@ibgib/core-gib 0.1.57 → 0.1.59

package/src/sync/sync-saga-coordinator.mts

@@ -44,7 +44,7 @@ import {
 import { getSyncSagaMessageIb } from "./sync-saga-message/sync-saga-message-helpers.mjs";
 import { SYNC_SAGA_MSG_ATOM } from "./sync-saga-message/sync-saga-message-constants.mjs";
 import { SyncSagaInfo } from "./sync-types.mjs";
-import { splitPerTjpAndOrDna, getTimelinesGroupedByTjp, isIbGib, getIbGibsFromCache_fallbackToSpaces } from "../common/other/ibgib-helper.mjs";
+import { splitPerTjpAndOrDna, getTimelinesGroupedByTjp, isIbGib, getIbGibsFromCache_fallbackToSpaces, toDto, getTjpAddr } from "../common/other/ibgib-helper.mjs";
 import { SyncPeerWitness } from "./sync-peer/sync-peer-types.mjs";
 import { SyncSagaContextData_V1, SyncSagaContextIbGib_V1, SyncSagaContextRel8ns_V1, } from "./sync-saga-context/sync-saga-context-types.mjs";
 import { getSyncSagaContextIb, validateContextAndSagaFrame } from "./sync-saga-context/sync-saga-context-helpers.mjs";
@@ -60,10 +60,17 @@ import { GRAFT_INFO_REL8N_NAME } from "./graft-info/graft-info-constants.mjs";
 import { GraftInfoIbGib_V1 } from "./graft-info/graft-info-types.mjs";
 import { validateIbGibIntrinsically } from "@ibgib/ts-gib/dist/V1/validate-helper.mjs";
 import { SYNC_SAGA_CONTEXT_ATOM } from "./sync-saga-context/sync-saga-context-constants.mjs";
+import { KeystoneIbGib_V1 } from "../keystone/keystone-types.mjs";
+import { createStandardPoolConfig } from "../keystone/keystone-config-builder.mjs";
+import {
+    POOL_ID_CONNECT, POOL_ID_SYNC, KEYSTONE_VERB_CONNECT, KEYSTONE_VERB_SYNC
+} from "../keystone/keystone-constants.mjs";
+import { KeystonePoolConfig, KeystoneReplenishStrategy } from "../keystone/keystone-types.mjs";
+import { SyncPeer_V1 } from "./sync-peer/sync-peer-v1.mjs";
 
 
-const logalot = GLOBAL_LOG_A_LOT;
-const logalotControlDomain = false;
+const logalot = GLOBAL_LOG_A_LOT || true;
+const logalotControlDomain = true;
 const lcControlDomain = '[ControlDomain]';
 
 /**
@@ -86,6 +93,46 @@ export class SyncSagaCoordinator {
 
     }
 
+    /**
+     * Default pool config for the session keystone's `connect` pool.
+     * Consumed exactly once per saga during `peer.connect()`.
+     * Uses `deleteAll` replenish strategy — after the handshake, the pool is gone.
+     *
+     * Override in subclasses or pass custom config via opts to change security parameters.
+     */
+    protected defaultSessionConnectPoolConfig(): KeystonePoolConfig {
+        return createStandardPoolConfig({
+            id: POOL_ID_CONNECT,
+            salt: `session-connect-${Date.now()}`,
+            verbs: [KEYSTONE_VERB_CONNECT],
+            size: 20,
+            sequential: 2,
+            random: 2,
+            targetBinding: 0,
+            replenishStrategy: KeystoneReplenishStrategy.deleteAll,
+        });
+    }
+
+    /**
+     * Default pool config for the session keystone's per-turn `sync` pool.
+     * Used on each outgoing context frame (Init, Delta, Commit).
+     * Uses `topUp` replenish strategy to stay active throughout the saga.
+     *
+     * Override in subclasses or pass custom config via opts to change security parameters.
+     */
+    protected defaultSessionSyncPoolConfig(): KeystonePoolConfig {
+        return createStandardPoolConfig({
+            id: POOL_ID_SYNC,
+            salt: `session-sync-${Date.now()}`,
+            verbs: [KEYSTONE_VERB_SYNC],
+            size: 200,
+            sequential: 3,
+            random: 3,
+            targetBinding: 3,
+            replenishStrategy: KeystoneReplenishStrategy.topUp,
+        });
+    }
+
     /**
      * Executes a synchronization saga using the Symmetric Sync Protocol.
      *
@@ -96,6 +143,8 @@ export class SyncSagaCoordinator {
     public async sync({
         peer,
         domainIbGibs,
+        senderIdentity,
+        fnSenderSecret,
         conflictStrategy = SyncConflictStrategy.abort,
         metaspace,
         localSpace,
@@ -111,6 +160,22 @@ export class SyncSagaCoordinator {
          * These should all exist in {@link localSpace}
          */
         domainIbGibs: IbGib_V1[],
+        /**
+         * If present, this is the primary identity of the sender, i.e., who is
+         * initiating the sync.
+         *
+         * This should be the most recent frame (tip) of the senderIdentity's
+         * timeline.
+         *
+         * NOTE: {@link fnSenderSecret} must be truthy if this is truthy, and vice versa.
+         */
+        senderIdentity?: KeystoneIbGib_V1,
+        /**
+         * secret corresponding to {@link senderIdentity}.
+         *
+         * NOTE: {@link senderIdentity} must be truthy if this is truthy, and vice versa.
+         */
+        fnSenderSecret?: () => Promise<string>;
         /**
          * The space containing the {@link domainIbGibs} we want to sync. If
          * sync is successful, any updates to timelines will be stored here.
@@ -136,6 +201,11 @@ export class SyncSagaCoordinator {
             throw new Error(`${lc} source (or localSpace) required (E: 25df3761f7686a1099a552f83c95d326)`);
         }
 
+        if (senderIdentity || fnSenderSecret) {
+            if (!senderIdentity) { throw new Error(`(UNEXPECTED) senderIdentity falsy but fnSenderSecret truthy? if either is used, both must be truthy. (E: e366628a4919c7d727d2cbd8e5b75e26)`); }
+            if (!fnSenderSecret) { throw new Error(`(UNEXPECTED) fnSenderSecret falsy but senderIdentity truthy? if either is used, both must be truthy. (E: 7d55ce37ae482fec48e3398158161926)`); }
+        }
+
         // 1. SETUP SAGA METADATA
         const sagaId = await getUUID();
 
@@ -171,6 +241,21 @@ export class SyncSagaCoordinator {
         // Async execution wrapper
         (async () => {
             try {
+                const targetAddrs = domainIbGibs ? domainIbGibs.map(domain => getIbGibAddr({ ibGib: domain })) : undefined;
+
+                // Attach saga-scoped identity opts to peer now that sagaId is known.
+                peer.setOptionalOpts({
+                    sagaId,
+                    senderIdentity,
+                    fnSenderSecret,
+                    sessionConnectPoolConfig: this.defaultSessionConnectPoolConfig(),
+                    sessionSyncPoolConfig: this.defaultSessionSyncPoolConfig(),
+                    targetAddrs,
+                } as any);
+
+                // ESTABLISH SESSION IDENTITY (pre-connect, if identity provided)
+                await peer.establishSessionIdentity();
+
                 // CONNECT PEER (if needed)
                 await peer.connect({ sagaId });
 
@@ -180,6 +265,7 @@ export class SyncSagaCoordinator {
                     domainIbGibs,
                     conflictStrategy,
                     metaspace, localSpace, tempSpace,
+                    peer,
                 });
 
                 // KICK OFF THE PING-PONG SAGA LOOP (FSM)
@@ -225,6 +311,7 @@ export class SyncSagaCoordinator {
         mySpace,
         myTempSpace,
         metaspace,
+        peer,
     }: {
         sagaContext: SyncSagaContextIbGib_V1,
         /**
@@ -236,6 +323,10 @@ export class SyncSagaCoordinator {
          */
         myTempSpace: IbGibSpaceAny,
         metaspace: MetaspaceService,
+        /**
+         * the peer that is continuing the sync
+         */
+        peer: SyncPeer_V1,
     }): Promise<SyncSagaContextIbGib_V1 | null> {
         const lc = `${this.lc}[${this.continueSync.name}]`;
         try {
@@ -273,6 +364,9 @@ export class SyncSagaCoordinator {
                 localSpace: mySpace,
                 payloadIbGibsDomain,
                 metaspace,
+                sessionIdentityAddr: sagaContext.rel8ns?.sessionIdentity?.[0],
+                peer,
+                skipSign: true,
             });
 
 
@@ -384,6 +478,8 @@ export class SyncSagaCoordinator {
                 payloadIbGibsDomain: nextDomainIbGibs,
                 localSpace,
                 metaspace,
+                sessionIdentityAddr: peer.currentSessionIdentityAddr,
+                peer,
             });
 
             // #region Log what we're sending
@@ -528,6 +624,9 @@ export class SyncSagaCoordinator {
         payloadIbGibsDomain,
         metaspace,
         localSpace,
+        sessionIdentityAddr,
+        peer,
+        skipSign,
     }: {
         /**
          * The main saga frame (Init, Ack, etc.).
@@ -547,6 +646,22 @@ export class SyncSagaCoordinator {
          * execution POV) right when we create it.
          */
         localSpace: IbGibSpaceAny;
+        sessionIdentityAddr?: string;
+        peer: SyncPeerWitness;
+        /**
+         * If true, will not sign context.
+         *
+         * For now, this should be true when we call {@link continueSync}, as
+         * the receiver does not sign any keystones.
+         *
+         * ## intent
+         *
+         * In V1, our receiving endpoint is not signing the context, rather, it
+         * is just returning its response context ibgib with the same session
+         * identity addr. We are thus trusting the security of the transport
+         * itself for now.
+         */
+        skipSign?: boolean,
     }): Promise<SyncSagaContextIbGib_V1> {
         const lc = `[${this.createSyncSagaContext.name}]`;
         try {
@@ -580,6 +695,20 @@ export class SyncSagaCoordinator {
                 sagaFrame: [getIbGibAddr({ ibGib: sagaFrame })],
             };
 
+            let sessionIdentity: KeystoneIbGib_V1 | undefined = undefined;
+            if (sessionIdentityAddr) {
+                sessionIdentityAddr =
+                    await metaspace.getLatestAddr({ addr: sessionIdentityAddr, space: localSpace }) ?? sessionIdentityAddr;
+                const resGet = await getFromSpace({ addr: sessionIdentityAddr, space: localSpace });
+                if (resGet.success && resGet.ibGibs?.length === 1) {
+                    sessionIdentity = resGet.ibGibs![0]! as KeystoneIbGib_V1;
+                    rel8ns.sessionIdentity = [sessionIdentityAddr];
+                } else {
+                    debugger; // what stage of the algo is this? which side?
+                    throw new Error(`Couldn't get sessionIdentityAddr (${sessionIdentityAddr}) in space: ${localSpace.ib} (E: 5c29e80d68dbd1749866c358be093826)`);
+                }
+            }
+
             // Generate standard ib
             const ib = await getSyncSagaContextIb({ data });
 
@@ -590,8 +719,16 @@ export class SyncSagaCoordinator {
                 rel8ns,
             }) as SyncSagaContextIbGib_V1;
 
-            // put/register immediately. Note that contextIbGib at this point is
-            // pure DTO, i.e., only ib, gib, data, rel8ns props.
+            const contextAddr = getIbGibAddr({ ibGib: contextIbGib });
+            let signedSessionIdentity: KeystoneIbGib_V1 | undefined = undefined;
+            if (sessionIdentity && !skipSign) {
+                // signing context persists and registers the new keystone
+                // using the peer's localMetaspace and localSpace
+                signedSessionIdentity = await peer.signContext({ contextAddr });
+            }
+
+            // put/register context immediately in local space (currently is a
+            // DTO) but we don't want a broadcast on the metaspace
             await putInSpace({ ibGib: contextIbGib, space: localSpace, });
             await registerNewIbGib({
                 ibGib: contextIbGib,
@@ -599,11 +736,14 @@ export class SyncSagaCoordinator {
                 fnBroadcast: undefined,
             });
 
-            // Attach actual ibgibs for transport (not pure DTO now)
+            // Attach actual ibgibs for transport
             contextIbGib.sagaFrame = sagaFrame;
             if (payloadIbGibsDomain && payloadIbGibsDomain.length > 0) {
                 contextIbGib.payloadIbGibsDomain = payloadIbGibsDomain;
             }
+            if (signedSessionIdentity) {
+                contextIbGib.signedSessionIdentity = signedSessionIdentity;
+            }
 
             return contextIbGib;
         } catch (error) {
@@ -733,6 +873,7 @@ export class SyncSagaCoordinator {
         metaspace,
         localSpace,
         tempSpace,
+        peer,
     }: {
         sagaId: string,
         domainIbGibs: IbGib_V1[],
@@ -740,6 +881,7 @@ export class SyncSagaCoordinator {
         metaspace: MetaspaceService,
         localSpace: IbGibSpaceAny,
         tempSpace: IbGibSpaceAny,
+        peer: SyncPeerWitness,
     }): Promise<{ initFrame: SyncIbGib_V1, initDomainGraph: { [addr: string]: IbGib_V1 } }> {
         const lc = `${this.lc}[${this.createInitFrame.name}]`;
         try {
@@ -786,6 +928,7 @@ export class SyncSagaCoordinator {
                 conflictStrategy,
                 metaspace,
                 localSpace,
+                sessionIdentity: peer.currentSessionIdentity,
             });
 
             if (logalot) { console.log(`${lc} sagaFrame (init): ${pretty(sagaFrame)} (I: b3d6a8be69248f18713cc3073cb08626)`); }
@@ -2509,12 +2652,19 @@ export class SyncSagaCoordinator {
         msgStones,
         localSpace,
         metaspace,
+        sessionIdentity,
     }: {
         prevSagaIbGib?: SyncIbGib_V1,
         conflictStrategy?: SyncConflictStrategy,
         msgStones: IbGib_V1[],
         localSpace: IbGibSpaceAny,
         metaspace: MetaspaceService,
+        /**
+         * this is only used on the init frame ({@link prevSagaIbGib}).
+         * otherwise, the sessionIdentityTjpAddr for the next sync saga ibgib
+         * frame will be driven by the {@link prevSagaIbGib}.
+         */
+        sessionIdentity?: KeystoneIbGib_V1 | undefined,
     }): Promise<SyncIbGib_V1> {
         const lc = `${this.lc}[${this.evolveSyncSagaIbGib.name}]`;
         try {
@@ -2584,6 +2734,12 @@ export class SyncSagaCoordinator {
                     isTjp: true,
                     conflictStrategy,
                 };
+                if (sessionIdentity) {
+                    const sessionIdentityTjpAddr =
+                        getTjpAddr({ ibGib: sessionIdentity });
+                    if (!sessionIdentityTjpAddr) { throw new Error(`(UNEXPECTED) sessionIdentity is truthy but sessionIdentityTjpAddr falsy? (E: f52004c10288987a6886f4e8fdf90826)`); }
+                    data.sessionIdentityTjpAddr = sessionIdentityTjpAddr;
+                }
                 // ib
                 const ib = await getSyncIb({ data });
                 // rel8ns

package/src/sync/sync-types.mts

@@ -4,11 +4,8 @@ import { IbGib_V1, IbGibData_V1, IbGibRel8ns_V1 } from "@ibgib/ts-gib/dist/V1/ty
 import { SubjectWitness } from "../common/pubsub/subject/subject-types.mjs";
 import { SyncSagaContextIbGib_V1 } from "./sync-saga-context/sync-saga-context-types.mjs";
 import { SYNC_ATOM, SYNC_MSG_REL8N_NAME, SyncConflictStrategy, } from "./sync-constants.mjs";
-import { IbGibSpaceAny } from "../witness/space/space-base-v1.mjs";
-import { MetaspaceService } from "../witness/space/metaspace/metaspace-types.mjs";
-import { SyncPeerWitness } from "./sync-peer/sync-peer-types.mjs";
 import { FlatIbGibGraph } from "../common/other/graph-types.mjs";
-import { SyncSagaConflictInfo, SyncSagaMessageIbGib_V1 } from "./sync-saga-message/sync-saga-message-types.mjs";
+import { SyncSagaMessageIbGib_V1 } from "./sync-saga-message/sync-saga-message-types.mjs";
 
 
 // #region SyncMode
@@ -184,6 +181,14 @@ export interface SyncData_V1 extends IbGibData_V1 {
      * 2. Rate limiting / Backpressure (Don't process this old request).
      */
     expirationTimestamp?: string;
+
+    /**
+     * If using session identity in the sync saga, this should be set and
+     * carried over in each saga frame
+     *
+     * TODO: IMPLEMENT THIS IN CODE. I HAVE JUST STUBBED THIS PROPERTY BUT IT DOES NOT EXIST IN CODE.
+     */
+    sessionIdentityTjpAddr?: IbGibAddr;
 }
 
 export interface SyncRel8ns_V1 extends IbGibRel8ns_V1 {
@@ -197,3 +202,22 @@ export interface SyncRel8ns_V1 extends IbGibRel8ns_V1 {
 export interface SyncIbGib_V1 extends IbGib_V1<SyncData_V1, SyncRel8ns_V1> { }
 
 // #endregion Sync Ib, Data, Rel8ns, IbGib
+
+/**
+ * A session keystone should have this info in
+ * `sessionIdentity.data.frameDetails`.
+ */
+export interface SessionGenesisFrameDetails {
+    senderIdentityAddr: IbGibAddr;
+    senderIdentityTjpAddr: IbGibAddr;
+    targetAddrs?: IbGibAddr[];
+}
+
+/**
+ * used in authentication/validation/authorization
+ * basically, **when** are we calling this validation method?
+ *
+ * terrible name, probably a code smell, but i'm getting desperate here
+ * to get this working.
+ */
+export type StageInProtocol = "beforeSend" | "beforeReceive";

package/src/sync/sync-withid.connect.respec.mts

@@ -0,0 +1,243 @@
+/**
+ * @module sync-withid.connect.respec
+ *
+ * Phase 2 — `peer.connect()` (Transport Handshake)
+ *
+ * Goal: Verify that the connection phase executes without error. S's connect
+ * pool remains undepleted (no-op on innerspace).
+ *
+ * @see libs/core-gib/src/sync/docs/security.md — Implementation Plan, Phase 2A
+ */
+
+import {
+    respecfully, ifWe, iReckon,
+} from '@ibgib/helper-gib/dist/respec-gib/respec-gib.mjs';
+const maam = `[${import.meta.url}]`, sir = maam;
+import { clone, delay, extractErrorMsg } from '@ibgib/helper-gib/dist/helpers/utils-helper.mjs';
+import { getIbGibAddr } from '@ibgib/ts-gib/dist/helper.mjs';
+
+import { GLOBAL_LOG_A_LOT } from '../core-constants.mjs';
+import { SyncSagaCoordinator } from './sync-saga-coordinator.mjs';
+import { Metaspace_Innerspace } from '../witness/space/metaspace/metaspace-innerspace/metaspace-innerspace.mjs';
+import { InnerSpace_V1 } from '../witness/space/inner-space/inner-space-v1.mjs';
+import { SyncPeerInnerspace_V1 } from './sync-peer/sync-peer-innerspace/sync-peer-innerspace-v1.mjs';
+import { DEFAULT_INNER_SPACE_DATA_V1 } from '../witness/space/inner-space/inner-space-types.mjs';
+import { SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1 } from './sync-peer/sync-peer-innerspace/sync-peer-innerspace-constants.mjs';
+import { KeystoneService_V1 } from '../keystone/keystone-service-v1.mjs';
+import { KeystoneIbGib_V1 } from '../keystone/keystone-types.mjs';
+import {
+    KEYSTONE_VERB_SYNC, POOL_ID_SYNC, POOL_ID_CONNECT, KEYSTONE_VERB_CONNECT,
+} from '../keystone/keystone-constants.mjs';
+import { createStandardPoolConfig } from '../keystone/keystone-config-builder.mjs';
+import { KeystoneReplenishStrategy } from '../keystone/keystone-types.mjs';
+import { SyncConflictStrategy } from './sync-constants.mjs';
+import { IbGibAddr, TransformResult } from '@ibgib/ts-gib/dist/types.mjs';
+import { getIdentity_throwIfUndefined } from '../keystone/keystone-helpers.mjs';
+import { Factory_V1 } from '@ibgib/ts-gib/dist/V1/factory.mjs';
+import { IbGib_V1 } from '@ibgib/ts-gib/dist/V1/types.mjs';
+import { ROOT } from '@ibgib/ts-gib/dist/V1/constants.mjs';
+import { fork } from '@ibgib/ts-gib/dist/V1/transforms/fork.mjs';
+
+const logalot = GLOBAL_LOG_A_LOT;
+const lc = sir;
+
+// ---------------------------------------------------------------------------
+// Test-only identity constants
+// ---------------------------------------------------------------------------
+
+const SENDER_SECRET = 'test-sender-secret-phase1';
+
+// ---------------------------------------------------------------------------
+// Session keystone pool configs
+// ---------------------------------------------------------------------------
+
+const SESSION_CONNECT_POOL_CONFIG = createStandardPoolConfig({
+    id: POOL_ID_CONNECT,
+    salt: 'session-connect-salt-phase1',
+    verbs: [KEYSTONE_VERB_CONNECT],
+    size: 10,
+    sequential: 1,
+    random: 1,
+    targetBinding: 2,
+    replenishStrategy: KeystoneReplenishStrategy.deleteAll,
+});
+
+const SESSION_SYNC_POOL_CONFIG = createStandardPoolConfig({
+    id: POOL_ID_SYNC,
+    salt: 'session-sync-salt-phase1',
+    verbs: [KEYSTONE_VERB_SYNC],
+    size: 200,
+    sequential: 1,
+    random: 1,
+    targetBinding: 2,
+    replenishStrategy: KeystoneReplenishStrategy.topUp,
+});
+
+// ---------------------------------------------------------------------------
+// Top-level senderIdentity (I) pool config
+// ---------------------------------------------------------------------------
+
+const SENDER_IDENTITY_SYNC_POOL_CONFIG = createStandardPoolConfig({
+    id: POOL_ID_SYNC,
+    salt: 'senderidentitysyncsaltphase1',
+    verbs: [KEYSTONE_VERB_SYNC],
+    size: 200,
+    sequential: 1,
+    random: 1,
+    targetBinding: 2,
+    replenishStrategy: KeystoneReplenishStrategy.topUp,
+});
+
+// ---------------------------------------------------------------------------
+// Main test suite
+// ---------------------------------------------------------------------------
+
+await respecfully(sir, `Test Phase 2: peer.connect()`, async () => {
+
+    // #region Init/Setup
+
+    const metaspace = new Metaspace_Innerspace(undefined);
+    await metaspace.initialize({
+        getFnAlert: () => async ({ title, msg }) => { console.log(`[Alert] ${title}: ${msg}`); },
+        getFnPrompt: () => async ({ title, msg }) => { console.log(`[Prompt] ${title}: ${msg}`); return ''; },
+        getFnPromptPassword: () => async (title, msg) => { console.log(`[PromptPwd] ${title}: ${msg}`); return null; },
+    });
+    while (!metaspace.initialized) { await delay(10); }
+
+    const defaultLocalUserSpace = await metaspace.getLocalUserSpace({ lock: false });
+    await defaultLocalUserSpace!.initialized;
+
+    const sourceSpace = new InnerSpace_V1({
+        ...DEFAULT_INNER_SPACE_DATA_V1,
+        name: 'source',
+        uuid: 'source_uuid',
+        description: 'sender durable space',
+    });
+    await sourceSpace.initialized;
+
+    const destSpace = new InnerSpace_V1({
+        ...DEFAULT_INNER_SPACE_DATA_V1,
+        name: 'dest',
+        uuid: 'dest_uuid',
+        description: 'receiver (domain provider) durable space',
+    });
+    await destSpace.initialized;
+
+    const senderCoordinator = new SyncSagaCoordinator();
+    const receiverCoordinator = new SyncSagaCoordinator();
+
+    async function newTestIbGib_stone({ ib = 'test', data }: { ib: string, data?: any }): Promise<IbGib_V1> {
+        const stone = await Factory_V1.stone({
+            parentPrimitiveIb: ib.split(' ').at(0) ?? 'test',
+            ib,
+            data,
+            uuid: true,
+        });
+        return stone;
+    }
+
+    async function newTestPeer(): Promise<SyncPeerInnerspace_V1> {
+        const peer = new SyncPeerInnerspace_V1(clone(SYNC_PEER_INNERSPACE_DEFAULT_DATA_V1));
+        await peer.initialized;
+        await peer.initializeOpts({
+            sagaId: '',
+            localMetaspace: metaspace,
+            localSpace: sourceSpace,
+            receiverSpace: destSpace,
+            receiverCoordinator,
+            receiverMetaspace: metaspace,
+        });
+        return peer;
+    }
+
+    const keystoneSvc = new KeystoneService_V1();
+
+    // #endregion Init/Setup
+
+    let senderIdentity: KeystoneIbGib_V1 | undefined;
+
+    // Create senderIdentity genesis (I^Itjp) in sourceSpace
+    senderIdentity = await keystoneSvc.genesis({
+        masterSecret: SENDER_SECRET,
+        configs: [SENDER_IDENTITY_SYNC_POOL_CONFIG],
+        metaspace,
+        space: sourceSpace,
+    });
+
+    // post the senderIdentity to receiver
+    await metaspace.put({ ibGib: senderIdentity, space: destSpace });
+    await metaspace.registerNewIbGib({ ibGib: senderIdentity, space: destSpace });
+
+    // Execute sync
+    let syncError: any = null;
+    let xStone: IbGib_V1;
+    let xStoneAddr: IbGibAddr;
+    let peer: SyncPeerInnerspace_V1;
+
+    try {
+        xStone = await newTestIbGib_stone({ ib: 'test' });
+        xStoneAddr = getIbGibAddr({ ibGib: xStone });
+        await metaspace.put({ ibGib: xStone, space: sourceSpace });
+        await metaspace.registerNewIbGib({ ibGib: xStone, space: sourceSpace });
+
+        peer = await newTestPeer();
+
+        const syncSaga = await senderCoordinator.sync({
+            domainIbGibs: [xStone],
+            senderIdentity,
+            fnSenderSecret: async () => SENDER_SECRET,
+            peer,
+            localSpace: sourceSpace,
+            metaspace,
+            conflictStrategy: SyncConflictStrategy.optimisticWithLCS,
+        });
+        await syncSaga.done;
+
+    } catch (error) {
+        syncError = error;
+        if (logalot) { console.log(`${lc} Captured expected downstream/coordinator error: ${extractErrorMsg(error)}`); }
+    }
+
+    // #region Step 3: Check states
+
+    await ifWe(sir, 'does not throw connection-specific errors', async () => {
+        const errorMsg = syncError ? extractErrorMsg(syncError) : '';
+        // If it throws, the error should NOT be related to establishment or connection.
+        // It's expected to throw downstream in executeSagaLoop or continueSync due to missing context authentication/turn signing.
+        iReckon(sir, errorMsg.includes('establish') || errorMsg.includes('connect')).asTo('error is NOT related to establish or connect').isGonnaBeFalsy();
+    });
+
+    await ifWe(sir, 'session identity S connect pool is not depleted (innerspace no-op asymmetry)', async () => {
+        // Resolve latest evolved I1
+        const newSenderIdentityAddr = await metaspace.getLatestAddr({
+            ibGib: senderIdentity,
+            space: sourceSpace,
+        });
+        if (!newSenderIdentityAddr) { throw new Error(`newSenderIdentity not found`); }
+
+        const newSenderIdentity = await getIdentity_throwIfUndefined({
+            addr: newSenderIdentityAddr,
+            metaspace,
+            space: sourceSpace,
+        });
+
+        const sessionIdentityTjpAddr = newSenderIdentity.data.proofs
+            .find(p => p.claim.verb === KEYSTONE_VERB_SYNC)?.claim.target;
+        if (!sessionIdentityTjpAddr) { throw new Error(`sessionIdentityTjpAddr not found`); }
+
+        const sessionIdentity = await getIdentity_throwIfUndefined({
+            addr: sessionIdentityTjpAddr,
+            metaspace,
+            space: sourceSpace,
+        });
+
+        // The connect pool should exist and have all challenges remaining (no-op innerspace connect)
+        const connectPool = sessionIdentity.data.challengePools?.find(p => p.id === POOL_ID_CONNECT);
+        iReckon(sir, connectPool).asTo('connect pool exists on S').isGonnaBeTruthy();
+        const remainingChallenges = Object.keys(connectPool?.challenges ?? {});
+        iReckon(sir, remainingChallenges.length).asTo('connect pool has all challenges').willEqual(20);
+    });
+
+    // #endregion Step 3: Check states
+
+});