feat(compartment-mapper)!: new hooks & type overhaul

[boneskull]

Refs: #2929

This PR supersedes #2929 which should now be considered abandoned.

This PR targets #2915, if you didn't notice.

Description

This PR is "complete" and ready for review. It makes a significant overhaul to types and adds new options to several public APIs.

Description of changes to Types

• The types around CompartmentMapDescriptor have been vastly expanded to reflect the different "flavors" of CompartmentMapDescriptor, CompartmentDescriptor, ModuleDescriptor (now ModuleDescriptorConfiguration to differentiate it from ses' ModuleDescriptor), and the formatting of the compartment names (keys).
• CompartmentDescriptor.label is now a canonical name.
• CompartmentDescriptor.path is removed
• CompartmentDescriptor.compartments is removed
• Added many type guards for validation of these differing types
  • Validation of different types of compartment map
  • Stricter validation
  • Validation of all types of compartment descriptors, module descriptor configurations, etc.

New Default Behavior in mapNodeModules()

Currently, mapNodeModules() avoids adding a ModuleDescriptor (ModuleDescriptorConfiguration) to a nascent CompartmentDescriptor's modules prop if policy disallows it. This PR changes the behavior to consider policy & excise the dependency from the Node itself before the (dependency) Graph is translated into a CompartmentDescriptor. This has implications around what sort of errors are thrown when Compartment A attempts to load a Compartment B to which it has no access (see note about policy tests below).

Other Notes

• Since CompartmentDescriptor.compartments has been removed, that means implicitly allowing dynamic requires of parent/ancestor Compartments from a given Compartment via absolute path is no longer supported. That's fine, since:
  • This should be explicit in policy anyway
  • @lavamoat/node was the only user of this feature and no longer needs it
• The entry compartment now has a canonical name of $root$. It is valid within PackagePolicy; i.e. some other package can be allowed to access the $root$ compartment.
• Many tests in test/policy.test.ts needed to change because of how mapNodeModules' packageDependencies hook works. Instead of rejecting module descriptors (ModuleDescriptorConfigurations) based on policy, we reject entire dependencies before they can be "digested" into module descriptors. This results in ScopeDescriptors not being populated, in addition to ModuleDescriptorConfigurations, and causes downstream effects. Different exceptions are thrown at different times, but the intent of these tests doesn't deviate from "ensure this naughty behavior is not allowed."

Security Considerations

None that I'm aware of.

Scaling Considerations

Any consumer providing a resource-intensive blocking hook to @endo/compartment-mapper gets the performance they deserve.

Documentation Considerations

This is a breaking change to the contents of the archives as well as a breaking change to the types. It is not a breaking change to the archive format, but it will contain different values (instead of packageName-v<version> the compartment descriptors will be keyed on the canonical name).

Testing Considerations

• There are some unit tests but we need more integration tests.

Compatibility Considerations

The breaking changes mentioned above, but it also solves like ten different problems @lavamoat/node was having trying to get things to work. It significantly improves ecosystem compatibility and will improve the performance of @lavamoat/node.

Upgrade Considerations

• Include *BREAKING*: in the commit message with migration instructions for any breaking change.
• Update NEWS.md for user-facing changes.

---

This commit introduces a comprehensive universal hook system for @endo/compartment-mapper,
enabling extensible customization of module mapping, bundling, and policy enforcement.

BREAKING CHANGES: CompartmentDescriptor objects no longer have a path property and the label property is now a canonical name. Types have changed dramatically. Enhanced validation of CompartmentMapDescriptor objects.

New Options

mapNodeModules()

• packageDataHook: Called once before translateGraph with data about all packages found while crawling node_modules. Receives a read-only Map<CanonicalName, PackageData> where each entry contains:

  • name: Package name
  • packageDescriptor: The package.json contents
  • location: File URL to the package
  • canonicalName: The canonical name used in policy

• packageDependenciesHook: Called for each package's dependencies during graph translation, allowing dynamic modification of the dependency graph. Can add or remove dependencies from packages based on policy or other criteria.

• unknownCanonicalNameHook: Called when policy references canonical names that don't exist in the dependency graph, with optional suggestions for typos/similar names.

makeImportHookMaker()

• moduleSourceHook(): Called when module source objects are created (either from local files containing bytes, exit modules, or "error-type" sources)

captureFromMap()

• packageConnectionsHook: Called during digest; surfaces "connections" between compartment descriptors

Type System Overhaul (src/types/)

Major Breaking Type Changes in compartment-map-schema.ts:

CompartmentDescriptor Interface Restructure:

• BREAKING: Removed path property - compartment descriptors no longer track dependency paths
• BREAKING: label property type changed from string to CanonicalName<U> - labels are now type-safe canonical names
• BREAKING: Made CompartmentDescriptor generic with <T extends ModuleDescriptorConfiguration, U extends string> for better type safety
• Added location: string as a required property for all compartment descriptors
• Added optional sourceDirname as found in the sources

CompartmentMapDescriptor Genericization (Is That A Word? No):

• BREAKING: CompartmentMapDescriptor is now generic: CompartmentMapDescriptor<T, Name, EntryName>
• BREAKING: compartments property changed from Record<string, CompartmentDescriptor> to CompartmentDescriptors<T, Name>
• BREAKING: entry property type changed from EntryDescriptor to EntryDescriptor<EntryName>
• New specialized types: PackageCompartmentMapDescriptor, FileCompartmentMapDescriptor, and DigestedCompartmentMapDescriptor

Enhanced Module Descriptor System:

• ModuleDescriptor is now ModuleDescriptorConfiguration to differentiate between it & the ModuleDescriptor from ses
• Added ModuleDescriptorConfigurationCreator enum tracking module creation source ('link' | 'transform' | 'import-hook' | 'digest' | 'node-modules')
• Enhanced BaseModuleDescriptorConfiguration with __createdBy property for debugging
• Added ErrorModuleDescriptorConfiguration for deferred error handling
• Improved type discrimination with ModuleDescriptorConfigurationKindToType utility type

New Type Infrastructure:

canonical-name.ts - Canonical Name Type System:

• NEW: Type-level canonical name validation using template literal types
• CanonicalName<S> - validates npm package name chains separated by '>' (e.g., "foo>bar", "@scope/pkg>dep")
• ScopedPackageName and UnscopedPackageName for npm package name validation
• SplitOnGt<S> and AllValidPackageNames<Parts> for compile-time canonical name parsing
• IsCanonicalName<S> predicate type for conditional type logic

Enhanced Type Safety Features:

Compartment Descriptor Validation:

• DigestedCompartmentDescriptor - restricted descriptor for archived compartment maps
• Properties marked as never for digested descriptors: path, retained, scopes, parsers, types, __createdBy, sourceDirname
• CompartmentDescriptorWithPolicy<T> - enforces policy presence where required

Module Configuration Type Safety:

• ModuleDescriptorConfigurationKind union for module type discrimination
• Type-safe module configuration creators with __createdBy tracking

Policy Integration:

• Enhanced policy types in PackageCompartmentDescriptor with canonical name constraints
• LiteralUnion usage for special canonical names (ATTENUATORS_COMPARTMENT, ENTRY_COMPARTMENT)
• Policy-aware compartment descriptor types with enhanced validation

Type System Utilities:

typescript.ts Enhancements:

• Enhanced LiteralUnion<L, B> for better literal type preservation
• Type utilities supporting the new generic compartment map architecture
• Moved Simplify from tests here (because it's useful dammit)

Enhanced Policy Validation

Policy Validation:

• Unknown canonical name detection with suggestion system
• Cross-reference policy resources against actual compartment contents
• Detailed error reporting with path information for policy issues
• Hook integration for custom policy validation logic

[boneskull]

• Fix:

  Error: ../compartment-mapper/src/policy-format.d.ts(9,76): error TS2304: Cannot find name 'WildcardPolicy'.
  Error: ../compartment-mapper/src/policy-format.d.ts(16,81): error TS2304: Cannot find name 'SomePolicy'.
  

[boneskull]

• policy.test.ts needs further fixes since it breaks prior behaviors.

[naugtur]

This kind of things, at least in my experience with webpack, worked better if aggregated and displayed as a single warning. In a debug mode of sorts they could be used to generate proposed policy fixes.

[boneskull]

This sounds like more work 😄

I could do this, but I think even reporting this at all is going out on a limb (in terms of the overall user-friendliness of @endo/compartment-mapper). I would not be necessarily opposed to expanding this and implementing other friendly improvements, but I don't think they need to be in this PR.

[naugtur]

I'm not sure this is useful, but it could be useful if it allowed altering the descriptor (eg. in case it contain something that was not supported or needed a fix.

[naugtur]

packageDependenciesHook and packageConnectionsHook are similar

I looked at both of these hooks and I think packageConnectionsHook could be replaced with packageDependenciesHook and the main difference is that one of them allows returning a mutated set.
If we could offer the same in digest, we'd have a single hook for both.

[boneskull]

The data from packageDependenciesHook and packageConnectionsHook come from two different types of compartment map, and the latter happens post-digest. I would not want to do this.

[naugtur]

I'm not enjoying there being two flows that are somewhat similar but ultimately distinct. But the solution to that is ultimately not forcing the unification fo the hook, but finding way to split regular flow into steps so that capture was no longer necessary a all.
Can leave this be if you're certain unifying the 2 hooks wouldn't be feasible.
Note that I'm not fond of explaining the details and differences between the two different types of compartment maps to the end user 🙈

[boneskull]

Yeah, I mean, ideally the end user wouldn't need to touch a compartment map.

[naugtur]

@boneskull Why remove the hooks.md with a graph documenting how hooks are reachable from public API? I found it very helpful in understanding how it all goes together.

[naugtur]

LGTM.
Would prefer to keep hooks.md

[boneskull]

@naugtur For some reason I thought that doc was outdated and reflected the old system. If it's not, I'll restore it

UPDATE: I restored it.