Rescan scoped capability roots after method calls

Author: Mauricio Gomes

vibes/capability_contracts.go

@@ -31,15 +31,15 @@ func validateCapabilityDataOnlyValue(label string, val Value) error {
 
 func bindCapabilityContracts(
 	val Value,
-	contractsByName map[string]CapabilityMethodContract,
+	scope *capabilityContractScope,
 	target map[*Builtin]CapabilityMethodContract,
-	scopes map[*Builtin]map[string]CapabilityMethodContract,
+	scopes map[*Builtin]*capabilityContractScope,
 ) {
-	if len(contractsByName) == 0 {
+	if scope == nil || len(scope.contracts) == 0 {
 		return
 	}
 	scanner := newCapabilityContractScanner()
-	scanner.bindContracts(val, contractsByName, target, scopes)
+	scanner.bindContracts(val, scope, target, scopes)
 }
 
 func (s *capabilityContractScanner) containsCallable(val Value) bool {
@@ -83,17 +83,17 @@ func (s *capabilityContractScanner) containsCallable(val Value) bool {
 
 func (s *capabilityContractScanner) bindContracts(
 	val Value,
-	contractsByName map[string]CapabilityMethodContract,
+	scope *capabilityContractScope,
 	target map[*Builtin]CapabilityMethodContract,
-	scopes map[*Builtin]map[string]CapabilityMethodContract,
+	scopes map[*Builtin]*capabilityContractScope,
 ) {
 	switch val.Kind() {
 	case KindBuiltin:
 		builtin := val.Builtin()
 		if _, seen := scopes[builtin]; !seen {
-			scopes[builtin] = contractsByName
+			scopes[builtin] = scope
 		}
-		if contract, ok := contractsByName[builtin.Name]; ok {
+		if contract, ok := scope.contracts[builtin.Name]; ok {
 			if _, seen := target[builtin]; !seen {
 				target[builtin] = contract
 			}
@@ -110,7 +110,7 @@ func (s *capabilityContractScanner) bindContracts(
 		}
 		s.seenArrays[id] = struct{}{}
 		for _, item := range values {
-			s.bindContracts(item, contractsByName, target, scopes)
+			s.bindContracts(item, scope, target, scopes)
 		}
 	case KindHash, KindObject:
 		entries := val.Hash()
@@ -120,7 +120,7 @@ func (s *capabilityContractScanner) bindContracts(
 		}
 		s.seenMaps[ptr] = struct{}{}
 		for _, item := range entries {
-			s.bindContracts(item, contractsByName, target, scopes)
+			s.bindContracts(item, scope, target, scopes)
 		}
 	case KindClass:
 		classDef := val.Class()
@@ -132,7 +132,7 @@ func (s *capabilityContractScanner) bindContracts(
 		}
 		s.seenClasses[classDef] = struct{}{}
 		for _, item := range classDef.ClassVars {
-			s.bindContracts(item, contractsByName, target, scopes)
+			s.bindContracts(item, scope, target, scopes)
 		}
 	case KindInstance:
 		instance := val.Instance()
@@ -144,10 +144,10 @@ func (s *capabilityContractScanner) bindContracts(
 		}
 		s.seenInstances[instance] = struct{}{}
 		for _, item := range instance.Ivars {
-			s.bindContracts(item, contractsByName, target, scopes)
+			s.bindContracts(item, scope, target, scopes)
 		}
 		if instance.Class != nil {
-			s.bindContracts(NewClass(instance.Class), contractsByName, target, scopes)
+			s.bindContracts(NewClass(instance.Class), scope, target, scopes)
 		}
 	}
 }

vibes/capability_contracts_test.go

@@ -256,6 +256,47 @@ func (c legacyFooCapability) Bind(binding CapabilityBinding) (map[string]Value,
 	}, nil
 }
 
+type siblingMutationContractCapability struct {
+	invokeCount *int
+}
+
+func (c siblingMutationContractCapability) Bind(binding CapabilityBinding) (map[string]Value, error) {
+	peer := NewInstance(&Instance{
+		Class: &ClassDef{
+			Name:         "PeerHost",
+			Methods:      map[string]*ScriptFunction{},
+			ClassMethods: map[string]*ScriptFunction{},
+			ClassVars:    map[string]Value{},
+		},
+		Ivars: map[string]Value{},
+	})
+	return map[string]Value{
+		"publisher": NewObject(map[string]Value{
+			"install": NewBuiltin("publisher.install", func(exec *Execution, receiver Value, args []Value, kwargs map[string]Value, block Value) (Value, error) {
+				peer.Instance().Ivars["call"] = NewBuiltin("peer.call", func(exec *Execution, receiver Value, args []Value, kwargs map[string]Value, block Value) (Value, error) {
+					*c.invokeCount = *c.invokeCount + 1
+					return NewString("ok"), nil
+				})
+				return NewString("installed"), nil
+			}),
+		}),
+		"peer": peer,
+	}, nil
+}
+
+func (c siblingMutationContractCapability) CapabilityContracts() map[string]CapabilityMethodContract {
+	return map[string]CapabilityMethodContract{
+		"peer.call": {
+			ValidateArgs: func(args []Value, kwargs map[string]Value, block Value) error {
+				if len(args) != 1 || args[0].Kind() != KindInt {
+					return fmt.Errorf("peer.call expects int")
+				}
+				return nil
+			},
+		},
+	}
+}
+
 func TestCapabilityContractRejectsInvalidArguments(t *testing.T) {
 	engine := MustNewEngine(Config{})
 	script, err := engine.Compile(`def run()
@@ -491,3 +532,30 @@ end`)
 		t.Fatalf("unexpected result: %#v", result)
 	}
 }
+
+func TestCapabilityContractsBindAfterSiblingScopeMutation(t *testing.T) {
+	engine := MustNewEngine(Config{})
+	script, err := engine.Compile(`def run()
+  publisher.install()
+  peer.call("bad")
+end`)
+	if err != nil {
+		t.Fatalf("compile failed: %v", err)
+	}
+
+	invocations := 0
+	_, err = script.Call(context.Background(), "run", nil, CallOptions{
+		Capabilities: []CapabilityAdapter{
+			siblingMutationContractCapability{invokeCount: &invocations},
+		},
+	})
+	if err == nil {
+		t.Fatalf("expected sibling-mutation contract validation error")
+	}
+	if got := err.Error(); !strings.Contains(got, "peer.call expects int") {
+		t.Fatalf("unexpected error: %s", got)
+	}
+	if invocations != 0 {
+		t.Fatalf("sibling mutation capability should not execute when contract fails")
+	}
+}

vibes/execution.go

@@ -55,14 +55,19 @@ type Execution struct {
 	moduleLoadStack           []string
 	moduleStack               []moduleContext
 	capabilityContracts       map[*Builtin]CapabilityMethodContract
-	capabilityContractScopes  map[*Builtin]map[string]CapabilityMethodContract
+	capabilityContractScopes  map[*Builtin]*capabilityContractScope
 	capabilityContractsByName map[string]CapabilityMethodContract
 	receiverStack             []Value
 	envStack                  []*Env
 	strictEffects             bool
 	allowRequire              bool
 }
 
+type capabilityContractScope struct {
+	contracts map[string]CapabilityMethodContract
+	roots     []Value
+}
+
 type moduleContext struct {
 	key  string
 	path string
@@ -625,14 +630,19 @@ func (exec *Execution) invokeCallable(callee Value, receiver Value, args []Value
 				return NewNil(), exec.wrapError(err, pos)
 			}
 		}
-		scopeContracts := exec.capabilityContractScopes[builtin]
-		if len(scopeContracts) > 0 {
+		scope := exec.capabilityContractScopes[builtin]
+		if scope != nil && len(scope.contracts) > 0 {
 			// Capability methods can lazily publish additional builtins at runtime
 			// (e.g. through factory return values or receiver mutation). Re-scan
 			// these values so future calls still enforce declared contracts.
-			bindCapabilityContracts(result, scopeContracts, exec.capabilityContracts, exec.capabilityContractScopes)
+			bindCapabilityContracts(result, scope, exec.capabilityContracts, exec.capabilityContractScopes)
 			if receiver.Kind() != KindNil {
-				bindCapabilityContracts(receiver, scopeContracts, exec.capabilityContracts, exec.capabilityContractScopes)
+				bindCapabilityContracts(receiver, scope, exec.capabilityContracts, exec.capabilityContractScopes)
+			}
+			// Methods can mutate sibling scope roots via captured references; refresh
+			// all adapter roots so newly exposed builtins also get bound.
+			for _, root := range scope.roots {
+				bindCapabilityContracts(root, scope, exec.capabilityContracts, exec.capabilityContractScopes)
 			}
 		}
 		return result, nil
@@ -3413,7 +3423,7 @@ func (s *Script) Call(ctx context.Context, name string, args []Value, opts CallO
 		moduleLoadStack:           make([]string, 0, 8),
 		moduleStack:               make([]moduleContext, 0, 8),
 		capabilityContracts:       make(map[*Builtin]CapabilityMethodContract),
-		capabilityContractScopes:  make(map[*Builtin]map[string]CapabilityMethodContract),
+		capabilityContractScopes:  make(map[*Builtin]*capabilityContractScope),
 		capabilityContractsByName: make(map[string]CapabilityMethodContract),
 		receiverStack:             make([]Value, 0, 8),
 		envStack:                  make([]*Env, 0, 8),
@@ -3427,7 +3437,9 @@ func (s *Script) Call(ctx context.Context, name string, args []Value, opts CallO
 			if adapter == nil {
 				continue
 			}
-			adapterContracts := map[string]CapabilityMethodContract{}
+			scope := &capabilityContractScope{
+				contracts: map[string]CapabilityMethodContract{},
+			}
 			if provider, ok := adapter.(CapabilityContractProvider); ok {
 				for methodName, contract := range provider.CapabilityContracts() {
 					name := strings.TrimSpace(methodName)
@@ -3438,7 +3450,7 @@ func (s *Script) Call(ctx context.Context, name string, args []Value, opts CallO
 						return NewNil(), fmt.Errorf("duplicate capability contract for %s", name)
 					}
 					exec.capabilityContractsByName[name] = contract
-					adapterContracts[name] = contract
+					scope.contracts[name] = contract
 				}
 			}
 			globals, err := adapter.Bind(binding)
@@ -3448,7 +3460,8 @@ func (s *Script) Call(ctx context.Context, name string, args []Value, opts CallO
 			for name, val := range globals {
 				rebound := rebinder.rebindValue(val)
 				root.Define(name, rebound)
-				bindCapabilityContracts(rebound, adapterContracts, exec.capabilityContracts, exec.capabilityContractScopes)
+				scope.roots = append(scope.roots, rebound)
+				bindCapabilityContracts(rebound, scope, exec.capabilityContracts, exec.capabilityContractScopes)
 			}
 		}
 	}