Review vat global allowlist configuration #813

@rekmarks

Description

Problem

In packages/ocap-kernel/src/vats/VatSupervisor.ts (lines 299-311), there is a hardcoded allowedGlobals record that controls which globals vats can access:

const allowedGlobals: Record<string, unknown> = {
  Date: globalThis.Date,
};

Vat configs can request globals via globals: string[], and only names present in allowedGlobals are actually injected. This raises some questions worth reviewing.

Questions to resolve

Is Date safe to allow by default?

  • Date gives vats access to wall-clock time. Is this an acceptable capability to make available to any vat that requests it, or should it be considered a privileged capability?
  • Are there security implications of vats being able to observe timing?

How should allowed globals be configured generally?

  • The current allowlist is hardcoded in VatSupervisor.ts. Should this be configurable at a higher level (kernel config, platform config)?
  • What other globals might vats reasonably need (e.g., crypto, TextEncoder, TextDecoder, URL)?
  • Should there be a distinction between "safe" globals (no side effects) and "powerful" globals (I/O, timing)?
  • The current mechanism silently ignores requests for globals not in the allowlist — should it warn or error instead?

Location

  • packages/ocap-kernel/src/vats/VatSupervisor.ts (lines 296-317)
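
As an added illustration of the design space the questions above open up (this is example code, not ocap-kernel's VatSupervisor.ts), the sketch below replaces the hardcoded record with a policy object that (a) tags each allowed global as "safe" or "powerful", (b) withholds powerful globals such as Date unless the vat's policy grants them, and (c) makes the behaviour for non-allowlisted names configurable as ignore, warn or error. The type and function names (GlobalTier, AllowlistPolicy, resolveVatGlobals, DEFAULT_POLICY) are hypothetical, and tagging TextEncoder, TextDecoder and URL as "safe" is an assumption for the example. One detail worth noting for any allowlist keyed by vat-supplied strings: the lookup uses an own-property check, because a plain object lookup of a name like "constructor" or "toString" would otherwise hit Object.prototype and hand the vat an object it was never allowlisted for.

```typescript
// Added example (not ocap-kernel code). Names below are hypothetical.
type GlobalTier = 'safe' | 'powerful';

interface AllowlistPolicy {
  // Names a vat may receive, each tagged with a tier.
  allowed: Record<string, { value: unknown; tier: GlobalTier }>;
  // Whether this vat may receive "powerful" (I/O, timing) globals.
  grantPowerful: boolean;
  // What to do when a vat asks for a name that is not allowlisted.
  onUnknown: 'ignore' | 'warn' | 'error';
}

interface ResolvedGlobals {
  injected: Record<string, unknown>;
  rejected: { name: string; reason: 'unknown' | 'powerful-denied' }[];
  warnings: string[];
}

// Assumed kernel-level default policy, standing in for the hardcoded record.
// Date is tagged "powerful" because it exposes wall-clock time to the vat;
// the "safe" tags on the encoder/decoder/URL entries are an assumption.
const DEFAULT_POLICY: AllowlistPolicy = {
  allowed: {
    TextEncoder: { value: globalThis.TextEncoder, tier: 'safe' },
    TextDecoder: { value: globalThis.TextDecoder, tier: 'safe' },
    URL: { value: globalThis.URL, tier: 'safe' },
    Date: { value: globalThis.Date, tier: 'powerful' },
  },
  grantPowerful: false,
  onUnknown: 'warn',
};

// Resolve a vat's requested globals against a policy. Returns what was
// injected, what was refused and why, and any warnings produced.
function resolveVatGlobals(
  requested: string[],
  policy: AllowlistPolicy = DEFAULT_POLICY,
): ResolvedGlobals {
  const result: ResolvedGlobals = {
    // Null-prototype object so the injected record itself carries no
    // inherited names.
    injected: Object.create(null),
    rejected: [],
    warnings: [],
  };

  for (const name of requested) {
    // Own-property check: a bare `policy.allowed[name]` would resolve
    // "constructor", "toString", etc. via Object.prototype.
    const isAllowlisted = Object.prototype.hasOwnProperty.call(policy.allowed, name);
    if (!isAllowlisted) {
      if (policy.onUnknown === 'error') {
        throw new Error(`vat requested unknown global "${name}"`);
      }
      if (policy.onUnknown === 'warn') {
        result.warnings.push(`ignoring request for unknown global "${name}"`);
      }
      result.rejected.push({ name, reason: 'unknown' });
      continue;
    }

    const entry = policy.allowed[name];
    if (entry.tier === 'powerful' && !policy.grantPowerful) {
      result.rejected.push({ name, reason: 'powerful-denied' });
      continue;
    }
    result.injected[name] = entry.value;
  }
  return result;
}

// Usage: a vat config requesting a mix of safe, powerful and unknown names.
const demo = resolveVatGlobals(['Date', 'URL', 'nope', 'constructor']);
console.log(Object.keys(demo.injected), demo.rejected, demo.warnings);
```

With the default policy the demo call injects only URL, refuses Date as powerful-denied, and refuses "nope" and "constructor" as unknown with a warning for each; switching the policy to grantPowerful: true admits Date, and onUnknown: 'error' turns the silent drop the issue describes into a hard failure at vat setup.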
