npm - @ibgib/core-gib - Versions diffs - 0.1.55 → 0.1.58 - Mend

@ibgib/core-gib 0.1.55 → 0.1.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (134) hide show

package/dist/sync/sync-withid.establish.respec.mjs ADDED Viewed

@@ -0,0 +1,322 @@
+/**
+ * @module sync-withid.establish.respec
+ *
+ * Phase 1 — `establishSessionIdentity` (Pre-Connect)
+ *
+ * Goal: Get `I^Itjp` onto the domain provider, generate `S^Stjp` locally,
+ * evolve `I → I1` with a `sync` claim targeting `S^Stjp`, and post both
+ * `I1` and `S` to the provider. Verify both keystones are in the appropriate
+ * durable spaces at the right times.
+ *
+ * `senderCoordinator.sync(...)` IS called — we are not mocking. We expect it
+ * may throw at first. We examine side-effects (keystone presence in durable
+ * spaces) rather than end-to-end correctness. As phases succeed and sync no
+ * longer throws, assertions will be adjusted accordingly.
+ *
+ * @see libs/core-gib/src/sync/docs/security.md — Implementation Plan, Phase 1A
+ */
+import { respecfully, iReckon, ifWe } from '@ibgib/helper-gib/dist/respec-gib/respec-gib.mjs';
+const maam = `[${import.meta.url}]`, sir = maam;
+import { clone, delay, extractErrorMsg } from '@ibgib/helper-gib/dist/helpers/utils-helper.mjs';
+import { getIbGibAddr } from '@ibgib/ts-gib/dist/helper.mjs';
+import { GLOBAL_LOG_A_LOT } from '../core-constants.mjs';
+import { SyncSagaCoordinator } from './sync-saga-coordinator.mjs';
+import { Metaspace_Innerspace } from '../witness/space/metaspace/metaspace-innerspace/metaspace-innerspace.mjs';
+import { InnerSpace_V1 } from '../witness/space/inner-space/inner-space-v1.mjs';
+import { SyncPeerInnerspace_V1 } from './sync-peer/sync-peer-innerspace/sync-peer-innerspace-v1.mjs';
+import { DEFAULT_INNER_SPACE_DATA_V1 } from '../witness/space/inner-space/inner-space-types.mjs';
+import { SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1 } from './sync-peer/sync-peer-innerspace/sync-peer-innerspace-constants.mjs';
+import { KeystoneService_V1 } from '../keystone/keystone-service-v1.mjs';
+import { KEYSTONE_VERB_SYNC, POOL_ID_SYNC, POOL_ID_CONNECT, KEYSTONE_VERB_CONNECT, } from '../keystone/keystone-constants.mjs';
+import { createStandardPoolConfig } from '../keystone/keystone-config-builder.mjs';
+import { KeystoneReplenishStrategy } from '../keystone/keystone-types.mjs';
+import { SyncConflictStrategy } from './sync-constants.mjs';
+import { getIdentity_throwIfUndefined } from '../keystone/keystone-helpers.mjs';
+import { Factory_V1 } from '@ibgib/ts-gib/dist/V1/factory.mjs';
+import { ROOT } from '@ibgib/ts-gib/dist/V1/constants.mjs';
+import { fork } from '@ibgib/ts-gib/dist/V1/transforms/fork.mjs';
+const logalot = GLOBAL_LOG_A_LOT;
+const lc = sir;
+// ---------------------------------------------------------------------------
+// Test-only identity constants
+// ---------------------------------------------------------------------------
+/**
+ * Plaintext secret for the senderIdentity keystone (I).
+ * Test-only — never use plaintext secrets in production.
+ */
+const SENDER_SECRET = 'test-sender-secret-phase1';
+// ---------------------------------------------------------------------------
+// Session keystone pool configs
+// ---------------------------------------------------------------------------
+/**
+ * `connect` pool — used once during `peer.connect()` transport handshake.
+ * Small pool; fully consumed in one handshake.
+ */
+const SESSION_CONNECT_POOL_CONFIG = createStandardPoolConfig({
+    id: POOL_ID_CONNECT,
+    salt: 'session-connect-salt-phase1',
+    verbs: [KEYSTONE_VERB_CONNECT],
+    // Small size: fully consumed in a single connect handshake
+    size: 10,
+    sequential: 1,
+    random: 1,
+    targetBinding: 2,
+    replenishStrategy: KeystoneReplenishStrategy.deleteAll,
+});
+/**
+ * `sync` pool — used per outgoing context frame (Init, Delta, Commit).
+ * Replenishes via topUp to stay active throughout the saga.
+ */
+const SESSION_SYNC_POOL_CONFIG = createStandardPoolConfig({
+    id: POOL_ID_SYNC,
+    salt: 'session-sync-salt-phase1',
+    verbs: [KEYSTONE_VERB_SYNC],
+    size: 200,
+    sequential: 1,
+    random: 1,
+    targetBinding: 2,
+    replenishStrategy: KeystoneReplenishStrategy.topUp,
+});
+// ---------------------------------------------------------------------------
+// Top-level senderIdentity (I) pool config
+// ---------------------------------------------------------------------------
+/**
+ * The senderIdentity needs a `sync` pool so it can evolve itself (I → I1)
+ * with a claim targeting the session keystone genesis (S^Stjp).
+ */
+const SENDER_IDENTITY_SYNC_POOL_CONFIG = createStandardPoolConfig({
+    id: POOL_ID_SYNC,
+    salt: 'senderidentitysyncsaltphase1', // dashes not allowed in regex
+    verbs: [KEYSTONE_VERB_SYNC],
+    size: 200,
+    sequential: 1,
+    random: 1,
+    targetBinding: 2,
+    replenishStrategy: KeystoneReplenishStrategy.topUp,
+});
+// ---------------------------------------------------------------------------
+// Main test suite
+// ---------------------------------------------------------------------------
+await respecfully(sir, `Test Phase 1: establishSessionIdentity`, async () => {
+    // #region Init/Setup
+    const metaspace = new Metaspace_Innerspace(undefined);
+    await metaspace.initialize({
+        getFnAlert: () => async ({ title, msg }) => { console.log(`[Alert] ${title}: ${msg}`); },
+        getFnPrompt: () => async ({ title, msg }) => { console.log(`[Prompt] ${title}: ${msg}`); return ''; },
+        getFnPromptPassword: () => async (title, msg) => { console.log(`[PromptPwd] ${title}: ${msg}`); return null; },
+    });
+    while (!metaspace.initialized) {
+        await delay(10);
+    }
+    const defaultLocalUserSpace = await metaspace.getLocalUserSpace({ lock: false });
+    await defaultLocalUserSpace.initialized;
+    /** Sender's durable space — where the sender originates ibgibs. */
+    const sourceSpace = new InnerSpace_V1({
+        ...DEFAULT_INNER_SPACE_DATA_V1,
+        name: 'source',
+        uuid: 'source_uuid',
+        description: 'sender durable space',
+    });
+    await sourceSpace.initialized;
+    /** Receiver's durable space — the domain provider in the innerspace simulation. */
+    const destSpace = new InnerSpace_V1({
+        ...DEFAULT_INNER_SPACE_DATA_V1,
+        name: 'dest',
+        uuid: 'dest_uuid',
+        description: 'receiver (domain provider) durable space',
+    });
+    await destSpace.initialized;
+    const senderCoordinator = new SyncSagaCoordinator();
+    const receiverCoordinator = new SyncSagaCoordinator();
+    async function newTestIbGib_stone({ ib = 'test', data }) {
+        const stone = await Factory_V1.stone({
+            parentPrimitiveIb: ib.split(' ').at(0) ?? 'test',
+            ib,
+            data,
+            uuid: true,
+        });
+        return stone;
+    }
+    async function newTestIbGib({ ib = 'test' }) {
+        let resFork = await fork({
+            src: ROOT,
+            destIb: ib,
+            tjp: { timestamp: true, uuid: true },
+            dna: true,
+            nCounter: true,
+        });
+        return resFork;
+    }
+    async function newTestPeer() {
+        const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
+        await peer.initialized;
+        await peer.initializeOpts({
+            sagaId: '', // coordinator will override this via setOptionalOpts before establishSessionIdentity
+            localMetaspace: metaspace,
+            localSpace: sourceSpace,
+            receiverSpace: destSpace,
+            receiverCoordinator,
+            receiverMetaspace: metaspace,
+        });
+        return peer;
+    }
+    // KeystoneService_V1 is stateless — new it inline wherever needed.
+    const keystoneSvc = new KeystoneService_V1();
+    // #endregion Init/Setup
+    /**
+     * senderIdentity (I): Alice's long-lived Domain Keystone.
+     * Created fresh for this test with a `sync` pool so it can evolve (I → I1).
+     */
+    let senderIdentity;
+    // #region Step 1: Prepare identity
+    // Create senderIdentity genesis (I^Itjp) in sourceSpace
+    senderIdentity = await keystoneSvc.genesis({
+        masterSecret: SENDER_SECRET,
+        configs: [SENDER_IDENTITY_SYNC_POOL_CONFIG],
+        metaspace,
+        space: sourceSpace,
+    });
+    if (logalot) {
+        console.log(`${lc} senderIdentity genesis addr: ${getIbGibAddr({ ibGib: senderIdentity })}`);
+    }
+    // post the senderIdentity to receiver (like "create account")
+    await metaspace.put({ ibGib: senderIdentity, space: destSpace });
+    await metaspace.registerNewIbGib({ ibGib: senderIdentity, space: destSpace });
+    // #endregion Step 1: Prepare identity
+    // at this point, we have mimicked a user who already has an identity via a
+    // create account button.
+    // #region Step 2: Execute
+    let xStone;
+    let xStoneAddr;
+    try {
+        if (logalot) {
+            console.log(`${lc}[Step 2] starting... (I: 1aa5643dd8d46fcdd87d48b8be550826)`);
+        }
+        // setup/call sync
+        // Sync call — sync itself is responsible for establishSessionIdentity
+        // internally.
+        /**
+         * doesn't really matter intrinsically for this test, but we need a
+         * domain ibgib to sync
+         */
+        xStone = await newTestIbGib_stone({ ib: 'test' });
+        xStoneAddr = getIbGibAddr({ ibGib: xStone });
+        await metaspace.put({ ibGib: xStone, space: sourceSpace });
+        await metaspace.registerNewIbGib({ ibGib: xStone, space: sourceSpace });
+        const syncSaga = await senderCoordinator.sync({
+            domainIbGibs: [xStone],
+            senderIdentity,
+            fnSenderSecret: async () => { return SENDER_SECRET; },
+            peer: await newTestPeer(),
+            localSpace: sourceSpace,
+            metaspace,
+            conflictStrategy: SyncConflictStrategy.optimisticWithLCS,
+        });
+        await syncSaga.done;
+    }
+    catch (error) {
+        // error is fine/expected right now. later perhaps we will throw, or
+        // perhaps we always just swallow any exceptions since this is close to
+        // a unit test
+        console.error(`${lc} ${extractErrorMsg(error)}`);
+    }
+    finally {
+        if (logalot) {
+            console.log(`${lc}[Step 2] complete.`);
+        }
+    }
+    // #endregion Step 2: Execute
+    // #region Step 3: Check states
+    // check state of sender/receiver spaces WRT sender identity, new sender
+    // identity, and session identity.
+    // get newSenderIdentity address via metaspace.getLatestAddr
+    // Resolve the latest senderIdentity frame (I1) from the sender's space.
+    // After sync, the coordinator should have evolved I → I1 and stored it.
+    let newSenderIdentityAddr;
+    /**
+     * The session keystone addr should be embedded in I1's proof claim target.
+     */
+    let newSenderIdentity;
+    await ifWe(sir, 'newSenderIdentity created and stored in source space', async () => {
+        newSenderIdentityAddr = await metaspace.getLatestAddr({
+            ibGib: senderIdentity,
+            space: sourceSpace,
+        });
+        if (!newSenderIdentityAddr) {
+            throw new Error(`newSenderIdentity not found in space (${sourceSpace.ib}). this should have been evolved and stored during sync (E: a5a798bf8ba467cbc87595dcc2b36726)`);
+        }
+        newSenderIdentity = await getIdentity_throwIfUndefined({
+            addr: newSenderIdentityAddr,
+            metaspace,
+            space: sourceSpace,
+        });
+        // todo: add iReckon statements for expectations like claim verb, claim target, etc., of newSenderIdentity
+        iReckon(sir, newSenderIdentity).asTo('newSenderIdentity is truthy').isGonnaBeTruthy();
+        const syncProof = newSenderIdentity?.data?.proofs?.find(p => p.claim?.verb === KEYSTONE_VERB_SYNC);
+        iReckon(sir, syncProof).asTo('I1 has a sync-verb proof/claim').isGonnaBeTruthy();
+        iReckon(sir, syncProof?.claim?.target).asTo('sync claim has a target (S^Stjp)').isGonnaBeTruthy();
+    });
+    if (!newSenderIdentity) {
+        throw new Error(`(UNEXPECTED) newSenderIdentity falsy? should have thrown before this if falsy. (E: 7a3d92e6160409de149eaf6802365126)`);
+    }
+    const sessionIdentityTjpAddr = newSenderIdentity.data.proofs
+        .find(p => p.claim.verb === KEYSTONE_VERB_SYNC)?.claim.target;
+    if (!sessionIdentityTjpAddr) {
+        throw new Error(`(UNEXPECTED) sessionIdentityTjpAddr falsy? (E: c53583b07a78837de84a59388b6ff826)`);
+    }
+    let sessionIdentity;
+    await ifWe(sir, 'creates sessionIdentity genesis (S) locally — exists in sourceSpace', async () => {
+        sessionIdentity = await getIdentity_throwIfUndefined({
+            addr: sessionIdentityTjpAddr,
+            metaspace,
+            space: sourceSpace,
+        });
+        iReckon(sir, sessionIdentity).asTo('sessionIdentity is truthy').isGonnaBeTruthy();
+    });
+    if (!sessionIdentity) {
+        throw new Error(`(UNEXPECTED) sessionIdentity falsy? (E: e1fa06009df535f3c848e6ca8b0bd326)`);
+    }
+    await ifWe(sir, 'Session identity S has expected state', async () => {
+        // #region sanity/compile
+        if (!sessionIdentity) {
+            throw new Error(`(UNEXPECTED) sessionIdentity falsy? (E: dd229f4e44489a54488768157a393926)`);
+        }
+        if (!sessionIdentity.data) {
+            throw new Error(`(UNEXPECTED) sessionIdentity.data falsy? (E: 56f10c9f9c18c6147ea19281dcbaf826)`);
+        }
+        // #endregion sanity/compile
+        // Verify S has both pool ids: connect and sync
+        const sPools = sessionIdentity.data.challengePools;
+        iReckon(sir, sPools).asTo('S has challengePools').isGonnaBeTruthy();
+        const hasConnectPool = sPools?.some(p => p.id === POOL_ID_CONNECT);
+        const hasSyncPool = sPools?.some(p => p.id === POOL_ID_SYNC);
+        iReckon(sir, hasConnectPool).asTo('S has connect pool').isGonnaBeTrue();
+        iReckon(sir, hasSyncPool).asTo('S has sync pool').isGonnaBeTrue();
+        const sProofs = sessionIdentity.data.proofs;
+        iReckon(sir, sProofs).asTo('S has proofs array').isGonnaBeTruthy();
+        iReckon(sir, sProofs.length === 0).asTo('S has 0 proofs on genesis').isGonnaBeTrue();
+        // Verify S is bound to target domain (xStone) via frameDetails
+        const targetAddrs = sessionIdentity.data.frameDetails?.targetAddrs;
+        iReckon(sir, targetAddrs).asTo('S has targetAddrs array in frameDetails').isGonnaBeTruthy();
+        iReckon(sir, targetAddrs?.includes(xStoneAddr)).asTo('S targetAddrs contains the domain being synced (xStoneAddr)').isGonnaBeTrue();
+    });
+    await ifWe(sir, 'I, I1 and S all exist in destSpace (receiver)', async () => {
+        // todo: use getIdentity_throwIfUndefined for all three identities but in destSpace
+        const senderIdentityAddr = getIbGibAddr({ ibGib: senderIdentity });
+        await getIdentity_throwIfUndefined({
+            addr: senderIdentityAddr,
+            metaspace,
+            space: destSpace
+        });
+        iReckon(sir, true).asTo('I (original) exists in destSpace').isGonnaBeTrue();
+        if (!newSenderIdentityAddr) {
+            throw new Error(`newSenderIdentity not found in space (${sourceSpace.ib}). this should have been evolved and stored during sync (E: b626885071885b38d87853189f25c826)`);
+        }
+        await getIdentity_throwIfUndefined({ addr: newSenderIdentityAddr, metaspace, space: destSpace });
+        iReckon(sir, true).asTo('I1 (evolved) exists in destSpace').isGonnaBeTrue();
+        await getIdentity_throwIfUndefined({ addr: sessionIdentityTjpAddr, metaspace, space: destSpace });
+        iReckon(sir, true).asTo('S (sessionIdentity) exists in destSpace').isGonnaBeTrue();
+    });
+    // #endregion Step 3: Check states
+});
+//# sourceMappingURL=sync-withid.establish.respec.mjs.map

package/dist/sync/sync-withid.establish.respec.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sync-withid.establish.respec.mjs","sourceRoot":"","sources":["../../src/sync/sync-withid.establish.respec.mts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACH,WAAW,EAAa,OAAO,EAAE,IAAI,EACxC,MAAM,kDAAkD,CAAC;AAC1D,MAAM,IAAI,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,GAAG,GAAG,IAAI,CAAC;AAChD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,iDAAiD,CAAC;AAChG,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAE7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAElE,OAAO,EAAE,oBAAoB,EAAE,MAAM,0EAA0E,CAAC;AAChH,OAAO,EAAE,aAAa,EAAE,MAAM,iDAAiD,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,MAAM,8DAA8D,CAAC;AACrG,OAAO,EAAE,2BAA2B,EAAE,MAAM,oDAAoD,CAAC;AACjG,OAAO,EAAE,oCAAoC,EAAE,MAAM,qEAAqE,CAAC;AAC3H,OAAO,EAAE,kBAAkB,EAAE,MAAM,qCAAqC,CAAC;AAEzE,OAAO,EACH,kBAAkB,EAAE,YAAY,EAAE,eAAe,EAAE,qBAAqB,GAC3E,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAC;AACnF,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAI5D,OAAO,EAAE,4BAA4B,EAAE,MAAM,kCAAkC,CAAC;AAChF,OAAO,EAAE,UAAU,EAAE,MAAM,mCAAmC,CAAC;AAE/D,OAAO,EAAE,IAAI,EAAE,MAAM,qCAAqC,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,2CAA2C,CAAC;AAEjE,MAAM,OAAO,GAAG,gBAAgB,CAAC;AACjC,MAAM,EAAE,GAAG,GAAG,CAAC;AAEf,8EAA8E;AAC9E,+BAA+B;AAC/B,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,aAAa,GAAG,2BAA2B,CAAC;AAElD,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,2BAA2B,GAAG,wBAAwB,CAAC;IACzD,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,6BAA6B;IACnC,KAAK,EAAE,CAAC,qBAAqB,CAAC;IAC9B,2DAA2D;IAC3D,IAAI,EAAE,EAAE;IACR,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,CAAC;IACT,aAAa,EAAE,CAAC;IAChB,iBAAiB,EAAE,yBAAyB,CAAC,SAAS;CACzD,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,wBAAwB,GAAG,wBAAwB,CAAC;IACtD,EAAE,EAAE,YAAY;IAChB,IAAI,EAAE,0BAA0B;IAChC,KAAK,EAAE,CAAC,kBAAkB,CAAC;IAC3B,IAAI,EAAE,GAAG;IACT,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,CAAC;IACT,aAAa,EAAE,CAAC;IAChB,iBAAiB,EAAE,yBAAyB,CAAC,KAAK;CACrD,CAAC,CAAC;AAEH,8EAA8E;AAC9E,2CAA2C;AAC3C,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,gCAAgC,GAAG,wBAAwB,CAAC;IAC9D,EAAE,EAAE,YAAY;IAChB,IAAI,EAAE,8BAA8B,EAAE,8BAA8B;IACpE,KAAK,EAAE,CAAC,kBAAkB,CAAC;IAC3B,IAAI,EAAE,GAAG;IACT,UAAU,EAAE,CAAC;IACb,MAAM,EAAE,CAAC;IACT,aAAa,EAAE,CAAC;IAChB,iBAAiB,EAAE,yBAAyB,CAAC,KAAK;CACrD,CAAC,CAAC;AAEH,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,MAAM,WAAW,CAAC,GAAG,EAAE,wCAAwC,EAAE,KAAK,IAAI,EAAE;IAExE,qBAAqB;IAErB,MAAM,SAAS,GAAG,IAAI,oBAAoB,CAAC,SAAS,CAAC,CAAC;IACtD,MAAM,SAAS,CAAC,UAAU,CAAC;QACvB,UAAU,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,KAAK,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACxF,WAAW,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,KAAK,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACrG,mBAAmB,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,KAAK,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC;KACjH,CAAC,CAAC;IACH,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;QAAC,MAAM,KAAK,CAAC,EAAE,CAAC,CAAC;IAAC,CAAC;IAEnD,MAAM,qBAAqB,GAAG,MAAM,SAAS,CAAC,iBAAiB,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACjF,MAAM,qBAAsB,CAAC,WAAW,CAAC;IAEzC,mEAAmE;IACnE,MAAM,WAAW,GAAG,IAAI,aAAa,CAAC;QAClC,GAAG,2BAA2B;QAC9B,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,aAAa;QACnB,WAAW,EAAE,sBAAsB;KACtC,CAAC,CAAC;IACH,MAAM,WAAW,CAAC,WAAW,CAAC;IAE9B,mFAAmF;IACnF,MAAM,SAAS,GAAG,IAAI,aAAa,CAAC;QAChC,GAAG,2BAA2B;QAC9B,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,WAAW;QACjB,WAAW,EAAE,0CAA0C;KAC1D,CAAC,CAAC;IACH,MAAM,SAAS,CAAC,WAAW,CAAC;IAE5B,MAAM,iBAAiB,GAAG,IAAI,mBAAmB,EAAE,CAAC;IACpD,MAAM,mBAAmB,GAAG,IAAI,mBAAmB,EAAE,CAAC;IAEtD,KAAK,UAAU,kBAAkB,CAAC,EAAE,EAAE,GAAG,MAAM,EAAE,IAAI,EAA8B;QAC/E,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC;YACjC,iBAAiB,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,MAAM;YAChD,EAAE;YACF,IAAI;YACJ,IAAI,EAAE,IAAI;SACb,CAAC,CAAC;QACH,OAAO,KAAK,CAAC;IACjB,CAAC;IACD,KAAK,UAAU,YAAY,CAAC,EAAE,EAAE,GAAG,MAAM,EAAkB;QACvD,IAAI,OAAO,GAAG,MAAM,IAAI,CAAC;YACrB,GAAG,EAAE,IAAI;YACT,MAAM,EAAE,EAAE;YACV,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE;YACpC,GAAG,EAAE,IAAI;YACT,QAAQ,EAAE,IAAI;SACjB,CAAC,CAAC;QACH,OAAO,OAAO,CAAC;IACnB,CAAC;IAED,KAAK,UAAU,WAAW;QACtB,MAAM,IAAI,GAAG,IAAI,qBAAqB,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC,CAAC;QACpF,MAAM,IAAI,CAAC,WAAW,CAAC;QACvB,MAAM,IAAI,CAAC,cAAc,CAAC;YACtB,MAAM,EAAE,EAAE,EAAE,qFAAqF;YACjG,cAAc,EAAE,SAAS;YACzB,UAAU,EAAE,WAAW;YACvB,aAAa,EAAE,SAAS;YACxB,mBAAmB;YACnB,iBAAiB,EAAE,SAAS;SAC/B,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,mEAAmE;IACnE,MAAM,WAAW,GAAG,IAAI,kBAAkB,EAAE,CAAC;IAE7C,wBAAwB;IAGxB;;;OAGG;IACH,IAAI,cAA4C,CAAC;IAEjD,mCAAmC;IAEnC,wDAAwD;IACxD,cAAc,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC;QACvC,YAAY,EAAE,aAAa;QAC3B,OAAO,EAAE,CAAC,gCAAgC,CAAC;QAC3C,SAAS;QACT,KAAK,EAAE,WAAW;KACrB,CAAC,CAAC;IACH,IAAI,OAAO,EAAE,CAAC;QAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,iCAAiC,YAAY,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC,CAAC;IAAC,CAAC;IAE9G,8DAA8D;IAC9D,MAAM,SAAS,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IACjE,MAAM,SAAS,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAE9E,sCAAsC;IAEtC,2EAA2E;IAC3E,yBAAyB;IAEzB,0BAA0B;IAE1B,IAAI,MAAgB,CAAC;IACrB,IAAI,UAAqB,CAAC;IAC1B,IAAI,CAAC;QACD,IAAI,OAAO,EAAE,CAAC;YAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,4DAA4D,CAAC,CAAC;QAAC,CAAC;QAEhG,kBAAkB;QAElB,sEAAsE;QACtE,cAAc;QAEd;;;WAGG;QACH,MAAM,GAAG,MAAM,kBAAkB,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAClD,UAAU,GAAG,YAAY,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC7C,MAAM,SAAS,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAC3D,MAAM,SAAS,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAExE,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC;YAC1C,YAAY,EAAE,CAAC,MAAM,CAAC;YACtB,cAAc;YACd,cAAc,EAAE,KAAK,IAAI,EAAE,GAAG,OAAO,aAAa,CAAA,CAAC,CAAC;YACpD,IAAI,EAAE,MAAM,WAAW,EAAE;YACzB,UAAU,EAAE,WAAW;YACvB,SAAS;YACT,gBAAgB,EAAE,oBAAoB,CAAC,iBAAiB;SAC3D,CAAC,CAAC;QACH,MAAM,QAAQ,CAAC,IAAI,CAAC;IAExB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,oEAAoE;QACpE,uEAAuE;QACvE,cAAc;QACd,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACrD,CAAC;YAAS,CAAC;QACP,IAAI,OAAO,EAAE,CAAC;YAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,oBAAoB,CAAC,CAAC;QAAC,CAAC;IAC5D,CAAC;IAED,6BAA6B;IAE7B,+BAA+B;IAE/B,wEAAwE;IACxE,kCAAkC;IAElC,4DAA4D;IAC5D,wEAAwE;IACxE,wEAAwE;IACxE,IAAI,qBAA4C,CAAC;IACjD;;OAEG;IACH,IAAI,iBAA+C,CAAC;IACpD,MAAM,IAAI,CAAC,GAAG,EAAE,sDAAsD,EAAE,KAAK,IAAI,EAAE;QAC/E,qBAAqB,GAAG,MAAM,SAAS,CAAC,aAAa,CAAC;YAClD,KAAK,EAAE,cAAc;YACrB,KAAK,EAAE,WAAW;SACrB,CAAC,CAAC;QACH,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAAC,MAAM,IAAI,KAAK,CAAC,yCAAyC,WAAW,CAAC,EAAE,+FAA+F,CAAC,CAAC;QAAC,CAAC;QAExM,iBAAiB,GAAG,MAAM,4BAA4B,CAAC;YACnD,IAAI,EAAE,qBAAqB;YAC3B,SAAS;YACT,KAAK,EAAE,WAAW;SACrB,CAAC,CAAC;QAEH,0GAA0G;QAC1G,OAAO,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,eAAe,EAAE,CAAC;QACtF,MAAM,SAAS,GAAG,iBAAiB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,KAAK,kBAAkB,CAAC,CAAC;QACnG,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC,eAAe,EAAE,CAAC;QACjF,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC,eAAe,EAAE,CAAC;IACtG,CAAC,CAAC,CAAC;IACH,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAAC,MAAM,IAAI,KAAK,CAAC,sHAAsH,CAAC,CAAC;IAAC,CAAC;IAEpK,MAAM,sBAAsB,GAAG,iBAAiB,CAAC,IAAI,CAAC,MAAM;SACvD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,KAAK,kBAAkB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC;IAElE,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAAC,MAAM,IAAI,KAAK,CAAC,kFAAkF,CAAC,CAAC;IAAC,CAAC;IAErI,IAAI,eAA6C,CAAC;IAClD,MAAM,IAAI,CAAC,GAAG,EAAE,qEAAqE,EAAE,KAAK,IAAI,EAAE;QAC9F,eAAe,GAAG,MAAM,4BAA4B,CAAC;YACjD,IAAI,EAAE,sBAAsB;YAC5B,SAAS;YACT,KAAK,EAAE,WAAW;SACrB,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,eAAe,EAAE,CAAC;IACtF,CAAC,CAAC,CAAC;IACH,IAAI,CAAC,eAAe,EAAE,CAAC;QAAC,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;IAAC,CAAC;IAEvH,MAAM,IAAI,CAAC,GAAG,EAAE,uCAAuC,EAAE,KAAK,IAAI,EAAE;QAChE,yBAAyB;QACzB,IAAI,CAAC,eAAe,EAAE,CAAC;YAAC,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;QAAC,CAAC;QACvH,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;YAAC,MAAM,IAAI,KAAK,CAAC,gFAAgF,CAAC,CAAC;QAAC,CAAC;QACjI,4BAA4B;QAE5B,+CAA+C;QAC/C,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC;QACnD,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,eAAe,EAAE,CAAC;QACpE,MAAM,cAAc,GAAG,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,eAAe,CAAC,CAAC;QACnE,MAAM,WAAW,GAAG,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,aAAa,EAAE,CAAC;QACxE,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,aAAa,EAAE,CAAC;QAClE,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;QAC5C,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,eAAe,EAAE,CAAC;QACnE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,aAAa,EAAE,CAAC;QAErF,+DAA+D;QAC/D,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC;QACnE,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC,eAAe,EAAE,CAAC;QAC5F,OAAO,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC,aAAa,EAAE,CAAC;IACxI,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,CAAC,GAAG,EAAE,+CAA+C,EAAE,KAAK,IAAI,EAAE;QACxE,mFAAmF;QACnF,MAAM,kBAAkB,GAAG,YAAY,CAAC,EAAE,KAAK,EAAE,cAAe,EAAE,CAAC,CAAC;QACpE,MAAM,4BAA4B,CAAC;YAC/B,IAAI,EAAE,kBAAkB;YACxB,SAAS;YACT,KAAK,EAAE,SAAS;SACnB,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC,aAAa,EAAE,CAAC;QAE5E,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAAC,MAAM,IAAI,KAAK,CAAC,yCAAyC,WAAW,CAAC,EAAE,+FAA+F,CAAC,CAAC;QAAC,CAAC;QACxM,MAAM,4BAA4B,CAAC,EAAE,IAAI,EAAE,qBAAqB,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QACjG,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC,aAAa,EAAE,CAAC;QAE5E,MAAM,4BAA4B,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAClG,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC,aAAa,EAAE,CAAC;IAEvF,CAAC,CAAC,CAAC;IAEH,kCAAkC;AAEtC,CAAC,CAAC,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ibgib/core-gib",
-  "version": "0.1.55",
+  "version": "0.1.58",
   "description": "ibgib core functionality, including base architecture for witnesses, spaces, apps, robbots, etc., as well as shared utility functions. Node v19+ needed for heavily-used isomorphic webcrypto hashing consumed in both node and browsers.",
   "funding": {
     "type": "individual",

package/src/keystone/keystone-config-builder.mts CHANGED Viewed

@@ -5,7 +5,10 @@ import {
     KeystonePoolConfig, KeystonePoolConfig_HashV1, KeystonePoolBehavior,
     KeystoneReplenishStrategy, KeystonePoolConfigBase, KeystoneChallengeType,
 } from './keystone-types.mjs';
-import { POOL_ID_REVOKE, KEYSTONE_VERB_REVOKE, KEYSTONE_CONFIG_DEFAULT_SIZE, KEYSTONE_CONFIG_DEFAULT_BINDING, KEYSTONE_CONFIG_DEFAULT_REPLENISH_STRATEGY, KEYSTONE_CONFIG_DEFAULT_SEQUENTIAL, KEYSTONE_CONFIG_DEFAULT_RANDOM, KEYSTONE_CONFIG_DEFAULT_SIZE_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_SEQUENTIAL_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_RANDOM_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_BINDING_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_REPLENISH_STRATEGY_HIGHSECURITY, KeystoneVerb, KEYSTONE_CONFIG_DEFAULT_HASH_ALGORITHM, KEYSTONE_CONFIG_DEFAULT_HASH_ROUNDS, KEYSTONE_CONFIG_DEFAULT_HASH_ALGORITHM_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_HASH_ROUNDS_HIGHSECURITY } from './keystone-constants.mjs';
+import { POOL_ID_REVOKE, KEYSTONE_VERB_REVOKE, KEYSTONE_CONFIG_DEFAULT_SIZE, KEYSTONE_CONFIG_DEFAULT_BINDING, KEYSTONE_CONFIG_DEFAULT_REPLENISH_STRATEGY, KEYSTONE_CONFIG_DEFAULT_SEQUENTIAL, KEYSTONE_CONFIG_DEFAULT_RANDOM, KEYSTONE_CONFIG_DEFAULT_SIZE_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_SEQUENTIAL_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_RANDOM_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_BINDING_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_REPLENISH_STRATEGY_HIGHSECURITY, KeystoneVerb, KEYSTONE_CONFIG_DEFAULT_HASH_ALGORITHM, KEYSTONE_CONFIG_DEFAULT_HASH_ROUNDS, KEYSTONE_CONFIG_DEFAULT_HASH_ALGORITHM_HIGHSECURITY, KEYSTONE_CONFIG_DEFAULT_HASH_ROUNDS_HIGHSECURITY, POOL_ID_SYNC, POOL_ID_CONNECT, POOL_ID_MANAGE } from './keystone-constants.mjs';
+import { KeystoneBehaviorProfileTemplate, KeystonePoolTemplate } from './keystone-policy-types.mjs';
+export { KeystoneBehaviorProfileTemplate, KeystonePoolTemplate };
 const logalot = GLOBAL_LOG_A_LOT;
@@ -308,14 +311,80 @@ export function createHighSecurityPoolConfig(opts: KeystoneConfigFactoryOptions_
 export function createManagePoolConfig(opts: KeystoneConfigFactoryOptions_Standard): KeystonePoolConfig {
     return createHighSecurityPoolConfig({
         ...opts,
-        verbs: [KeystoneVerb.MANAGE],
+        id: opts.id ?? POOL_ID_MANAGE,
+        verbs: opts.verbs ?? [KeystoneVerb.MANAGE],
     });
 }
 export function createRevocationPoolConfig(opts: KeystoneConfigFactoryOptions_Standard): KeystonePoolConfig {
     return createHighSecurityPoolConfig({
         ...opts,
-        verbs: [KeystoneVerb.REVOKE],
-        replenishStrategy: KeystoneReplenishStrategy.deleteAll,
+        id: opts.id ?? POOL_ID_REVOKE,
+        verbs: opts.verbs ?? [KeystoneVerb.REVOKE],
+        replenishStrategy: opts.replenishStrategy ?? KeystoneReplenishStrategy.deleteAll,
     });
 }
+export function createSyncPoolConfig(opts: KeystoneConfigFactoryOptions_Standard): KeystonePoolConfig {
+    return createStandardPoolConfig({
+        ...opts,
+        id: opts.id ?? POOL_ID_SYNC,
+        verbs: opts.verbs ?? [KeystoneVerb.SYNC],
+    });
+}
+export function createConnectPoolConfig(opts: KeystoneConfigFactoryOptions_Standard): KeystonePoolConfig {
+    return createStandardPoolConfig({
+        ...opts,
+        id: opts.id ?? POOL_ID_CONNECT,
+        verbs: opts.verbs ?? [KeystoneVerb.CONNECT],
+        replenishStrategy: opts.replenishStrategy ?? KeystoneReplenishStrategy.deleteAll,
+    });
+}
+/**
+ * Builds a KeystonePoolConfig from a JSON-sourced KeystonePoolTemplate.
+ */
+export function createPoolConfigFromJson({
+    template,
+    behaviorProfiles,
+    salt
+}: {
+    template: KeystonePoolTemplate;
+    behaviorProfiles?: Record<string, KeystoneBehaviorProfileTemplate>;
+    salt: string;
+}): KeystonePoolConfig {
+    let behavior: KeystoneBehaviorProfileTemplate | undefined;
+    if (template.behaviorProfile && behaviorProfiles) {
+        behavior = behaviorProfiles[template.behaviorProfile];
+    }
+    if (!behavior) {
+        behavior = template.behaviorInline;
+    }
+    if (!behavior) {
+        behavior = {
+            size: KEYSTONE_CONFIG_DEFAULT_SIZE,
+            replenish: KEYSTONE_CONFIG_DEFAULT_REPLENISH_STRATEGY,
+            selectSequentially: KEYSTONE_CONFIG_DEFAULT_SEQUENTIAL,
+            selectRandomly: KEYSTONE_CONFIG_DEFAULT_RANDOM,
+            targetBindingChars: KEYSTONE_CONFIG_DEFAULT_BINDING
+        };
+    }
+    return KeystoneConfig.hash()
+        .withId(template.id)
+        .withSalt(salt)
+        .withSize(behavior.size)
+        .withHybrid({
+            seqCount: behavior.selectSequentially,
+            randCount: behavior.selectRandomly,
+        })
+        .withTargetBinding(behavior.targetBindingChars)
+        .withReplenishStrategy(behavior.replenish)
+        .withHash({
+            algo: template.algo,
+            rounds: template.rounds
+        })
+        .forVerbs(template.allowedVerbs)
+        .build();
+}

package/src/keystone/keystone-constants.mts CHANGED Viewed

@@ -3,16 +3,12 @@ import { KeystoneReplenishStrategy } from "./keystone-types.mjs";
 export const KEYSTONE_ATOM = "keystone";
 export const KEYSTONE_POOL_ID_REGEXP = /^\w[\w\-.]*$/;
-/**
- * arbitrary 64 limit? only letters characters good
- */
-export const KEYSTONE_SALT_REGEXP = /^[a-zA-Z0-9]{1,64}$/;
+export const KEYSTONE_SALT_REGEXP = /^[a-zA-Z0-9\-_]{1,64}$/;
 /**
  * arbitrary right now. don't want an easy DoS. this may still be too high.
  */
 export const KEYSTONE_HASH_MAX_ROUNDS = 1_000;
-// #region KeystoneVerb enum
 /**
  * @see {@link KeystoneVerb.REVOKE}
  */
@@ -25,10 +21,28 @@ export const KEYSTONE_VERB_MANAGE = "manage";
  * @see {@link KeystoneVerb.SIGN}
  */
 export const KEYSTONE_VERB_SIGN = "sign";
+/**
+ * Used when a senderIdentity keystone authorizes a session keystone for a sync
+ * operation. The senderIdentity is evolved with a claim whose verb is `sync`,
+ * pointing to the session keystone genesis address.
+ *
+ * @see {@link KeystoneVerb.SYNC}
+ */
+export const KEYSTONE_VERB_SYNC = "sync";
+/**
+ * Used by the session keystone's `connect` pool to authorize the transport
+ * connect (e.g. WebSocket challenge/response). Consumed exactly once per
+ * sync session during `peer.connect()`.
+ *
+ * @see {@link KeystoneVerb.CONNECT}
+ */
+export const KEYSTONE_VERB_CONNECT = "connect";
 export type KeystoneVerb =
     | typeof KEYSTONE_VERB_REVOKE
     | typeof KEYSTONE_VERB_MANAGE
-    | typeof KEYSTONE_VERB_SIGN;
+    | typeof KEYSTONE_VERB_SIGN
+    | typeof KEYSTONE_VERB_SYNC
+    | typeof KEYSTONE_VERB_CONNECT;
 /**
  * Verbs that describe actions that can be authorized by a Keystone.
@@ -55,6 +69,16 @@ export const KeystoneVerb = {
      * This is the least of all privileges that can actually evolve a keystone.
      */
     SIGN: KEYSTONE_VERB_SIGN,
+    /**
+     * Used when a senderIdentity keystone authorizes a session keystone.
+     * The senderIdentity is evolved with a `sync` claim targeting S^Stjp.
+     */
+    SYNC: KEYSTONE_VERB_SYNC,
+    /**
+     * Used by the session keystone's `connect` pool for the transport
+     * connect (proof-of-possession). Consumed once per session.
+     */
+    CONNECT: KEYSTONE_VERB_CONNECT,
 } satisfies { [key: string]: KeystoneVerb };
 export const KEYSTONE_VERB_VALID_VALUES = Object.values(KeystoneVerb);
 export function isKeystoneVerb(value: string): value is KeystoneVerb {
@@ -70,6 +94,18 @@ export const POOL_ID_REVOKE = KEYSTONE_VERB_REVOKE;
 export const POOL_ID_MANAGE = KEYSTONE_VERB_MANAGE;
 export const POOL_ID_DEFAULT = "default";
 export const POOL_ID_DELEGATE = "delegate";
+/**
+ * Pool ID for the session keystone's transport connect pool.
+ * Paired with {@link KEYSTONE_VERB_CONNECT}. Consumed once per sync session
+ * during `peer.connect()`.
+ */
+export const POOL_ID_CONNECT = KEYSTONE_VERB_CONNECT;
+/**
+ * Pool ID for the session keystone's per-turn signing pool.
+ * Paired with {@link KEYSTONE_VERB_SYNC}. Consumed once per outgoing sync
+ * context frame (Init, Delta, Commit, etc.).
+ */
+export const POOL_ID_SYNC = KEYSTONE_VERB_SYNC;
 /**
  * **THESE SHOULD ONLY BE USED IN TEMPORARY/SESSION KEYSTONES.**
  * _this is because a receiver could intercept the stone, DoS participants and

package/src/keystone/keystone-helpers.mts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { extractErrorMsg, hash, HashAlgorithm, pretty } from "@ibgib/helper-gib/dist/helpers/utils-helper.mjs";
 import { GIB } from "@ibgib/ts-gib/dist/V1/constants.mjs";
-import { Ib, TransformResult } from "@ibgib/ts-gib/dist/types.mjs";
+import { Ib, IbGibAddr, TransformResult } from "@ibgib/ts-gib/dist/types.mjs";
 import { getIbAndGib, getIbGibAddr } from "@ibgib/ts-gib/dist/helper.mjs";
 import { validateIbGibIntrinsically } from "@ibgib/ts-gib/dist/V1/validate-helper.mjs";
 import { mut8 } from "@ibgib/ts-gib/dist/V1/transforms/mut8.mjs";
@@ -543,7 +543,7 @@ export async function validateChallengePool_typeHashRevealV1({ pool }: {
         const { algo, rounds, salt, } = pool.config as KeystonePoolConfig_HashV1;
-        const validAlgos: HashAlgorithm[] = [HashAlgorithm.sha_256];
+        const validAlgos: HashAlgorithm[] = [HashAlgorithm.sha_256, HashAlgorithm.sha_512];
         if (algo) {
             if (!validAlgos.includes(algo)) {
                 errors.push(`${lc} invalid hash algorithm (${algo}). Must be one of ${validAlgos}. (E: a22399ca3a68e63ffcc7507699be5826)`);
@@ -1116,3 +1116,45 @@ export async function validateKeystoneGraph({
     }
 }
+export async function getIdentity({
+    addr,
+    metaspace,
+    space,
+}: {
+    addr: IbGibAddr,
+    metaspace: MetaspaceService,
+    space: IbGibSpaceAny,
+}): Promise<KeystoneIbGib_V1 | undefined> {
+    const lc = `[${getIdentity.name}]`;
+    try {
+        if (logalot) { console.log(`${lc} starting... (I: 7f1dac53ff4691cb08cd267bf75f4326)`); }
+        const resGet = await metaspace.get({ addr, space });
+        const identityIbGib = resGet.ibGibs?.at(0) as KeystoneIbGib_V1;
+        if (identityIbGib) {
+            if (!identityIbGib.data) { throw new Error(`(UNEXPECTED) identityIbGib.data falsy? (E: d2f188232cd3bafb873b89e3a25a4826)`); }
+            // should actually be a `isKeystone` guard, but hey...
+            if (!identityIbGib.ib.startsWith(KEYSTONE_ATOM)) {
+                throw new Error(`invalid. does not start with ${KEYSTONE_ATOM} (E: 4523f8647cc139f8c49597fb86329426)`);
+            }
+        }
+        return identityIbGib;
+    } catch (error) {
+        console.error(`${lc} ${extractErrorMsg(error)}`);
+        throw error;
+    } finally {
+        if (logalot) { console.log(`${lc} complete.`); }
+    }
+}
+export async function getIdentity_throwIfUndefined({
+    addr,
+    metaspace,
+    space,
+}: {
+    addr: IbGibAddr,
+    metaspace: MetaspaceService,
+    space: IbGibSpaceAny,
+}): Promise<KeystoneIbGib_V1> {
+    const identityIbGib = await getIdentity({ metaspace, addr, space });
+    if (!identityIbGib) { throw new Error(`addr (${addr}) not found in space: ${space.ib} (E: 7533682e805819cc78bdb0d8960be826)`); }
+    return identityIbGib;
+}

package/src/keystone/keystone-policy-types.mts ADDED Viewed

@@ -0,0 +1,25 @@
+import { HashAlgorithm } from "@ibgib/helper-gib/dist/helpers/utils-helper.mjs";
+import { KeystoneReplenishStrategy, KeystoneChallengeType } from "./keystone-types.mjs";
+export interface KeystoneBehaviorProfileTemplate {
+    size: number;
+    replenish: KeystoneReplenishStrategy;
+    selectSequentially: number;
+    selectRandomly: number;
+    targetBindingChars: number;
+}
+export interface KeystonePoolTemplate {
+    id: string;
+    allowedVerbs: string[];
+    behaviorProfile?: string; // Reference to a behavior profile key
+    behaviorInline?: KeystoneBehaviorProfileTemplate; // Or specify behavior inline
+    algo: HashAlgorithm;
+    rounds: number;
+    type?: KeystoneChallengeType;
+}
+export interface KeystonePolicyConfigTemplate {
+    behaviorProfiles?: Record<string, KeystoneBehaviorProfileTemplate>;
+    pools: Record<string, KeystonePoolTemplate>;
+}