test(ocap-kernel): tighten endowment tests from final review

- VatSupervisor: add positive-path assertion (init returns a result)
  alongside the existing negation to prevent vacuous pass
- endowments: replace globalThis.fetch mutation with vi.stubGlobal +
  unstubAllGlobals in afterEach; removes the require-atomic-updates
  disable and avoids cross-test bleed
- endowments: assert console.error fallback in the notify-swallow
  test so a silent-swallow regression would fail
- network-caveat: add data:/blob: scheme cases to pin the empty-
  hostname rejection path; rename $scheme it.each label to $label
  for accuracy

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: sirtimid

packages/ocap-kernel/src/vats/VatSupervisor.test.ts

@@ -369,6 +369,15 @@ describe('VatSupervisor', () => {
       });
       await delay(50);
 
+      // With makeLiveSlots mocked, init completes and dispatch receives
+      // the delivery result — assert that positive shape directly so the
+      // test doesn't pass vacuously if init were to short-circuit.
+      expect(dispatch).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 'test-init',
+          result: expect.anything(),
+        }),
+      );
       expect(dispatch).not.toHaveBeenCalledWith(
         expect.objectContaining({
           id: 'test-init',

packages/ocap-kernel/src/vats/endowments.test.ts

@@ -33,6 +33,8 @@ describe('createDefaultEndowments', () => {
   // frozen mock, and the resulting error surfaces on the NEXT test.
   afterEach(() => {
     state.override = null;
+    vi.unstubAllGlobals();
+    vi.restoreAllMocks();
   });
 
   it('produces the expected global names', () => {
@@ -187,11 +189,15 @@ describe('createDefaultEndowments', () => {
     });
   });
 
-  it('swallows logger errors inside notify so fetch is not blocked', async () => {
+  it('swallows logger errors inside notify and surfaces them via console.error', async () => {
     const logger = makeLogger();
+    const transportError = new Error('transport broke');
     vi.spyOn(logger, 'debug').mockImplementation(() => {
-      throw new Error('transport broke');
+      throw transportError;
     });
+    const consoleErrorSpy = vi
+      .spyOn(console, 'error')
+      .mockImplementation(() => undefined);
     let capturedNotify:
       | ((n: { method: string; params: unknown }) => Promise<void>)
       | undefined;
@@ -215,6 +221,11 @@ describe('createDefaultEndowments', () => {
         params: { source: 'fetch' },
       }),
     ).toBeUndefined();
+
+    expect(consoleErrorSpy).toHaveBeenCalledWith(
+      '[ocap-kernel] network endowment logger transport failed',
+      transportError,
+    );
   });
 
   it('teardown aborts in-flight fetches started by the network factory', async () => {
@@ -223,40 +234,36 @@ describe('createDefaultEndowments', () => {
     // than rejects — the vat-visible fetch promise once teardown runs, so
     // the meaningful assertions are (1) the abort signal propagated into
     // the base fetch and (2) teardown returns cleanly without hanging on
-    // the open connection.
-    const originalFetch = globalThis.fetch;
+    // the open connection. `vi.stubGlobal` + `unstubAllGlobals` in afterEach
+    // keeps the global mutation scoped to this test.
     let abortReceived = false;
-    globalThis.fetch = (async (_input, init) => {
-      return await new Promise((_resolve, reject) => {
-        const signal = init?.signal;
-        signal?.addEventListener('abort', () => {
-          abortReceived = true;
-          reject(new Error('aborted'));
-        });
-      });
-    }) as typeof fetch;
+    vi.stubGlobal(
+      'fetch',
+      (async (_input: unknown, init?: RequestInit) =>
+        await new Promise<Response>((_resolve, reject) => {
+          init?.signal?.addEventListener('abort', () => {
+            abortReceived = true;
+            reject(new Error('aborted'));
+          });
+        })) as typeof fetch,
+    );
 
-    try {
-      const { globals, teardown } = createDefaultEndowments({
-        logger: makeLogger(),
-      });
-      const fetchFn = globals.fetch as typeof fetch;
+    const { globals, teardown } = createDefaultEndowments({
+      logger: makeLogger(),
+    });
+    const fetchFn = globals.fetch as typeof fetch;
 
-      const inFlight = fetchFn('https://example.test/slow');
-      // Suppress unhandled-rejection noise — the Snaps factory drops this
-      // promise on teardown (neither resolves nor rejects it).
-      inFlight.catch(() => undefined);
+    const inFlight = fetchFn('https://example.test/slow');
+    // Suppress unhandled-rejection noise — the Snaps factory drops this
+    // promise on teardown (neither resolves nor rejects it).
+    inFlight.catch(() => undefined);
 
-      // Give the factory a microtask to register the open connection.
-      await new Promise((resolve) => setTimeout(resolve, 0));
+    // Give the factory a microtask to register the open connection.
+    await new Promise((resolve) => setTimeout(resolve, 0));
 
-      await teardown();
+    await teardown();
 
-      expect(abortReceived).toBe(true);
-    } finally {
-      // eslint-disable-next-line require-atomic-updates
-      globalThis.fetch = originalFetch;
-    }
+    expect(abortReceived).toBe(true);
   });
 
   it('teardown cancels pending timers', async () => {

packages/ocap-kernel/src/vats/network-caveat.test.ts

@@ -45,15 +45,26 @@ describe('makeHostCaveat', () => {
   });
 
   it.each([
-    { scheme: 'file:', input: 'file:///etc/passwd' },
-    { scheme: 'file: via Request', input: new Request('file:///etc/passwd') },
-  ])('rejects $scheme URLs with an fs-capability hint', async ({ input }) => {
+    { label: 'file: string input', input: 'file:///etc/passwd' },
+    { label: 'file: Request input', input: new Request('file:///etc/passwd') },
+  ])('rejects $label with an fs-capability hint', async ({ input }) => {
     const caveat = makeHostCaveat(['example.test']);
     await expect(caveat(input)).rejects.toThrow(
       /fetch cannot target file:\/\/ URLs.*fs platform capability/u,
     );
   });
 
+  it.each([
+    { label: 'data:', input: 'data:text/plain,hello' },
+    { label: 'blob:', input: 'blob:https://example.test/abc123' },
+  ])(
+    'rejects $label URLs via the hostname check (opaque origin has empty hostname)',
+    async ({ input }) => {
+      const caveat = makeHostCaveat(['example.test']);
+      await expect(caveat(input)).rejects.toThrow('Invalid host:');
+    },
+  );
+
   it.each([
     {
       name: 'Request objects',