feat(ocapn): CBOR alternative encoding

[kriskowal]

Description

This change introduces an experimental CBOR codec as an alternative to Syrup for OCapN message serialization. The implementation enables OCapN messages to be parsed by any RFC 8949 compliant CBOR decoder, allowing more of the ecosystem's existing tools to come to bear and making the wire format strictly a compact, machine-readable format.

New: CBOR Codec Implementation

• RFC 8949 compliant canonical encoding
• All integers encoded as bignums (Tags 2/3) for arbitrary precision
• Float64 values with canonical NaN representation
• Symbols via Tag 280
• Records via Tag 27 (generic array)
• Tagged values via Tag 55799 (self-described CBOR)
• BMP-only string validation (rejects surrogate code points)

New: CBOR Diagnostic Notation Codec

A text-based codec for human-readable CBOR representation:

• src/cbor/diagnostic/encode.js - CBOR bytes → diagnostic string
• src/cbor/diagnostic/decode.js - Diagnostic string → JavaScript values
• src/cbor/diagnostic/util.js - Hex conversion and comparison helpers

This enables writing test cases in readable form and debugging encoding issues.

New: Codec Interface Abstraction

src/codec-interface.js defines abstract OcapnReader and OcapnWriter interfaces that both Syrup and CBOR implement. This enables:

• Swapping codecs without changing application code
• Type-safe codec injection
• Future codec negotiation in netlayers

Codec Architecture: Dependency Injection

Applications import only the codec they need:

// For CBOR
import { makeCborWriter, makeCborReader } from '@endo/ocapn/cbor/index.js';

// For Syrup
import { makeSyrupWriter, makeSyrupReader } from '@endo/ocapn/syrup/index.js';

This replaces a hypothetical central factory, ensuring unused implementations are tree-shaken.

Test Infrastructure Enhancements

• Dual-codec testing: All codec tests now run with both Syrup and CBOR
• AVA macros: Table-driven interop tests using AVA macro pattern
• Interop tests: Validates CBOR output parses with the cbor npm package
• Snapshot updates: All codec snapshots now include both Syrup and CBOR variants

Documentation

• docs/cbor-encoding.md - Complete specification covering:
  • All OCapN type mappings to CBOR
  • Canonical encoding rules
  • CapTP operation and descriptor formats
  • Passable data and slot reference design
• docs/codec-usage.md - Usage patterns for both codecs
• src/cbor/README.md - Implementation overview
• src/syrup/README.md - Updated with codec ID

Security Considerations

• Canonical encoding: CBOR output is deterministic, enabling signature verification without re-serialization
• BMP string validation: Rejects strings with surrogate code points (outside Basic Multilingual Plane), consistent with Syrup
• Tag 24 for signed envelopes: The desc:sig-envelope design wraps signed content in embedded CBOR (Tag 24) to enable signature verification against bytewise representation

Scaling Considerations

• 65535-byte message limit consistent with Noise Protocol framing
• Slot references separated from passable body enables forwarding without re-serialization

Documentation Considerations

The docs/cbor-encoding.md specification is comprehensive and self-contained. Users wanting to implement an OCapN codec in another language should be able to do so from this document alone.

Testing Considerations

Existing Syrup tests parameterized to cover CBOR.

Inludes tests that verify that cross-reference legibility of generated CBOR messages with an off-the-shelf, generic CBOR implementation.

Round-trip and canonicalization tests.

Compatibility Considerations

None.

Upgrade Considerations

None.

[gibson042]

These comments are limited to documentation; I haven't looked at any implementing code.

[gibson042]

CBOR tag number 27 suggests (if not requires) that the first element be a string ("The typename [in array [typename, constructargs...]] is usually a class name, or another string that indicates the name of the type"), and I think we should honor that expectation.

Suggested change

	| Target (in-band) | Record marker | `27([280("target")])` |
	| Promise (in-band) | Record marker | `27([280("promise")])` |
	| Error (in-band) | Record with message | `27([280("error"), "TypeError"])` |
	| Target (in-band) | Record marker | `27(["target"])` |
	| Promise (in-band) | Record marker | `27(["promise"])` |
	| Error (in-band) | Record with message | `27(["error", "TypeError"])` |

[gibson042]

So references don't bear any identifying metadata such as a slot index, and the idea is instead to use straightforward counting with repeats as necessary, such that targets [remotable1, remotable2] vs. [remotable1, remotable1] have the same in-band representation but target arrays that vary like e.g.

-[27(["desc:export", 1), 27(["desc:export", 2)]
+[27(["desc:export", 1), 27(["desc:export", 1)]`

?

[kriskowal]

should be merely [27(["desc:export"]), 27(["desc:export"])] in-band.

[gibson042]

Right, that covers "same in-band representation"... I'm asking about what the (presumably out-of-band) target arrays would look like for [remotable1, remotable2] vs. [remotable1, remotable1].

[gibson042]

What is the structure of the envelope containing this body and some number of reference arrays? Is it itself a CBOR array or map, are there CBOR tags relevent to that level, etc.?

[kriskowal]

The body is a CBOR encoded array. There is no additional tag, as writ.

[dckc]

why a target string here? why not a CBOR tag number?

(likewise promise and error markers)

[kriskowal]

Using a CBOR tag number would require a trip to IANA. 27 is a CBOR tag number we’re using to denote a Syrup record, which is analogous to a single-tier Cap’n Web array, e.g., ["date",ms]. CBOR tag number 280 indicates a symbol. So, this is a lot like the existing <desc:import-object> family of descriptors, but we’re collapsing all the targets, promises, and errors to place-holders and all other distinctions moving to slots, as is consistent with Endo’s marshaling. We could add back a gratuitous slot index to each of these, which would make it easier for a human to parse the CBOR diagnostic format.

[dckc]

Using a CBOR tag number would require a trip to IANA.

'nuff said.

[gibson042]

Wouldn't readInteger() misbehave if the value is actually floating point, and readFloat64() misbehave if the value is actually an integer? I see no value in conflating the two distinct types via a single value from peekTypeHint.

[kriskowal]

These methods assert the type matches the expected type by direct observation. This is an artifact of our desire to, in many case, avoid reïfying certain values, and in particular, reïfying symbols as strings when it suits us (often).

[kriskowal]

The explanation is sloppy. Working on that.

[gibson042]

Why does Error appear twice?

[gibson042]

"not for OCapN integers"?

[gibson042]

This seems inconsistent with Quick Reference—is the element after "error" a message or a type?

[kriskowal]

My intention is that the second value in the array is a message and that it be carried in-band, while the respective identifier be carried out-of-band. There should actually be a third element with an OCapN Struct with additional data.