionPool,
+                newPrimaryIdentity,
+            }
         } catch (error) {
             console.error(`${lc} ${extractErrorMsg(error)}`);
             throw error;
@@ -846,6 +1078,7 @@ export class SyncSagaCoordinator {
                     masterSecret: sessionSecret,
                     metaspace,
                 });
+                contextIbGib.fnIdentitySecret = () => Promise.resolve(sessionSecret);
             }
 
             return contextIbGib;
@@ -1665,8 +1898,8 @@ export class SyncSagaCoordinator {
             if (ackData.stage !== SyncStage.ack) {
                 throw new Error(`${lc} Invalid ack frame: ackData.stage !== SyncStage.ack (E: 2e8b0a94b5954a66a6a1a7a0b3f5b7a1)`);
             }
-            if (logalot) { console.log(`${lc} ackData: ${pretty(ackData)} (I: 7f8e9d0a1b2c3d4e5f6g7h8i9j0k)`); }
-            if (!sagaIbGib.data) { throw new Error(`(UNEXPECTED) sagaIbGib.data falsy? (E: 385e389610282aa9c5dbe4083adbde26)`); }
+            if (logalot) { console.log(`${lc} ackData: ${pretty(ackData)} (I: b817c5571c5e916fe8f90b892b3e8e26)`); }
+            if (!sagaIbGib.data) { throw new Error(`(UNEXPECTED) sagaIbGib.data falsy? (E: e3f2e8f162484859787651b85c011826)`); }
             // #region sanity/validation
 
             // 1. Check for Conflicts
@@ -2889,7 +3122,7 @@ export class SyncSagaCoordinator {
 
                 // Attach session keystone to saga frame via hard rel8n
                 if (sessionIdentity) {
-                    rel8ns.sessionKeystones = [getIbGibAddr({ ibGib: sessionIdentity })];
+                    rel8ns.sessionKeystone = [getIbGibAddr({ ibGib: sessionIdentity })];
                 }
 
                 const resNew = await createTimeline({

package/src/sync/sync-types.mts

@@ -205,7 +205,7 @@ export interface SyncRel8ns_V1 extends IbGibRel8ns_V1 {
      * Each sync endpoint retrieves the session keystone from this rel8n
      * rather than searching spaces. Keystones are stored in durable spaces.
      */
-    sessionKeystones?: IbGibAddr[];
+    sessionKeystone?: IbGibAddr[];
 
     /**
      * The message stone that contains the information about the particular