@ibgib/core-gib 0.1.47 → 0.1.48

package/dist/sync/sync-saga-coordinator.mjs

@@ -5,9 +5,10 @@ import { getIbGibAddr } from "@ibgib/ts-gib/dist/helper.mjs";
 import { Factory_V1 } from "@ibgib/ts-gib/dist/V1/factory.mjs";
 import { GLOBAL_LOG_A_LOT } from "../core-constants.mjs";
 import { putInSpace, getLatestAddrs, getFromSpace, registerNewIbGib } from "../witness/space/space-helper.mjs";
+import { KeystoneChallengeType } from "../keystone/keystone-types.mjs";
 import { deriveKey } from "../keystone/kdf/kdf-helpers.mjs";
 import { KdfStrategy } from "../keystone/kdf/kdf-constants.mjs";
-import { SyncStage, SYNC_ATOM, SYNC_MSG_REL8N_NAME, SYNC_SAGA_PAYLOAD_ADDRS_DOMAIN, SyncConflictStrategy, SYNC_CONFLICT_STRATEGY_VALID_VALUES, DEFAULT_SESSION_IDENTITY_INITIAL_DELEGATE_SECRET, } from "./sync-constants.mjs";
+import { SyncStage, SYNC_ATOM, SYNC_MSG_REL8N_NAME, SYNC_SAGA_PAYLOAD_ADDRS_DOMAIN, SyncConflictStrategy, SYNC_CONFLICT_STRATEGY_VALID_VALUES, SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL, SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO, SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS, SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM, SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY, SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL, SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING, SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE, SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID, SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE_TRANSITIONPOOL, SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY_TRANSITIONPOOL, SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM_TRANSITIONPOOL, SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL_TRANSITIONPOOL, SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING_TRANSITIONPOOL, SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO_TRANSITIONPOOL, SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS_TRANSITIONPOOL, SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_TRANSITIONPOOL, SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_DELEGATE, SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID, SESSION_IDENTITY_KEYSTONE_PRIMARY_POOL_ID, } from "./sync-constants.mjs";
 import { appendToTimeline, createTimeline, getHistory, getHistoryAddrs } from "../timeline/timeline-api.mjs";
 import { SyncMode, } from "./sync-types.mjs";
 import { getSyncSagaFrameOrigin, getFullSyncSagaHistory, getSyncIb, getTempSpaceName, isPastFrame, putInSpace_dnasThenNonDnas, validateFullSyncSagaHistory, getAllOrphanedAddresses, getFinalConflictsInfo } from "./sync-helpers.mjs";
@@ -22,9 +23,11 @@ import { fnObs } from "../common/pubsub/observer/observer-helper.mjs";
 import { graftTimelines, } from "./graft-info/graft-info-helpers.mjs";
 import { GRAFT_INFO_REL8N_NAME } from "./graft-info/graft-info-constants.mjs";
 import { validateIbGibIntrinsically } from "@ibgib/ts-gib/dist/V1/validate-helper.mjs";
-import { KEYSTONE_VERB_MANAGE } from "../keystone/keystone-constants.mjs";
-import { validateKeystoneGraph } from "../keystone/keystone-helpers.mjs";
+import { KEYSTONE_VERB_MANAGE, KEYSTONE_VERB_SIGN } from "../keystone/keystone-constants.mjs";
+import { addToBindingMap, generateOpaqueChallengeId, validateGenesisKeystone, validateKeystoneGraph } from "../keystone/keystone-helpers.mjs";
 import { SYNC_SAGA_CONTEXT_ATOM } from "./sync-saga-context/sync-saga-context-constants.mjs";
+import { createStandardPoolConfig } from "../keystone/keystone-config-builder.mjs";
+import { KeystoneStrategyFactory } from "../keystone/strategy/keystone-strategy-factory.mjs";
 const logalot = GLOBAL_LOG_A_LOT;
 const logalotControlDomain = false;
 const lcControlDomain = '[ControlDomain]';
@@ -107,7 +110,20 @@ export class SyncSagaCoordinator {
                     // creates the initial session identity (keystone). the flow
                     // (i think) will go: evolve saga frame, then sign keystone,
                     // then create/send context.
-                    sessionIdentity = await this.getSessionIdentity({ sagaId, identitySecret, metaspace, localSpace });
+                    const resCreateSessionIdentity = await this.createSessionIdentity({
+                        sagaId,
+                        primaryIdentity: identity,
+                        nonSessionSecret: identitySecret,
+                        metaspace,
+                        localSpace
+                    });
+                    sessionIdentity = resCreateSessionIdentity.sessionIdentity;
+                    if (identity) {
+                        if (!resCreateSessionIdentity.newPrimaryIdentity) {
+                            throw new Error(`(UNEXPECTED) identity truthy but resCreateSessionIdentity.newPrimaryIdentity falsy? (E: 4f82e88a3cc5bd7e58a40f8d77bda826)`);
+                        }
+                        identity = resCreateSessionIdentity.newPrimaryIdentity;
+                    }
                 }
                 // if (logalot) { console.log(`${lc} sessionIdentity: ${sessionIdentity ? pretty(sessionIdentity) : 'undefined'} (I: abc01872800b3a66b819a05898bba826)`); }
                 // CREATE INITIAL FRAME (Stage.init)
@@ -220,15 +236,20 @@ export class SyncSagaCoordinator {
             }
         }
     }
-    async getSessionSecret({ sagaId, identitySecret, }) {
-        const lc = `${this.lc}[${this.getSessionSecret.name}]`;
+    /**
+     * helper that KDFs the given identitySecret, using {@link sagaId} to do so.
+     *
+     * @returns deterministically derived session secret
+     */
+    async deriveSessionSecret({ sagaId, nonSessionSecret, }) {
+        const lc = `${this.lc}[${this.deriveSessionSecret.name}]`;
         try {
             if (logalot) {
                 console.log(`${lc} starting... (I: 0de03f8dcd3e32f1fca244e8f2a8a826)`);
             }
             // Derive session-specific secret using KDF
             const sessionSecret = await deriveKey({
-                masterSecret: identitySecret,
+                masterSecret: nonSessionSecret,
                 kdfOpts: {
                     strategy: KdfStrategy.recursive_salt_wrap,
                     salt: sagaId,
@@ -248,15 +269,15 @@ export class SyncSagaCoordinator {
             }
         }
     }
-    async getInitialWeakDelegateSessionSecret({ sagaId, }) {
-        const lc = `${this.lc}[${this.getInitialWeakDelegateSessionSecret.name}]`;
+    async getInitialWeakTransitionSessionSecret({ sagaId, }) {
+        const lc = `${this.lc}[${this.getInitialWeakTransitionSessionSecret.name}]`;
         try {
             if (logalot) {
                 console.log(`${lc} starting... (I: 872ab81a78827b9f2822b78459203226)`);
             }
             // Create delegate pool bootstrap secret (publicly derivable)
-            const initialDelegateSecret = await deriveKey({
-                masterSecret: DEFAULT_SESSION_IDENTITY_INITIAL_DELEGATE_SECRET, // Weak, publicly derivable secret
+            const initialTransitionSecret = await deriveKey({
+                masterSecret: SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL, // Weak, publicly derivable secret
                 kdfOpts: {
                     strategy: KdfStrategy.recursive_salt_wrap,
                     salt: sagaId,
@@ -264,7 +285,7 @@ export class SyncSagaCoordinator {
                     algorithm: 'SHA-256'
                 }
             });
-            return initialDelegateSecret;
+            return initialTransitionSecret;
         }
         catch (error) {
             console.error(`${lc} ${extractErrorMsg(error)}`);
@@ -276,60 +297,223 @@ export class SyncSagaCoordinator {
             }
         }
     }
-    async getSessionIdentity({ sagaId, identitySecret, metaspace, localSpace, }) {
-        const lc = `${this.lc}[${this.getSessionIdentity.name}]`;
+    async getTransitionKeystonePool({ sagaId, }) {
+        const lc = `${this.lc}[${this.getTransitionKeystonePool.name}]`;
+        try {
+            if (logalot) {
+                console.log(`${lc} starting... (I: 1ec1c8db7438938b08b96559fcee0826)`);
+            }
+            const config = createStandardPoolConfig({
+                salt: sagaId,
+                id: SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID,
+                type: KeystoneChallengeType.hash_reveal_v1,
+                size: SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE_TRANSITIONPOOL,
+                replenishStrategy: SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY_TRANSITIONPOOL,
+                random: SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM_TRANSITIONPOOL,
+                sequential: SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL_TRANSITIONPOOL,
+                targetBinding: SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING_TRANSITIONPOOL,
+                hashAlgorithm: SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO_TRANSITIONPOOL,
+                hashRounds: SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS_TRANSITIONPOOL,
+                verbs: SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_TRANSITIONPOOL,
+            });
+            const strategy = KeystoneStrategyFactory.create({ config });
+            const poolSecret = await strategy.derivePoolSecret({
+                masterSecret: await this.getInitialWeakTransitionSessionSecret({ sagaId }),
+            });
+            const challenges = {};
+            const bindingMap = {};
+            const targetSize = config.behavior.size;
+            const timestamp = Date.now().toString();
+            for (let i = 0; i < targetSize; i++) {
+                const challengeId = await generateOpaqueChallengeId({
+                    salt: config.salt, timestamp, index: i
+                });
+                const solution = await strategy.generateSolution({
+                    poolSecret, poolId: config.salt, challengeId,
+                });
+                const challenge = await strategy.generateChallenge({ solution });
+                challenges[challengeId] = challenge;
+                // Populate Binding Map
+                addToBindingMap(bindingMap, challengeId);
+            }
+            const transitionPool = {
+                id: SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID,
+                config,
+                challenges,
+                bindingMap,
+                isForeign: true,
+                // metadata: { origin: 'receiver', role: 'delegate' } // don't need metadata since we have the pool id being 'delegate' (i think)
+            };
+            return transitionPool;
+        }
+        catch (error) {
+            console.error(`${lc} ${extractErrorMsg(error)}`);
+            throw error;
+        }
+        finally {
+            if (logalot) {
+                console.log(`${lc} complete.`);
+            }
+        }
+    }
+    async getDelegateKeystonePool({ sagaId, }) {
+        const lc = `${this.lc}[${this.getDelegateKeystonePool.name}]`;
+        try {
+            if (logalot) {
+                console.log(`${lc} starting... (I: 6b1d338f8e988e68f8d77e72ed00d526)`);
+            }
+            // todo: change this to a helper function that does the delegated
+            // functionality better. also the f***ing binding map needs better
+            // implementation. f***ng glazed over by AI.
+            const config = createStandardPoolConfig({
+                salt: sagaId,
+                id: SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID,
+                type: KeystoneChallengeType.hash_reveal_v1,
+                size: SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE,
+                replenishStrategy: SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY,
+                random: SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM,
+                sequential: SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL,
+                targetBinding: SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING,
+                hashAlgorithm: SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO,
+                hashRounds: SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS,
+                verbs: SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_DELEGATE,
+            });
+            const strategy = KeystoneStrategyFactory.create({ config });
+            const poolSecret = await strategy.derivePoolSecret({
+                masterSecret: SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL
+            });
+            const challenges = {};
+            const bindingMap = {};
+            const targetSize = config.behavior.size;
+            const timestamp = Date.now().toString();
+            for (let i = 0; i < targetSize; i++) {
+                const challengeId = await generateOpaqueChallengeId({
+                    salt: config.salt, timestamp, index: i
+                });
+                const solution = await strategy.generateSolution({
+                    poolSecret, poolId: config.salt, challengeId,
+                });
+                const challenge = await strategy.generateChallenge({ solution });
+                challenges[challengeId] = challenge;
+                // Populate Binding Map
+                addToBindingMap(bindingMap, challengeId);
+            }
+            const delegatePool = {
+                id: SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID,
+                config,
+                challenges,
+                bindingMap,
+                isForeign: true,
+                // metadata: { origin: 'receiver', role: 'delegate' } // don't need metadata since we have the pool id being 'delegate' (i think)
+            };
+            return delegatePool;
+        }
+        catch (error) {
+            console.error(`${lc} ${extractErrorMsg(error)}`);
+            throw error;
+        }
+        finally {
+            if (logalot) {
+                console.log(`${lc} complete.`);
+            }
+        }
+    }
+    /**
+     * creates a session identity keystone based off of the given args.
+     *
+     * Then, if the {@link primaryIdentity} keystone is provided, this also
+     * **signs** this keystone pointing to the address of the sess
+     * @param param0
+     * @returns
+     */
+    async createSessionIdentity({ sagaId, primaryIdentity, nonSessionSecret, metaspace, localSpace, }) {
+        const lc = `${this.lc}[${this.createSessionIdentity.name}]`;
         try {
             if (logalot) {
                 console.log(`${lc} starting... (I: 428392a4ee636b7bd8f7d5d89a87e826)`);
             }
-            if (!identitySecret) {
-                throw new Error(`(UNEXPECTED) identitySecret falsy? This is expected to be truthy by this point. (E: 8ce053fe59825a6678713128953b9d26)`);
+            if (!nonSessionSecret) {
+                throw new Error(`(UNEXPECTED) nonSessionSecret falsy? This is expected to be truthy by this point. (E: 8ce053fe59825a6678713128953b9d26)`);
             }
-            const sessionSecret = await this.getSessionSecret({ sagaId, identitySecret });
-            const init = await this.getInitialWeakDelegateSessionSecret({ sagaId });
-            // Create TWO pool configs: Primary (strong) + Delegate (weak bootstrap)
+            const primarySessionSecret = await this.deriveSessionSecret({
+                sagaId, nonSessionSecret
+            });
+            // Generate keystone with two initial pools in two steps.
+            //   1. Create primary pool with genesis method to correspond to the
+            //      sender/sender's secret/identity.
+            //   2. Create a separate pool and add separately because a
+            //      different pw + config is used for the transition pool.
             const primaryPoolConfig = {
                 allowedVerbs: [KEYSTONE_VERB_MANAGE],
-                id: 'primary',
-                type: 'hash-reveal-v1',
-                salt: sagaId,
-                behavior: {
-                    size: 100, // Large pool for many signatures
-                    replenish: 'top-up',
-                    selectSequentially: 2,
-                    selectRandomly: 2,
-                    targetBindingChars: 10
-                },
-                algo: 'SHA-256',
-                rounds: 1
-            };
-            const delegatePoolConfig = {
-                id: 'delegate',
-                type: 'hash-reveal-v1',
+                id: SESSION_IDENTITY_KEYSTONE_PRIMARY_POOL_ID,
                 salt: sagaId,
                 behavior: {
-                    size: 10, // Small pool - only for initial handshake
-                    replenish: 'top-up',
-                    selectSequentially: 1,
-                    selectRandomly: 1,
-                    targetBindingChars: 0
+                    size: SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE, // Large pool for many signatures
+                    replenish: SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY,
+                    selectSequentially: SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL,
+                    selectRandomly: SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM,
+                    targetBindingChars: SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING,
                 },
-                algo: 'SHA-256',
-                rounds: 1
+                type: KeystoneChallengeType.hash_reveal_v1,
+                algo: SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO,
+                rounds: SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS,
             };
-            // Generate keystone with DUAL pools. We have to first genesis with
-            // one and then add the other, because we have two distinct
-            // secrets.
-            const sessionIdentity = await this.keystoneSvc.genesis({
-                masterSecret: sessionSecret,
+            const sessionIdentity_genesis = await this.keystoneSvc.genesis({
+                masterSecret: primarySessionSecret,
                 configs: [primaryPoolConfig],
                 metaspace,
-                space: localSpace
+                space: localSpace,
+            });
+            // #region sanity validation of genesis keystone
+            /**
+             * not necessary but since it's a new design, I'm putting in this
+             * immediate validation just to put it through its paces. (worth the
+             * slight perf hit).
+             */
+            const validationErrors = await validateGenesisKeystone({
+                keystoneIbGib: sessionIdentity_genesis
+            });
+            if (validationErrors) {
+                throw new Error(`(UNEXPECTED) the sessionIdentity_genesis that we just created already has validation errors just after creation? (E: e9ca08cf0f8858bb1ace8b9fa89f8726)`);
+            }
+            // #endregion sanity validation of genesis keystone
+            const transitionPool = await this.getTransitionKeystonePool({ sagaId });
+            /**
+             * Note this actually **signs** the initial {@link sessionIdentity_genesis}
+             * and requires the use of a pool with management priveleges.
+             */
+            const sessionIdentity_withTransitionPool = await this.keystoneSvc.addPools({
+                latestKeystone: sessionIdentity_genesis,
+                /**
+                 * this secret does not do the delegate pool challenges,
+                 * rather, this is the sessionSecret itself to evolve the
+                 * keystone **to add** the delegate pool in the first place.
+                 */
+                masterSecret: primarySessionSecret,
+                metaspace,
+                space: localSpace,
+                newPools: [transitionPool],
             });
-            // TODO: Store delegate pool separate challenges derived from bootstrap secret
-            // This allows receiver to verify/evolve the delegate pool
-            // For now, the keystone genesis with multiple configs handles this
-            return sessionIdentity;
+            let newPrimaryIdentity = undefined;
+            if (primaryIdentity) {
+                newPrimaryIdentity = await this.keystoneSvc.sign({
+                    latestKeystone: primaryIdentity,
+                    poolId: primaryPoolConfig.id,
+                    claim: {
+                        verb: KEYSTONE_VERB_SIGN,
+                        target: getIbGibAddr({ ibGib: sessionIdentity_withTransitionPool }),
+                    },
+                    masterSecret: nonSessionSecret,
+                    metaspace,
+                    space: localSpace,
+                    // frameDetails: undefined, // anything to put here?
+                    // requiredChallengeIds: undefined, // not relevant I think
+                });
+            }
+            return {
+                sessionIdentity: sessionIdentity_withTransitionPool,
+                newPrimaryIdentity,
+            };
         }
         catch (error) {
             console.error(`${lc} ${extractErrorMsg(error)}`);
@@ -634,6 +818,7 @@ export class SyncSagaCoordinator {
                     masterSecret: sessionSecret,
                     metaspace,
                 });
+                contextIbGib.fnIdentitySecret = () => Promise.resolve(sessionSecret);
             }
             return contextIbGib;
         }
@@ -1368,10 +1553,10 @@ export class SyncSagaCoordinator {
                 throw new Error(`${lc} Invalid ack frame: ackData.stage !== SyncStage.ack (E: 2e8b0a94b5954a66a6a1a7a0b3f5b7a1)`);
             }
             if (logalot) {
-                console.log(`${lc} ackData: ${pretty(ackData)} (I: 7f8e9d0a1b2c3d4e5f6g7h8i9j0k)`);
+                console.log(`${lc} ackData: ${pretty(ackData)} (I: b817c5571c5e916fe8f90b892b3e8e26)`);
             }
             if (!sagaIbGib.data) {
-                throw new Error(`(UNEXPECTED) sagaIbGib.data falsy? (E: 385e389610282aa9c5dbe4083adbde26)`);
+                throw new Error(`(UNEXPECTED) sagaIbGib.data falsy? (E: e3f2e8f162484859787651b85c011826)`);
             }
             // #region sanity/validation
             // 1. Check for Conflicts
@@ -2492,7 +2677,7 @@ export class SyncSagaCoordinator {
                 }
                 // Attach session keystone to saga frame via hard rel8n
                 if (sessionIdentity) {
-                    rel8ns.sessionKeystones = [getIbGibAddr({ ibGib: sessionIdentity })];
+                    rel8ns.sessionKeystone = [getIbGibAddr({ ibGib: sessionIdentity })];
                 }
                 const resNew = await createTimeline({
                     space: localSpace,