fix(ocap-kernel): address PR review — avoid mutation, fix this binding, add tests

sirtimid · claude · sirtimid · commit 1b4d32d4d65a · 2026-04-13T12:22:41.000+02:00
- Avoid direct mutation of potentially-hardened entries in initRemoteIdentity
  bootstrap clearing loop (use spread instead)
- Extract getRelayEntries as local function in makeKernelStore to avoid
  fragile this binding in getKnownRelayAddresses
- Add test: init clears bootstrap flag on relays removed from bootstrap set
- Add test: init enforces MAX_KNOWN_RELAYS pool cap

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/ocap-kernel/src/remotes/kernel/remote-comms.test.ts b/packages/ocap-kernel/src/remotes/kernel/remote-comms.test.ts
@@ -591,6 +591,49 @@ describe('remote-comms', () => {
       expect(secondSeen).toBeGreaterThan(firstSeen);
     });
 
+    it('init clears bootstrap flag on relays removed from the bootstrap set', async () => {
+      await initRemoteIdentity(mockKernelStore, {
+        relays: ['/dns4/relayA.example/tcp/443/wss/p2p-circuit'],
+      });
+
+      // Re-init with a different bootstrap set
+      await initRemoteIdentity(mockKernelStore, {
+        relays: ['/dns4/relayB.example/tcp/443/wss/p2p-circuit'],
+      });
+
+      const entries = mockKernelStore.getRelayEntries();
+      expect(
+        entries.find((entry) => entry.addr.includes('relayA'))?.isBootstrap,
+      ).toBe(false);
+      expect(
+        entries.find((entry) => entry.addr.includes('relayB'))?.isBootstrap,
+      ).toBe(true);
+    });
+
+    it('init enforces MAX_KNOWN_RELAYS pool cap', async () => {
+      // Pre-seed MAX_KNOWN_RELAYS learned relays
+      mockKernelStore.setRelayEntries(
+        Array.from({ length: MAX_KNOWN_RELAYS }, (_, i) => ({
+          addr: `/dns4/learned${i}.example/tcp/443/wss/p2p-circuit`,
+          lastSeen: 100,
+          isBootstrap: false,
+        })),
+      );
+
+      const bootstrapRelays = Array.from(
+        { length: 5 },
+        (_, i) => `/dns4/bootstrap${i}.example/tcp/443/wss/p2p-circuit`,
+      );
+      await initRemoteIdentity(mockKernelStore, { relays: bootstrapRelays });
+
+      const entries = mockKernelStore.getRelayEntries();
+      expect(entries).toHaveLength(MAX_KNOWN_RELAYS);
+      // All bootstrap relays must survive
+      for (const addr of bootstrapRelays) {
+        expect(entries.some((entry) => entry.addr === addr)).toBe(true);
+      }
+    });
+
     it('init marks bootstrap relays and preserves learned relays', async () => {
       // Pre-seed a learned relay
       mockKernelStore.setRelayEntries([
diff --git a/packages/ocap-kernel/src/remotes/kernel/remote-comms.ts b/packages/ocap-kernel/src/remotes/kernel/remote-comms.ts
@@ -124,9 +124,10 @@ export async function initRemoteIdentity(
       byAddr.set(addr, { addr, lastSeen: now, isBootstrap: true });
     }
     // Clear bootstrap flag on entries no longer in the current bootstrap set
-    for (const entry of byAddr.values()) {
-      if (entry.isBootstrap && !bootstrapSet.has(entry.addr)) {
-        entry.isBootstrap = false;
+    // (create new objects to avoid mutating potentially-hardened entries)
+    for (const [addr, entry] of byAddr.entries()) {
+      if (entry.isBootstrap && !bootstrapSet.has(addr)) {
+        byAddr.set(addr, { ...entry, isBootstrap: false });
       }
     }
     let merged = [...byAddr.values()];
diff --git a/packages/ocap-kernel/src/store/index.ts b/packages/ocap-kernel/src/store/index.ts
@@ -286,6 +286,46 @@ export function makeKernelStore(kdb: KernelDatabase, logger?: Logger) {
     kdb.rollbackSavepoint(name);
   }
 
+  /**
+   * Read relay entries from storage, auto-migrating from the legacy
+   * `string[]` format if necessary.
+   *
+   * @returns The relay entries.
+   */
+  function getRelayEntries(): RelayEntry[] {
+    const raw = kv.get('knownRelays');
+    if (!raw) {
+      return [];
+    }
+    const parsed: unknown = JSON.parse(raw);
+    Array.isArray(parsed) || Fail`knownRelays must be an array`;
+
+    // Migrate legacy string[] format → RelayEntry[] (persisted back to storage)
+    if (parsed.length > 0 && typeof parsed[0] === 'string') {
+      if (!parsed.every((entry: unknown) => typeof entry === 'string')) {
+        Fail`knownRelays legacy format must be all strings`;
+      }
+      const migrated: RelayEntry[] = (parsed as string[]).map((addr) => ({
+        addr,
+        lastSeen: 0,
+        isBootstrap: false,
+      }));
+      kv.set('knownRelays', JSON.stringify(migrated));
+      return migrated;
+    }
+
+    // New RelayEntry[] format
+    for (const entry of parsed) {
+      (typeof entry === 'object' &&
+        entry !== null &&
+        typeof (entry as RelayEntry).addr === 'string' &&
+        typeof (entry as RelayEntry).lastSeen === 'number' &&
+        typeof (entry as RelayEntry).isBootstrap === 'boolean') ||
+        Fail`knownRelays entries must have addr, lastSeen, isBootstrap`;
+    }
+    return parsed as RelayEntry[];
+  }
+
   return harden({
     ...id,
     ...queue,
@@ -350,45 +390,7 @@ export function makeKernelStore(kdb: KernelDatabase, logger?: Logger) {
     ): void {
       kv.set(key, value);
     },
-    /**
-     * Read relay entries from storage, auto-migrating from the legacy
-     * `string[]` format if necessary.
-     *
-     * @returns The relay entries.
-     */
-    getRelayEntries(): RelayEntry[] {
-      const raw = kv.get('knownRelays');
-      if (!raw) {
-        return [];
-      }
-      const parsed: unknown = JSON.parse(raw);
-      Array.isArray(parsed) || Fail`knownRelays must be an array`;
-
-      // Migrate legacy string[] format → RelayEntry[]
-      if (parsed.length > 0 && typeof parsed[0] === 'string') {
-        if (!parsed.every((entry: unknown) => typeof entry === 'string')) {
-          Fail`knownRelays legacy format must be all strings`;
-        }
-        const migrated: RelayEntry[] = (parsed as string[]).map((addr) => ({
-          addr,
-          lastSeen: 0,
-          isBootstrap: false,
-        }));
-        kv.set('knownRelays', JSON.stringify(migrated));
-        return migrated;
-      }
-
-      // New RelayEntry[] format
-      for (const entry of parsed) {
-        (typeof entry === 'object' &&
-          entry !== null &&
-          typeof (entry as RelayEntry).addr === 'string' &&
-          typeof (entry as RelayEntry).lastSeen === 'number' &&
-          typeof (entry as RelayEntry).isBootstrap === 'boolean') ||
-          Fail`knownRelays entries must have addr, lastSeen, isBootstrap`;
-      }
-      return parsed as RelayEntry[];
-    },
+    getRelayEntries,
 
     /**
      * Persist relay entries to storage.
@@ -405,7 +407,7 @@ export function makeKernelStore(kdb: KernelDatabase, logger?: Logger) {
      * @returns The relay addresses.
      */
     getKnownRelayAddresses(): string[] {
-      return this.getRelayEntries().map((entry) => entry.addr);
+      return getRelayEntries().map((entry) => entry.addr);
     },
   });
 }

Original file line number	Diff line number	Diff line change
`@@ -124,9 +124,10 @@ export async function initRemoteIdentity(`
`124`	`124`	`byAddr.set(addr, { addr, lastSeen: now, isBootstrap: true });`
`125`	`125`	`}`
`126`	`126`	`// Clear bootstrap flag on entries no longer in the current bootstrap set`
`127`		`- for (const entry of byAddr.values()) {`
`128`		`- if (entry.isBootstrap && !bootstrapSet.has(entry.addr)) {`
`129`		`- entry.isBootstrap = false;`
	`127`	`+ // (create new objects to avoid mutating potentially-hardened entries)`
	`128`	`+ for (const [addr, entry] of byAddr.entries()) {`
	`129`	`+ if (entry.isBootstrap && !bootstrapSet.has(addr)) {`
	`130`	`+ byAddr.set(addr, { ...entry, isBootstrap: false });`
`130`	`131`	`}`
`131`	`132`	`}`
`132`	`133`	`let merged = [...byAddr.values()];`