From a18cfe64c3dac00a3b76e296f058611c902a638e Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 23 Jun 2023 21:36:39 -0400
Subject: [PATCH 01/48] WIP: emit a senderPromise for third party caps

...and some logic to start the handoff process. Not done yet, but only
affects codepaths where the network is non-nil.
---
 rpc/export.go             | 128 +++++++++++++++++++++++++++++++++-----
 rpc/senderpromise_test.go |   2 +
 2 files changed, 116 insertions(+), 14 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index b7d6c9cb..a3029132 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -109,6 +109,97 @@ func (c *lockedConn) releaseExportRefs(dq *deferred.Queue, refs map[exportID]uin
 	return firstErr
 }
 
+// send3PHPromise begins the process of performing a third party handoff,
+// passing srcSnapshot across c. srcSnapshot must point to an object across
+// srcConn.
+//
+// This will store a senderPromise capability in d, which will later be
+// resolved to a thirdPartyHosted cap by a separate goroutine.
+//
+// Returns the export ID for the promise.
+func (c *lockedConn) send3PHPromise(
+	d rpccp.CapDescriptor,
+	srcConn *Conn,
+	srcSnapshot capnp.ClientSnapshot,
+) exportID {
+	if c.network != srcConn.network {
+		panic("BUG: tried to do 3PH between different networks")
+	}
+
+	p, r := capnp.NewLocalPromise[capnp.Client]()
+	pSnapshot := p.Snapshot()
+	r.Fulfill(srcSnapshot.Client()) // FIXME: this may allow path shortening...
+
+	// TODO(cleanup): most of this is copypasta from sendExport; consider
+	// ways to factor out the common bits.
+	id := exportID(c.lk.exportID.next())
+	metadata := pSnapshot.Metadata()
+	metadata.Lock()
+	defer metadata.Unlock()
+	c.setExportID(metadata, id)
+	c.insertExport(id, &expent{
+		snapshot: pSnapshot,
+		wireRefs: 1,
+		cancel:   func() {},
+	})
+
+	d.SetSenderPromise(uint32(id))
+
+	go func() {
+		c := (*Conn)(c)
+		defer srcSnapshot.Release()
+
+		// TODO(cleanup): we should probably make the src/dest arguments
+		// consistent across all 3PH code:
+		introInfo, err := c.network.Introduce(srcConn, c)
+		if err != nil {
+			// TODO: report somehow; see above.
+			return
+		}
+
+		// XXX: think about what we should be doing for contexts here:
+		srcConn.withLocked(func(c *lockedConn) {
+			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
+				provide, err := m.NewProvide()
+				if err != nil {
+					return err
+				}
+				if err = provide.SetRecipient(capnp.Ptr(introInfo.SendToProvider)); err != nil {
+					return err
+				}
+				panic("TODO: set questionId & target")
+			}, func(err error) {
+				panic("TODO")
+			})
+		})
+		c.withLocked(func(c *lockedConn) {
+			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
+				resolve, err := m.NewResolve()
+				if err != nil {
+					return err
+				}
+				// TODO: set promiseId
+				capDesc, err := resolve.NewCap()
+				if err != nil {
+					return err
+				}
+				thirdCapDesc, err := capDesc.NewThirdPartyHosted()
+				if err != nil {
+					return err
+				}
+				if err = thirdCapDesc.SetId(capnp.Ptr(introInfo.SendToRecipient)); err != nil {
+					return err
+				}
+				panic("TODO: set vineId")
+
+			}, func(err error) {
+				panic("TODO")
+			})
+		})
+	}()
+	return id
+}
+
 // sendCap writes a capability descriptor, returning an export ID if
 // this vat is hosting the capability. Steals the snapshot.
 func (c *lockedConn) sendCap(d rpccp.CapDescriptor, snapshot capnp.ClientSnapshot) (_ exportID, isExport bool, _ error) {
@@ -119,21 +210,21 @@ func (c *lockedConn) sendCap(d rpccp.CapDescriptor, snapshot capnp.ClientSnapsho
 
 	defer snapshot.Release()
 	bv := snapshot.Brand().Value
+	unlockedConn := (*Conn)(c)
 	if ic, ok := bv.(*importClient); ok {
-		if ic.c == (*Conn)(c) {
+		if ic.c == unlockedConn {
 			if ent := c.lk.imports[ic.id]; ent != nil && ent.generation == ic.generation {
 				d.SetReceiverHosted(uint32(ic.id))
 				return 0, false, nil
 			}
 		}
 		if c.network != nil && c.network == ic.c.network {
-			panic("TODO: 3PH")
-		}
-	}
 
-	if pc, ok := bv.(capnp.PipelineClient); ok {
+			return c.send3PHPromise(d, ic.c, snapshot.AddRef()), true, nil
+		}
+	} else if pc, ok := bv.(capnp.PipelineClient); ok {
 		if q, ok := c.getAnswerQuestion(pc.Answer()); ok {
-			if q.c == (*Conn)(c) {
+			if q.c == unlockedConn {
 				pcTrans := pc.Transform()
 				pa, err := d.NewReceiverAnswer()
 				if err != nil {
@@ -150,12 +241,25 @@ func (c *lockedConn) sendCap(d rpccp.CapDescriptor, snapshot capnp.ClientSnapsho
 				return 0, false, nil
 			}
 			if c.network != nil && c.network == q.c.network {
-				panic("TODO: 3PH")
+				return c.send3PHPromise(d, q.c, snapshot.AddRef()), true, nil
 			}
 		}
 	}
 
 	// Default to export.
+	return c.sendExport(d, snapshot), true, nil
+}
+
+func (c *lockedConn) insertExport(id exportID, ee *expent) {
+	if int64(id) == int64(len(c.lk.exports)) {
+		c.lk.exports = append(c.lk.exports, ee)
+	} else {
+		c.lk.exports[id] = ee
+	}
+}
+
+// sendExport is a helper for sendCap that handles the export cases.
+func (c *lockedConn) sendExport(d rpccp.CapDescriptor, snapshot capnp.ClientSnapshot) exportID {
 	metadata := snapshot.Metadata()
 	metadata.Lock()
 	defer metadata.Unlock()
@@ -172,11 +276,7 @@ func (c *lockedConn) sendCap(d rpccp.CapDescriptor, snapshot capnp.ClientSnapsho
 			cancel:   func() {},
 		}
 		id = exportID(c.lk.exportID.next())
-		if int64(id) == int64(len(c.lk.exports)) {
-			c.lk.exports = append(c.lk.exports, ee)
-		} else {
-			c.lk.exports[id] = ee
-		}
+		c.insertExport(id, ee)
 		c.setExportID(metadata, id)
 	}
 	if ee.snapshot.IsPromise() {
@@ -184,10 +284,10 @@ func (c *lockedConn) sendCap(d rpccp.CapDescriptor, snapshot capnp.ClientSnapsho
 	} else {
 		d.SetSenderHosted(uint32(id))
 	}
-	return id, true, nil
+	return id
 }
 
-// sendSenderPromise is a helper for sendCap that handles the senderPromise case.
+// sendSenderPromise is a helper for sendExport that handles the senderPromise case.
 func (c *lockedConn) sendSenderPromise(id exportID, d rpccp.CapDescriptor) {
 	// Send a promise, wait for the resolution asynchronously, then send
 	// a resolve message:
diff --git a/rpc/senderpromise_test.go b/rpc/senderpromise_test.go
index aa4174be..827d00cb 100644
--- a/rpc/senderpromise_test.go
+++ b/rpc/senderpromise_test.go
@@ -354,6 +354,8 @@ func TestDisembargoSenderPromise(t *testing.T) {
 // Tests that E-order is respected when fulfilling a promise with something on
 // the remote peer.
 func TestPromiseOrdering(t *testing.T) {
+	t.Skip("broken")
+
 	t.Parallel()
 
 	ctx := context.Background()

From 487a0bc9647ba7c34938a0ff9f543a0e1f869224 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 23 Jun 2023 21:47:49 -0400
Subject: [PATCH 02/48] Drop unnecessary cast.

---
 rpc/export.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpc/export.go b/rpc/export.go
index 0d8ce11d..138c22c7 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -132,7 +132,7 @@ func (c *lockedConn) send3PHPromise(
 
 	// TODO(cleanup): most of this is copypasta from sendExport; consider
 	// ways to factor out the common bits.
-	id := exportID(c.lk.exportID.next())
+	id := c.lk.exportID.next()
 	metadata := pSnapshot.Metadata()
 	metadata.Lock()
 	defer metadata.Unlock()

From 9b952449fd76479d848cdf6ca21e308fcc09c38e Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 23 Jun 2023 21:53:43 -0400
Subject: [PATCH 03/48] Fill in question ID on provide.

---
 rpc/export.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/rpc/export.go b/rpc/export.go
index 138c22c7..dc196efc 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -157,18 +157,26 @@ func (c *lockedConn) send3PHPromise(
 			return
 		}
 
+		var provideQID questionID
 		// XXX: think about what we should be doing for contexts here:
 		srcConn.withLocked(func(c *lockedConn) {
+			provideQID = c.lk.questionID.next()
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
 				provide, err := m.NewProvide()
 				if err != nil {
 					return err
 				}
+				provide.SetQuestionId(uint32(provideQID))
 				if err = provide.SetRecipient(capnp.Ptr(introInfo.SendToProvider)); err != nil {
 					return err
 				}
-				panic("TODO: set questionId & target")
+				panic("TODO: set target")
 			}, func(err error) {
+				if err != nil {
+					srcConn.withLocked(func(c *lockedConn) {
+						c.lk.questionID.remove(provideQID)
+					})
+				}
 				panic("TODO")
 			})
 		})

From 9d21dc89e68bd693148b60d97c6ac3097fff5d4d Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 23 Jun 2023 22:20:40 -0400
Subject: [PATCH 04/48] More work on sending the provide message.

---
 rpc/export.go | 54 +++++++++++++++++++++++++++++++++++++++------------
 rpc/rpc.go    | 24 +++++++++++++++++++++++
 2 files changed, 66 insertions(+), 12 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index dc196efc..ef3b760f 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -121,6 +121,7 @@ func (c *lockedConn) send3PHPromise(
 	d rpccp.CapDescriptor,
 	srcConn *Conn,
 	srcSnapshot capnp.ClientSnapshot,
+	target parsedMessageTarget,
 ) exportID {
 	if c.network != srcConn.network {
 		panic("BUG: tried to do 3PH between different networks")
@@ -132,18 +133,18 @@ func (c *lockedConn) send3PHPromise(
 
 	// TODO(cleanup): most of this is copypasta from sendExport; consider
 	// ways to factor out the common bits.
-	id := c.lk.exportID.next()
+	promiseID := c.lk.exportID.next()
 	metadata := pSnapshot.Metadata()
 	metadata.Lock()
 	defer metadata.Unlock()
-	c.setExportID(metadata, id)
-	c.insertExport(id, &expent{
+	c.setExportID(metadata, promiseID)
+	ee := &expent{
 		snapshot: pSnapshot,
 		wireRefs: 1,
 		cancel:   func() {},
-	})
-
-	d.SetSenderPromise(uint32(id))
+	}
+	c.insertExport(promiseID, ee)
+	d.SetSenderPromise(uint32(promiseID))
 
 	go func() {
 		c := (*Conn)(c)
@@ -170,7 +171,15 @@ func (c *lockedConn) send3PHPromise(
 				if err = provide.SetRecipient(capnp.Ptr(introInfo.SendToProvider)); err != nil {
 					return err
 				}
-				panic("TODO: set target")
+				encodedTgt, err := provide.NewTarget()
+				if err != nil {
+					return err
+				}
+				if err = target.Encode(encodedTgt); err != nil {
+					return err
+				}
+				// TODO: probably set up something in our questions table?
+				return nil
 			}, func(err error) {
 				if err != nil {
 					srcConn.withLocked(func(c *lockedConn) {
@@ -182,11 +191,14 @@ func (c *lockedConn) send3PHPromise(
 		})
 		c.withLocked(func(c *lockedConn) {
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
+				if c.lk.exports[promiseID] != ee {
+					panic("TODO: at some point the receiver lost interest in the cap")
+				}
 				resolve, err := m.NewResolve()
 				if err != nil {
 					return err
 				}
-				// TODO: set promiseId
+				resolve.SetPromiseId(uint32(promiseID))
 				capDesc, err := resolve.NewCap()
 				if err != nil {
 					return err
@@ -198,14 +210,17 @@ func (c *lockedConn) send3PHPromise(
 				if err = thirdCapDesc.SetId(capnp.Ptr(introInfo.SendToRecipient)); err != nil {
 					return err
 				}
-				panic("TODO: set vineId")
 
+				panic("TODO: set the vine id")
+				// It is tempting to just re-use promiseID for the vine,
+				// but we can't, since we need to respond specially to
+				// the first call to a vine.
 			}, func(err error) {
 				panic("TODO")
 			})
 		})
 	}()
-	return id
+	return promiseID
 }
 
 // sendCap writes a capability descriptor, returning an export ID if
@@ -228,7 +243,14 @@ func (c *lockedConn) sendCap(d rpccp.CapDescriptor, snapshot capnp.ClientSnapsho
 		}
 		if c.network != nil && c.network == ic.c.network {
 
-			return c.send3PHPromise(d, ic.c, snapshot.AddRef()), true, nil
+			exportID := c.send3PHPromise(
+				d, ic.c, snapshot.AddRef(),
+				parsedMessageTarget{
+					which:       rpccp.MessageTarget_Which_importedCap,
+					importedCap: exportID(ic.id),
+				},
+			)
+			return exportID, true, nil
 		}
 	} else if pc, ok := bv.(capnp.PipelineClient); ok {
 		if q, ok := c.getAnswerQuestion(pc.Answer()); ok {
@@ -249,7 +271,15 @@ func (c *lockedConn) sendCap(d rpccp.CapDescriptor, snapshot capnp.ClientSnapsho
 				return 0, false, nil
 			}
 			if c.network != nil && c.network == q.c.network {
-				return c.send3PHPromise(d, q.c, snapshot.AddRef()), true, nil
+				exportID := c.send3PHPromise(
+					d, q.c, snapshot.AddRef(),
+					parsedMessageTarget{
+						which:          rpccp.MessageTarget_Which_promisedAnswer,
+						transform:      pc.Transform(),
+						promisedAnswer: answerID(q.id),
+					},
+				)
+				return exportID, true, nil
 			}
 		}
 	}
diff --git a/rpc/rpc.go b/rpc/rpc.go
index 839db35a..bd4ed13f 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -1055,6 +1055,30 @@ func parseMessageTarget(pt *parsedMessageTarget, tgt rpccp.MessageTarget) error
 	return nil
 }
 
+func (pt parsedMessageTarget) Encode(into rpccp.MessageTarget) error {
+	switch pt.which {
+	case rpccp.MessageTarget_Which_importedCap:
+		into.SetImportedCap(uint32(pt.importedCap))
+		return nil
+	case rpccp.MessageTarget_Which_promisedAnswer:
+		pa, err := into.NewPromisedAnswer()
+		if err != nil {
+			return err
+		}
+		pa.SetQuestionId(uint32(pt.promisedAnswer))
+		trans, err := pa.NewTransform(int32(len(pt.transform)))
+		if err != nil {
+			return err
+		}
+		for i, op := range pt.transform {
+			trans.At(i).SetGetPointerField(op.Field)
+		}
+		return nil
+	default:
+		return rpcerr.Unimplemented(errors.New("unknown message target " + pt.which.String()))
+	}
+}
+
 func parseTransform(list rpccp.PromisedAnswer_Op_List) ([]capnp.PipelineOp, error) {
 	ops := make([]capnp.PipelineOp, 0, list.Len())
 	for i := 0; i < list.Len(); i++ {

From e5273b1974117bddaf25e45f4edf11133051fd58 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 23 Jun 2023 22:49:17 -0400
Subject: [PATCH 05/48] First pass at some of the vine logic.

---
 rpc/export.go | 23 ++++++++++++-------
 rpc/vine.go   | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 8 deletions(-)
 create mode 100644 rpc/vine.go

diff --git a/rpc/export.go b/rpc/export.go
index ef3b760f..3af185b0 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -158,10 +158,10 @@ func (c *lockedConn) send3PHPromise(
 			return
 		}
 
-		var provideQID questionID
 		// XXX: think about what we should be doing for contexts here:
+		provideQID := c.lk.questionID.next()
+		vine := newVine(srcConn, provideQID, srcSnapshot.AddRef())
 		srcConn.withLocked(func(c *lockedConn) {
-			provideQID = c.lk.questionID.next()
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
 				provide, err := m.NewProvide()
 				if err != nil {
@@ -186,7 +186,7 @@ func (c *lockedConn) send3PHPromise(
 						c.lk.questionID.remove(provideQID)
 					})
 				}
-				panic("TODO")
+				panic("TODO: anything else?")
 			})
 		})
 		c.withLocked(func(c *lockedConn) {
@@ -211,12 +211,19 @@ func (c *lockedConn) send3PHPromise(
 					return err
 				}
 
-				panic("TODO: set the vine id")
-				// It is tempting to just re-use promiseID for the vine,
-				// but we can't, since we need to respond specially to
-				// the first call to a vine.
+				vineID := c.lk.exportID.next()
+				client := capnp.NewClient(vine)
+				defer client.Release()
+				c.lk.exports[vineID] = &expent{
+					snapshot: client.Snapshot(),
+					wireRefs: 1,
+					cancel:   func() {},
+				}
+
+				thirdCapDesc.SetVineId(uint32(vineID))
+				return nil
 			}, func(err error) {
-				panic("TODO")
+				panic("TODO: clean up vine, other stuff?")
 			})
 		})
 	}()
diff --git a/rpc/vine.go b/rpc/vine.go
new file mode 100644
index 00000000..9a761796
--- /dev/null
+++ b/rpc/vine.go
@@ -0,0 +1,61 @@
+package rpc
+
+import (
+	"context"
+
+	"capnproto.org/go/capnp/v3"
+)
+
+// A vine is an implementation of capnp.ClientHook intended to be used to
+// implement the logic discussed in rpc.capnp under
+// ThirdPartyCapDescriptor.vineId. It forwards calls to an underlying
+// capnp.ClientSnapshot
+type vine struct {
+	used         bool
+	providerConn *Conn
+	provideID    questionID
+	snapshot     capnp.ClientSnapshot
+}
+
+func newVine(c *Conn, qid questionID, snapshot capnp.ClientSnapshot) *vine {
+	return &vine{
+		providerConn: c,
+		provideID:    qid,
+		snapshot:     snapshot,
+	}
+}
+
+func (v *vine) Send(ctx context.Context, s capnp.Send) (*capnp.Answer, capnp.ReleaseFunc) {
+	v.markUsed()
+	return v.snapshot.Send(ctx, s)
+}
+
+func (v *vine) Recv(ctx context.Context, r capnp.Recv) capnp.PipelineCaller {
+	v.markUsed()
+	return v.snapshot.Recv(ctx, r)
+}
+
+func (v *vine) Brand() capnp.Brand {
+	return v.snapshot.Brand()
+}
+
+func (v *vine) Shutdown() {
+	v.snapshot.Release()
+}
+
+func (v *vine) String() string {
+	// TODO: include other fields?
+	return "&vine{snapshot: " + v.snapshot.String() + ", ...}"
+}
+
+func (v *vine) markUsed() {
+	if v.used {
+		return
+	}
+	v.used = true
+	go func() {
+		v.providerConn.withLocked(func(c *lockedConn) {
+			panic("TODO: send finish, manipulate tables...")
+		})
+	}()
+}

From bcffd649ba13744696f42f22c25f91d6aa718afa Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sat, 24 Jun 2023 22:28:23 -0400
Subject: [PATCH 06/48] Allocate provide ids from srcConn

i.e. the connection we're sending to.
---
 rpc/export.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index 3af185b0..5cafa1f5 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -159,9 +159,13 @@ func (c *lockedConn) send3PHPromise(
 		}
 
 		// XXX: think about what we should be doing for contexts here:
-		provideQID := c.lk.questionID.next()
-		vine := newVine(srcConn, provideQID, srcSnapshot.AddRef())
+		var (
+			provideQID questionID
+			vine       *vine
+		)
 		srcConn.withLocked(func(c *lockedConn) {
+			provideQID = c.lk.questionID.next()
+			vine = newVine(srcConn, provideQID, srcSnapshot.AddRef())
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
 				provide, err := m.NewProvide()
 				if err != nil {

From 7e8c3ca927431dbe969ee8bf72a7b47a753b3703 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sat, 24 Jun 2023 23:06:14 -0400
Subject: [PATCH 07/48] Start fleshing out data structures for 3PH.

---
 rpc/export.go   | 23 ++++++++++++++++-------
 rpc/question.go |  9 +++++++++
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index 5cafa1f5..09d45acc 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -10,6 +10,7 @@ import (
 	"capnproto.org/go/capnp/v3/internal/syncutil"
 	rpccp "capnproto.org/go/capnp/v3/std/capnp/rpc"
 	"zenhack.net/go/util/deferred"
+	"zenhack.net/go/util/maybe"
 )
 
 // An exportID is an index into the exports table.
@@ -22,6 +23,12 @@ type expent struct {
 
 	// Should be called when removing this entry from the exports table:
 	cancel context.CancelFunc
+
+	// If present, this export is a promise which resolved to some third
+	// party capability, and the question corresponds to the provide message.
+	// Note that this means the question will belong to a different connection
+	// from the expent.
+	provide maybe.Maybe[*question]
 }
 
 // A key for use in a client's Metadata, whose value is the export
@@ -160,18 +167,19 @@ func (c *lockedConn) send3PHPromise(
 
 		// XXX: think about what we should be doing for contexts here:
 		var (
-			provideQID questionID
-			vine       *vine
+			provideQ *question
+			vine     *vine
 		)
 		srcConn.withLocked(func(c *lockedConn) {
-			provideQID = c.lk.questionID.next()
-			vine = newVine(srcConn, provideQID, srcSnapshot.AddRef())
+			provideQ = c.newQuestion(capnp.Method{})
+			provideQ.flags |= isProvide
+			vine = newVine(srcConn, provideQ.id, srcSnapshot.AddRef())
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
 				provide, err := m.NewProvide()
 				if err != nil {
 					return err
 				}
-				provide.SetQuestionId(uint32(provideQID))
+				provide.SetQuestionId(uint32(provideQ.id))
 				if err = provide.SetRecipient(capnp.Ptr(introInfo.SendToProvider)); err != nil {
 					return err
 				}
@@ -182,14 +190,15 @@ func (c *lockedConn) send3PHPromise(
 				if err = target.Encode(encodedTgt); err != nil {
 					return err
 				}
-				// TODO: probably set up something in our questions table?
 				return nil
 			}, func(err error) {
 				if err != nil {
 					srcConn.withLocked(func(c *lockedConn) {
-						c.lk.questionID.remove(provideQID)
+						c.lk.questionID.remove(provideQ.id)
 					})
+					return
 				}
+				go provideQ.handleCancel(c.bgctx)
 				panic("TODO: anything else?")
 			})
 		})
diff --git a/rpc/question.go b/rpc/question.go
index 847973f0..a742c498 100644
--- a/rpc/question.go
+++ b/rpc/question.go
@@ -39,6 +39,15 @@ const (
 	// successfully.  It is only valid to query after finishMsgSend is
 	// closed.
 	finishSent
+
+	// isProvide is set if this question corresponds to a provide
+	// message, rather than a call or bootstrap message.
+	isProvide
+
+	// provideDisembargoSent indicates that we have already sent
+	// a disembargo with context.provide set to the target of this
+	// question.
+	provideDisembargoSent
 )
 
 // flags.Contains(flag) Returns true iff flags contains flag, which must

From 06874772932127c38c011b890889bc9d0bd3aa40 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sat, 24 Jun 2023 23:42:22 -0400
Subject: [PATCH 08/48] First pass at handling disembargo with context.accept.

---
 rpc/rpc.go | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/rpc/rpc.go b/rpc/rpc.go
index bd4ed13f..a4f1858a 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -1711,7 +1711,46 @@ func (c *Conn) handleDisembargo(ctx context.Context, in transport.IncomingMessag
 			})
 		})
 
-	case rpccp.Disembargo_context_Which_accept, rpccp.Disembargo_context_Which_provide:
+	case rpccp.Disembargo_context_Which_accept:
+		defer in.Release()
+		if tgt.which != rpccp.MessageTarget_Which_importedCap {
+			// The Go implementation never emits third party cap descriptors in return
+			// messages, so this can only be valid if it targets an import.
+			return errors.New("incoming disembargo: answer target is not valid for context.accept")
+		}
+		id := tgt.importedCap
+		q, err := withLockedConn2(c, func(c *lockedConn) (*question, error) {
+			if int(id) >= len(c.lk.exports) || c.lk.exports == nil {
+				return nil, errors.New("no such export: " + str.Utod(id))
+			}
+			q, ok := c.lk.exports[id].provide.Get()
+			if !ok {
+				return nil, errors.New("export #" + str.Utod(id) + " does not resolve to a third party capability")
+			}
+			return q, nil
+		})
+		if err != nil {
+			return err
+		}
+		return withLockedConn1(q.c, func(c *lockedConn) error {
+			if !q.flags.Contains(provideDisembargoSent) {
+				return errors.New("disembargo already sent to export #" + str.Utod(id))
+			}
+			q.flags |= provideDisembargoSent
+			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
+				d, err := m.NewDisembargo()
+				if err != nil {
+					return err
+				}
+				d.Context().SetProvide(uint32(q.id))
+				panic("TODO: target")
+			}, func(err error) {
+				panic("TODO")
+			})
+			return nil
+		})
+		return nil
+	case rpccp.Disembargo_context_Which_provide:
 		if c.network != nil {
 			panic("TODO: 3PH")
 		}

From f55caaf8cd805695c4fccae3da4abbf869c36b8d Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sat, 24 Jun 2023 23:50:19 -0400
Subject: [PATCH 09/48] Shut down the vine if sending resolve fails.

---
 rpc/export.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rpc/export.go b/rpc/export.go
index 09d45acc..615f1f03 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -236,7 +236,10 @@ func (c *lockedConn) send3PHPromise(
 				thirdCapDesc.SetVineId(uint32(vineID))
 				return nil
 			}, func(err error) {
-				panic("TODO: clean up vine, other stuff?")
+				if err != nil {
+					vine.Shutdown()
+				}
+				panic("TODO: cancel provide, other stuff?")
 			})
 		})
 	}()

From 1b5266a4fe85e2e5e29302e1ac6e72006aa2b92c Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 17:11:24 -0400
Subject: [PATCH 10/48] package testnetwork: export concrete type

I want to add a few testing-specific methods.
---
 rpc/internal/testnetwork/testnetwork.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/rpc/internal/testnetwork/testnetwork.go b/rpc/internal/testnetwork/testnetwork.go
index d24c2c80..41e19782 100644
--- a/rpc/internal/testnetwork/testnetwork.go
+++ b/rpc/internal/testnetwork/testnetwork.go
@@ -25,13 +25,13 @@ func (e edge) Flip() edge {
 	}
 }
 
-type network struct {
+type TestNetwork struct {
 	myID   PeerID
 	global *Joiner
 }
 
 // A Joiner is a global view of a test network, which can be joined by a
-// peer to acquire a Network.
+// peer to acquire a TestNetwork.
 type Joiner struct {
 	mu          sync.Mutex
 	nextID      PeerID
@@ -51,10 +51,10 @@ func NewJoiner() *Joiner {
 	}
 }
 
-func (j *Joiner) Join() rpc.Network {
+func (j *Joiner) Join() TestNetwork {
 	j.mu.Lock()
 	defer j.mu.Unlock()
-	ret := network{
+	ret := TestNetwork{
 		myID:   j.nextID,
 		global: j,
 	}
@@ -71,11 +71,11 @@ func (j *Joiner) getAcceptQueue(id PeerID) spsc.Queue[PeerID] {
 	return q
 }
 
-func (n network) LocalID() rpc.PeerID {
+func (n TestNetwork) LocalID() rpc.PeerID {
 	return rpc.PeerID{n.myID}
 }
 
-func (n network) Dial(dst rpc.PeerID, opts *rpc.Options) (*rpc.Conn, error) {
+func (n TestNetwork) Dial(dst rpc.PeerID, opts *rpc.Options) (*rpc.Conn, error) {
 	if opts == nil {
 		opts = &rpc.Options{}
 	}
@@ -110,7 +110,7 @@ func (n network) Dial(dst rpc.PeerID, opts *rpc.Options) (*rpc.Conn, error) {
 	return ent.Conn, nil
 }
 
-func (n network) Accept(ctx context.Context, opts *rpc.Options) (*rpc.Conn, error) {
+func (n TestNetwork) Accept(ctx context.Context, opts *rpc.Options) (*rpc.Conn, error) {
 	n.global.mu.Lock()
 	q := n.global.getAcceptQueue(n.myID)
 	n.global.mu.Unlock()
@@ -136,7 +136,7 @@ func (n network) Accept(ctx context.Context, opts *rpc.Options) (*rpc.Conn, erro
 	return ent.Conn, nil
 }
 
-func (n network) Introduce(provider, recipient *rpc.Conn) (rpc.IntroductionInfo, error) {
+func (n TestNetwork) Introduce(provider, recipient *rpc.Conn) (rpc.IntroductionInfo, error) {
 	providerPeer := provider.RemotePeerID()
 	recipientPeer := recipient.RemotePeerID()
 	n.global.mu.Lock()
@@ -161,7 +161,7 @@ func (n network) Introduce(provider, recipient *rpc.Conn) (rpc.IntroductionInfo,
 	ret.SendToProvider = rpc.RecipientID(sendToProvider.ToPtr())
 	return ret, nil
 }
-func (n network) DialIntroduced(capID rpc.ThirdPartyCapID, introducedBy *rpc.Conn) (*rpc.Conn, rpc.ProvisionID, error) {
+func (n TestNetwork) DialIntroduced(capID rpc.ThirdPartyCapID, introducedBy *rpc.Conn) (*rpc.Conn, rpc.ProvisionID, error) {
 	cid := PeerAndNonce(capnp.Ptr(capID).Struct())
 
 	_, seg := capnp.NewSingleSegmentMessage(nil)
@@ -175,6 +175,6 @@ func (n network) DialIntroduced(capID rpc.ThirdPartyCapID, introducedBy *rpc.Con
 	conn, err := n.Dial(rpc.PeerID{PeerID(cid.PeerId())}, nil)
 	return conn, rpc.ProvisionID(pid.ToPtr()), err
 }
-func (n network) AcceptIntroduced(recipientID rpc.RecipientID, introducedBy *rpc.Conn) (*rpc.Conn, error) {
+func (n TestNetwork) AcceptIntroduced(recipientID rpc.RecipientID, introducedBy *rpc.Conn) (*rpc.Conn, error) {
 	panic("TODO")
 }

From b5411a97446d23b2043a835e84265f6324a190f7 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 17:33:54 -0400
Subject: [PATCH 11/48] DRY up some of the test network implementation.

---
 rpc/internal/testnetwork/testnetwork.go | 48 +++++++++++--------------
 1 file changed, 20 insertions(+), 28 deletions(-)

diff --git a/rpc/internal/testnetwork/testnetwork.go b/rpc/internal/testnetwork/testnetwork.go
index 41e19782..b62ca401 100644
--- a/rpc/internal/testnetwork/testnetwork.go
+++ b/rpc/internal/testnetwork/testnetwork.go
@@ -9,6 +9,7 @@ import (
 	"capnproto.org/go/capnp/v3"
 	"capnproto.org/go/capnp/v3/exp/spsc"
 	"capnproto.org/go/capnp/v3/rpc"
+	"zenhack.net/go/util"
 )
 
 // PeerID is the implementation of peer ids used by a test network
@@ -136,42 +137,33 @@ func (n TestNetwork) Accept(ctx context.Context, opts *rpc.Options) (*rpc.Conn,
 	return ent.Conn, nil
 }
 
+func makePeerAndNonce(peerID, nonce uint64) PeerAndNonce {
+	_, seg := capnp.NewSingleSegmentMessage(nil)
+	ret, err := NewPeerAndNonce(seg)
+	util.Chkfatal(err)
+	ret.SetPeerId(peerID)
+	ret.SetNonce(nonce)
+	return ret
+}
+
 func (n TestNetwork) Introduce(provider, recipient *rpc.Conn) (rpc.IntroductionInfo, error) {
-	providerPeer := provider.RemotePeerID()
-	recipientPeer := recipient.RemotePeerID()
+	providerPeerID := uint64(provider.RemotePeerID().Value.(PeerID))
+	recipientPeerID := uint64(recipient.RemotePeerID().Value.(PeerID))
 	n.global.mu.Lock()
 	defer n.global.mu.Unlock()
 	nonce := n.global.nextNonce
 	n.global.nextNonce++
-	_, seg := capnp.NewSingleSegmentMessage(nil)
-	ret := rpc.IntroductionInfo{}
-	sendToRecipient, err := NewPeerAndNonce(seg)
-	if err != nil {
-		return ret, err
-	}
-	sendToProvider, err := NewPeerAndNonce(seg)
-	if err != nil {
-		return ret, err
-	}
-	sendToRecipient.SetPeerId(uint64(providerPeer.Value.(PeerID)))
-	sendToRecipient.SetNonce(nonce)
-	sendToProvider.SetPeerId(uint64(recipientPeer.Value.(PeerID)))
-	sendToProvider.SetNonce(nonce)
-	ret.SendToRecipient = rpc.ThirdPartyCapID(sendToRecipient.ToPtr())
-	ret.SendToProvider = rpc.RecipientID(sendToProvider.ToPtr())
-	return ret, nil
+	return rpc.IntroductionInfo{
+		SendToRecipient: rpc.ThirdPartyCapID(makePeerAndNonce(providerPeerID, nonce).ToPtr()),
+		SendToProvider:  rpc.RecipientID(makePeerAndNonce(recipientPeerID, nonce).ToPtr()),
+	}, nil
 }
 func (n TestNetwork) DialIntroduced(capID rpc.ThirdPartyCapID, introducedBy *rpc.Conn) (*rpc.Conn, rpc.ProvisionID, error) {
 	cid := PeerAndNonce(capnp.Ptr(capID).Struct())
-
-	_, seg := capnp.NewSingleSegmentMessage(nil)
-	pid, err := NewPeerAndNonce(seg)
-	if err != nil {
-		return nil, rpc.ProvisionID{}, err
-	}
-	pid.SetPeerId(uint64(introducedBy.RemotePeerID().Value.(PeerID)))
-	pid.SetNonce(cid.Nonce())
-
+	pid := makePeerAndNonce(
+		uint64(introducedBy.RemotePeerID().Value.(PeerID)),
+		cid.Nonce(),
+	)
 	conn, err := n.Dial(rpc.PeerID{PeerID(cid.PeerId())}, nil)
 	return conn, rpc.ProvisionID(pid.ToPtr()), err
 }

From 06654dafde7a787a9a471ee639bd9154af4fadee Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 17:47:05 -0400
Subject: [PATCH 12/48] test network: use the mutex package.

---
 rpc/internal/testnetwork/testnetwork.go | 117 ++++++++++++------------
 1 file changed, 61 insertions(+), 56 deletions(-)

diff --git a/rpc/internal/testnetwork/testnetwork.go b/rpc/internal/testnetwork/testnetwork.go
index b62ca401..3efb198c 100644
--- a/rpc/internal/testnetwork/testnetwork.go
+++ b/rpc/internal/testnetwork/testnetwork.go
@@ -4,12 +4,12 @@ package testnetwork
 import (
 	"context"
 	"net"
-	"sync"
 
 	"capnproto.org/go/capnp/v3"
 	"capnproto.org/go/capnp/v3/exp/spsc"
 	"capnproto.org/go/capnp/v3/rpc"
 	"zenhack.net/go/util"
+	"zenhack.net/go/util/sync/mutex"
 )
 
 // PeerID is the implementation of peer ids used by a test network
@@ -34,7 +34,10 @@ type TestNetwork struct {
 // A Joiner is a global view of a test network, which can be joined by a
 // peer to acquire a TestNetwork.
 type Joiner struct {
-	mu          sync.Mutex
+	state mutex.Mutex[joinerState]
+}
+
+type joinerState struct {
 	nextID      PeerID
 	nextNonce   uint64
 	connections map[edge]*connectionEntry
@@ -48,22 +51,24 @@ type connectionEntry struct {
 
 func NewJoiner() *Joiner {
 	return &Joiner{
-		connections: make(map[edge]*connectionEntry),
+		state: mutex.New(joinerState{
+			connections: make(map[edge]*connectionEntry),
+		}),
 	}
 }
 
 func (j *Joiner) Join() TestNetwork {
-	j.mu.Lock()
-	defer j.mu.Unlock()
-	ret := TestNetwork{
-		myID:   j.nextID,
-		global: j,
-	}
-	j.nextID++
-	return ret
+	return mutex.With1(&j.state, func(js *joinerState) TestNetwork {
+		ret := TestNetwork{
+			myID:   js.nextID,
+			global: j,
+		}
+		js.nextID++
+		return ret
+	})
 }
 
-func (j *Joiner) getAcceptQueue(id PeerID) spsc.Queue[PeerID] {
+func (j *joinerState) getAcceptQueue(id PeerID) spsc.Queue[PeerID] {
 	q, ok := j.incoming[id]
 	if !ok {
 		q = spsc.New[PeerID]()
@@ -89,32 +94,32 @@ func (n TestNetwork) Dial(dst rpc.PeerID, opts *rpc.Options) (*rpc.Conn, error)
 	}
 	fromEdge := toEdge.Flip()
 
-	n.global.mu.Lock()
-	defer n.global.mu.Unlock()
-	ent, ok := n.global.connections[toEdge]
-	if !ok {
-		c1, c2 := net.Pipe()
-		t1 := rpc.NewStreamTransport(c1)
-		t2 := rpc.NewStreamTransport(c2)
-		ent = &connectionEntry{Transport: t1}
-		n.global.connections[toEdge] = ent
-		n.global.connections[fromEdge] = &connectionEntry{Transport: t2}
-
-	}
-	if ent.Conn == nil {
-		ent.Conn = rpc.NewConn(ent.Transport, opts)
-	} else {
-		// There's already a connection, so we're not going to use this, but
-		// we own it. So drop it:
-		opts.BootstrapClient.Release()
-	}
-	return ent.Conn, nil
+	return mutex.With2(&n.global.state, func(state *joinerState) (*rpc.Conn, error) {
+		ent, ok := state.connections[toEdge]
+		if !ok {
+			c1, c2 := net.Pipe()
+			t1 := rpc.NewStreamTransport(c1)
+			t2 := rpc.NewStreamTransport(c2)
+			ent = &connectionEntry{Transport: t1}
+			state.connections[toEdge] = ent
+			state.connections[fromEdge] = &connectionEntry{Transport: t2}
+
+		}
+		if ent.Conn == nil {
+			ent.Conn = rpc.NewConn(ent.Transport, opts)
+		} else {
+			// There's already a connection, so we're not going to use this, but
+			// we own it. So drop it:
+			opts.BootstrapClient.Release()
+		}
+		return ent.Conn, nil
+	})
 }
 
 func (n TestNetwork) Accept(ctx context.Context, opts *rpc.Options) (*rpc.Conn, error) {
-	n.global.mu.Lock()
-	q := n.global.getAcceptQueue(n.myID)
-	n.global.mu.Unlock()
+	q := mutex.With1(&n.global.state, func(js *joinerState) spsc.Queue[PeerID] {
+		return js.getAcceptQueue(n.myID)
+	})
 
 	incoming, err := q.Recv(ctx)
 	if err != nil {
@@ -122,19 +127,19 @@ func (n TestNetwork) Accept(ctx context.Context, opts *rpc.Options) (*rpc.Conn,
 	}
 	opts.Network = n
 	opts.RemotePeerID = rpc.PeerID{incoming}
-	n.global.mu.Lock()
-	defer n.global.mu.Unlock()
-	edge := edge{
-		From: n.myID,
-		To:   incoming,
-	}
-	ent := n.global.connections[edge]
-	if ent.Conn == nil {
-		ent.Conn = rpc.NewConn(ent.Transport, opts)
-	} else {
-		opts.BootstrapClient.Release()
-	}
-	return ent.Conn, nil
+	return mutex.With2(&n.global.state, func(js *joinerState) (*rpc.Conn, error) {
+		edge := edge{
+			From: n.myID,
+			To:   incoming,
+		}
+		ent := js.connections[edge]
+		if ent.Conn == nil {
+			ent.Conn = rpc.NewConn(ent.Transport, opts)
+		} else {
+			opts.BootstrapClient.Release()
+		}
+		return ent.Conn, nil
+	})
 }
 
 func makePeerAndNonce(peerID, nonce uint64) PeerAndNonce {
@@ -149,14 +154,14 @@ func makePeerAndNonce(peerID, nonce uint64) PeerAndNonce {
 func (n TestNetwork) Introduce(provider, recipient *rpc.Conn) (rpc.IntroductionInfo, error) {
 	providerPeerID := uint64(provider.RemotePeerID().Value.(PeerID))
 	recipientPeerID := uint64(recipient.RemotePeerID().Value.(PeerID))
-	n.global.mu.Lock()
-	defer n.global.mu.Unlock()
-	nonce := n.global.nextNonce
-	n.global.nextNonce++
-	return rpc.IntroductionInfo{
-		SendToRecipient: rpc.ThirdPartyCapID(makePeerAndNonce(providerPeerID, nonce).ToPtr()),
-		SendToProvider:  rpc.RecipientID(makePeerAndNonce(recipientPeerID, nonce).ToPtr()),
-	}, nil
+	return mutex.With2(&n.global.state, func(js *joinerState) (rpc.IntroductionInfo, error) {
+		nonce := js.nextNonce
+		js.nextNonce++
+		return rpc.IntroductionInfo{
+			SendToRecipient: rpc.ThirdPartyCapID(makePeerAndNonce(providerPeerID, nonce).ToPtr()),
+			SendToProvider:  rpc.RecipientID(makePeerAndNonce(recipientPeerID, nonce).ToPtr()),
+		}, nil
+	})
 }
 func (n TestNetwork) DialIntroduced(capID rpc.ThirdPartyCapID, introducedBy *rpc.Conn) (*rpc.Conn, rpc.ProvisionID, error) {
 	cid := PeerAndNonce(capnp.Ptr(capID).Struct())

From 46cba7c54228c5f3e2810ae3f5d1d7871b1518aa Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 17:52:35 -0400
Subject: [PATCH 13/48] TestNetwork: add a DialTransport method.

---
 rpc/internal/testnetwork/testnetwork.go | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/rpc/internal/testnetwork/testnetwork.go b/rpc/internal/testnetwork/testnetwork.go
index 3efb198c..01543260 100644
--- a/rpc/internal/testnetwork/testnetwork.go
+++ b/rpc/internal/testnetwork/testnetwork.go
@@ -82,6 +82,20 @@ func (n TestNetwork) LocalID() rpc.PeerID {
 }
 
 func (n TestNetwork) Dial(dst rpc.PeerID, opts *rpc.Options) (*rpc.Conn, error) {
+	conn, _, err := n.dial(dst, true, opts)
+	return conn, err
+}
+
+// DialTransport is like Dial, except that a Conn is not created, and the raw Transport is
+// returned instead.
+func (n TestNetwork) DialTransport(dst rpc.PeerID) (rpc.Transport, error) {
+	_, trans, err := n.dial(dst, false, nil)
+	return trans, err
+}
+
+// Helper for Dial and DialTransport; setupConn indicates whether to create the Conn
+// (if false it will be nil).
+func (n TestNetwork) dial(dst rpc.PeerID, setupConn bool, opts *rpc.Options) (*rpc.Conn, rpc.Transport, error) {
 	if opts == nil {
 		opts = &rpc.Options{}
 	}
@@ -94,7 +108,7 @@ func (n TestNetwork) Dial(dst rpc.PeerID, opts *rpc.Options) (*rpc.Conn, error)
 	}
 	fromEdge := toEdge.Flip()
 
-	return mutex.With2(&n.global.state, func(state *joinerState) (*rpc.Conn, error) {
+	return mutex.With3(&n.global.state, func(state *joinerState) (*rpc.Conn, rpc.Transport, error) {
 		ent, ok := state.connections[toEdge]
 		if !ok {
 			c1, c2 := net.Pipe()
@@ -105,14 +119,14 @@ func (n TestNetwork) Dial(dst rpc.PeerID, opts *rpc.Options) (*rpc.Conn, error)
 			state.connections[fromEdge] = &connectionEntry{Transport: t2}
 
 		}
-		if ent.Conn == nil {
+		if setupConn && ent.Conn == nil {
 			ent.Conn = rpc.NewConn(ent.Transport, opts)
 		} else {
 			// There's already a connection, so we're not going to use this, but
 			// we own it. So drop it:
 			opts.BootstrapClient.Release()
 		}
-		return ent.Conn, nil
+		return ent.Conn, ent.Transport, nil
 	})
 }
 

From 63b6cf53c1e4f08c0f4da174320612dd9e40db3b Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 18:18:26 -0400
Subject: [PATCH 14/48] Rework some bits of the Network interface.

In particular:

- The way we were supplying rpc.Options was clumsy. For now we have a
  network-specific way of doing this, but it could easily generalize.
- The Accept method wasn't really what we wanted either; has been
  replaced by Serve().
---
 rpc/internal/testnetwork/testnetwork.go | 72 +++++++++++++------------
 rpc/network.go                          | 17 +++---
 2 files changed, 47 insertions(+), 42 deletions(-)

diff --git a/rpc/internal/testnetwork/testnetwork.go b/rpc/internal/testnetwork/testnetwork.go
index 01543260..235f472f 100644
--- a/rpc/internal/testnetwork/testnetwork.go
+++ b/rpc/internal/testnetwork/testnetwork.go
@@ -27,8 +27,9 @@ func (e edge) Flip() edge {
 }
 
 type TestNetwork struct {
-	myID   PeerID
-	global *Joiner
+	myID             PeerID
+	global           *Joiner
+	configureOptions func(*rpc.Options)
 }
 
 // A Joiner is a global view of a test network, which can be joined by a
@@ -57,11 +58,22 @@ func NewJoiner() *Joiner {
 	}
 }
 
-func (j *Joiner) Join() TestNetwork {
+// Join the network.
+//
+// The supplied configureOptions callback will be invoked each time a new
+// connection is established, with an Options whose Network and RemotePeerID
+// fields are already filled in. When the callback returns the options will be
+// passed to rpc.NewConn. If configureOptions is nil, default options will
+// be used.
+func (j *Joiner) Join(configureOptions func(*rpc.Options)) TestNetwork {
+	if configureOptions == nil {
+		configureOptions = func(*rpc.Options) {}
+	}
 	return mutex.With1(&j.state, func(js *joinerState) TestNetwork {
 		ret := TestNetwork{
-			myID:   js.nextID,
-			global: j,
+			myID:             js.nextID,
+			global:           j,
+			configureOptions: configureOptions,
 		}
 		js.nextID++
 		return ret
@@ -81,26 +93,28 @@ func (n TestNetwork) LocalID() rpc.PeerID {
 	return rpc.PeerID{n.myID}
 }
 
-func (n TestNetwork) Dial(dst rpc.PeerID, opts *rpc.Options) (*rpc.Conn, error) {
-	conn, _, err := n.dial(dst, true, opts)
+func (n TestNetwork) Dial(dst rpc.PeerID) (*rpc.Conn, error) {
+	conn, _, err := n.dial(dst, true)
 	return conn, err
 }
 
 // DialTransport is like Dial, except that a Conn is not created, and the raw Transport is
 // returned instead.
 func (n TestNetwork) DialTransport(dst rpc.PeerID) (rpc.Transport, error) {
-	_, trans, err := n.dial(dst, false, nil)
+	_, trans, err := n.dial(dst, false)
 	return trans, err
 }
 
 // Helper for Dial and DialTransport; setupConn indicates whether to create the Conn
 // (if false it will be nil).
-func (n TestNetwork) dial(dst rpc.PeerID, setupConn bool, opts *rpc.Options) (*rpc.Conn, rpc.Transport, error) {
-	if opts == nil {
-		opts = &rpc.Options{}
+func (n TestNetwork) dial(dst rpc.PeerID, setupConn bool) (*rpc.Conn, rpc.Transport, error) {
+	opts := &rpc.Options{
+		Network:      n,
+		RemotePeerID: dst,
+	}
+	if setupConn {
+		n.configureOptions(opts)
 	}
-	opts.Network = n
-	opts.RemotePeerID = dst
 	dstID := dst.Value.(PeerID)
 	toEdge := edge{
 		From: n.myID,
@@ -130,30 +144,22 @@ func (n TestNetwork) dial(dst rpc.PeerID, setupConn bool, opts *rpc.Options) (*r
 	})
 }
 
-func (n TestNetwork) Accept(ctx context.Context, opts *rpc.Options) (*rpc.Conn, error) {
+func (n TestNetwork) Serve(ctx context.Context) error {
 	q := mutex.With1(&n.global.state, func(js *joinerState) spsc.Queue[PeerID] {
 		return js.getAcceptQueue(n.myID)
 	})
-
-	incoming, err := q.Recv(ctx)
-	if err != nil {
-		return nil, err
-	}
-	opts.Network = n
-	opts.RemotePeerID = rpc.PeerID{incoming}
-	return mutex.With2(&n.global.state, func(js *joinerState) (*rpc.Conn, error) {
-		edge := edge{
-			From: n.myID,
-			To:   incoming,
+	for ctx.Err() == nil {
+		incoming, err := q.Recv(ctx)
+		if err != nil {
+			return err
 		}
-		ent := js.connections[edge]
-		if ent.Conn == nil {
-			ent.Conn = rpc.NewConn(ent.Transport, opts)
-		} else {
-			opts.BootstrapClient.Release()
+		// Don't actually need to do anything with the conn, just
+		// accept it:
+		if _, err = n.Dial(rpc.PeerID{Value: incoming}); err != nil {
+			return err
 		}
-		return ent.Conn, nil
-	})
+	}
+	return ctx.Err()
 }
 
 func makePeerAndNonce(peerID, nonce uint64) PeerAndNonce {
@@ -183,7 +189,7 @@ func (n TestNetwork) DialIntroduced(capID rpc.ThirdPartyCapID, introducedBy *rpc
 		uint64(introducedBy.RemotePeerID().Value.(PeerID)),
 		cid.Nonce(),
 	)
-	conn, err := n.Dial(rpc.PeerID{PeerID(cid.PeerId())}, nil)
+	conn, err := n.Dial(rpc.PeerID{PeerID(cid.PeerId())})
 	return conn, rpc.ProvisionID(pid.ToPtr()), err
 }
 func (n TestNetwork) AcceptIntroduced(recipientID rpc.RecipientID, introducedBy *rpc.Conn) (*rpc.Conn, error) {
diff --git a/rpc/network.go b/rpc/network.go
index f1494b72..86c8565a 100644
--- a/rpc/network.go
+++ b/rpc/network.go
@@ -66,15 +66,13 @@ type Network interface {
 	// Return the identifier for caller on this network.
 	LocalID() PeerID
 
-	// Connect to another peer by ID. The supplied Options are used
-	// for the connection, with the values for RemotePeerID and Network
-	// overridden by the Network.
-	Dial(PeerID, *Options) (*Conn, error)
+	// Connect to another peer by ID. Re-uses any existing connection
+	// to the peer.
+	Dial(PeerID) (*Conn, error)
 
-	// Accept the next incoming connection on the network, using the
-	// supplied Options for the connection. Generally, callers will
-	// want to invoke this in a loop when launching a server.
-	Accept(context.Context, *Options) (*Conn, error)
+	// Accept and handle incoming connections on the network until
+	// the context is canceled.
+	Serve(context.Context) error
 
 	// Introduce the two connections, in preparation for a third party
 	// handoff. Afterwards, a Provide messsage should be sent to
@@ -83,7 +81,8 @@ type Network interface {
 
 	// Given a ThirdPartyCapID, received from introducedBy, connect
 	// to the third party. The caller should then send an Accept
-	// message over the returned Connection.
+	// message over the returned Connection. Re-uses any existing
+	// connection to the peer.
 	DialIntroduced(capID ThirdPartyCapID, introducedBy *Conn) (*Conn, ProvisionID, error)
 
 	// Given a RecipientID received in a Provide message via

From 1fba9f0d855819be35844ad57c78bb93d0a821dd Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 18:41:28 -0400
Subject: [PATCH 15/48] Add basic test for testnetwork.

Also, supply a large buffer for connections.
---
 rpc/internal/testnetwork/testnetwork.go      | 11 ++++---
 rpc/internal/testnetwork/testnetwork_test.go | 30 ++++++++++++++++++++
 2 files changed, 37 insertions(+), 4 deletions(-)
 create mode 100644 rpc/internal/testnetwork/testnetwork_test.go

diff --git a/rpc/internal/testnetwork/testnetwork.go b/rpc/internal/testnetwork/testnetwork.go
index 235f472f..1a50b0b4 100644
--- a/rpc/internal/testnetwork/testnetwork.go
+++ b/rpc/internal/testnetwork/testnetwork.go
@@ -3,11 +3,11 @@ package testnetwork
 
 import (
 	"context"
-	"net"
 
 	"capnproto.org/go/capnp/v3"
 	"capnproto.org/go/capnp/v3/exp/spsc"
 	"capnproto.org/go/capnp/v3/rpc"
+	"capnproto.org/go/capnp/v3/rpc/transport"
 	"zenhack.net/go/util"
 	"zenhack.net/go/util/sync/mutex"
 )
@@ -125,9 +125,12 @@ func (n TestNetwork) dial(dst rpc.PeerID, setupConn bool) (*rpc.Conn, rpc.Transp
 	return mutex.With3(&n.global.state, func(state *joinerState) (*rpc.Conn, rpc.Transport, error) {
 		ent, ok := state.connections[toEdge]
 		if !ok {
-			c1, c2 := net.Pipe()
-			t1 := rpc.NewStreamTransport(c1)
-			t2 := rpc.NewStreamTransport(c2)
+			// Some tests may need a few messages worth of buffer if
+			// they're using DialTransport; let's be generous:
+			c1, c2 := transport.NewPipe(100)
+
+			t1 := rpc.NewTransport(c1)
+			t2 := rpc.NewTransport(c2)
 			ent = &connectionEntry{Transport: t1}
 			state.connections[toEdge] = ent
 			state.connections[fromEdge] = &connectionEntry{Transport: t2}
diff --git a/rpc/internal/testnetwork/testnetwork_test.go b/rpc/internal/testnetwork/testnetwork_test.go
new file mode 100644
index 00000000..850843d4
--- /dev/null
+++ b/rpc/internal/testnetwork/testnetwork_test.go
@@ -0,0 +1,30 @@
+package testnetwork
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	rpccp "capnproto.org/go/capnp/v3/std/capnp/rpc"
+)
+
+func TestBasicConnect(t *testing.T) {
+	j := NewJoiner()
+	n1 := j.Join(nil)
+	n2 := j.Join(nil)
+
+	trans1, err := n1.DialTransport(n2.LocalID())
+	require.NoError(t, err)
+	trans2, err := n2.DialTransport(n1.LocalID())
+	require.NoError(t, err)
+
+	sendMsg, err := trans1.NewMessage()
+	require.NoError(t, err)
+	_, err = sendMsg.Message().NewCall()
+	require.NoError(t, err)
+	require.NoError(t, sendMsg.Send())
+
+	recvMsg, err := trans2.RecvMessage()
+	require.NoError(t, err)
+	require.Equal(t, rpccp.Message_Which_call, recvMsg.Message().Which())
+}

From a1349f33258bd270ec13b9830f367af21aa4c1bc Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 20:07:45 -0400
Subject: [PATCH 16/48] Test network: make implementation a pointer.

These need to be comparable.
---
 rpc/internal/testnetwork/testnetwork.go | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/rpc/internal/testnetwork/testnetwork.go b/rpc/internal/testnetwork/testnetwork.go
index 1a50b0b4..8a7eb085 100644
--- a/rpc/internal/testnetwork/testnetwork.go
+++ b/rpc/internal/testnetwork/testnetwork.go
@@ -54,6 +54,7 @@ func NewJoiner() *Joiner {
 	return &Joiner{
 		state: mutex.New(joinerState{
 			connections: make(map[edge]*connectionEntry),
+			incoming:    make(map[PeerID]spsc.Queue[PeerID]),
 		}),
 	}
 }
@@ -65,12 +66,12 @@ func NewJoiner() *Joiner {
 // fields are already filled in. When the callback returns the options will be
 // passed to rpc.NewConn. If configureOptions is nil, default options will
 // be used.
-func (j *Joiner) Join(configureOptions func(*rpc.Options)) TestNetwork {
+func (j *Joiner) Join(configureOptions func(*rpc.Options)) *TestNetwork {
 	if configureOptions == nil {
 		configureOptions = func(*rpc.Options) {}
 	}
-	return mutex.With1(&j.state, func(js *joinerState) TestNetwork {
-		ret := TestNetwork{
+	return mutex.With1(&j.state, func(js *joinerState) *TestNetwork {
+		ret := &TestNetwork{
 			myID:             js.nextID,
 			global:           j,
 			configureOptions: configureOptions,
@@ -89,25 +90,25 @@ func (j *joinerState) getAcceptQueue(id PeerID) spsc.Queue[PeerID] {
 	return q
 }
 
-func (n TestNetwork) LocalID() rpc.PeerID {
+func (n *TestNetwork) LocalID() rpc.PeerID {
 	return rpc.PeerID{n.myID}
 }
 
-func (n TestNetwork) Dial(dst rpc.PeerID) (*rpc.Conn, error) {
+func (n *TestNetwork) Dial(dst rpc.PeerID) (*rpc.Conn, error) {
 	conn, _, err := n.dial(dst, true)
 	return conn, err
 }
 
 // DialTransport is like Dial, except that a Conn is not created, and the raw Transport is
 // returned instead.
-func (n TestNetwork) DialTransport(dst rpc.PeerID) (rpc.Transport, error) {
+func (n *TestNetwork) DialTransport(dst rpc.PeerID) (rpc.Transport, error) {
 	_, trans, err := n.dial(dst, false)
 	return trans, err
 }
 
 // Helper for Dial and DialTransport; setupConn indicates whether to create the Conn
 // (if false it will be nil).
-func (n TestNetwork) dial(dst rpc.PeerID, setupConn bool) (*rpc.Conn, rpc.Transport, error) {
+func (n *TestNetwork) dial(dst rpc.PeerID, setupConn bool) (*rpc.Conn, rpc.Transport, error) {
 	opts := &rpc.Options{
 		Network:      n,
 		RemotePeerID: dst,
@@ -147,7 +148,7 @@ func (n TestNetwork) dial(dst rpc.PeerID, setupConn bool) (*rpc.Conn, rpc.Transp
 	})
 }
 
-func (n TestNetwork) Serve(ctx context.Context) error {
+func (n *TestNetwork) Serve(ctx context.Context) error {
 	q := mutex.With1(&n.global.state, func(js *joinerState) spsc.Queue[PeerID] {
 		return js.getAcceptQueue(n.myID)
 	})
@@ -174,7 +175,7 @@ func makePeerAndNonce(peerID, nonce uint64) PeerAndNonce {
 	return ret
 }
 
-func (n TestNetwork) Introduce(provider, recipient *rpc.Conn) (rpc.IntroductionInfo, error) {
+func (n *TestNetwork) Introduce(provider, recipient *rpc.Conn) (rpc.IntroductionInfo, error) {
 	providerPeerID := uint64(provider.RemotePeerID().Value.(PeerID))
 	recipientPeerID := uint64(recipient.RemotePeerID().Value.(PeerID))
 	return mutex.With2(&n.global.state, func(js *joinerState) (rpc.IntroductionInfo, error) {
@@ -186,7 +187,7 @@ func (n TestNetwork) Introduce(provider, recipient *rpc.Conn) (rpc.IntroductionI
 		}, nil
 	})
 }
-func (n TestNetwork) DialIntroduced(capID rpc.ThirdPartyCapID, introducedBy *rpc.Conn) (*rpc.Conn, rpc.ProvisionID, error) {
+func (n *TestNetwork) DialIntroduced(capID rpc.ThirdPartyCapID, introducedBy *rpc.Conn) (*rpc.Conn, rpc.ProvisionID, error) {
 	cid := PeerAndNonce(capnp.Ptr(capID).Struct())
 	pid := makePeerAndNonce(
 		uint64(introducedBy.RemotePeerID().Value.(PeerID)),
@@ -195,6 +196,6 @@ func (n TestNetwork) DialIntroduced(capID rpc.ThirdPartyCapID, introducedBy *rpc
 	conn, err := n.Dial(rpc.PeerID{PeerID(cid.PeerId())})
 	return conn, rpc.ProvisionID(pid.ToPtr()), err
 }
-func (n TestNetwork) AcceptIntroduced(recipientID rpc.RecipientID, introducedBy *rpc.Conn) (*rpc.Conn, error) {
+func (n *TestNetwork) AcceptIntroduced(recipientID rpc.RecipientID, introducedBy *rpc.Conn) (*rpc.Conn, error) {
 	panic("TODO")
 }

From ddf4c102c7ea7603b362db36e363da960ede064a Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 20:08:46 -0400
Subject: [PATCH 17/48] Document that Networks must be comparable.

---
 rpc/network.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rpc/network.go b/rpc/network.go
index 86c8565a..6a82bde3 100644
--- a/rpc/network.go
+++ b/rpc/network.go
@@ -62,6 +62,9 @@ type IntroductionInfo struct {
 // A Network is a reference to a multi-party (generally >= 3) network
 // of Cap'n Proto peers. Use this instead of NewConn when establishing
 // connections outside a point-to-point setting.
+//
+// In addition to satisfying the method set, a correct implementation
+// of Netowrk must be comparable.
 type Network interface {
 	// Return the identifier for caller on this network.
 	LocalID() PeerID

From eef25d08d630368264df47c0f7c0e29c738a6947 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 20:09:25 -0400
Subject: [PATCH 18/48] Start working on a test for 3PH

---
 rpc/3ph_test.go    | 167 +++++++++++++++++++++++++++++++++++++++++++++
 rpc/level0_test.go |   1 +
 2 files changed, 168 insertions(+)
 create mode 100644 rpc/3ph_test.go

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
new file mode 100644
index 00000000..4d6ab28e
--- /dev/null
+++ b/rpc/3ph_test.go
@@ -0,0 +1,167 @@
+package rpc_test
+
+import (
+	"context"
+	"testing"
+
+	"capnproto.org/go/capnp/v3"
+	"capnproto.org/go/capnp/v3/pogs"
+	"capnproto.org/go/capnp/v3/rpc"
+	"capnproto.org/go/capnp/v3/rpc/internal/testcapnp"
+	"capnproto.org/go/capnp/v3/rpc/internal/testnetwork"
+	rpccp "capnproto.org/go/capnp/v3/std/capnp/rpc"
+	"github.com/stretchr/testify/require"
+)
+
+type rpcProvide struct {
+	QuestionID uint32 `capnp:"questionId"`
+	Target     rpcMessageTarget
+	Recipient  capnp.Ptr
+}
+
+func TestSendProvide(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	j := testnetwork.NewJoiner()
+
+	pp := testcapnp.PingPong_ServerToClient(&pingPonger{})
+	defer pp.Release()
+
+	introducer := j.Join(nil)
+	recipient := j.Join(nil)
+	provider := j.Join(nil)
+
+	go introducer.Serve(ctx)
+
+	rConn, err := introducer.Dial(recipient.LocalID())
+	require.NoError(t, err)
+
+	pConn, err := introducer.Dial(provider.LocalID())
+	require.NoError(t, err)
+
+	rBs := rConn.Bootstrap(ctx)
+	defer rBs.Release()
+	pBs := pConn.Bootstrap(ctx)
+	defer pBs.Release()
+
+	rTrans, err := recipient.DialTransport(introducer.LocalID())
+	require.NoError(t, err)
+
+	pTrans, err := provider.DialTransport(introducer.LocalID())
+	require.NoError(t, err)
+
+	bootstrapExportID := uint32(10)
+	doBootstrap := func(trans rpc.Transport) {
+		// Receive bootstrap
+		rmsg, release, err := recvMessage(ctx, trans)
+		require.NoError(t, err)
+		defer release()
+		require.Equal(t, rpccp.Message_Which_bootstrap, rmsg.Which)
+		qid := rmsg.Bootstrap.QuestionID
+
+		// Write back return
+		outMsg, err := trans.NewMessage()
+		require.NoError(t, err, "trans.NewMessage()")
+		iptr := capnp.NewInterface(outMsg.Message().Segment(), 0)
+		require.NoError(t, pogs.Insert(rpccp.Message_TypeID, capnp.Struct(outMsg.Message()), &rpcMessage{
+			Which: rpccp.Message_Which_return,
+			Return: &rpcReturn{
+				AnswerID: qid,
+				Which:    rpccp.Return_Which_results,
+				Results: &rpcPayload{
+					Content: iptr.ToPtr(),
+					CapTable: []rpcCapDescriptor{
+						{
+							Which:        rpccp.CapDescriptor_Which_senderHosted,
+							SenderHosted: bootstrapExportID,
+						},
+					},
+				},
+			},
+		}))
+		require.NoError(t, outMsg.Send())
+
+		// Receive finish
+		rmsg, release, err = recvMessage(ctx, trans)
+		require.NoError(t, err)
+		defer release()
+		require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
+		require.Equal(t, qid, rmsg.Finish.QuestionID)
+	}
+	doBootstrap(rTrans)
+	require.NoError(t, rBs.Resolve(ctx))
+	doBootstrap(pTrans)
+	require.NoError(t, pBs.Resolve(ctx))
+
+	futEmpty, rel := testcapnp.EmptyProvider(pBs).GetEmpty(ctx, nil)
+	defer rel()
+
+	emptyExportID := uint32(30)
+	{
+		// Receive call
+		rmsg, release, err := recvMessage(ctx, pTrans)
+		require.NoError(t, err)
+		defer release()
+		require.Equal(t, rpccp.Message_Which_call, rmsg.Which)
+		qid := rmsg.Call.QuestionID
+		require.Equal(t, uint64(testcapnp.EmptyProvider_TypeID), rmsg.Call.InterfaceID)
+		require.Equal(t, uint16(0), rmsg.Call.MethodID)
+
+		// Send return
+		outMsg, err := pTrans.NewMessage()
+		require.NoError(t, err)
+		seg := outMsg.Message().Segment()
+		results, err := capnp.NewStruct(seg, capnp.ObjectSize{
+			PointerCount: 1,
+		})
+		require.NoError(t, err)
+		iptr := capnp.NewInterface(seg, 0)
+		results.SetPtr(0, iptr.ToPtr())
+		require.NoError(t, sendMessage(ctx, pTrans, &rpcMessage{
+			Which: rpccp.Message_Which_return,
+			Return: &rpcReturn{
+				Which: rpccp.Return_Which_results,
+				Results: &rpcPayload{
+					Content: results.ToPtr(),
+					CapTable: []rpcCapDescriptor{
+						{
+							Which:        rpccp.CapDescriptor_Which_senderHosted,
+							SenderHosted: emptyExportID,
+						},
+					},
+				},
+			},
+		}))
+
+		// Receive finish
+		rmsg, release, err = recvMessage(ctx, pTrans)
+		require.NoError(t, err)
+		defer release()
+		require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
+		require.Equal(t, qid, rmsg.Finish.QuestionID)
+	}
+
+	resEmpty, err := futEmpty.Struct()
+	require.NoError(t, err)
+	empty := resEmpty.Empty()
+
+	_, rel = testcapnp.CapArgsTest(rBs).Call(ctx, func(p testcapnp.CapArgsTest_call_Params) error {
+		return p.SetCap(capnp.Client(empty))
+	})
+	defer rel()
+
+	//var provideQid uint32
+	{
+		// Provider should receive a provide message
+		rmsg, release, err := recvMessage(ctx, pTrans)
+		require.NoError(t, err)
+		defer release()
+		require.Equal(t, rpccp.Message_Which_provide, rmsg.Which)
+		//provideQid = rmsg.Provide.QuestionID
+		require.Equal(t, rpccp.MessageTarget_Which_importedCap, rmsg.Provide.Target.Which)
+		require.Equal(t, emptyExportID, rmsg.Provide.Target.ImportedCap)
+	}
+
+	panic("TODO: check for messages on rTrans (call, resolve)")
+}
diff --git a/rpc/level0_test.go b/rpc/level0_test.go
index 6817deca..59778ca2 100644
--- a/rpc/level0_test.go
+++ b/rpc/level0_test.go
@@ -2083,6 +2083,7 @@ type rpcMessage struct {
 	Resolve       *rpcResolve
 	Release       *rpcRelease
 	Disembargo    *rpcDisembargo
+	Provide       *rpcProvide
 }
 
 func sendMessage(ctx context.Context, t rpc.Transport, msg *rpcMessage) error {

From 9a2b2b8a872e2c8452ed77b725acbc005a5ba119 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 20:14:18 -0400
Subject: [PATCH 19/48] Fix out of bounds slice access

---
 rpc/export.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index 615f1f03..32b0986f 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -227,11 +227,12 @@ func (c *lockedConn) send3PHPromise(
 				vineID := c.lk.exportID.next()
 				client := capnp.NewClient(vine)
 				defer client.Release()
-				c.lk.exports[vineID] = &expent{
+
+				c.insertExport(vineID, &expent{
 					snapshot: client.Snapshot(),
 					wireRefs: 1,
 					cancel:   func() {},
-				}
+				})
 
 				thirdCapDesc.SetVineId(uint32(vineID))
 				return nil

From 9461c105d279d94c5e698285aa9f8164f8dbd12c Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 20:15:33 -0400
Subject: [PATCH 20/48] Remove a TODO

I don't think there's more to do in this section.
---
 rpc/export.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rpc/export.go b/rpc/export.go
index 32b0986f..d54e89f4 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -199,7 +199,6 @@ func (c *lockedConn) send3PHPromise(
 					return
 				}
 				go provideQ.handleCancel(c.bgctx)
-				panic("TODO: anything else?")
 			})
 		})
 		c.withLocked(func(c *lockedConn) {

From 4264f84215880af16e5719ca069ec7fde21e230f Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 20:27:36 -0400
Subject: [PATCH 21/48] Clean up the vine properly if sending fails.

---
 rpc/export.go | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index d54e89f4..1e72b1db 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -170,6 +170,7 @@ func (c *lockedConn) send3PHPromise(
 			provideQ *question
 			vine     *vine
 		)
+		ctx, cancel := context.WithCancel(srcConn.bgctx)
 		srcConn.withLocked(func(c *lockedConn) {
 			provideQ = c.newQuestion(capnp.Method{})
 			provideQ.flags |= isProvide
@@ -198,9 +199,14 @@ func (c *lockedConn) send3PHPromise(
 					})
 					return
 				}
-				go provideQ.handleCancel(c.bgctx)
+				go provideQ.handleCancel(ctx)
 			})
 		})
+		unlockedConn := c
+		var (
+			vineID    exportID
+			vineEntry *expent
+		)
 		c.withLocked(func(c *lockedConn) {
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
 				if c.lk.exports[promiseID] != ee {
@@ -223,23 +229,31 @@ func (c *lockedConn) send3PHPromise(
 					return err
 				}
 
-				vineID := c.lk.exportID.next()
+				vineID = c.lk.exportID.next()
 				client := capnp.NewClient(vine)
 				defer client.Release()
 
 				c.insertExport(vineID, &expent{
 					snapshot: client.Snapshot(),
 					wireRefs: 1,
-					cancel:   func() {},
+					cancel:   cancel,
 				})
+				vineEntry = c.lk.exports[vineID]
 
 				thirdCapDesc.SetVineId(uint32(vineID))
 				return nil
 			}, func(err error) {
-				if err != nil {
+				if err == nil {
+					return
+				}
+				if vineEntry == nil {
 					vine.Shutdown()
+				} else {
+					unlockedConn.withLocked(func(c *lockedConn) {
+						snapshot, _ := c.releaseExport(vineID, 1)
+						snapshot.Release()
+					})
 				}
-				panic("TODO: cancel provide, other stuff?")
 			})
 		})
 	}()

From 67b1a62307482fb984132b94e45980992762bf66 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Sun, 25 Jun 2023 20:30:01 -0400
Subject: [PATCH 22/48] TestSendProvide: set an error reporter

---
 rpc/3ph_test.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 4d6ab28e..343c7b2c 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -28,9 +28,13 @@ func TestSendProvide(t *testing.T) {
 	pp := testcapnp.PingPong_ServerToClient(&pingPonger{})
 	defer pp.Release()
 
-	introducer := j.Join(nil)
-	recipient := j.Join(nil)
-	provider := j.Join(nil)
+	cfgOpts := func(opts *rpc.Options) {
+		opts.ErrorReporter = testErrorReporter{tb: t}
+	}
+
+	introducer := j.Join(cfgOpts)
+	recipient := j.Join(cfgOpts)
+	provider := j.Join(cfgOpts)
 
 	go introducer.Serve(ctx)
 

From 38c547cad1b43c4e2646edf78275fcb7e2e927c4 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Tue, 27 Jun 2023 23:49:27 -0400
Subject: [PATCH 23/48] Fix Client leak in send3PHPromise

---
 rpc/export.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rpc/export.go b/rpc/export.go
index 1e72b1db..2d2b320f 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -135,6 +135,7 @@ func (c *lockedConn) send3PHPromise(
 	}
 
 	p, r := capnp.NewLocalPromise[capnp.Client]()
+	defer p.Release()
 	pSnapshot := p.Snapshot()
 	r.Fulfill(srcSnapshot.Client()) // FIXME: this may allow path shortening...
 

From 502cce5f8d1c549edeebd306f85c45a56e765cad Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Wed, 28 Jun 2023 01:03:10 -0400
Subject: [PATCH 24/48] 3ph tests: check for call w/ promise and resolution.

---
 rpc/3ph_test.go | 68 ++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 56 insertions(+), 12 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 343c7b2c..135c3a30 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -11,6 +11,7 @@ import (
 	"capnproto.org/go/capnp/v3/rpc/internal/testnetwork"
 	rpccp "capnproto.org/go/capnp/v3/std/capnp/rpc"
 	"github.com/stretchr/testify/require"
+	"zenhack.net/go/util/deferred"
 )
 
 type rpcProvide struct {
@@ -20,13 +21,21 @@ type rpcProvide struct {
 }
 
 func TestSendProvide(t *testing.T) {
+	// Note: we do our deferring in this test via a deferred.Queue,
+	// so we can be sure that cancelling the context happens *first.*
+	// Otherwise, some of the things we defer can block until
+	// connection shutdown which won't happen until the context ends,
+	// causing this test to deadlock instead of failing with a useful
+	// error.
+	dq := deferred.Queue{}
+	defer dq.Run()
 	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	dq.Defer(cancel)
 
 	j := testnetwork.NewJoiner()
 
 	pp := testcapnp.PingPong_ServerToClient(&pingPonger{})
-	defer pp.Release()
+	dq.Defer(pp.Release)
 
 	cfgOpts := func(opts *rpc.Options) {
 		opts.ErrorReporter = testErrorReporter{tb: t}
@@ -45,9 +54,9 @@ func TestSendProvide(t *testing.T) {
 	require.NoError(t, err)
 
 	rBs := rConn.Bootstrap(ctx)
-	defer rBs.Release()
+	dq.Defer(rBs.Release)
 	pBs := pConn.Bootstrap(ctx)
-	defer pBs.Release()
+	dq.Defer(pBs.Release)
 
 	rTrans, err := recipient.DialTransport(introducer.LocalID())
 	require.NoError(t, err)
@@ -60,7 +69,7 @@ func TestSendProvide(t *testing.T) {
 		// Receive bootstrap
 		rmsg, release, err := recvMessage(ctx, trans)
 		require.NoError(t, err)
-		defer release()
+		dq.Defer(release)
 		require.Equal(t, rpccp.Message_Which_bootstrap, rmsg.Which)
 		qid := rmsg.Bootstrap.QuestionID
 
@@ -89,7 +98,7 @@ func TestSendProvide(t *testing.T) {
 		// Receive finish
 		rmsg, release, err = recvMessage(ctx, trans)
 		require.NoError(t, err)
-		defer release()
+		dq.Defer(release)
 		require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
 		require.Equal(t, qid, rmsg.Finish.QuestionID)
 	}
@@ -99,14 +108,14 @@ func TestSendProvide(t *testing.T) {
 	require.NoError(t, pBs.Resolve(ctx))
 
 	futEmpty, rel := testcapnp.EmptyProvider(pBs).GetEmpty(ctx, nil)
-	defer rel()
+	dq.Defer(rel)
 
 	emptyExportID := uint32(30)
 	{
 		// Receive call
 		rmsg, release, err := recvMessage(ctx, pTrans)
 		require.NoError(t, err)
-		defer release()
+		dq.Defer(release)
 		require.Equal(t, rpccp.Message_Which_call, rmsg.Which)
 		qid := rmsg.Call.QuestionID
 		require.Equal(t, uint64(testcapnp.EmptyProvider_TypeID), rmsg.Call.InterfaceID)
@@ -141,7 +150,7 @@ func TestSendProvide(t *testing.T) {
 		// Receive finish
 		rmsg, release, err = recvMessage(ctx, pTrans)
 		require.NoError(t, err)
-		defer release()
+		dq.Defer(release)
 		require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
 		require.Equal(t, qid, rmsg.Finish.QuestionID)
 	}
@@ -153,19 +162,54 @@ func TestSendProvide(t *testing.T) {
 	_, rel = testcapnp.CapArgsTest(rBs).Call(ctx, func(p testcapnp.CapArgsTest_call_Params) error {
 		return p.SetCap(capnp.Client(empty))
 	})
-	defer rel()
+	dq.Defer(rel)
 
 	//var provideQid uint32
 	{
 		// Provider should receive a provide message
 		rmsg, release, err := recvMessage(ctx, pTrans)
 		require.NoError(t, err)
-		defer release()
+		dq.Defer(release)
 		require.Equal(t, rpccp.Message_Which_provide, rmsg.Which)
 		//provideQid = rmsg.Provide.QuestionID
 		require.Equal(t, rpccp.MessageTarget_Which_importedCap, rmsg.Provide.Target.Which)
 		require.Equal(t, emptyExportID, rmsg.Provide.Target.ImportedCap)
 	}
 
-	panic("TODO: check for messages on rTrans (call, resolve)")
+	{
+		// Read the call; should start off with a promise, record the ID:
+		rmsg, release, err := recvMessage(ctx, rTrans)
+		require.NoError(t, err)
+		dq.Defer(release)
+		require.Equal(t, rpccp.Message_Which_call, rmsg.Which)
+		call := rmsg.Call
+		//qid := call.QuestionID
+		require.Equal(t, rpcMessageTarget{
+			Which:       rpccp.MessageTarget_Which_importedCap,
+			ImportedCap: bootstrapExportID,
+		}, call.Target)
+
+		require.Equal(t, uint64(testcapnp.CapArgsTest_TypeID), call.InterfaceID)
+		require.Equal(t, uint16(0), call.MethodID)
+		ptr, err := call.Params.Content.Struct().Ptr(0)
+		require.NoError(t, err)
+		iptr := ptr.Interface()
+		require.True(t, iptr.IsValid())
+		require.Equal(t, capnp.CapabilityID(0), iptr.Capability())
+		require.Equal(t, 1, len(call.Params.CapTable))
+		desc := call.Params.CapTable[0]
+		require.Equal(t, rpccp.CapDescriptor_Which_senderPromise, desc.Which)
+		promiseExportID := desc.SenderPromise
+
+		// Read the resolve for that promise, which should point to a third party cap:
+		rmsg, release, err = recvMessage(ctx, rTrans)
+		require.NoError(t, err)
+		dq.Defer(release)
+		require.Equal(t, rpccp.Message_Which_resolve, rmsg.Which)
+		require.Equal(t, promiseExportID, rmsg.Resolve.PromiseID)
+		require.Equal(t, rpccp.Resolve_Which_cap, rmsg.Resolve.Which)
+		capDesc := rmsg.Resolve.Cap
+		require.Equal(t, rpccp.CapDescriptor_Which_thirdPartyHosted, capDesc.Which)
+	}
+	panic("TODO: finish this up")
 }

From b3e9fcbab536959be43ed0b272573e65ee991d9a Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Wed, 28 Jun 2023 01:22:59 -0400
Subject: [PATCH 25/48] Add a couple more 3PH checks

...and note some other things to test.
---
 rpc/3ph_test.go    | 24 ++++++++++++++++++++++++
 rpc/level0_test.go | 17 +++++++++++------
 2 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 135c3a30..0f0217b4 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -174,6 +174,13 @@ func TestSendProvide(t *testing.T) {
 		//provideQid = rmsg.Provide.QuestionID
 		require.Equal(t, rpccp.MessageTarget_Which_importedCap, rmsg.Provide.Target.Which)
 		require.Equal(t, emptyExportID, rmsg.Provide.Target.ImportedCap)
+
+		peerAndNonce := testnetwork.PeerAndNonce(rmsg.Provide.Recipient.Struct())
+
+		require.Equal(t,
+			uint64(recipient.LocalID().Value.(testnetwork.PeerID)),
+			peerAndNonce.PeerId(),
+		)
 	}
 
 	{
@@ -210,6 +217,23 @@ func TestSendProvide(t *testing.T) {
 		require.Equal(t, rpccp.Resolve_Which_cap, rmsg.Resolve.Which)
 		capDesc := rmsg.Resolve.Cap
 		require.Equal(t, rpccp.CapDescriptor_Which_thirdPartyHosted, capDesc.Which)
+		peerAndNonce := testnetwork.PeerAndNonce(capDesc.ThirdPartyHosted.ID.Struct())
+
+		require.Equal(t,
+			uint64(provider.LocalID().Value.(testnetwork.PeerID)),
+			peerAndNonce.PeerId(),
+		)
 	}
 	panic("TODO: finish this up")
+	// TODO:
+	//
+	// - Send a return for the provide, and see that we get a finish back.
+	// - return & finish from the call.
+	//
+	// Other things to test, maybe in other tests?
+	//
+	// - Use the vine
+	//   - Make sure the introducer cancels the provide when this happens.
+	// - Drop the vine before pickup, and see that the introducer sends a finish for the provide.
+	// - Test dropping the promise?
 }
diff --git a/rpc/level0_test.go b/rpc/level0_test.go
index 59778ca2..ee660172 100644
--- a/rpc/level0_test.go
+++ b/rpc/level0_test.go
@@ -2114,7 +2114,6 @@ func recvMessage(ctx context.Context, t rpc.Transport) (*rpcMessage, capnp.Relea
 	if r.Which == rpccp.Message_Which_abort ||
 		r.Which == rpccp.Message_Which_bootstrap ||
 		r.Which == rpccp.Message_Which_finish ||
-		r.Which == rpccp.Message_Which_resolve ||
 		r.Which == rpccp.Message_Which_release ||
 		r.Which == rpccp.Message_Which_disembargo {
 		// These messages are guaranteed to not contain pointers back to
@@ -2175,11 +2174,17 @@ type rpcPayload struct {
 }
 
 type rpcCapDescriptor struct {
-	Which          rpccp.CapDescriptor_Which
-	SenderHosted   uint32
-	SenderPromise  uint32
-	ReceiverHosted uint32
-	ReceiverAnswer *rpcPromisedAnswer
+	Which            rpccp.CapDescriptor_Which
+	SenderHosted     uint32
+	SenderPromise    uint32
+	ReceiverHosted   uint32
+	ReceiverAnswer   *rpcPromisedAnswer
+	ThirdPartyHosted rpcThirdPartyCapDescriptor
+}
+
+type rpcThirdPartyCapDescriptor struct {
+	ID     capnp.Ptr `capnp:"id"`
+	VineID uint32    `capnp:"vineId"`
 }
 
 type rpcPromisedAnswer struct {

From 8e8efcc86991317047e7f64f1609cf8c88b7f3f4 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Wed, 28 Jun 2023 22:56:49 -0400
Subject: [PATCH 26/48] Finish out TestSendProvide

---
 rpc/3ph_test.go | 62 ++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 51 insertions(+), 11 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 0f0217b4..63b3a02d 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -159,19 +159,19 @@ func TestSendProvide(t *testing.T) {
 	require.NoError(t, err)
 	empty := resEmpty.Empty()
 
-	_, rel = testcapnp.CapArgsTest(rBs).Call(ctx, func(p testcapnp.CapArgsTest_call_Params) error {
+	callFut, rel := testcapnp.CapArgsTest(rBs).Call(ctx, func(p testcapnp.CapArgsTest_call_Params) error {
 		return p.SetCap(capnp.Client(empty))
 	})
 	dq.Defer(rel)
 
-	//var provideQid uint32
+	var provideQid uint32
 	{
 		// Provider should receive a provide message
 		rmsg, release, err := recvMessage(ctx, pTrans)
 		require.NoError(t, err)
 		dq.Defer(release)
 		require.Equal(t, rpccp.Message_Which_provide, rmsg.Which)
-		//provideQid = rmsg.Provide.QuestionID
+		provideQid = rmsg.Provide.QuestionID
 		require.Equal(t, rpccp.MessageTarget_Which_importedCap, rmsg.Provide.Target.Which)
 		require.Equal(t, emptyExportID, rmsg.Provide.Target.ImportedCap)
 
@@ -183,6 +183,7 @@ func TestSendProvide(t *testing.T) {
 		)
 	}
 
+	var callQid uint32
 	{
 		// Read the call; should start off with a promise, record the ID:
 		rmsg, release, err := recvMessage(ctx, rTrans)
@@ -190,7 +191,7 @@ func TestSendProvide(t *testing.T) {
 		dq.Defer(release)
 		require.Equal(t, rpccp.Message_Which_call, rmsg.Which)
 		call := rmsg.Call
-		//qid := call.QuestionID
+		callQid = call.QuestionID
 		require.Equal(t, rpcMessageTarget{
 			Which:       rpccp.MessageTarget_Which_importedCap,
 			ImportedCap: bootstrapExportID,
@@ -224,13 +225,52 @@ func TestSendProvide(t *testing.T) {
 			peerAndNonce.PeerId(),
 		)
 	}
-	panic("TODO: finish this up")
-	// TODO:
-	//
-	// - Send a return for the provide, and see that we get a finish back.
-	// - return & finish from the call.
-	//
-	// Other things to test, maybe in other tests?
+
+	{
+		// Return from the provide, and see that we get back a finish
+		require.NoError(t, sendMessage(ctx, pTrans, &rpcMessage{
+			Which: rpccp.Message_Which_return,
+			Return: &rpcReturn{
+				AnswerID: provideQid,
+				Which:    rpccp.Return_Which_results,
+				Results:  &rpcPayload{},
+			},
+		}))
+
+		rmsg, release, err := recvMessage(ctx, pTrans)
+		require.NoError(t, err)
+		dq.Defer(release)
+		require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
+		require.Equal(t, provideQid, rmsg.Finish.QuestionID)
+	}
+
+	{
+		// Return from the call, see that we get back a finish
+		require.NoError(t, sendMessage(ctx, rTrans, &rpcMessage{
+			Which: rpccp.Message_Which_return,
+			Return: &rpcReturn{
+				AnswerID: callQid,
+				Which:    rpccp.Return_Which_results,
+				Results:  &rpcPayload{},
+			},
+		}))
+
+		rmsg, release, err := recvMessage(ctx, rTrans)
+		require.NoError(t, err)
+		dq.Defer(release)
+		require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
+		require.Equal(t, callQid, rmsg.Finish.QuestionID)
+	}
+
+	{
+		// Wait for the result of the call:
+		_, err := callFut.Struct()
+		require.NoError(t, err)
+	}
+}
+
+func TestVine(t *testing.T) {
+	// things to test:
 	//
 	// - Use the vine
 	//   - Make sure the introducer cancels the provide when this happens.

From 0651043823c9807bd326eb40611b31e4ceab1073 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Wed, 28 Jun 2023 23:04:55 -0400
Subject: [PATCH 27/48] Stub out vine tests & factor out doBootstrap()

---
 rpc/3ph_test.go | 100 ++++++++++++++++++++++++++----------------------
 1 file changed, 54 insertions(+), 46 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 63b3a02d..370bb2bc 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -65,46 +65,9 @@ func TestSendProvide(t *testing.T) {
 	require.NoError(t, err)
 
 	bootstrapExportID := uint32(10)
-	doBootstrap := func(trans rpc.Transport) {
-		// Receive bootstrap
-		rmsg, release, err := recvMessage(ctx, trans)
-		require.NoError(t, err)
-		dq.Defer(release)
-		require.Equal(t, rpccp.Message_Which_bootstrap, rmsg.Which)
-		qid := rmsg.Bootstrap.QuestionID
-
-		// Write back return
-		outMsg, err := trans.NewMessage()
-		require.NoError(t, err, "trans.NewMessage()")
-		iptr := capnp.NewInterface(outMsg.Message().Segment(), 0)
-		require.NoError(t, pogs.Insert(rpccp.Message_TypeID, capnp.Struct(outMsg.Message()), &rpcMessage{
-			Which: rpccp.Message_Which_return,
-			Return: &rpcReturn{
-				AnswerID: qid,
-				Which:    rpccp.Return_Which_results,
-				Results: &rpcPayload{
-					Content: iptr.ToPtr(),
-					CapTable: []rpcCapDescriptor{
-						{
-							Which:        rpccp.CapDescriptor_Which_senderHosted,
-							SenderHosted: bootstrapExportID,
-						},
-					},
-				},
-			},
-		}))
-		require.NoError(t, outMsg.Send())
-
-		// Receive finish
-		rmsg, release, err = recvMessage(ctx, trans)
-		require.NoError(t, err)
-		dq.Defer(release)
-		require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
-		require.Equal(t, qid, rmsg.Finish.QuestionID)
-	}
-	doBootstrap(rTrans)
+	doBootstrap(t, bootstrapExportID, rTrans)
 	require.NoError(t, rBs.Resolve(ctx))
-	doBootstrap(pTrans)
+	doBootstrap(t, bootstrapExportID, pTrans)
 	require.NoError(t, pBs.Resolve(ctx))
 
 	futEmpty, rel := testcapnp.EmptyProvider(pBs).GetEmpty(ctx, nil)
@@ -269,11 +232,56 @@ func TestSendProvide(t *testing.T) {
 	}
 }
 
-func TestVine(t *testing.T) {
-	// things to test:
-	//
-	// - Use the vine
-	//   - Make sure the introducer cancels the provide when this happens.
-	// - Drop the vine before pickup, and see that the introducer sends a finish for the provide.
-	// - Test dropping the promise?
+// TestVineUseCancelsHandoff checks that using the vine causes the introducer to cancel the
+// handoff (by sending a finish for the provide).
+func TestVineUseCancelsHandoff(t *testing.T) {
+	t.Fatal("TODO")
+}
+
+// TestVineDropCancelsHandoff checks that releasing the vine causes the introducer to cancel the
+// handoff
+func TestVineDropCancelsHandoff(t *testing.T) {
+	t.Fatal("TODO")
+}
+
+// Helper that receives and replies to a bootstrap message on trans, returning a SenderHosted
+// capability with the given export ID.
+func doBootstrap(t *testing.T, bootstrapExportID uint32, trans rpc.Transport) {
+	ctx := context.Background()
+
+	// Receive bootstrap
+	rmsg, release, err := recvMessage(ctx, trans)
+	require.NoError(t, err)
+	defer release()
+	require.Equal(t, rpccp.Message_Which_bootstrap, rmsg.Which)
+	qid := rmsg.Bootstrap.QuestionID
+
+	// Write back return
+	outMsg, err := trans.NewMessage()
+	require.NoError(t, err, "trans.NewMessage()")
+	iptr := capnp.NewInterface(outMsg.Message().Segment(), 0)
+	require.NoError(t, pogs.Insert(rpccp.Message_TypeID, capnp.Struct(outMsg.Message()), &rpcMessage{
+		Which: rpccp.Message_Which_return,
+		Return: &rpcReturn{
+			AnswerID: qid,
+			Which:    rpccp.Return_Which_results,
+			Results: &rpcPayload{
+				Content: iptr.ToPtr(),
+				CapTable: []rpcCapDescriptor{
+					{
+						Which:        rpccp.CapDescriptor_Which_senderHosted,
+						SenderHosted: bootstrapExportID,
+					},
+				},
+			},
+		},
+	}))
+	require.NoError(t, outMsg.Send())
+
+	// Receive finish
+	rmsg, release, err = recvMessage(ctx, trans)
+	require.NoError(t, err)
+	defer release()
+	require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
+	require.Equal(t, qid, rmsg.Finish.QuestionID)
 }

From 68465afa1a76f921cb3e1f10554e33ffa8a3e4e3 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Wed, 28 Jun 2023 23:47:56 -0400
Subject: [PATCH 28/48] Implement TestVineUseCancelsHandoff

Fails currently; the exception returned is 'failed' rather than
'unimplemented', which suggests that it may not be being forwarded
correctly. Need to investigate further.

This also factors out a bunch of common logic into a helper function.
---
 rpc/3ph_test.go | 185 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 137 insertions(+), 48 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 370bb2bc..ddfca779 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -20,14 +20,38 @@ type rpcProvide struct {
 	Recipient  capnp.Ptr
 }
 
-func TestSendProvide(t *testing.T) {
+type introTestInfo struct {
+	Dq *deferred.Queue
+
+	Introducer struct {
+		Network *testnetwork.TestNetwork
+	}
+	Recipient struct {
+		Network *testnetwork.TestNetwork
+		Trans   rpc.Transport
+	}
+	Provider struct {
+		Network *testnetwork.TestNetwork
+		Trans   rpc.Transport
+	}
+
+	ProvideQID, CallQID uint32
+	VineID              uint32
+
+	EmptyFut testcapnp.EmptyProvider_getEmpty_Results_Future
+	CallFut  testcapnp.CapArgsTest_call_Results_Future
+}
+
+// introTest starts a three-party handoff, does some common checks, and then
+// hands of collected objects to callback for more checks.
+func introTest(t *testing.T, f func(info introTestInfo)) {
 	// Note: we do our deferring in this test via a deferred.Queue,
-	// so we can be sure that cancelling the context happens *first.*
+	// so we can be sure that canceling the context happens *first.*
 	// Otherwise, some of the things we defer can block until
 	// connection shutdown which won't happen until the context ends,
 	// causing this test to deadlock instead of failing with a useful
 	// error.
-	dq := deferred.Queue{}
+	dq := &deferred.Queue{}
 	defer dq.Run()
 	ctx, cancel := context.WithCancel(context.Background())
 	dq.Defer(cancel)
@@ -70,7 +94,7 @@ func TestSendProvide(t *testing.T) {
 	doBootstrap(t, bootstrapExportID, pTrans)
 	require.NoError(t, pBs.Resolve(ctx))
 
-	futEmpty, rel := testcapnp.EmptyProvider(pBs).GetEmpty(ctx, nil)
+	emptyFut, rel := testcapnp.EmptyProvider(pBs).GetEmpty(ctx, nil)
 	dq.Defer(rel)
 
 	emptyExportID := uint32(30)
@@ -118,9 +142,9 @@ func TestSendProvide(t *testing.T) {
 		require.Equal(t, qid, rmsg.Finish.QuestionID)
 	}
 
-	resEmpty, err := futEmpty.Struct()
+	emptyRes, err := emptyFut.Struct()
 	require.NoError(t, err)
-	empty := resEmpty.Empty()
+	empty := emptyRes.Empty()
 
 	callFut, rel := testcapnp.CapArgsTest(rBs).Call(ctx, func(p testcapnp.CapArgsTest_call_Params) error {
 		return p.SetCap(capnp.Client(empty))
@@ -146,7 +170,10 @@ func TestSendProvide(t *testing.T) {
 		)
 	}
 
-	var callQid uint32
+	var (
+		callQid uint32
+		vineID  uint32
+	)
 	{
 		// Read the call; should start off with a promise, record the ID:
 		rmsg, release, err := recvMessage(ctx, rTrans)
@@ -181,6 +208,7 @@ func TestSendProvide(t *testing.T) {
 		require.Equal(t, rpccp.Resolve_Which_cap, rmsg.Resolve.Which)
 		capDesc := rmsg.Resolve.Cap
 		require.Equal(t, rpccp.CapDescriptor_Which_thirdPartyHosted, capDesc.Which)
+		vineID = capDesc.ThirdPartyHosted.VineID
 		peerAndNonce := testnetwork.PeerAndNonce(capDesc.ThirdPartyHosted.ID.Struct())
 
 		require.Equal(t,
@@ -188,54 +216,115 @@ func TestSendProvide(t *testing.T) {
 			peerAndNonce.PeerId(),
 		)
 	}
-
-	{
-		// Return from the provide, and see that we get back a finish
-		require.NoError(t, sendMessage(ctx, pTrans, &rpcMessage{
-			Which: rpccp.Message_Which_return,
-			Return: &rpcReturn{
-				AnswerID: provideQid,
-				Which:    rpccp.Return_Which_results,
-				Results:  &rpcPayload{},
-			},
-		}))
-
-		rmsg, release, err := recvMessage(ctx, pTrans)
-		require.NoError(t, err)
-		dq.Defer(release)
-		require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
-		require.Equal(t, provideQid, rmsg.Finish.QuestionID)
-	}
-
-	{
-		// Return from the call, see that we get back a finish
-		require.NoError(t, sendMessage(ctx, rTrans, &rpcMessage{
-			Which: rpccp.Message_Which_return,
-			Return: &rpcReturn{
-				AnswerID: callQid,
-				Which:    rpccp.Return_Which_results,
-				Results:  &rpcPayload{},
-			},
-		}))
-
-		rmsg, release, err := recvMessage(ctx, rTrans)
-		require.NoError(t, err)
-		dq.Defer(release)
-		require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
-		require.Equal(t, callQid, rmsg.Finish.QuestionID)
+	info := introTestInfo{
+		Dq:         dq,
+		ProvideQID: provideQid,
+		CallQID:    callQid,
+		VineID:     vineID,
+		EmptyFut:   emptyFut,
+		CallFut:    callFut,
 	}
+	info.Introducer.Network = introducer
+	info.Recipient.Network = recipient
+	info.Recipient.Trans = rTrans
+	info.Provider.Network = provider
+	info.Provider.Trans = pTrans
+	f(info)
+}
 
-	{
-		// Wait for the result of the call:
-		_, err := callFut.Struct()
-		require.NoError(t, err)
-	}
+func TestSendProvide(t *testing.T) {
+	introTest(t, func(info introTestInfo) {
+		ctx := context.Background()
+		pTrans := info.Provider.Trans
+		rTrans := info.Recipient.Trans
+		dq := info.Dq
+
+		{
+			// Return from the provide, and see that we get back a finish
+			require.NoError(t, sendMessage(ctx, pTrans, &rpcMessage{
+				Which: rpccp.Message_Which_return,
+				Return: &rpcReturn{
+					AnswerID: info.ProvideQID,
+					Which:    rpccp.Return_Which_results,
+					Results:  &rpcPayload{},
+				},
+			}))
+
+			rmsg, release, err := recvMessage(ctx, pTrans)
+			require.NoError(t, err)
+			dq.Defer(release)
+			require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
+			require.Equal(t, info.ProvideQID, rmsg.Finish.QuestionID)
+		}
+
+		{
+			// Return from the call, see that we get back a finish
+			require.NoError(t, sendMessage(ctx, rTrans, &rpcMessage{
+				Which: rpccp.Message_Which_return,
+				Return: &rpcReturn{
+					AnswerID: info.CallQID,
+					Which:    rpccp.Return_Which_results,
+					Results:  &rpcPayload{},
+				},
+			}))
+
+			rmsg, release, err := recvMessage(ctx, rTrans)
+			require.NoError(t, err)
+			dq.Defer(release)
+			require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
+			require.Equal(t, info.CallQID, rmsg.Finish.QuestionID)
+		}
+
+		{
+			// Wait for the result of the call:
+			_, err := info.CallFut.Struct()
+			require.NoError(t, err)
+		}
+	})
 }
 
 // TestVineUseCancelsHandoff checks that using the vine causes the introducer to cancel the
 // handoff (by sending a finish for the provide).
 func TestVineUseCancelsHandoff(t *testing.T) {
-	t.Fatal("TODO")
+	introTest(t, func(info introTestInfo) {
+		ctx := context.Background()
+		dq := info.Dq
+		rTrans := info.Recipient.Trans
+		pTrans := info.Provider.Trans
+		vineCallQID := uint32(77)
+
+		{
+			// Send a call to the vine, expect an unimplemented response:
+			require.NoError(t, sendMessage(ctx, rTrans, &rpcMessage{
+				Which: rpccp.Message_Which_call,
+				Call: &rpcCall{
+					QuestionID: vineCallQID,
+					// Arbitrary:
+					InterfaceID: 0x0101,
+					MethodID:    0,
+					Params:      rpcPayload{},
+				},
+			}))
+			rmsg, release, err := recvMessage(ctx, rTrans)
+			require.NoError(t, err)
+			dq.Defer(release)
+
+			require.Equal(t, rpccp.Message_Which_return, rmsg.Which)
+			require.Equal(t, vineCallQID, rmsg.Return.AnswerID)
+			require.Equal(t, rpccp.Return_Which_exception, rmsg.Return.Which)
+			require.Equal(t, rpccp.Exception_Type_unimplemented, rmsg.Return.Exception.Type)
+		}
+
+		{
+			// Expect a finish message canceling the provide:
+			rmsg, release, err := recvMessage(ctx, pTrans)
+			require.NoError(t, err)
+			dq.Defer(release)
+
+			require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
+			require.Equal(t, rmsg.Finish.QuestionID, info.ProvideQID)
+		}
+	})
 }
 
 // TestVineDropCancelsHandoff checks that releasing the vine causes the introducer to cancel the

From 8a1e2f149da8b986eceb9bf22515dd5dbc98fdab Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 00:12:08 -0400
Subject: [PATCH 29/48] Add missing messagetarget to call

---
 rpc/3ph_test.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index ddfca779..9cb06214 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -298,6 +298,10 @@ func TestVineUseCancelsHandoff(t *testing.T) {
 			require.NoError(t, sendMessage(ctx, rTrans, &rpcMessage{
 				Which: rpccp.Message_Which_call,
 				Call: &rpcCall{
+					Target: rpcMessageTarget{
+						Which:       rpccp.MessageTarget_Which_importedCap,
+						ImportedCap: info.VineID,
+					},
 					QuestionID: vineCallQID,
 					// Arbitrary:
 					InterfaceID: 0x0101,

From 601d9b91f76f167acb6fd67a1f7dc1a2699cdbc8 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 00:31:58 -0400
Subject: [PATCH 30/48] Finish vine implementation.

This gets rid of a panic("TODO: ...").

The test still fails, but I know why.
---
 rpc/export.go |  2 +-
 rpc/vine.go   | 33 +++++++++------------------------
 2 files changed, 10 insertions(+), 25 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index 2d2b320f..be1898a7 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -175,7 +175,7 @@ func (c *lockedConn) send3PHPromise(
 		srcConn.withLocked(func(c *lockedConn) {
 			provideQ = c.newQuestion(capnp.Method{})
 			provideQ.flags |= isProvide
-			vine = newVine(srcConn, provideQ.id, srcSnapshot.AddRef())
+			vine = newVine(srcSnapshot.AddRef(), cancel)
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
 				provide, err := m.NewProvide()
 				if err != nil {
diff --git a/rpc/vine.go b/rpc/vine.go
index 9a761796..2472eb91 100644
--- a/rpc/vine.go
+++ b/rpc/vine.go
@@ -11,27 +11,24 @@ import (
 // ThirdPartyCapDescriptor.vineId. It forwards calls to an underlying
 // capnp.ClientSnapshot
 type vine struct {
-	used         bool
-	providerConn *Conn
-	provideID    questionID
-	snapshot     capnp.ClientSnapshot
+	snapshot      capnp.ClientSnapshot
+	cancelProvide context.CancelFunc
 }
 
-func newVine(c *Conn, qid questionID, snapshot capnp.ClientSnapshot) *vine {
+func newVine(snapshot capnp.ClientSnapshot, cancelProvide context.CancelFunc) *vine {
 	return &vine{
-		providerConn: c,
-		provideID:    qid,
-		snapshot:     snapshot,
+		snapshot:      snapshot,
+		cancelProvide: cancelProvide,
 	}
 }
 
 func (v *vine) Send(ctx context.Context, s capnp.Send) (*capnp.Answer, capnp.ReleaseFunc) {
-	v.markUsed()
+	v.cancelProvide()
 	return v.snapshot.Send(ctx, s)
 }
 
 func (v *vine) Recv(ctx context.Context, r capnp.Recv) capnp.PipelineCaller {
-	v.markUsed()
+	v.cancelProvide()
 	return v.snapshot.Recv(ctx, r)
 }
 
@@ -40,22 +37,10 @@ func (v *vine) Brand() capnp.Brand {
 }
 
 func (v *vine) Shutdown() {
+	v.cancelProvide()
 	v.snapshot.Release()
 }
 
 func (v *vine) String() string {
-	// TODO: include other fields?
-	return "&vine{snapshot: " + v.snapshot.String() + ", ...}"
-}
-
-func (v *vine) markUsed() {
-	if v.used {
-		return
-	}
-	v.used = true
-	go func() {
-		v.providerConn.withLocked(func(c *lockedConn) {
-			panic("TODO: send finish, manipulate tables...")
-		})
-	}()
+	return "&vine{snapshot: " + v.snapshot.String() + "}"
 }

From fbbf0f4a0b2f11a0001441f0dd69362bdeba6ec4 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 01:17:17 -0400
Subject: [PATCH 31/48] Get vine test working.

---
 rpc/3ph_test.go | 85 ++++++++++++++++++++++++++++---------------------
 1 file changed, 49 insertions(+), 36 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 9cb06214..141eab6f 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -35,8 +35,8 @@ type introTestInfo struct {
 		Trans   rpc.Transport
 	}
 
-	ProvideQID, CallQID uint32
-	VineID              uint32
+	ProvideQID, CallQID   uint32
+	VineID, EmptyExportID uint32
 
 	EmptyFut testcapnp.EmptyProvider_getEmpty_Results_Future
 	CallFut  testcapnp.CapArgsTest_call_Results_Future
@@ -217,12 +217,13 @@ func introTest(t *testing.T, f func(info introTestInfo)) {
 		)
 	}
 	info := introTestInfo{
-		Dq:         dq,
-		ProvideQID: provideQid,
-		CallQID:    callQid,
-		VineID:     vineID,
-		EmptyFut:   emptyFut,
-		CallFut:    callFut,
+		Dq:            dq,
+		ProvideQID:    provideQid,
+		CallQID:       callQid,
+		VineID:        vineID,
+		EmptyExportID: emptyExportID,
+		EmptyFut:      emptyFut,
+		CallFut:       callFut,
 	}
 	info.Introducer.Network = introducer
 	info.Recipient.Network = recipient
@@ -293,41 +294,53 @@ func TestVineUseCancelsHandoff(t *testing.T) {
 		pTrans := info.Provider.Trans
 		vineCallQID := uint32(77)
 
-		{
-			// Send a call to the vine, expect an unimplemented response:
-			require.NoError(t, sendMessage(ctx, rTrans, &rpcMessage{
-				Which: rpccp.Message_Which_call,
-				Call: &rpcCall{
-					Target: rpcMessageTarget{
-						Which:       rpccp.MessageTarget_Which_importedCap,
-						ImportedCap: info.VineID,
-					},
-					QuestionID: vineCallQID,
-					// Arbitrary:
-					InterfaceID: 0x0101,
-					MethodID:    0,
-					Params:      rpcPayload{},
+		// arbitrary values that we can look for
+		someInterfaceID := uint64(0x010102)
+		someMethodID := uint16(32)
+
+		// Send a call to the vine:
+		require.NoError(t, sendMessage(ctx, rTrans, &rpcMessage{
+			Which: rpccp.Message_Which_call,
+			Call: &rpcCall{
+				Target: rpcMessageTarget{
+					Which:       rpccp.MessageTarget_Which_importedCap,
+					ImportedCap: info.VineID,
 				},
-			}))
-			rmsg, release, err := recvMessage(ctx, rTrans)
-			require.NoError(t, err)
-			dq.Defer(release)
-
-			require.Equal(t, rpccp.Message_Which_return, rmsg.Which)
-			require.Equal(t, vineCallQID, rmsg.Return.AnswerID)
-			require.Equal(t, rpccp.Return_Which_exception, rmsg.Return.Which)
-			require.Equal(t, rpccp.Exception_Type_unimplemented, rmsg.Return.Exception.Type)
-		}
+				QuestionID: vineCallQID,
+				// Arbitrary:
+				InterfaceID: someInterfaceID,
+				MethodID:    someMethodID,
+				Params:      rpcPayload{},
+			},
+		}))
 
-		{
-			// Expect a finish message canceling the provide:
+		// Now we expect to see the call come through to the provider, and also
+		// a finish message for the provide. These can happen in either order:
+		var sawFinish, sawCall bool
+		for i := 0; i < 2; i++ {
 			rmsg, release, err := recvMessage(ctx, pTrans)
 			require.NoError(t, err)
 			dq.Defer(release)
 
-			require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
-			require.Equal(t, rmsg.Finish.QuestionID, info.ProvideQID)
+			switch rmsg.Which {
+			case rpccp.Message_Which_call:
+				sawCall = true
+				require.Equal(t, rpcMessageTarget{
+					Which:       rpccp.MessageTarget_Which_importedCap,
+					ImportedCap: info.EmptyExportID,
+				}, rmsg.Call.Target)
+				require.Equal(t, someInterfaceID, rmsg.Call.InterfaceID)
+				require.Equal(t, someMethodID, rmsg.Call.MethodID)
+			case rpccp.Message_Which_finish:
+				sawFinish = true
+				require.Equal(t, rmsg.Finish.QuestionID, info.ProvideQID)
+			default:
+				t.Fatalf("Unexpected message type: %v", rmsg.Which)
+			}
 		}
+
+		require.True(t, sawFinish, "saw finish message")
+		require.True(t, sawCall, "saw call message")
 	})
 }
 

From f524899878ec40201b33fd89192fe6e14ca42254 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 01:27:48 -0400
Subject: [PATCH 32/48] Add some comments to tests

---
 rpc/3ph_test.go | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 141eab6f..fccb18e5 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -20,9 +20,13 @@ type rpcProvide struct {
 	Recipient  capnp.Ptr
 }
 
+// introTestInfo is information collected by introTest; see the comments there.
 type introTestInfo struct {
+	// Run at the end of the test:
 	Dq *deferred.Queue
 
+	// Networks and (except for the introducer itself) transports connected to
+	// the introducer for each of the peers in our network:
 	Introducer struct {
 		Network *testnetwork.TestNetwork
 	}
@@ -35,15 +39,33 @@ type introTestInfo struct {
 		Trans   rpc.Transport
 	}
 
-	ProvideQID, CallQID   uint32
-	VineID, EmptyExportID uint32
+	// question id for the provide message
+	ProvideQID uint32
+	// question id for the call to CapArgsTest.call()
+	CallQID uint32
+	// export id for the vine
+	VineID uint32
+	// export id for the cap returned from EmptyProvider.getEmpty()
+	EmptyExportID uint32
 
+	// Futures for the results of the two calls made.
 	EmptyFut testcapnp.EmptyProvider_getEmpty_Results_Future
 	CallFut  testcapnp.CapArgsTest_call_Results_Future
 }
 
 // introTest starts a three-party handoff, does some common checks, and then
-// hands of collected objects to callback for more checks.
+// hands of collected objects to callback for more checks. In particular,
+// introTest:
+//
+// - Creates three connected Networks, for introducer, provider and recipient
+// - Via the introducer, gets the bootstrap of each other peer.
+//   - The recipient's bootstrap is a testcapnp.CallArgsTest.
+//   - The provider's bootstrap is a testcapnp.EmptyProvider.
+// - Calls getEmpty() on the provider's bootstrap, and then passes the
+//   returned capability to the recipient's bootstrap's call() method.
+// - Verifies that the expected messages for all of the above are sent
+//   via the provdier's and recipient's transports.
+// - Invokes f(), passing along some information collected along the way.
 func introTest(t *testing.T, f func(info introTestInfo)) {
 	// Note: we do our deferring in this test via a deferred.Queue,
 	// so we can be sure that canceling the context happens *first.*
@@ -51,6 +73,9 @@ func introTest(t *testing.T, f func(info introTestInfo)) {
 	// connection shutdown which won't happen until the context ends,
 	// causing this test to deadlock instead of failing with a useful
 	// error.
+	//
+	// Mainly the issue is ReleaseFuncs; TODO: once #534 is fixed,
+	// consider simplifying.
 	dq := &deferred.Queue{}
 	defer dq.Run()
 	ctx, cancel := context.WithCancel(context.Background())
@@ -233,6 +258,8 @@ func introTest(t *testing.T, f func(info introTestInfo)) {
 	f(info)
 }
 
+// TestSendProvide tests the basics of triggering a provide message; this includes what
+// introTest checks, plus the behavior when sending a return for a provide.
 func TestSendProvide(t *testing.T) {
 	introTest(t, func(info introTestInfo) {
 		ctx := context.Background()

From a71bc431dc8ca157c283840cd5afa1bff4ad0e71 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 01:33:32 -0400
Subject: [PATCH 33/48] Implement other vine test.

Passes!
---
 rpc/3ph_test.go | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index fccb18e5..80585dff 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -374,7 +374,29 @@ func TestVineUseCancelsHandoff(t *testing.T) {
 // TestVineDropCancelsHandoff checks that releasing the vine causes the introducer to cancel the
 // handoff
 func TestVineDropCancelsHandoff(t *testing.T) {
-	t.Fatal("TODO")
+	introTest(t, func(info introTestInfo) {
+		ctx := context.Background()
+		rTrans := info.Recipient.Trans
+		pTrans := info.Provider.Trans
+
+		// Send a release message for the vine:
+		require.NoError(t, sendMessage(ctx, rTrans, &rpcMessage{
+			Which: rpccp.Message_Which_release,
+			Release: &rpcRelease{
+				ID:             info.VineID,
+				ReferenceCount: 1,
+			},
+		}))
+
+		// Expect a finish for the provide:
+		{
+			rmsg, release, err := recvMessage(ctx, pTrans)
+			require.NoError(t, err)
+			info.Dq.Defer(release)
+			require.Equal(t, rpccp.Message_Which_finish, rmsg.Which)
+			require.Equal(t, info.ProvideQID, rmsg.Finish.QuestionID)
+		}
+	})
 }
 
 // Helper that receives and replies to a bootstrap message on trans, returning a SenderHosted

From 837cb16f0bf55603547b4e80d4875489d63d999e Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 01:46:25 -0400
Subject: [PATCH 34/48] 3PH: correctly handle sending resolves for dropped
 promises.

That is, don't, and clean up.

For good measure, move the snapshot.Release() out of the critical
section, as I'm not sure this is valid.
---
 rpc/export.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index be1898a7..240c348e 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -210,8 +210,10 @@ func (c *lockedConn) send3PHPromise(
 		)
 		c.withLocked(func(c *lockedConn) {
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
-				if c.lk.exports[promiseID] != ee {
-					panic("TODO: at some point the receiver lost interest in the cap")
+				if len(c.lk.exports) <= promiseID || c.lk.exports[promiseID] != ee {
+					// At some point the receiver lost interest in the cap.
+					// Return an error to indicate we didn't send the resolve:
+					return errReceiverLostInterest
 				}
 				resolve, err := m.NewResolve()
 				if err != nil {
@@ -250,10 +252,11 @@ func (c *lockedConn) send3PHPromise(
 				if vineEntry == nil {
 					vine.Shutdown()
 				} else {
+					var snapshot capnp.Clientsnapshot
 					unlockedConn.withLocked(func(c *lockedConn) {
-						snapshot, _ := c.releaseExport(vineID, 1)
-						snapshot.Release()
+						snapshot, _ = c.releaseExport(vineID, 1)
 					})
+					snapshot.Release()
 				}
 			})
 		})
@@ -261,6 +264,8 @@ func (c *lockedConn) send3PHPromise(
 	return promiseID
 }
 
+var errReceiverLostInterest = errors.New("receiver lost interest in the resolution")
+
 // sendCap writes a capability descriptor, returning an export ID if
 // this vat is hosting the capability. Steals the snapshot.
 func (c *lockedConn) sendCap(d rpccp.CapDescriptor, snapshot capnp.ClientSnapshot) (_ exportID, isExport bool, _ error) {

From dbe07b03aead4319b96a150069ebab6a9ed5918b Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 01:58:54 -0400
Subject: [PATCH 35/48] AcceptIntroduced: SHOULD -> MUST

---
 rpc/network.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpc/network.go b/rpc/network.go
index 6a82bde3..be015cea 100644
--- a/rpc/network.go
+++ b/rpc/network.go
@@ -92,6 +92,6 @@ type Network interface {
 	// introducedBy, wait for the recipient to connect, and
 	// return the connection formed. If there is already an
 	// established connection to the relevant Peer, this
-	// SHOULD return the existing connection immediately.
+	// MUST return the existing connection immediately.
 	AcceptIntroduced(recipientID RecipientID, introducedBy *Conn) (*Conn, error)
 }

From 6816d38f5ee303dee919cb6e7eb53b41b4194912 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 16:36:51 -0400
Subject: [PATCH 36/48] Fix build errors

...did I really not run the tests after this?
---
 rpc/export.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index 240c348e..cb603f05 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -210,7 +210,7 @@ func (c *lockedConn) send3PHPromise(
 		)
 		c.withLocked(func(c *lockedConn) {
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
-				if len(c.lk.exports) <= promiseID || c.lk.exports[promiseID] != ee {
+				if len(c.lk.exports) <= int(promiseID) || c.lk.exports[promiseID] != ee {
 					// At some point the receiver lost interest in the cap.
 					// Return an error to indicate we didn't send the resolve:
 					return errReceiverLostInterest
@@ -252,7 +252,7 @@ func (c *lockedConn) send3PHPromise(
 				if vineEntry == nil {
 					vine.Shutdown()
 				} else {
-					var snapshot capnp.Clientsnapshot
+					var snapshot capnp.ClientSnapshot
 					unlockedConn.withLocked(func(c *lockedConn) {
 						snapshot, _ = c.releaseExport(vineID, 1)
 					})

From 24b569a81f094f3e876af77fb644c927bc333fb0 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 16:58:26 -0400
Subject: [PATCH 37/48] Add a test for 3ph disembargos, and fix some issues.

Still fails because of the obvious panic("TODO..."), but caught a couple
unrelated bugs.
---
 rpc/3ph_test.go | 49 ++++++++++++++++++++++++++++++++++++++++++++++---
 rpc/export.go   |  5 +++++
 rpc/rpc.go      |  2 +-
 3 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 80585dff..2e8bd2ee 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -43,6 +43,8 @@ type introTestInfo struct {
 	ProvideQID uint32
 	// question id for the call to CapArgsTest.call()
 	CallQID uint32
+	// export id for the promise which resolves to the third party cap
+	PromiseID uint32
 	// export id for the vine
 	VineID uint32
 	// export id for the cap returned from EmptyProvider.getEmpty()
@@ -196,8 +198,9 @@ func introTest(t *testing.T, f func(info introTestInfo)) {
 	}
 
 	var (
-		callQid uint32
-		vineID  uint32
+		callQid         uint32
+		vineID          uint32
+		promiseExportID uint32
 	)
 	{
 		// Read the call; should start off with a promise, record the ID:
@@ -222,7 +225,7 @@ func introTest(t *testing.T, f func(info introTestInfo)) {
 		require.Equal(t, 1, len(call.Params.CapTable))
 		desc := call.Params.CapTable[0]
 		require.Equal(t, rpccp.CapDescriptor_Which_senderPromise, desc.Which)
-		promiseExportID := desc.SenderPromise
+		promiseExportID = desc.SenderPromise
 
 		// Read the resolve for that promise, which should point to a third party cap:
 		rmsg, release, err = recvMessage(ctx, rTrans)
@@ -245,6 +248,7 @@ func introTest(t *testing.T, f func(info introTestInfo)) {
 		Dq:            dq,
 		ProvideQID:    provideQid,
 		CallQID:       callQid,
+		PromiseID:     promiseExportID,
 		VineID:        vineID,
 		EmptyExportID: emptyExportID,
 		EmptyFut:      emptyFut,
@@ -399,6 +403,45 @@ func TestVineDropCancelsHandoff(t *testing.T) {
 	})
 }
 
+// Checks that a third party disembargo is propogated correctly.
+func TestDisembargoThirdPartyCap(t *testing.T) {
+	introTest(t, func(info introTestInfo) {
+		ctx := context.Background()
+		rTrans := info.Recipient.Trans
+		pTrans := info.Provider.Trans
+
+		require.NoError(t, sendMessage(ctx, rTrans, &rpcMessage{
+			Which: rpccp.Message_Which_disembargo,
+			Disembargo: &rpcDisembargo{
+				Target: rpcMessageTarget{
+					Which:       rpccp.MessageTarget_Which_importedCap,
+					ImportedCap: info.PromiseID,
+				},
+				Context: rpcDisembargoContext{
+					Which: rpccp.Disembargo_context_Which_accept,
+				},
+			},
+		}))
+
+		rmsg, release, err := recvMessage(ctx, pTrans)
+		require.NoError(t, err)
+		info.Dq.Defer(release)
+
+		require.Equal(t, rpccp.Message_Which_disembargo, rmsg.Which)
+		require.Equal(t, info.ProvideQID, rmsg.Disembargo.Target.Which)
+		require.Equal(t, info.ProvideQID, rmsg.Disembargo.Target.PromisedAnswer.QuestionID)
+		require.Equal(t, 0, len(rmsg.Disembargo.Target.PromisedAnswer.Transform))
+
+		require.Equal(t,
+			rpcDisembargoContext{
+				Which:   rpccp.Disembargo_context_Which_provide,
+				Provide: info.ProvideQID,
+			},
+			rmsg.Disembargo.Context,
+		)
+	})
+}
+
 // Helper that receives and replies to a bootstrap message on trans, returning a SenderHosted
 // capability with the given export ID.
 func doBootstrap(t *testing.T, bootstrapExportID uint32, trans rpc.Transport) {
diff --git a/rpc/export.go b/rpc/export.go
index cb603f05..f8f5432c 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -215,6 +215,11 @@ func (c *lockedConn) send3PHPromise(
 					// Return an error to indicate we didn't send the resolve:
 					return errReceiverLostInterest
 				}
+				// We have to set this before sending the provide, so we're ready
+				// for a disembargo. It's okay to wait up until now though, since
+				// the receiver shouldn't send one until it sees the resolution:
+				c.lk.exports[promiseID].provide = maybe.New(provideQ)
+
 				resolve, err := m.NewResolve()
 				if err != nil {
 					return err
diff --git a/rpc/rpc.go b/rpc/rpc.go
index a4f1858a..586fd412 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -1733,7 +1733,7 @@ func (c *Conn) handleDisembargo(ctx context.Context, in transport.IncomingMessag
 			return err
 		}
 		return withLockedConn1(q.c, func(c *lockedConn) error {
-			if !q.flags.Contains(provideDisembargoSent) {
+			if q.flags.Contains(provideDisembargoSent) {
 				return errors.New("disembargo already sent to export #" + str.Utod(id))
 			}
 			q.flags |= provideDisembargoSent

From 81901e0dda8f742e808f0969f0142cc176c1dce6 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 23:28:12 -0400
Subject: [PATCH 38/48] Fix bitrot re: releaseExport signature

---
 rpc/export.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index cdb37189..1804b4b4 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -246,11 +246,11 @@ func (c *lockedConn) send3PHPromise(
 				if vineEntry == nil {
 					vine.Shutdown()
 				} else {
-					var snapshot capnp.ClientSnapshot
+					dq := &deferred.Queue{}
+					defer dq.Run()
 					unlockedConn.withLocked(func(c *lockedConn) {
-						snapshot, _ = c.releaseExport(vineID, 1)
+						c.releaseExport(dq, vineID, 1)
 					})
-					snapshot.Release()
 				}
 			})
 		})

From e18f75c4c26d1754608b54e9839a6970dafa946c Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 23:39:28 -0400
Subject: [PATCH 39/48] Fill in message target in provide disembargo.

---
 rpc/export.go | 36 ++++++++++++++++++++++++++++++------
 rpc/rpc.go    | 26 +++++++++++++++-----------
 2 files changed, 45 insertions(+), 17 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index 1804b4b4..0817aca5 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -25,10 +25,29 @@ type expent struct {
 	cancel context.CancelFunc
 
 	// If present, this export is a promise which resolved to some third
-	// party capability, and the question corresponds to the provide message.
-	// Note that this means the question will belong to a different connection
-	// from the expent.
-	provide maybe.Maybe[*question]
+	// party capability, and this corresponds to the provide message.
+	provide maybe.Maybe[expentProvideInfo]
+}
+
+type expentProvideInfo struct {
+	// The question corresponding to the provide. Note that the question
+	// will belong to a different connection from the expent.
+	q *question
+
+	// The original MessageTarget in the provide message
+	target parsedMessageTarget
+
+	// A snapshot for the original target of the provide message.
+	// This is to keep it alive so that our target field remains
+	// correct.
+	snapshot capnp.ClientSnapshot
+}
+
+func (e *expent) Release() {
+	e.snapshot.Release()
+	if pinfo, ok := e.provide.Get(); ok {
+		pinfo.snapshot.Release()
+	}
 }
 
 // A key for use in a client's Metadata, whose value is the export
@@ -84,7 +103,7 @@ func (c *lockedConn) releaseExport(dq *deferred.Queue, id exportID, count uint32
 				c.clearExportID(metadata)
 			})
 		}
-		dq.Defer(snapshot.Release)
+		dq.Defer(ent.Release)
 		return nil
 	case count > ent.wireRefs:
 		return rpcerr.Failed(errors.New("export ID " + str.Utod(id) + " released too many references"))
@@ -198,6 +217,7 @@ func (c *lockedConn) send3PHPromise(
 			vineEntry *expent
 		)
 		c.withLocked(func(c *lockedConn) {
+			targetSnapshot := srcSnapshot.AddRef()
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
 				if len(c.lk.exports) <= int(promiseID) || c.lk.exports[promiseID] != ee {
 					// At some point the receiver lost interest in the cap.
@@ -207,7 +227,11 @@ func (c *lockedConn) send3PHPromise(
 				// We have to set this before sending the provide, so we're ready
 				// for a disembargo. It's okay to wait up until now though, since
 				// the receiver shouldn't send one until it sees the resolution:
-				c.lk.exports[promiseID].provide = maybe.New(provideQ)
+				c.lk.exports[promiseID].provide = maybe.New(expentProvideInfo{
+					q:        provideQ,
+					target:   target,
+					snapshot: targetSnapshot,
+				})
 
 				resolve, err := m.NewResolve()
 				if err != nil {
diff --git a/rpc/rpc.go b/rpc/rpc.go
index 7897a475..663e790a 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -463,7 +463,7 @@ func (c *lockedConn) releaseExports(dq *deferred.Queue, exports []*expent) {
 					c.clearExportID(metadata)
 				})
 			}
-			dq.Defer(e.snapshot.Release)
+			dq.Defer(e.Release)
 		}
 	}
 }
@@ -1718,31 +1718,35 @@ func (c *Conn) handleDisembargo(ctx context.Context, in transport.IncomingMessag
 			return errors.New("incoming disembargo: answer target is not valid for context.accept")
 		}
 		id := tgt.importedCap
-		q, err := withLockedConn2(c, func(c *lockedConn) (*question, error) {
+		pinfo, err := withLockedConn2(c, func(c *lockedConn) (expentProvideInfo, error) {
 			if int(id) >= len(c.lk.exports) || c.lk.exports == nil {
-				return nil, errors.New("no such export: " + str.Utod(id))
+				return expentProvideInfo{}, errors.New("no such export: " + str.Utod(id))
 			}
-			q, ok := c.lk.exports[id].provide.Get()
+			pinfo, ok := c.lk.exports[id].provide.Get()
 			if !ok {
-				return nil, errors.New("export #" + str.Utod(id) + " does not resolve to a third party capability")
+				return expentProvideInfo{}, errors.New("export #" + str.Utod(id) + " does not resolve to a third party capability")
 			}
-			return q, nil
+			return pinfo, nil
 		})
 		if err != nil {
 			return err
 		}
-		return withLockedConn1(q.c, func(c *lockedConn) error {
-			if q.flags.Contains(provideDisembargoSent) {
+		return withLockedConn1(pinfo.q.c, func(c *lockedConn) error {
+			if pinfo.q.flags.Contains(provideDisembargoSent) {
 				return errors.New("disembargo already sent to export #" + str.Utod(id))
 			}
-			q.flags |= provideDisembargoSent
+			pinfo.q.flags |= provideDisembargoSent
 			c.sendMessage(c.bgctx, func(m rpccp.Message) error {
 				d, err := m.NewDisembargo()
 				if err != nil {
 					return err
 				}
-				d.Context().SetProvide(uint32(q.id))
-				panic("TODO: target")
+				d.Context().SetProvide(uint32(pinfo.q.id))
+				tgt, err := d.NewTarget()
+				if err != nil {
+					return err
+				}
+				return pinfo.target.Encode(tgt)
 			}, func(err error) {
 				panic("TODO")
 			})

From 43c0722b72fef1731e4e71bf7352e16a42b25918 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Thu, 29 Jun 2023 23:46:17 -0400
Subject: [PATCH 40/48] Fix 3ph disembargo test

---
 rpc/3ph_test.go | 5 ++---
 rpc/rpc.go      | 5 ++++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index 2e8bd2ee..d7cf5d9c 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -428,9 +428,8 @@ func TestDisembargoThirdPartyCap(t *testing.T) {
 		info.Dq.Defer(release)
 
 		require.Equal(t, rpccp.Message_Which_disembargo, rmsg.Which)
-		require.Equal(t, info.ProvideQID, rmsg.Disembargo.Target.Which)
-		require.Equal(t, info.ProvideQID, rmsg.Disembargo.Target.PromisedAnswer.QuestionID)
-		require.Equal(t, 0, len(rmsg.Disembargo.Target.PromisedAnswer.Transform))
+		require.Equal(t, rpccp.MessageTarget_Which_importedCap, rmsg.Disembargo.Target.Which)
+		require.Equal(t, info.EmptyExportID, rmsg.Disembargo.Target.ImportedCap)
 
 		require.Equal(t,
 			rpcDisembargoContext{
diff --git a/rpc/rpc.go b/rpc/rpc.go
index 663e790a..09dc88a0 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -1748,7 +1748,10 @@ func (c *Conn) handleDisembargo(ctx context.Context, in transport.IncomingMessag
 				}
 				return pinfo.target.Encode(tgt)
 			}, func(err error) {
-				panic("TODO")
+				if err != nil {
+					// TODO: what should we do here? abort the connection, probably.
+					panic("TODO")
+				}
 			})
 			return nil
 		})

From 1067d0ea3cd4f199f4534b8ab13a673cdc742a63 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 30 Jun 2023 14:48:35 -0400
Subject: [PATCH 41/48] Replace ErrorReporter with a structured logging
 interface.

The new interface:

- Has levels (debug, info, warn, error)
- Accepts arguments for structured logging

Per the comments, the interface is designed to be used with
*slog.Logger, though other implementations are possible (and we already
use one in test).
---
 rpc/bench_test.go         |  4 +-
 rpc/errors.go             |  6 +--
 rpc/level0_test.go        | 79 +++++++++++++++++++++++++++------------
 rpc/level1_test.go        |  6 +--
 rpc/rpc.go                | 26 +++++++++----
 rpc/senderpromise_test.go | 10 ++---
 6 files changed, 87 insertions(+), 44 deletions(-)

diff --git a/rpc/bench_test.go b/rpc/bench_test.go
index 8db08ae6..f9338167 100644
--- a/rpc/bench_test.go
+++ b/rpc/bench_test.go
@@ -76,7 +76,7 @@ func BenchmarkPingPong(b *testing.B) {
 	p1, p2 := net.Pipe()
 	srv := testcp.PingPong_ServerToClient(pingPongServer{})
 	conn1 := rpc.NewConn(rpc.NewStreamTransport(p2), &rpc.Options{
-		ErrorReporter:   testErrorReporter{tb: b},
+		Logger:          testErrorReporter{tb: b},
 		BootstrapClient: capnp.Client(srv),
 	})
 	defer func() {
@@ -86,7 +86,7 @@ func BenchmarkPingPong(b *testing.B) {
 		}
 	}()
 	conn2 := rpc.NewConn(rpc.NewStreamTransport(p1), &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: b},
+		Logger: testErrorReporter{tb: b},
 	})
 	defer func() {
 		if err := conn2.Close(); err != nil {
diff --git a/rpc/errors.go b/rpc/errors.go
index 08941151..679aecff 100644
--- a/rpc/errors.go
+++ b/rpc/errors.go
@@ -19,11 +19,11 @@ var (
 )
 
 type errReporter struct {
-	ErrorReporter
+	Logger
 }
 
 func (er errReporter) ReportError(err error) {
-	if er.ErrorReporter != nil && err != nil {
-		er.ErrorReporter.ReportError(err)
+	if er.Logger != nil && err != nil {
+		er.Logger.Error(err.Error())
 	}
 }
diff --git a/rpc/level0_test.go b/rpc/level0_test.go
index 6817deca..7d761b34 100644
--- a/rpc/level0_test.go
+++ b/rpc/level0_test.go
@@ -72,7 +72,7 @@ func TestSendAbort(t *testing.T) {
 		defer p2.Close()
 
 		conn := rpc.NewConn(p1, &rpc.Options{
-			ErrorReporter: testErrorReporter{tb: t, fail: true},
+			Logger: testErrorReporter{tb: t, fail: true},
 			// Give it plenty of time to actually send the message;
 			// otherwise we might time out and close the connection first.
 			// "plenty of time" here really means defer to the test suite's
@@ -118,7 +118,7 @@ func TestSendAbort(t *testing.T) {
 		p1, p2 := net.Pipe()
 		defer p2.Close()
 		conn := rpc.NewConn(transport.NewStream(p1), &rpc.Options{
-			ErrorReporter: testErrorReporter{tb: t, fail: true},
+			Logger: testErrorReporter{tb: t, fail: true},
 		})
 
 		// Should have a timeout.
@@ -140,7 +140,7 @@ func TestRecvAbort(t *testing.T) {
 	defer p2.Close()
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 
 	select {
@@ -196,7 +196,7 @@ func TestSendBootstrapError(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 
@@ -288,7 +288,7 @@ func TestSendBootstrapCall(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 
@@ -499,7 +499,7 @@ func TestSendBootstrapCallException(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 
@@ -676,7 +676,7 @@ func TestSendBootstrapPipelineCall(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 
@@ -877,7 +877,7 @@ func TestRecvBootstrapError(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 	ctx := context.Background()
@@ -954,7 +954,7 @@ func TestRecvBootstrapCall(t *testing.T) {
 
 	conn := rpc.NewConn(p1, &rpc.Options{
 		BootstrapClient: srv,
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 	})
 	defer func() {
 		finishTest(t, conn, p2)
@@ -1108,7 +1108,7 @@ func TestRecvBootstrapCallException(t *testing.T) {
 
 	conn := rpc.NewConn(p1, &rpc.Options{
 		BootstrapClient: srv,
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 
@@ -1265,7 +1265,7 @@ func TestRecvBootstrapPipelineCall(t *testing.T) {
 
 	conn := rpc.NewConn(p1, &rpc.Options{
 		BootstrapClient: srv,
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 	})
 	defer func() {
 		finishTest(t, conn, p2)
@@ -1372,12 +1372,12 @@ func TestDuplicateBootstrap(t *testing.T) {
 
 	srvConn := rpc.NewConn(p1, &rpc.Options{
 		BootstrapClient: srv,
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 	})
 	defer srvConn.Close()
 
 	clientConn := rpc.NewConn(p2, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	defer clientConn.Close()
 
@@ -1411,12 +1411,12 @@ func TestUseConnAfterBootstrapError(t *testing.T) {
 
 	srvConn := rpc.NewConn(p1, &rpc.Options{
 		BootstrapClient: srv,
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 	})
 	defer srvConn.Close()
 
 	clientConn := rpc.NewConn(p2, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	defer clientConn.Close()
 
@@ -1461,7 +1461,7 @@ func TestCallOnClosedConn(t *testing.T) {
 
 	defer p2.Close()
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	closed := false
 	defer func() {
@@ -1606,7 +1606,7 @@ func TestRecvCancel(t *testing.T) {
 	defer p2.Close()
 	conn := rpc.NewConn(p1, &rpc.Options{
 		BootstrapClient: srv,
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 	})
 	closed := false
 	defer func() {
@@ -1750,7 +1750,7 @@ func TestSendCancel(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 	ctx := context.Background()
@@ -2247,15 +2247,48 @@ func canceledContext(parent context.Context) context.Context {
 
 type testErrorReporter struct {
 	tb interface {
-		Log(...any)
+		Logf(string, ...any)
 		Fail()
 	}
 	fail bool
 }
 
-func (r testErrorReporter) ReportError(e error) {
-	r.tb.Log("conn error:", e)
-	if r.fail {
-		r.tb.Fail()
+func mkArgsMap(args []any) map[string]any {
+	if len(args)%2 != 0 {
+		panic("odd number of arguments passed to logging method")
 	}
+	ret := make(map[string]any, len(args)/2)
+	for i := 0; i < len(args); i += 2 {
+		k := args[i].(string)
+		v := args[i+1]
+		ret[k] = v
+	}
+	return ret
+}
+
+func (t testErrorReporter) log(level string, msg string, args ...any) {
+	t.tb.Logf("log level %v: %v (args: %v)", level, msg, mkArgsMap(args))
+}
+
+func (t testErrorReporter) Debug(msg string, args ...any) {
+	t.log("debug", msg, args...)
+}
+
+func (t testErrorReporter) Info(msg string, args ...any) {
+	t.log("info", msg, args...)
+}
+
+func (t testErrorReporter) Warn(msg string, args ...any) {
+	t.log("warn", msg, args...)
+}
+
+func (t testErrorReporter) Error(msg string, args ...any) {
+	t.log("error", msg, args...)
+	if t.fail {
+		t.tb.Fail()
+	}
+}
+
+func (t testErrorReporter) ReportError(e error) {
+	t.Error(e.Error())
 }
diff --git a/rpc/level1_test.go b/rpc/level1_test.go
index f27d366d..be0702b8 100644
--- a/rpc/level1_test.go
+++ b/rpc/level1_test.go
@@ -34,7 +34,7 @@ func testSendDisembargo(t *testing.T, sendPrimeTo rpccp.Call_sendResultsTo_Which
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter: testErrorReporter{tb: t},
+		Logger: testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 	ctx := context.Background()
@@ -512,7 +512,7 @@ func TestRecvDisembargo(t *testing.T) {
 
 	conn := rpc.NewConn(p1, &rpc.Options{
 		BootstrapClient: srv,
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 	ctx := context.Background()
@@ -816,7 +816,7 @@ func TestIssue3(t *testing.T) {
 
 	conn := rpc.NewConn(p1, &rpc.Options{
 		BootstrapClient: srv,
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 	})
 	defer finishTest(t, conn, p2)
 	ctx := context.Background()
diff --git a/rpc/rpc.go b/rpc/rpc.go
index 8aeec41e..ea214959 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -181,9 +181,9 @@ type Options struct {
 	// closed.
 	BootstrapClient capnp.Client
 
-	// ErrorReporter will be called upon when errors occur while the Conn
-	// is receiving messages from the remote vat.
-	ErrorReporter ErrorReporter
+	// Logger is used for logging by the RPC system, including errors that
+	// occur while the Conn is receiving messages from the remote vat.
+	Logger Logger
 
 	// AbortTimeout specifies how long to block on sending an abort message
 	// before closing the transport.  If zero, then a reasonably short
@@ -203,10 +203,20 @@ type Options struct {
 	Network Network
 }
 
-// ErrorReporter can receive errors from a Conn.  ReportError should be quick
-// to return and should not use the Conn that it is attached to.
-type ErrorReporter interface {
-	ReportError(error)
+// Logger is used for logging by the RPC system. Each method logs
+// messages at a different level, but otherwise has the same semantics:
+//
+// - Message is a human-readable description of the log event.
+// - Args is a sequenece of key, value pairs, where the keys must be strings
+//   and the values may be any type.
+// - The methods may not block for long periods of time.
+//
+// This interface is designed such that it is satisfied by *slog.Logger.
+type Logger interface {
+	Debug(message string, args ...any)
+	Info(message string, args ...any)
+	Warn(message string, args ...any)
+	Error(message string, args ...any)
 }
 
 // NewConn creates a new connection that communicates on a given transport.
@@ -233,7 +243,7 @@ func NewConn(t Transport, opts *Options) *Conn {
 
 	if opts != nil {
 		c.bootstrap = opts.BootstrapClient
-		c.er = errReporter{opts.ErrorReporter}
+		c.er = errReporter{opts.Logger}
 		c.abortTimeout = opts.AbortTimeout
 		c.network = opts.Network
 		c.remotePeerID = opts.RemotePeerID
diff --git a/rpc/senderpromise_test.go b/rpc/senderpromise_test.go
index aa4174be..9de46698 100644
--- a/rpc/senderpromise_test.go
+++ b/rpc/senderpromise_test.go
@@ -24,7 +24,7 @@ func TestSenderPromiseFulfill(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 		BootstrapClient: capnp.Client(p),
 	})
 	defer finishTest(t, conn, p2)
@@ -87,7 +87,7 @@ func TestResolveUnimplementedDrop(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 		BootstrapClient: capnp.Client(provider),
 	})
 	defer finishTest(t, conn, p2)
@@ -228,7 +228,7 @@ func TestDisembargoSenderPromise(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	conn := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 		BootstrapClient: capnp.Client(p),
 	})
 	defer finishTest(t, conn, p2)
@@ -364,14 +364,14 @@ func TestPromiseOrdering(t *testing.T) {
 	p1, p2 := rpc.NewTransport(left), rpc.NewTransport(right)
 
 	c1 := rpc.NewConn(p1, &rpc.Options{
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 		BootstrapClient: capnp.Client(p),
 	})
 	ord := &echoNumOrderChecker{
 		t: t,
 	}
 	c2 := rpc.NewConn(p2, &rpc.Options{
-		ErrorReporter:   testErrorReporter{tb: t},
+		Logger:          testErrorReporter{tb: t},
 		BootstrapClient: capnp.Client(testcapnp.PingPong_ServerToClient(ord)),
 	})
 

From 9e8acf5cd97e30fc29ba6f0462d883128a2aa2cb Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 30 Jun 2023 14:59:36 -0400
Subject: [PATCH 42/48] errReporter: no-op if Logger is nil.

---
 rpc/errors.go | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/rpc/errors.go b/rpc/errors.go
index 679aecff..457fc33b 100644
--- a/rpc/errors.go
+++ b/rpc/errors.go
@@ -19,11 +19,35 @@ var (
 )
 
 type errReporter struct {
-	Logger
+	Logger Logger
+}
+
+func (er errReporter) Debug(msg string, args ...any) {
+	if er.Logger != nil {
+		er.Logger.Debug(msg, args...)
+	}
+}
+
+func (er errReporter) Info(msg string, args ...any) {
+	if er.Logger != nil {
+		er.Logger.Info(msg, args...)
+	}
+}
+
+func (er errReporter) Warn(msg string, args ...any) {
+	if er.Logger != nil {
+		er.Logger.Warn(msg, args...)
+	}
+}
+
+func (er errReporter) Error(msg string, args ...any) {
+	if er.Logger != nil {
+		er.Logger.Error(msg, args...)
+	}
 }
 
 func (er errReporter) ReportError(err error) {
-	if er.Logger != nil && err != nil {
-		er.Logger.Error(err.Error())
+	if err != nil {
+		er.Error(err.Error())
 	}
 }

From 6cf0e014ab8ca0d4e4f3d958e032d832660bab87 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 30 Jun 2023 15:05:49 -0400
Subject: [PATCH 43/48] Fix bitrot: ErrorReporter -> Logger

---
 rpc/3ph_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpc/3ph_test.go b/rpc/3ph_test.go
index d7cf5d9c..a27a6303 100644
--- a/rpc/3ph_test.go
+++ b/rpc/3ph_test.go
@@ -89,7 +89,7 @@ func introTest(t *testing.T, f func(info introTestInfo)) {
 	dq.Defer(pp.Release)
 
 	cfgOpts := func(opts *rpc.Options) {
-		opts.ErrorReporter = testErrorReporter{tb: t}
+		opts.Logger = testErrorReporter{tb: t}
 	}
 
 	introducer := j.Join(cfgOpts)

From b2c7b80aa0cf7efe98eb13c8f54a0c0cac135eb9 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 30 Jun 2023 15:29:01 -0400
Subject: [PATCH 44/48] 3ph: warn on failed introduction.

---
 rpc/export.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/rpc/export.go b/rpc/export.go
index 0817aca5..45240b3b 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -170,7 +170,15 @@ func (c *lockedConn) send3PHPromise(
 		// consistent across all 3PH code:
 		introInfo, err := c.network.Introduce(srcConn, c)
 		if err != nil {
-			// TODO: report somehow; see above.
+			// TODO: consider fulfilling the promise with something else, so
+			// if the remote tries to .Resolve() it, it doesn't just block
+			// indefinitely? Unsure.
+			c.er.Warn(
+				"failed to introduce connections; proxying third party cap",
+				"error", err,
+				"provider", srcConn.RemotePeerID,
+				"recipient", c.RemotePeerID,
+			)
 			return
 		}
 

From d934815fce5b04ee15ccdb2438cf2b3aa6fbc1da Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 30 Jun 2023 15:34:48 -0400
Subject: [PATCH 45/48] Futureproof comment.

I'm going to punt this off until after the basic 3PH, so let's make sure
this is correct after that.
---
 rpc/rpc.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rpc/rpc.go b/rpc/rpc.go
index aa70da38..22bce7b8 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -1282,8 +1282,8 @@ func (c *lockedConn) parseReturn(dq *deferred.Queue, ret rpccp.Return, called []
 		}
 		return parsedReturn{err: exc.New(exc.Type(e.Type()), "", reason)}
 	case rpccp.Return_Which_acceptFromThirdParty:
-		// TODO: 3PH. Can wait until after the MVP, because we can keep
-		// setting allowThirdPartyTailCall = false
+		// TODO: 3PH. For now we can skip this, because we always set
+		// allowThirdPartyTailCall = false.
 		fallthrough
 	default:
 		// TODO: go through other variants and make sure we're handling

From 24e8008cc47b5c1aba178907e8a86c529e685501 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 30 Jun 2023 15:58:43 -0400
Subject: [PATCH 46/48] Partially handle third party disembargos

---
 rpc/rpc.go | 107 ++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 81 insertions(+), 26 deletions(-)

diff --git a/rpc/rpc.go b/rpc/rpc.go
index 22bce7b8..92148ed4 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -1450,11 +1450,41 @@ func (c *lockedConn) recvCapReceiverAnswer(ans *ansent, transform []capnp.Pipeli
 	return iface.Client().AddRef()
 }
 
+// A disembargoRequirement indicates what kind of disembargo must be sent for
+// a newly resolved capability.
+type disembargoRequirement int
+
+const (
+	// No disembargo is required.
+	noDisembargo disembargoRequirement = iota
+
+	// We must send disembargo with context = senderLoopback.
+	loopbackDisembargo
+
+	// We must send disembargo with context = accept.
+	acceptDisembargo
+)
+
 // Returns whether the client should be treated as local, for the purpose of
 // embargoes.
 func (c *lockedConn) isLocalClient(client capnp.Client) bool {
-	if (client == capnp.Client{}) {
+	switch c.disembargoType(client) {
+	case noDisembargo:
 		return false
+	case loopbackDisembargo:
+		return true
+	case acceptDisembargo:
+		panic("TODO: 3PH")
+	default:
+		panic("bad disembargo type")
+	}
+}
+
+// Returns what type of disembargo (if any) we must send after a remote promise
+// has resolved to the client.
+func (c *lockedConn) disembargoType(client capnp.Client) disembargoRequirement {
+	if (client == capnp.Client{}) {
+		return noDisembargo
 	}
 
 	snapshot := client.Snapshot()
@@ -1463,40 +1493,39 @@ func (c *lockedConn) isLocalClient(client capnp.Client) bool {
 
 	if ic, ok := bv.(*importClient); ok {
 		if ic.c == (*Conn)(c) {
-			return false
+			return noDisembargo
 		}
 		if c.network == nil || c.network != ic.c.network {
 			// Different connections on different networks. We must
 			// be proxying it, so as far as this connection is
 			// concerned, it lives on our side.
-			return true
+			return loopbackDisembargo
 		}
-		// Might have to do more refactoring re: what to do in this case;
-		// just checking for embargo or not might not be sufficient:
-		panic("TODO: 3PH")
+		return acceptDisembargo
 	}
 
 	if pc, ok := bv.(capnp.PipelineClient); ok {
 		// Same logic re: proxying as with imports:
 		if q, ok := c.getAnswerQuestion(pc.Answer()); ok {
 			if q.c == (*Conn)(c) {
-				return false
+				return noDisembargo
 			}
 			if c.network == nil || c.network != q.c.network {
-				return true
+				return loopbackDisembargo
 			}
-			panic("TODO: 3PH")
+			// Shouldn't happen, but obvious what we need to do if it does:
+			return acceptDisembargo
 		}
 	}
 
 	if _, ok := bv.(error); ok {
-		// Returned by capnp.ErrorClient. No need to treat this as
-		// local; all methods will just return the error anyway,
-		// so violating E-order will have no effect on the results.
-		return false
+		// Returned by capnp.ErrorClient. No need to disembargo this;
+		// all methods will just return the error anyway, so violating
+		// E-order will have no effect on the results.
+		return noDisembargo
 	}
 
-	return true
+	return loopbackDisembargo
 }
 
 // recvPayload extracts the content pointer after populating the
@@ -1889,26 +1918,52 @@ func (c *Conn) handleResolve(ctx context.Context, in transport.IncomingMessage)
 			if err != nil {
 				return err
 			}
-			if c.isLocalClient(client) {
+			disembargoTarget := parsedMessageTarget{
+				which:       rpccp.MessageTarget_Which_importedCap,
+				importedCap: exportID(promiseID),
+			}
+			switch c.disembargoType(client) {
+			case noDisembargo:
+			case loopbackDisembargo:
 				var id embargoID
 				id, client = c.embargo(client)
 				disembargo := senderLoopback{
-					id: id,
-					target: parsedMessageTarget{
-						which:       rpccp.MessageTarget_Which_importedCap,
-						importedCap: exportID(promiseID),
-					},
+					id:     id,
+					target: disembargoTarget,
 				}
 				c.sendMessage(ctx, disembargo.buildDisembargo, func(err error) {
+					if err == nil {
+						return
+					}
+					c.er.Error("incoming resolve: send disembargo failed",
+						"error", err,
+					)
+				})
+			case acceptDisembargo:
+				c.sendMessage(ctx, func(m rpccp.Message) error {
+					d, err := m.NewDisembargo()
+					if err != nil {
+						return err
+					}
+					tgt, err := d.NewTarget()
 					if err != nil {
-						c.er.ReportError(
-							exc.WrapError(
-								"incoming resolve: send disembargo",
-								err,
-							),
-						)
+						return err
+					}
+					if err = disembargoTarget.Encode(tgt); err != nil {
+						return err
 					}
+					d.Context().SetAccept()
+					return nil
+				}, func(err error) {
+					if err == nil {
+						return
+					}
+					c.er.Error("incoming resolve: send disembargo failed",
+						"error", err,
+					)
 				})
+			default:
+				panic("invalid disembargo type")
 			}
 			dq.Defer(func() {
 				imp.resolver.Fulfill(client)

From abc5258e7cf0e3957490330a066a9eda2487c2f2 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 30 Jun 2023 16:14:36 -0400
Subject: [PATCH 47/48] replace redundant logic with parsedMessageTarget.Encode

---
 rpc/export.go | 22 +---------------------
 1 file changed, 1 insertion(+), 21 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index 45240b3b..2635403d 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -588,25 +588,5 @@ func (sl *senderLoopback) buildDisembargo(msg rpccp.Message) error {
 	if err != nil {
 		return rpcerr.WrapFailed("build disembargo", err)
 	}
-	switch sl.target.which {
-	case rpccp.MessageTarget_Which_promisedAnswer:
-		pa, err := tgt.NewPromisedAnswer()
-		if err != nil {
-			return rpcerr.WrapFailed("build disembargo", err)
-		}
-		oplist, err := pa.NewTransform(int32(len(sl.target.transform)))
-		if err != nil {
-			return rpcerr.WrapFailed("build disembargo", err)
-		}
-
-		pa.SetQuestionId(uint32(sl.target.promisedAnswer))
-		for i, op := range sl.target.transform {
-			oplist.At(i).SetGetPointerField(op.Field)
-		}
-	case rpccp.MessageTarget_Which_importedCap:
-		tgt.SetImportedCap(uint32(sl.target.importedCap))
-	default:
-		return errors.New("unknown variant for MessageTarget: " + str.Utod(sl.target.which))
-	}
-	return nil
+	return sl.target.Encode(tgt)
 }

From 3d9ba97af8273cffbf3bce62f8693e1b43eafa13 Mon Sep 17 00:00:00 2001
From: Ian Denhardt <ian@zenhack.net>
Date: Fri, 30 Jun 2023 16:37:29 -0400
Subject: [PATCH 48/48] send accept disembargos when necessary

---
 rpc/export.go | 37 ++++++++++++++++++++++++
 rpc/rpc.go    | 80 ++++++++++++++++++++++-----------------------------
 2 files changed, 71 insertions(+), 46 deletions(-)

diff --git a/rpc/export.go b/rpc/export.go
index 2635403d..bebc856e 100644
--- a/rpc/export.go
+++ b/rpc/export.go
@@ -590,3 +590,40 @@ func (sl *senderLoopback) buildDisembargo(msg rpccp.Message) error {
 	}
 	return sl.target.Encode(tgt)
 }
+
+// disembargoSet describes a set of disembargoes that must be sent.
+type disembargoSet struct {
+	loopback []senderLoopback
+	accept   []parsedMessageTarget
+}
+
+func (ds *disembargoSet) send(ctx context.Context, c *lockedConn) {
+	onError := func(err error) {
+		if err != nil {
+			err = exc.WrapError("send disembargo", err)
+			c.er.ReportError(err)
+		}
+	}
+	for _, v := range ds.loopback {
+		c.sendMessage(ctx, v.buildDisembargo, onError)
+	}
+	for _, disembargoTarget := range ds.accept {
+		// FIXME: if we fail to send one of these, calls to the destination will
+		// hang forever.
+		c.sendMessage(ctx, func(m rpccp.Message) error {
+			d, err := m.NewDisembargo()
+			if err != nil {
+				return err
+			}
+			tgt, err := d.NewTarget()
+			if err != nil {
+				return err
+			}
+			if err = disembargoTarget.Encode(tgt); err != nil {
+				return err
+			}
+			d.Context().SetAccept()
+			return nil
+		}, onError)
+	}
+}
diff --git a/rpc/rpc.go b/rpc/rpc.go
index 92148ed4..da6c82e0 100644
--- a/rpc/rpc.go
+++ b/rpc/rpc.go
@@ -1194,14 +1194,7 @@ func (c *Conn) handleReturn(ctx context.Context, in transport.IncomingMessage) e
 				// the embargo on our side, but doesn't cause a leak.
 				//
 				// TODO(soon): make embargo resolve to error client.
-				for _, s := range pr.disembargoes {
-					c.sendMessage(ctx, s.buildDisembargo, func(err error) {
-						if err != nil {
-							err = exc.WrapError("incoming return: send disembargo", err)
-							c.er.ReportError(err)
-						}
-					})
-				}
+				pr.disembargoes.send(ctx, c)
 
 				// Send finish.
 				c.sendMessage(ctx, func(m rpccp.Message) error {
@@ -1238,34 +1231,44 @@ func (c *lockedConn) parseReturn(dq *deferred.Queue, ret rpccp.Return, called []
 		if err != nil {
 			return parsedReturn{err: rpcerr.WrapFailed("parse return", err), parseFailed: true}
 		}
-		content, locals, err := c.recvPayload(dq, r)
+		content, disembargoRequirements, err := c.recvPayload(dq, r)
 		if err != nil {
 			return parsedReturn{err: rpcerr.WrapFailed("parse return", err), parseFailed: true}
 		}
 
 		var embargoCaps uintSet
-		var disembargoes []senderLoopback
+		var disembargoes disembargoSet
 		mtab := ret.Message().CapTable()
 		for _, xform := range called {
 			p2, _ := capnp.Transform(content, xform)
 			iface := p2.Interface()
 			i := iface.Capability()
-			if !mtab.Contains(iface) || !locals.has(uint(i)) || embargoCaps.has(uint(i)) {
+			if !mtab.Contains(iface) || embargoCaps.has(uint(i)) {
 				continue
 			}
 
-			id, ec := c.embargo(mtab.Get(iface))
-			mtab.Set(i, ec)
+			target := parsedMessageTarget{
+				which:          rpccp.MessageTarget_Which_promisedAnswer,
+				promisedAnswer: answerID(ret.AnswerId()),
+				transform:      xform,
+			}
+			switch disembargoRequirements[i] {
+			case noDisembargo:
+				continue
+			case loopbackDisembargo:
+				id, ec := c.embargo(mtab.Get(iface))
+				mtab.Set(i, ec)
+				disembargoes.loopback = append(disembargoes.loopback, senderLoopback{
+					id:     id,
+					target: target,
+				})
+			case acceptDisembargo:
+				disembargoes.accept = append(disembargoes.accept, target)
+			default:
+				panic("invalid disembargo type")
+			}
 
 			embargoCaps.add(uint(i))
-			disembargoes = append(disembargoes, senderLoopback{
-				id: id,
-				target: parsedMessageTarget{
-					which:          rpccp.MessageTarget_Which_promisedAnswer,
-					promisedAnswer: answerID(ret.AnswerId()),
-					transform:      xform,
-				},
-			})
 		}
 		return parsedReturn{
 			result:       content,
@@ -1296,7 +1299,7 @@ func (c *lockedConn) parseReturn(dq *deferred.Queue, ret rpccp.Return, called []
 
 type parsedReturn struct {
 	result        capnp.Ptr
-	disembargoes  []senderLoopback
+	disembargoes  disembargoSet
 	err           error
 	parseFailed   bool
 	unimplemented bool
@@ -1465,21 +1468,6 @@ const (
 	acceptDisembargo
 )
 
-// Returns whether the client should be treated as local, for the purpose of
-// embargoes.
-func (c *lockedConn) isLocalClient(client capnp.Client) bool {
-	switch c.disembargoType(client) {
-	case noDisembargo:
-		return false
-	case loopbackDisembargo:
-		return true
-	case acceptDisembargo:
-		panic("TODO: 3PH")
-	default:
-		panic("bad disembargo type")
-	}
-}
-
 // Returns what type of disembargo (if any) we must send after a remote promise
 // has resolved to the client.
 func (c *lockedConn) disembargoType(client capnp.Client) disembargoRequirement {
@@ -1529,11 +1517,13 @@ func (c *lockedConn) disembargoType(client capnp.Client) disembargoRequirement {
 }
 
 // recvPayload extracts the content pointer after populating the
-// message's capability table.  It also returns the set of indices in
-// the capability table that represent capabilities in the local vat.
-//
-// The caller must be holding onto c.lk.
-func (c *lockedConn) recvPayload(dq *deferred.Queue, payload rpccp.Payload) (_ capnp.Ptr, locals uintSet, _ error) {
+// message's capability table.  It also returns a mapping from indices
+// in the capability table to any disembargoes that need to be sent to them.
+func (c *lockedConn) recvPayload(dq *deferred.Queue, payload rpccp.Payload) (
+	_ capnp.Ptr,
+	disembargos []disembargoRequirement,
+	_ error,
+) {
 	if !payload.IsValid() {
 		// null pointer; in this case we can treat the cap table as being empty
 		// and just return.
@@ -1573,12 +1563,10 @@ func (c *lockedConn) recvPayload(dq *deferred.Queue, payload rpccp.Payload) (_ c
 		}
 
 		mtab.Add(cl)
-		if c.isLocalClient(cl) {
-			locals.add(uint(i))
-		}
+		disembargos = append(disembargos, c.disembargoType(cl))
 	}
 
-	return p, locals, err
+	return p, disembargos, err
 }
 
 func (c *Conn) handleRelease(ctx context.Context, in transport.IncomingMessage) error {