fix: address review findings

- harden(allowedGlobals) in constructor to prevent mutation of custom maps
- move DEFAULT_ALLOWED_GLOBALS tests to co-located endowments.test.ts
- add happy-path test: no warning when all globals are known
- add tamed Date negative test: Date.now throws in secure mode without endowment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sirtimid

packages/kernel-test/src/endowment-globals.test.ts

@@ -124,5 +124,13 @@ describe('global endowments', () => {
       const logs = extractTestLogs(entries, vatId);
       expect(logs).toContain(`checkGlobal: ${name}=false`);
     });
+
+    it('throws when calling tamed Date.now without endowing Date', async () => {
+      const { kernel } = await setup([]);
+
+      await expect(kernel.queueMessage(v1Root, 'testDate', [])).rejects.toThrow(
+        'secure mode',
+      );
+    });
   });
 });

packages/ocap-kernel/src/vats/VatSupervisor.test.ts

@@ -6,7 +6,6 @@ import { rpcErrors } from '@metamask/rpc-errors';
 import { TestDuplexStream } from '@ocap/repo-tools/test-utils/streams';
 import { describe, it, expect, vi } from 'vitest';
 
-import { DEFAULT_ALLOWED_GLOBALS } from './endowments.ts';
 import { VatSupervisor } from './VatSupervisor.ts';
 import type { FetchBlob } from './VatSupervisor.ts';
 
@@ -172,28 +171,6 @@ describe('VatSupervisor', () => {
     });
   });
 
-  describe('DEFAULT_ALLOWED_GLOBALS', () => {
-    it('contains the expected global names', () => {
-      expect(Object.keys(DEFAULT_ALLOWED_GLOBALS).sort()).toStrictEqual([
-        'AbortController',
-        'AbortSignal',
-        'Date',
-        'TextDecoder',
-        'TextEncoder',
-        'URL',
-        'URLSearchParams',
-        'atob',
-        'btoa',
-        'clearTimeout',
-        'setTimeout',
-      ]);
-    });
-
-    it('is frozen', () => {
-      expect(Object.isFrozen(DEFAULT_ALLOWED_GLOBALS)).toBe(true);
-    });
-  });
-
   describe('allowedGlobals configuration', () => {
     it('accepts a custom allowedGlobals parameter', async () => {
       const { supervisor } = await makeVatSupervisor({
@@ -202,6 +179,42 @@ describe('VatSupervisor', () => {
       expect(supervisor).toBeInstanceOf(VatSupervisor);
     });
 
+    it('does not warn when all requested globals are known', async () => {
+      const logger = {
+        warn: vi.fn(),
+        error: vi.fn(),
+        subLogger: vi.fn(() => logger),
+      } as unknown as Logger;
+
+      const mockFetchBlob: FetchBlob = vi.fn().mockResolvedValue({
+        ok: true,
+        text: vi.fn().mockResolvedValue(''),
+      });
+
+      const { stream } = await makeVatSupervisor({
+        logger,
+        allowedGlobals: { Date: globalThis.Date },
+        fetchBlob: mockFetchBlob,
+      });
+
+      await stream.receiveInput({
+        id: 'test-init',
+        method: 'initVat',
+        params: {
+          vatConfig: {
+            bundleSpec: 'test.bundle',
+            parameters: {},
+            globals: ['Date'],
+          },
+          state: [],
+        },
+        jsonrpc: '2.0',
+      });
+      await delay(50);
+
+      expect(logger.warn).not.toHaveBeenCalled();
+    });
+
     it('logs a warning when a vat requests an unknown global', async () => {
       const logger = {
         warn: vi.fn(),

packages/ocap-kernel/src/vats/VatSupervisor.ts

@@ -144,7 +144,7 @@ export class VatSupervisor {
     this.#fetchBlob = fetchBlob ?? defaultFetchBlob;
     this.#platformOptions = platformOptions ?? {};
     this.#makePlatform = makePlatform;
-    this.#allowedGlobals = allowedGlobals;
+    this.#allowedGlobals = harden(allowedGlobals);
 
     this.#rpcClient = new RpcClient(
       vatSyscallMethodSpecs,

packages/ocap-kernel/src/vats/endowments.test.ts

@@ -0,0 +1,25 @@
+import { describe, it, expect } from 'vitest';
+
+import { DEFAULT_ALLOWED_GLOBALS } from './endowments.ts';
+
+describe('DEFAULT_ALLOWED_GLOBALS', () => {
+  it('contains the expected global names', () => {
+    expect(Object.keys(DEFAULT_ALLOWED_GLOBALS).sort()).toStrictEqual([
+      'AbortController',
+      'AbortSignal',
+      'Date',
+      'TextDecoder',
+      'TextEncoder',
+      'URL',
+      'URLSearchParams',
+      'atob',
+      'btoa',
+      'clearTimeout',
+      'setTimeout',
+    ]);
+  });
+
+  it('is frozen', () => {
+    expect(Object.isFrozen(DEFAULT_ALLOWED_GLOBALS)).toBe(true);
+  });
+});