@agoric/swingset-vat 0.33.0-upgrade-16-dev-0df76a7.0 → 0.33.0-upgrade-17-dev-a1453b2.0

package/README.md

@@ -204,7 +204,7 @@ If wavy dot syntax is used on a Promise which rejects, the method is not invoked
 the return promise's `rejection` function is called instead:
 
 ```js
-const badP = Promise.reject(new Error());
+const badP = Promise.reject(Error());
 const p2 = badP~.foo();
 p2.then(undefined, rej => console.log('rejected', rej));
 // prints 'rejected'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agoric/swingset-vat",
-  "version": "0.33.0-upgrade-16-dev-0df76a7.0+0df76a7",
+  "version": "0.33.0-upgrade-17-dev-a1453b2.0+a1453b2",
   "description": "Vat/Container Launcher",
   "type": "module",
   "main": "src/index.js",
@@ -27,33 +27,34 @@
     "@types/yargs-parser": "^21.0.0"
   },
   "dependencies": {
-    "@agoric/assert": "0.6.1-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/internal": "0.4.0-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/kmarshal": "0.1.1-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/store": "0.9.3-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/swing-store": "0.9.2-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/swingset-liveslots": "0.10.3-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/swingset-xsnap-supervisor": "0.10.3-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/time": "0.3.3-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/vat-data": "0.5.3-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/xsnap": "0.14.3-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@agoric/xsnap-lockdown": "0.14.1-upgrade-16-dev-0df76a7.0+0df76a7",
-    "@endo/base64": "^1.0.5",
-    "@endo/bundle-source": "^3.2.3",
-    "@endo/captp": "^4.2.0",
-    "@endo/check-bundle": "^1.0.7",
-    "@endo/compartment-mapper": "^1.1.5",
-    "@endo/eventual-send": "^1.2.2",
-    "@endo/far": "^1.1.2",
-    "@endo/import-bundle": "^1.1.2",
-    "@endo/init": "^1.1.2",
-    "@endo/marshal": "^1.5.0",
-    "@endo/nat": "^5.0.7",
-    "@endo/patterns": "^1.4.0",
-    "@endo/promise-kit": "^1.1.2",
-    "@endo/ses-ava": "^1.2.2",
-    "@endo/stream": "^1.2.2",
-    "@endo/zip": "^1.0.5",
+    "@agoric/internal": "0.4.0-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@agoric/kmarshal": "0.1.1-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@agoric/store": "0.9.3-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@agoric/swing-store": "0.9.2-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@agoric/swingset-liveslots": "0.10.3-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@agoric/swingset-xsnap-supervisor": "0.10.3-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@agoric/time": "0.3.3-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@agoric/vat-data": "0.5.3-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@agoric/xsnap": "0.14.3-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@agoric/xsnap-lockdown": "0.14.1-upgrade-17-dev-a1453b2.0+a1453b2",
+    "@endo/base64": "^1.0.7",
+    "@endo/bundle-source": "^3.4.0",
+    "@endo/captp": "^4.3.0",
+    "@endo/check-bundle": "^1.0.9",
+    "@endo/compartment-mapper": "^1.2.2",
+    "@endo/errors": "^1.2.5",
+    "@endo/eventual-send": "^1.2.5",
+    "@endo/far": "^1.1.5",
+    "@endo/import-bundle": "^1.2.2",
+    "@endo/init": "^1.1.4",
+    "@endo/marshal": "^1.5.3",
+    "@endo/nat": "^5.0.10",
+    "@endo/pass-style": "^1.4.3",
+    "@endo/patterns": "^1.4.3",
+    "@endo/promise-kit": "^1.1.5",
+    "@endo/ses-ava": "^1.2.5",
+    "@endo/stream": "^1.2.5",
+    "@endo/zip": "^1.0.7",
     "ansi-styles": "^6.2.1",
     "anylogger": "^0.21.0",
     "better-sqlite3": "^9.1.1",
@@ -100,7 +101,7 @@
     "access": "public"
   },
   "typeCoverage": {
-    "atLeast": 75.02
+    "atLeast": 75.7
   },
-  "gitHead": "0df76a71058eda04cdc75a54fb4312d286f323a3"
+  "gitHead": "a1453b2877b017a7f5b43a92364067d001901953"
 }

package/src/controller/controller.js

@@ -9,7 +9,7 @@ import { tmpName } from 'tmp';
 import anylogger from 'anylogger';
 import microtime from 'microtime';
 
-import { assert, Fail } from '@agoric/assert';
+import { assert, Fail } from '@endo/errors';
 import { importBundle } from '@endo/import-bundle';
 import { initSwingStore } from '@agoric/swing-store';
 
@@ -21,6 +21,7 @@ import { waitUntilQuiescent } from '@agoric/internal/src/lib-nodejs/waitUntilQui
 import { makeGcAndFinalize } from '@agoric/internal/src/lib-nodejs/gc-and-finalize.js';
 import { kslot, krefOf } from '@agoric/kmarshal';
 import { insistStorageAPI } from '../lib/storageAPI.js';
+import { insistCapData } from '../lib/capdata.js';
 import {
   buildKernelBundle,
   swingsetIsInitialized,
@@ -33,6 +34,10 @@ import {
 import { makeStartXSnap } from './startXSnap.js';
 import { makeStartSubprocessWorkerNode } from './startNodeSubprocess.js';
 
+/**
+ * @typedef { import('../types-internal.js').VatID } VatID
+ */
+
 const endoZipBase64Sha512Shape = harden({
   moduleFormat: 'endoZipBase64',
   endoZipBase64: M.string(harden({ stringLengthLimit: Infinity })),
@@ -441,6 +446,48 @@ export async function makeSwingsetController(
       // no emitCrankHashes here because queueToVatRoot did that
       return result;
     },
+
+    /**
+     * terminate a vat by ID
+     *
+     * This allows the host app to terminate any vat. The effect is
+     * equivalent to the holder of the vat's `adminNode` calling
+     * `E(adminNode).terminateWithFailure(reason)`, or the vat itself
+     * calling `vatPowers.exitVatWithFailure(reason)`. It accepts a
+     * reason capdata structure (use 'kser()' to build one), which
+     * will be included in rejection data for the promise available to
+     * `E(adminNode).done()`, just like the internal termination APIs.
+     * Note that no slots/krefs are allowed in 'reason' when
+     * terminating the vat externally.
+     *
+     * This is a superpower available only from the host app, not from
+     * within vats, since `vatID` is merely a string and can be forged
+     * trivially. The host app is responsible for supplying the right
+     * vatID to kill, by looking at the database or logs (note that
+     * vats do not know their own vatID, and `controller.vatNameToID`
+     * only works for static vats, not dynamic).
+     *
+     * This will cause state changes in the swing-store (specifically
+     * marking the vat as terminated, and rejection all its
+     * outstanding promises), which must be committed before they will
+     * be durable. Either call `hostStorage.commit()` immediately
+     * after calling this, or call `controller.run()` and *then*
+     * `hostStorage.commit()` as you would normally do in response to
+     * other I/O or timer activity.
+     *
+     * The first `controller.run()` after this call will delete all
+     * the old vat's state at once, unless you use a
+     * [`runPolicy`](../docs/run-policy.md) to rate-limit cleanups.
+     *
+     * @param {VatID} vatID
+     * @param {SwingSetCapData} reasonCD
+     */
+
+    terminateVat(vatID, reasonCD) {
+      insistCapData(reasonCD);
+      assert(reasonCD.slots.length === 0, 'no slots allowed in reason');
+      kernel.terminateVatExternally(vatID, reasonCD);
+    },
   });
 
   writeSlogObject({ type: 'kernel-init-finish' });

package/src/controller/initializeKernel.js

@@ -1,22 +1,40 @@
 /* eslint-disable no-use-before-define */
 
+import { assert, Fail } from '@endo/errors';
 import { makeMarshal } from '@endo/marshal';
 import { Far } from '@endo/far';
-import { assert, Fail } from '@agoric/assert';
 import { kser, kunser } from '@agoric/kmarshal';
 import { assertKnownOptions } from '../lib/assertOptions.js';
 import { insistVatID } from '../lib/id.js';
 import { makeVatSlot } from '../lib/parseVatSlots.js';
 import { insistStorageAPI } from '../lib/storageAPI.js';
 import { makeVatOptionRecorder } from '../lib/recordVatOptions.js';
-import makeKernelKeeper from '../kernel/state/kernelKeeper.js';
+import makeKernelKeeper, {
+  DEFAULT_DELIVERIES_PER_BOYD,
+  DEFAULT_GC_KREFS_PER_BOYD,
+} from '../kernel/state/kernelKeeper.js';
 import { exportRootObject } from '../kernel/kernel.js';
 import { makeKernelQueueHandler } from '../kernel/kernelQueue.js';
 
+/**
+ * @typedef { import('../types-external.js').SwingSetKernelConfig } SwingSetKernelConfig
+ * @typedef { import('../types-external.js').SwingStoreKernelStorage } SwingStoreKernelStorage
+ * @typedef { import('../types-internal.js').InternalKernelOptions } InternalKernelOptions
+ * @typedef { import('../types-internal.js').ReapDirtThreshold } ReapDirtThreshold
+ */
+
 function makeVatRootObjectSlot() {
   return makeVatSlot('object', true, 0);
 }
 
+/**
+ * @param {SwingSetKernelConfig} config
+ * @param {SwingStoreKernelStorage} kernelStorage
+ * @param {*} [options]
+ * @returns {Promise<string | undefined>} KPID of the bootstrap message
+ *                                        result promise
+ */
+
 export async function initializeKernel(config, kernelStorage, options = {}) {
   const {
     verbose = false,
@@ -25,22 +43,27 @@ export async function initializeKernel(config, kernelStorage, options = {}) {
   const logStartup = verbose ? console.debug : () => 0;
   insistStorageAPI(kernelStorage.kvStore);
 
-  const kernelSlog = null;
-  const kernelKeeper = makeKernelKeeper(kernelStorage, kernelSlog);
+  const kernelKeeper = makeKernelKeeper(kernelStorage, 'uninitialized');
   const optionRecorder = makeVatOptionRecorder(kernelKeeper, bundleHandler);
 
-  const wasInitialized = kernelKeeper.getInitialized();
-  assert(!wasInitialized);
   const {
     defaultManagerType,
-    defaultReapInterval,
+    defaultReapInterval = DEFAULT_DELIVERIES_PER_BOYD,
+    defaultReapGCKrefs = DEFAULT_GC_KREFS_PER_BOYD,
     relaxDurabilityRules,
     snapshotInitial,
     snapshotInterval,
   } = config;
+  /** @type { ReapDirtThreshold } */
+  const defaultReapDirtThreshold = {
+    deliveries: defaultReapInterval,
+    gcKrefs: defaultReapGCKrefs,
+    computrons: 'never', // TODO no knob?
+  };
+  /** @type { InternalKernelOptions } */
   const kernelOptions = {
     defaultManagerType,
-    defaultReapInterval,
+    defaultReapDirtThreshold,
     relaxDurabilityRules,
     snapshotInitial,
     snapshotInterval,
@@ -49,7 +72,7 @@ export async function initializeKernel(config, kernelStorage, options = {}) {
 
   for (const id of Object.keys(config.idToBundle || {})) {
     const bundle = config.idToBundle[id];
-    assert.equal(bundle.moduleFormat, 'endoZipBase64');
+    assert(bundle.moduleFormat === 'endoZipBase64');
     if (!kernelKeeper.hasBundle(id)) {
       kernelKeeper.addBundle(id, bundle);
     }
@@ -64,7 +87,7 @@ export async function initializeKernel(config, kernelStorage, options = {}) {
 
   // generate the genesis vats
   await null;
-  if (config.vats) {
+  if (config.vats && Object.keys(config.vats).length) {
     for (const name of Object.keys(config.vats)) {
       const {
         bundleID,
@@ -86,6 +109,8 @@ export async function initializeKernel(config, kernelStorage, options = {}) {
         'useTranscript',
         'critical',
         'reapInterval',
+        'reapGCKrefs',
+        'neverReap',
         'nodeOptions',
       ]);
       const vatID = kernelKeeper.allocateVatIDForNameIfNeeded(name);

package/src/controller/initializeSwingset.js

@@ -2,7 +2,7 @@
 import fs from 'fs';
 import path from 'path';
 
-import { assert, Fail } from '@agoric/assert';
+import { assert, Fail } from '@endo/errors';
 import { makeTracer } from '@agoric/internal';
 import { mustMatch } from '@agoric/store';
 import bundleSource from '@endo/bundle-source';
@@ -256,7 +256,10 @@ export async function loadSwingsetConfigFile(configPath) {
 }
 
 export function swingsetIsInitialized(kernelStorage) {
-  return !!kernelStorage.kvStore.get('initialized');
+  return !!(
+    kernelStorage.kvStore.get('version') ||
+    kernelStorage.kvStore.get('initialized')
+  );
 }
 
 /**
@@ -397,7 +400,7 @@ export async function initializeSwingset(
         enableSetup: true,
         managerType: 'local',
         useTranscript: false,
-        reapInterval: 'never',
+        neverReap: true,
       },
     };
   }

package/src/controller/startXSnap.js

@@ -1,5 +1,5 @@
 import path from 'path';
-import { Fail } from '@agoric/assert';
+import { Fail } from '@endo/errors';
 import { type as osType } from 'os';
 import { xsnap, recordXSnap } from '@agoric/xsnap';
 

package/src/controller/upgradeSwingset.js

@@ -0,0 +1,212 @@
+import {
+  DEFAULT_REAP_DIRT_THRESHOLD_KEY,
+  DEFAULT_GC_KREFS_PER_BOYD,
+  getAllDynamicVats,
+  getAllStaticVats,
+} from '../kernel/state/kernelKeeper.js';
+
+const upgradeVatV0toV1 = (kvStore, defaultReapDirtThreshold, vatID) => {
+  // This is called, once per vat, when upgradeSwingset migrates from
+  // v0 to v1
+
+  // schema v0:
+  // Each vat has a `vNN.reapInterval` and `vNN.reapCountdown`.
+  // vNN.options has a `.reapInterval` property (however it was not
+  // updated by processChangeVatOptions).  Either all are numbers, or
+  // all are 'never'.
+
+  const oldReapIntervalKey = `${vatID}.reapInterval`;
+  const oldReapCountdownKey = `${vatID}.reapCountdown`;
+  const vatOptionsKey = `${vatID}.options`;
+
+  // schema v1:
+  // Each vat has a `vNN.reapDirt`, and vNN.options has a
+  // `.reapDirtThreshold` property (which overrides kernel-wide
+  // `defaultReapDirtThreshold`)
+
+  const reapDirtKey = `${vatID}.reapDirt`;
+
+  assert(kvStore.has(oldReapIntervalKey), oldReapIntervalKey);
+  assert(kvStore.has(oldReapCountdownKey), oldReapCountdownKey);
+  assert(!kvStore.has(reapDirtKey), reapDirtKey);
+
+  const reapIntervalString = kvStore.get(oldReapIntervalKey);
+  const reapCountdownString = kvStore.get(oldReapCountdownKey);
+  assert(reapIntervalString !== undefined);
+  assert(reapCountdownString !== undefined);
+
+  const intervalIsNever = reapIntervalString === 'never';
+  const countdownIsNever = reapCountdownString === 'never';
+  // these were supposed to be the same
+  assert(
+    intervalIsNever === countdownIsNever,
+    `reapInterval=${reapIntervalString}, reapCountdown=${reapCountdownString}`,
+  );
+
+  // initialize or upgrade state
+  const reapDirt = {}; // all missing keys are treated as zero
+  const threshold = {};
+
+  if (intervalIsNever) {
+    // old vats that were never reaped (eg comms) used
+    // reapInterval='never', so respect that and set the other
+    // threshold values to never as well
+    threshold.never = true;
+  } else {
+    // deduce delivery count from old countdown values
+    const reapInterval = Number.parseInt(reapIntervalString, 10);
+    const reapCountdown = Number.parseInt(reapCountdownString, 10);
+    const deliveries = reapInterval - reapCountdown;
+    reapDirt.deliveries = Math.max(deliveries, 0); // just in case
+    if (reapInterval !== defaultReapDirtThreshold.deliveries) {
+      threshold.deliveries = reapInterval;
+    }
+  }
+
+  kvStore.delete(oldReapIntervalKey);
+  kvStore.delete(oldReapCountdownKey);
+  kvStore.set(reapDirtKey, JSON.stringify(reapDirt));
+
+  // Update options to use the new schema.
+  const options = JSON.parse(kvStore.get(vatOptionsKey));
+  delete options.reapInterval;
+  options.reapDirtThreshold = threshold;
+  kvStore.set(vatOptionsKey, JSON.stringify(options));
+};
+
+/**
+ * (maybe) upgrade the kernel state to the current schema
+ *
+ * This function is responsible for bringing the kernel's portion of
+ * swing-store (kernelStorage) up to the current version. The host app
+ * must call this each time it launches with a new version of
+ * swingset, before using makeSwingsetController() to build the
+ * kernel/controller (which will throw an error if handed an old
+ * database). It is ok to call it only on those reboots, but it is
+ * also safe to call on every reboot, because upgradeSwingset() is a
+ * no-op if the DB is already up-to-date.
+ *
+ * If an upgrade is needed, this function will modify the DB state, so
+ * the host app must be prepared for export-data callbacks being
+ * called during the upgrade, and it is responsible for doing a
+ * `hostStorage.commit()` afterwards.
+ *
+ * @param {SwingStoreKernelStorage} kernelStorage
+ * @returns {boolean} true if any changes were made
+ */
+export const upgradeSwingset = kernelStorage => {
+  const { kvStore } = kernelStorage;
+  let modified = false;
+  let vstring = kvStore.get('version');
+  if (vstring === undefined) {
+    vstring = '0';
+  }
+  let version = Number(vstring);
+
+  /**
+   * @param {string} key
+   * @returns {string}
+   */
+  function getRequired(key) {
+    if (!kvStore.has(key)) {
+      throw Error(`storage lacks required key ${key}`);
+    }
+    // @ts-expect-error already checked .has()
+    return kvStore.get(key);
+  }
+
+  // kernelKeeper.js has a large comment that defines our current
+  // kvStore schema, with a section describing the deltas. The upgrade
+  // steps applied here must match.
+
+  // schema v0:
+  //
+  // The kernel overall has `kernel.defaultReapInterval` and
+  // `kernel.initialized = 'true'`.
+  //
+  // Each vat has a `vNN.reapInterval` and `vNN.reapCountdown`.
+  // vNN.options has a `.reapInterval` property (however it was not
+  // updated by processChangeVatOptions, so do not rely upon its
+  // value).  Either all are numbers, or all are 'never'.
+
+  if (version < 1) {
+    // schema v1:
+    //
+    // The kernel overall has `kernel.defaultReapDirtThreshold` and
+    // `kernel.version = '1'` (instead of .initialized).
+    //
+    // Each vat has a `vNN.reapDirt`, and vNN.options has a
+    // `.reapDirtThreshold` property
+
+    // So:
+    // * replace `kernel.initialized` with `kernel.version`
+    // * replace `kernel.defaultReapInterval` with
+    //   `kernel.defaultReapDirtThreshold`
+    // * replace vat's `vNN.reapInterval`/`vNN.reapCountdown` with
+    //   `vNN.reapDirt` and a `vNN.reapDirtThreshold` in `vNN.options`
+    // * then do per-vat upgrades with upgradeVatV0toV1
+
+    assert(kvStore.has('initialized'));
+    kvStore.delete('initialized');
+    // 'version' will be set at the end
+
+    // upgrade from old kernel.defaultReapInterval
+
+    const oldDefaultReapIntervalKey = 'kernel.defaultReapInterval';
+    assert(kvStore.has(oldDefaultReapIntervalKey));
+    assert(!kvStore.has(DEFAULT_REAP_DIRT_THRESHOLD_KEY));
+
+    /**
+     * @typedef { import('../types-internal.js').ReapDirtThreshold } ReapDirtThreshold
+     */
+
+    /** @type ReapDirtThreshold */
+    const threshold = {
+      deliveries: 'never',
+      gcKrefs: 'never',
+      computrons: 'never',
+    };
+
+    const oldValue = getRequired(oldDefaultReapIntervalKey);
+    if (oldValue !== 'never') {
+      const value = Number.parseInt(oldValue, 10);
+      assert.typeof(value, 'number');
+      threshold.deliveries = value;
+      // if BOYD wasn't turned off entirely (eg
+      // defaultReapInterval='never', which only happens in unit
+      // tests), then pretend we wanted a gcKrefs= threshold all
+      // along, so all vats get a retroactive gcKrefs threshold, which
+      // we need for the upcoming slow-vat-deletion to not trigger
+      // gigantic BOYD and break the kernel
+      threshold.gcKrefs = DEFAULT_GC_KREFS_PER_BOYD;
+    }
+    harden(threshold);
+    kvStore.set(DEFAULT_REAP_DIRT_THRESHOLD_KEY, JSON.stringify(threshold));
+    kvStore.delete(oldDefaultReapIntervalKey);
+
+    // now upgrade all vats
+    for (const [_name, vatID] of getAllStaticVats(kvStore)) {
+      upgradeVatV0toV1(kvStore, threshold, vatID);
+    }
+    for (const vatID of getAllDynamicVats(getRequired)) {
+      upgradeVatV0toV1(kvStore, threshold, vatID);
+    }
+
+    modified = true;
+    version = 1;
+  }
+
+  if (version < 2) {
+    // schema v2: add vats.terminated = []
+    assert(!kvStore.has('vats.terminated'));
+    kvStore.set('vats.terminated', JSON.stringify([]));
+    modified = true;
+    version = 2;
+  }
+
+  if (modified) {
+    kvStore.set('version', `${version}`);
+  }
+  return modified;
+};
+harden(upgradeSwingset);

package/src/devices/bridge/device-bridge.js

@@ -1,4 +1,4 @@
-import { Fail } from '@agoric/assert';
+import { Fail } from '@endo/errors';
 import { Far } from '@endo/far';
 
 function sanitize(data) {

package/src/devices/bundle/device-bundle.js

@@ -1,4 +1,4 @@
-import { assert } from '@agoric/assert';
+import { assert } from '@endo/errors';
 import { buildSerializationTools } from '../lib/deviceTools.js';
 
 /*

package/src/devices/command/command.js

@@ -1,8 +1,7 @@
+import { Fail } from '@endo/errors';
 import { makePromiseKit } from '@endo/promise-kit';
 import { Nat } from '@endo/nat';
 
-import { Fail } from '@agoric/assert';
-
 export default function buildCommand(broadcastCallback) {
   broadcastCallback || Fail`broadcastCallback must be provided.`;
   let inboundCallback;

package/src/devices/command/device-command.js

@@ -1,8 +1,7 @@
+import { Fail } from '@endo/errors';
 import { Nat } from '@endo/nat';
 import { Far } from '@endo/far';
 
-import { Fail } from '@agoric/assert';
-
 export function buildRootDeviceNode(tools) {
   const { SO, getDeviceState, setDeviceState, endowments } = tools;
   const { registerInboundCallback, deliverResponse, sendBroadcast } =

package/src/devices/lib/deviceTools.js

@@ -1,4 +1,4 @@
-import { assert, Fail } from '@agoric/assert';
+import { assert, Fail } from '@endo/errors';
 import { makeMarshal } from '@endo/marshal';
 import { Far } from '@endo/far';
 import { parseVatSlot } from '../../lib/parseVatSlots.js';

package/src/devices/loopbox/device-loopbox.js

@@ -1,4 +1,4 @@
-import { Fail } from '@agoric/assert';
+import { Fail } from '@endo/errors';
 import { Far } from '@endo/far';
 
 export function buildRootDeviceNode(tools) {

package/src/devices/loopbox/loopbox.js

@@ -1,4 +1,4 @@
-import { Fail } from '@agoric/assert';
+import { Fail } from '@endo/errors';
 
 /*
  * The "loopbox" is a special device used for unit tests, which glues one

package/src/devices/mailbox/device-mailbox.js

@@ -1,8 +1,7 @@
+import { assert, Fail } from '@endo/errors';
 import { Nat } from '@endo/nat';
 import { Far } from '@endo/far';
 
-import { assert, Fail } from '@agoric/assert';
-
 export function buildRootDeviceNode(tools) {
   const { SO, getDeviceState, setDeviceState, endowments } = tools;
 

package/src/devices/mailbox/mailbox.js

@@ -64,10 +64,9 @@
 
 */
 
+import { Fail } from '@endo/errors';
 import { Nat } from '@endo/nat';
 
-import { Fail } from '@agoric/assert';
-
 // This Map-based mailboxState object is a good starting point, but we may
 // replace it with one that tracks which parts of the state have been
 // modified, to build more efficient Merkle proofs.

package/src/devices/plugin/device-plugin.js

@@ -1,6 +1,6 @@
+import { Fail } from '@endo/errors';
 import { makeCapTP } from '@endo/captp';
 import { Far } from '@endo/far';
-import { Fail } from '@agoric/assert';
 
 export function buildRootDeviceNode(tools) {
   const { SO, getDeviceState, setDeviceState, endowments } = tools;

package/src/devices/timer/device-timer.js

@@ -23,7 +23,7 @@
  */
 
 import { Nat } from '@endo/nat';
-import { assert, Fail } from '@agoric/assert';
+import { assert, Fail } from '@endo/errors';
 import { Far } from '@endo/far';
 
 // Since we use harden when saving the state, we need to copy the arrays so they

package/src/devices/timer/timer.js

@@ -1,6 +1,6 @@
 import { Nat } from '@endo/nat';
 
-import { Fail } from '@agoric/assert';
+import { Fail } from '@endo/errors';
 
 /**
  * Endowments for a Timer device that can be made available to SwingSet vats.

package/src/devices/vat-admin/device-vat-admin.js

@@ -1,5 +1,5 @@
 import { Nat } from '@endo/nat';
-import { assert } from '@agoric/assert';
+import { assert } from '@endo/errors';
 import { kunser } from '@agoric/kmarshal';
 import { buildSerializationTools } from '../lib/deviceTools.js';
 import { insistVatID } from '../../lib/id.js';
@@ -82,6 +82,7 @@ bundleID before submitting to the kernel), or (temporarily) a full bundle.
  * @typedef { string } VatID
  * @typedef { string } UpgradeID
  * @typedef {{
+ *  changeOptions: (vatID: string, options: {}) => void;
  *  createMeter: (remaining: bigint, threshold: bigint) => MeterID
  *  createUnlimitedMeter: () => MeterID
  *  addMeterRemaining: (meterID: MeterID, delta: bigint) => void
@@ -89,7 +90,8 @@ bundleID before submitting to the kernel), or (temporarily) a full bundle.
  *  getMeter: (meterID: MeterID) => { remaining: bigint, threshold: bigint }
  *  createByBundle: (bundle: Bundle, options: {}) => VatID
  *  createByBundleID: (bundleID: BundleID, options: {}) => VatID
- *  upgradeVat: (bundleID: BundleID, vatParameters: {}) => UpgradeID
+ *  getBundleIDByName: (name: string) => string;
+ *  upgradeVat: (vatID: string, bundleID: BundleID, _vatParameters: unknown, upgradeMessage: string) => UpgradeID;
  *  terminateWithFailure: (vatID: VatID, reason: {}) => void
  *  getBundleCap: (bundleID: BundleID) => BundleCap
  *  getNamedBundleCap: (name: string) => BundleCap