@ibgib/core-gib 0.1.57 → 0.1.58

package/src/sync/sync-peer/sync-peer-websocket-sender/sync-peer-websocket-sender-v1.mts

@@ -0,0 +1,321 @@
+/**
+ * @module sync-peer-websocket-sender-v1
+ */
+
+import { extractErrorMsg } from '@ibgib/helper-gib/dist/helpers/utils-helper.mjs';
+import { getIbGibAddr } from '@ibgib/ts-gib/dist/helper.mjs';
+import { IbGib_V1 } from '@ibgib/ts-gib/dist/V1/types.mjs';
+import { KeystoneIbGib_V1 } from '../../../keystone/keystone-types.mjs';
+import { KeystoneService_V1 } from '../../../keystone/keystone-service-v1.mjs';
+import { KeystoneStrategyFactory } from '../../../keystone/strategy/keystone-strategy-factory.mjs';
+import { deriveSessionSecret } from '../../sync-helpers.mjs';
+import { SyncPeer_V1 } from '../sync-peer-v1.mjs';
+import { SyncSagaContextIbGib_V1 } from '../../sync-saga-context/sync-saga-context-types.mjs';
+import { GLOBAL_LOG_A_LOT } from '../../../core-constants.mjs';
+import {
+    ConnectSyncPeerWebSocketSenderOpts,
+    InitializeSyncPeerWebSocketSenderOpts,
+    SyncPeerWebSocketSenderData_V1,
+    SyncPeerWebSocketSenderRel8ns_V1,
+    SyncPeerWebSocketSenderIbGib_V1
+} from './sync-peer-websocket-sender-types.mjs';
+import {
+    SESSION_KEYSTONE_POLICY,
+    getConnectChallenge
+} from '../sync-peer-websocket-receiver/sync-websocket-peer-helpers.mjs';
+
+const logalot = GLOBAL_LOG_A_LOT || true;
+
+/**
+ * WebSocket Sender Peer implementation running in browser/native environment.
+ */
+export class SyncPeerWebSocketSender_V1
+    extends SyncPeer_V1<ConnectSyncPeerWebSocketSenderOpts, InitializeSyncPeerWebSocketSenderOpts>
+    implements SyncPeerWebSocketSenderIbGib_V1 {
+
+    protected override lc: string = `[${SyncPeerWebSocketSender_V1.name}]`;
+
+    override get classname(): string {
+        return SyncPeerWebSocketSender_V1.name;
+    }
+
+    public get isSocketOpen(): boolean {
+        return this.ws !== undefined && this.ws.readyState === WebSocket.OPEN;
+    }
+
+    declare data: SyncPeerWebSocketSenderData_V1 | undefined;
+    declare rel8ns: SyncPeerWebSocketSenderRel8ns_V1 | undefined;
+
+    protected ws?: WebSocket;
+    protected activeResolve?: (value: SyncSagaContextIbGib_V1 | undefined) => void;
+    protected activeReject?: (reason: any) => void;
+
+    constructor(
+        initialData: SyncPeerWebSocketSenderData_V1,
+        initialRel8ns?: SyncPeerWebSocketSenderRel8ns_V1,
+    ) {
+        super(initialData, initialRel8ns);
+    }
+
+    protected override async preConnectCheck(opts: ConnectSyncPeerWebSocketSenderOpts): Promise<void> {
+        const lc = `${this.lc}[${this.preConnectCheck.name}]`;
+        if (!this.data?.wsUrl) {
+            throw new Error(`Missing wsUrl in peer data (E: a3b2c1d0e9f8e7d6c5b4a3f2e1d0c910)`);
+        }
+        if (!this.data?.httpEvolveUrl) {
+            throw new Error(`Missing httpEvolveUrl in peer data (E: a3b2c1d0e9f8e7d6c5b4a3f2e1d0c911)`);
+        }
+    }
+
+    /**
+     * Submits the evolved master identity (I1) and new session keystone (S) to the server's HTTP registry.
+     */
+    protected override async postEstablishToReceiver({
+        newSenderIdentity,
+        sessionIdentity,
+    }: {
+        newSenderIdentity: KeystoneIbGib_V1;
+        sessionIdentity: KeystoneIbGib_V1;
+    }): Promise<void> {
+        const lc = `${this.lc}[${this.postEstablishToReceiver.name}]`;
+        try {
+            if (logalot) { console.log(`${lc} posting evolved keystones to ${this.data!.httpEvolveUrl}...`); }
+            if (!this.data) { throw new Error(`(UNEXPECTED) this.data falsy? (E: d642e8a9af18b532c87c6f581aa53b26)`); }
+
+            if (!this.data.httpEvolveUrl) { throw new Error(`(UNEXPECTED) this.data.httpEvolveUrl falsy? (E: 8589ddbb155914d85c09658881da2c26)`); }
+
+            const response = await fetch(this.data.httpEvolveUrl, {
+                method: 'PUT',
+                headers: {
+                    'Content-Type': 'application/json',
+                },
+                body: JSON.stringify({
+                    keystoneIbGib: newSenderIdentity,
+                    relatedIbGibs: [sessionIdentity]
+                }),
+            });
+
+            if (!response.ok) {
+                const data = await response.json().catch(() => ({}));
+                const errorMsg = data.message || data.error || 'Unknown error';
+                throw new Error(`HTTP ${response.status} evolution post rejected. errorMsg: ${errorMsg} (E: e8a478291b88d05c68cf6b385684b826)`);
+            }
+
+            if (logalot) { console.log(`${lc} evolve post accepted by server.`); }
+        } catch (error) {
+            console.error(`${lc} establish post failed: ${extractErrorMsg(error)}`);
+            throw error;
+        }
+    }
+
+    /**
+     * Establishes the stateful WebSocket connection and performs the multi-turn cryptographic challenge connect.
+     */
+    protected override async connectImpl(opts: ConnectSyncPeerWebSocketSenderOpts): Promise<void> {
+        const lc = `${this.lc}[${this.connectImpl.name}]`;
+        try {
+            if (logalot) { console.log(`${lc} starting...`); }
+
+            const { senderIdentity, fnSenderSecret, sagaId, localMetaspace, localSpace } = this.opts!;
+            if (!senderIdentity || !fnSenderSecret || !sagaId) {
+                throw new Error(`Missing identity parameters in peer options (E: ed49b6711ac82efcdb42b8a28c5b6826)`);
+            }
+
+            // 1. Solve upfront pre-filter solution
+            const senderSecret = await fnSenderSecret();
+            const sessionSecret = await deriveSessionSecret({ senderSecret, sagaId });
+
+            // Fetch session identity S that establishSessionIdentity just created
+            const sAddr_tjp = getIbGibAddr({ ibGib: senderIdentity }); // wait, S's past contains I
+            // Actually, we can get the S keystone that was returned by establishSessionIdentity.
+            // Let's resolve S from the sender localSpace using its target claim or the targetAddrs
+            const sAddr = getIbGibAddr({ ibGib: senderIdentity.rel8ns?.past ? senderIdentity : senderIdentity }); // stub: get the actual generated S
+
+            // To make sure we have the exact session identity S, we can query localSpace.
+            // Since we know the sagaId, we can walk or locate it.
+            // But wait, the coordinator calls establishSessionIdentity first, which returns the created S keystone!
+            // Let's store a reference to the sessionIdentity S on this class during establish, or lookup from localSpace.
+            // Wait, does the coordinator let the peer store S? No, but let's query the latest keystone in localSpace.
+            const senderIdentityLatestAddr =
+                await localMetaspace.getLatestAddr({ ibGib: senderIdentity, space: localSpace });
+            if (!senderIdentityLatestAddr) { throw new Error(`senderIdentityLatestAddr falsy. we should have a latest addr that is different than the sender identity at this point (done in the peer establish phase) (E: 225607318bef485d7821f82de97b6826)`); }
+
+            const resGet = await localMetaspace.get({ addrs: [senderIdentityLatestAddr], space: localSpace });
+            const I_tip = resGet.ibGibs?.[0] as KeystoneIbGib_V1;
+
+            // const targetSAddr = I_tip?.rel8ns?.past?.[0] ?? I_tip?.data?.proofs?.[0]?.claim?.target;
+            const targetSAddr = I_tip.data.proofs.at(0)?.claim.target;
+            if (!targetSAddr) {
+                throw new Error(`Could not locate session keystone target from identity (E: 5ec4882f7e5e4c33fbd00ab8b3166726)`);
+            }
+
+            const resGetS = await localMetaspace.get({ addrs: [targetSAddr], space: localSpace });
+            const sessionS = resGetS.ibGibs?.[0] as KeystoneIbGib_V1;
+            if (!sessionS) {
+                throw new Error(`Session keystone not found in local space: ${targetSAddr} (E: 9ba818e6622808bb4ae749be31f80b26)`);
+            }
+
+            // Solve dynamic upfront picket-fence challenge
+            const connectPool =
+                (sessionS.data?.challengePools ?? [])
+                    .find(p => p.id === SESSION_KEYSTONE_POLICY.CONNECT_POOL.ID);
+            if (!connectPool) {
+                throw new Error(`Session keystone missing connect pool (E: f50968afca04b6d38ec19824ea201826)`);
+            }
+
+            const { challengeId } = getConnectChallenge(sessionS);
+            const strategy = KeystoneStrategyFactory.create({ config: connectPool.config });
+            const poolSecret = await strategy.derivePoolSecret({ masterSecret: sessionSecret });
+            const solution = await strategy.generateSolution({
+                poolSecret,
+                poolId: SESSION_KEYSTONE_POLICY.CONNECT_POOL.ID,
+                challengeId
+            });
+
+            // 2. Open WebSocket connection
+            const wsUrl = `${this.data!.wsUrl}?sAddr=${encodeURIComponent(targetSAddr)}&solution=${encodeURIComponent(solution.value)}`;
+            if (logalot) { console.log(`${lc} connecting to WebSocket: ${wsUrl}`); }
+
+            const ws = new WebSocket(wsUrl);
+            this.ws = ws;
+
+            return new Promise<void>((resolve, reject) => {
+                let isResolved = false;
+
+                ws.addEventListener('open', () => {
+                    if (logalot) { console.log(`${lc} WebSocket opened. Awaiting challenge...`); }
+                });
+
+                ws.addEventListener('message', async (ev) => {
+                    try {
+                        const msg = JSON.parse(ev.data);
+                        if (logalot) { console.log(`${lc} received frame: ${msg.type}`); }
+
+                        if (msg.type === 'auth-challenge-init') {
+                            ws.send(JSON.stringify({
+                                type: 'auth-init',
+                                sAddr: targetSAddr
+                            }));
+                        } else if (msg.type === 'auth-challenge') {
+                            const { challengeUuid, demandedIds } = msg;
+                            if (logalot) { console.log(`${lc} solving demanded challenges: ${demandedIds.join(', ')}`); }
+
+                            const keystoneService = new KeystoneService_V1();
+                            const proofFrame = await keystoneService.sign({
+                                latestKeystone: sessionS,
+                                masterSecret: sessionSecret,
+                                poolId: SESSION_KEYSTONE_POLICY.CONNECT_POOL.ID,
+                                requiredChallengeIds: demandedIds,
+                                claim: {
+                                    verb: SESSION_KEYSTONE_POLICY.CONNECT_POOL.VERB,
+                                    target: challengeUuid
+                                },
+                                metaspace: localMetaspace,
+                                space: localSpace
+                            });
+
+                            ws.send(JSON.stringify({
+                                type: 'auth-proof',
+                                proofFrame
+                            }));
+                        } else if (msg.type === 'auth-ok') {
+                            if (logalot) { console.log(`${lc} WebSocket connect SUCCESS!`); }
+                            isResolved = true;
+
+                            // Setup persistent runtime listeners
+                            ws.removeEventListener('message', (() => { }) as any);
+                            ws.addEventListener('message', (event) => this.handleRuntimeMessage(event));
+
+                            resolve();
+                        } else if (msg.type === 'auth-fail') {
+                            reject(new Error(`Connect failed: ${msg.message}`));
+                        }
+                    } catch (error) {
+                        reject(error);
+                    }
+                });
+
+                ws.addEventListener('close', (event) => {
+                    if (!isResolved) {
+                        reject(new Error(`WebSocket closed before connect completed (code: ${event.code})`));
+                    }
+                });
+
+                ws.addEventListener('error', (err) => {
+                    if (!isResolved) {
+                        reject(new Error(`WebSocket connection error`));
+                    }
+                });
+            });
+
+        } catch (error) {
+            console.error(`${lc} connect failed: ${extractErrorMsg(error)}`);
+            throw error;
+        }
+    }
+
+    /**
+     * Handles synchronizing messages and evolved context frames during active transaction turns.
+     */
+    protected handleRuntimeMessage(event: MessageEvent): void {
+        const lc = `${this.lc}[${this.handleRuntimeMessage.name}]`;
+        try {
+            const msg = JSON.parse(event.data);
+            if (logalot) { console.log(`${lc} received runtime frame: ${msg.type}`); }
+
+            if (msg.type === 'sync-frame-response') {
+                if (this.activeResolve) {
+                    const responseContext = msg.context as SyncSagaContextIbGib_V1;
+                    const resolve = this.activeResolve;
+                    this.activeResolve = undefined;
+                    this.activeReject = undefined;
+                    resolve(responseContext);
+                }
+            } else if (msg.type === 'domain-payload') {
+                const payload = msg.ibGib as IbGib_V1;
+                this.payloadIbGibsDomainReceived$.next(payload);
+            }
+        } catch (error) {
+            console.error(`${lc} failed parsing runtime frame: ${extractErrorMsg(error)}`);
+            if (this.activeReject) {
+                this.activeReject(error);
+            }
+        }
+    }
+
+    /**
+     * Serializes the transaction context and payload down the active WebSocket connection.
+     */
+    protected override async sendContextRequest(context: SyncSagaContextIbGib_V1): Promise<SyncSagaContextIbGib_V1 | undefined> {
+        const lc = `${this.lc}[${this.sendContextRequest.name}]`;
+        try {
+            if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+                throw new Error(`WebSocket is not connected or open (E: a3b2c1d0e9f8e7d6c5b4a3f2e1d0c915)`);
+            }
+
+            // 1. Push any outgoing payload domain ibgibs down the pipe
+            const domainPayloads = context.payloadIbGibsDomain ?? [];
+            for (const ibGib of domainPayloads) {
+                this.ws.send(JSON.stringify({
+                    type: 'domain-payload',
+                    ibGib
+                }));
+            }
+
+            // 2. Transmit the synchronizing transaction context
+            return new Promise<SyncSagaContextIbGib_V1 | undefined>((resolve, reject) => {
+                this.activeResolve = resolve;
+                this.activeReject = reject;
+
+                this.ws!.send(JSON.stringify({
+                    type: 'sync-frame',
+                    context
+                }));
+            });
+
+        } catch (error) {
+            console.error(`${lc} sendContextRequest failed: ${extractErrorMsg(error)}`);
+            throw error;
+        }
+    }
+}

package/src/sync/sync-saga-coordinator.mts

@@ -60,6 +60,12 @@ import { GRAFT_INFO_REL8N_NAME } from "./graft-info/graft-info-constants.mjs";
 import { GraftInfoIbGib_V1 } from "./graft-info/graft-info-types.mjs";
 import { validateIbGibIntrinsically } from "@ibgib/ts-gib/dist/V1/validate-helper.mjs";
 import { SYNC_SAGA_CONTEXT_ATOM } from "./sync-saga-context/sync-saga-context-constants.mjs";
+import { KeystoneIbGib_V1 } from "../keystone/keystone-types.mjs";
+import { createStandardPoolConfig } from "../keystone/keystone-config-builder.mjs";
+import {
+    POOL_ID_CONNECT, POOL_ID_SYNC, KEYSTONE_VERB_CONNECT, KEYSTONE_VERB_SYNC
+} from "../keystone/keystone-constants.mjs";
+import { KeystonePoolConfig, KeystoneReplenishStrategy } from "../keystone/keystone-types.mjs";
 
 
 const logalot = GLOBAL_LOG_A_LOT;
@@ -86,6 +92,46 @@ export class SyncSagaCoordinator {
 
     }
 
+    /**
+     * Default pool config for the session keystone's `connect` pool.
+     * Consumed exactly once per saga during `peer.connect()`.
+     * Uses `deleteAll` replenish strategy — after the handshake, the pool is gone.
+     *
+     * Override in subclasses or pass custom config via opts to change security parameters.
+     */
+    protected defaultSessionConnectPoolConfig(): KeystonePoolConfig {
+        return createStandardPoolConfig({
+            id: POOL_ID_CONNECT,
+            salt: `session-connect-${Date.now()}`,
+            verbs: [KEYSTONE_VERB_CONNECT],
+            size: 20,
+            sequential: 2,
+            random: 2,
+            targetBinding: 0,
+            replenishStrategy: KeystoneReplenishStrategy.deleteAll,
+        });
+    }
+
+    /**
+     * Default pool config for the session keystone's per-turn `sync` pool.
+     * Used on each outgoing context frame (Init, Delta, Commit).
+     * Uses `topUp` replenish strategy to stay active throughout the saga.
+     *
+     * Override in subclasses or pass custom config via opts to change security parameters.
+     */
+    protected defaultSessionSyncPoolConfig(): KeystonePoolConfig {
+        return createStandardPoolConfig({
+            id: POOL_ID_SYNC,
+            salt: `session-sync-${Date.now()}`,
+            verbs: [KEYSTONE_VERB_SYNC],
+            size: 200,
+            sequential: 3,
+            random: 3,
+            targetBinding: 3,
+            replenishStrategy: KeystoneReplenishStrategy.topUp,
+        });
+    }
+
     /**
      * Executes a synchronization saga using the Symmetric Sync Protocol.
      *
@@ -96,6 +142,8 @@ export class SyncSagaCoordinator {
     public async sync({
         peer,
         domainIbGibs,
+        senderIdentity,
+        fnSenderSecret,
         conflictStrategy = SyncConflictStrategy.abort,
         metaspace,
         localSpace,
@@ -111,6 +159,22 @@ export class SyncSagaCoordinator {
          * These should all exist in {@link localSpace}
          */
         domainIbGibs: IbGib_V1[],
+        /**
+         * If present, this is the primary identity of the sender, i.e., who is
+         * initiating the sync.
+         *
+         * This should be the most recent frame (tip) of the senderIdentity's
+         * timeline.
+         *
+         * NOTE: {@link fnSenderSecret} must be truthy if this is truthy, and vice versa.
+         */
+        senderIdentity?: KeystoneIbGib_V1,
+        /**
+         * secret corresponding to {@link senderIdentity}.
+         *
+         * NOTE: {@link senderIdentity} must be truthy if this is truthy, and vice versa.
+         */
+        fnSenderSecret?: () => Promise<string>;
         /**
          * The space containing the {@link domainIbGibs} we want to sync. If
          * sync is successful, any updates to timelines will be stored here.
@@ -136,6 +200,11 @@ export class SyncSagaCoordinator {
             throw new Error(`${lc} source (or localSpace) required (E: 25df3761f7686a1099a552f83c95d326)`);
         }
 
+        if (senderIdentity || fnSenderSecret) {
+            if (!senderIdentity) { throw new Error(`(UNEXPECTED) senderIdentity falsy but fnSenderSecret truthy? if either is used, both must be truthy. (E: e366628a4919c7d727d2cbd8e5b75e26)`); }
+            if (!fnSenderSecret) { throw new Error(`(UNEXPECTED) fnSenderSecret falsy but senderIdentity truthy? if either is used, both must be truthy. (E: 7d55ce37ae482fec48e3398158161926)`); }
+        }
+
         // 1. SETUP SAGA METADATA
         const sagaId = await getUUID();
 
@@ -171,6 +240,21 @@ export class SyncSagaCoordinator {
         // Async execution wrapper
         (async () => {
             try {
+                const targetAddrs = domainIbGibs ? domainIbGibs.map(domain => getIbGibAddr({ ibGib: domain })) : undefined;
+
+                // Attach saga-scoped identity opts to peer now that sagaId is known.
+                peer.setOptionalOpts({
+                    sagaId,
+                    senderIdentity,
+                    fnSenderSecret,
+                    sessionConnectPoolConfig: this.defaultSessionConnectPoolConfig(),
+                    sessionSyncPoolConfig: this.defaultSessionSyncPoolConfig(),
+                    targetAddrs,
+                } as any);
+
+                // ESTABLISH SESSION IDENTITY (pre-connect, if identity provided)
+                const sessionIdentity = await peer.establishSessionIdentity();
+
                 // CONNECT PEER (if needed)
                 await peer.connect({ sagaId });
 

package/src/sync/sync-withid.connect.respec.mts

@@ -0,0 +1,243 @@
+/**
+ * @module sync-withid.connect.respec
+ *
+ * Phase 2 — `peer.connect()` (Transport Handshake)
+ *
+ * Goal: Verify that the connection phase executes without error. S's connect
+ * pool remains undepleted (no-op on innerspace).
+ *
+ * @see libs/core-gib/src/sync/docs/security.md — Implementation Plan, Phase 2A
+ */
+
+import {
+    respecfully, ifWeMight, iReckon,
+} from '@ibgib/helper-gib/dist/respec-gib/respec-gib.mjs';
+const maam = `[${import.meta.url}]`, sir = maam;
+import { clone, delay, extractErrorMsg } from '@ibgib/helper-gib/dist/helpers/utils-helper.mjs';
+import { getIbGibAddr } from '@ibgib/ts-gib/dist/helper.mjs';
+
+import { GLOBAL_LOG_A_LOT } from '../core-constants.mjs';
+import { SyncSagaCoordinator } from './sync-saga-coordinator.mjs';
+import { Metaspace_Innerspace } from '../witness/space/metaspace/metaspace-innerspace/metaspace-innerspace.mjs';
+import { InnerSpace_V1 } from '../witness/space/inner-space/inner-space-v1.mjs';
+import { SyncPeerInnerspace_V1 } from './sync-peer/sync-peer-innerspace/sync-peer-innerspace-v1.mjs';
+import { DEFAULT_INNER_SPACE_DATA_V1 } from '../witness/space/inner-space/inner-space-types.mjs';
+import { SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1 } from './sync-peer/sync-peer-innerspace/sync-peer-innerspace-constants.mjs';
+import { KeystoneService_V1 } from '../keystone/keystone-service-v1.mjs';
+import { KeystoneIbGib_V1 } from '../keystone/keystone-types.mjs';
+import {
+    KEYSTONE_VERB_SYNC, POOL_ID_SYNC, POOL_ID_CONNECT, KEYSTONE_VERB_CONNECT,
+} from '../keystone/keystone-constants.mjs';
+import { createStandardPoolConfig } from '../keystone/keystone-config-builder.mjs';
+import { KeystoneReplenishStrategy } from '../keystone/keystone-types.mjs';
+import { SyncConflictStrategy } from './sync-constants.mjs';
+import { IbGibAddr, TransformResult } from '@ibgib/ts-gib/dist/types.mjs';
+import { getIdentity_throwIfUndefined } from '../keystone/keystone-helpers.mjs';
+import { Factory_V1 } from '@ibgib/ts-gib/dist/V1/factory.mjs';
+import { IbGib_V1 } from '@ibgib/ts-gib/dist/V1/types.mjs';
+import { ROOT } from '@ibgib/ts-gib/dist/V1/constants.mjs';
+import { fork } from '@ibgib/ts-gib/dist/V1/transforms/fork.mjs';
+
+const logalot = GLOBAL_LOG_A_LOT;
+const lc = sir;
+
+// ---------------------------------------------------------------------------
+// Test-only identity constants
+// ---------------------------------------------------------------------------
+
+const SENDER_SECRET = 'test-sender-secret-phase1';
+
+// ---------------------------------------------------------------------------
+// Session keystone pool configs
+// ---------------------------------------------------------------------------
+
+const SESSION_CONNECT_POOL_CONFIG = createStandardPoolConfig({
+    id: POOL_ID_CONNECT,
+    salt: 'session-connect-salt-phase1',
+    verbs: [KEYSTONE_VERB_CONNECT],
+    size: 10,
+    sequential: 1,
+    random: 1,
+    targetBinding: 2,
+    replenishStrategy: KeystoneReplenishStrategy.deleteAll,
+});
+
+const SESSION_SYNC_POOL_CONFIG = createStandardPoolConfig({
+    id: POOL_ID_SYNC,
+    salt: 'session-sync-salt-phase1',
+    verbs: [KEYSTONE_VERB_SYNC],
+    size: 200,
+    sequential: 1,
+    random: 1,
+    targetBinding: 2,
+    replenishStrategy: KeystoneReplenishStrategy.topUp,
+});
+
+// ---------------------------------------------------------------------------
+// Top-level senderIdentity (I) pool config
+// ---------------------------------------------------------------------------
+
+const SENDER_IDENTITY_SYNC_POOL_CONFIG = createStandardPoolConfig({
+    id: POOL_ID_SYNC,
+    salt: 'senderidentitysyncsaltphase1',
+    verbs: [KEYSTONE_VERB_SYNC],
+    size: 200,
+    sequential: 1,
+    random: 1,
+    targetBinding: 2,
+    replenishStrategy: KeystoneReplenishStrategy.topUp,
+});
+
+// ---------------------------------------------------------------------------
+// Main test suite
+// ---------------------------------------------------------------------------
+
+await respecfully(sir, `Test Phase 2: peer.connect()`, async () => {
+
+    // #region Init/Setup
+
+    const metaspace = new Metaspace_Innerspace(undefined);
+    await metaspace.initialize({
+        getFnAlert: () => async ({ title, msg }) => { console.log(`[Alert] ${title}: ${msg}`); },
+        getFnPrompt: () => async ({ title, msg }) => { console.log(`[Prompt] ${title}: ${msg}`); return ''; },
+        getFnPromptPassword: () => async (title, msg) => { console.log(`[PromptPwd] ${title}: ${msg}`); return null; },
+    });
+    while (!metaspace.initialized) { await delay(10); }
+
+    const defaultLocalUserSpace = await metaspace.getLocalUserSpace({ lock: false });
+    await defaultLocalUserSpace!.initialized;
+
+    const sourceSpace = new InnerSpace_V1({
+        ...DEFAULT_INNER_SPACE_DATA_V1,
+        name: 'source',
+        uuid: 'source_uuid',
+        description: 'sender durable space',
+    });
+    await sourceSpace.initialized;
+
+    const destSpace = new InnerSpace_V1({
+        ...DEFAULT_INNER_SPACE_DATA_V1,
+        name: 'dest',
+        uuid: 'dest_uuid',
+        description: 'receiver (domain provider) durable space',
+    });
+    await destSpace.initialized;
+
+    const senderCoordinator = new SyncSagaCoordinator();
+    const receiverCoordinator = new SyncSagaCoordinator();
+
+    async function newTestIbGib_stone({ ib = 'test', data }: { ib: string, data?: any }): Promise<IbGib_V1> {
+        const stone = await Factory_V1.stone({
+            parentPrimitiveIb: ib.split(' ').at(0) ?? 'test',
+            ib,
+            data,
+            uuid: true,
+        });
+        return stone;
+    }
+
+    async function newTestPeer(): Promise<SyncPeerInnerspace_V1> {
+        const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
+        await peer.initialized;
+        await peer.initializeOpts({
+            sagaId: '',
+            localMetaspace: metaspace,
+            localSpace: sourceSpace,
+            receiverSpace: destSpace,
+            receiverCoordinator,
+            receiverMetaspace: metaspace,
+        });
+        return peer;
+    }
+
+    const keystoneSvc = new KeystoneService_V1();
+
+    // #endregion Init/Setup
+
+    let senderIdentity: KeystoneIbGib_V1 | undefined;
+
+    // Create senderIdentity genesis (I^Itjp) in sourceSpace
+    senderIdentity = await keystoneSvc.genesis({
+        masterSecret: SENDER_SECRET,
+        configs: [SENDER_IDENTITY_SYNC_POOL_CONFIG],
+        metaspace,
+        space: sourceSpace,
+    });
+
+    // post the senderIdentity to receiver
+    await metaspace.put({ ibGib: senderIdentity, space: destSpace });
+    await metaspace.registerNewIbGib({ ibGib: senderIdentity, space: destSpace });
+
+    // Execute sync
+    let syncError: any = null;
+    let xStone: IbGib_V1;
+    let xStoneAddr: IbGibAddr;
+    let peer: SyncPeerInnerspace_V1;
+
+    try {
+        xStone = await newTestIbGib_stone({ ib: 'test' });
+        xStoneAddr = getIbGibAddr({ ibGib: xStone });
+        await metaspace.put({ ibGib: xStone, space: sourceSpace });
+        await metaspace.registerNewIbGib({ ibGib: xStone, space: sourceSpace });
+
+        peer = await newTestPeer();
+
+        const syncSaga = await senderCoordinator.sync({
+            domainIbGibs: [xStone],
+            senderIdentity,
+            fnSenderSecret: async () => SENDER_SECRET,
+            peer,
+            localSpace: sourceSpace,
+            metaspace,
+            conflictStrategy: SyncConflictStrategy.optimisticWithLCS,
+        });
+        await syncSaga.done;
+
+    } catch (error) {
+        syncError = error;
+        if (logalot) { console.log(`${lc} Captured expected downstream/coordinator error: ${extractErrorMsg(error)}`); }
+    }
+
+    // #region Step 3: Check states
+
+    await ifWeMight(sir, 'does not throw connection-specific errors', async () => {
+        const errorMsg = syncError ? extractErrorMsg(syncError) : '';
+        // If it throws, the error should NOT be related to establishment or connection.
+        // It's expected to throw downstream in executeSagaLoop or continueSync due to missing context authentication/turn signing.
+        iReckon(sir, errorMsg.includes('establish') || errorMsg.includes('connect')).asTo('error is NOT related to establish or connect').isGonnaBeFalsy();
+    });
+
+    await ifWeMight(sir, 'session identity S connect pool is not depleted (innerspace no-op asymmetry)', async () => {
+        // Resolve latest evolved I1
+        const newSenderIdentityAddr = await metaspace.getLatestAddr({
+            ibGib: senderIdentity,
+            space: sourceSpace,
+        });
+        if (!newSenderIdentityAddr) { throw new Error(`newSenderIdentity not found`); }
+
+        const newSenderIdentity = await getIdentity_throwIfUndefined({
+            addr: newSenderIdentityAddr,
+            metaspace,
+            space: sourceSpace,
+        });
+
+        const sessionIdentityTjpAddr = newSenderIdentity.data.proofs
+            .find(p => p.claim.verb === KEYSTONE_VERB_SYNC)?.claim.target;
+        if (!sessionIdentityTjpAddr) { throw new Error(`sessionIdentityTjpAddr not found`); }
+
+        const sessionIdentity = await getIdentity_throwIfUndefined({
+            addr: sessionIdentityTjpAddr,
+            metaspace,
+            space: sourceSpace,
+        });
+
+        // The connect pool should exist and have all challenges remaining (no-op innerspace connect)
+        const connectPool = sessionIdentity.data.challengePools?.find(p => p.id === POOL_ID_CONNECT);
+        iReckon(sir, connectPool).asTo('connect pool exists on S').isGonnaBeTruthy();
+        const remainingChallenges = Object.keys(connectPool?.challenges ?? {});
+        iReckon(sir, remainingChallenges.length).asTo('connect pool has all challenges').willEqual(20);
+    });
+
+    // #endregion Step 3: Check states
+
+});