refactor(ocap-kernel): type vat-endowments allowlist as literal union

[sirtimid]

Summary

Follow-up to #937 tightening the type surface of the vat-endowments allowlist.

• New AllowedGlobalName literal-union type (and paired AllowedGlobalNameStruct superstruct) derived from a single readonly tuple in endowments.ts. Typos are now caught at compile time at every propagation site and rejected at the initVat RPC boundary.
• string[] → AllowedGlobalName[] at 5 sites: Kernel.make options, VatManager, VatHandle, initVat RPC spec + InitVat function type, and VatConfig.globals.
• VatSupervisor constructor now assert()s the makeAllowedGlobals() return value against VatEndowmentsStruct, so a malformed custom factory fails fast at construction instead of during termination.
• MakeAllowedGlobals factory type alias, AllowedGlobalNameStruct, and VatEndowmentsStruct are exported from the package index for symmetry with the existing struct exports.

The previously-silent "drops unknown names" path is no longer reachable through the typed API; the equivalent integration test now asserts the RPC-layer rejection (Invalid params).

Test plan

• yarn build — 24/24 tasks clean
• yarn lint clean
• yarn test:dev:quiet — 45/45 turbo tasks, 2279 tests in @metamask/ocap-kernel, full @ocap/kernel-test suite green (incl. updated endowment-globals.test.ts > rejects unknown names in allowedGlobalNames at the RPC boundary)

🤖 Generated with Claude Code

---

Note

Medium Risk
This is a breaking API-surface change that tightens types and adds runtime validation at the initVat RPC boundary; risk is mainly client compatibility and potential new rejections for previously-accepted inputs.

Overview
Tightens vat endowment allowlists from string[] to a literal union. Introduces AllowedGlobalName + AllowedGlobalNameStruct derived from a single allowlist tuple, and propagates the type change through VatConfig.globals, Kernel.make({ allowedGlobalNames }), VatManager/VatHandle, and the initVat RPC params so unknown names are rejected as Invalid params at the RPC boundary.

Hardens extension points and exports. Adds VatEndowmentsStruct + MakeAllowedGlobals and asserts custom makeAllowedGlobals() return values in VatSupervisor to fail fast on malformed factories; re-exports the new types/structs from index.ts and updates tests and changelog accordingly.

^{Reviewed by Cursor Bugbot for commit 5ae29fa. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	78.42% ⬇️ -0.02%	8897 / 11345
🔵	Statements	78.23% ⬇️ -0.03%	9043 / 11559
🔵	Functions	75.82% 🟰 ±0%	2076 / 2738
🔵	Branches	76.19% ⬇️ -0.06%	3829 / 5025

File Coverage

File	Stmts	Branches	Functions	Lines	Uncovered Lines
Changed Files
packages/ocap-kernel/src/Kernel.ts	88.39% 🟰 ±0%	77.77% 🟰 ±0%	82.6% 🟰 ±0%	88.39% 🟰 ±0%	294-297, 314, 338, 413-423, 511, 579, 645-648, 661, 671-672, 715, 732
packages/ocap-kernel/src/index.ts	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/types.ts	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/rpc/vat/initVat.ts	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/vats/VatHandle.ts	90.14% 🟰 ±0%	86.66% 🟰 ±0%	100% 🟰 ±0%	90.14% 🟰 ±0%	325, 376-381, 390-396
packages/ocap-kernel/src/vats/VatManager.ts	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/vats/VatSupervisor.ts	75% ⬇️ -3.94%	50% ⬇️ -7.50%	53.33% 🟰 ±0%	75% ⬇️ -3.94%	150, 162, 182, 253, 291-295, 306, 315-316, 338-340, 343, 347-349, 378-379, 386-392, 409, 426-434
packages/ocap-kernel/src/vats/endowments.ts	100% 🟰 ±0%	80% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%

Generated in workflow #4338 for commit 5ae29fa by the Vitest Coverage Report Action

[rekmarks]

Cool!