feat(ocap-kernel): bound relay hints in OCAP URLs and relay pool size

[sirtimid]

Summary

OCAP URLs embed relay multiaddrs as discovery hints. After #887 propagated these hints on redemption, the relay list in URLs (and in the KV store) grows unboundedly as kernels encounter new relays through URL exchange. This PR bounds both the URL hint count and the relay pool size.

After investigating whether a gossip protocol was needed (#889), the conclusion was that the problem is URL size, not relay discovery — passive propagation via URL exchange is sufficient at current scale. A gossip protocol can be added later if needed.

Changes

• Add RelayEntry type with addr, lastSeen, isBootstrap metadata for prioritized relay selection
• Cap relay hints embedded in OCAP URLs to MAX_URL_RELAY_HINTS (3), selecting bootstrap relays first, then most recently seen
• Bound the relay pool to MAX_KNOWN_RELAYS (20) with eviction of oldest non-bootstrap entries
• Mark bootstrap relays at kernel init; merge with (not overwrite) existing learned relays
• Auto-migrate legacy string[] relay storage format to RelayEntry[]
• Update store API: getRelayEntries() / setRelayEntries() / getKnownRelayAddresses() replace getKnownRelays() / setKnownRelays()

Testing

All changes are covered by unit tests. New tests verify URL hint capping, bootstrap relay priority in selection, pool cap enforcement (in both addKnownRelays and initRemoteIdentity), eviction of oldest non-bootstrap entries, lastSeen timestamp updates on re-observation, bootstrap flag clearing on re-init with a different set, and legacy storage format auto-migration. Existing tests were updated for the new store API. All 82 tests pass, lint and build are clean.

Closes #889

---

Note

Medium Risk
Changes relay persistence and selection logic used for OCAP URL issuance, including an on-read KV migration and eviction behavior that could affect connectivity if misconfigured or buggy.

Overview
OCAP URL issuance now limits embedded relay hints (default 3) by selecting relays from a prioritized pool (bootstrap first, then most recently seen).

Relay storage is refactored from a raw string[] to RelayEntry[] (addr, lastSeen, isBootstrap), with a bounded relay pool (default 20) that evicts oldest non-bootstrap entries and merges/updates bootstrap relays on init; legacy knownRelays data is auto-migrated on read.

initRemoteComms/RPC adds maxUrlRelayHints and maxKnownRelays, strips undefined params via ifDefined, and avoids passing mnemonic to platform services; tests are updated/expanded for capping, ordering, eviction, and migration.

^{Reviewed by Cursor Bugbot for commit 9bbc7e9. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1690fd8. Configure here.}

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	78.71% ⬆️ +0.12%	8688 / 11037
🔵	Statements	78.53% ⬆️ +0.13%	8830 / 11243
🔵	Functions	76.27% ⬆️ +0.14%	2035 / 2668
🔵	Branches	76.42% ⬆️ +0.13%	3740 / 4894

File Coverage

File	Stmts	Branches	Functions	Lines	Uncovered Lines
Changed Files
packages/ocap-kernel/src/remotes/types.ts	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/remotes/kernel/remote-comms.ts	100% 🟰 ±0%	98.48% ⬆️ +0.98%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/rpc/kernel-control/init-remote-comms.ts	100% ⬆️ +6.25%	100% ⬆️ +10.00%	100% 🟰 ±0%	100% ⬆️ +6.25%
packages/ocap-kernel/src/store/index.ts	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/store/types.ts	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/store/methods/relay.ts	100%	91.66%	100%	100%

Generated in workflow #4271 for commit 9bbc7e9 by the Vitest Coverage Report Action

[grypez]

The code complexity seems high for what amounts to a FIFO queue on relay addresses. I think we are due a review of our connection logic. In context of the codebase, no issues. One nit.

[sirtimid]

The code complexity seems high for what amounts to a FIFO queue on relay addresses. I think we are due a review of our connection logic. In context of the codebase, no issues. One nit.

@grypez It's not a simple FIFO queue, the complexity exists because there are two tiers of relays with different eviction semantics: Bootstrap relays and Learned relays. But I agree, a holistic look at the connection layer could probably simplify things.

addressed

[grypez]

LGTM