The Heart of Spritely: Distributed Objects and Capability Security

The following examples will illustrate Goblins using its implementation in Guile (which is a dialect of Scheme, which is itself a dialect of Lisp).⁸ While the ideas here could be ported across many kinds of programming languages, Scheme's minimalism and flexibility allow for cleanly expressing the core ideas of Goblins.

Prior knowledge of Scheme is not necessary, but some familiarity with programming in general is expected. See A Scheme Primer if you'd like an introduction to Scheme.

This document uses an unusual representation of Lisp syntax which is whitespace-based instead of parenthetical, named Wisp.⁹ Experience has shown that while parenthetical representations of Lisp tend to feel alien to newcomers with prior programming experience, Wisp tends to look fairly pleasantly like pseudocode. These examples aim to be as simple as possible to understand just by reading them. If you'd like a more thorough explanation of how Lisp and Wisp relate, see Appendix: Lisp and Wisp.

Lisp and Scheme programming (not only, but especially) tends to involve a cycle between experimenting at the interactive REPL and code you keep around in a file. This paper follows the same convention. Code examples that have lines preceding with REPL> are meant to demonstrate examples of interactive use. Lines which follow and are preceded by underscores represent continued entries for the same expression:

REPL> define name "Doris"
REPL> string-append "Hello " name "!"
; => "Hello Doris!"
REPL> display "Hello screen output!\n"
; prints: Hello screen output!

To get your REPL set up properly for live programming, you will need to setup Guile, Goblins, and Wisp.

The following section gives a high-level demonstration of Goblins through practical use.

If you do choose to follow along by entering the code from this section, you can define this as a full-fledged module, say perhaps taste-of-goblins.w, like so:

define-module : taste-of-goblins
  . #:use-module : goblins
  . #:use-module : goblins actor-lib methods
  . #:export (^cell ^greeter ^cgreeter ^borked-cgreeter
              ^car-factory ^borked-car-factory)

Code examples that are not interactive can/should be entered into this file.

Now you're ready to go. Read on!

Cooperation between independent agents depends upon establishing a degree of security. Each of the cooperating agents needs assurance that the cooperation will not endanger resources of value to that agent. In a computer system, a computational mechanism can assure safe cooperation among the system's users by mediating resource access according to desired security policy. Such a mechanism, which is called a security kernel, lies at the heart of many operating systems and programming environments.

– Jonathan A. Rees, A Security Kernel Based on the Lambda Calculus

Capability security as ordinary programming demonstrated how a programming language which uses lexical scoping and is strict about removing ambient authority is already likely an excellent foundation for a capability secure architecture. A taste of Goblins showed Goblins' powerful transactional distributed object programming system. This section shows the union of the two: that the relationships between Goblins objects is a powerful, expressive, and robust security model for networked programs.

What follows is a common tutorial to make this clear: a blogging style system¹⁷ (in this case, used by a community newspaper of an imagined town) with different users cooperating and performing different roles. Unlike most such tutorials, this is accomplished without an access control list: resources are protected from misuse without relying on checking the identity of the performing agent. Despite this, it will manage to introduce accountability and revocation features, the protection of misuse from unauthorized parties, and even the demonstration of a multiple-stakeholder cooperation pattern which has no direct parallel in an access control system.

The relationship between Spritely Goblins' abstracted distributed object layers can be understood visually. Consider the following relationship graph representing communicating objects:

.----------------------------------.         .----------------------.
|            Machine 1             |         |       Machine 2      |
|            =========             |         |       =========      |
|                                  |         |                      |
| .--------------.  .---------.   ,-.       ,-.                     |
| |    Vat A     |  |  Vat B  |  _|  \______|  \_   .------------.  |
| |  ,-----.     |  |  ,---.  | | |  /      |  / |  |    Vat C   |  |
| | ( Alice )-------->( Bob )---' `-'       `-'  |  |  ,-----.   |  |
| |  `-----'     |  |  `---'  |    |         |   '--->( Carol )  |  |
| |      \       |  |    ^    |    |         |      |  `-----'   |  |
| |       V      |  `----|----'    |         |      |            |  |
| |    ,------.  |       |        ,-.       ,-.     |            |  |
| |   ( Alfred ) |       |_______/  |______/  |__   |  ,------.  |  |
| |    `------'  |               \  |      \  |  '----( Carlos ) |  |
| |              |                `-'       `-'     |  `------'  |  |
| '--------------'                 |         |      |            |  |
|                                  |         |      '------------'  |
'----------------------------------'         '----------------------'

In the above diagram:

• Two machines (Machine 1 and Machine 2) are running separately from each other, but connected to each other over the network via OCapN and CapTP.
• Vat A and Vat B are event loops which live on Machine 1, and Vat C is an event loop which lives on Machine 2.
• The individual objects (represented by circles) live in vats, aka event loops which contain objects. Alice and Alfred live in Vat A, Bob lives in Vat B, and Carol and Carlos live on Vat C. (While these objects have human-like names, they're just Goblins objects.)
• The arrows between the objects represent references these objects have to each other. Alice has references to both Alfred and Bob. Bob has a reference to Carol. Carlos has a reference to Bob.
• Two objects which are in the same vat are considered near each other, and thus can invoke each other synchronously, whereas any objects not in the same vat are considered far from each other. Any objects can invoke each other by asynchronous message passing as long as they have a reference to each other.
• Not pictured: each vat has an actormap, an underlying transactional heap used for object communication. This is what permits transactionality and time travel. (Actormaps can also be used independently of vats for certain categories of applications.)

Another way to think about this is via the following abstraction nesting dolls:

(machine (vat (actormap {refr: object-behavior})))

• Machines, which are computers on the network, or more realistically, operating system processes, which contain…
• Vats, which are communicating event loops, which contain…
• Actormaps, transactional heaps, which contain…
• A mapping of References to Object Behavior.

Goblins follows what is called the vat model of computation. A vat is an event loop that manages a set of objects which are near to each other (and similarly, objects outside of a vat are far from each other), as well as messages between them and from other vats.

           Internal Vat Schematics
          =========================

        stack           heap
        ( $ )        ( actormap )
      .-------.----------------------. -.
      |       |                      |  |
      |       |    ,-.               |  |
      |       |   (obj)        ,-.   |  |
      |       |    `-'        (obj)  |  |
      |  ___  |                `-'   |  |
      | |___) |          ,-.         |  |- actormap
      |  ___  |         (obj)        |  |  territory
      | |___) |          `-'         |  |
      |  ___  |                      |  |
      | |___) |                      |  |
      +-------'----------------------+ -'
queue |  ___   ___   ___             | -.
 (<-) | |___) |___) |___)            |  |- event loop
      '------------------------------' -'  territory

The above schematic of a vat models its constituent parts. The actormap (the heap) holds the objects (actors) local to that vat. Each object in a given vat's actormap are near to each other. The stack holds synchronous messages, which are conventional calls; these are invocations of near objects. The queue holds asynchronous messages, which can either be between near objects, or from other vats and thus from far objects.

Objects which are near can perform synchronous call-return invocations in a manner familiar to most sequential programming languages used by most programmers today. Aside from being a somewhat more convenient way to program, sequential invocation is desirable because of cheap transactionality, which is expounded more later. Goblins uses the $ operator to perform synchronous operations.

Both near and far objects are able to invoke each other asynchronously using asynchronous message passing (in the same style as the classic actor model)¹⁹. It does not generally matter whether or not a far object is running within the same OS process or machine or one somewhere else on the network for most programming tasks²⁰; asynchronous message passing works the same either way. Goblins uses the <- operator to perform asynchronous operations.

The sender of an asynchronous message is handed back a promise to which it can supply callbacks, listening for the promise to be fulfilled with a value or broken (usually in case of an unexpected error). For both programmer convenience and for network efficiency, Goblins supports promise pipelining: messages can be sent to promises which have not yet been resolved, and will be forwarded to the target once the promise resolves.²¹

While the vat model of computation is not new²², Goblins brings some novel contributions to the table in terms of transactionality and time-travel debugging, enhancing an already powerful distributed programming paradigm.

As usual in the vat model of computation, individual message sends to a vat (event loop) are queued and then handled one turn at a time, akin to the way board game players take turns around a table (which is indeed the basis for the term turn). The message, addressing a specific object, is passed to the recipient object's current behavior. This object may then invoke other near objects (residing within the same vat), which may themselves invoke other near objects in synchronous and sequential call-return style familiar to most users of most contemporary programming languages. Any of these invoked objects may also change their state/behavior (behavior changes appear purely functional in Goblins; invocations of other actors do not), spawn new objects, invoke ordinary expressions from the host language, or send asynchronous messages to other objects (which are only sent if the turn completes successfully).

Special to Goblins is the transactional nature of vat turns: unhandled errors result in a turn being rolled back automatically (or more accurately, simply never being committed to the root transactional heap), preventing unintended data corruption. This cheap transactionality means that errors in Goblins are much less eventful and dangerous to deal with than in most asynchronous programming languages. Significantly less effort needs to be spent on cleanup when time is reverted to a point where a mess never occurred.²³

The same transactional-heap design of Goblins can be used for other purposes. A distributed debugger inspired by E's Causeway is planned, complete with message-tracing mechanisms. This will be even more powerful when combined with already-demonstrated time travel features,²⁴ allowing programmers to debug a program in the state of an error when it occured.

Do you, Programmer,
take this Object to be part of the persistent state of your application,
to have and to hold,
through maintenance and iterations,
for past and future versions,
as long as the application shall live?

  —Arturo Bejar

Processes crash or close and must be resumed. Behavior changes and representations must change to accommodate such change. Goblins has an integrated serialization mechanism which simplifies serialization and upgrade.

The need for state persistence and upgrade is hardly unique to Goblins programs. Much of programming traditionally involves reading and writing the state of a program to a more persistent medium, generally files on a disk or some specialized database. Web applications in particular spend an enormous amount of effort moving between database representations and runtime behavior, but translating between runtime behavior and persistent state is typically disjoint and its solution space complicated.

Since Goblins' security model is encoded within the underlying runtime graph, manually scribing and restoring this structure would be a Sisyphean task in terms of labor and, should it naively trust objects' own self-descriptions, an entry point for vulnerability.

As an example, consider a multiplayer fantasy game might have to keep track of many rooms, the inhabitants of those rooms including various monsters and players, players' inventory, and many clever other objects and mechanisms which might even be defined while the game is running. Ad-hoc serialization of such a system would be too hard to keep track of cognitively, and so the system should serialize the process. Asking the objects to self-describe or manipulate the underlying database could also be dangerous, as objects could claim to have authority that they do not. For example, in the game, player-built objects should not be able to claim or dispense in-game currency or grant themselves powers which they did not originally have on restoration.

Spritely Goblins' solution²⁵ is a serialization mechanism which asks objects how they would like to be serialized, but only allows objects to provide self-portraits utilizing the permissions they already have.^{26, 27} Goblins' serializer starts with root objects and calls a special serializer method on each object, asking each object for its self-portrait. This serialization mechanism is sealed off from normal usage; only the serializer can unseal it, preventing objects from interrogating each other for information or capabilities they should not have access to.²⁸

Since walking the entire object graph is expensive, serialization can take advantage of reading turn-transaction-delta information to only serialize objects which have changed, making it performant.

The system is restored by walking the graph in reverse and applying each self-portrait to its build recipe. Restoring an object ends up being a great time to run upgrade code and as Goblins is built out it will collect many upgrade patterns into a common library.

The serialized graph can be used for another purpose: to create a running visualization of a stored ocap system, further helping programmers debug systems and understand the authority graph of a running system.

In general so far when this paper has spoken of distributed objects, it has been referring to objects with one specific "location". But many systems are actually more complicated than this. For example, Alisha and Ben might both be in the same chatroom and there may be a distinct address for Alisha and Ben's personas; if asked whether or not Carol means the same Alisha as Ben, she should have no problem saying "yes, this is the same person", and this can be as simple as address comparison.²⁹ Alisha and Ben may have their own local representations of Carol with their own local behavior and state, particular to the interests, needs, or knowledge of Carol as she is known locally to each networked participant.

The Unum Pattern is a conceptual framework that encompasses the idea of a distributed abstract object with many different presences. One difference between the framing provided by the unum pattern and most other distributed pattern literature is that the unum pattern is particularly interested in distributed behavior rather than distributed data. Distributed data may be emergent from distributed behavior, but it is only one application. In the unum pattern, many different presences cooperate together performing different roles, sometimes even responding to messages in a manner semi-opaque to each other.

Consider a teacup sitting on a table in a virtual world. Where does it live? On the server? What about its representation in your client? What about the representation on another player's client? What about in your mind? While there is one unum, or "conceptual object", of the teacup, there are likely many presences representing it. Information and authority pertaining to the teacup may also be asymmetric;³⁰ you might know that the teacup has a secret note sealed inside it and someone else might not. While there may be one object which is the canonical presence, possibly serving as a source of shared identifier to refer to the object, the canonical presence is still a presence.³¹

Presences in Goblins typically correspond to Goblins objects.³² The unum pattern is typically implemented via several messaging patterns: the reply pattern, the point-to-point pattern, the neighbor pattern, and the broadcast pattern. Keen observers might notice that a subset of the unum pattern, applied to data, is a publish-subscribe (PubSub) system, which is common in social media architecture design (ActivityPub is more or less a glorified data-centric publish-subscribe classic actor model implementation designed for social media on the web). For large-scale distribution of messages, the Amphitheater Pattern will be supported.

However, in recent times there have been advancements in convergent information architectures with research on conflict-free replicated data types. Goblins plans on implementing a standard library of CRDT patterns which can be thought of as a "unum construction kit".

If you're using a Unix-like operating system, you probably have a package manager with Guile available in its repositories - homebrew, apt, dnf, etc. The recommended way to obtain Guile is through such a package manager. Failing that, you may also download Guile source and then compile it according to the instructions in its manual. Note that while Goblins may work with Guile 2, it only supports Guile 3. You'll probably need a few unmentioned dependencies to compile it:

• a C compiler toolchain, such as GCC
• GNU Autotools

With those, inside the directory for the Guile source directory, you'll run the following commands:

> ./configure
> make
> make install

After that's done you can move on to…

Once again, the best route to obtaining Wisp is to use your system package manager where it likely has a name such as guile-wisp. However, you can also download its source code and compile it. This presupposes an extant Guile installation. Inside its source directory, you should be able to run:

> ./configure
> make
> make install

And finally you get to…

At the moment, Goblins is only packaged for Guix and Homebrew. The only alternative is to build it manually. Following the instructions in the Guile Goblins source repository, you'll need to obtain a few dependencies:

• Guile 3.0 (handled above)
• guile-gcrypt
• guile-fibers
• Tor (runtime; optional, for networking)
• git (implicitly)

Then it should be as straightforward as running the following commands:

> git clone https://gitlab.com/spritely/guile-goblins
> cd guile-goblins
> ./configure
> make
> make install

With all of that completed, you get a REPL to run the examples in this document as follows:

> guile --language=wisp

• Abstract Syntax Tree: The abstracted programming language structure which the programming language operates at. See also surface syntax.
• Actor: A computational entity that operates only via asynchronous message passing. See also actor model, defined below. An object which only communicates via asynchronous message passing is usually considered an actor.
• Actor model: A programming paradigm where computation occurs between fully asynchronous message passing between computational entities named actors. An actor operating under the classic actor model processes one incoming message at a time defined by its current behavior, and in response may create new actors (obtaining their addresses in the process), send messages to other actors (including introducing them to actors this actor knows about in the process), or specify a change of behavior in regard to its next message. (To distinguish this core, original, and general subset of possible variants, the term classic actor model is sometimes used.)
• Actormap: A transactional heap mapping object references to a set of behaviors.
• Access Control List (ACL): In contrast to object capability security, an Access Control List system relies on identity checks against approved operations. ACL systems tend to exhibit ambient authority and confused deputy vulnerabilities. See the paper ACLs Don't for an explanation of the many problems inherent to access control lists.
• Ambient authority: A source of vulnerabilities in many programs, particularly those operating under an ACL model of execution; ambient authority refers to authority that is implicitly available. Programs with ambient authority designs tend to be vulnerable to confused deputy attacks and usually fail to adhere to the principle of least authority, increasing the attack surface of a program dramatically. Since an object capability environment involves explicit use of references one holds and has access to, ambient authority risks are significantly smaller.
• Behavior: In Goblins, the behavior of the object is a procedure defining how it will currently react in response to an incoming message.
• Behavior-oriented: In contrast to a data-oriented system, a behavior-oriented system is primarily defined in terms of the behaviors of its participants and their relationships (which may both change over time). The mapping of references to behavior in Goblins is handled at a low level through the actormap (though this is a detail mostly hidden from users of Goblins). Behavior-oriented and data-oriented systems are duals, but the primary paradigm taken dramatically shapes the structure of the underlying architecture.
• Capability: See object capability.
• CapTP: Originally implemented in E, and now (as one layer of OCapN) implemented in Goblins, CapTP provides abstractions for distributed object programming which allow for programming against any object on the network to have the same ease and semantics as against locally hosted objects. Also provides some neat features such as distributed garbage collection and promise pipelining.
• Causeway: A distributed debugger implemented in E and a source of inspiration to Goblins' distributed debugger.
• Classic actor model: See actor model.
• Client-to-server: A network architecture where certain participants on the network have elevated, structurally central status, named servers, and clients connect to these as lighter, structurally less significant (and generally less addressable) status. Typically eventually results in a centralized topology. Contrast with peer-to-peer architectures.
• Confused deputy: A confused deputy is a kind of vulnerability which arises when one entity wishes to exploit the authority another entity has but which the former entity does not. Since the general object capability paradigm results in "if you can't have it, you can't use it", capability systems are (generally) free from such attacks. (Careless introduction of identity or rights amplification into an object capability system can re-introduce the possibility of such vulnerabilities, a topic of a future paper.) Originally described in The Confused Deputy (or why capabilities might have been invented) by Norm Hardy.
• Constructor: Within Goblins, a constructor is the procedure which, upon being invoked via spawn, returns the initial behavior of the newly constructed object. spawn passes the constructor both a bcom capability (for changing behavior) and all the remaining arguments passed to spawn, allowing for initial behavior to be tuned to the purpose of this particular object and with other capabilities as references which allow the object to correctly operate.
• Data-oriented: In contrast to behavior-oriented, data-oriented systems involve heavy analysis of data describing the system. Data-oriented systems tend to involve significant amounts of judgements upon data and narrative, and thus tend to encourage ACL type designs (and thus also their problems), but this is not universally the case. Many CRUD web applications reading and writing from an SQL database with separate logic for interpreting or modifying that data are often data-oriented, and so are many systems which focus on passed messages as descriptive information of updates rather than actions to execute.
• Dialect: A language variant, particularly a variant of Lisp.
• Distributed object programming: A programming style where asynchronous programming may occur against a network of interconnected object relationships, reducing the conceptual overhead of building secure, highly peer-to-peer networked programs.
• Distributed garbage collection: The cooperation of multiple machines to free resources which are no longer needed. Implemented by CapTP. More specifically, cyclic distributed garbage collection if cycles crossing machine boundaries are collected, and acyclic distributed garbage collection if not.
• E: A major influence on the design of Goblins, direct successor to Joule, innovator of many object capability security patterns, first implementer of the vat model of computation, and the source of the first iteration of CapTP (and VatTP, as part of Pluribus).
• Eval/Apply: The heart of most programming languages: eval gathers up the values of arguments to an expression and apply performs the execution of the expression's behavior against the evaluated arguments. Each calls the other until achieving a "fixed point" of computation (the result of the total program evaluation). Popular topic of conversation amongst Scheme programmers.
• Functional programming: Programming without side effects; freedom from time.
• Goblins: The very distributed object system described by this paper, and the heart of Spritely's programming environment.
• Guile: A particular dialect of Scheme, on which Goblins has been implemented, and the implementation of focus in this paper.
• Homoiconic, Homoiconicity: The property, most notably in Lisp, of surface syntax being the same as the abstract syntax tree, under a datastructure which can be manipulated and used by the programmer. This permits easy language extensions in the language and makes the language much more general.
• Identity: An abstract signifier for some individual, resource, or concept. More mysterious a topic than it appears at surface level, and comparison of identity equality and equivalence particularly complicated. When identity is checked as the primary form of access control, becomes an Access Control List.
• Joule: A fully asynchronous programming language, and a direct predecessor to E.
• Lambda: Procedure abstraction, associated heavily with the Lambda Calculus, and generally considered the heart of Scheme. Composes Goblins objects both as the constructor and as the behavior of the object. Generally considered "The Ultimate".
• Lisp: A programming language family known for being highly extensible, easy to implement, and with many dialects. (The particular dialect of Lisp used in this paper is Scheme.) Lisp has a highly flexible abstract syntax which makes it easy to "write Lisp in Lisp", even "writing code that writes code", making language extensions or variants trivial compared to most other languages. Its surface syntax is typically parenthetical but is not necessarily so; see Wisp for the indentation-oriented surface syntax used in this paper.
• Machine: Within CapTP, a computer or process available on the network which contains objects which may be communicated with.
• Monad: Something Goblins tres hard to not expose you to. Arguably, an implicit one exists in Goblins. The meaning of this entry is left as an exercise for the reader.
• Near/Far: Near objects are co-located in the same vat, otherwise they are far.
• Netlayer: Within OCapN, an individual netlayer implements the abstract netlayer interface, which is a way to implement a secure channel of communication between two machines. Different transport layers can be used as a netlayer, ranging from peer-to-peer networks to more contemporary client-server architectures. Originally called VatTP in E's implementation of Pluribus.
• Network: An interconnected system of machines. See OCapN.
• OCapN (the Object Capability Network): The combined layered abstractions of CapTP, Netlayers, and OCapN specific URIs. Combined, these allow for the implementation of a fully peer-to-peer distributed object programming environment with most networked protocol concerns abstracted away from the developer.
• Object: A term with a lot of variant meaning, but which in the case of Goblins means a reference to an abstract resource whose behavior is fully encapsulated by the runtime or network. (Goblins does not mean anything about class hierarchies by the word object, should you be suffering from a Java PTSD induced aversion to the term).
• Object capability (ocap): An object capability based architecture (sometimes known simply as a capability architecture, though this term has prominent naming conflicts) is one where one's authority is based on references which one can invoke to perform computation and cause effects. Without a reference, one can't perform an action, leading to the slogan "if you don't have it, you can't use it." Used as an abstraction of security and favorable to the principle of least authority, though maintaining that pattern requires discipline.
• Object capability programming language: A programming language upholding object capability security properties. Generally has the following properties: no ambient authority, no global mutable state, lexical scoping with reference passing being the primary mechanism for capability transfer, and importing a library should not provide access to interesting authority.
• Object graph: The set of relationships between objects. In an object capability programming language, this is typically the set of other object references within the behavior of an object's scope.
• Peer-to-peer: A network architecture where a participant in the network has the same abstracted priority across the network routing fabric as any other participant on the network. Contrast with client-to-server architectures.
• Pluribus: The equivalent of OCapN in E. Made for a good pun: E, Pluribus, Unum.
• Principle of least authority: Design systems such that entities hold no more authority than they need in order to reduce the attack surface of an application and its subcomponents. Generally easy to pull off in object capability architectures, and hard to pull off in access control list architectures.
• Promise: A special type of object abstraction representing a computation yet to be completed, either fulfilled or broken.
• Promise pipelining: From a programming perspective, the ability to send messages to the objects promises will eventually designate before they are fulfilled. From a network perspective, provides an optimization allowing delivery of messages to the host machine queuing eventual delivery of messages once dependent promises are fulfilled, eliminating unnecessary round trips. In other words, simplifies dependency-based asynchronous plan construction. Propagates errors.
• Quasi-functional: Goblins' tricky "looks imperative from the perspective of invoking another actor and functional from the perspective of an object updating its own behavior" twist on kinda-sorta functional programming. Allows for powerful transactional programming with time-traveling features without having to expose monad plumbing directly to the user.
• Racket: Another Scheme which Spritely Goblins is also implemented on, but which is not the focus of this paper.
• REPL: Read Eval Print Loop, an interactive programming language shell.
• Rights amplification: To (mis-)quote Alan Karp, "combine two things to get access to another thing". Frequently used to provide group-like features in ocap systems. Frequently implemented using sealers and unsealers. Used carelessly, can accidentally re-introduce confused deputy vulnerabilities, but the patterns shown in this paper are free of such problems. Analysis of this phenomena is hopefully the subject of a future paper.
• Safe serialization: Allowing objects to describe how they should be serialized, while still following the object capability motto of "if you don't have it, you can't use it". Implemented by Goblins, but originally in Safe Serialization Under Mutual Suspicion, which was inspired by Uneval/Unapply.
• Sealers and unsealers: The equivalent of public-key cryptography, but implemented in programming language abstractions instead. Frequently used to implement rights amplification.
• Scheme: A lambda heavy dialect of Lisp. The examples in this paper use a particular Scheme, Guile. Has some interesting history regarding the exploration of the actor model, but probably too long to cover in an already overly-verbose glossary appendix.
• Surface syntax: The representation of the programming language that programmers (usually humans) operate at. In Lisp derived languages, the surface syntax and abstract syntax tree are generally not very far apart, which is partly what makes Lisp languages so extensible.
• Swingset: Another interesting contemporary object capability programming language environment, this one layered on Javascript and produced by Agoric.
• Sneakernet: A network architecture where messages are delivered physically from participant to participant (perhaps even on foot, be that foot in wearing a sneaker or not).
• Spritely: An umbrella project to advance networked communities and decentralized networked programming abstractions.
• Spritely Goblins: See Goblins.
• The Spritely Institute: The nonprofit which is the fiscal steward and primary developer of Spritely Goblins amongst other things (and which produced this paper).
• Syntactic sugar: Syntax abstractions which make programming more convenient and (ideally) pleasant to read and write.
• Transaction, transactionality: A set of operations which are replied in a conceptually atomic manner: either all occur or none occur. Within Goblins, a turn is a transaction representing a delta of behavior changes to the actormap (including the introduction of new near objects), as well as a queue of messages to be sent. In the event of an error, the changes will not be committed and the messages will not be sent.
• Turn: A top-level event handled by a Vat, generally a message sent to a particular object. One unique feature of Goblins is that turns happen within transactions.
• Unum/Presence: The unum is an abstracted, conceptually and programmatically unified object, implemented by individual object presences.
• Uneval/Unapply: The abstract concept behind safe serialization and the inverse of eval/apply. Produces a program representing a graph of objects (using only the capabilities the objects' behavior had in scope) which can be later re-instantiated using a complimentary kind of eval/apply. Originally a remark from Jonathan A. Rees to Mark S. Miller leading to the Safe Serialization Under Mutual Suspicion paper. See also Rees's blogpost: Pickling, uneval, unapply.
• URI (Universal Resource Identifier): A type of digital identifier indicating a networked resource. OCapN defines several of these to designate machines and distributed objects.
• Vat, Vat model: An event loop which contains a set of objects, designed to be able to communicate with objects in other event loops. Objects within the vat are considered near to each other may perform both synchronous and asynchronous programming against each other, whereas objects far from each other may only provide asynchronous programming against each other.
• W7: The subset of Scheme implemented (on top of Scheme48) for Jonathan A. Rees's PhD dissertation, A Security Kernel Based on the Lambda Calculus. Highly influential to Spritely Goblins in demonstrating clearly that a pure lexically scoped language (such as a strict subset of scheme) with no mutable toplevel scope or other sources of ambient authority is already a viable object capability programming language.
• Wisp: An indentation-sensitive surface-level Lisp syntax, and the one used in this paper. Wisp determines its expression boundaries based on whitespace. Compatible with most Lisp implementations. Defined under the SRFI-119 specification.

• spawn: The spawn operator in Goblins.
• $: The synchronous call-return operator in Goblins.
• <-: The asynchronous message passing operator in Goblins. Returns a promise.
• on: Set up a callback to be handled with the resolution of a promise (possibly returning its own promise related to said resolution).
• bcom: Pronounced "become", in Goblins bcom is the conventional name given to a capability relevant to a particular object which permits, and is used to, indicate the next behavior of the particular object. Passed by spawn (through Goblins' abstract kernel) to the object's constructor. Technically implemented as a sealer, allowing for a functional substrate for updating behavior.

• Portable encrypted storage: A document storage system where files are not tied to any particular machine location (via content addressed storage) and are encrypted in such a way that hosting content does not provide the ability to read or modify the underlying contents of hosted files.
• Content addressed (storage): A document storage system where documents are named and verifiably retrieved by their content rather than by a particular network location.
• Immutable/mutable: Immutable objects and files do not change or update, mutable objects and files do.
• Size-of-file attack: Statistically determining likeliness that a file contains particular content based on its file size.
• Chunked: Split into consistently sized pieces to be latter reassembled, so as to avoid size-of-file attacks or for storage and retrieval optimizations.
• Location agnostic: Not tied to a particular location on the network.
• Network agnostic: Not tied to a particular network configuration or transport.

Switched Wisp pre-processing of keywords hack to use normal Wisp approach (dots at the start of line).

• Incorporated feedback from Jakob L. Kreuze:
  • Add a detailed footnote explaining a bit more about why promise pipelining makes things cleaner and the risks of re-entrancy attack when coroutines provide splitchronous operations which appear synchronous
  • Various grammar nits
  • Finish explanation of Alisha and Bob bob having their own Carol representations (was a confusing intro to that section without)
  • Rework homoiconic/homoiconicity footnote, glossary entry

• Incorporated feedback from Leilani Gilpin:
  • Added definitions in glossary for peer-to-peer, client-to-server, sneakernet, and italicize usage of those
  • Italicize usage of transaction and friends
  • Clarify: it's not a requirement to read the other (as of this moment: to-be-written) Spritely whitepapers to read this one
• Incorporated feedback from Robin Templeton:
  • Clarify that Unix isn't the origin of ACLs, it popularized them
  • Have a consistent comment syntax in first examples (and make it clear which ones are the SHELL> vs REPL>)
  • Capitalized Lisp/Smalltalk/Scheme
  • Explain more clearly that it's not that Goblins itself is the essential toolkit to build something like Spritely, it's that Goblins provides the essential features to be a worthy toolkit
  • Various garammar nitpicking
  • Give the motivation for Portable encrypted storage sooner in its section
  • Don't say "social network" in introduction, too captured a term
  • Consistency around "New: comments
  • Clearer introduction of what we mean by Unum in its first introduction
  • Call "Lisp types" -> "Lisp dialects"
  • Clarify which machine is local vs remote in fork-motors example

• Many duplicate words removed

• Add PDF export
• Explain which parts of the syntax are keywords
• Fix missing equals sign on the fork-motors section (a whole bunch of reviewers caught this, thanks to everyone else for being so careful ;))

• Incorporated many grammar fixes suggested by Alan Karp

• Guix manifest updated: we're now at the point where anyone with access to the repo can easily build and verify all documents with the following:

  SHELL> guix shell        # sets up dependencies
  GUIX-SHELL> make         # builds papers, extracts all code
  GUIX-SHELL> make check   # runs unit tests on examples
  

• Add tests for blog examples
• Simplify proxy code / explanation by using $ instead of <-
• Switch Matilda / the Teachers' invocations to use <- instead of $ to show off these do work fully async
• Add explanation of define-values, let-values

• Add tests for sealers/unsealers
• Fix some examples in sealers/unsealers section

• Export ^cell in spritely-core.w for tests
• Various bugfixes to interactive examples found while writing tests
• More information in predicate / conditional section
• Add unit tests for Taste of Goblins section
• Add makefile rule to run unit tests

• Both Wisp and Scheme files are now automatically extracted when the user runs make
• Fix format, was using Racket's version
• Provide and use method-cell.scm for importing methods

• Incorporating suggestions from Jessica Tallon
  • Fixed some renames of eval-expr (old name for metacirculator evaluator) to evaluate (thanks for the catch, Jessica Tallon!)
  • Rename some comments before lambda / procedure and procedure invocation / application examples
  • Make it clear that the methods macro does get complicated to figure out what's happening to the ellipses… it's not just you, dear reader!
• Rename for-list macro to for, keep it simpler

• Add a bit more about the Y Combinator (no, not the company) to a footnote in Scheme in Scheme.
• Many tyops caught by spelcheckr
• Couple of small grammar suggestions from Baldur

• Refactor introduction to language stuff, add On language and syntax choice with a mini "how to convert wisp to parenthetical syntax in your head" explainer
• Security as relationships between objects written in full!
  • Guest post with review written!
  • Lessons learned written!

• Adding to Appendix: A small-ish scheme and wisp primer
  • Add explanations of letrec and named lets to Iteration and recursion
  • Show symbols earlier when showing "some more types".
  • Finish metacircular footnote.
  • Explain that 'foo is just shorthand for (quote foo), etc
  • Add On the extensibility of Scheme (and Lisps in general)
  • Preview that we'll show how to write our own when in the first footnote which mentions
  • Fully explain how the evaluator works in Scheme in Scheme
  • Use format sooner

• Adding to Appendix: A small-ish scheme and wisp primer
  • Added Closures
  • Add a footnote to Conditionals and predicates explaining that both cond and if can be written in terms of each other. Also distinguish between <THEN-BODY> and <ELSE-BODY> in the syntactic explanation of cond.
  • Eliminate newline from examples… one less procedure to explain!
  • Explain variable arguments, define*, values
  • Added Mutation, assignment, and other kinds of side effects
  • Added Scheme in Scheme and hoo boy, it's awesome.
  • Add alist and quasiquote examples to Lists and "cons"

• Most of Appendix: A small-ish scheme and wisp primer written.
• Correct footnote… we do explore rights amplification in this paper :)

• Add Makefile, README, instructions for building HTML and extracting output

• Finished incomplete sandboxing footnote
• Include explanations of how to build module files explicitly
• Rename section: Application safety, library safety, and beyond (formerly "Application and library safety (and beyond)")
• Some updates to Appendix: Implementing sealers and unsealers
  • Show example of pos? predicate in use
  • Explain necessity of language runtime participating
  • Move coat check pattern footnote to this section (which is where it was supposed to be once the appendix was added, whoops)
• Reorder some of the appendices
• Started writing Appendix: A small scheme and wisp primer

• Added Application safety, library safety, and beyond
• Added glossary definition for on
• Add Portable encrypted storage section and relevant glossary terms
• Made changelog and glossary subsections into actual reified, linkable-by-fragment subsections
• Added Conclusions

• Added Spritely Goblins as a society of networked objects
• Remove ^revoker from revocation pair example since it isn't used (the cell is though)
• Added When schemes go awry: failure propagation through pipelines
• Fleshed out the Appendix: Glossary in no small amount of detail.

• Added OCapN section
• .w wisp files now extracted from spritely-core.html (source of this document) via org-babel. You can view them at:
  • taste-of-goblins.w
  • goblins-blog.w
  • simple-sealer.w
• Cleaned up several code examples.
• Switched to new Wisp syntax adjustment (after discussion with Wisp upstream): lines starting with keywords no longer require dot to continue previous line. Change likely to be incorporated in future wisps.

• Promise pipelining examples added to A Taste of Goblins. This section was already planned but raised much interest in pre-review.
• Make tagging list with cons in ^post a bit easier to understand
• First batch of the smaller of the changes suggested by Alan Karp (a whole bunch, should iterate…)
• Incorporated feedback from Jessica Tallon
  • Explained how Solitaire gets access to keyboard and mouse
  • Switched reference from ^mcell to ^cell… oops, that's what I get from copy-pasting code from another document
  • Renamed our-cgreeter to julius in example
  • Fixed expected displayed message in "heard back" part
  • No longer use named let but the ^editor constructor, reflect that in surrounding text
  • Mention cons prepends to a list where appropriate
  • Fixed "Run by Robert" which had mistakenly said it was run by Lauren
  • Make it clearer that Lauren will hold Robert responsible for anyone who uses admin-for-robert (including someone Robert delegates authority to).
  • Moved sealers and unsealers implementation details to Appendix: Implementing sealers and unsealers