fix(ocap-kernel): enforce one delivery per crank, fix rollback cache staleness

[rekmarks]

As it turns out, we have been violating the invariant that a crank consists of the delivery of a single message or notification. Since at least the introduction of KernelQueue.ts in #484, one iteration of the kernel's run queue—which should be equivalent to a crank—has actually been able to deliver an unbounded number of messages.

This means that, if a delivery aborts mid-crank, rollbackCrank('start') reverts all deliveries in the crank (including earlier successful ones), creating inconsistency with vat in-memory state and leaving promise subscriptions permanently dangling.

This PR ensures that we correctly implement cranks via the kernel's run queue loop as described below.

Summary

• Enforce one run-queue item per crank (change while to if in KernelQueue generator) and fix stale StoredQueue caches after rollbackCrank by refreshing the run queue and invalidating runQueueLengthCache
• Reject JS promise subscriptions when a crank aborts with vat termination; fix terminateVat callback in Kernel to avoid deadlock by bypassing VatManager.terminateVat() (which calls waitForCrank())
• Improve error messages for splat cases (revoked, no owner, no object, endpoint gone) and handle vanished endpoints in KernelRouter delivery
• Fix SubclusterManager to catch rejected bootstrap promises
• Add orphaned ephemeral exo tests (unit + e2e)
• Glossary formatting and crank definition correction

Test plan

• Existing unit tests updated and passing (KernelQueue.test.ts, KernelRouter.test.ts, crank.test.ts, syscall-validation.test.ts, vat-lifecycle.test.ts)
• New unit test for orphaned ephemeral exos (orphaned-ephemeral-exo.test.ts)
• New e2e test for orphaned ephemeral exos (orphaned-ephemeral-exo.test.ts in kernel-node-runtime)

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches core kernel run-queue/crank behavior (delivery loop, rollback, promise subscription resolution) and error propagation; could affect message ordering and failure modes across vats, but changes are covered by expanded unit/e2e tests.

Overview
Kernel crank/run-queue semantics are tightened and rollback is made cache-safe. KernelQueue now processes exactly one run-queue item per crank, and crank rollback refreshes the persisted run-queue wrapper and invalidates the cached run-queue length to avoid stale in-memory state after savepoint rollback.

Promise/result handling on failures is corrected. Kernel-side queueMessage subscriptions now track both resolve and reject; rejected kernel promises now reject the returned JS promise, and aborted cranks that also terminate a vat immediately reject the in-flight message’s result subscription instead of leaving it hanging.

Splat/error cases are clarified and made more robust. KernelRouter improves splat reasons (revoked, no owner, promise fulfilled without an object ref) and resolves splat rejections using the current promise decider after rollback; it also treats “endpoint vanished” during delivery as a splat with a clear rejection and refcount cleanup.

Lifecycle/launch behavior is hardened and tests updated/added. Kernel termination during a crank avoids deadlock by bypassing VatManager.terminateVat() in the queue’s termination callback, bootstrap errors in SubclusterManager now surface as deserialized Errors, and new unit + node-runtime e2e tests cover orphaned ephemeral exo references across vat restart; several existing tests are updated to expect rejected promises and new error text.

Documentation: glossary formatting and crank/kernel-router definitions are updated.

^{Written by Cursor Bugbot for commit fc0ec74. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[cursor]

Bare catch masks unexpected errors as endpoint-vanished

Low Severity

The bare catch around this.#getEndpoint(endpointId) catches all exceptions and treats them as "endpoint vanished" — silently splatting the message and rejecting its result promise. If #getEndpoint throws for an unexpected reason (internal state inconsistency, programming error, etc.), the error is silently swallowed and a deliverable message may be incorrectly discarded. Narrowing the catch to the expected error type (e.g., VatNotFoundError) would prevent masking unrelated failures.

 

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	77.26% ⬇️ -0.05%	7829 / 10133
🔵	Statements	77.07% ⬇️ -0.05%	7954 / 10320
🔵	Functions	75.22% ⬇️ -0.13%	1889 / 2511
🔵	Branches	74.83% ⬆️ +0.03%	3200 / 4276

File Coverage

File	Stmts	Branches	Functions	Lines	Uncovered Lines
Changed Files
packages/kernel-test/src/vats/orphaned-ephemeral-consumer.ts	0%	100%	0%	0%	14-20
packages/kernel-test/src/vats/orphaned-ephemeral-provider.ts	0%	100%	0%	0%	11-19
packages/kernel-ui/src/components/SendMessageForm.tsx	100% 🟰 ±0%	72.72% ⬇️ -2.28%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/Kernel.ts	88.18% ⬆️ +1.03%	77.77% 🟰 ±0%	82.6% ⬆️ +2.17%	88.18% ⬆️ +1.03%	286-289, 306, 330, 398-408, 500, 568, 634-637, 650, 660-661, 704, 721
packages/ocap-kernel/src/KernelQueue.ts	98.23% ⬆️ +0.10%	90.32% ⬆️ +1.65%	100% 🟰 ±0%	98.23% ⬆️ +0.10%	152, 336
packages/ocap-kernel/src/KernelRouter.ts	84.44% ⬇️ -5.72%	73.13% ⬇️ -2.25%	100% 🟰 ±0%	84.44% ⬇️ -5.72%	110, 169, 183, 234-257, 263, 290-299, 306, 352, 367, 370
packages/ocap-kernel/src/store/index.ts	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/store/types.ts	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/store/methods/crank.ts	100% 🟰 ±0%	93.75% 🟰 ±0%	100% 🟰 ±0%	100% 🟰 ±0%
packages/ocap-kernel/src/vats/SubclusterManager.ts	95.71% ⬇️ -0.66%	90.16% ⬇️ -1.64%	100% 🟰 ±0%	95.65% ⬇️ -0.67%	193-196, 250, 333, 338-340, 355

Generated in workflow #3953 for commit 46b674d by the Vitest Coverage Report Action