feat: Add system vats support with KernelFacet #803
Implement system vats that are launched at kernel initialization and have access to privileged kernel services.

Key changes:
- Add SystemVatConfig type and getSystemVatRoot method to Kernel
- Launch system vats after queue starts to avoid deadlock
- Terminate and relaunch existing system vat subclusters on restart
- Add bootstrap-vat.js for Omnium system services with CapletController
- Add baggage-backed storage adapter for vat persistence
- Pass systemVats config via URL params from offscreen to kernel worker
- Update background.ts to use system vat for caplet operations
- Add process.env.NODE_ENV replacement in vat bundler for SES compatibility
- Simplify kernel-facet.ts by removing SystemVatManager
- Add duplicate name check in KernelServiceManager.registerKernelServiceObject

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Rename bootstrap-vat.js to bootstrap-vat.ts with full type annotations
- Export Baggage type from baggage-adapter.ts
- Make logger optional throughout controller hierarchy
- Simplify defineMethods to take array of method names instead of object map
- Update background.ts to use simplified method names (install, uninstall, etc.)
- Update package.json build script to reference .ts file

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Expose the kernel's reset method via CapTP so it can be called from the background script. Co-Authored-By: Claude Opus 4.5 <[email protected]>
The vat hosts controllers, which better describes its purpose than the generic "bootstrap" name. Co-Authored-By: Claude Opus 4.5 <[email protected]>
…cranks

Changed invokeKernelService to not await the service method result. Instead, it uses Promise chaining to resolve the kernel promise when the method eventually completes. This allows service methods to internally use waitForCrank() without causing deadlock - the crank can complete, and the resolution happens in a future turn of the event loop.

Key changes:
- KernelServiceManager.invokeKernelService() now returns void instead of Promise<void> and uses Promise.resolve().then().catch() for async handling
- KernelRouter.#deliverKernelServiceMessage() is now synchronous
- Updated tests to use delay() for microtask flushing

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Add a `globals` field to VatConfig that allows specifying which globals should be available in the vat's SES Compartment. This fixes the `Date.now()` error when the controller-vat runs under SES lockdown. VatSupervisor reads the globals list and adds requested globals from an allowlist to the compartment endowments. Currently only `Date` is allowed. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Add `callCapletMethod` to the omnium.caplet API for invoking methods on installed caplets directly from the console. Simplify the echo caplet ID from 'com.example.echo' to 'echo' and update the response format. Co-Authored-By: Claude Opus 4.5 <[email protected]>
f58f8c0 to 079a10a

@cursor review
Remove `initializeControllers` and `makeChromeStorageAdapter` which are no longer used now that the caplet controller runs inside the vat with baggage-backed storage instead of chrome.storage. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Use proper return type from KernelFacade['queueMessage'] instead of generic type parameter. Add error handling for missing root kref. Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Fix callBootstrap type annotations to use proper return type
- Handle null tombstones in baggage adapter get() method
- Add promise rejection handling to controller-vat bootstrap()

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@cursor review
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| baggage.init(key, harden(value)); | ||
| keys.add(key); | ||
| saveKeys(keys); | ||
| } |
Deleted keys not re-added to tracking on set
Medium Severity
The set() method fails to re-add a previously deleted key to the tracking list. When delete() is called, the key is removed from the keys tracking set but remains in baggage as a null tombstone. On subsequent set() calls for that key, baggage.has(key) returns true (due to the tombstone), so the code takes the update branch which doesn't call keys.add(key) or saveKeys(). This results in the value being stored correctly but keys() not returning the key, causing data to be invisible to iteration-based operations.
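The tombstone behaviour described in this comment, reproduced as an added example (not the project's adapter code). The fake baggage, the `__keys__` tracking entry and the `retrackOnUpdate` switch are assumptions made for illustration, and `harden()` is left out so the block runs outside SES.

```javascript
// Stand-in for vat baggage (assumption): init() for new keys, set() for existing.
function makeFakeBaggage() {
  const m = new Map();
  return {
    has: (k) => m.has(k),
    get: (k) => m.get(k),
    init: (k, v) => { if (m.has(k)) throw new Error(`exists: ${k}`); m.set(k, v); },
    set: (k, v) => { if (!m.has(k)) throw new Error(`missing: ${k}`); m.set(k, v); },
  };
}

const KEYS = '__keys__'; // hypothetical name of the key-tracking entry
function makeAdapter(baggage, { retrackOnUpdate }) {
  const loadKeys = () => new Set(baggage.has(KEYS) ? baggage.get(KEYS) : []);
  const saveKeys = (keys) =>
    (baggage.has(KEYS) ? baggage.set : baggage.init)(KEYS, [...keys]);
  return {
    get: (key) => (baggage.has(key) ? baggage.get(key) ?? undefined : undefined),
    keys: () => [...loadKeys()],
    set(key, value) {
      const keys = loadKeys();
      if (baggage.has(key)) {
        baggage.set(key, value); // also taken when the entry is a null tombstone
        if (retrackOnUpdate && !keys.has(key)) {
          keys.add(key); // the fix: a revived key goes back into tracking
          saveKeys(keys);
        }
      } else {
        baggage.init(key, value);
        keys.add(key);
        saveKeys(keys);
      }
    },
    delete(key) {
      if (!baggage.has(key)) return;
      baggage.set(key, null); // tombstone: the entry itself stays in baggage
      const keys = loadKeys();
      keys.delete(key);
      saveKeys(keys);
    },
  };
}

// Constructed scenario: set, delete, set again, then read back and list.
function roundTrip(retrackOnUpdate) {
  const store = makeAdapter(makeFakeBaggage(), { retrackOnUpdate });
  store.set('echo', { v: 1 }); store.delete('echo'); store.set('echo', { v: 2 });
  return { value: store.get('echo'), keys: store.keys() };
}
```

`roundTrip(false)` returns the stored value with an empty key list, which is the divergence the comment reports; `roundTrip(true)` lists the key again.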
| getSystemVatRoot(name: string): KRef | undefined { | ||
| return this.#systemVatRoots.get(name); | ||
| } | ||
|
|
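Review bot: the `KRef | undefined` return of `getSystemVatRoot` pushes the missing-root case onto every caller, and the lookup `this.#systemVatRoots.get(name)` gives no way to tell an unknown name from a root that is not available. Since the PR describes system vats as holding privileged kernel services, state in the method's doc comment when `undefined` is returned, and consider throwing for a name that was never configured so a lookup miss is not silently passed along.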
System vat roots not cleared on kernel reset
Medium Severity
The #systemVatRoots map is never cleared when reset() is called. After reset() terminates all vats (including system vats) and resets the kernel store, the #systemVatRoots map still contains stale krefs referencing terminated vats. Subsequent calls to getSystemVatRoot() return these invalid references, which would cause failures when attempting to use them.
Add console forwarding to omnium-gatherum to match the extension implementation. This prevents "Unexpected message" errors in the background script when receiving console-forward messages, and ensures console output from the offscreen document and vat iframes is visible in the background devtools console. Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Fix baggage adapter to re-add deleted keys to tracking on set
- Clear system vat roots map on kernel reset

Co-Authored-By: Claude Opus 4.5 <[email protected]>


Summary
Adds support for "system vats" - statically declared vats that are launched at kernel initialization and can receive powerful kernel services not available to normal vats. This enables the core application logic of Omnium—currently just the `CapletController`—to run inside the kernel as a vat.

Key changes

- `name`, `services`, and `globals` fields for system vat configuration
- `globals` config to allow vats to receive specific globals (like `Date`) in their SES Compartment

Note
High Risk
High risk because it changes kernel initialization/run-loop ordering, kernel service invocation semantics (now fire-and-forget with async promise resolution), and adds privileged system-vat launch/config and new endowments into SES compartments.
Overview
Adds system vats: `Kernel.make()` now accepts `systemVats` and, after the run queue starts, registers a privileged `kernelFacet` service and launches configured vats, tracking their bootstrap root krefs for later lookup.

Extends the browser runtime/Omnium wiring to use this: `kernel-worker` parses a `system-vats` URL param, the CapTP `KernelFacade` gains `getSystemVatRoot()` and `reset()`, and Omnium now boots a `controller-vat` system vat (bundle copied into the extension) and routes caplet install/list/get/uninstall calls through it, adding a `callCapletMethod` console API.

Fixes potential crank deadlocks by making `KernelServiceManager.invokeKernelService()` non-`await` (promise-chained resolution) and updating `KernelRouter` accordingly, and adds `VatConfig.globals` with a small allowlist (e.g. `Date`) to endow SES vats. Also tweaks vat bundling to define `process.env.NODE_ENV`, and updates tests/docs and the echo caplet ID/output to match the new flow.

Written by Cursor Bugbot for commit 052ebb0. This will update automatically on new commits.
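An added sketch of the `VatConfig.globals` allowlist check (not the project's `VatSupervisor` code): it contrasts a plain-object lookup, which also answers for inherited property names, with an own-entry lookup that reports anything not on the list. The function names and the sample config are hypothetical.

```javascript
// Constructed allowlist; per the PR only `Date` is currently allowed.
const ALLOWED_GLOBALS = new Map([['Date', globalThis.Date]]);

// Pitfall: a plain-object table also answers for inherited names.
function naiveEndowments(requested, table = { Date: globalThis.Date }) {
  const endowments = {};
  for (const name of requested) {
    if (table[name] !== undefined) endowments[name] = table[name];
  }
  return endowments;
}

// Own-entry lookup only; anything else is reported, never endowed.
function selectEndowments(requested, allowlist = ALLOWED_GLOBALS) {
  if (!Array.isArray(requested)) {
    throw new TypeError('globals must be an array of names');
  }
  const endowments = Object.create(null);
  const rejected = [];
  for (const name of requested) {
    if (typeof name === 'string' && allowlist.has(name)) {
      endowments[name] = allowlist.get(name);
    } else {
      rejected.push(String(name));
    }
  }
  return { endowments: Object.freeze(endowments), rejected };
}

// Constructed vat config: one legitimate request, three that must not pass.
const sampleConfig = { globals: ['Date', 'fetch', 'constructor', '__proto__'] };
```

With `sampleConfig.globals`, the naive version hands out `constructor` alongside `Date`, while `selectEndowments` endows only `Date` and returns the other three names in `rejected` for logging.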