fix(ocap-kernel): harden makeAllowedGlobals output in VatSupervisor

Defense-in-depth restoration of the harden() call the pre-snaps
constructor used to apply to `allowedGlobals`. `createDefaultEndowments`
already hardens its output, but `makeAllowedGlobals` is a public seam
(see the exported `VatEndowments` type) — a custom factory returning
unhardened globals would hand a vat mutable references to its own
endowments, defeating attenuation. `harden` is idempotent and deep, so
this is a no-op on the default path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: sirtimid

packages/ocap-kernel/CHANGELOG.md

@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Swap raw `setTimeout`/`clearTimeout` and `Date` for attenuated versions from `@metamask/snaps-execution-environments`
   - Wire factory `teardownFunction`s into `VatSupervisor.terminate()` so pending timers and other resources are released on vat termination
   - Replace exported `DEFAULT_ALLOWED_GLOBALS` constant with `createDefaultEndowments()` factory and `VatEndowments` type; `VatSupervisor` now accepts `makeAllowedGlobals` in place of `allowedGlobals`
+  - Harden the `makeAllowedGlobals` output inside `VatSupervisor` as defense-in-depth against custom factories that may skip hardening
 - Make vat global allowlist configurable and expand available endowments ([#933](https://github.com/MetaMask/ocap-kernel/pull/933))
   - Export `DEFAULT_ALLOWED_GLOBALS` with `URL`, `URLSearchParams`, `atob`, `btoa`, `AbortController`, and `AbortSignal` in addition to the existing globals
   - Accept optional `allowedGlobals` on `VatSupervisor` for custom allowlists

packages/ocap-kernel/src/vats/VatSupervisor.ts

@@ -155,7 +155,8 @@ export class VatSupervisor {
     this.#platformOptions = platformOptions ?? {};
     this.#makePlatform = makePlatform;
     const { globals, teardown } = makeAllowedGlobals();
-    this.#allowedGlobals = globals;
+    // Defense in depth: custom `makeAllowedGlobals` factories may skip hardening.
+    this.#allowedGlobals = harden(globals);
     this.#endowmentsTeardown = teardown;
 
     this.#rpcClient = new RpcClient(