@ibgib/core-gib 0.1.55 → 0.1.58

package/src/sync/docs/security.md

@@ -0,0 +1,380 @@
+# Ibgib Sync Security
+
+We use ibgib's unique Merkle-DAG-based protocol and innovative "keystone" construct (see keystone [README.md](../../keystone/README.md) and other [docs](../../keystone/docs/)) to maximize security while minimizing surface area (code).
+
+## Core Concepts
+
+* **Domain Keystone (I)**: The primary, long-lived identity keystone representing the data owner (e.g., Alice). This dictates high-level access and is registered with a domain provider (e.g., Space-Gib as an initial reference implementation).
+* **Session Keystone (S)**: An ephemeral, short-lived keystone generated locally by the Sender explicitly for a single sync session.
+* **Target Domain (X)**: The specific ibgib timeline or payload that is the subject of the sync.
+* **Sovereign Broker (Receiver)**: The domain provider acts as a passive, high-integrity validator. It does not generate or sign sync frames with its own session identity; it relies entirely on the Sender's cryptographic proofs to authorize actions. While we may treat the provider as "honest" practically, it is ultimately a sovereign entity over its data, and its "honesty" is driven by long-term self-interest.
+
+## Development Nuances & Implementation TODOs
+
+This section serves as a working scratchpad to capture specific code-level nuances, terminology standardization, and pending tasks before jumping into implementation.
+
+### ✅ Agreed: Secret Naming — `senderSecret` & `sessionSecret`
+
+* **`senderSecret`**: The master secret corresponding to `senderIdentity`. Drives the KDF to produce the session secret. Replaces the old `nonSessionSecret` / `identitySecret` / `domainSecret` names.
+* **`sessionSecret`**: Deterministically derived via `KDF(senderSecret, sagaId)`. Ephemeral and saga-specific. Used only within `establishSessionIdentity` to create the session keystone genesis.
+* *Rationale*: `sender` pairs naturally with `senderIdentity`; `session` pairs naturally with `sessionIdentity`.
+
+### ✅ Agreed: Identity Naming — `senderIdentity` & `sessionIdentity`
+
+* **`senderIdentity`**: The long-lived Domain Keystone (I) representing the Sender (Alice). Optional — a sync can run with just a `domainSecret` and no named identity.
+  * Using `senderIdentity` (not `domainIdentity` or `primaryIdentity`) because "domain" becomes ambiguous when Bob eventually has his own domain identity in a future symmetric model.
+* **`sessionIdentity`**: The ephemeral keystone (S) generated per-saga. Used consistently as both:
+  * A **param/property name** (e.g., `peer.sessionIdentity`, `createSessionIdentity()`).
+  * A **rel8n name** on both the sync saga ibgib and the context ibgib (e.g., `syncSagaIbGib.rel8ns.sessionIdentity`, `contextIbGib.rel8ns.sessionIdentity`).
+
+### ✅ Agreed: Identity Hard-linking Strategy
+
+* **Sync Saga Frame** (`ibgib.data`, soft-link):
+  * `data` should record identity details as soft references (addresses in `ibgib.data`, not hard-linked `ibgib.rel8ns`):
+    * `senderIdentity` TJP addr.
+    * The exact `senderIdentity` frame addr that signed/authorized the session (i.e., the new frame post-`establishSessionIdentity`).
+    * `sessionIdentity` TJP addr.
+  * No hard-link (`rel8ns`) to `sessionIdentity` from the sync saga ibgib.
+* **Context IbGib** (`ibgib.rel8ns`, hard-link):
+  * `rel8ns.sessionIdentity` hard-links to the **previous** session keystone frame (the frame *before* the current signing step). This is the "point forward, sign backward" pattern: the signed (evolved) keystone's claim targets *this context's addr*, so the context can only reference the *prior* frame.
+  * The `signedSessionKeystone` property on the context carries the **newly evolved** frame (the current turn's signature).
+  * **No transition pool**: The prior symmetric "transition pool" (for the receiver's signing turn) is eliminated. Only the Sender signs.
+  * **Sovereign Broker response**: The Receiver includes the *same, unevolved* `sessionIdentity` addr in its response context's `rel8ns.sessionIdentity` — it does not evolve the keystone.
+
+### ✅ Agreed: Session Keystone Pool Configuration
+
+The session keystone has **two dedicated pools**, each with a matching `poolId` and `verb`:
+
+* **`connect` pool** (`poolId: "connect"`, `verb: "connect"`):
+  * Used exclusively during `peer.connect()` — the in-band WebSocket challenge/response handshake.
+  * The receiver issues challenges from this pool; the sender solves them to prove possession of S.
+* **`sync` pool** (`poolId: "sync"`, `verb: "sync"`):
+  * Used to sign each outgoing context frame during the sync ping-pong (Init, Ack, Delta, Commit turns).
+  * Pool separation is intentional — the `connect` handshake and per-turn signing are distinct operations with distinct lifetimes.
+* [ ] Add `"connect"` and `"sync"` verbs to `keystone-constants.mts`.
+* [ ] Create standard pool config factories for both in [`keystone-config-builder.mts`](../../keystone/keystone-config-builder.mts).
+
+Note: The `senderIdentity` Domain Keystone also uses the `"sync"` verb in its claim when it signs/authorizes the session keystone genesis during `establishSessionIdentity`.
+
+### ✅ Agreed: Sync Peer Lifetime — One Peer per Saga
+
+A `SyncPeer` instance is **scoped to exactly one sync saga**. A new peer must be created for each call to `senderCoordinator.sync(...)`. Reusing a peer across multiple sagas is not supported and would compromise the identity security model, since the session keystone `S` is saga-specific (derived from `KDF(senderSecret, sagaId)`).
+
+The `sagaId` is passed to the peer via `initializeOpts` so that `establishSessionIdentity` can derive the correct `sessionSecret` before any other phase begins.
+
+### ✅ Agreed: `establishSessionIdentity` — Pre-Connect Phase
+
+A new `establishSessionIdentity` method on the sync peer base class is the **mandatory first step** before `connect`. It encapsulates:
+
+1. **Generate session keystone**: `sessionIdentity` genesis (S^Stjp) is created locally from `KDF(senderSecret, sagaId)`. The genesis contains the exact target domain addresses (`targetAddrs` in `frameDetails`) to cryptographically bind the session to those specific target domain timelines, preventing it from being used as a "blank check" for other domains.
+2. **Sign `senderIdentity`**: The Sender signs their own `senderIdentity` keystone with a `sync` claim targeting `S^Stjp`. The result (`newSenderIdentity`) is the evolved sender frame that proves delegation. The name `newSenderIdentity` is **only** used within `establishSessionIdentity` and its helper — after this method returns, it becomes the active `senderIdentity`.
+3. **Post to domain provider**: Both `newSenderIdentity` and `sessionIdentity` genesis are transmitted to the Receiver via a pre-connect API call (cf. `putEvolveKeystone` in `dev-tools.mts`).
+4. **Receiver validates**: The Receiver independently loads the **latest known tip** of `I^Itjp` from its own registry (never trusting `newSenderIdentity.rel8ns.past`). It validates the evolution and, if authorized, stores both keystones in the domain.
+5. **After this point**: `senderIdentity` IS the new frame. The session keystone takes over authorization for all subsequent sync turns.
+
+### ✅ Agreed: Per-Turn Transmission Protocol
+
+* **Sender → Receiver (each turn)**: Only the **current evolved frame of `sessionIdentity`** (S) is transmitted. `senderIdentity` is never re-transmitted after `establishSessionIdentity`.
+* **Receiver validation (each turn)**: The Receiver independently loads the latest `senderIdentity` tip from its domain registry, finds the `S^Stjp` addr from the `sync` claim within it, loads the known session keystone graph, and validates the incoming evolved S frame against it.
+  * This is possible on every turn because `establishSessionIdentity` guarantees the domain and `I^Itjp` already exist on the Receiver.
+* **Receiver → Sender (each turn)**: The Receiver's response context echoes the same (unevolved) `sessionIdentity` addr — it never produces a new keystone evolution.
+
+### 🔲 Pending: `authenticateContext` Placement
+
+The receiver-side validation that runs on each incoming context has three steps:
+1. **Transition validity**: Replay the session keystone evolution — verify `data.n` is sequential, challenge solutions are valid, pool not exhausted, etc.
+2. **Target binding**: Verify that the incoming `signedSessionIdentity`'s proof actually targets *this* context's exact address (`proof.claim.target === contextAddr`).
+3. **Domain target binding**: Verify that the first frame of the session keystone `S` ($S^{Stjp}$) contains `targetAddrs` (array) in its `frameDetails`, and that this array contains the exact addresses of the domain ibgibs being synchronized. This must be checked at least in the first sync turn (e.g., `handleInitFrame`) to authenticate that the session is not a "blank check".
+
+**Open**: Where does this code live?
+* **On the sync peer** (e.g., as `peer.authenticateContext(...)`): the peer already knows its local durable space, which is needed to load the latest `senderIdentity` tip. This makes the tip-lookup natural.
+* **As a pure helper function** (`sync-peer-helpers.mts`): would need the durable space passed as a parameter (plus whatever else the tip-lookup requires).
+
+The peer placement is currently preferred since it co-locates the space knowledge with the validation logic. Finalize during implementation.
+
+### ✅ Agreed: `KeystoneService_V1` — No Injection Needed
+
+`KeystoneService_V1` is stateless. It can be `new`-ed on demand wherever validation or signing is needed. There is no need to pass it as a constructor parameter or inject it into `authenticateContext` or any related helper. Just instantiate inline.
+
+### ✅ Agreed: Context Property — `signedSessionIdentity`
+
+The context ibgib carries the newly evolved `sessionIdentity` frame in a property named **`signedSessionIdentity`** (replacing the old `signedSessionKeystone`).
+
+Context ibgib now has a clean, consistent pair:
+* `rel8ns.sessionIdentity` → addr of the **previous** frame (before signing this turn)
+* `signedSessionIdentity` → the **newly evolved** frame (current turn's cryptographic proof)
+
+
+
+## High Level Authorization Flow
+
+1. [ ] **`establishSessionIdentity`** *(new pre-connect phase)*:
+   [ ] * Sender locally generates `sessionIdentity` (S) and signs `senderIdentity` (I → I1) with a `sync` claim targeting `S^Stjp`.
+   [ ] * Both keystones are posted to the domain provider. Receiver validates the evolution against its own known tip of `I^Itjp` and stores them if authorized.
+2. [ ] **`peer.connect()`** *(transport handshake)*:
+   [ ] * Sender opens the transport channel (e.g., WebSocket).
+   [ ] * Receiver issues challenges from S's **`connect` pool**.
+   [ ] * Sender solves and returns proof-of-possession. Session is authorized.
+3. [ ] **Asymmetric Sync (Ping-Pong)**:
+   [ ] * Sender signs all outgoing contexts (Init, Ack, Delta, Commit) using S's **`sync` pool**, evolving S each turn.
+   [ ] * Only the latest evolved S frame is transmitted per turn — never `senderIdentity`.
+   [ ] * Receiver validates by independently loading `I^Itjp`, tracing to `S^Stjp`, and verifying the incoming frame.
+   [ ] * Receiver responds with unsigned contexts (same S addr echoed, no new evolution).
+
+
+## Attack Vectors & Mitigations
+
+| Attack Vector | Description | Mitigation |
+|---------------|-------------|------------|
+| **MITM Replay** | Attacker replays captured saga frames | • Frame signatures include timestamp<br>• Freshness checks reject old frames<br>• Challenge depletion prevents reuse<br>• sagaId deduplication |
+| **Session Fixation** | Attacker pre-generates session keystone | • Session secret derived via KDF (strategy in keystone metadata)<br>• `sessionSecret = KDF(masterSecret, sagaId, strategy)` |
+| **Identity Spoofing** | Impersonation via fake session keystone | • Session keystone includes `derivedFrom` master address<br>• Receiver validates master keystone is known/trusted |
+| **Challenge Grinding** | Brute-force challenge solutions for target binding | • Hash pre-imaging computationally infeasible<br>• Stochastic selection adds randomness |
+| **DoS (Pool Exhaustion)** | Excessive syncs deplete challenge pools | • Top-up replenishment refills challenges<br>• Rate limiting per identity<br>• Pool separation for critical ops |
+| **Saga Hijacking** | Mid-flight frame injection | • All frames signed with session keystone<br>• `past` rel8n creates tamper-evident chain |
+
+## Trust Model
+
+**Asymmetric Identity (Domain-Based Authorization)**:
+- **Sender Signs**: The Sender is responsible for cryptographically signing all requests using their ephemeral Session Keystone.
+- **Receiver Validates**: The Receiver acts strictly as an "Honest Broker". It validates the Sender's proofs and domain boundaries but does not maintain or sign a symmetric session identity.
+- **Delegated Authority**: Trust is explicitly delegated from a Domain Keystone (I) to a Session Keystone (S) via a `sync` claim evolution.
+
+**Session Keystones**:
+- Ephemeral identity per sync saga.
+- Secret derived via `KDF(senderSecret, sagaId)`.
+- Contains two isolated pools: `connect` (for transport handshake) and `sync` (for per-turn frame signing).
+- Validates via proof-of-work (solving challenges from the appropriate pool).
+
+**Propagation**:
+- Sync does NOT rely on global PKI or certificate authorities.
+- Trust propagates through sync sessions (Alice syncs with Bob &rarr; Bob witnesses Alice's keystone).
+- Revocation propagates same way (Alice revokes → syncs revocation to Bob → Bob sees revoked timeline)
+
+**Threat Boundaries**:
+- ✅ Protects against: MITM replay, impersonation, frame tampering
+- ⚠️ Does NOT protect against: Compromised endpoint (live memory access during active session)
+- ⚠️ Master secrets: Raw secrets should NOT stored; keystones master secrets to keystones should be derived secrets via key stretching passwords. raw secret files of course can drive these passwords and must be protected
+- ⚠️ Transport security: Use TLS for network layer encryption (ibgib protocol provides authentication/integrity, not confidentiality)
+
+## Best Practices
+
+1. **Master Secret Protection**: Store master secrets in secure enclaves/keychains
+2. **Session Lifetime**: Limit saga duration, revoke sessions post-completion
+3. **Rate Limiting**: Implement per-identity sync rate limits
+4. **Freshness**: Reject frames older than 60 seconds
+5. **Audit Logs**: Persist saga timelines for post-hoc validation (saga timelines are ibgibs, so integrity is built-in via content addressing)
+6. **TLS**: Always use TLS for network transport (defense-in-depth)
+
+## ❓ Open Questions
+
+### Payload Scope Validation: Can the Protocol Police What ibGibs Are Transmitted?
+
+**Question**: During a sync session authorized by session substone S (itself authorized by domain keystone I with `claim.target = S^Stjp` and sync subject `X^X10.Xtjp`), should the server validate that all Delta payload ibgibs are genuinely related to X's timeline? Or is it sufficient that they arrive under a valid substone?
+
+**Context**: The substone's `frameDetails` records both the parent identity `I^Itjp` and the sync subject `X^X10.Xtjp`. In theory the server could walk the dependency graph of each incoming Delta payload and confirm every ibgib is either:
+- A control ibgib (sync saga, context, substone frames), or
+- Part of the dependency graph rooted at some frame of X's timeline (`X^Xtjp`)
+
+**Problem**: This check may not be enforceable at the protocol layer. A client who controls the keystone (has the master secret) could always evolve X's timeline to hard-link any arbitrary ibgib, and that ibgib would then pass the "is in X's dependency graph" check. So the constraint can be trivially bypassed by the legitimate key-holder, making it only useful against *illegitimate* actors — who are already blocked by the keystone proof requirement.
+
+**Current position**: This is likely a **higher-layer business rule** rather than a sync protocol concern. The sync protocol's job is to ensure the session is cryptographically authorized (via keystone proofs). What is stored under an authorized session is the domain owner's responsibility. Enforcement of content policies (e.g., "only ibgibs of type X are allowed") belongs in the server's `authorizeContext` hook, not in the core sync coordinator.
+
+**Tracked in**: `space-gib.sync-walkthrough.md`
+
+---
+
+## Implementation Plan
+
+Each phase below is a discrete, verifiable step. We proceed **one checkbox at a time**, **reviewing/discussing** code/results before moving to the next. Each phase has two targets: **innerspace** (automated unit test) and **space-gib** (manual/integrated e2e).
+
+The innerspace tests live in `libs/core-gib/src/sync/`. The space-gib integrated tests are done via the `dev-tools.mts` UI in the browser. Separating identity phases into their own `*.respec.mts` file keeps logs clean and complexity isolated.
+
+_Note: respec-gib `*.respec.mts` files execute the **entire** file if any `respecfullyDear`/`ifWeMight` blocks are found. Within that file, any `ifWe` block (without the `Might`) will **still** execute and affect logging. `ifWeMight` **only** affects reporting pass/fail once the file is selected to execute. This is why we isolate individual files as needed._
+
+---
+
+### Phase 1 — `establishSessionIdentity` (Pre-Connect)
+
+**Goal**: Get `I^Itjp` onto the domain provider, generate `S^Stjp` locally, evolve `I → I1` with a `sync` claim targeting `S^Stjp`, and post both `I1` and `S` to the provider. Verify both keystones are in the appropriate durable spaces at the right times.
+
+`senderCoordinator.sync(...)` **will** be called; we are not mocking this out. We expect it may throw at first, and we are examining side-effects (keystone presence in durable spaces) rather than end-to-end correctness. As phases succeed and sync no longer throws, test assertions will be adjusted accordingly.
+
+#### Phase 1A — Innerspace unit test (`sync-withid.establish.respec.mts`)
+
+- [x] Create `sync-withid.establish.respec.mts` with scaffold:
+  - `Metaspace_Innerspace` + two `InnerSpace_V1` (source/dest) + `SyncSagaCoordinator` pair + `newTestPeer()` factory
+  - A `senderSecret` constant (test-only plaintext)
+  - A `KeystoneService_V1` instance (new'd inline, no injection needed)
+- [x] Add `respecfully` block: `"Phase 1: establishSessionIdentity"`
+  - [x] `ifWeMight` — `"creates sessionIdentity genesis (S) locally"`: assert `S^Stjp` was generated and exists in `sourceSpace`
+  - [x] `ifWeMight` — `"evolves senderIdentity (I → I1) with sync claim"`: assert `I1` frame has a proof whose `claim.verb === 'sync'` and `claim.target === S^Stjp`
+  - [x] `ifWeMight` — `"posts I1 and S to destSpace (receiver)"`: assert both addrs are retrievable from `destSpace`
+
+#### Phase 1B — Space-Gib integrated (manual) (`dev-tools.mts`)
+
+Add a new horizontal flexbox row dedicated to the "establish" test flow. Existing debug button rows stay as-is; the new row activates and disables the existing rows (page refresh required to reset). The new row contains:
+
+- [x] Button: **"new identity"** — creates a fresh `senderIdentity` (I) keystone locally
+- [x] Button: **"confirm sender identity"** — asserts I exists in the sender's local space
+- [x] Button: **"confirm receiver identity"** — asserts I (or its absence) in the receiver's domain registry
+- [x] Button: **"sync - establish"** — calls `sync(...)` (which internally runs `establishSessionIdentity`)
+- [x] Button: **"confirm sender identity evolved"** — asserts I1 (evolved frame) is in sender's space
+- [x] Button: **"confirm receiver identity evolved"** — asserts I1 is in receiver's domain registry
+- [x] Button: **"confirm sender session identity"** — asserts S genesis exists in sender's space
+- [x] Button: **"confirm receiver session identity"** — asserts S genesis exists in receiver's domain registry
+- [x] Clean up buttons / consolidate confirms once the flow is stable
+
+##### 1) WebSocket Peer Sender (`SyncPeerWebSocketSender_V1`)
+- [x] Define options and data types (`wsUrl` for sync, `httpEvolveUrl` for pre-connect establish routing).
+- [x] Implement `postEstablishToReceiver` to execute Phase 1 HTTP POST/PUT of evolved $I_1$ and session genesis $S$ to the registry.
+- [x] Implement `connectImpl` to:
+  - [x] Consistently load the handshake solution from local storage/memory.
+  - [x] Perform the RFC 6455 upgrade request with `sAddr` and upfront `solution` parameters.
+  - [x] Listen and respond to multi-turn JSON RPC handshake frames (`auth-challenge-init` -> `auth-init` -> `auth-challenge` -> `auth-proof` -> `auth-ok`).
+- [x] Implement `sendContextRequest` to push context and transactional payloads down the active WebSocket pipe.
+
+##### 2) WebSocket Peer Receiver (`SyncPeerWebSocketReceiver_V1`)
+- [x] Review dev-tools.mts and especially sync-upgrade.handler.mts, moving what code we can from the handler into this peer receiver.
+- [x] Define server-side receiver options matching core registry namespaces.
+- [x] Implement robust event/message routers to handle stateful context payloads during the established synchronization session.
+- [x] Design standard static/pure functions to manage Keystone verification and registration during the establish phase without requiring an active saga connection instance.
+
+##### 3) Serve-Gib Establish Handler (`KeystoneEvolveHandler`)
+- [x] Should delegate to sync peer receiver static methods or pure functions in sync-websocket-peer-helpers.mts (or whatever the exact filename turns out to be for the sync peer's websocket helper functions)
+- [x] Cleanly handle the pre-connect registry POST.
+- [x] Validate signature proof of identity evolution ($I \to I_1$) and store both $I_1$ and $S$ into the domain's server-side durable space registry.
+- [x] Ensure it remains entirely stateless, coordinating purely through persistent database/filesystem states.
+
+##### 4) Serve-Gib Connect/Sync Handler (`SyncChannelHandler`)
+- [x] Refactor and rename the WebSocket handler (moving beyond "upgrade" to reflect its status as the Sync Peer Connect & Transport Channel wrapper).
+- [x] Implement upfront picket-fence validation on upgrade (`validateUpfrontConnect`) by retrieving $S$ from durable space and checking the solution parameter.
+- [x] Manage the stateful WebSocket challenge handshake generically.
+- [x] Instantiate `SyncPeerWebSocketReceiver_V1` and wire it to the active socket stream upon successful authentication.
+
+##### 5) Downstream App Registration (`space-gib`)
+- [x] Update `server.mts` (or equivalent serve-gib orchestrator) to mount the generalized `KeystoneEvolveHandler` (Establish) and `SyncChannelHandler` (Connect/Sync) with simple, clean `regex` + `verb` routing declarations.
+- [x] Wire the Dev Tools perform-sync button to instantiate the unified `SyncSagaCoordinator` and `SyncPeerWebSocketSender_V1` to execute the full sequence.
+
+---
+
+### Phase 2 — `peer.connect()` (Transport Handshake)
+
+**Goal**: Open the transport channel (if applicable to the peer implementation) and sign/deplete S's `connect` pool as proof-of-possession.
+
+We still call `senderCoordinator.sync(...)` — the phase focus is on what `peer.connect()` does internally, not on a separate call.
+
+#### Phase 2A — Innerspace unit test (`sync-withid.connect.respec.mts`)
+
+- [x] Create `sync-withid.connect.respec.mts` (separate file to isolate connect-phase logging)
+- [x] Add `respecfully` block: `"Phase 2: connect"`
+  - [x] `ifWeMight` — `"connect completes without error"`: call sync and assert no exception at/before the connect phase
+  - [x] `ifWeMight` — `"connect pool is fully depleted after connect"`: assert `S.data.pools['connect']` is exhausted (all challenges consumed), since after connect only the `sync` pool remains active
+  - [x] 🔲 **Open question**: Does innerspace issue demanded challenge IDs for the `connect` pool, or is this behavior strictly peer-specific (WebSocket only)? Confirm during implementation — if innerspace skips challenge issuance, the depletion check may not apply and we document the asymmetry.
+
+#### Phase 2B — Space-Gib integrated (manual)
+
+- [x] Confirm WebSocket connection is established — check the browser's Network tab (WS frames) rather than adding any server-side detection endpoint (avoids introducing insecure surface)
+- [x] Confirm server issues and accepts challenge from S's `connect` pool — verify via server logs or debugger
+- [x] Confirm `connect` pool is exhausted in S after handshake (inspect S's latest frame in debugger)
+- [x] Confirm session is considered active server-side after handshake
+
+---
+
+### Phase 3 — Basic Single-Timeline Sync with Identity
+
+**Goal**: With identity fully established and transport connected, sync a single ibgib `X` from source to dest. Verify S evolves correctly per turn (`sync` pool), and X's full dependency graph arrives on dest. After commit, both sender and receiver durable spaces must contain: the same evolved I, the full S dependency graph, and the full X dependency graph.
+
+#### Phase 3A — Innerspace unit test (`sync-withid.fullsync.respec.mts`)
+
+- [ ] Create `sync-withid.fullsync.respec.mts`
+  - [ ] Create `r1_alpha_v0_source` via `TestTransformer`
+  - [ ] Call `senderCoordinator.sync({ domainIbGibs: [alpha], senderIdentity, senderSecret, ... })`
+  - [ ] `ifWeMight` — `"alpha dep graph matches on source and dest"`: use `getDependencyGraph` + `graphsAreEquivalent`
+  - [ ] `ifWeMight` — `"sessionIdentity evolved the expected number of times"`: assert `S.data.n` equals the known deterministic turn count
+    - [ ] 🔲 **TODO**: Manually inspect the full session keystone graph after a first run and count the exact number of outgoing turns (Init + Delta(s) + Commit), then hard-code that number into this assertion
+  - [ ] `ifWeMight` — `"sender durable space has I (evolved frame)"`: assert I1 addr is in `sourceSpace`
+  - [ ] `ifWeMight` — `"receiver durable space has I (evolved frame)"`: assert I1 addr is in `destSpace`
+  - [ ] `ifWeMight` — `"sender durable space has full S dep graph"`: use `getDependencyGraph` on S in `sourceSpace`
+  - [ ] `ifWeMight` — `"receiver durable space has full S dep graph"`: use `getDependencyGraph` on S in `destSpace`
+
+#### Phase 3B — Space-Gib integrated (manual)
+
+- [ ] Trigger a sync of a known test ibgib via `dev-tools.mts` (add "sync - fullsync" button to a new row)
+- [ ] Confirm S evolves on each outgoing turn (inspect frame `data.n` in debugger)
+- [ ] Confirm X's full dependency graph is present on the client after commit
+- [ ] Confirm X's full dependency graph is present on the server after commit
+- [ ] Confirm S's full dependency graph is present on the client after commit
+- [ ] Confirm S's full dependency graph is present on the server after commit
+- [ ] Confirm I's evolved frame (I1) is present on the client after commit
+- [ ] Confirm I's evolved frame (I1) is present on the server after commit
+
+
+---
+
+### Phase 1 — `establishSessionIdentity` (Pre-Connect)
+
+**Goal**: Get `I^Itjp` onto the domain provider, generate `S^Stjp` locally, evolve `I → I1` with a `sync` claim targeting `S^Stjp`, and post both `I1` and `S` to the provider. Verify the provider accepted and stored them.
+
+The sync proper will not be called. The test only cares that the pre-connect identity handoff succeeded.
+
+#### Phase 1A — Innerspace unit test
+
+- [ ] Create `sync-with-identity-basic.respec.mts` with scaffold:
+  - `Metaspace_Innerspace` + two `InnerSpace_V1` (source/dest) + `SyncSagaCoordinator` pair + `newTestPeer()` factory
+  - A `senderSecret` constant (test-only plaintext)
+  - A `KeystoneService_V1` instance (new'd inline)
+- [ ] Add `respecfully` block: `"Phase 1: establishSessionIdentity"`
+  - [ ] `ifWeMight` — `"creates sessionIdentity genesis (S) locally"`: assert `S^Stjp` was generated and exists in `sourceSpace`
+  - [ ] `ifWeMight` — `"evolves senderIdentity (I → I1) with sync claim"`: assert `I1` frame has a proof whose `claim.verb === 'sync'` and `claim.target === S^Stjp`
+  - [ ] `ifWeMight` — `"posts I1 and S to destSpace (receiver)"`: assert both addrs are retrievable from `destSpace`
+
+#### Phase 1B — Space-Gib integrated (manual)
+
+- [x] Confirm `dev-tools.mts` "Create Session Keystone (S)" button produces a valid genesis keystone (inspect in browser debugger)
+- [x] Confirm "Evolve Domain Keystone (I → I1)" button produces `I1` with correct `sync` claim targeting `S^Stjp`
+- [x] Confirm "Post Evolution" (`putEvolveKeystone`) is accepted by the server (HTTP 200 / success response)
+- [x] Confirm server stores both `I1` and `S` — verify via GET or server-side debugger
+
+---
+
+### Phase 2 — `peer.connect()` (Transport H andshake)
+
+**Goal**: Open the transport channel, if applicable, and sign session identity's `connect` pool.
+
+#### Phase 2A — Innerspace unit test
+
+- [x] Extend `sync-with-identity-basic.respec.mts` with a `respecfully` block: `"Phase 2: connect"` (Note: implemented in separate file `sync-withid.connect.respec.mts`)
+  - [x] `ifWeMight` — `"connect completes without error"`: call `peer.connect()` and assert no exception
+  - [x] `ifWeMight` — `"connect pool is depleted by exactly one challenge"`: assert `S.data.pools['connect'].used` increased by the expected count
+
+#### Phase 2B — Space-Gib integrated (manual)
+
+- [x] Confirm "Connect (WS H andshake)" button in `dev-tools.mts` opens WebSocket successfully
+- [x] Confirm server issues challenge from S's `connect` pool and accepts the solution
+- [x] Confirm session is considered active server-side after handshake
+
+---
+
+### Phase 3 — Basic Single-Timeline Sync with Identity
+
+**Goal**: With identity fully established and transport connected, sync a single ibgib `X` from source to dest. Verify S evolves correctly per turn (`sync` pool), and X's full dependency graph arrives on dest and that after sync, both sender and receiver durable spaces contain the same identity I, full session keystone S dependency graph, and full X dependency graph.
+
+#### Phase 3A — Innerspace unit test
+
+- [ ] Extend `sync-with-identity-basic.respec.mts` or create `sync-with-identity-singletimeline.respec.mts`
+  - [ ] Create `r1_alpha_v0_source` via `TestTransformer`
+  - [ ] Call `senderCoordinator.sync({ domainIbGibs: [alpha], senderIdentity, senderSecret, ... })`
+  - [ ] `ifWeMight` — `"alpha dep graph matches on source and dest"`: use `getDependencyGraph` + `graphsAreEquivalent`
+  - [ ] `ifWeMight` — `"sessionIdentity evolved once per sync turn"`: assert `S.data.n` equals number of outgoing turns
+
+#### Phase 3B — Space-Gib integrated (manual)
+
+- [ ] Trigger a sync of a known test ibgib via `dev-tools.mts` or equivalent UI
+- [ ] Confirm S evolves on each outgoing turn (inspect frame `data.n` in debugger)
+- [ ] Confirm X's full dependency graph is present on the client after commit
+- [ ] Confirm X's full dependency graph is present on the server after commit
+- [ ] Confirm S's full dependency graph is present on the client after commit
+- [ ] Confirm S's full dependency graph is present on the server after commit
+- [ ] Confirm I's full dependency graph is present on the client after commit
+- [ ] Confirm I's full dependency graph is present on the server after commit

package/src/sync/graft-info/graft-info-helpers.respec.mts

@@ -8,7 +8,7 @@ await respecfully(sir, 'Graft Info Helpers', async () => {
 
     await respecfully(sir, 'mergeTextLCS', async () => {
 
-        await ifWeMight(sir, 'mergeTextLCS should interleave unique lines (A then B)', async () => {
+        await ifWe(sir, 'mergeTextLCS should interleave unique lines (A then B)', async () => {
             const textA = "Line 1\nLine A\nLine 3";
             const textB = "Line 1\nLine B\nLine 3";
             const res = await mergeTextByLongestCommonSubsequence({ textA, textB });
@@ -16,7 +16,7 @@ await respecfully(sir, 'Graft Info Helpers', async () => {
             iReckon(sir, res).asTo('result').isGonnaBe(expected);
         });
 
-        await ifWeMight(sir, 'mergeTextLCS should handle insertions', async () => {
+        await ifWe(sir, 'mergeTextLCS should handle insertions', async () => {
             const textA = "Line 1\nLine 3";
             const textB = "Line 1\nLine 2\nLine 3";
             const res = await mergeTextByLongestCommonSubsequence({ textA, textB });
@@ -24,7 +24,7 @@ await respecfully(sir, 'Graft Info Helpers', async () => {
             iReckon(sir, res).asTo('result').isGonnaBe(expected);
         });
 
-        await ifWeMight(sir, 'mergeTextLCS should handle appends', async () => {
+        await ifWe(sir, 'mergeTextLCS should handle appends', async () => {
             const textA = "Line 1";
             const textB = "Line 1\nLine 2";
             const res = await mergeTextByLongestCommonSubsequence({ textA, textB });
@@ -32,7 +32,7 @@ await respecfully(sir, 'Graft Info Helpers', async () => {
             iReckon(sir, res).asTo('result').isGonnaBe(expected);
         });
 
-        await ifWeMight(sir, 'mergeTextLCS should handle simultaneous list additions', async () => {
+        await ifWe(sir, 'mergeTextLCS should handle simultaneous list additions', async () => {
             const textA = "- Item 1\n- Item 2\n- Item A";
             const textB = "- Item 1\n- Item 2\n- Item B";
             const res = await mergeTextByLongestCommonSubsequence({ textA, textB });
@@ -42,7 +42,7 @@ await respecfully(sir, 'Graft Info Helpers', async () => {
             iReckon(sir, res).asTo('result').isGonnaBe(expected);
         });
 
-        await ifWeMight(sir, 'mergeTextLCS should handle distinct modifications in code block', async () => {
+        await ifWe(sir, 'mergeTextLCS should handle distinct modifications in code block', async () => {
             const textA = `function foo() {
     console.log("start");
     doA();
@@ -64,7 +64,7 @@ await respecfully(sir, 'Graft Info Helpers', async () => {
             iReckon(sir, res).asTo('result').isGonnaBe(expected);
         });
 
-        await ifWeMight(sir, 'mergeTextLCS should return same string if identical', async () => {
+        await ifWe(sir, 'mergeTextLCS should return same string if identical', async () => {
             const textA = "Hello";
             const res = await mergeTextByLongestCommonSubsequence({ textA, textB: textA });
             iReckon(sir, res).asTo('result').isGonnaBe(textA);
@@ -75,7 +75,7 @@ await respecfully(sir, 'Graft Info Helpers', async () => {
     await respecfully(sir, 'graftTimelines', async () => {
         // We need a more complex setup to test this properly (mock space, etc.)
         // For now, this placeholder ensures the test file runs.
-        await ifWeMight(sir, 'graftTimelines placeholders', async () => {
+        await ifWe(sir, 'graftTimelines placeholders', async () => {
             iReckon(sir, true).isGonnaBeTrue();
         });
     });

package/src/sync/sync-conflict-adv-multitimelines.respec.mts

@@ -127,7 +127,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
     // #endregion r1 setup
 
     await respecfully(sir, `r1 verify pre`, async () => {
-        await ifWeMight(sir, 'dest should NOT have alpha', async () => {
+        await ifWe(sir, 'dest should NOT have alpha', async () => {
             const resGet = await getFromSpace({
                 space: destSpace,
                 addr: alpha_tjpAddr,
@@ -150,7 +150,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
     if (logalot) { console.log(`${lc} r1_syncSaga Complete.`); }
 
     await respecfully(sir, `r1 verify post`, async () => {
-        await ifWeMight(sir, 'dest should have alpha', async () => {
+        await ifWe(sir, 'dest should have alpha', async () => {
             // alpha's full dep graph should exist on dest
             const [alpha_dest] = await getIbGibsFromCache_fallbackToSpaces({
                 addrs: [r1_alpha_v0_source.addr],
@@ -230,7 +230,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
     // Verify Receiver has correct KV (Pre-Sync Check)
     // This ensures the conflict precondition exists.
     await respecfully(sir, `r2 verify pre`, async () => {
-        await ifWeMight(sir, 'dest has alpha v1 common', async () => {
+        await ifWe(sir, 'dest has alpha v1 common', async () => {
             try {
                 const destKV = await receiverCoordinator.getKnowledgeMap({
                     space: destSpace,
@@ -308,7 +308,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
             if (!alpha_dest_tipAddr) {
                 throw new Error(`dest Space missing timeline tip for ${alpha_tjpAddr} (E: 30b018c6349917aa28c9f538fa567826)`);
             }
-            await ifWeMight(sir, 'tip addrs', async () => {
+            await ifWe(sir, 'tip addrs', async () => {
                 iReckon(sir, alpha_source_tipAddr).asTo('source/dest have same tip addrs').isGonnaBe(alpha_dest_tipAddr);
             })
 
@@ -334,7 +334,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
             // #endregion DEBUG SANITY CHECK
 
 
-            await ifWeMight(sir, 'r2 basics of alpha merge', async () => {
+            await ifWe(sir, 'r2 basics of alpha merge', async () => {
                 iReckon(sir, alpha_source_tipAddr)
                     .asTo(`Source Tip (${alpha_source_tipAddr}) should NOT be r2_alpha_v3_source_rel8dBeta`)
                     .not.isGonnaBe(r2_alpha_v3_source_rel8dBeta.addr);
@@ -357,7 +357,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
                 iReckon(sir, gotten_alpha_source_tipIbGib.data![r2_dest_mut8Info.key!]).asTo(`New Tip has dest field ${r2_dest_mut8Info.key!}`).isGonnaBe(r2_dest_mut8Info.value!);
             });
 
-            await ifWeMight(sir, 'r2 alpha and deps synced', async () => {
+            await ifWe(sir, 'r2 alpha and deps synced', async () => {
                 // alpha's full dep graph should exist on dest, even though its
                 // timeline was grafted
                 const [alpha_dest] = await getIbGibsFromCache_fallbackToSpaces({
@@ -390,7 +390,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
                 }
             });
 
-            await ifWeMight(sir, 'r2 beta and deps synced', async () => {
+            await ifWe(sir, 'r2 beta and deps synced', async () => {
                 // beta's full dep graph should exist on dest
                 const [beta_dest] = await getIbGibsFromCache_fallbackToSpaces({
                     addrs: [r2_beta_v0_source.addr],
@@ -510,7 +510,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
     // #endregion r3 dest edits
 
     await respecfully(sir, `r3 verify pre`, async () => {
-        await ifWeMight(sir, 'dest has both alpha and beta tips (pre-conflict)', async () => {
+        await ifWe(sir, 'dest has both alpha and beta tips (pre-conflict)', async () => {
             try {
                 const destKV = await receiverCoordinator.getKnowledgeMap({
                     space: destSpace,
@@ -585,13 +585,13 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
             });
             const r3_beta_dest_tipAddr = beta_destKV_afterR3[beta_tjpAddr];
             if (!r3_beta_dest_tipAddr) {
-                await ifWeMight(sir, 'r3_beta_dest_tipAddr is falsy?', async () => {
+                await ifWe(sir, 'r3_beta_dest_tipAddr is falsy?', async () => {
                     iReckon(sir, true).asTo('fail').isGonnaBeFalse();
                 });
                 return; /* <<<< returns early */
             }
 
-            await ifWeMight(sir, 'r3 tip addrs match (both timelines)', async () => {
+            await ifWe(sir, 'r3 tip addrs match (both timelines)', async () => {
                 iReckon(sir, r3_alpha_source_tipAddr).asTo('alpha source/dest have same tip addrs').isGonnaBe(r3_alpha_dest_tipAddr);
                 iReckon(sir, r3_beta_source_tipAddr).asTo('beta source/dest have same tip addrs').isGonnaBe(r3_beta_dest_tipAddr);
             });
@@ -610,7 +610,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
             const resGet_r3_beta_tip = await getFromSpace({ space: sourceSpace, addr: r3_beta_source_tipAddr });
             const r3_beta_tipIbGib = resGet_r3_beta_tip.ibGibs![0] as IbGib_V1<TestData>;
 
-            await ifWeMight(sir, 'r3 alpha merge has all four fields (commonField, fieldA, fieldB, fieldC, fieldD)', async () => {
+            await ifWe(sir, 'r3 alpha merge has all four fields (commonField, fieldA, fieldB, fieldC, fieldD)', async () => {
                 // Should have new graft point  with different addr than before
                 iReckon(sir, r3_alpha_source_tipAddr)
                     .asTo(`Alpha R3 tip should NOT be r3_alpha_v4_source_mut8fieldC`)
@@ -631,7 +631,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
                     .isGonnaBe(r3_alpha_v4_dest_mut8Info.value!);
             });
 
-            await ifWeMight(sir, 'r3 beta merge has both fields (betaFieldA, betaFieldB)', async () => {
+            await ifWe(sir, 'r3 beta merge has both fields (betaFieldA, betaFieldB)', async () => {
                 // Should have new graft point with different addr than before
                 iReckon(sir, r3_beta_source_tipAddr)
                     .asTo(`Beta R3 tip should NOT be r3_beta_v1_source`)
@@ -652,7 +652,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
                     .isGonnaBe(r3_dest_beta_mut8Info.value!);
             });
 
-            await ifWeMight(sir, 'r3 alpha and deps synced', async () => {
+            await ifWe(sir, 'r3 alpha and deps synced', async () => {
                 const [alpha_dest] = await getIbGibsFromCache_fallbackToSpaces({
                     // addrs: [r1_alpha_v0_source.addr],
                     addrs: [r3_alpha_source_tipAddr],
@@ -684,7 +684,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
                 }
             });
 
-            await ifWeMight(sir, 'r3 beta and deps synced', async () => {
+            await ifWe(sir, 'r3 beta and deps synced', async () => {
                 const [beta_dest] = await getIbGibsFromCache_fallbackToSpaces({
                     // addrs: [r2_beta_v0_source.addr],
                     addrs: [r3_beta_dest_tipAddr],
@@ -836,7 +836,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
     // #endregion r4 dest edits
 
     await respecfully(sir, `r4 verify pre`, async () => {
-        await ifWeMight(sir, 'dest has alpha and beta post-R3 tips', async () => {
+        await ifWe(sir, 'dest has alpha and beta post-R3 tips', async () => {
             try {
                 const destKV = await receiverCoordinator.getKnowledgeMap({
                     space: destSpace,
@@ -913,7 +913,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
             });
             const r4_beta_dest_tipAddr = r4_beta_destKV[beta_tjpAddr];
             if (!r4_beta_dest_tipAddr) {
-                await ifWeMight(sir, 'r4_beta_dest_tipAddr is falsy?', async () => {
+                await ifWe(sir, 'r4_beta_dest_tipAddr is falsy?', async () => {
                     iReckon(sir, true).asTo('fail').isGonnaBeFalse();
                 });
                 return; /* <<<< returns early */
@@ -933,7 +933,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
             });
             const r4_gamma_dest_tipAddr = r4_gamma_destKV[gamma_tjpAddr];
 
-            await ifWeMight(sir, 'r4 tip addrs match (alpha, beta, gamma)', async () => {
+            await ifWe(sir, 'r4 tip addrs match (alpha, beta, gamma)', async () => {
                 iReckon(sir, r4_alpha_source_tipAddr).asTo('alpha source/dest have same tip addrs').isGonnaBe(r4_alpha_dest_tipAddr);
                 iReckon(sir, r4_beta_source_tipAddr).asTo('beta source/dest have same tip addrs').isGonnaBe(r4_beta_dest_tipAddr);
                 iReckon(sir, r4_gamma_source_tipAddr).asTo('gamma source/dest have same tip addrs').isGonnaBe(r4_gamma_dest_tipAddr);
@@ -958,7 +958,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
             const resGet_r4_gamma_tip = await getFromSpace({ space: sourceSpace, addr: r4_gamma_source_tipAddr });
             const r4_gamma_tipIbGib = resGet_r4_gamma_tip.ibGibs![0] as IbGib_V1<TestData>;
 
-            await ifWeMight(sir, 'r4 alpha has complete chain of edits and gamma relation', async () => {
+            await ifWe(sir, 'r4 alpha has complete chain of edits and gamma relation', async () => {
                 // Should have new graft point with different addr than either pre-graft version
                 iReckon(sir, r4_alpha_source_tipAddr)
                     .asTo(`Alpha R4 tip should NOT be r4_alpha_v7_source`)
@@ -994,7 +994,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
                     .isGonnaBeTrue();
             });
 
-            await ifWeMight(sir, 'r4 beta has all edits', async () => {
+            await ifWe(sir, 'r4 beta has all edits', async () => {
                 // Beta should have new graft from R4
                 iReckon(sir, r4_beta_source_tipAddr)
                     .asTo(`Beta R4 tip should NOT be r4_beta_v2_source (source version pre-graft)`)
@@ -1015,7 +1015,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
                     .isGonnaBe(r4_dest_beta_mut8Info.value!);
             });
 
-            await ifWeMight(sir, 'r4 gamma synced with deps', async () => {
+            await ifWe(sir, 'r4 gamma synced with deps', async () => {
                 const [gamma_dest] = await getIbGibsFromCache_fallbackToSpaces({
                     addrs: [r4_gamma_v0_source.addr],
                     space: destSpace,
@@ -1046,7 +1046,7 @@ await respecfully(sir, `Multi-round/timeline permutations`, async () => {
                 }
             });
 
-            await ifWeMight(sir, 'r4 all timelines dep graphs synced', async () => {
+            await ifWe(sir, 'r4 all timelines dep graphs synced', async () => {
                 // Verify alpha dep graphs
                 const [alpha_dest] = await getIbGibsFromCache_fallbackToSpaces({
                     addrs: [r4_alpha_source_tipAddr],