It seems that this uses the "deprecatedObjectId". The spec says it's
deprecated because:

1. "in practice, the ability to restore SturdyRefs is itself a capability
that may require going through an authentication process to obtain."

2. "the earliest version of the EZ RPC interfaces set a precedent of
exporting multiple main interfaces by allowing them to be exported under
string names"

3. "Often, "main" or "well-known" capabilities exported by a vat are in
fact not public: they are intended to be accessed only by clients who are
capable of forming a connection to the vat." and "the supervisor has to be
careful not to honor an external request addressing the application's
default capability".

However:

1. If a sturdy ref is a capability reference then holding it should be
sufficient to use it, without needing additional capabilities. It's not
clear why the spec thinks this isn't enough.

2. It's not clear why one implementation using string names means the
protocol needs to change.

3. This seems like a sandstorm-specific problem, and could be fixed in one
place (the supervisor). As a safer alternative, sandstorm apps could
instead use a pre-exported "export 0" for their admin API. The protocol
should already prevent external clients from getting access to unrelated
exports.

Given the lack of an alternative, I've implemented this "deprecated" scheme
in the OCaml version now. It seems to work fine, and works with the other
implementations.
I'm now storing the service ID, base64-encoded, as the final path component
in the URI.
I also have some additional questions now:

- The schema language doesn't define a SturdyRef type. Since it seems that
interfaces shouldn't contain network-specific types, this means that
SturdyRefs currently have to be defined as AnyPointer. It would be useful
if the spec could pre-define this abstract (and generic) type. Then schema
compilers could output type-safe code for building and reading them.

- It seems that sturdy refs are intended to be stored as plain data.
However, this is usually readable by the application code. Perhaps they
should instead go in the CapDescriptor table?

The spec says:

"we specify several "parameter" types. Each type is defined here as an
alias for `AnyPointer`, but a specific network will want to define a
specific set of types to use. All vats in a vat network must agree on
these parameters in order to be able to communicate. Inter-network
communication can be accomplished through "gateways" that perform
translation between the primitives used on each network; these gateways may
need to be deeply stateful, depending on the translations they perform."

Does "deeply stateful" mean that gateways need to understand the schema to
know which fields are sturdy refs?

Hi Thomas,

Sorry I missed this earlier!

So, "level 2" of the RPC protocol / SturdyRefs turn out to be something
that does not make sense to specify as part of the Cap'n Proto
implementation itself. Probably level 2 should be ripped out of the spec
entirely. This is what we learned as we build Sandstorm: SturdyRefs and how
to restore them turned out to be intrinsically tied to the Sandstorm
environment, and attempts to define an "abstract" SturdyRef format not
dependent on Sandstorm did not seem to fit what Sandstorm needed.

To understand this, consider a few different cases:
- A Sandstorm grain (app instance).
- A node in the Blackrock (clustered Sandstorm) infrastructure.
- An application on the general internet that has nothing to do with
Sandstorm.

Now try to answer the question: What does a SturdyRef express, and how does
one restore it?

The answer is totally different depending on the context:

- For a Sandstorm grain, a SturdyRef can be an opaque byte string, which
refers to an object in another grain. The client grain passes the SturdyRef
to the Sandstorm API to restore it. The Sandstorm infrastructure then looks
up the token in its database, verifies that the token belongs to the
requesting grain, finds out to what grain the token points, starts up that
grain, asks that grain for a live ref of the desired capability, and then
returns that to the requesting grain.

- For a Blackrock node, a SturdyRef typically refers to another component
of the Blackrock infrastructure: maybe an object in Blackrock storage (a
graph store of Cap'n Proto objects), or a running container on one of the
worker nodes. Or, it could also refer to something hosted in a grain, or a
totally external capability. See the definition here:
https://github.com/sandstorm-io/blackrock/blob/master/src/blackrock/cluster-rpc.capnp#L67
Notice how the namespace of SturdyRefs as seen by the infrastructure itself
is completely different from the namespace of SturdyRefs seen by apps --
although some kinds of objects can be represented by both. Also notice that
depending on the type of SturdyRef, the process for restoring is different:
for "transient" objects located on a specific machine, the restorer
connects directly to the target, but for stored object, the restorer
connects to "the storage service" which it is introduced to independently
at startup, and for external caps, it connects to "the gateways", etc.

- For the public internet, you probably want a SturdyRef to encode a
hostname and perhaps a pinned certificate list. Maybe it even encodes an
HTTP URL, to which a Cap'n Proto session can be created over WebSocket or
streaming HTTP/2. Additionally, it would encode some sort of object ID,
probably as an AnyPointer. The target host would provide a bootstrap
interface with a restore() method that takes this AnyPointer.

As you can see, in each case the format of a SturdyRef and the procedure
for restoring it is completely different, so much so that it doesn't appear
that any "standard" definition makes sense.

At some point I do want to spec out the "public internet" SturdyRef format
and protocol. But, for now, I think implementations should leave SturdyRefs
up to the application to define.

On a side note, it seems like you were confused a bit by EZ RPC's mechanism
for exporting capabilities by name. We deprecated this in favor of a
singleton bootstrap interface because you can trivially implement the same
thing by defining a bootstrap interface with a "restore(name)" method.

-Kenton