feat(harden): Introduce @endo/harden

ava-noop-harden.config.mjs

@@ -0,0 +1,5 @@
+export default {
+  nodeArguments: ['-C', 'noop-harden'],
+  files: ['test/**/*.test.*'],
+  timeout: '2m',
+};

packages/bundle-source/NEWS.md

@@ -1,5 +1,17 @@
 User-visible changes to `@endo/bundle-source`:
 
+# Next release
+
+- Relaxes dependence on a global, post-lockdown `harden` function by taking a
+  dependency on the new `@endo/harden` package.
+  Consequently, bundles will now entrain a `harden` implementation that is
+  superfluous if the bundled program is guaranteed to run in a post-lockdown
+  HardenedJS environment.
+  To compensate, use `bundle-source` with `-C hardened` or the analgous feature
+  for packaging conditions with your preferred bundler tool.
+  This will hollow out `@endo/harden` and defer exclusively to the global
+  `harden`.
+
 # v4.1.0 (2025-06-02)
 
 - The `'endoZipBase64'` moduleFormat now utilizes the `importHook` option to

packages/bundle-source/cache.js

@@ -1,4 +1,5 @@
 // @ts-check
+import harden from '@endo/harden';
 import { makePromiseKit } from '@endo/promise-kit';
 import { makeReadPowers } from '@endo/compartment-mapper/node-powers.js';
 

packages/bundle-source/package.json

@@ -26,6 +26,7 @@
     "@endo/base64": "workspace:^",
     "@endo/compartment-mapper": "workspace:^",
     "@endo/evasive-transform": "workspace:^",
+    "@endo/harden": "workspace:^",
     "@endo/init": "workspace:^",
     "@endo/promise-kit": "workspace:^",
     "@endo/where": "workspace:^",

packages/bundle-source/src/fs.js

@@ -1,4 +1,6 @@
 // @ts-check
+import harden from '@endo/harden';
+
 let mutex = Promise.resolve(undefined);
 
 /**

packages/bundle-source/src/script.js

@@ -7,6 +7,7 @@
 import fs from 'fs';
 import os from 'os';
 
+import harden from '@endo/harden';
 import { makeFunctor } from '@endo/compartment-mapper/functor.js';
 import { makeReadPowers } from '@endo/compartment-mapper/node-powers.js';
 

packages/bundle-source/src/zip-base64.js

@@ -7,6 +7,7 @@
 import fs from 'fs';
 import os from 'os';
 
+import harden from '@endo/harden';
 import { mapNodeModules } from '@endo/compartment-mapper/node-modules.js';
 import { makeAndHashArchiveFromMap } from '@endo/compartment-mapper/archive-lite.js';
 import { encodeBase64 } from '@endo/base64';

packages/captp/NEWS.md

@@ -1,5 +1,17 @@
 User-visible changes in `@endo/captp`:
 
+# Next release
+
+- Relaxes dependence on a global, post-lockdown `harden` function by taking a
+  dependency on the new `@endo/harden` package.
+  Consequently, bundles will now entrain a `harden` implementation that is
+  superfluous if the bundled program is guaranteed to run in a post-lockdown
+  HardenedJS environment.
+  To compensate, use `bundle-source` with `-C hardened` or the analgous feature
+  for packaging conditions with your preferred bundler tool.
+  This will hollow out `@endo/harden` and defer exclusively to the global
+  `harden`.
+
 # v4.4.0 (2024-10-10)
 
 - Add optional configuration `makeCapTPImportExportTables` for external management of import/export tables.

packages/captp/package.json

@@ -58,6 +58,7 @@
   "dependencies": {
     "@endo/errors": "workspace:^",
     "@endo/eventual-send": "workspace:^",
+    "@endo/harden": "workspace:^",
     "@endo/marshal": "workspace:^",
     "@endo/nat": "workspace:^",
     "@endo/pass-style": "workspace:^",
@@ -71,7 +72,8 @@
   },
   "sesAvaConfigs": {
     "lockdown": "../../ava-endo-lockdown.config.mjs",
-    "unsafe": "../../ava-endo-lockdown-unsafe.config.mjs"
+    "unsafe": "../../ava-endo-lockdown-unsafe.config.mjs",
+    "endo": "../../ava-endo-shims-only.config.mjs"
   },
   "eslintConfig": {
     "extends": [

packages/captp/src/atomics.js

@@ -1,3 +1,4 @@
+import harden from '@endo/harden';
 import { X, Fail } from '@endo/errors';
 
 // This is a pathological minimum, but exercised by the unit test.

packages/captp/src/captp.js

@@ -5,6 +5,8 @@
 
 // This logic was mostly adapted from an earlier version of Agoric's liveSlots.js with a
 // good dose of https://github.com/capnproto/capnproto/blob/master/c++/src/capnp/rpc.capnp
+
+import harden from '@endo/harden';
 import { Remotable, Far, makeMarshal, QCLASS } from '@endo/marshal';
 import { E, HandledPromise } from '@endo/eventual-send';
 import { isPromise, makePromiseKit } from '@endo/promise-kit';

packages/captp/src/loopback.js

@@ -1,3 +1,4 @@
+import harden from '@endo/harden';
 import { Far } from '@endo/marshal';
 import { E, makeCapTP } from './captp.js';
 import { nearTrapImpl } from './trap.js';

packages/captp/src/trap.js

@@ -1,5 +1,7 @@
 // Lifted mostly from `@endo/eventual-send/src/E.js`.
 
+import harden from '@endo/harden';
+
 const { freeze } = Object;
 
 /**

packages/captp/test/export-hook.test.js

@@ -2,6 +2,8 @@
 /* global globalThis */
 import test from '@endo/ses-ava/test.js';
 
+import harden from '@endo/harden';
+import hardenIsNoop from '@endo/harden/is-noop.js';
 import { Far } from '@endo/marshal';
 import { E, makeLoopback } from '../src/loopback.js';
 
@@ -66,8 +68,8 @@
 
   // Trigger the hook to throw.
   harden(exports);
-  // @ts-ignore `isFake` purposely omitted from type
-  if (!harden.isFake) {
+  // We cannot rely on isExtensible when using lockdown with unsafe hardenTaming.
+  if (!hardenIsNoop(harden)) {
     await t.throwsAsync(() => E(bs).echo(Promise.resolve('never exported')), {
       message: /.*object is not extensible/,
     });

packages/captp/test/loopback.test.js

@@ -1,6 +1,7 @@
 /* global setTimeout */
 import test from '@endo/ses-ava/test.js';
 
+import harden from '@endo/harden';
 import { Far } from '@endo/marshal';
 import { E, makeLoopback } from '../src/loopback.js';
 

packages/check-bundle/NEWS.md

@@ -1,4 +1,16 @@
 
+# Next release
+
+- Relaxes dependence on a global, post-lockdown `harden` function by taking a
+  dependency on the new `@endo/harden` package.
+  Consequently, bundles will now entrain a `harden` implementation that is
+  superfluous if the bundled program is guaranteed to run in a post-lockdown
+  HardenedJS environment.
+  To compensate, use `bundle-source` with `-C hardened` or the analgous feature
+  for packaging conditions with your preferred bundler tool.
+  This will hollow out `@endo/harden` and defer exclusively to the global
+  `harden`.
+
 # 0.2.0 (2022-04-11)
 
 - *BREAKING:* the `@endo/check-bundle` module exports Node.js convenience

packages/check-bundle/index.js

@@ -1,4 +1,5 @@
 // @ts-check
+import harden from '@endo/harden';
 import * as fs from 'fs';
 import * as crypto from 'crypto';
 import { checkBundle as powerlessCheckBundle } from './lite.js';

packages/check-bundle/package.json

@@ -42,7 +42,8 @@
   "dependencies": {
     "@endo/base64": "workspace:^",
     "@endo/compartment-mapper": "workspace:^",
-    "@endo/errors": "workspace:^"
+    "@endo/errors": "workspace:^",
+    "@endo/harden": "workspace:^"
   },
   "devDependencies": {
     "@endo/bundle-source": "workspace:^",
@@ -77,7 +78,7 @@
   "sesAvaConfigs": {
     "lockdown": "../../ava-endo-lockdown.config.mjs",
     "unsafe": "../../ava-endo-lockdown-unsafe.config.mjs",
-    "shims": "../../ava-endo-shims-only.config.mjs"
+    "endo": "../../ava-endo-shims-only.config.mjs"
   },
   "typeCoverage": {
     "atLeast": 86.95

packages/check-bundle/test/check-bundle.test.js

@@ -5,6 +5,7 @@ import test from 'ava';
 import * as fs from 'fs';
 import * as url from 'url';
 import * as crypto from 'crypto';
+import harden from '@endo/harden';
 import bundleSource from '@endo/bundle-source';
 import { ZipWriter } from '@endo/zip';
 import { encodeBase64 } from '@endo/base64';
@@ -98,18 +99,17 @@ test('bundle and check corrupt endo zip base64 package', async t => {
   );
 });
 
-test('bundle and hash unfrozen object', async t => {
-  const bundle = {};
-  await null;
-  // @ts-ignore `isFake` purposely omitted from type
-  if (harden.isFake) {
-    t.pass();
-  } else {
+// This test is not possible if isFrozen is compromised by unsafe hardenTaming.
+(Object.isFrozen({}) ? test.skip : test)(
+  'bundle and hash unfrozen object',
+  async t => {
+    const bundle = {};
+    await null;
     await t.throwsAsync(checkBundle(bundle, computeSha512, 'fixture/main.js'), {
       message: `checkBundle cannot vouch for the ongoing integrity of an unfrozen object, got {}`,
     });
-  }
-});
+  },
+);
 
 test('bundle and hash bogus package', async t => {
   const bundle = Object.freeze({ moduleFormat: 'bogus' });

packages/cli/package.json

@@ -38,6 +38,7 @@
     "@endo/eventual-send": "workspace:^",
     "@endo/exo": "workspace:^",
     "@endo/far": "workspace:^",
+    "@endo/harden": "workspace:^",
     "@endo/import-bundle": "workspace:^",
     "@endo/init": "workspace:^",
     "@endo/lockdown": "workspace:^",

packages/cli/src/commands/run.js

@@ -1,6 +1,7 @@
 /* global globalThis, process */
 import url from 'url';
 import os from 'os';
+import harden from '@endo/harden';
 import { E, Far } from '@endo/far';
 import { makeExo } from '@endo/exo';
 import { M } from '@endo/patterns';

packages/common/NEWS.md

@@ -3,6 +3,15 @@ User-visible changes in `@endo/common`:
 # Next release
 
 - Deprecates this package's support for the checkFoo/assertCheck pattern (`Checker`, `identChecker`) in favor of the confirm/reject pattern supported by @endo/errors/rejector.js.
+- Relaxes dependence on a global, post-lockdown `harden` function by taking a
+  dependency on the new `@endo/harden` package.
+  Consequently, bundles will now entrain a `harden` implementation that is
+  superfluous if the bundled program is guaranteed to run in a post-lockdown
+  HardenedJS environment.
+  To compensate, use `bundle-source` with `-C hardened` or the analgous feature
+  for packaging conditions with your preferred bundler tool.
+  This will hollow out `@endo/harden` and defer exclusively to the global
+  `harden`.
 
 # v1.1.0 (2024-02-22)
 

packages/common/from-unique-entries.js

@@ -1,3 +1,4 @@
+import harden from '@endo/harden';
 import { q, Fail } from '@endo/errors';
 
 const { fromEntries } = Object;

packages/common/ident-checker.js

@@ -1,3 +1,5 @@
+import harden from '@endo/harden';
+
 /**
  * @deprecated Use `Rejector` in the confirm/reject pattern instead
  * @callback Checker

packages/common/list-difference.js

@@ -1,3 +1,5 @@
+import harden from '@endo/harden';
+
 /**
  * Return a list of all the elements present in the `leftList` and not
  * in the `rightList`. Return in the order of their appearance in `leftList`.

packages/common/make-array-iterator.js

@@ -1,3 +1,4 @@
+import harden from '@endo/harden';
 import { makeIterator } from './make-iterator.js';
 
 /**

packages/common/make-iterator.js

@@ -1,3 +1,5 @@
+import harden from '@endo/harden';
+
 /**
  * Makes a one-shot iterable iterator from a provided `next` function.
  *

packages/common/object-map.js

@@ -1,3 +1,5 @@
+import harden from '@endo/harden';
+
 const { entries, fromEntries } = Object;
 
 /**

packages/common/object-meta-assign.js

@@ -1,3 +1,5 @@
+import harden from '@endo/harden';
+
 const { getOwnPropertyDescriptors, defineProperties } = Object;
 
 /**

packages/common/object-meta-map.js

@@ -1,3 +1,5 @@
+import harden from '@endo/harden';
+
 const { getOwnPropertyDescriptors, create, fromEntries } = Object;
 const { ownKeys } = Reflect;
 

packages/common/package.json

@@ -42,6 +42,7 @@
   "dependencies": {
     "@endo/errors": "workspace:^",
     "@endo/eventual-send": "workspace:^",
+    "@endo/harden": "workspace:^",
     "@endo/promise-kit": "workspace:^"
   },
   "devDependencies": {
@@ -74,6 +75,7 @@
   },
   "sesAvaConfigs": {
     "lockdown": "../../ava-endo-lockdown.config.mjs",
-    "unsafe": "../../ava-endo-lockdown-unsafe.config.mjs"
+    "unsafe": "../../ava-endo-lockdown-unsafe.config.mjs",
+    "endo": "../../ava-endo-shims-only.config.mjs"
   }
 }

packages/common/test/from-unique-entries.test.js

@@ -1,5 +1,6 @@
 import test from '@endo/ses-ava/test.js';
 
+import harden from '@endo/harden';
 import { fromUniqueEntries } from '../from-unique-entries.js';
 
 test('test fromUniqueEntries', async t => {

packages/common/test/object-meta-map.test.js

@@ -1,12 +1,11 @@
 import test from '@endo/ses-ava/test.js';
 
+import harden from '@endo/harden';
+import hardenIsNoop from '@endo/harden/is-noop.js';
 import { objectMetaMap } from '../object-meta-map.js';
 
 const { getOwnPropertyDescriptors, getPrototypeOf } = Object;
 
-// @ts-expect-error isFake is not advertised by the type of harden.
-const hardenIsFake = !!harden.isFake;
-
 test('test objectMetaMap', async t => {
   const mapped = objectMetaMap(
     { a: 1, b: 2, c: 3 },
@@ -24,15 +23,15 @@ test('test objectMetaMap', async t => {
   t.deepEqual(getOwnPropertyDescriptors(mapped), {
     a: {
       value: 2,
-      writable: hardenIsFake,
+      writable: hardenIsNoop(harden),
       enumerable: false,
-      configurable: hardenIsFake,
+      configurable: hardenIsNoop(harden),
     },
     c: {
       value: 6,
-      writable: hardenIsFake,
+      writable: hardenIsNoop(harden),
       enumerable: false,
-      configurable: hardenIsFake,
+      configurable: hardenIsNoop(harden),
     },
   });
   t.is(getPrototypeOf(mapped), null);

packages/compartment-mapper/package.json

@@ -68,6 +68,7 @@
     "ses": "workspace:^"
   },
   "devDependencies": {
+    "@endo/init": "workspace:^",
     "ava": "catalog:dev",
     "c8": "catalog:dev",
     "eslint": "catalog:dev",