@ibgib/core-gib 0.1.54 → 0.1.55

package/src/sync/sync-saga-coordinator.mts

@@ -17,35 +17,11 @@ import { IbGibAddr } from "@ibgib/ts-gib/dist/types.mjs";
 import { GLOBAL_LOG_A_LOT } from "../core-constants.mjs";
 import { IbGibSpaceAny } from "../witness/space/space-base-v1.mjs";
 import { putInSpace, getLatestAddrs, getFromSpace, registerNewIbGib } from "../witness/space/space-helper.mjs";
-import { KeystoneChallengePool, KeystoneChallengeType, KeystoneIbGib_V1, KeystonePoolConfig_HashV1, KeystoneReplenishStrategy } from "../keystone/keystone-types.mjs";
-import { KeystoneService_V1 } from "../keystone/keystone-service-v1.mjs";
-import { deriveKey } from "../keystone/kdf/kdf-helpers.mjs";
-import { KdfStrategy } from "../keystone/kdf/kdf-constants.mjs";
 import { MetaspaceService } from "../witness/space/metaspace/metaspace-types.mjs";
 import {
     SyncStage, SYNC_ATOM, SYNC_MSG_REL8N_NAME, SYNC_SAGA_PAYLOAD_ADDRS_DOMAIN,
-    SyncConflictStrategy,
-    SYNC_CONFLICT_STRATEGY_VALID_VALUES,
-    SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE,
-    SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE_TRANSITIONPOOL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY_TRANSITIONPOOL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM_TRANSITIONPOOL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL_TRANSITIONPOOL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING_TRANSITIONPOOL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO_TRANSITIONPOOL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS_TRANSITIONPOOL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_TRANSITIONPOOL,
-    SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_DELEGATE,
-    SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID,
-    SESSION_IDENTITY_KEYSTONE_PRIMARY_POOL_ID,
+    SyncConflictStrategy, SYNC_CONFLICT_STRATEGY_VALID_VALUES,
+
 } from "./sync-constants.mjs";
 import {
     appendToTimeline, createTimeline, getHistory, getHistoryAddrs, Rel8nInfo, Rel8nRemovalInfo
@@ -83,11 +59,7 @@ import { graftTimelines, } from "./graft-info/graft-info-helpers.mjs";
 import { GRAFT_INFO_REL8N_NAME } from "./graft-info/graft-info-constants.mjs";
 import { GraftInfoIbGib_V1 } from "./graft-info/graft-info-types.mjs";
 import { validateIbGibIntrinsically } from "@ibgib/ts-gib/dist/V1/validate-helper.mjs";
-import { KEYSTONE_VERB_MANAGE, KEYSTONE_VERB_SIGN } from "../keystone/keystone-constants.mjs";
-import { addToBindingMap, generateOpaqueChallengeId, validateGenesisKeystone, validateKeystoneGraph } from "../keystone/keystone-helpers.mjs";
 import { SYNC_SAGA_CONTEXT_ATOM } from "./sync-saga-context/sync-saga-context-constants.mjs";
-import { createStandardPoolConfig } from "../keystone/keystone-config-builder.mjs";
-import { KeystoneStrategyFactory } from "../keystone/strategy/keystone-strategy-factory.mjs";
 
 
 const logalot = GLOBAL_LOG_A_LOT;
@@ -104,15 +76,13 @@ const lcControlDomain = '[ControlDomain]';
  * *   **Sender/Local Node**: The node *initiating* the sync (calling `sync()`).
  * *   **Receiver/Remote Node**: The node *accepting* the sync request (the Peer).
  *
- * Note that in a peer-to-peer architecture, "Sender" and "Receiver" are roles relative
- * to a specific Saga session, not fixed node identities.
+ * Note that in a peer-to-peer architecture, "Sender" and "Receiver" are roles
+ * relative to a specific Saga, not fixed node ids.
  */
 export class SyncSagaCoordinator {
     private lc: string = `[${SyncSagaCoordinator.name}]`;
 
-    constructor(
-        public keystoneSvc: KeystoneService_V1
-    ) {
+    constructor() {
 
     }
 
@@ -121,15 +91,12 @@ export class SyncSagaCoordinator {
      *
      * @remarks
      * **Execution Context**: **Sender (Local)**.
-     * This method is the entry point for starting a sync session.
+     * This method is the entry point for starting a sync saga.
      */
     public async sync({
         peer,
         domainIbGibs,
         conflictStrategy = SyncConflictStrategy.abort,
-        useSessionIdentity = true,
-        identity,
-        identitySecret,
         metaspace,
         localSpace,
     }: {
@@ -153,20 +120,6 @@ export class SyncSagaCoordinator {
          * The metaspace context (for registering sync sagas locally).
          */
         metaspace: MetaspaceService;
-        /**
-         * The primary (i.e. non-session) identity authorizing this sync.
-         *
-         * If this is truthy, then {@link identitySecret} must also be provided.
-         */
-        identity?: KeystoneIbGib_V1;
-        /**
-         * The secret for the identity (to sign the commit).
-         *
-         * If provided, this will drive both signing {@link identity} keystone
-         * (if provided) AND session keystone (if {@link useSessionIdentity} is
-         * true).
-         */
-        identitySecret?: string;
         /**
          * How to handle conflicts when both Source and Dest have diverged on the
          * same timeline.
@@ -174,15 +127,6 @@ export class SyncSagaCoordinator {
          * defaults to {@link SyncConflictStrategy.abort}
          */
         conflictStrategy?: SyncConflictStrategy;
-        /**
-         * If true, creates an ephemeral session identity for the sync process
-         * to secure the sync transaction itself.
-         *
-         * If this is true, {@link identitySecret} must also be provided.
-         *
-         * @default true
-         */
-        useSessionIdentity?: boolean;
     }): Promise<SyncSagaInfo> {
         const lc = `${this.lc}[${this.sync.name}]`;
         if (logalot) { console.log(`${lc} starting...`); }
@@ -227,35 +171,12 @@ export class SyncSagaCoordinator {
         // Async execution wrapper
         (async () => {
             try {
-
-                // BOOTSTRAP IDENTITY (Session Keystone)
-                let sessionIdentity: KeystoneIbGib_V1 | undefined = undefined;
-
-                if (useSessionIdentity) {
-                    if (!identitySecret) { throw new Error(`useSessionIdentity is true, but identitySecret is falsy. Must provide a secret if you want to use a session identity. (E: 81915860c4dd3ea4dfd81825fa74c126)`); }
-                    // creates the initial session identity (keystone). the flow
-                    // (i think) will go: evolve saga frame, then sign keystone,
-                    // then create/send context.
-                    const resCreateSessionIdentity = await this.createSessionIdentity({
-                        sagaId,
-                        primaryIdentity: identity,
-                        nonSessionSecret: identitySecret,
-                        metaspace,
-                        localSpace
-                    });
-                    sessionIdentity = resCreateSessionIdentity.sessionIdentity;
-                    if (identity) {
-                        if (!resCreateSessionIdentity.newPrimaryIdentity) { throw new Error(`(UNEXPECTED) identity truthy but resCreateSessionIdentity.newPrimaryIdentity falsy? (E: 4f82e88a3cc5bd7e58a40f8d77bda826)`); }
-                        identity = resCreateSessionIdentity.newPrimaryIdentity;
-                    }
-                }
-
-                // if (logalot) { console.log(`${lc} sessionIdentity: ${sessionIdentity ? pretty(sessionIdentity) : 'undefined'} (I: abc01872800b3a66b819a05898bba826)`); }
+                // CONNECT PEER (if needed)
+                await peer.connect({ sagaId });
 
                 // CREATE INITIAL FRAME (Stage.init)
                 const { initFrame, initDomainGraph } = await this.createInitFrame({
                     sagaId,
-                    sessionIdentity,
                     domainIbGibs,
                     conflictStrategy,
                     metaspace, localSpace, tempSpace,
@@ -265,8 +186,6 @@ export class SyncSagaCoordinator {
                 await this.executeSagaLoop({
                     initFrame, initDomainGraph,
                     peer,
-                    identitySecret,
-                    sessionIdentity,
                     updates$,
                     localSpace,
                     tempSpace,
@@ -305,8 +224,6 @@ export class SyncSagaCoordinator {
         sagaContext,
         mySpace,
         myTempSpace,
-        identity,
-        identitySecret,
         metaspace,
     }: {
         sagaContext: SyncSagaContextIbGib_V1,
@@ -318,14 +235,6 @@ export class SyncSagaCoordinator {
          * Local temp space relative to the execution context's POV
          */
         myTempSpace: IbGibSpaceAny,
-        /**
-         * @see {@link sync} `identity` param.
-         */
-        identity?: KeystoneIbGib_V1,
-        /**
-         * @see {@link sync} `identitySecret` param.
-         */
-        identitySecret?: string,
         metaspace: MetaspaceService,
     }): Promise<SyncSagaContextIbGib_V1 | null> {
         const lc = `${this.lc}[${this.continueSync.name}]`;
@@ -336,7 +245,6 @@ export class SyncSagaCoordinator {
                 sagaContext,
                 mySpace,
                 myTempSpace,
-                identity,
                 metaspace,
             });
 
@@ -364,11 +272,10 @@ export class SyncSagaCoordinator {
                 sagaFrame: frame,
                 localSpace: mySpace,
                 payloadIbGibsDomain,
-                sessionKeystone: identity,
-                sessionSecret: identitySecret,
                 metaspace,
             });
 
+
             const immediateValidationErrors = await validateContextAndSagaFrame({
                 context: responseCtx,
             });
@@ -383,341 +290,7 @@ export class SyncSagaCoordinator {
         }
     }
 
-    /**
-     * helper that KDFs the given identitySecret, using {@link sagaId} to do so.
-     *
-     * @returns deterministically derived session secret
-     */
-    private async deriveSessionSecret({
-        sagaId,
-        nonSessionSecret,
-    }: {
-        sagaId: string,
-        /**
-         * driving secret behind the sync operation. usually, this will be the
-         * secret corresponding to a primary identity keystone. But this can
-         * also just be a one-time secret just to have more security in the
-         * transmission intrinsically.
-         */
-        nonSessionSecret: string,
-    }): Promise<string> {
-        const lc = `${this.lc}[${this.deriveSessionSecret.name}]`;
-        try {
-            if (logalot) { console.log(`${lc} starting... (I: 0de03f8dcd3e32f1fca244e8f2a8a826)`); }
-
-            // Derive session-specific secret using KDF
-            const sessionSecret = await deriveKey({
-                masterSecret: nonSessionSecret,
-                kdfOpts: {
-                    strategy: KdfStrategy.recursive_salt_wrap,
-                    salt: sagaId,
-                    rounds: 10000,
-                    algorithm: 'SHA-256'
-                }
-            });
 
-            return sessionSecret;
-        } catch (error) {
-            console.error(`${lc} ${extractErrorMsg(error)}`);
-            throw error;
-        } finally {
-            if (logalot) { console.log(`${lc} complete.`); }
-        }
-    }
-
-    private async getInitialWeakTransitionSessionSecret({
-        sagaId,
-    }: {
-        sagaId: string,
-    }): Promise<string> {
-        const lc = `${this.lc}[${this.getInitialWeakTransitionSessionSecret.name}]`;
-        try {
-            if (logalot) { console.log(`${lc} starting... (I: 872ab81a78827b9f2822b78459203226)`); }
-
-            // Create delegate pool bootstrap secret (publicly derivable)
-            const initialTransitionSecret = await deriveKey({
-                masterSecret: SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL, // Weak, publicly derivable secret
-                kdfOpts: {
-                    strategy: KdfStrategy.recursive_salt_wrap,
-                    salt: sagaId,
-                    rounds: 1, // Minimal rounds - this is meant to be weak
-                    algorithm: 'SHA-256'
-                }
-            });
-
-            return initialTransitionSecret;
-        } catch (error) {
-            console.error(`${lc} ${extractErrorMsg(error)}`);
-            throw error;
-        } finally {
-            if (logalot) { console.log(`${lc} complete.`); }
-        }
-    }
-
-    private async getTransitionKeystonePool({
-        sagaId,
-    }: {
-        sagaId: string,
-    }): Promise<KeystoneChallengePool> {
-        const lc = `${this.lc}[${this.getTransitionKeystonePool.name}]`;
-        try {
-            if (logalot) { console.log(`${lc} starting... (I: 1ec1c8db7438938b08b96559fcee0826)`); }
-
-            const config = createStandardPoolConfig({
-                salt: sagaId,
-                id: SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID,
-                type: KeystoneChallengeType.hash_reveal_v1,
-                size: SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE_TRANSITIONPOOL,
-                replenishStrategy: SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY_TRANSITIONPOOL,
-                random: SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM_TRANSITIONPOOL,
-                sequential: SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL_TRANSITIONPOOL,
-                targetBinding: SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING_TRANSITIONPOOL,
-                hashAlgorithm: SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO_TRANSITIONPOOL,
-                hashRounds: SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS_TRANSITIONPOOL,
-                verbs: SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_TRANSITIONPOOL,
-            });
-            const strategy = KeystoneStrategyFactory.create({ config });
-            const poolSecret = await strategy.derivePoolSecret({
-                masterSecret: await this.getInitialWeakTransitionSessionSecret({ sagaId }),
-            });
-            const challenges: { [id: string]: any } = {};
-            const bindingMap: { [char: string]: string[] } = {};
-
-            const targetSize = config.behavior.size;
-            const timestamp = Date.now().toString();
-            for (let i = 0; i < targetSize; i++) {
-                const challengeId = await generateOpaqueChallengeId({
-                    salt: config.salt, timestamp, index: i
-                });
-                const solution = await strategy.generateSolution({
-                    poolSecret, poolId: config.salt, challengeId,
-                });
-                const challenge = await strategy.generateChallenge({ solution });
-                challenges[challengeId] = challenge;
-                // Populate Binding Map
-                addToBindingMap(bindingMap, challengeId);
-            }
-
-            const transitionPool: KeystoneChallengePool = {
-                id: SESSION_IDENTITY_KEYSTONE_TRANSITION_POOL_ID,
-                config,
-                challenges,
-                bindingMap,
-                isForeign: true,
-                // metadata: { origin: 'receiver', role: 'delegate' } // don't need metadata since we have the pool id being 'delegate' (i think)
-            };
-
-            return transitionPool;
-        } catch (error) {
-            console.error(`${lc} ${extractErrorMsg(error)}`);
-            throw error;
-        } finally {
-            if (logalot) { console.log(`${lc} complete.`); }
-        }
-    }
-
-    private async getDelegateKeystonePool({
-        sagaId,
-    }: {
-        sagaId: string,
-    }): Promise<KeystoneChallengePool> {
-        const lc = `${this.lc}[${this.getDelegateKeystonePool.name}]`;
-        try {
-            if (logalot) { console.log(`${lc} starting... (I: 6b1d338f8e988e68f8d77e72ed00d526)`); }
-
-            // todo: change this to a helper function that does the delegated
-            // functionality better. also the f***ing binding map needs better
-            // implementation. f***ng glazed over by AI.
-
-            const config = createStandardPoolConfig({
-                salt: sagaId,
-                id: SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID,
-                type: KeystoneChallengeType.hash_reveal_v1,
-                size: SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE,
-                replenishStrategy: SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY,
-                random: SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM,
-                sequential: SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL,
-                targetBinding: SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING,
-                hashAlgorithm: SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO,
-                hashRounds: SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS,
-                verbs: SESSION_IDENTITY_KEYSTONE_CONFIG_VERBS_DELEGATE,
-            });
-            const strategy = KeystoneStrategyFactory.create({ config });
-            const poolSecret = await strategy.derivePoolSecret({
-                masterSecret: SESSION_IDENTITY_KEYSTONE_SECRET_TRANSITIONPOOL
-            });
-            const challenges: { [id: string]: any } = {};
-            const bindingMap: { [char: string]: string[] } = {};
-
-            const targetSize = config.behavior.size;
-            const timestamp = Date.now().toString();
-            for (let i = 0; i < targetSize; i++) {
-                const challengeId = await generateOpaqueChallengeId({
-                    salt: config.salt, timestamp, index: i
-                });
-                const solution = await strategy.generateSolution({
-                    poolSecret, poolId: config.salt, challengeId,
-                });
-                const challenge = await strategy.generateChallenge({ solution });
-                challenges[challengeId] = challenge;
-                // Populate Binding Map
-                addToBindingMap(bindingMap, challengeId);
-            }
-
-            const delegatePool: KeystoneChallengePool = {
-                id: SESSION_IDENTITY_KEYSTONE_DELEGATE_POOL_ID,
-                config,
-                challenges,
-                bindingMap,
-                isForeign: true,
-                // metadata: { origin: 'receiver', role: 'delegate' } // don't need metadata since we have the pool id being 'delegate' (i think)
-            };
-
-            return delegatePool;
-        } catch (error) {
-            console.error(`${lc} ${extractErrorMsg(error)}`);
-            throw error;
-        } finally {
-            if (logalot) { console.log(`${lc} complete.`); }
-        }
-    }
-
-    /**
-     * creates a session identity keystone based off of the given args.
-     *
-     * Then, if the {@link primaryIdentity} keystone is provided, this also
-     * **signs** this keystone pointing to the address of the sess
-     * @param param0
-     * @returns
-     */
-    private async createSessionIdentity({
-        sagaId,
-        primaryIdentity,
-        nonSessionSecret,
-        metaspace,
-        localSpace,
-    }: {
-        /**
-         * unique to any one particular saga.
-         */
-        sagaId: string,
-        /**
-         * optional main identity, e.g., Alice's keystone
-         */
-        primaryIdentity: KeystoneIbGib_V1 | undefined,
-        /**
-         * driving secret behind the sync operation. usually, this will be the
-         * secret corresponding to a primary identity keystone. But this can
-         * also just be a one-time secret just to have more security in the
-         * transmission intrinsically.
-         */
-        nonSessionSecret: string,
-        metaspace: MetaspaceService,
-        localSpace: IbGibSpaceAny,
-    }): Promise<{
-        sessionIdentity: KeystoneIbGib_V1,
-        /**
-         * if truthy, this evolved from the incoming {@link primaryIdentity} and
-         * has already persisted/registered in the incoming {@link localSpace}.
-         */
-        newPrimaryIdentity: KeystoneIbGib_V1 | undefined
-    }> {
-        const lc = `${this.lc}[${this.createSessionIdentity.name}]`;
-        try {
-            if (logalot) { console.log(`${lc} starting... (I: 428392a4ee636b7bd8f7d5d89a87e826)`); }
-
-            if (!nonSessionSecret) { throw new Error(`(UNEXPECTED) nonSessionSecret falsy? This is expected to be truthy by this point. (E: 8ce053fe59825a6678713128953b9d26)`); }
-
-            const primarySessionSecret = await this.deriveSessionSecret({
-                sagaId, nonSessionSecret
-            });
-
-            // Generate keystone with two initial pools in two steps.
-            //   1. Create primary pool with genesis method to correspond to the
-            //      sender/sender's secret/identity.
-            //   2. Create a separate pool and add separately because a
-            //      different pw + config is used for the transition pool.
-
-            const primaryPoolConfig: KeystonePoolConfig_HashV1 = {
-                allowedVerbs: [KEYSTONE_VERB_MANAGE],
-                id: SESSION_IDENTITY_KEYSTONE_PRIMARY_POOL_ID,
-                salt: sagaId,
-                behavior: {
-                    size: SESSION_IDENTITY_KEYSTONE_CONFIG_SIZE,  // Large pool for many signatures
-                    replenish: SESSION_IDENTITY_KEYSTONE_CONFIG_REPLENISH_STRATEGY,
-                    selectSequentially: SESSION_IDENTITY_KEYSTONE_CONFIG_SEQUENTIAL,
-                    selectRandomly: SESSION_IDENTITY_KEYSTONE_CONFIG_RANDOM,
-                    targetBindingChars: SESSION_IDENTITY_KEYSTONE_CONFIG_TARGET_BINDING,
-                },
-                type: KeystoneChallengeType.hash_reveal_v1,
-                algo: SESSION_IDENTITY_KEYSTONE_CONFIG_ALGO,
-                rounds: SESSION_IDENTITY_KEYSTONE_CONFIG_ROUNDS,
-            };
-            const sessionIdentity_genesis = await this.keystoneSvc.genesis({
-                masterSecret: primarySessionSecret,
-                configs: [primaryPoolConfig],
-                metaspace,
-                space: localSpace,
-            });
-
-            // #region sanity validation of genesis keystone
-            /**
-             * not necessary but since it's a new design, I'm putting in this
-             * immediate validation just to put it through its paces. (worth the
-             * slight perf hit).
-             */
-            const validationErrors = await validateGenesisKeystone({
-                keystoneIbGib: sessionIdentity_genesis
-            });
-            if (validationErrors) { throw new Error(`(UNEXPECTED) the sessionIdentity_genesis that we just created already has validation errors just after creation? (E: e9ca08cf0f8858bb1ace8b9fa89f8726)`); }
-            // #endregion sanity validation of genesis keystone
-
-            const transitionPool = await this.getTransitionKeystonePool({ sagaId });
-            /**
-             * Note this actually **signs** the initial {@link sessionIdentity_genesis}
-             * and requires the use of a pool with management priveleges.
-             */
-            const sessionIdentity_withTransitionPool = await this.keystoneSvc.addPools({
-                latestKeystone: sessionIdentity_genesis,
-                /**
-                 * this secret does not do the delegate pool challenges,
-                 * rather, this is the sessionSecret itself to evolve the
-                 * keystone **to add** the delegate pool in the first place.
-                 */
-                masterSecret: primarySessionSecret,
-                metaspace,
-                space: localSpace,
-                newPools: [transitionPool],
-            });
-
-            let newPrimaryIdentity: KeystoneIbGib_V1 | undefined = undefined;
-            if (primaryIdentity) {
-                newPrimaryIdentity = await this.keystoneSvc.sign({
-                    latestKeystone: primaryIdentity,
-                    poolId: primaryPoolConfig.id,
-                    claim: {
-                        verb: KEYSTONE_VERB_SIGN,
-                        target: getIbGibAddr({ ibGib: sessionIdentity_withTransitionPool }),
-                    },
-                    masterSecret: nonSessionSecret,
-                    metaspace,
-                    space: localSpace,
-                    // frameDetails: undefined, // anything to put here?
-                    // requiredChallengeIds: undefined, // not relevant I think
-                });
-            }
-
-            return {
-                sessionIdentity: sessionIdentity_withTransitionPool,
-                newPrimaryIdentity,
-            }
-        } catch (error) {
-            console.error(`${lc} ${extractErrorMsg(error)}`);
-            throw error;
-        } finally {
-            if (logalot) { console.log(`${lc} complete.`); }
-        }
-    }
 
     /**
      * Drives the FSM loop of the Saga.
@@ -738,8 +311,6 @@ export class SyncSagaCoordinator {
         initFrame,
         initDomainGraph,
         peer,
-        sessionIdentity,
-        identitySecret,
         updates$,
         localSpace,
         tempSpace,
@@ -754,11 +325,6 @@ export class SyncSagaCoordinator {
          */
         initDomainGraph: FlatIbGibGraph,
         peer: SyncPeerWitness,
-        sessionIdentity?: KeystoneIbGib_V1,
-        /**
-         * if {@link sessionIdentity} provided, this must also be truthy
-         */
-        identitySecret?: string,
         updates$: SubjectWitness<SyncSagaContextIbGib_V1>,
         metaspace: MetaspaceService
         localSpace: IbGibSpaceAny,
@@ -809,8 +375,6 @@ export class SyncSagaCoordinator {
             // ...create/compose the Request Context itself...
             const requestCtx = await this.createSyncSagaContext({
                 sagaFrame: currentFrame,
-                sessionKeystone: sessionIdentity,
-                sessionSecret: identitySecret,
                 /**
                  * init frame: empty
                  * ack frame: possible push offers
@@ -837,7 +401,7 @@ export class SyncSagaCoordinator {
             updates$.next(requestCtx); // spins off for saga UI updates
 
             // ...And send the context.
-            peer.setOptionalOpts({ localSpace, localTempSpace: tempSpace, keystoneSvc: this.keystoneSvc });
+            peer.setOptionalOpts({ localSpace, localTempSpace: tempSpace, });
             const responseCtx = await peer.witness(requestCtx);
 
             // the send returned, but a peer can return a falsy responseCtx, if
@@ -936,11 +500,6 @@ export class SyncSagaCoordinator {
             currentFrame = frame;
             nextDomainIbGibs = [...(payloadIbGibsDomain || [])];
 
-            // Track identity evolution
-            if (responseCtx.signedSessionKeystone) {
-                sessionIdentity = responseCtx.signedSessionKeystone;
-            }
-
             // #region Log handler output for next iteration
             if (logalotControlDomain) {
                 const handlerDomainAddrs = nextDomainIbGibs.map(p => getIbGibAddr({ ibGib: p }));
@@ -966,8 +525,6 @@ export class SyncSagaCoordinator {
      */
     private async createSyncSagaContext({
         sagaFrame,
-        sessionKeystone,
-        sessionSecret,
         payloadIbGibsDomain,
         metaspace,
         localSpace,
@@ -976,15 +533,6 @@ export class SyncSagaCoordinator {
          * The main saga frame (Init, Ack, etc.).
          */
         sagaFrame: SyncIbGib_V1;
-        /**
-         * Session identity keystone.
-         */
-        sessionKeystone: KeystoneIbGib_V1 | undefined;
-        /**
-         * If using session ({@link sessionKeystone} is truthy), this must be
-         * provided in order to sign it.
-         */
-        sessionSecret: string | undefined;
         /**
          * Domain payload ibgibs when the sync saga frame includes actual domain
          * payloads to send, e.g., in a Delta frame.
@@ -1007,7 +555,6 @@ export class SyncSagaCoordinator {
             // #region sanity/validation
             if (!sagaFrame.data) { throw new Error(`(UNEXPECTED) sagaFrame.data falsy? (E: 04c49b4cccba6842a8b52e4c6f570726)`); }
             if (!sagaFrame.data.n && sagaFrame.data.n !== 0) { throw new Error(`(UNEXPECTED) sagaFrame.data.n falsy and not 0? (E: 45b508da64a8b28428b11765d684b826)`); }
-            if (sessionKeystone && !sessionSecret) { throw new Error(`(UNEXPECTED) sessionKeystone truthy but sessionSecret falsy? (E: 705ecc25038b12df0e94c90c5561e426)`); }
             // #endregion sanity/validation
 
             const date = new Date();
@@ -1028,25 +575,10 @@ export class SyncSagaCoordinator {
                 data[SYNC_SAGA_PAYLOAD_ADDRS_DOMAIN] = payloadAddrsDomain;
             }
 
-            // rel8ns should always have saga frame, sometimes have keystone
+            // rel8ns should always have saga frame
             const rel8ns: SyncSagaContextRel8ns_V1 = {
                 sagaFrame: [getIbGibAddr({ ibGib: sagaFrame })],
             };
-            if (sessionKeystone) {
-                const keystoneErrors = await validateKeystoneGraph({
-                    keystoneIbGib: sessionKeystone,
-                    space: localSpace,
-                    getLatest: true,
-                    invalidIfMoreRecentKeystoneFoundInSpace: true,
-                });
-                if (keystoneErrors.length > 0) {
-                    throw new Error(`invalid sessionKeystone. errors: ${keystoneErrors} (E: 3881b8caf2d803767a331e1141e84826)`);
-                }
-                // this addr is BEFORE we sign. So each context ibgib itself will
-                // point to the frame of the keystone just before that keystone
-                // signs with this context as its target.
-                rel8ns.sessionKeystone = [getIbGibAddr({ ibGib: sessionKeystone })];
-            }
 
             // Generate standard ib
             const ib = await getSyncSagaContextIb({ data });
@@ -1073,19 +605,6 @@ export class SyncSagaCoordinator {
                 contextIbGib.payloadIbGibsDomain = payloadIbGibsDomain;
             }
 
-            if (sessionKeystone) {
-                if (!sessionSecret) { throw new Error(`(UNEXPECTED) sessionKeystone truthy but sessionSecret falsy? we should have thrown before now (E: a2b0517a37b559543968b888f2067826)`); }
-                const contextAddr = getIbGibAddr({ ibGib: contextIbGib });
-                contextIbGib.signedSessionKeystone = await this.keystoneSvc.sign({
-                    latestKeystone: sessionKeystone,
-                    claim: { target: contextAddr, }, // verb?
-                    space: localSpace,
-                    masterSecret: sessionSecret,
-                    metaspace,
-                });
-                contextIbGib.fnIdentitySecret = () => Promise.resolve(sessionSecret);
-            }
-
             return contextIbGib;
         } catch (error) {
             console.error(`${lc} ${extractErrorMsg(error)}`);
@@ -1209,7 +728,6 @@ export class SyncSagaCoordinator {
      */
     private async createInitFrame({
         sagaId,
-        sessionIdentity,
         domainIbGibs,
         conflictStrategy,
         metaspace,
@@ -1217,7 +735,6 @@ export class SyncSagaCoordinator {
         tempSpace,
     }: {
         sagaId: string,
-        sessionIdentity?: KeystoneIbGib_V1,
         domainIbGibs: IbGib_V1[],
         conflictStrategy: SyncConflictStrategy,
         metaspace: MetaspaceService,
@@ -1247,7 +764,6 @@ export class SyncSagaCoordinator {
                 sagaId,
                 stage: SyncStage.init,
                 knowledgeMap: knowledgeMap,
-                identity: sessionIdentity, // KeystoneIbGib is already public data
                 mode: SyncMode.sync,
                 stones: srcStones.map(s => getIbGibAddr({ ibGib: s })),
             };
@@ -1268,7 +784,6 @@ export class SyncSagaCoordinator {
             const sagaFrame = await this.evolveSyncSagaIbGib({
                 msgStones: [initStone],
                 conflictStrategy,
-                sessionIdentity,
                 metaspace,
                 localSpace,
             });
@@ -1385,7 +900,6 @@ export class SyncSagaCoordinator {
         initDomainGraph,
         mySpace,
         myTempSpace,
-        identity,
         metaspace,
     }: {
         sagaContext: SyncSagaContextIbGib_V1,
@@ -1404,7 +918,6 @@ export class SyncSagaCoordinator {
          * Local temp space relative to the execution context's POV
          */
         myTempSpace: IbGibSpaceAny,
-        identity?: KeystoneIbGib_V1,
         metaspace: MetaspaceService,
     }): Promise<HandleSagaResponseContextResult> {
         const lc = `${this.lc}[${this.handleResponseSagaContext.name}]`;
@@ -1427,7 +940,6 @@ export class SyncSagaCoordinator {
                         sagaIbGib,
                         messageData: messageData as SyncSagaMessageInitData_V1,
                         metaspace, mySpace, myTempSpace,
-                        identity,
                     });
                     break;
 
@@ -1438,7 +950,6 @@ export class SyncSagaCoordinator {
                         sagaIbGib,
                         initDomainGraph,
                         metaspace, mySpace, myTempSpace,
-                        identity,
                     });
                     break;
 
@@ -1447,7 +958,6 @@ export class SyncSagaCoordinator {
                         sagaContext,
                         sagaIbGib,
                         metaspace, mySpace, myTempSpace,
-                        identity,
                     });
                     break;
 
@@ -1456,7 +966,6 @@ export class SyncSagaCoordinator {
                     nextFrameInfo = await this.handleCommitFrame({
                         sagaIbGib,
                         metaspace, mySpace, myTempSpace,
-                        identity,
                     });
                     break;
 
@@ -1497,7 +1006,6 @@ export class SyncSagaCoordinator {
         mySpace,
         myTempSpace,
         metaspace,
-        identity,
     }: {
         sagaIbGib: SyncIbGib_V1,
         messageData: SyncSagaMessageInitData_V1,
@@ -1513,7 +1021,6 @@ export class SyncSagaCoordinator {
          */
         myTempSpace: IbGibSpaceAny,
         metaspace: MetaspaceService,
-        identity?: KeystoneIbGib_V1,
     }): Promise<NextSagaFrameInfo> {
         const lc = `${this.lc}[${this.handleInitFrame.name}]`;
         try {
@@ -1762,7 +1269,6 @@ export class SyncSagaCoordinator {
             const ackFrame = await this.evolveSyncSagaIbGib({
                 prevSagaIbGib: sagaIbGib,
                 msgStones: [ackStone],
-                sessionIdentity: identity,
                 localSpace: mySpace,
                 metaspace,
             });
@@ -1857,7 +1363,6 @@ export class SyncSagaCoordinator {
         sagaIbGib,
         initDomainGraph,
         mySpace, myTempSpace, metaspace,
-        identity,
     }: {
         sagaContext: SyncSagaContextIbGib_V1,
         sagaIbGib: SyncIbGib_V1,
@@ -1871,7 +1376,6 @@ export class SyncSagaCoordinator {
         mySpace: IbGibSpaceAny,
         myTempSpace: IbGibSpaceAny,
         metaspace: MetaspaceService,
-        identity?: KeystoneIbGib_V1,
     }): Promise<NextSagaFrameInfo> {
         const lc = `${this.lc}[${this.handleAckFrame.name}]`;
         try {
@@ -2111,16 +1615,14 @@ export class SyncSagaCoordinator {
             const deltaFrame = await this.evolveSyncSagaIbGib({
                 prevSagaIbGib: sagaIbGib,
                 msgStones: [deltaStone],
-                sessionIdentity: identity,
                 localSpace: mySpace,
                 metaspace,
             });
 
             if (logalot) { console.log(`${lc} Delta Frame created. Rel8ns: ${JSON.stringify(deltaFrame.rel8ns)}`); }
 
-            // Build control payloads: frame + its dependencies (msg stone, identity)
+            // Build control payloads: frame + its dependencies (msg stone)
             // const payloadIbGibsControl: IbGib_V1[] = [deltaFrame, deltaStone];
-            // if (identity) { payloadIbGibsControl.push(identity); }
 
             return { frame: deltaFrame, payloadIbGibsDomain: outgoingPayloadsDomain_all, };
         } catch (error) {
@@ -2150,14 +1652,12 @@ export class SyncSagaCoordinator {
         mySpace,
         myTempSpace,
         metaspace,
-        identity,
     }: {
         sagaContext: SyncSagaContextIbGib_V1,
         sagaIbGib: SyncIbGib_V1,
         mySpace: IbGibSpaceAny,
         myTempSpace: IbGibSpaceAny,
         metaspace: MetaspaceService,
-        identity?: KeystoneIbGib_V1,
     }): Promise<NextSagaFrameInfo> {
         const lc = `${this.lc}[${this.handleDeltaFrame.name}]`;
         try {
@@ -2398,7 +1898,6 @@ export class SyncSagaCoordinator {
                 const deltaFrame = await this.evolveSyncSagaIbGib({
                     prevSagaIbGib: sagaIbGib,
                     msgStones: [deltaStone],
-                    sessionIdentity: identity,
                     localSpace: mySpace,
                     metaspace,
                 });
@@ -2422,7 +1921,6 @@ export class SyncSagaCoordinator {
                             sagaIbGib,
                             errors: validationErrors,
                             metaspace, mySpace,
-                            identity,
                         });
                         return { frame: errorCommitFrame, }; /* <<<< returns early */
                     }
@@ -2440,7 +1938,6 @@ export class SyncSagaCoordinator {
                         errors: undefined,
                         metaspace,
                         mySpace,
-                        identity,
                     });
 
                     return { frame: commitFrame, };
@@ -2465,7 +1962,6 @@ export class SyncSagaCoordinator {
                     const deltaFrame = await this.evolveSyncSagaIbGib({
                         prevSagaIbGib: sagaIbGib,
                         msgStones: [deltaStone],
-                        sessionIdentity: identity,
                         localSpace: mySpace,
                         metaspace
                     });
@@ -2491,22 +1987,13 @@ export class SyncSagaCoordinator {
                         const commitFrame = await this.evolveSyncSagaIbGib({
                             prevSagaIbGib: deltaFrame, // Build on top of the Delta we just created/persisted
                             msgStones: [commitStone],
-                            sessionIdentity: identity,
                             localSpace: mySpace,
                             metaspace
                         });
 
-                        // Build control payloads for commit
-                        const commitCtrlPayloads2: IbGib_V1[] = [commitFrame, commitStone];
-                        if (identity) { commitCtrlPayloads2.push(identity); }
-
                         return { frame: commitFrame, };
                     }
 
-                    // Build control payloads for delta propose
-                    // const deltaCtrlPayloads: IbGib_V1[] = [deltaFrame, deltaStone];
-                    // if (identity) { deltaCtrlPayloads.push(identity); }
-
                     return { frame: deltaFrame, payloadIbGibsDomain: outgoingPayload };
                 }
             }
@@ -2526,7 +2013,6 @@ export class SyncSagaCoordinator {
         commitFrame,
         sagaHistory,
         metaspace, localSpace, localTempSpace,
-        identity,
     }: {
         deltaFrame?: SyncIbGib_V1;
         commitFrame?: SyncIbGib_V1;
@@ -2534,7 +2020,6 @@ export class SyncSagaCoordinator {
         metaspace: MetaspaceService;
         localSpace: IbGibSpaceAny;
         localTempSpace: IbGibSpaceAny;
-        identity?: KeystoneIbGib_V1;
     }): Promise<void> {
         const lc = `${this.lc}[${this.executeLocalCommit.name}]`;
         try {
@@ -2784,7 +2269,6 @@ export class SyncSagaCoordinator {
         errors,
         metaspace,
         mySpace,
-        identity,
     }: {
         sagaIbGib: SyncIbGib_V1,
         /**
@@ -2794,7 +2278,6 @@ export class SyncSagaCoordinator {
         errors?: string[],
         metaspace: MetaspaceService,
         mySpace: IbGibSpaceAny,
-        identity: KeystoneIbGib_V1 | undefined,
     }): Promise<SyncIbGib_V1> {
         const lc = `[${this.createCommitFrame.name}]`;
         try {
@@ -2822,7 +2305,6 @@ export class SyncSagaCoordinator {
             const commitFrame = await this.evolveSyncSagaIbGib({
                 prevSagaIbGib: sagaIbGib,
                 msgStones: [commitStone],
-                sessionIdentity: identity,
                 localSpace: mySpace,
                 metaspace,
             });
@@ -2840,13 +2322,11 @@ export class SyncSagaCoordinator {
         mySpace,
         myTempSpace,
         metaspace,
-        identity,
     }: {
         sagaIbGib: SyncIbGib_V1,
         mySpace: IbGibSpaceAny,
         myTempSpace: IbGibSpaceAny,
         metaspace: MetaspaceService,
-        identity?: KeystoneIbGib_V1,
     }): Promise<NextSagaFrameInfo> {
         const lc = `${this.lc}[${this.handleCommitFrame.name}]`;
         try {
@@ -2880,7 +2360,6 @@ export class SyncSagaCoordinator {
                         sagaIbGib,
                         metaspace,
                         mySpace,
-                        identity,
                         errors: validationErrors,
                     });
                     return { frame: errorCommitFrame, }; /* <<<< returns early */
@@ -2911,7 +2390,6 @@ export class SyncSagaCoordinator {
                 errors: [emsg],
                 metaspace,
                 mySpace,
-                identity,
             });
             return { frame: errorCommitFrame }
         } finally {
@@ -3029,7 +2507,6 @@ export class SyncSagaCoordinator {
         prevSagaIbGib,
         conflictStrategy,
         msgStones,
-        sessionIdentity,
         localSpace,
         metaspace,
     }: {
@@ -3038,10 +2515,6 @@ export class SyncSagaCoordinator {
         msgStones: IbGib_V1[],
         localSpace: IbGibSpaceAny,
         metaspace: MetaspaceService,
-        /**
-         * does NOT evolve the keystone.
-         */
-        sessionIdentity: KeystoneIbGib_V1 | undefined,
     }): Promise<SyncIbGib_V1> {
         const lc = `${this.lc}[${this.evolveSyncSagaIbGib.name}]`;
         try {
@@ -3067,8 +2540,6 @@ export class SyncSagaCoordinator {
                 }
             }
 
-            const identityAddr = sessionIdentity ? getIbGibAddr({ ibGib: sessionIdentity }) : undefined;
-
             if (prevSagaIbGib) {
                 /**
                  * rel8ns always include the new msg stone(s)
@@ -3080,11 +2551,6 @@ export class SyncSagaCoordinator {
                     }
                 ];
 
-                // if we're authenticating/signing, we'll have identity
-                if (sessionIdentity) {
-                    rel8nInfos.push({ rel8nName: 'identity', ibGibs: [sessionIdentity], });
-                }
-
                 // remove the existing sync msg stones' addrs
                 if (!prevSagaIbGib.rel8ns) { throw new Error(`(UNEXPECTED) prevSagaIbGib.rel8ns falsy? (E: 81375841aff85b1e48ea42ca218e6826)`); }
                 if (!prevSagaIbGib.rel8ns[SYNC_MSG_REL8N_NAME] || prevSagaIbGib.rel8ns[SYNC_MSG_REL8N_NAME].length === 0) {
@@ -3123,12 +2589,6 @@ export class SyncSagaCoordinator {
                 // rel8ns
                 const stoneAddrs = msgStones.map(s => getIbGibAddr({ ibGib: s }));
                 const rel8ns: SyncRel8ns_V1 = { [SYNC_MSG_REL8N_NAME]: stoneAddrs, };
-                if (identityAddr) { rel8ns.identity = [identityAddr]; }
-
-                // Attach session keystone to saga frame via hard rel8n
-                if (sessionIdentity) {
-                    rel8ns.sessionKeystone = [getIbGibAddr({ ibGib: sessionIdentity })];
-                }
 
                 const resNew = await createTimeline({
                     space: localSpace,